Chapter 03

This document discusses information security and risk management. It covers security management responsibilities and using a top-down approach to security. It also discusses security administration controls, organizational security models, information risk management policies, risk analysis, security policies, information classification, layers of responsibility for security roles, and security awareness training. The goal is to provide an overview of establishing an information security program.

Uploaded by

Rex Lau
Copyright
© Attribution Non-Commercial (BY-NC)

CHAPTER 03 Information Security and Risk Management p45-152

1. Security Management
   a. Security Management Responsibilities
   b. The Top-Down Approach to Security
2. Security Administration and Supporting Controls
   a. Fundamental Principle of Security
   b. Availability
   c. Integrity
   d. Confidentiality
   e. Security Definitions
   f. Security Through Obscurity
3. Organizational Security Model
   a. Security Program Components
   b. Security Frameworks
   c. Security Governance
   d. Security Program Development
      i. Plan and Organize
      ii. Implement
      iii. Operate and Maintain
      iv. Monitor and Evaluate
4. Information Risk Management
   a. Information Risk Management Policy
   b. Risk Management Team
5. Risk Analysis
   a. Risk Analysis Team
      i. Risk Ownership
   b. The Value of Information and Assets
   c. Costs That Make Up the Value
   d. Identifying Threats
   e. Failure and Fault Analysis
   f. Quantitative Risk Analysis
      i. Automated Risk Analysis Methods
      ii. Steps of Risk Analysis
         1) Assign Value to Assets
         2) Estimate Potential Loss per Threat
         3) Perform a Threat Analysis
         4) Derive the Overall Annual Loss Potential per Threat
         5) Reduce, Transfer, Avoid or Accept the Risk
      iii. Results of Risk Analysis
   g. Qualitative Risk Analysis
   h. Quantitative vs. Qualitative
   i. Protection Mechanism
   j. Putting It Together
   k. Total Risk vs. Residual Risk
   l. Handling Risk
6. Policies, Standards, Baselines, Guidelines and Procedures
   a. Security Policy
   b. Standards
   c. Baselines
   d. Guidelines
   e. Procedures
   f. Implementation
7. Information Classification
   a. Private Business vs. Military Classifications
   b. Classification Controls
8. Layers of Responsibility
   a. Who's Involved
      i. Board of Directors
      ii. Executive Management
      iii. The Chief Information Officer
      iv. The Chief Privacy Officer
      v. The Chief Security Officer
      vi. The IS Security Steering Committee
      vii. The Audit Committee
   b. The Data Owner
   c. The Data Custodian
   d. The System Owner
   e. The Security Administrator
   f. The Security Analyst
   g. The Application Owner
   h. The Supervisor
   i. The Change Control Analyst
   j. The Data Analyst
   k. The Process Owner
   l. The Solution Provider
   m. The User
   n. The Product Line Manager
   o. The Auditor
   p. Why So Many Roles?
   q. Personnel
   r. Structure
   s. Hiring Practices
   t. Employee Control
   u. Termination
9. Security-Awareness Training
   a. Different Types of Security-Awareness Training
   b. Evaluating the Program
   c. Specialized Security Training
10. Summary
