- Risk - likelihood that a loss will occur when a threat exploits a vulnerability
- Total Risk = T × V − L
- Manage Risk - avoid, mitigate, accept, transfer
- Threat - any activity that poses a possible danger to cause a loss
- Vulnerability - a weakness
- Loss - results from a compromise of business assets or functions
- Exploit - the act of taking advantage of a vulnerability
- SLE (single loss expectancy) = asset value × exposure factor (% of the asset's value lost in one incident)
- ARO - annualized rate of occurrence
- ALE (annual loss expectancy)= SLE x ARO
- MAO - Maximum Acceptable Outage (part of BIA; the RTO must fit inside it, i.e. MAO >= RTO)
- RTO - Recovery time objective (part of BIA)
- CBA - cost-benefit analysis
- POAM - plan of actions and milestones
- Fiduciary responsibility - being responsible for someone else’s money
- FISMA - The Federal Information Security Management Act
- HIPAA - Health Insurance Portability and Accountability Act; healthcare data
- GLBA - Gramm-Leach-Bliley Act; broad scope, financial institutions (banking, insurance)
- SOX - publicly traded companies; holds executives and the board accountable for financial data
- FERPA - student data at federally funded schools
- CIPA - schools/libraries (internet access on their computers)
- SEC - securities industry; publicly traded companies
- DHS - several IT divisions, including the Office of Cybersecurity and Communications
- NCCI - insurance
- FTC - unfair trade practices
- State AG - the state's primary legal advisor
- US AG - head of the DOJ
- COSO - joint initiative to combat corporate fraud
- BIA - Business Impact Analysis
- CBF - critical business functions (e.g., a hotel's booking website)
- CSF - critical success factors (e.g., Yelp ratings)
- BCP - Business Continuity Plan (focuses on the worst case, not on the likelihood of events; includes the DRP and IRP as key facets)
- BRP - Business Risk Portfolio
- IRP - Incident Response Plan (computer security incidents: hacks, attacks, internet)
- DRP - Disaster Recovery Plan (emphasis on technology assets)
- CSF - Common Security Framework
- Responsibilities:
- PM - can manage more than one project; reviews all BCPs; ensures each BCP is on track
- BCP Coordinator - in charge of one BCP; develops or activates that BCP; contacts the other teams
- BCP Teams - EMT (Emergency Management Team), DAT (Damage Assessment Team), TRT (Technical Recovery Team)
- EMT - has overall authority for system recovery; composed of senior managers
- DAT - assesses damage and declares the severity of an incident; collects and reports data but does not take action
- TRT - recovers critical IT resources (must be listed in BIA), members need specific skill sets
- Risk Management Framework (NIST RMF) steps:
- Step 1: Categorize Information Systems
- Step 2: Select Security Controls
- Step 3: Implement Security Controls
- Step 4: Assess Security Controls
- Step 5: Authorize Information System
- Step 6: Monitor Security Controls
- COSO - Committee of Sponsoring Organizations of the Treadway Commission
- IT: NIST Cybersecurity Framework
- 7 Domains of IT - User, Workstation, LAN, LAN-to-WAN, Remote Access, WAN, System/Application
- How to figure out which control to use (NIST, SANS Top 20)
- NIST SP 800-53: 18 families of controls (rev. 4; rev. 5 has 20), 3 implementation methods
- Consider as scope: CBO, cost of service delivery, mission-CBB, the 7 domains of IT, information system security gaps
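A worked example of the SLE/ARO/ALE formulas above, carried through to the cost-benefit analysis used to decide which control to apply and which risk-management option (mitigate, transfer, accept) results. This is an added example, not part of the original notes; the Control class, the function names, and the hotel-booking-website figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Control:
    """A candidate safeguard and the residual risk left after applying it.

    strategy is the risk-management option it represents ("mitigate" or
    "transfer"); ef_after / aro_after are the exposure factor and annualized
    rate of occurrence that remain once the control is in place.
    """
    name: str
    strategy: str
    annual_cost: float
    ef_after: float
    aro_after: float


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: asset value x exposure factor."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual loss expectancy: SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def control_net_benefit(asset_value: float, ef: float, aro: float,
                        control: Control) -> float:
    """CBA for one control: ALE avoided minus the control's annual cost."""
    ale_before = ale(asset_value, ef, aro)
    ale_after = ale(asset_value, control.ef_after, control.aro_after)
    return ale_before - ale_after - control.annual_cost


def rank_controls(asset_value: float, ef: float, aro: float,
                  controls: List[Control]) -> List[Tuple[str, float]]:
    """Rank candidate controls by net annual benefit, best first."""
    scored = [(c.name, round(control_net_benefit(asset_value, ef, aro, c), 2))
              for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def recommend(asset_value: float, ef: float, aro: float,
              controls: List[Control]) -> Tuple[str, Optional[str]]:
    """Pick the management option: the best control's strategy if it pays
    for itself, otherwise accept the risk (no control is worth its cost)."""
    by_name = {c.name: c for c in controls}
    ranked = rank_controls(asset_value, ef, aro, controls)
    if not ranked or ranked[0][1] <= 0:
        return ("accept", None)
    best_name = ranked[0][0]
    return (by_name[best_name].strategy, best_name)


# Constructed scenario: a hotel booking website (a CBF) worth $500k to the
# business; a successful attack is expected to destroy 40% of that value
# (EF = 0.4) about once every two years (ARO = 0.5).
ASSET_VALUE = 500_000.0
EF = 0.4
ARO = 0.5

CANDIDATES = [
    # Patching + WAF cuts how often the event happens, not how bad it is.
    Control("patching + WAF", "mitigate", 30_000.0, ef_after=0.4, aro_after=0.1),
    # A hot site limits the damage per event but costs nearly as much as the ALE.
    Control("hot site failover", "mitigate", 90_000.0, ef_after=0.1, aro_after=0.5),
    # Cyber insurance transfers most of the loss to the insurer for a premium.
    Control("cyber insurance", "transfer", 20_000.0, ef_after=0.1, aro_after=0.5),
]

if __name__ == "__main__":
    print("SLE:", sle(ASSET_VALUE, EF))          # 200000.0
    print("ALE:", ale(ASSET_VALUE, EF, ARO))     # 100000.0
    for name, net in rank_controls(ASSET_VALUE, EF, ARO, CANDIDATES):
        print(f"{name:20s} net benefit/yr: {net:>10,.2f}")
    print("Decision:", recommend(ASSET_VALUE, EF, ARO, CANDIDATES))
```

The ranking makes the CBA rule explicit: a control whose annual cost exceeds the ALE it avoids (the hot site here) has a negative net benefit and should not be funded for this risk alone, even though it reduces the SLE the most. When no candidate has a positive net benefit the function returns "accept", which is the documented outcome rather than a failure.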