/infosec
Information security threats
  theft of intellectual property
  identity theft
  theft of equipment or information
  information extortion
The CIA triad
  Confidentiality
    revolves around the principle of 'least privilege'
    need for a strong data classification policy
    ensures that information is accessible only by authorised individuals
    a key component of protecting information confidentiality is encryption
    ongoing monitoring, testing, and training
  Integrity
    ensures that information is reliable
    behavioral controls such as separation of duties, rotation of duties, and training
  Availability
    ensures that data is available and accessible to satisfy business needs
    when a security incident occurs – preventing access or yielding too much access – a strong audit capability can assist in determining the root cause
    backup is key
    access controls, monitoring, data redundancy, resilient systems, virtualization, server clustering, environmental controls, continuity of operations planning, and incident response preparedness
  Special challenges for the CIA triad
    Big data
    Internet of Things privacy
    Internet of Things security
How to use the CIA Triad
Risk management process
  1) Identification of assets and estimating their value.
     Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
  2) Conduct a threat assessment.
     Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
  3) Conduct a vulnerability assessment.
     For each vulnerability, calculate the probability that it will be exploited.
     Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
  4) Calculate the impact that each threat would have on each asset.
     Use qualitative analysis or quantitative analysis.
  5) Identify, select and implement appropriate controls.
     Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
  6) Evaluate the effectiveness of the control measures.
     Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
Security controls
  Administrative
    approved written policies, procedures, standards and guidelines
  Logical
    passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption
  Physical
Defense in depth
Security classification for information
Access control
  Identification
  Authentication
  Authorization
Cryptography
Incident response plans
  Selection of team members
  Definition of roles, responsibilities and lines of authority
  Definition of a security incident
  Definition of a reportable incident
  Training
  Detection
  Classification
  Escalation
  Containment
  Eradication
  Documentation
Change management
Business continuity
Laws and regulations
  The U.K. Data Protection Act 1998
  The Computer Misuse Act 1990
  The Payment Card Industry Data Security Standard (PCI DSS)