Security and Risk Management - 2021.txt-p
“The safety and welfare of society and the common good, duty to our principles, and
to each other, requires that we adhere, and be seen to adhere, to the highest
ethical standards of behavior.”
https://www.isc2.org/ethics#
===================================================================================
Violations of Confidentiality can come from ANYWHERE, at ANY TIME... bad decisions
on the part of users, administrators and customers can all lead to a violation.
Also, remember that security policies that are not implemented properly can lead to
potential confidentiality violations.
a. encryption
b. traffic padding
c. strict access controls / authentication
d. data classification
e. awareness training
Confidentiality & Integrity depend on each other. One is not effective without the
other.
Confidentiality concepts:
1. sensitivity
2. discretion
3. criticality
4. concealment
5. isolation
Integrity concepts:
1. accuracy
2. authenticity
3. validity
4. nonrepudiation - user cannot deny having performed an action
Availability concepts:
1. usability
2. accessibility
3. timeliness
===================================================================================
A Security Framework
- acts as a reference point
- provides a common language for communications (CULTURE OF SECURITY)
- allows us to share information and create relevancy
Examples
Financial Reporting:
Basel II
Sarbanes-Oxley
COSO
Information Security:
BS7799 / ISO 27000 series:
- ISO 27000 - ISMS fundamentals and vocabulary (umbrella)
- ISO 27003 - ISMS implementation guide
- ISO 27004 - ISM metrics
- ISO 27005 - infosec risk management
- ISO 27006 - certification agencies
- ISO 27007 - audit
- ISO 27009 - IS governance
- ISO 27010 - critical infrastructure
BS 7799 Part 1 / ISO 17799 / ISO 27002 code of practice - 133 controls, 500+
detailed controls
BSIMM:
https://www.bsimm.com/framework.html
ITIL
Management / Enterprise frameworks: NOTE... (LOOK FOR THE DEEP DIVE ON SABSA, TOGAF
& ZACHMAN BELOW)
- Zachman
- Calder-Moir
- TOGAF
- DoDAF
- MODAF
- SABSA
- COSO
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
SP800-161 R1
Guide for Applying the Risk Management Framework to Federal Information Systems: a
Security Life Cycle Approach SP800-37R2
https://www.iso.org/standard/50341.html
https://www.iso.org/isoiec-27001-information-security.html
SABSA -
=======================================================
| Business View        | Contextual Architecture        |
|======================|================================|
| Architect's View     | Conceptual Architecture        |
|======================|================================|
| Designer's View      | Logical Architecture           |
|======================|================================|
| Constructor's View   | Physical Architecture          |
|======================|================================|
| Technician's View    | Component Architecture         |
|======================|================================|
| Manager's View       | Management Architecture        |
|======================|================================|
Strategy & Planning --> Design --> Implement --> Manage & Measure
===================================================================================
TOGAF -
Technology Architecture - The logical software and hardware capabilities that are
required to support the deployment of business, data, and application services.
This includes IT infrastructure, middleware, networks, communications, processing,
and standards.
===================================================================================
The Zachman Framework -
===================================================================================
U.S.- EU Safe Harbor Framework / Privacy Shield (July 16, 2020 judgment of
the Court of Justice of the European Union in the Schrems II case)
2. Privacy requirements
===================================================================================
When assessing the effect of cybercrime, you need to evaluate areas such as:
Incident - some sort of occurrence or event that has a negative outcome (ITIL)
The law automatically protects a work that is created and fixed in a tangible
medium of expression on or after January 1, 1978, from the moment of its creation
and gives it a term lasting for the author’s life plus an additional 70 years. For
a “joint work prepared by two or more authors who did not work for hire,” the term
lasts for 70 years after the last surviving author’s death.
For works made for hire and anonymous and pseudonymous works, the duration of
copyright is 95 years from first publication or 120 years from creation, whichever
is shorter (unless the author’s identity is later revealed in Copyright Office
records, in which case the term becomes the author’s life plus 70 years).
3. Import/export controls
OECD Declaration on Transborder Data Flows, OECD Digital Economy Paper No. 1 (Apr.
11, 1985)
5. Privacy
https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188
1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Data Controller Accountability
===================================================================================
Spotlight on the GDPR
In December 2015 the process of agreeing to new legislation designed to reform the
legal framework for ensuring the rights of EU residents to enhanced privacy
protections was completed. This was ratified in early 2016 and became widely
enforceable on the 25th May 2018.
2. The Data Protection Directive which is designed to enable the police and
criminal justice sectors to ensure that the data of victims, witnesses, and
suspects of crimes are duly protected in the context of a criminal investigation or
a law enforcement action.
What is “Personal Data”? - “Personal data” is defined in both the Directive and the
GDPR as any information relating to a person who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that person.
As a result, in many cases online identifiers including IP address and cookies will
now be regarded as personal data if they can be (or are capable of being) linked
back to the data subject.
The regulation provides specific suggestions for what kinds of security actions
might be considered “appropriate to the risk,” including:
Fines and Enforcement - Regulators will now have authority to issue penalties equal
to the greater of €10 million or 2% of the entity's global gross revenue for
violations of record-keeping, security, breach notification, and privacy impact
assessment obligations.
Data Protection Officers - Data Protection Officers must be appointed for all
public authorities, and where the core activities of the controller or the
processor involve “regular and systematic monitoring of data subjects on a large
scale” or where the entity conducts large-scale processing of “special categories
of personal data” (such as that revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, and the like).
Note: Although an early draft of the GDPR limited mandatory data protection
officer appointment to organizations with more than 250 employees, the final
version has no such restriction.
The regulation requires that they have “expert knowledge of data protection law and
practices.” The level of which “should be determined in particular according to the
data processing operations carried out and the protection required for the personal
data processed by the controller or the processor.”
The data protection officer’s tasks are also delineated in the regulation to
include:
Data Protection Officers may insist upon company resources to fulfill their job
functions and for their own ongoing training.
They must have access to the company’s data processing personnel and operations,
significant independence in the performance of their roles, and a direct reporting
line “to the highest management level” of the company.
A company with multiple subsidiaries may appoint a single data protection officer
so long as they are “easily accessible from each establishment.”
The GDPR also allows the data protection officer functions to be performed by
either an employee of the controller or processor or by a third party service
provider.
Privacy Management - The regulation mandates a “Risk Based Approach:” where the
appropriate organizational controls must be developed according to the degree of
risk associated with the processing activities.
Where appropriate, privacy impact assessments must be made – with the focus on
protecting data subject rights.
Data protection safeguards must be designed into products and services from the
earliest stage of development – Privacy by Design.
Consent - a basis for legal processing (along with legitimate interests, necessary
execution of a contract and others). According to the Regulation consent means “any
freely given, specific, informed and unambiguous indication of his or her wishes by
which the data subject, either by a statement or by a clear affirmative action,
signifies agreement to personal data relating to them being processed;”
The purposes for which the consent is gained do need to be “collected for
specified, explicit and legitimate purposes”. In other words, it needs to be obvious
to the data subject what their data is going to be used for at the point of data
collection.
• the identity and the contact details of the controller and DPO
• the purposes of the processing for which the personal data are intended
• the legal basis of the processing
• where applicable, the legitimate interests pursued by the controller or
by a third party
• where applicable, the recipients or categories of recipients of the
personal data
• where applicable, that the controller intends to transfer personal data
internationally
• the period for which the personal data will be stored, or if this is not
possible, the criteria used to determine this period
• the existence of the right to access, rectify or erase the personal data
• the right to data portability
• the right to withdraw consent at any time
• and the right to lodge a complaint to a supervisory authority
Where the data has not been obtained directly from the data subject the list varies
and includes:
There are some exceptions – notably where the effort would be disproportionate and
where the information has already been provided to the data subject.
Individuals have the right not to be subject to the results of automated decision
making, including profiling. So, individuals can opt out of profiling.
Automated decision making will be legal where individuals have explicitly consented
to it, or if profiling is necessary under a contract between an organization and an
individual, or if profiling is authorized by EU or Member State Law.
The act says that processing is lawful if “processing is necessary for the purposes
of the legitimate interests pursued by the controller or by a third party, except
where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in
particular where the data subject is a child.”
It’s important to note that the wilful destruction or alteration of data is as much
a breach as theft.
In the event of a personal data breach data controllers must notify the appropriate
supervisory authority “without undue delay and, where feasible, not later than 72
hours after having become aware of it.” If notification is not made within 72
hours, the controller must provide a “reasoned justification” for the delay.
Notice is not required if “the personal data breach is unlikely to result in a risk
for the rights and freedoms of individuals.” How this translates into real-world
action is not clear, however.
Should the controller determine that the personal data breach “is likely to result
in a high risk to the rights and freedoms of individuals,” it must also communicate
information regarding the personal data breach to the affected data subjects. Under
Article 32, this must be done “without undue delay.”
The GDPR provides exceptions to this additional requirement to notify data subjects
in the following circumstances:
Data Subject Access Requests - Individuals will have more information on how their
data is processed and this information should be available in a clear and
understandable way.
DSARs must be executed “without undue delay and at the latest within one month of
receipt of the request.”
Subject access requests must also give all the information relating to purposes
that should have been provided upon collection.
Retention & The Right to be Forgotten - Controllers must inform subjects of the
period of time (or reasons why) data will be retained on collection. Should the
data subject subsequently wish to have their data removed and the data is no longer
required for the reasons for which it was collected then it must be erased.
Known by many names including ePrivacy, ePrivacy2, PECR2 and ePR, this regulation
will replace the existing EU Directive and is designed to harmonize with and enhance
the GDPR. Like the GDPR it has global reach and similarly significant penalties for
non-compliance. In the UK this regulation will replace the existing PECR laws.
This legislation is designed to regulate the use of personal information across all
electronic communications including telephony.
This legislation is still in draft, with the latest version issued on the 9th
September 2017. This version still proposed the law going live simultaneously with
the GDPR becoming enforceable on the 25th May 2018.
Cookies and similar tracking technologies, when used for non-essential processes
(like profiling and advertising), will require prior consent. Browser and interface
manufacturers are set to bear the burden of responsibility here by providing new
mechanisms to allow individuals to manage their consent more easily. The goal is to
lead to a much more open dialogue between advertisers and data subjects - with
advertisers needing to make the "value exchange" much clearer.
Personal data - Like the DPA, the GDPR applies to ‘personal data’. However, the
GDPR’s definition is more detailed and makes it clear that information such as an
online identifier can be personal data. The more expansive definition provides for
a wide range of personal identifiers to constitute personal data.
You can assume that if you hold information that falls within the scope of the DPA,
it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where
personal data are accessible according to specific criteria. This is wider than the
DPA’s definition and could include chronologically ordered sets of manual records
containing personal data.
Note: Personal data that has been pseudonymised can fall within the scope of the
GDPR depending on how difficult it is to attribute the pseudonym to a particular
individual.
Sensitive personal data - The GDPR refers to sensitive personal data as “special
categories of personal data” (see Article 9). These categories are broadly the same
as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and
biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but
similar extra safeguards apply to its processing (see Article 10).
===================================================================================
Investigation Types:
Common law
- developed in England
- based on previous interpretation of laws
- it reflects the community's morals and expectations
- uses judges and juries to decide cases
Criminal
- based on common law, statutory law, or a combination of both
- addresses behavior considered harmful to society
- punishment usually involves loss of freedom or monetary fines
Civil / tort
- under civil law the defendant owes a legal duty to the victim
- the defendant's breach of that duty causes injury to the victim
Customary law
- based on traditions and customs
- restitution is commonly in the form of monetary fine or service
Religious law
- rather than creating laws, scholars and lawmakers attempt to
discover the truth of the law
===================================================================================
Security Policy - Direction from senior management (Strategic - Why & What)
Process - A series of related tasks or methods that together turn inputs into
outputs. (Operational - Who & When & Where)
===================================================================================
Project Management
Senior Management Support (*)
Project Scope
Resources
Timeline
Goals:
Process Steps:
1. Gather requirements/information
2. Vulnerability assessment
3. Risk Analysis
Quantitative - ALE = SLE * ARO ===> ALE = (AV*EF) * ARO
Qualitative
4. Communicate findings - Audience relevancy
Determining Downtime:
===================================================================================
Risk: The probability (likelihood) that a given threat source will exercise a
particular vulnerability and the resulting impact should that occur
Vulnerability - weakness
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Risk response options:
1. Avoid
2. Accept
3. Transfer (Share)
4. Mitigate
5. Recast (reclassification)
6. Ignore
Control Categories
• Physical
• Administrative
• Logical (Technical)
Tailoring - filtering
Supplementation - making additions (adding on) to add value and support for
mission objectives
Types of assessments:
a. Vulnerability
Scanning
Analysis
Communicate results
b. Penetration
Strategies:
• External testing
• Internal testing
• Blind testing
• Double-blind testing
Categories:
• Zero knowledge - Black Box
• Partial knowledge - Grey Box
• Full knowledge - White Box
Methodology:
1. Reconnaissance
2. Enumeration
3. Vulnerability analysis
4. Execution / Exploitation
5. Document findings
c. Application
d. DoS / DDoS
e. WAR...
f. Wireless
g. Social Engineering
h. Telephony
Process steps:
• Approval - Senior Management gives us this
• Form a Risk Assessment Team
• Analyze Data
• Calculate Risk
• Countermeasure Recommendations
P lan
D o
C heck
A ct
COSO - identifies 5 areas necessary to meet the financial reporting and disclosure
objectives. These include:
a. Control environment
b. Risk assessment
c. Control activities
d. Information and communication
e. Monitoring
ITIL - showing how controls can be implemented for the service management IT
processes
5 Lifecycle phases:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement (CSI)
ISO 27001 / 27002 series (ISO 17799/BS7799) - ISMS (01) and Controls (02)
NIST: (https://csrc.nist.gov/publications/sp800)
NIST SP800-53R5 Security and Privacy Controls for Information Systems and
Organizations
NIST SP800-161R1 Cybersecurity Supply Chain Risk Management Practices for Systems
and Organizations
===================================================================================
THE RISK MANAGEMENT FRAMEWORK PROVIDES A PROCESS THAT INTEGRATES SECURITY & RISK
MANAGEMENT ACTIVITIES INTO THE SYSTEM DEVELOPMENT LIFE CYCLE.
Risk-Based Approach -
1. Prepare Step -
Prepare carries out essential activities at the organization, mission and business
process, and information system levels of the enterprise to help prepare the
organization to manage its security and privacy risks using the Risk Management
Framework.
2. Categorize Step -
Categorize the system and the information processed, stored, and transmitted by
that system based on an impact analysis (*1).
3. Select Step -
Select an initial set of baseline security controls for the system based on the
security categorization; tailoring and supplementing the security control baseline
as needed based on organization assessment of risk and local conditions.
4. Implement Step -
Implement the security controls and document how the controls are deployed within
the system and environment of operation.
5. Assess Step -
Assess the security controls using appropriate procedures to determine the extent
to which the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security requirements for
the system.
6. Authorize Step -
7. Monitor Step -
Monitor and assess selected security controls in the system on an ongoing basis
including assessing security control effectiveness, documenting changes to the
system or environment of operation, conducting security impact analyses of the
associated changes, and reporting the security state of the system to appropriate
organizational officials (*3).
Footnotes:
===================================================================================
Topic 11: Understand and apply threat modeling concepts and methodologies
S poofing
T ampering
R epudiation
I nformation Disclosure
D enial of Service
E levation of Privilege
The calculation always produces a number between 0 and 10; the higher the number,
the more serious the risk.
Trike - Threat models are used to satisfy the security auditing process. Threat
models are based on a “requirements model.” The requirements model establishes the
stakeholder-defined “acceptable” level of risk assigned to each asset class.
Analysis of the requirements model yields a threat model from which threats are
enumerated and assigned risk values. The completed threat model is used to
construct a risk model based on assets, roles, actions, and calculated risk
exposure.
VAST - Visual, Agile, and Simple Threat modeling. Focuses on the necessity of
scaling the threat modeling process across the infrastructure and entire SDLC, and
integrating it seamlessly into an Agile software development methodology. The
methodology seeks to provide actionable outputs for the unique needs of various
stakeholders: application architects and developers, cybersecurity personnel, and
senior executives.
AS/NZS 4360:2004 Risk Management - the world’s first formal standard for
documenting and managing risk.
1. Establish Context: Establish the risk domain, i.e., which assets/systems are
important?
2. Identify the Risks: Within the risk domain, what specific risks are apparent?
3. Analyze the Risks: Look at the risks and determine if there are any supporting
controls in place.
5. Treat the Risks: Describe the method to treat the risks so that risks selected
by the business will be mitigated.
Note: AS/NZS 4360 assumes that risk will be managed by an operational risk group,
and that the organization has adequate skills and risk management resources in
house to identify, analyze, and treat the risks.
What do you need to know about Threat & Adversary Emulation & Threat Hunting? -
Intelligence Feeds - some feeds are freely available & others are available only
as part of a subscription service, often associated with proprietary hardware &
software tools
Deep Web - unindexed & hidden locations on the Internet generally associated with
malicious activity & criminal operations
What do you need to know about Augmented Reality, Big Data & Deep Learning? -
Big Data - data collections that are so large & complex that they are difficult
for traditional database tools to manage
• the system is not provided with human-directed facts, filters, or rules but
instead is left to independently interpret data & classify it as a certain category
• Script Kiddies
• Insider Threats
• Competitors
• Organized Crime
• Hacktivists
• Nation States
• State Actors
• Advanced Persistent Threats (APTs)
• Supply Chain Access
MITRE ATT&CK for ICS - describes a set of tactics & techniques specific to
industrial control systems & lists the elements described in the ATT&CK for ICS
knowledge base
Diamond Model of Intrusion Analysis - focuses on events & describes them in terms
of four core & interrelated base features:
• Adversary
• Capability
• Infrastructure
• Victim
Available at https://apps.dtic.mil/sti/citations/ADA58696
Steps identify several opportunities for the detection of adversarial action; goal
is to detect these activities as early in the kill chain as possible
===================================================================================
NIST SP800-161 - Supply Chain Risk Management Practices for Federal Information
Systems and Organizations (page 7)
NIST SP-800 161 R1 - Cybersecurity Supply Chain Risk Management Practices for
Systems and Organizations (page 7)
C-SCRM encompasses activities spanning the entire system development life cycle
(SDLC), including research and development, design, manufacturing, acquisition,
delivery, integration, operations and maintenance, disposal, and overall management
of an enterprise’s products and services. C-SCRM is the organized and purposeful
management of cybersecurity risk in the supply chain.
Requirements gathering
4. Service-level requirements
SLA vs SLR
In addition:
Onsite Assessment
Document Exchange and Review
Process/Policy Review
Third Party Audit
Managing known risks
1. PPRR risk management model - a popular global supply chain risk management
strategy and is used by retailers around the world. “PPRR” stands for:
2. Manage environmental risk in your supply chain - single vs. multi supplier
Supply chain risk assessment software enables you to take a proactive approach to
risk management by providing you with greater visibility into the structure of your
supply chain. With such a solution, you will be able to identify weak points in
your supply chain and receive data-driven insights into how you can strengthen
them.
Define user roles and implement security controls to restrict who is able
to access your system and what level of clearance they are given.
Implement data stewardship standards that define who owns certain data
and what they are able to do with that data.
Number of Stops & Average Stop Time - The more stops a freight carrier
takes in route to delivering a shipment, the longer it will take your product to
reach your customer. Even if a route only includes a few stops, a long average stop
time could still jeopardize on-time delivery and disrupt your supply chain. These
metrics are important to monitor for the sake of supply chain efficiency.
[Note: It’s important to look for a low number of stops and low average stop time
while still being mindful of drivers’ legally regulated hours of service.]
Average Loading Time - This refers to the amount of time it takes to load
a carrier with freight, as well as fill out any necessary paperwork, once it has
arrived at the loading dock. Like the previous item on this list, this is a key
indicator of supply chain efficiency.
Map out your supply chain to get a clear understanding of which entities
are most vulnerable to risk.
Diversify your supplier network so that you are not reliant on a single
supplier.
Carefully document all processes and create a single source of truth that
employees can refer to when executing on your contingency plan.
7. Conduct internal risk awareness training - Management is not the only area of
your organization that can assist in supply chain risk mitigation. In fact,
building a risk-aware culture requires buy-in at all levels of your business. The
easiest way to achieve this is to conduct risk awareness training for your entire
workforce. Training curriculum should include the following:
There is no single approach to TPRM, but some commonly used frameworks serve as a
solid starting point. These include frameworks provided by organizations such as
the National Institute of Standards and Technology (NIST) and the International
Standards Organization (ISO).
Effectively utilizing TPRM frameworks will reduce risks to both your organization
and your customers.
NIST -
NIST Cybersecurity Framework (CSF) Version 1.1 - voluntary guidance, based on
existing standards, guidelines, and practices for organizations to better manage
and reduce cybersecurity risk. In addition to helping organizations manage and
reduce risks, it was designed to foster risk and cybersecurity management
communications amongst both internal and external organizational stakeholders
NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments - guidance for
conducting risk assessments of federal information systems and organizations,
amplifying the guidance in Special Publication 800-39. Risk assessments, carried
out at all three tiers in the risk management hierarchy, are part of an overall
risk management process — providing senior leaders/executives with the information
needed to determine appropriate courses of action in response to identified risks
NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and
Organizations - A System Life Cycle Approach for Security and Privacy - describes
the Risk Management Framework (RMF) and provides guidelines for applying the RMF to
information systems and organizations. The RMF provides a disciplined, structured,
and flexible process for managing security and privacy risk that includes
information security categorization; control selection, implementation, and
assessment; system and common control authorizations; and continuous monitoring
NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems
and Organizations - provides a catalog of security and privacy controls for
information systems and organizations to protect organizational operations and
assets, individuals, other organizations, and the Nation from a diverse set of
threats and risks, including hostile attacks, human errors, natural disasters,
structural failures, foreign intelligence entities, and privacy risks
NISTIR 7622, Notional Supply Chain Risk Management Practices for Federal
Information Systems - provides a wide array of practices that, when implemented,
will help mitigate supply chain risk to federal information systems. It seeks to
equip federal departments and agencies with a notional set of repeatable and
commercially reasonable supply chain assurance methods and practices that offer a
means to obtain an understanding of, and visibility throughout, the supply chain
NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from
Industry - provides the ever-increasing community of digital businesses a set of
Key Practices that any organization can use to manage cybersecurity risks
associated with their supply chains. The Key Practices presented in this document
can be used to implement a robust C-SCRM function at an organization of any size,
scope, and complexity
NISTIR 8286, Identifying and Estimating Cybersecurity Risk for Enterprise Risk
Management (ERM) - helps individual organizations within an enterprise improve
their cybersecurity risk information, which they provide as inputs to their
enterprise’s ERM processes through communications and risk information sharing
ISO/IEC -
ISO 27001 is an international standard for the stringent evaluation of cyber and
information security practices. It provides requirements for establishing,
implementing, maintaining and continually improving an information security
management system. Based on an international set of requirements, it outlines a
systematic approach to managing sensitive company information so that it remains
secure. It includes people, processes and IT systems by applying a risk management
process.
ISO 27002 is a supplementary standard that provides advice on how to implement the
security controls listed in Annex A of ISO 27001. It helps organizations consider
what they need to put in place to meet these requirements.
ISO 27018, when used in conjunction with the information security objectives and
controls in ISO 27002, creates “a common set of security categories and controls
that can be implemented by a public cloud computing service provider acting as a
PII processor.”
ISO 27701 was the first international standard on privacy information management,
which helps organizations to demonstrate the methods and controls used in
protecting both their internal and customers’ personal data. It augments security
guidance published in ISO 27001 and ISO 27002.
• Establish contractual supplier agreements for any third party that may access,
process, store, communicate, or provide IT infrastructure to an organization’s
data.
• Refresh - an optional stage to renew the contract, perhaps reviewing the terms
and conditions, performance, issues, working processes
===================================================================================
Topic 13: Establish and maintain a security awareness, education, and training
program
Security awareness:
Establishing an understanding of the importance of, and need to, comply with
security policies within the organization
===================================================================================
Asset - anything within the organization that has value and should be afforded CIA
protections
Exposure - degree to which you are susceptible to asset loss due to a threat
Example: AV $10.00, SLE $1.00, ARO 10
ALE = SLE * ARO
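As an added worked example (not part of the original notes), the quantitative formulas above and under step 3 of the process steps carried through in Python: SLE = AV * EF, ALE = SLE * ARO, ranking of scenarios by ALE, and the annual value of a safeguard (ALE before, minus ALE after, minus the control's annual cost), which is the usual follow-on to the ALE formula but is not stated in the notes. Every scenario name, asset value, exposure factor, rate and control cost below is constructed.

```python
"""Quantitative risk analysis: SLE, ALE, ranking, and safeguard value.

Added worked example for these notes (not taken from them). All asset values,
exposure factors, rates and control costs below are constructed illustrations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat-to-asset pairing with the inputs the ALE formula needs."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 - 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def __post_init__(self) -> None:
        # Reject inputs that make the formula meaningless (EF is a fraction, not a percent).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro cannot be negative")


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF: the loss expected from a single occurrence of the threat."""
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO = (AV * EF) * ARO: the loss expected per year."""
    return single_loss_expectancy(av, ef) * aro


def ale_of(scenario: RiskScenario) -> float:
    return annualized_loss_expectancy(
        scenario.asset_value, scenario.exposure_factor, scenario.aro
    )


def rank_by_ale(scenarios: list[RiskScenario]) -> list[tuple[str, float]]:
    """Order scenarios by ALE, highest first, to decide which risks to treat first."""
    return sorted(
        ((s.name, ale_of(s)) for s in scenarios), key=lambda pair: pair[1], reverse=True
    )


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost of the control.

    Positive means the control saves more than it costs. This cost/benefit step is
    the usual follow-on to the ALE formula but is not stated in the notes themselves.
    """
    return ale_before - ale_after - annual_cost


# Constructed sample inventory (hypothetical figures, chosen only to show the arithmetic).
SAMPLE_SCENARIOS = [
    RiskScenario("Web server defacement", asset_value=200_000.0, exposure_factor=0.05, aro=2.0),
    RiskScenario("Data centre flood", asset_value=5_000_000.0, exposure_factor=0.40, aro=0.1),
    RiskScenario("Unencrypted laptop theft", asset_value=50_000.0, exposure_factor=1.0, aro=3.0),
]


def laptop_encryption_value() -> float:
    """Worked safeguard comparison on the laptop scenario (constructed numbers).

    Full-disk encryption does not stop the theft (ARO unchanged) but cuts the loss
    per event to roughly the hardware cost, modelled here as EF falling from 1.0 to 0.1.
    """
    before = SAMPLE_SCENARIOS[2]
    after = RiskScenario(before.name + " (encrypted)", before.asset_value, 0.1, before.aro)
    annual_control_cost = 20_000.0  # hypothetical licence and support cost per year
    return safeguard_value(ale_of(before), ale_of(after), annual_control_cost)


if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{name:32s} ALE = {ale:>12,.2f}")
    print(f"Annual value of laptop encryption: {laptop_encryption_value():,.2f}")
```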