Monday, October 7, 2013

Security governance

Top down approach
Management comes up with a policy.
We then implement the policy.

Strategic plan: long term, aligned with the organization's goals and mission, usually about 5 years.
Tactical plan: about 1 year.
Operational plans: short term, day to day.

Policy is global.
Standards, baselines, guidelines and procedures sit under it.

Security governance is the combination of security and management.
Managed by a committee.

Senior manager
Professional
Data owner
Custodian
Auditor

Security mechanisms:
Layering (defense in depth)
Abstraction (treat objects by class, not one by one)
Data hiding (a lower level can't access data at a higher level)
Encryption (hides data from unintended users)

Privacy requirements and compliance.
Individual rights
Organization rights
Examples:
HIPAA
SOX
PCI DSS

Planning to plan: frameworks such as COBIT and ITIL.
Due care: using reasonable care to protect the organization (putting the policy and safeguards in place).
Due diligence: continually performing the activities that maintain that care (reviewing, monitoring, verifying the safeguards still work).

CIA: confidentiality, integrity, availability.
The access control chain:
Identification of the user
Authentication of the user
Authorization to access items
Auditing of access and usage
Accountability: holding the user responsible for what was done
Non-repudiation: the user can't deny having done it


Security policy types:
Regulatory: required by the industry or law
Advisory: advises what to do
Informative: informs about a subject

Acceptable use policy


Standard: mandatory requirements
Baseline: the minimum acceptable level
Guidelines: recommendations on how to meet them

Procedures: step-by-step instructions.
When something changes, update only the affected part.

Change control: make changes in an orderly manner.
Parallel run: old and new system operate at the same time until the new one is trusted.


Government data classification (highest to lowest):
Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified

Risk and people.
Third-party governance: an outside body (regulator, auditor) oversees you and grants your right to operate.

Asset: anything of value to the organization
Asset value: its worth in $
Vulnerability: a weakness that can be attacked
Exposure: being susceptible to loss because a vulnerability exists
Risk: the likelihood that a threat exploits a vulnerability, combined with the impact if it does
Safeguard: a countermeasure that reduces risk
Attack: an attempt to exploit a vulnerability
Breach: an attack that worked


Valuation: qualitative or quantitative.
Quantitative:
AV     asset value in $
EF     exposure factor: the % of the asset value lost in one incident
SLE    single loss expectancy = AV * EF
ARO    annualized rate of occurrence: how many times per year the incident is expected
ALE    annualized loss expectancy = SLE * ARO

Safeguard cost/benefit:
Value of a safeguard = ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard.
Only worth buying if the result is positive.
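Worked example of the quantitative formulas above (SLE = AV * EF, ALE = SLE * ARO, and the safeguard cost/benefit test). This is an added illustration, not part of the original notes; the asset, the dollar figures and the safeguard options are made up, and it rejects an EF outside 0..1 or a negative ARO, which are the usual data-entry mistakes.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Asset:
    name: str
    av: float   # asset value (AV) in dollars
    ef: float   # exposure factor (EF): fraction of AV lost in one incident, 0.0 .. 1.0
    aro: float  # annualized rate of occurrence (ARO): expected incidents per year

    def __post_init__(self) -> None:
        # EF is a percentage of the asset, so it cannot exceed 100%; ARO is a count per year.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1, got {self.ef}")
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO cannot be negative, got {self.aro}")


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # yearly cost of the countermeasure (purchase amortized + operation)
    new_ef: float       # EF once the safeguard is in place
    new_aro: float      # ARO once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: dollars lost in one incident."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: expected dollars lost per year."""
    return sle(av, ef) * aro


def safeguard_value(asset: Asset, sg: Safeguard) -> float:
    """ALE before - ALE after - annual cost. Positive means the safeguard pays for itself."""
    before = ale(asset.av, asset.ef, asset.aro)
    after = ale(asset.av, sg.new_ef, sg.new_aro)
    return before - after - sg.annual_cost


def best_safeguard(asset: Asset, options: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Pick the option with the highest value; None if no option is worth buying."""
    if not options:
        return None
    top = max(options, key=lambda sg: safeguard_value(asset, sg))
    return top if safeguard_value(asset, top) > 0 else None


# Constructed sample data (hypothetical figures, not from the notes).
DB_SERVER = Asset("customer database server", av=200_000, ef=0.25, aro=0.5)
OPTIONS = [
    # Cuts the loss per incident but not how often it happens.
    Safeguard("nightly offsite backups", annual_cost=8_000, new_ef=0.05, new_aro=0.5),
    # Cuts how often it happens but not the loss per incident.
    Safeguard("database activity monitoring", annual_cost=30_000, new_ef=0.25, new_aro=0.1),
    # Nearly eliminates the risk but costs more than the risk is worth.
    Safeguard("gold-plated appliance", annual_cost=60_000, new_ef=0.02, new_aro=0.05),
]


def main() -> None:
    print(f"{DB_SERVER.name}: SLE ${sle(DB_SERVER.av, DB_SERVER.ef):,.0f}, "
          f"ALE ${ale(DB_SERVER.av, DB_SERVER.ef, DB_SERVER.aro):,.0f}/yr")
    for sg in OPTIONS:
        print(f"  {sg.name:32s} value ${safeguard_value(DB_SERVER, sg):,.0f}/yr")
    chosen = best_safeguard(DB_SERVER, OPTIONS)
    print("Buy:", chosen.name if chosen else "nothing; accept the risk")


if __name__ == "__main__":
    main()
```

The monitoring option reduces the ALE by exactly as much as the backups do, but its price makes its value negative, which is the point of running the cost through the formula instead of stopping at ALE.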


Qualitative.
Relies on people's judgement.
Delphi technique: anonymous rounds of expert opinion, repeated until consensus.

Handle the risk
Mitigate
Assign to sombeody
Accept it
Reject


Separation of duties
Split responsibilities (no one person controls a critical process end to end)
Job rotation

Background checks
Control third-party vendors
Employee termination procedures

Train people by making them aware.
Educate by giving more knowledge.

