pre 5-ism

Cards (105)

  • Risk Management
    Protecting your information systems
  • Information security and risk management are crucial for any organization that relies on technology
  • The CIA Triad (often drawn as the "CIA triangle")
    • Confidentiality: Ensuring only authorized users access sensitive information
    • Integrity: Maintaining the accuracy and completeness of data
    • Availability: Guaranteeing authorized users have timely access to information systems
  • Why is Risk Management Important?
    • Protects information assets
    • Ensures business continuity
    • Helps make informed decisions about security investments
  • The Risk Management Process
    1. Risk Identification: Recognizing the assets you hold and the threats and vulnerabilities that could affect them
    2. Risk Assessment: Rating the likelihood and impact of each risk so the risks can be ranked
    3. Risk Control: Selecting and implementing measures (controls) that reduce the highest-ranked risks
  • By prioritizing risk management, organizations can safeguard their information systems and ensure their long-term success
  • Sun Tzu: 'If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.'
  • Know Yourself
    • Identify your information assets
    • Understand their value
    • Identify vulnerabilities
    • Know your existing security measures
  • Know the Enemy
    • Identify potential threats
    • Evaluate their impact
    • Prioritize threats
  • Communities involved in managing risks
    • Information Security Community
    • Management
    • Users
    • Information Technology (IT) Community
  • Risk Appetite
    How much risk an organization is willing to accept, balancing security against accessibility and cost; risks left above this level need further treatment
  • Residual Risk
    The risk that remains after controls have been implemented; it is compared against the risk appetite to decide whether more controls are needed or the remainder is accepted
  • Addressing Identified Risks
    1. Evaluate the impact: How much damage could each vulnerability cause?
    2. Choose control strategies: Implement measures to reduce risk
    3. Prioritize defense: Focus on preventing the exploitation of vulnerabilities
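The process on the cards above (identify, assess, control, then compare residual risk with risk appetite) is easiest to see as a small risk register. The following is an added example written for this page, not material from the original deck; the 1..5 likelihood and impact scales, the score = likelihood × impact rule, the per-control point reductions and the sample assets and threats are all assumptions chosen for illustration.

```python
"""Worked risk register: identification, assessment, control, residual risk vs. appetite.

Assumed scoring model (not from the original deck):
  - likelihood and impact are rated 1..5
  - risk score = likelihood * impact (1..25)
  - each control removes a fixed number of points from likelihood or impact, never below 1
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A safeguard and how many points it is assumed to remove from each factor."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the register: an asset, a threat to it, and the applied controls."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent_score(self) -> int:
        """Risk Assessment step: score before any control is considered."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk: score after the controls' reductions, each factor floored at 1."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def build_register() -> list:
    """Risk Identification step: a constructed sample register for a campus environment."""
    return [
        Risk("Student records database", "SQL injection", likelihood=4, impact=5,
             controls=[Control("Parameterized queries", likelihood_reduction=3)]),
        Risk("Staff email", "Phishing", likelihood=5, impact=3,
             controls=[Control("Awareness training", likelihood_reduction=1),
                       Control("Multi-factor authentication", impact_reduction=2)]),
        Risk("Staff laptops", "Laptop theft", likelihood=3, impact=4,
             controls=[Control("Full-disk encryption", impact_reduction=3)]),
        Risk("Public web server", "DDoS", likelihood=3, impact=3,
             controls=[]),  # no control chosen yet
    ]


def prioritize(register: list) -> list:
    """Rank risks by inherent score, highest first, to decide where to spend effort."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def above_appetite(register: list, appetite: int) -> list:
    """Risks whose residual score still exceeds the organization's risk appetite."""
    return [r for r in register if r.residual_score() > appetite]


if __name__ == "__main__":
    register = build_register()
    appetite = 6  # assumed appetite: residual scores above 6 need more treatment
    for risk in prioritize(register):
        print(f"{risk.threat:14} inherent={risk.inherent_score():2} "
              f"residual={risk.residual_score():2}")
    for risk in above_appetite(register, appetite):
        print(f"Above appetite, needs further control: {risk.asset} / {risk.threat}")
```

Running it ranks SQL injection first on inherent score, yet after controls it is the uncontrolled DDoS risk that remains above the assumed appetite of 6, which is the point of tracking residual rather than inherent risk when deciding what to treat next.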
  • Measures to prioritize defense
    • Policies: Establishing clear guidelines for secure behavior
    • Education and training: Empowering users to be security-conscious
    • Technology: Implementing tools and software to enhance protection
  • Governance
    Sets the direction for IT security
    • Decides who is responsible for security measures
    • Aligns security with business goals and regulations
    • Provides oversight to ensure risks are mitigated
  • Management
    Implements security measures
    • Recommends security strategies
    • Implements controls to mitigate risks
    • Ensures the controls are effective
  • Both governance and management are essential for strong IT security
  • Leadership has a legal and ethical duty to:
    • Protect the organization's assets and reputation
    • Ensure compliance with regulations
    • Guide employee behavior with policies
  • Enterprise Security Governance
    Governance sets the "why" and "what" of security, while Management focuses on the "how"
  • 11 Key Points of Effective Security Governance
    • Company-wide effort: Everyone plays a part
    • Leadership commitment: Leaders are responsible
    • Business necessity: Security is an essential cost
    • Risk-based approach: Focus on the biggest threats
    • Clear roles and duties: Everyone knows their job
    • Documented policies: Security expectations are clear
    • Adequate resources: Allocate budget and staff for security
    • Security awareness: Train employees on security best practices
    • Development lifecycle: Security is integrated throughout project development
    • Measurable performance: Track and improve security posture
    • Regular reviews: Continuously assess and improve security
  • Effective governance principles
    • Responsibility: People have the authority to fulfill their security duties
    • Alignment with Strategy: Security supports business goals
    • Informed Decisions: IT investments are well-considered
    • Performance: IT systems meet business needs
    • Compliance: Regulations and policies are followed
  • Security Program Hierarchy
    • Institutional Risk Management Plan
    • Institutional Security Strategy
    • Institutional Security Plan
    • Academic Administrative Unit Security Plans
    • System Security Plans
    • Policies & Procedures
    • System Architecture
  • Security vs. Freedom
    There is an ongoing debate about security versus freedom of information. Some laws prioritize security, such as the USA PATRIOT Act, which expanded government surveillance powers. This raises concerns about civil liberties being restricted.
  • 10 Security Policies
    • Threat assessment
    • Security plan
    • Media storage
    • Disaster recovery
    • Computer malware
    • Access control
    • Security audits
    • Incident handling
    • BYOD (Bring Your Own Device)
    • Computer/Internet usage
  • 15 Security Forms
    • Reports & assessments
    • Plans & schedules
    • Control plans & databases
    • Logs & reports
    • Policies & acknowledgements
  • Future of Information Policy
    • Needs to be adaptable as technology evolves
    • May involve setting boundaries for information access and storage
    • Likely to see increased government regulation of technology
    • Will draw on various fields like information science and communications
  • Benefits of Future Information Policy
    • Maximize benefits of Web 2.0
    • Encourage social responsibility in the digital world
    • Ensure digital content preservation and information access
    • Respect user privacy and promote thoughtful technology use
  • Effective information policy relies on strong international collaboration