Security Policy and Practices
Policy
Practice
Guidelines
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements but are strongly recommended.
For example, a standard may require passwords to be 8 characters or more, and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days.
Procedures
Procedures consist of step-by-step instructions to assist workers in implementing the various policies, standards and guidelines.
They explain how to implement policies, guidelines and standards in a step-by-step fashion.
For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken so that it satisfies the applicable policy, standards and guidelines.
Example:
A policy may state that all business information must be adequately protected when being transferred.
A supporting data transfer standard builds upon this, requiring that all sensitive information be encrypted using a specific encryption type and that all transfers are logged.
A supporting guideline explains the best practices for recording sensitive data transfers and provides templates for the logging of these transfers.
A procedure provides step-by-step instructions for performing encrypted data transfers and ensures compliance with the associated policy, standards and guidelines.
Common Standards
The
Risk Management Basics
Assets:
Safeguard:
Vulnerability:
Threat agent gives rise to a threat.
Threat exploits a vulnerability.
Vulnerability leads to risk.
Risk can damage an asset.
Damage to the asset causes an exposure.
Exposure can be countered by a safeguard.
Risk Management
Risk management is:
what we have,
what the problem areas are,
what the likely threats are,
and how well they can be prevented.
Risk management
Risk management cycle:
Information protection requirements
Evaluate risk
Define alternatives
Decide on risk countermeasures
Implement countermeasures
Risk management steps
Step 2: Protection requirements
Step 3: Risk evaluation
Step 4: Risk response
Step 5: Selection of safeguard
Step 6: Implementation of safeguard
The implementation process involves implementation and continuous monitoring to check whether the countermeasure proved beneficial.
The risk management process comprises risk assessment, risk mitigation, and evaluation and assessment.
Risk Assessment
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 7: Risk Determination
Step 8: Control Recommendation
Step 9: Result Documentation
Risk Mitigation
Step 5: Assign Responsibility
Step 7: Implement Selected Control(s)
Business Continuity and Disaster Recovery Planning
Disruption timeline (diagram): phases labelled IT risk avoidance, no business activity and disaster recovery; the organisation moves from normal process to manual process to recovery process and back to normal process, with BCP and DRP spanning these phases.
The BCP process has the following key phases:
1. Scope and plan initiation
2. Business Impact Analysis (BIA)
3. Development of the business continuity plan
4. Approval of the business continuity plan and implementation
BCP Process
1. Scope and plan initiation
This phase covers the organisation's initial response to a disaster.
The processes in this phase are
2. Business Impact Analysis (BIA)
It is a process used to help business units understand the impact of a disruptive event.
When performing a BIA the goals are:
Prioritization of criticality
Estimation of downtime
Identification of resources
Process in BIA
Example BIA
3. Development of Business Continuity Plan
Decides on a recovery strategy which includes
4. Approval of the business continuity plan and implementation
DRP
DRP Goals
Provide
services
Clearly document the DR requirements
Establish the alternative means of operation in advance
Train the personnel in recovery procedures
Validate the processes and data required for recovery of services
DRP
DRP steps
3. Identify single points of failure
The goal is to mitigate the risk.
Impact of failure, probability of failure, estimated incidents, expected loss and the expected cost of mitigation are included.
4. Create a DR team
5. Develop a DRP addressing the functional
Recovery
Restoring/sustaining business operations
Transferring data back to the machine
6. Create procedures that support the DR plan
7. Test and redefine the DRP
DRP
DR plan analysis
DR plan documentation includes:
Vendor list
Remote locations
Critical phone numbers
Critical software systems
Downtime
DRP
Alternate sites: an alternate site is a location, other than the normal facility, used to process data and/or conduct critical business functions in the event of a disaster.
Cold site
These are offsite pre-configured facilities that have the necessary utilities.
A cold site has only a basic environment (electrical wiring, air conditioning, flooring, etc.); it does not offer any components at the site in advance.
Activation of the site may take several weeks, so the trade-off is low access cost versus time.
Warm site
These are partially configured, usually with network connections and selected peripheral equipment such as disk drives and controllers, but without the main computing equipment or with only a low-grade CPU.
It is called warm because the computing equipment can be obtained quickly for emergency installation and the site is ready within several hours.
Hot site
This is a stationary or mobile facility containing all the backup support of a cold site plus a computer similar to the one at the primary site.
These are fully configured and ready to use.
The only additional needs are staff, programs and data files.
The cost associated with third-party hot sites is usually high.
The hot site is intended for emergency operation for a limited time period and not for a prolonged duration.
Reciprocal arrangements
This is an arrangement between two or more organisations that possess similar information processing facilities.
Both parties promise each other to provide computer time in the event of an emergency.
Duplicate IPF
These are dedicated, self-developed recovery sites that can back up critical applications.
They can work as a standby hot site or in a reciprocal arrangement with another organisation's IPF installation.
Test
Simulation test
All the operational and support personnel are expected to perform in a practice session.
The goal is to test the ability of personnel to respond to a simulated disaster.
Ethics
Laws:
Ethics:
Example
Ethics Overview
Difficulties
Example:
Quality
Rule 1
A member shall perform professional duties in accordance with the law and the highest moral principles.
Ethical Considerations
1. A member shall abide by the law of the land in which the services are rendered and perform all duties in an honorable manner.
2. A member shall not knowingly become associated in responsibility for work with colleagues who do not conform to the law and these ethical standards.
3. A member shall be fair and respect the rights of others in performing professional responsibilities.
Rule 2
A member shall observe the precepts (general rules) of truthfulness, honesty, and integrity.
Ethical Considerations
A member shall disclose all relevant information to those having a right to know.
A right to know is a legally enforceable claim or demand by a person for disclosure of information by a member.
Rule 3
A member shall be faithful and diligent (thorough) in discharging professional responsibilities.
Ethical Considerations
A member is faithful when fair and steadfast (persistent) in adherence to promises and commitments.
A member is diligent when employing best efforts in an assignment.
A member shall not act in matters involving conflicts of interest without appropriate disclosure and approval.
A member shall represent services or products fairly and truthfully.
Rule 4
A
Rule 5
A member shall safeguard confidential information and exercise due care to prevent its improper disclosure.
Ethical Considerations
Disclosure of confidential information should be restricted.
Due care requires that
Rule 6
A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or employers.
Ethical Considerations
Responsible Professional Guidelines
A responsible professional:
Acts with integrity
Increases personal competence
Ethical Guidelines