Section 2: Cybersecurity

Risk
- Key terms and definitions
  - Inherent risk
  - Residual risk
  - Acceptable data loss: RPO (recovery point objective)
- Risk identification
  - Top-down approach
  - Bottom-up approach
- Risk factors
  - Likelihood and impact (these two factors influence the level of risk)
- Approach to risk
  - Approach to cybersecurity risk: considering how to measure risk
    - Risk tolerance
    - Size and scope of the environment
    - Amount of data available
- Third-party risk
- Risk identification and classification standards and frameworks
  - ISO 31000:2009, Risk Management -- Principles and Guidelines
  - IEC 31010:2009, Risk Management -- Risk Assessment Techniques
  - ISO/IEC 27001:2013, Information Technology -- Security Techniques -- Information Security Management
  - ISO/IEC 27005:2011, Information Technology -- Security Techniques -- Information Security Risk Management
  - COBIT 5 for Risk
  - NIST Special Publications, e.g. NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments

Common attack types and vectors
- Threat agents (concept)
  - Cyberterrorists
  - Cyberwarriors
  - Employees
  - Hacktivists
  - Nation states
  - Online social hackers
  - Script kiddies
- Attack attributes (Figure 2.6)
  - Attack vector
  - Payload
  - Exploit
  - Target (assets)
- Threat process
  - Perform reconnaissance
  - Create attack tools
  - Deliver malicious capabilities
  - Exploit and compromise
  - Conduct an attack
  - Achieve results
  - Maintain a presence or set of capabilities
  - Coordinate a campaign
- Non-adversarial threat events
- Malware, ransomware and attack types
  - Types of malware: network worm, Trojan horses, adware
  - Stuxnet: link file component
  - Advanced persistent threats (APTs)
- Other attack types
  - Brute force attack
  - Buffer overflow
  - Cross-site scripting (XSS)
  - DoS attack
  - Man-in-the-middle attack
  - Social engineering
  - Spear phishing
  - Structured Query Language (SQL) injection
  - Zero-day exploit

Policies and procedures
- Purpose of policies
- Policy life cycle
- Compliance documents and policy frameworks
  - Policies: communicate required and prohibited activities and behaviours
  - Standards: apply policies in specific situations
  - Procedures: detail how to comply with policies and standards
  - Guidelines: general guidance
- Types of information security policies
  - General information security policy
  - Access control policy
    - Purpose: provide proper access to internal and external stakeholders; ensure that emergency access is appropriately permitted and revoked
    - Covers the following topics: physical and logical access provisioning life cycle; least privilege/need to know; segregation of duties; emergency access
    - Metrics: number of access violations that exceed the amount allowed; amount of work disruption due to insufficient access rights; number of segregation of duties incidents or audit findings
  - Personnel information security policy
  - Security incident response policy
  - Policy frameworks
  - Business continuity and disaster recovery
    - Input: business impact analysis (BIA); business contingency plans with trusted recovery; recovery requirements for critical systems; defined thresholds and triggers for contingencies and escalation; disaster recovery plan (DRP); training and testing
  - Asset management
    - Input: data classification and ownership; system classification and ownership; resource utilization and prioritization; asset life cycle management; asset protection
  - Rules of behaviour
    - Input: at-work acceptable use and behavior, including privacy, Internet/email, mobile devices, BYOD, etc.; offsite acceptable use and behavior, including social media and blogs
  - Acquisition/development/maintenance
    - Input: information security within the life cycle, requirements definition and procurement/acquisition processes; secure coding practices; integration of information security with change and configuration management
  - Vendor management
    - Input: contract management; service level agreements
  - Communication and operation
    - Input: IT information security architecture and application design
  - Compliance
    - Input: IT information security compliance assessment process; development of metrics; assessment repositories
  - Risk management
    - Input: organizational risk management plan; information risk profile

Cybersecurity controls
- Identity management
- Provisioning and deprovisioning
- Authorization
  - Write, create, update only
  - Delete only
  - Execute only
  - A combination of the above
- Access control list
- Access list
- Privileged user management
- Change management
- Configuration management
- Patch management
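The access control policy topics above (least privilege, segregation of duties, emergency access and the three metrics) and the authorization modes and access control list under cybersecurity controls can be exercised together in one small model. The following is an added example written for these notes, not code from the original study guide or from ISACA: a role-based ACL with the write/create/update, delete and execute modes (a read mode is assumed for completeness), time-limited break-glass grants that are revoked on expiry, a segregation-of-duties check over role assignments, and the "access violations exceeding the allowed amount" and "SoD findings" metrics computed from a constructed access log. All roles, rules, user names and log entries are hypothetical.

```python
"""Added example: toy least-privilege ACL, break-glass grants, SoD check and
access-control metrics. All roles, rules, users and log lines are constructed
for illustration and are not from the original notes."""
from dataclasses import dataclass, field

# Authorization modes. The notes list write/create/update, delete and execute;
# READ is an assumption added so the example can express read-only access.
READ, WRITE, DELETE, EXECUTE = "read", "write", "delete", "execute"

# Role -> permitted (resource, mode) pairs. Hypothetical and least-privilege:
# each role gets only the modes its job function needs.
ROLE_ACL = {
    "ap_clerk":    {("invoices", READ), ("invoices", WRITE)},
    "ap_approver": {("invoices", READ), ("payments", WRITE)},
    "auditor":     {("invoices", READ), ("payments", READ), ("audit_log", READ)},
    "dba":         {("audit_log", READ), ("audit_log", DELETE), ("db_maint", EXECUTE)},
}

# Segregation-of-duties rules: role pairs one person must never hold at once.
SOD_RULES = [("ap_clerk", "ap_approver"), ("auditor", "dba")]


@dataclass
class Principal:
    name: str
    roles: set
    # break-glass (emergency) grants: (resource, mode) -> expiry timestamp
    emergency: dict = field(default_factory=dict)


def is_authorized(p, resource, mode, now):
    """Allow if any role's ACL grants the mode, or an unexpired emergency grant does."""
    if any((resource, mode) in ROLE_ACL.get(role, ()) for role in p.roles):
        return True
    expiry = p.emergency.get((resource, mode))
    return expiry is not None and now < expiry


def grant_emergency(p, resource, mode, now, ttl):
    """Permit emergency access for a bounded time; it is revoked when ttl elapses."""
    p.emergency[(resource, mode)] = now + ttl


def revoke_expired(p, now):
    """Revoke every emergency grant whose expiry has passed; return what was revoked."""
    expired = [k for k, exp in p.emergency.items() if exp <= now]
    for k in expired:
        del p.emergency[k]
    return expired


def sod_violations(principals):
    """Return (user, role_a, role_b) for every SoD rule a user currently breaks."""
    return [(p.name, a, b) for p in principals for a, b in SOD_RULES
            if a in p.roles and b in p.roles]


def access_metrics(log, principals, allowed_per_user):
    """Count denied requests per user, flag users over the allowed amount,
    and report the number of SoD findings."""
    by_name = {p.name: p for p in principals}
    denied = {}
    for e in log:
        if not is_authorized(by_name[e["user"]], e["resource"], e["mode"], e["ts"]):
            denied[e["user"]] = denied.get(e["user"], 0) + 1
    over = sorted(u for u, n in denied.items() if n > allowed_per_user)
    return {"denied": denied, "users_over_threshold": over,
            "sod_findings": len(sod_violations(principals))}


# Constructed principals: bob holds two conflicting roles on purpose.
ALICE = Principal("alice", {"ap_clerk"})
BOB = Principal("bob", {"ap_clerk", "ap_approver"})
CAROL = Principal("carol", {"auditor"})
DAN = Principal("dan", {"dba"})
SAMPLE_PRINCIPALS = [ALICE, BOB, CAROL, DAN]
# carol gets break-glass write on payments at t=100 for 50 time units.
grant_emergency(CAROL, "payments", WRITE, now=100, ttl=50)

# Constructed access log (user, resource, mode, timestamp).
SAMPLE_LOG = [
    {"user": "alice", "resource": "invoices",  "mode": WRITE,   "ts": 10},
    {"user": "alice", "resource": "payments",  "mode": WRITE,   "ts": 11},
    {"user": "alice", "resource": "payments",  "mode": WRITE,   "ts": 12},
    {"user": "alice", "resource": "audit_log", "mode": DELETE,  "ts": 13},
    {"user": "bob",   "resource": "payments",  "mode": WRITE,   "ts": 20},
    {"user": "carol", "resource": "payments",  "mode": WRITE,   "ts": 120},
    {"user": "carol", "resource": "payments",  "mode": WRITE,   "ts": 160},
    {"user": "dan",   "resource": "db_maint",  "mode": EXECUTE, "ts": 30},
    {"user": "dan",   "resource": "invoices",  "mode": READ,    "ts": 31},
]

if __name__ == "__main__":
    print(sod_violations(SAMPLE_PRINCIPALS))
    print(access_metrics(SAMPLE_LOG, SAMPLE_PRINCIPALS, allowed_per_user=2))
```

With the sample data, alice is denied three times (above the allowed two), carol's emergency write succeeds at t=120 but is denied at t=160 after the grant has lapsed, and bob's combined clerk/approver assignment is the single SoD finding. In a real deployment the role ACL and SoD rules would come from the access control policy, and the log from the identity or authorization service rather than an inline list.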