Dr. Bhavani Thuraisingham Information Security and Risk Management June 5, 2015 Lecture #5 Summary of Chapter 3

13-2 3/10/ :48 Outline 0 Security Management 0 Security Administration and Supporting Controls 0 Organizational Security Model 0 Information Risk Management 0 Risk Analysis 0 Policies, Standards, Baselines, Guidelines, Procedures 0 Information Classification 0 Layers of Responsibility 0 Security Awareness and Training

13-3 3/10/ :48 Security Management 0 Security Management Responsibilities 0 Top-Down approach to security

13-4 3/10/ :48 Security Administration and Supporting Controls 0 Fundamental principles of security -CIA 0 Security definitions -Threats, Vulnerabilities, Risk, Countermeasures/safeguard 0 Security through obscurity

13-5 3/10/ :48 Organizational Security Model 0 Security Program Components 0 Security Frameworks 0 Security Governance 0 Security Program Development

13-6 3/10/ :48 Information Risk Management 0 Who really understands risk management? 0 Information Risk Management Policy 0 The Risk Management Team

13-7 3/10/ :48 Risk Analysis 0 Risk Analysis Team 0 Risk Ownership 0 The value of information and assets 0 Costs that make up the value 0 Identifying Threats 0 Failure and Fault Analysis 0 Quantitative Risk Analysis 0 Qualitative Risk Analysis 0 Protection Mechanisms

13-8 3/10/ :48 Policies, Standards, Baselines, Guidelines, Procedures 0 Security Policy 0 Standards 0 Baselines 0 Guidelines 0 Procedures 0 Implementation

13-9 3/10/ :48 Information Classification 0 Private Business vs. Military Classification 0 Classification Controls

/10/ :48 Layers of Responsibility 0 Board of Directors 0 Executive Management 0 Chief Information Officer 0 Chief Security Officer 0 IS Security Steering Committee 0 Audit Committee 0 Data Owner 0 Data Custodian 0 System Owner 0 Security Administrator 0 Security Analyst 0 Application Owner 0 Supervisor 0 Change Control Analyst 0 Data Analyst 0 Process Owner 0 Solution Provider 0 User 0 Product Line Manager 0 Auditor 0 Other: HR, Hiring Practices, Termination

/10/ :48 Security Awareness and Training 0 Different Types of Security Awareness and Training 0 Evaluating the Program 0 Specialized Security Training