Information Security and Risk Management

Information security and Risk Management system :
Primary Objective: Maintaining and conducting business operations in a secure environment.
- Organization: what are business needs
- Information: which are critical for business
- What's your business/organization mission and vision?
- Which sector your business/organization belongs to ?
- identify and classify our organization's assets (tangible and intangible)
- ensure the security of those assets is adequately protected by implementing core security principles
- - CIA Triad:
  - Confidentiality : deals with secrecy, restrict un authorized access
    Security controls like encryption, access controls
    Which security control we in placed to achieve this
    Data encryption : data at rest
    Hashing : data in transit (file integrity monitoring)
    Sha 256
    Sha 512
    MFA (IAM and user access)
    Privilege Access Management
    Password rotations and policies
    Secret Management
    Physical Security
    Default deny for critical data and infrastructure
    Documented approval from leadership
    Proper auditing/activity log management
- Integrity : protecting reliability
- - Access restriction to make changes
  - Encryption policies to achieve integrity when data at rest
  - Hashing policies to achieve integrity when data at transit
- Availability : having uninterrupted access
- - High availability of services or access to data.
  - What is org Disaster Recovery Plan?
    What is org Business Continuity Plan?
    Fail over clustering
    Site reliability
    Site resiliency
    Automatic failover
    Load balancing
    Redundant components of software and hardware
    Cold, hot and warm sites
- AAA
- - Authentication
  - Authorization
  - Accounting
- IAAAA
- - Identification
  - Authentication
  - Authorization
  - Auditing
  - Accounting
1. Information Security Management System and Risk Management
2. 1. Information security policies, procedures and playbooks
  2. Managing third party Risks
  3. Cloud service provider
    Third Party service provider
    Policies with Third party service provider to know breach information
    Service Level Agreements
    Vendor Security Assessment https://opensource.google/projects/vsaq
    Consensus Assessments Initiative Questionnaire
    Data Loss Prevention
3. Asset Security
4. 1. Assets Types
i. Physical
ii. Digital
iii. Non reputational
1. Asset Register/Inventory
i. Asset Owners
ii. Asset value
iii. Asset Classification
1. CMDB
2. Asset identification and classification
1. Security Awareness Training
a. Phishing simulations
1. Security Architecture and Engineering
2. Vulnerability Management
3. Network Security
4. Identity and Access Management
5. Security Testing
6. Disaster Recovery and Business Continuity plan
7. Security Operations
8. Software Development Security/DevSecOps
References:
https://www.sans.org/posters/ciso-scorecard-cloud-maturity-model/
https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk
https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider

PreviousGRC NextRisk Management

Last updated 5 months ago