Information Security and Risk Management

  • Information security and Risk Management system :

  • Primary Objective: Maintaining and conducting business operations in a secure environment.

    • Organization: what are business needs

    • Information: which are critical for business

    • What's your business/organization mission and vision?

    • Which sector your business/organization belongs to ?

    • identify and classify our organization's assets (tangible and intangible)

    • ensure the security of those assets is adequately protected by implementing core security principles

      • CIA Triad:

        • Confidentiality : deals with secrecy, restrict un authorized access

          • Security controls like encryption, access controls

          • Which security control we in placed to achieve this

            • Data encryption : data at rest

            • Hashing : data in transit (file integrity monitoring)

              • Sha 256

              • Sha 512

            • MFA (IAM and user access)

              • Privilege Access Management

              • Password rotations and policies

              • Secret Management

            • Physical Security

            • Default deny for critical data and infrastructure

              • Documented approval from leadership

              • Proper auditing/activity log management

    • Integrity : protecting reliability

      • Access restriction to make changes

      • Encryption policies to achieve integrity when data at rest

      • Hashing policies to achieve integrity when data at transit

    • Availability : having uninterrupted access

      • High availability of services or access to data.

        • What is org Disaster Recovery Plan?

        • What is org Business Continuity Plan?

        • Fail over clustering

        • Site reliability

        • Site resiliency

        • Automatic failover

        • Load balancing

        • Redundant components of software and hardware

          • Cold, hot and warm sites

    • AAA

      • Authentication

      • Authorization

      • Accounting

    • IAAAA

      • Identification

      • Authentication

      • Authorization

      • Auditing

      • Accounting

    1. Information Security Management System and Risk Management

      1. Information security policies, procedures and playbooks

      2. Managing third party Risks

        1. Cloud service provider

        2. Third Party service provider

        3. Policies with Third party service provider to know breach information

        4. Service Level Agreements

        5. Vendor Security Assessment https://opensource.google/projects/vsaq

        6. Consensus Assessments Initiative Questionnaire

        7. Data Loss Prevention

    3. Asset Security

      1. Assets Types

  • i. Physical

  • ii. Digital

  • iii. Non reputational

    1. Asset Register/Inventory

  • i. Asset Owners

  • ii. Asset value

  • iii. Asset Classification

    1. CMDB

    2. Asset identification and classification

    1. Security Awareness Training

  • a. Phishing simulations

    1. Security Architecture and Engineering

    2. Vulnerability Management

    3. Network Security

    4. Identity and Access Management

    5. Security Testing

    6. Disaster Recovery and Business Continuity plan

    7. Security Operations

    8. Software Development Security/DevSecOps

  • References:

  • https://www.sans.org/posters/ciso-scorecard-cloud-maturity-model/

  • https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk

  • https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider

PreviousGRCNextRisk Management

Last updated

Was this helpful?