Guidelines for how to implement policy
Authority for information security department
Basis for data classification
Recognition of information as an asset of the organization
Permit losses that aren't very important.
Be 100% effective in preventing loss.
Reduce losses to a pre-defined level that management can tolerate.
Reduce losses to within 10% of a pre-defined level
When responsibility for the conditions that cause the risk to arise is outside their department
When the cost of taking action outweighs the potential cost of the risk being realized.
When risk reduction measures may affect the productivity of the business.
Never - action should always be taken to reduce or eliminate an identified risk.
Threat and vulnerability analysis
Countermeasure cost/benefit analysis
Separation of duties
Employees' attitudes and behaviors
Attitudes of employees with sensitive data
Corporate attitudes about safeguarding data
System security oversight
Human resource oversight
Business service oversight
Identification of users
The approval of the change management control team
The development of a detailed test plan
The formulation of specific management objectives
The communication process among team members
The company is a multi-national company
They have not exercised due care protecting computing resources
They have failed to properly insure computer resources against loss
The company does not prosecute the hacker that caused the breach
Monitor only during off hours
Obtain a search warrant prior to any monitoring
Not capture any network traffic related to monitoring employees' activity
Apply for a waiver from Interpol before monitoring
The fire caused critical business systems to be disabled for longer than the Recovery Time Objective
The fire alarms went off and the building had to be evacuated.
The trash can contained company sensitive documents.
The fire spread beyond the trash can and the fire department had to be called.
Identify the organization's key business functions
Identify the computer systems critical to the survival of the organization.
Estimate the financial impact a loss would have on the business based on how long an outage would last.
Acquire information from government agencies about the likelihood of a natural disaster occurring.
Emergency response plan
Disaster recovery plan
Business impact analysis
It is the process of analyzing all business functions to determine the impact of an outage.
It is the process of analyzing corporate functions, such as accounting, personnel, and legal to determine which functions must operate immediately following an outage.
It is the process of documenting procedures and capabilities to sustain organizational essential functions at an alternate site.
It is the process of documenting viable recovery options for each business unit in the event of an outage.
Customer interruption impacts
Embarrassment or loss of confidence impacts
Executive management disruption impacts
Revenue loss potential impact
A description of the settings that will provide the highest level of security
A brief high-level statement defining what is and is not permitted in the operation of a system
A definition of those items that must be denied on the system
A listing of tools and applications that will be used to protect the system
Recommendations for salary improvement of security professionals
Addressing privacy and health care requirements of employees
Alignment with organizational audit and marketing plans
Incorporating input from organizational privacy and safety professionals
Assure protection of organizational data and information
Select the technology solutions to enhance organizational security effectiveness
Identify potential risks to organizational employee behavior
Align organizational data protection schemes to business goals
Service level agreements
The Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete.
The Security Officer accepts the risk of system failures
The Security Officer reports to the Privacy Officer.
The Security Officer is responsible for protection of business information assets.
The regulations that affect a company within a state or country
The risk management processes and procedures within a company
The organizational structure that includes standards, procedures and policies
The organizational chart that describes who reports to whom as defined for a company