InfoSec Security Governance and Risk Management
Key terms for this section:
- Defense in Depth (also called security in depth) - Multiple layers of controls (administrative, technical, physical) that combine and supplement one another so that no single control failure exposes the asset.
- The five control types covered here are Preventive, Detective, Corrective, Deterrent and Recovery (other references also list compensating and directive controls).
- Most controls are preventive. If a control could fit several types, classify it by its main purpose, which is usually preventive.
- Preventive and deterrent controls are the only a priori (before the fact) controls: they stop or discourage an incident. Detective, corrective and recovery controls all act after the fact.
- In the example list, fences and lighting are classed as deterrent controls (fences can also be preventive); almost everything else falls under preventive.
- Server images (re-imaging a compromised host) are the only corrective control in the example list. They are classed as corrective rather than recovery because they restore system integrity, not just bring a system back into operation.
- Data backups and off-site facilities are the only recovery controls in the example list.
- Know the history and main guiding documents for security frameworks:
- BS 7799 - British Standard that laid the foundation for information security management systems (ISMS).
- ISO/IEC 27000 series - Expanded and codified form of BS 7799 (ISO/IEC 27001 for ISMS requirements, 27002 for the code of practice); the industry de facto standard.
- Know main security architectures and frameworks
- A framework is a guideline or reference model; an architecture is the application of that framework, i.e. the actually designed and built system.
- Zachman Architecture Framework - A two-dimensional matrix that describes the organization from multiple perspectives (planner, owner, designer, builder, implementer) against six questions (what, how, where, who, when, why).
- The Open Group Architecture Framework (TOGAF) - Derived from a US DoD framework (TAFIM); covers four domains: business, data, application and technology. Uses the Architecture Development Method (ADM), an iterative, cyclical process for reviewing and updating architectures as needed.
- Department of Defense Architecture Framework (DoDAF) - Focuses on interoperability of systems and data across DoD components.
- Ministry of Defence Architecture Framework (MODAF) - UK MoD framework derived from DoDAF; focuses on timely delivery of appropriately formatted data to the key points and individuals that need it.
- Sherwood Applied Business Security Architecture (SABSA) - Risk-driven framework for enterprise security architectures and service management structures. Uses a layered approach (contextual, conceptual, logical, physical, component, operational) to keep efforts cohesive and avoid stovepipes and overlaps.