InfoSec Security Governance and Risk Management

Key terms for this section:

  • Security in Depth - Multiple layers of controls (administrative, technical, physical) which combine/supplement one another to more fully protect an asset.
  • There are 5 types of controls: Preventative, Detective, Corrective, Deterrent and Recovery.
    • Most controls are preventative (if a control fits multiple types, choose the primary one, which is usually preventative).
    • Preventative and Deterrent are the only a priori (before the fact) controls. Detective, Corrective and Recovery all act after the fact.
    • Fences and lighting are deterrent; almost everything else falls under preventative.
    • Server images are the only corrective control listed as an example (one could argue they are recovery, but they deal more with restoring system integrity than with recovering the system itself).
    • Data backups and off-site facilities are the only recovery controls listed as examples.
  • Know the history and main guiding documents for security frameworks:
    • BS 7799 - British Standard that set the foundation for information security management systems (ISMS)
    • ISO/IEC 27000 - Expanded/codified form of BS 7799; the industry's de facto standard
  • Know main security architectures and frameworks
    • A framework is a guideline; an architecture is the application, i.e., the system actually built
    • Zachman Architecture Framework (ZFA) - Shows the organisation from multiple views
    • The Open Group Architecture Framework (TOGAF) - DoD-derived framework applicable to business, data, application and technology architectures. Uses the Architecture Development Method (ADM), an iterative, cyclical review process to update architectures as needed
    • Department of Defense Architecture Framework (DODAF) - Focuses on data interoperability
    • Ministry of Defence Architecture Framework (MODAF) - Focuses on immediacy and delivery of appropriately formatted data to key points/individuals.
    • Sherwood Applied Business Security Architecture (SABSA) - Useful for enterprise security architectures or service management structures. Uses a layered approach to ensure cohesion between efforts (avoids stovepipes and overlaps)