enables authorized users to access information without interference or obstruction
and to receive it in the required format.
The quality or state of information being genuine or original, rather than a reproduction or fabrication.
When information is protected from disclosure or exposure to
unauthorized individuals or systems.
Systems Development Life Cycle (SDLC)
Investigation, Logical Design, Physical Design, Implementation, Maintenance and Change
Unskilled Hacker, Script Kiddie, or Packet Monkey:
Use programs and scripts developed by expert hackers to carry out attacks
Hacktivist or cyberactivist:
hacks to protest the operations, policies or actions of an organization or government agency
are rules that mandate or prohibit certain behavior in society. Ethics define socially acceptable behavior. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not.
has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical behavior.
requires that an organization makes a valid effort to protect others and continually maintain this level of effort.
Computer Fraud and Abuse Act of 1986
The cornerstone of many computer-related federal laws and enforcement efforts.
National Information Infrastructure Protection Act of 1996
modified several provisions of the Computer Fraud and Abuse Act of 1986. The severity of penalties under this act depends on the value of the information obtained and whether the offense is judged to have been committed (1) for the purposes of commercial advantage, (2) for private financial gain, or (3) in furtherance of a criminal act.
USA Patriot Act and USA Patriot Act Improvement and Reauthorization Act
expanded the powers of the Department of Homeland Security and the FBI in investigating terrorist activity. It also expanded the penalties for many computer-related crimes.
The Privacy of Customer Information Section of the common carrier regulation states
that proprietary information shall be used explicitly for providing services, and not for any marketing purposes, and that carriers cannot disclose information except when necessary to provide their services.
The Electronic Communications Privacy Act of 1986
is a collection of statutes that regulate the interception of wire, electronic and oral communications.
The Financial Services Modernization Act (Gramm-Leach-Bliley Act of 1999) requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.
Sarbanes-Oxley Act of 2002
seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.
Fear of penalty, probability of being caught, and probability of the penalty being administered.
is the process of identifying vulnerabilities in an organization's information system and taking careful, reasoned steps to ensure the confidentiality, integrity and availability of all the components in the organization's information system.
is the process of examining and documenting the security posture of an organization's information technology and the risks it faces.
is the process of applying controls to reduce the risks to an organization's data and information system.
(the likelihood of an occurrence of a vulnerability) × (the value of the information asset) - (the percentage of risk mitigated by current controls) + (the uncertainty of current knowledge of the vulnerability)
direct the organization to avoid those business activities that introduce uncontrollable risks
Asset values can be ranked using
both quantitative (actual value) and qualitative (relative value) methods.
best practices (or recommended practices)
Security efforts that seek to provide a superior level of performance in the protection of information
is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared".
the risk that remains even after the vulnerabilities have been controlled as much as possible.
A policy is
a plan or course of action used to convey instructions from an organization's senior-most management to those who make decisions, take actions and perform other duties.
are security processes that are designed by strategic planners and implemented by the security administration of the organization.
are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning.
Technical Controls Include
access controls such as identification, authentication, authorization, accountability, cryptography, and the classification of assets and users.
used as a front-line defense against external attacks, since it can be configured to filter incoming data packets based on protocol.
a device that selectively discriminates against information flowing into or out of the organization.
Security policy management requires that the policy stay visible and have:
• Individuals responsible for policy reviews
• A schedule of reviews
• A method for making recommendations for changes
• The policy issuance date
• Policy revision date
Intrusion Detection Systems (IDSs)
detect unauthorized activity within the inner network or on
The security blueprint
is the basis for the design, selection and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program.
The security framework
is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of an organization.
• Incident response (IR) plan
• Disaster recovery (DR) plan
• Business continuity (BC) plan
Business unit analysis -
the analysis and prioritization of the business functions within the organization's departments, sections, divisions, groups or other units to determine which are most vital to continued operations.
attack scenario end case:
estimate the cost of the best, worst and most likely cases; the final result
Subordinate plan classification
once the potential damage has been assessed, and each
scenario and attack scenario end case has been evaluated, a subordinate plan must be
developed or identified from among existing plans already in place.
is any clearly identified attack on the organization's information assets that would threaten
the assets' confidentiality, integrity or availability.
Must be organized in such a way as to support quick and easy access to required information
o The information in the IR plan is sensitive and must be protected
o The plan should be readily available to those who must respond to the incident
o The plan should be tested using one or more of the common strategies: checklists,
structured walk-throughs, simulations, parallel testing and even full interruption
o Check for incident indicators such as the presence of unfamiliar files, the presence or
execution of unknown programs or processes, unusual consumption of computer resources,
and unusual system crashes.
o Notify key personnel through the use of an alert roster document containing contact
information for the individuals to be notified in the event of an incident
o Alert message - a scripted description of the incident, usually just enough information
so each individual on the alert roster knows what portion of the IR plan to implement
o Document the incident - as soon as an incident or disaster has been declared, the
documentation of the event is begun
o Prioritization of efforts - after the dust settles, people must be kept focused on the task
ahead, and the necessary personnel must begin recovery operations as set out in
the Incident Response Plan.
o Damage assessment - Incident damage assessment is the rapid determination of the
scope of the breach of the confidentiality, integrity and availability of information and
information assets during or just following an incident.
o Recovery - Identify and resolve vulnerabilities. Install, replace or upgrade failed
safeguards. Improve monitoring capabilities. Restore data from backups. Restore
services. Continue monitoring for a similar attack. Restore the confidence of the
communities of interest.
o Perform an after-action review.
a hot, warm or cold site leased in conjunction with a business partner or sister organization
a contract between two or more organizations that specifies how each will assist the other in a disaster. Other options include a rolling mobile site configured in the payload area of a tractor-trailer.