Session 1

by: pooja Notetaker

Session 1 ISTM-6206

pooja Notetaker
GPA 3.5

About this Document

This session talks briefly about security governance, frameworks and risk management. By pooja
Study Guide

This 22 page Study Guide was uploaded by pooja Notetaker on Saturday February 14, 2015. The Study Guide belongs to ISTM-6206 at George Washington University taught by in Winter 2015. Since its upload, it has received 219 views.


Reviews for Session 1


Report this Material


What is Karma?


Karma is the currency of StudySoup.

You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!

Date Created: 02/14/15
Information Security (IS)

Information Security aims at protecting the availability, integrity and confidentiality of data from unauthorized access. E.g. the recent security breaches of data at Sony and Home Depot.

Domains in IS

There are ten domains in IS, including:
1. Information Security Governance and Risk Management
2. Access Control
3. Security Architecture and Design
4. Physical and Environmental Security
5. Telecommunications and Network Security
6. Cryptography
7. Business Continuity and Disaster Recovery Planning
8. Legal, Regulations, Investigations and Compliance

Fundamental Principles of Security

The three core goals of security are:
- Availability: gives authorized users reliable and timely information and data. Supported by redundant data and power lines, backups of software and data, colocation and offsite facilities, and rollback functions.
- Integrity: maintained when a guarantee of reliable and accurate information is provided and any unauthorized changes are prevented. Hashing (data integrity), configuration management (system integrity), change control (process integrity).
- Confidentiality: prevents unauthorized disclosure and ensures that information is not shared with others. Encryption for data at rest (whole disk and database encryption), access control (physical and technical).

Key Terms in Security
- Vulnerability: lack of a countermeasure, or a weakness. It can be a hardware, software or human weakness that can be exploited.
- Threat: any potential danger associated with the exploitation of a vulnerability.
- Threat Agent: an entity that takes advantage of a vulnerability.
- Risk: the likelihood of a threat agent exploiting a vulnerability and the associated impact.
- Exposure: an instance where a vulnerability exposes the organization to a threat.
- Control: to reduce the potential risk. Control, Safeguard and Countermeasure are mechanisms for reducing risks and are interchangeable terms.

Information Security Management

Management should understand the vision, objectives and business goals of the organization and should establish the ongoing process of:
- determining the information security needs and assessing the risks
- implementing the information security infrastructure, including policies and controls to address risks
- monitoring and evaluating information security systems and practices
- promoting and ensuring organizational awareness

A top-down approach is recommended in Information Security.

Information Security Governance

A systematic system of integrated processes that help to ensure consistent oversight, accountability and compliance. It creates a framework and supports the processes and management structure to ensure that security strategies:
- align with the business objectives
- adhere to policies, standards and internal controls
- provide assignment of authority and responsibility

Information Security Infrastructure

The information security infrastructure is an array of controls and procedures that are:
- designed to ensure security
- applicable to all levels of the organization
- modified to the specifics of the tasks to be performed
- the responsibility of assigned personnel accountable for information security performance
- monitored to provide feedback on the effectiveness of controls and identify improvement opportunities

[Figure: Process for building the Information Security Assurance Infrastructure: information assurance policy, procedures and work practices (diagram not reproduced)]

Information Security Culture

Efficient and productive information security should be put in place to ensure that people in the organization operate in a safe manner. A comprehensive understanding of information security should be established through:
- Policies
- Strategies
- Plans
- Procedures
- Work practices

CIA Triad
- Availability: redundancy (hardware, software, environmental, data), fault-tolerant systems, contingency (backup facilities, hardware, software, data)
- Integrity: hashing, checksums, configuration and change control management
- Confidentiality: encryption, access controls

Control Types

The information security infrastructure is made up of information security controls:
- Administrative (soft controls): management oriented. E.g. risk management, personnel security and training.
- Technical (logical controls): hardware and software components. E.g. firewalls, IDS, encryption, identification and authentication mechanisms.

Control Functionalities
- Deterrent: to discourage a potential attacker
- Preventive: to avoid an incident from occurring
- Corrective: fixes components or systems after an incident has occurred
- Recovery: to bring the environment back to regular operations
- Detective: helps to identify an incident's activities and potentially an intruder
- Compensating: controls that provide an alternative measure of control

Policy > Strategy > Plans > Actions

Security Framework

A security program is a framework made up of many entities (administrative, logical and physical protection mechanisms, procedures, business processes and people) that all work together to provide a protection level for an environment.

ISO/IEC 27000 series: international standards on how to develop and maintain an ISMS, developed by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). ISO follows the Plan-Do-Check-Act (PDCA) cycle, an iterative process commonly used in business process quality control programs:
- Plan: establishing objectives and making plans
- Do: implementation of the plans
- Check: measuring results to understand if objectives are met
- Act: direction on how to correct and improve plans to better achieve success

Enterprise Architecture Development

An enterprise architecture addresses the structure of an organization.
- Zachman framework: development of enterprise architectures, developed by John Zachman
- TOGAF: model and methodology for the development of enterprise architectures, developed by The Open Group
- DoDAF: US Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
- MODAF: architecture framework for military support missions, developed by the British Ministry of Defence

Security Enterprise Architecture Development
- SABSA: model for the development of information security enterprise architectures

Security Controls Development
- CobiT: set of control objectives for IT management, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
- SP 800-53: set of controls to protect US federal systems, developed by the National Institute of Standards and Technology (NIST)

Corporate Governance
- COSO: set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO)

Process Management
- ITIL: processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce
- Six Sigma: business management strategy that can be used to carry out process improvement
- Capability Maturity Model Integration (CMMI): organizational development for process improvement, developed by Carnegie Mellon

Risk Management

The foundation of efficient information security is the ability to anticipate and manage risks. Risk management can be defined as an ongoing process of identifying risks and implementing plans to address them (Alberts and Dorofee).

Risk Assessment

Risk assessment is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out and the results are analyzed. The prerequisite for managing risks effectively is knowing where they lie.

Risk Analysis

Risk analysis is used to ensure that security is cost-effective, relevant, timely and responsive to threats. The main goals of risk analysis are to:
- identify assets and assign values to them
- identify vulnerabilities and threats
- quantify the impact of potential threats
- provide an economic balance between the impact of the risk and the cost of the safeguards

Risk Assessment Methodologies
- NIST (National Institute of Standards and Technology): a US federal standard that is focused on IT risks
- FRAP (Facilitated Risk Analysis Process): a focused qualitative approach that carries out pre-screening to save time and money
- OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation): a team-oriented approach that assesses organizational and IT risks through facilitated workshops

Types of Risks

Risk can be transferred, avoided, reduced or accepted.
- Total Risk: the full risk amount before a control is put into place. Threats × vulnerability × asset value
- Residual Risk: the risk that remains after implementing a control. Threats × vulnerability × asset value × controls gap. Also: Residual Risk = total risk − countermeasures