security management
by: Frederick Notetaker
INFOSYS 6828
About this Document

weeks 2 and 3
Principles of Information Security
Dr. Shaji Khan
Class Notes
This 6 page Class Notes was uploaded by Frederick Notetaker on Tuesday February 9, 2016. The Class Notes belongs to INFOSYS 6828 at University of Missouri - St. Louis taught by Dr. Shaji Khan in Spring 2016. Since its upload, it has received 81 views. For similar materials see Principles of Information Security in Information technology at University of Missouri - St. Louis.
Date Created: 02/09/16
InfoSec Management – Frameworks & Standards Overview

Major InfoSec Management Frameworks
- ISO/IEC ISMS Family of Standards
- COBIT 5 for Information Security
- NIST – SP 800-100 and related
- Others: Information Security Forum – Standards of Good Practice; PCI-DSS

Major InfoSec Management Frameworks – ISO/IEC ISMS Family
- ISO/IEC Information Security Management System (ISMS) Family of Standards
  - ISO: International Organization for Standardization
  - IEC: International Electrotechnical Commission
- Under a Joint Technical Committee (JTC), experts from these organizations drafted a series of standards that pertain to Information Security Management
  - ISO/IEC 27000 provides an overview of this family
  - ISO/IEC 27001 provides normative requirements that, if followed, afford an organization the opportunity to be "ISO/IEC 27001 Certified"
  - ISO/IEC 27002 provides 114 controls that organizations could implement to protect information assets

ISO/IEC Links
- What is a Management System Standard by ISO?
- Documentation for ISO standards is not free
- You can get the overview standard (27000) from here: (look for ISO/IEC 27000:2014 and download the zip file)
- You can see a "preview of 27001" here (scroll down and look for the preview link)
- ALL standards published by the ISO/IEC JTC 1/SC 27 subcommittee called "IT Security Techniques" (link fragment as extracted: commid=45306&published=on)

Major InfoSec Management Frameworks – COBIT 5 for Information Security
- COBIT: Control Objectives for Information and Related Technology
- COBIT 5: a broader business framework for the Governance and Management of Enterprise IT; one of the areas COBIT 5 focuses on is Information Security
- Created by ISACA (previously known as the Information Systems Audit and Control Association; ISACA now goes by its acronym only)
- ISACA also offers certifications: Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA)

COBIT 5 Links
- COBIT 5 Overall Framework: check out Additional Resources to get an overview
- COBIT 5 for Information Security: look for the "preview" PDF or see the introduction PowerPoint
- A simple overview of COBIT 5 for InfoSec

NIST – Computer Security Division – Guidelines
- NIST (National Institute of Standards and Technology)'s Computer Security Division develops a variety of Standards, Guidelines, and Recommendations related to InfoSec (NIST CSRC Publications)
- A broad set of guidelines is presented in NIST Special Publication SP 800-100: Information Security Handbook: A Guide for Managers
- This framework addresses major management aspects such as governance, risk management, planning, controls, etc.

Other Frameworks/Standards/Best Practices
- Information Security Forum: The Standard of Good Practice for Information Security
- Payment Card Industry Data Security Standard (PCI-DSS): not really a framework but a standard that specifies controls to be implemented by any entity that deals with payment card data; started by Visa, MasterCard, Discover, JCB, and American Express

Managing InfoSec: The basic idea
- We have "valuable" information assets that need protection
- Our assets face "risks" because of inherent vulnerabilities in our "systems" that create, process, store, and communicate information
- Risks are present because "threats" can exploit vulnerabilities to cause breaches in CIA
- So, we systematically identify, assess, and evaluate risks
- Treat unacceptable levels of risk by applying suitable controls to prevent breaches
- BUT as circumstances related to our assets and the threats change, we need to perform these activities continuously

Information Security Management System (ISMS)
- An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives
- It is based upon a risk assessment and the organization's risk acceptance levels, designed to effectively treat and manage risks
- It consists of policies, procedures, guidelines, resources, and activities
- Key activities include:
  - RISK MANAGEMENT
  - SELECTION AND IMPLEMENTATION OF CONTROLS BASED ON INPUT FROM RISK MANAGEMENT PROCESSES

Step 1: Identifying information security requirements
- Identify InfoSec requirements based on an understanding of: identified information assets and their value; business needs for information processing, storage and communication; and legal, regulatory, and contractual requirements
- Example: A "doctor's office" has a Patient Billing Management System (software app) that sits on a local Windows 2003 Server (software and hardware)
  - We need to enter patient billing information, and then it needs to be shared with insurance companies for payment
  - Among CIA, integrity of this data is most important to us, followed by confidentiality. We could live with a downtime of a day (availability)
  - However, due to HIPAA regulations and our contracts with other hospitals/providers, we also have to strictly enforce confidentiality

Step 2: Assessing information security risks (Risk Assessment)
- Identify InfoSec Risks: look at our assets, their vulnerabilities, and potential threats to clearly identify risks
  - Disgruntled billing clerk could intentionally modify billing data
  - Hackers could exploit known vulnerabilities in Windows Server
- Analyze InfoSec Risks: systematically figure out the nature of the risk and the magnitude of the risk
  - 10% probability that the billing clerk acts crazy
  - Could result in $10,000 damage per incident
  - Risk = 0.1 * 10000 = 1000 per incident
- Evaluate InfoSec Risks: compare the estimated risks from our earlier analyses with certain risk criteria (that we developed) to determine if the risk is acceptable/tolerable
  - Criteria: anything less than $5000 is not worth it
  - For the above risk, simply "accept it" and do nothing
- Risk Treatment: based on our risk evaluations, we must figure out how to "treat" this risk
  - Simply accept it (Risk Acceptance)
  - Avoid risks by not allowing actions that would cause the risks to occur (Risk Avoidance)
  - Share the associated risks with other parties, e.g. insurers or suppliers (one reason for outsourcing!!!) (Risk Transfer)
  - Apply appropriate controls to reduce the risks (Risk Mitigation)

Step 3: Select and Implement Appropriate Controls
- Controls: countermeasures that modify risk; they include any process, policy, device, practice, or combination of efforts geared toward reducing the risks to an acceptable level
- Controls may not always exert the intended or assumed modifying effect
- Example (continuing our doctor's office scenario):
  - Technical control: upgrade to Windows 2012 R2 Server, keep it well patched, etc.
  - Administrative control: any major (say $5000 or more) change in the billing system needs approval from two people
- Controls should be aligned with: requirements and constraints of national and international legislation and regulations; organizational objectives; operational requirements and constraints; and their cost of implementation and operation in relation to the risks being reduced, remaining proportional to the organization's requirements and constraints
- The selection and implementation of controls should be documented within a statement of applicability to assist with compliance requirements
- ISO/IEC 27002 provides a list of 114 specific controls grouped under 14 categories:

Step 4: Monitor, maintain and improve the effectiveness of the ISMS
- Monitor and assess ISMS performance against organizational policies and objectives
- This implies we need to have strong metrics to measure ISMS performance
- Focus on continuous improvement: seeking opportunities for improvement and not assuming that existing management activities are good enough or as good as they can be

Some Critical Success Factors in Implementing an ISMS that meets Organizational Objectives
- information security policy, objectives, and activities aligned with business objectives
- an ISMS approach and framework consistent with the organizational culture
- visible support and commitment from all levels of management, especially top management
- an understanding of information asset protection requirements achieved through the application of information security risk management (see ISO/IEC 27005)
- an effective information security awareness, training and education program for all stakeholders (with motivation to act)
- an effective information security incident management process
- an effective business continuity management approach
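The following is an added example, not part of the original notes: a small Python risk register that runs the doctor's office scenario through Steps 2 and 3 (analyze as probability x impact, evaluate against the "$5000 is not worth it" criterion, treat, then document the outcome in a statement-of-applicability table). The $10,000 / 10% clerk figures and the $5000 criterion come from the notes; the server risk's probability and impact, the "factor" by which each control is assumed to reduce likelihood or impact, and the rule that controls are tried in catalogue order are all constructed assumptions for illustration.

```python
"""Toy ISMS risk register: identify -> analyze -> evaluate -> treat -> document.
Figures for the billing-clerk risk and the $5000 criterion follow the class
notes; everything else (server risk numbers, control factors) is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    kind: str                   # "technical" or "administrative"
    probability_factor: float   # assumed multiplier on likelihood (0..1)
    impact_factor: float = 1.0  # assumed multiplier on loss per incident (0..1)


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float          # likelihood the threat acts, per period
    impact: float               # dollar loss per incident
    controls: List[Control] = field(default_factory=list)
    treatment: str = "untreated"

    def expected_loss(self) -> float:
        """Analyze: magnitude = probability x impact after any applied controls.
        The factors are estimates; the notes warn that controls 'may not always
        exert the intended or assumed modifying effect'."""
        p, i = self.probability, self.impact
        for c in self.controls:
            p *= c.probability_factor
            i *= c.impact_factor
        return p * i


def evaluate(risk: Risk, threshold: float) -> str:
    """Evaluate: compare analyzed risk with our criterion
    ('anything less than the threshold is not worth treating')."""
    return "acceptable" if risk.expected_loss() < threshold else "unacceptable"


def treat(risk: Risk, candidates: List[Control], threshold: float) -> str:
    """Treat: accept tolerable risk; otherwise apply candidate controls in the
    given order until the residual risk is tolerable (mitigation). If none
    suffice, flag the risk so avoidance or transfer can be considered."""
    if evaluate(risk, threshold) == "acceptable":
        risk.treatment = "accept"
        return risk.treatment
    for control in candidates:
        risk.controls.append(control)
        if evaluate(risk, threshold) == "acceptable":
            risk.treatment = "mitigate"
            return risk.treatment
    risk.treatment = "escalate: consider avoidance or transfer"
    return risk.treatment


def statement_of_applicability(risks: List[Risk], catalogue: List[Control],
                               threshold: float) -> List[Dict[str, object]]:
    """Treat every risk and document which controls apply to which risk,
    the inherent loss, and the residual loss left after treatment."""
    rows = []
    for risk in risks:
        treat(risk, catalogue, threshold)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent_loss": risk.probability * risk.impact,
            "residual_loss": round(risk.expected_loss(), 2),
            "controls": [c.name for c in risk.controls],
            "treatment": risk.treatment,
        })
    return rows


# Criterion from the notes; control factors are constructed assumptions.
THRESHOLD = 5000.0
CATALOGUE = [
    Control("Upgrade to Windows 2012 R2 and keep it patched", "technical", 0.2),
    Control("Two-person approval for billing changes of $5,000 or more",
            "administrative", 0.5),
]


def doctors_office_risks() -> List[Risk]:
    """Identify: the two risks named in the notes. Clerk figures are the notes'
    own (10%, $10,000); the server figures (40%, $50,000) are constructed."""
    return [
        Risk("Patient Billing Management System",
             "disgruntled clerk intentionally modifies billing data", 0.1, 10_000),
        Risk("Windows 2003 Server hosting the billing system",
             "attacker exploits a known unpatched vulnerability", 0.4, 50_000),
    ]


if __name__ == "__main__":
    for row in statement_of_applicability(doctors_office_risks(), CATALOGUE, THRESHOLD):
        print(row)
```

Running it reproduces the notes' decision for the clerk risk (expected loss $1000, below the $5000 criterion, so "accept" with no controls) and shows the other path for the server risk: $20,000 inherent loss, mitigated to $4000 by the first catalogued control. The `escalate` branch is where a real ISMS would weigh avoidance or transfer, the two treatments the register does not model.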