Security Policy and Governance - B.E. Sixth Semester (CSE)

B.E. Sixth Semester (CSE) - Security Policy and Governance (6 KS 01)

Summer 2022 | Comprehensive Notes & Explanations

CIA Triad: Importance & Components

The CIA triad is the foundation of information security, representing three core principles:

  1. Confidentiality: Ensures information is accessible only to authorized individuals.
    Techniques: Encryption, access controls, data classification.
  2. Integrity: Maintains accuracy and trustworthiness of data.
    Techniques: Checksums, digital signatures, data backups.
  3. Availability: Ensures authorized users have timely access to information.
    Techniques: Redundancy, disaster recovery, network resilience.

Focusing on these ensures a robust security framework, user trust, and regulatory compliance.
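The integrity leg of the triad names checksums and digital signatures as techniques. The following example, written for these notes and not taken from the course, shows what a plain checksum can and cannot do: it detects accidental corruption, but anyone able to alter the data can also recompute it, so a keyed checksum (HMAC-SHA256, used here as a stand-in for the keyed or signed integrity mechanisms the notes mention) is needed when deliberate tampering must be detected too. The sample record, the altered record and the key are constructed.

```python
"""Integrity check on a data record: a plain SHA-256 checksum catches
accidental corruption, while a keyed checksum (HMAC-SHA256, standing in here
for the keyed/signed integrity mechanisms the notes mention) also catches
deliberate tampering by someone who can rewrite the checksum. Example code
written for these notes; the record, the altered record and the key are
constructed."""
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """Unkeyed integrity check: anyone can compute it, so it detects corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def keyed_checksum(key: bytes, data: bytes) -> str:
    """Keyed integrity check: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_checksum(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def demo() -> dict:
    """Walk through the two checks on a constructed record; returns the outcomes."""
    key = secrets.token_bytes(32)                 # verifier's secret key (constructed)
    record = b"account=1001;balance=500.00"       # constructed sample record
    tampered = b"account=1001;balance=5000.00"    # the same record after alteration

    plain_tag = checksum(record)
    keyed_tag = keyed_checksum(key, record)

    return {
        # both checks accept the untouched record
        "plain_ok": verify_checksum(record, plain_tag),
        "keyed_ok": verify_keyed_checksum(key, record, keyed_tag),
        # both detect a modified record when the original tag is kept
        "plain_detects_change": not verify_checksum(tampered, plain_tag),
        "keyed_detects_change": not verify_keyed_checksum(key, tampered, keyed_tag),
        # if the tamperer can also replace the tag, only the keyed check still holds:
        # recomputing the plain checksum needs no secret, recomputing the HMAC does
        "plain_fooled_by_recomputed_tag": verify_checksum(tampered, checksum(tampered)),
        "keyed_resists_recomputed_tag": not verify_keyed_checksum(
            key, tampered, keyed_checksum(b"attacker-guess", tampered)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Every entry returned by `demo()` is `True`; the last two together make the point of the example. The same reasoning is why the verifier's key must itself be kept confidential: the integrity guarantee is only as strong as the protection of the key.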

InfoSec Processes: Identification, Authentication, Authorization, Accountability

  1. Identification: Recognizing and establishing the identity of a user or entity (e.g., username, ID).
  2. Authentication: Verifying the claimed identity (e.g., passwords, biometrics, 2FA).
  3. Authorization: Granting access rights based on roles and responsibilities (e.g., ACLs, RBAC).
  4. Accountability: Tracking actions through logs and audit trails to ensure traceability and responsibility.
These processes ensure only authorized users access resources and all actions are traceable.
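The four processes above run in sequence on every access request. The following example, written for these notes and not from the course or any real product, shows them as one flow: a username is identified against a user store, a password is verified against a salted PBKDF2 hash, the action is checked against a role-based permission matrix, and an audit record is written on every path, allowed or denied. The user records, the roles and permissions, and the audit-record layout are constructed assumptions.

```python
"""Illustration of identification, authentication, authorization and
accountability as one access-control flow (example code written for these
notes, not from the course or any real product). The user records, the role
permission matrix and the audit-record layout are constructed assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Registered identities. Passwords are stored only as salted PBKDF2 hashes.
_USERS: dict[str, dict] = {}

# Role-based access control (RBAC): assumed roles and the actions each may perform.
_ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "edit_report", "manage_users"},
}

# Accountability: every access decision, allowed or denied, is appended here.
AUDIT_LOG: list[dict] = []


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def _audit(username: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "action": action,
        "outcome": outcome,
    })


def identify(username: str) -> bool:
    """Identification: is this a known identity at all?"""
    return username in _USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the caller prove the claimed identity?"""
    rec = _USERS.get(username)
    if rec is None:
        return False
    candidate = _hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time comparison


def authorize(username: str, action: str) -> bool:
    """Authorization: is the authenticated identity's role allowed this action?"""
    role = _USERS[username]["role"]
    return action in _ROLE_PERMISSIONS.get(role, set())


def request_action(username: str, password: str, action: str) -> str:
    """Run the four processes in order; an audit entry is written on every path."""
    if not identify(username):
        _audit(username, action, "denied: unknown identity")
        return "denied: unknown identity"
    if not authenticate(username, password):
        _audit(username, action, "denied: authentication failed")
        return "denied: authentication failed"
    if not authorize(username, action):
        _audit(username, action, "denied: not authorized")
        return "denied: not authorized"
    _audit(username, action, "allowed")
    return "allowed"


def seed_demo_users() -> None:
    """Constructed sample accounts for the demonstration."""
    register("alice", "correct-horse-battery", "analyst")
    register("bob", "staple-battery-horse", "admin")


if __name__ == "__main__":
    seed_demo_users()
    print(request_action("alice", "correct-horse-battery", "read_report"))  # allowed
    print(request_action("alice", "correct-horse-battery", "edit_report"))  # denied: not authorized
    print(request_action("alice", "wrong-password", "read_report"))         # denied: authentication failed
    print(request_action("mallory", "anything", "read_report"))             # denied: unknown identity
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the denial reason is written to the audit log but the same generic denial could be returned to the caller in a real system; the log is what gives accountability, since it records who attempted what and with which outcome, including failed authentication attempts against known accounts.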

Popular Approach to Management: Key Characteristics

  1. Clear Objectives: Setting specific, measurable goals.
  2. Decentralization: Empowering employees at all levels.
  3. Employee Participation: Involving staff in decision-making.
  4. Open Communication: Fostering transparency and feedback.
  5. Flexibility & Adaptability: Adjusting to change quickly.
  6. Continuous Improvement: Ongoing process enhancements (Kaizen).
  7. Teamwork & Collaboration: Leveraging diverse skills for common goals.

Types of Malware & Differences

  1. Viruses: Attach to files/programs, require user action to spread.
  2. Worms: Self-replicate and spread without user intervention.
  3. Trojan Horses: Disguised as legitimate software, deliver other malware but do not self-replicate.
  4. Ransomware: Encrypts data, demands ransom.
  5. Spyware: Secretly monitors user activity.
  6. Adware: Displays unwanted ads.
  7. Rootkits: Hide malicious activity.
Key Differences: Worms spread independently; viruses need user action. Trojans can deliver viruses/worms but are not self-replicating.

Computer Ethics: Definition & Ten Commandments

Ethics are moral principles guiding behavior. In computing, they ensure responsible and fair use of technology.

  1. Do not use computers to harm others.
  2. Do not interfere with others' computer work.
  3. Do not snoop in others' files.
  4. Do not use computers to steal.
  5. Do not bear false witness using computers.
  6. Do not use unlicensed software.
  7. Do not use others' resources without authorization.
  8. Do not appropriate others' intellectual output.
  9. Consider the social consequences of your programs.
  10. Use computers with respect and consideration for others.

Deterrence & Categories of Unethical Behavior

Deterrence uses consequences to discourage unethical actions.

  • Fraud & Deception
  • Corruption & Bribery
  • Discrimination & Harassment
  • Intellectual Property Infringement
  • Conflicts of Interest
  • Environmental Harm
  • Privacy Violations
Fraud and deception are among the most frequently encountered unethical behaviors due to their prevalence in digital and business environments.

Preventing Illegal or Unethical Behavior

  1. Establish a clear code of conduct.
  2. Provide ethics training and education.
  3. Promote a speak-up culture (whistleblower protection).
  4. Lead by example.
  5. Establish accountability and consequences.
  6. Regular monitoring and auditing.
  7. Continuous improvement of policies.

Types of Public Law & Criminal vs Civil Law

  • Constitutional Law: Governs the structure and powers of government.
  • Administrative Law: Regulates government agencies' actions.
  • Criminal Law: Defines and punishes offenses against society.

Criminal Law: State prosecutes, focus on punishment.
Civil Law: Individuals/entities sue, focus on compensation.

Planning & Organizational Planning

  • Planning: Setting goals and outlining steps to achieve them.
  • Organizational Planning: Strategic planning for long-term direction.
  • Mission: Organization's purpose.
  • Vision: Desired future state.
  • Values: Core beliefs and principles.
  • Strategy: Plan of action to achieve objectives.

Strategic Planning: Components

  1. Executive Summary
  2. Organizational Profile
  3. Environmental Analysis (SWOT)
  4. Strategic Goals & Objectives
  5. Strategies & Action Plans
  6. Performance Measurement (KPIs)
  7. Resource Allocation
  8. Implementation & Monitoring
  9. Risk Management
  10. Communication & Stakeholder Engagement

Information Security Governance: Key Aspects

  1. Leadership & Management Commitment
  2. Clear Roles & Responsibilities
  3. Risk Management
  4. Policies, Standards, Procedures
  5. Compliance & Regulatory Requirements
  6. Training & Awareness
  7. Incident Response & Business Continuity
  8. Continuous Monitoring & Improvement
  9. Collaboration & Communication
  10. Performance Measurement & Reporting

Top-Down vs Bottom-Up Strategic Planning

  • Top-Down: Senior management sets strategy, cascades down. Efficient, consistent, but may lack engagement.
  • Bottom-Up: Involves all levels, encourages ownership and contextual knowledge, but can be slower.
  • Hybrid: Combines both for large, diverse organizations for best results.

NIST SP: Three Types of Information Security Policy

  1. Enterprise Information Security Policy (EISP): High-level, organization-wide direction.
  2. Issue-Specific Security Policy (ISSP): Detailed guidance for specific issues (e.g., email, internet use).
  3. System-Specific Security Policy (SysSP): Technical requirements for individual systems.

Approaches to Policy Development

  • Centralized/Top-Down: Best for small organizations; efficient, consistent.
  • Participatory/Bottom-Up: Best for large organizations; inclusive, addresses diverse needs.
  • Hybrid: Combines both for balance.

ISSP: Three Key Functions

  1. Guidance & Direction: Sets objectives and framework.
  2. Risk Management: Defines risk assessment and mitigation.
  3. Compliance & Legal Requirements: Ensures adherence to laws and standards.

Risk Management: Framework & Process

  1. Risk Identification
  2. Risk Assessment
  3. Risk Prioritization
  4. Risk Mitigation
  5. Risk Monitoring & Review
  6. Communication & Reporting

Threats: Definition & Categories

Threat: Any potential event or action that can cause harm to assets or objectives.

  • Natural Threats: Earthquakes, floods, fires.
  • Human Threats: Malicious (hackers, insiders), non-malicious (accidental errors).
  • Technical Threats: System failures, software bugs.
Human threats, especially insider threats and social engineering, are most frequently encountered due to the human factor in security breaches.

Simplest Risk Formula: Elements & Roles

Risk = Threat × Vulnerability × Impact

  • Threat: Likelihood of an adverse event.
  • Vulnerability: Weaknesses that can be exploited.
  • Impact: Consequences if the threat materializes.

Mitigation: Plans & Examples

  • Physical Security: Access controls, surveillance.
  • Cybersecurity: Firewalls, IDS, employee training.
  • Business Continuity: Backups, disaster recovery, remote work.
Mitigation plans should be tailored, regularly reviewed, and updated as risks evolve.

Risk Treatment Cycle: Steps

  1. Identify Risks
  2. Assess Risks
  3. Evaluate Risks
  4. Treat Risks
  5. Monitor & Review
  6. Communicate & Report
This cycle is continuous and iterative for effective risk management.
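The risk formula and the treatment cycle fit together in a risk register: each identified risk is assessed with Risk = Threat × Vulnerability × Impact, the scores are ranked, each is evaluated against how much risk the organization will accept, the ones above that line are treated, and the residual score is re-assessed during monitoring and review. The following example, written for these notes and not from the course, does exactly that on a constructed register. The 1-to-5 rating scales, the sample risks, the acceptance threshold (20) and the modelled effect of a control are all assumptions.

```python
"""Scoring a constructed risk register with the notes' formula
Risk = Threat x Vulnerability x Impact, ranking the results, and deciding
treatment against an assumed acceptance threshold. Example code written for
these notes; the 1-5 scales, the sample risks, the threshold and the control
effects are constructed assumptions."""
from dataclasses import dataclass, replace

SCALE = range(1, 6)   # each factor is rated 1 (lowest) to 5 (highest); assumed scale
RISK_APPETITE = 20    # assumed: a score above this may not simply be accepted


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # likelihood of the adverse event
    vulnerability: int  # how easily the weakness can be exploited
    impact: int         # consequence if the threat materialises


def risk_score(risk: Risk) -> int:
    """Risk = Threat x Vulnerability x Impact on the assumed 1-5 scales (1..125)."""
    for factor in (risk.threat, risk.vulnerability, risk.impact):
        if factor not in SCALE:
            raise ValueError(f"{risk.name}: factor {factor} outside 1-5 scale")
    return risk.threat * risk.vulnerability * risk.impact


def treatment(score: int, appetite: int = RISK_APPETITE) -> str:
    """Evaluate a score against the acceptance threshold: accept it or treat it."""
    return "accept and monitor" if score <= appetite else "treat"


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Assess every risk, rank highest first (ties by name), and attach a decision."""
    scored = [(r.name, risk_score(r), treatment(risk_score(r))) for r in register]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def apply_control(risk: Risk, vulnerability_reduction: int) -> Risk:
    """Model a mitigation that lowers the vulnerability factor (floor at 1);
    threat and impact are unchanged, so the residual score must be re-assessed."""
    new_vuln = max(1, risk.vulnerability - vulnerability_reduction)
    return replace(risk, vulnerability=new_vuln)


def demo_register() -> list[Risk]:
    """Constructed sample register."""
    return [
        Risk("Phishing of finance staff", threat=5, vulnerability=4, impact=4),
        Risk("Ransomware on file server", threat=4, vulnerability=3, impact=5),
        Risk("Unpatched public web application", threat=3, vulnerability=5, impact=4),
        Risk("Flood at data centre", threat=1, vulnerability=2, impact=5),
    ]


if __name__ == "__main__":
    for name, score, decision in prioritize(demo_register()):
        print(f"{score:>3}  {decision:<18} {name}")
    # Monitor & review: after patching, re-score the web application risk.
    web = demo_register()[2]
    patched = apply_control(web, vulnerability_reduction=3)
    print(risk_score(web), "->", risk_score(patched), treatment(risk_score(patched)))
```

Two things the run makes visible that the formula alone does not: two risks with very different profiles (a likely, moderate-impact event and a less likely, severe one) can land on the same score, so the ranking needs a tie-break and usually a judgement call; and a single control rarely brings a high score under the threshold in one step (patching drops the web application risk from 60 to 24, still above 20), which is why the cycle loops back to assess and review.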

Risk Appetite: Definition & Variation

Risk appetite is the amount of risk an organization is willing to accept. It varies due to:

  • Organizational objectives
  • Industry & regulatory environment
  • Culture & values
  • Resources & risk capacity
  • Stakeholder expectations

Defense Strategy: Risk Treatment Approaches

  • Preventive Controls: Firewalls, access controls, encryption.
  • Security Awareness & Training: Educating staff on risks and best practices.
  • Incident Response: Plans and teams for handling breaches.
  • Vulnerability Management: Regular assessments and patching.
  • Defense-in-Depth: Multiple layers of security controls.
© 2024 Security Policy and Governance Notes | Designed for B.E. CSE Students