B.E. Sixth Semester (CSE) - Security Policy and Governance (6 KS 01)
Summer 2022 | Comprehensive Notes & Explanations
CIA Triad: Importance & Components
The CIA triad is the foundation of information security, representing three core principles:
- Confidentiality: Ensures information is accessible only to authorized individuals. Techniques: encryption, access controls, data classification.
- Integrity: Maintains accuracy and trustworthiness of data. Techniques: checksums, digital signatures, data backups.
- Availability: Ensures authorized users have timely access to information. Techniques: redundancy, disaster recovery, network resilience.
Focusing on these ensures a robust security framework, user trust, and regulatory compliance.
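Added example (not part of the original notes): the integrity techniques listed above differ in what they catch. An unkeyed checksum detects accidental corruption, but anyone who can alter the data can also recompute the checksum, so only a keyed MAC (or a digital signature) detects deliberate modification. The record, the key and the tampering cases below are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (hypothetical; not taken from the notes).
RECORD = b"account=1234;balance=100.00"
KEY = secrets.token_bytes(32)  # integrity key known only to the verifier


def checksum(data: bytes) -> str:
    """Unkeyed checksum: catches accidental corruption (bit flips, truncation)."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes = KEY) -> str:
    """Keyed MAC: catches deliberate modification by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking information through comparison timing
    return hmac.compare_digest(checksum(data), expected)


def verify_tag(data: bytes, expected: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def demo() -> dict:
    """Run both checks against an accidental and a deliberate change."""
    stored_sum = checksum(RECORD)   # stored beside the record when it was written
    stored_tag = tag(RECORD)        # stored beside the record, computed with KEY

    corrupted = RECORD[:-1] + b"1"                # single-byte transmission error
    modified = b"account=1234;balance=999.00"     # deliberate edit of the balance

    return {
        "corruption_caught_by_checksum": not verify_checksum(corrupted, stored_sum),
        "corruption_caught_by_mac": not verify_tag(corrupted, stored_tag),
        # whoever edited the record can also store a fresh unkeyed checksum,
        # so the checksum check passes and the change goes unnoticed
        "modification_caught_by_checksum": not verify_checksum(modified, checksum(modified)),
        # the MAC cannot be recomputed without KEY, so the old tag no longer matches
        "modification_caught_by_mac": not verify_tag(modified, stored_tag),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check}: {caught}")
```

Data backups, the third integrity technique in the notes, complement detection: a MAC tells you the record was altered, while a backup lets you restore the original.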
InfoSec Processes: Identification, Authentication, Authorization, Accountability
- Identification: Recognizing and establishing the identity of a user or entity (e.g., username, ID).
- Authentication: Verifying the claimed identity (e.g., passwords, biometrics, 2FA).
- Authorization: Granting access rights based on roles and responsibilities (e.g., ACLs, RBAC).
- Accountability: Tracking actions through logs and audit trails to ensure traceability and responsibility.
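Added example (not part of the original notes) showing the four stages applied in order to one access request: the user is identified by username, authenticated against a salted password hash, authorized through a role-based access control table, and every decision is written to an audit log for accountability. The user store, roles and permissions are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not plain text
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed sample user store (hypothetical users and passwords).
USERS = {
    "alice": make_user("correct horse battery staple", "admin"),
    "bob": make_user("hunter2", "analyst"),
}

# Role-based access control (RBAC): which roles may perform which actions.
PERMISSIONS = {
    "admin": {"read_report", "delete_report"},
    "analyst": {"read_report"},
}

AUDIT_LOG: list[dict] = []  # accountability: every decision is recorded here


def identify(username: str) -> bool:
    """Identification: is the claimed identity known to the system?"""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the supplied secret match the stored hash?"""
    if not identify(username):
        # Hash anyway so response time does not reveal whether the user exists
        _hash_password(password, b"\x00" * 16)
        return False
    rec = USERS[username]
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization: does the user's role permit this action?"""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def _audit(username: str, action: str, outcome: str) -> None:
    """Accountability: append a timestamped, attributable record of the decision."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "action": action,
        "outcome": outcome,
    })


def request(username: str, password: str, action: str) -> str:
    """Run identification, authentication and authorization in order; log the result."""
    if not identify(username) or not authenticate(username, password):
        _audit(username, action, "AUTH_FAILED")
        return "denied: authentication failed"
    if not authorize(username, action):
        _audit(username, action, "FORBIDDEN")
        return "denied: not authorized"
    _audit(username, action, "ALLOWED")
    return "allowed"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "delete_report"))
    print(request("bob", "hunter2", "delete_report"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that an unknown username and a wrong password produce the same response and the same log outcome; the log, not the error message, is where an analyst later distinguishes the two.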
Popular Approach to Management: Key Characteristics
- Clear Objectives: Setting specific, measurable goals.
- Decentralization: Empowering employees at all levels.
- Employee Participation: Involving staff in decision-making.
- Open Communication: Fostering transparency and feedback.
- Flexibility & Adaptability: Adjusting to change quickly.
- Continuous Improvement: Ongoing process enhancements (Kaizen).
- Teamwork & Collaboration: Leveraging diverse skills for common goals.
Types of Malware & Differences
- Viruses: Attach to files/programs, require user action to spread.
- Worms: Self-replicate and spread without user intervention.
- Trojan Horses: Disguised as legitimate software, deliver other malware but do not self-replicate.
- Ransomware: Encrypts data, demands ransom.
- Spyware: Secretly monitors user activity.
- Adware: Displays unwanted ads.
- Rootkits: Hide the presence of malicious software and activity from users and security tools.
Computer Ethics: Definition & Ten Commandments
Ethics are moral principles guiding behavior. In computing, they ensure responsible and fair use of technology.
- Do not use computers to harm others.
- Do not interfere with others' computer work.
- Do not snoop in others' files.
- Do not use computers to steal.
- Do not bear false witness using computers.
- Do not use unlicensed software.
- Do not use others' resources without authorization.
- Do not appropriate others' intellectual output.
- Consider the social consequences of your programs.
- Use computers with respect and consideration for others.
Deterrence & Categories of Unethical Behavior
Deterrence uses consequences to discourage unethical actions.
- Fraud & Deception
- Corruption & Bribery
- Discrimination & Harassment
- Intellectual Property Infringement
- Conflicts of Interest
- Environmental Harm
- Privacy Violations
Preventing Illegal or Unethical Behavior
- Establish a clear code of conduct.
- Provide ethics training and education.
- Promote a speak-up culture (whistleblower protection).
- Lead by example.
- Establish accountability and consequences.
- Regular monitoring and auditing.
- Continuous improvement of policies.
Types of Public Law & Criminal vs Civil Law
- Constitutional Law: Governs the structure and powers of government.
- Administrative Law: Regulates government agencies' actions.
- Criminal Law: Defines and punishes offenses against society.
- Civil Law (contrast): Individuals or entities sue one another; the focus is on compensation rather than punishment.
Planning & Organizational Planning
- Planning: Setting goals and outlining steps to achieve them.
- Organizational Planning: Strategic planning for long-term direction.
- Mission: Organization's purpose.
- Vision: Desired future state.
- Values: Core beliefs and principles.
- Strategy: Plan of action to achieve objectives.
Strategic Planning: Components
- Executive Summary
- Organizational Profile
- Environmental Analysis (SWOT)
- Strategic Goals & Objectives
- Strategies & Action Plans
- Performance Measurement (KPIs)
- Resource Allocation
- Implementation & Monitoring
- Risk Management
- Communication & Stakeholder Engagement
Information Security Governance: Key Aspects
- Leadership & Management Commitment
- Clear Roles & Responsibilities
- Risk Management
- Policies, Standards, Procedures
- Compliance & Regulatory Requirements
- Training & Awareness
- Incident Response & Business Continuity
- Continuous Monitoring & Improvement
- Collaboration & Communication
- Performance Measurement & Reporting
Top-Down vs Bottom-Up Strategic Planning
- Top-Down: Senior management sets strategy, cascades down. Efficient, consistent, but may lack engagement.
- Bottom-Up: Involves all levels, encourages ownership and contextual knowledge, but can be slower.
- Hybrid: Combines both for large, diverse organizations for best results.
NIST SP: Three Types of Information Security Policy
- Enterprise Information Security Policy (EISP): High-level, organization-wide direction.
- Issue-Specific Security Policy (ISSP): Detailed guidance for specific issues (e.g., email, internet use).
- System-Specific Security Policy (SysSP): Technical requirements for individual systems.
Approaches to Policy Development
- Centralized/Top-Down: Best for small organizations; efficient, consistent.
- Participatory/Bottom-Up: Best for large organizations; inclusive, addresses diverse needs.
- Hybrid: Combines both for balance.
ISSP: Three Key Functions
- Guidance & Direction: Sets objectives and framework.
- Risk Management: Defines risk assessment and mitigation.
- Compliance & Legal Requirements: Ensures adherence to laws and standards.
Risk Management: Framework & Process
- Risk Identification
- Risk Assessment
- Risk Prioritization
- Risk Mitigation
- Risk Monitoring & Review
- Communication & Reporting
Threats: Definition & Categories
Threat: Any potential event or action that can cause harm to assets or objectives.
- Natural Threats: Earthquakes, floods, fires.
- Human Threats: Malicious (hackers, insiders), non-malicious (accidental errors).
- Technical Threats: System failures, software bugs.
Simplest Risk Formula: Elements & Roles
Risk = Threat × Vulnerability × Impact
- Threat: Likelihood of an adverse event.
- Vulnerability: Weaknesses that can be exploited.
- Impact: Consequences if the threat materializes.
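Added example (not part of the original notes) that applies the formula above to a small risk register and then carries out the Risk Prioritization step from the Risk Management process: each scenario is scored as Threat × Vulnerability × Impact on 1-to-5 scales, mapped to a treatment band, and sorted highest first. The register entries and the band thresholds are constructed assumptions, not a standard scale.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    scenario: str
    threat: int         # likelihood of the adverse event, 1 (rare) to 5 (almost certain)
    vulnerability: int  # how exploitable the weakness is, 1 (well protected) to 5 (exposed)
    impact: int         # consequence if it materializes, 1 (negligible) to 5 (severe)

    def score(self) -> int:
        # Risk = Threat x Vulnerability x Impact; with 1-5 scales the maximum is 125
        return self.threat * self.vulnerability * self.impact


def rate(score: int) -> str:
    """Map a score to a treatment band (thresholds are an assumed example scale)."""
    if score >= 60:
        return "critical: treat immediately"
    if score >= 27:
        return "high: plan mitigation"
    if score >= 8:
        return "medium: monitor and review"
    return "low: accept"


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Risk Prioritization: (scenario, score, band), highest risk first."""
    rows = [(r.scenario, r.score(), rate(r.score())) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def mitigated_score(risk: Risk, new_vulnerability: int) -> int:
    """Score after a control lowers the vulnerability factor (threat and impact unchanged)."""
    return Risk(risk.asset, risk.scenario, risk.threat, new_vulnerability, risk.impact).score()


# Constructed sample risk register (hypothetical assets and ratings).
REGISTER = [
    Risk("customer database", "injection flaw in public web form", threat=4, vulnerability=4, impact=5),
    Risk("file server", "ransomware via phishing attachment", threat=4, vulnerability=3, impact=4),
    Risk("data centre", "flood", threat=1, vulnerability=2, impact=5),
    Risk("intranet wiki", "defacement", threat=2, vulnerability=2, impact=1),
]


if __name__ == "__main__":
    for scenario, score, band in prioritize(REGISTER):
        print(f"{score:3d}  {band:28s}  {scenario}")
    # Patching and input validation lower vulnerability from 4 to 1 on the top item
    print("after mitigation:", mitigated_score(REGISTER[0], 1), rate(mitigated_score(REGISTER[0], 1)))
```

The mitigation helper illustrates why the three elements are treated separately: a control usually changes only one factor (here vulnerability), and the product shows how much of the risk that single change removes.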
Mitigation: Plans & Examples
- Physical Security: Access controls, surveillance.
- Cybersecurity: Firewalls, IDS, employee training.
- Business Continuity: Backups, disaster recovery, remote work.
Risk Treatment Cycle: Steps
- Identify Risks
- Assess Risks
- Evaluate Risks
- Treat Risks
- Monitor & Review
- Communicate & Report
Risk Appetite: Definition & Variation
Risk appetite is the amount of risk an organization is willing to accept. It varies due to:
- Organizational objectives
- Industry & regulatory environment
- Culture & values
- Resources & risk capacity
- Stakeholder expectations
Defense Strategy: Risk Treatment Approaches
- Preventive Controls: Firewalls, access controls, encryption.
- Security Awareness & Training: Educating staff on risks and best practices.
- Incident Response: Plans and teams for handling breaches.
- Vulnerability Management: Regular assessments and patching.
- Defense-in-Depth: Multiple layers of security controls.