BA 2010 1002
Defense in Depth
Avoid, Prevent, Detect, Respond
CIA
Confidentiality, Integrity, and Availability
Principle of Least Privilege
given only those privileges needed for it to complete its task
5 steps of NIST
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
Risk Management Steps
1. identify risk
2. analyze the risk
3. Risk
assessment
4. Treat the risk
5. Monitor the risk
“known” asset
sometimes there are laws that tell us how to protect the asset
Risk response
Risk management
Quantitative risk assessment
a process for assigning a value to an asset, the likelihood of it being compromised, and the impact of a compromise
Qualitative risk assessment
often more subjective. Risks, Likelihood, and impact are often ranked as High, Medium, or Low
Technical mechanisms to mitigate risk
• PLP
• Data Loss Prevention DLP
• Firewall
•
Encryption
• Multi-Factor Authentication MFA
• Virus scan
Processes
a set of activities that complete a specific goal
Procedure
the set of instructions for completing a process
Policies
the guidelines that dictate how processes and procedures should be carried out
Policy
highest over arching – a form set of requirements or rules – written out
Process
detailed list of steps needed to complete something
Procedure
the instructions on how to complete a specific task
acceptable usage policy
outlines what actions and behaviors are acceptable on an organizations systems, network, and within their environment
Password policies
a set of rules that passwords must meet in order to be acceptable
MFA
Multi factor authentication
data policy
a policy that describes how a business handles personal data
Data governance policy
a document that defines how an organization uses and manages its data
DLP
Data Loss Prevention
Data owner
responsible for the big picture
Data stewards
responsible for what is stored
Data custodians
responsible for the technical environment
Access control
high-level requirements that specify how access is
managed and
who may access information under what circumstances
Access control policy
data security technique that prevents unauthorized physical or remote access to company data
Discretionary
owners and admins set the policies on access rights
Role based
access is controlled based on your role within the
organization
4 main types of access control
Remote access policy
a policy that sets the standards for off-prem connections
VPN
an encrypted connection over the internet from a device to a network
IDS
intrusion detection systems
IPS
Intrusion prevention system
Data encryption
a method where information is encoded and can
only be accessed
or decrypted by a user with the correct encryption key
Synchronous Encryption
uses 1 key
Asynchronous Encryption
uses 2 keys