Data life cycle management
information flow management from creation to disposal; mitigation aimed at lowering risks of breaches by decreasing volume and type of data stored
Paul & Copple 11 element DLM model (to reduce “save everything” plan)
- enterprise objectives: prioritize information
- minimalism - discard unless need = Zubuluke standard
- Simple procedures and training
- Adequacy of information to support task requirements
- IS personnel should be included in development of DLM FW
- authenticity and accuracy of records needed for court procedures
- easy retrievability
- distribution (access) controls and encryption
- auditability - hash, digital signatures, etc.
- Consistency of policy throughout organization
- Enforcement (internal) throughout organization
IS practices: CIA Triad
- confidentiality (prevent unauthorised disclosure)
- integrity (prevent unauthorised modification, deletion)
- availability (accessibility to authorised users)
- accountability (entity ownership traceable)
- assurance (4 other objectives met)
IS risk management practices : ISO 27000
- ID risk
- select and implement measures to mitigate risk
- track and evaluate risk
3 high level security roles
- executive: CIO, ISO, etc.
- functional: security engineers and security professionals
- corollary: support (physical security, privacy professional, supply chain)
US CERT essential body of knowledge 14 generic competency IS practice areas
- data security
- digital forensics (for security incidents)
- enterprise continuity (BCP)
- IRP
- IS training and awareness
- Operations and maintenance of IT systems
- network & telecoms security
- personnel security
- physical/environmental security (computer rooms)
- procurement
- regulatory standards/compliance
- security risk management
- strategic security management (IS in line with mission)
- system and app security
PTA (privacy threshold analysis)
methodology used to determine whether PIA needed
PIA (privacy impact analysis)
methodology for assessing privacy related risks associated with business activities involving personal data processing: -assess existing controls;
-suggest remedial actions/mitigation needed to decrease risks
Governance
decision rights + accountability ;
processes + standards + roles
