What does CIA stand for?
Confidentiality, Integrity and Availability
Policies should be:
5 things
Unambiguous
As short as possible
Cover the majority of cases
Come with a process of dealing with exceptions
Do not contain lengthy background material
Procedures should be:
4 things
Step by step descriptions of what needs to be done
Always accurate and up to date
Immediately flagged for review if they do not work
Minimise opportunity for people to make decisions which may be inconsistent
What are the results of procedures recorded in?
Quality records
What do internal audits do?
Check that procedures are being followed
What do external audits do?
Issue certificates to say the quality system is built for purpose
What is an asset register?
A register of all the information assets in the business: everything an attacker might want to control, destroy or compromise, anything that might stop working, and anything you might want to apply a control to
How do you build an asset register?
Start with systems and databases and then expand downwards. Then do “what you can see” (buildings, people, cabling, etc.) and expand upwards. Then iterate on it.
What is a threat?
Something that an attacker might try to do to an asset
What is a threat source?
A person or organisation that desires to breach security and will ultimately benefit from said breach.
What is a threat actor?
A threat actor is the person that causes the attack, whether intentional or accidental.
What is a threat level?
A value attributed to the combination of the capability and the motivation of a threat source or threat actor to attack an asset. It takes into account any security clearances the threat actor might have and if they are deterrable in any way.
What is a compromise method?
The broad type of attack by which a threat actor may attempt to compromise the CIA of an asset.
What is a risk assessment?
The list of things that might happen to your assets, looking at likelihood and impact.
What might be included in a risk assessment?
Threat Actor
Threat Source
Compromise method
How the CIA of an asset would be affected
What is a risk treatment plan?
The process of choosing and applying a set of controls to address risks identified in the Risk Assessment.
What 2 things do controls do to risks?
Reduce the chance of the risk taking place
Mitigate the impact of the risk when it does take place
What are the 2 alternatives to controls?
Transfer the risk (insurance, outsource)
Accept the risk
What are direct side effects of controls?
The consequences of imposing the control, irrespective of the way users respond.
What are indirect side effects of controls?
The consequences of imposing the control caused by users working around it or other displacement of risk.
What is risk appetite?
How much risk an organisation is willing to absorb
Why would an organisation accept a risk?
They judge either the chance of the event happening, or its impact when it does happen, to be too small to be worth preparing for
Give 5 examples of controls
Firewalls
Encryption
Antivirus software
Intrusion detection systems
Access controls
Give 5 examples of threat actors
Nation States
Ransomware Gangs
Script kiddies
Employees
Cloud service provider