CTAINASL
Comprehensive Security
Closing off all possible avenues of attack; an attacker only needs one unprotected avenue to succeed.
Weakest-link Failure
When the failure of a single element of a system ruins the security of the entire system.
Plan-Protect-Respond Cycle
The core security management process: Planning (strategy), Protection (countermeasures), and Response (recovery).
Security as an Enabler
Good security allows a firm to engage in activities otherwise impossible, like interorganizational systems.
Positive Vision of Users
Viewing users as assets to be trained rather than "malicious or stupid" obstacles.
Driving Forces
Factors like the threat environment and compliance laws that necessitate security.
Remediation Plans
Plans developed to address security gaps for every resource unless it is well-protected.
Investment Portfolio
A selection of security projects chosen to provide the largest returns since all gaps cannot be closed at once.
CSO / CISO
Chief Security Officer or Chief Information Security Officer; the executive in charge of security.
In-House IT Security
Security managed by internal teams, offering direct control and alignment with IT strategy.
Outsourced Security (MSSP)
Using Managed Security Service Providers for expertise, though it often reduces control over policies.
Hybrid Model
A combination of internal and external security resources to gain flexibility and expert support.
Sarbanes-Oxley Act (2002)
Requires firms to report material deficiencies in financial reporting processes.
HIPAA
A US law governing the protection of private data in health care organizations.
Defense in Depth
Using multiple independent layers of security in series so the resource remains safe if one layer fails.
Single Point of Vulnerability
A point of failure that has drastic consequences for the entire system (e.g., a central DNS server).
Technical Security Architecture
The total organization of a company's technical countermeasures into a complete system.
Legacy Technologies
Older systems that must be upgraded if they seriously impair security and the cost is justified.
Reasonable Risk
The level of risk an organization accepts by balancing threat likelihood against potential impact.
Risk Reduction
Adopting active countermeasures, like firewalls, to lower the probability of loss.
Risk Acceptance
Implementing no countermeasures and absorbing damages (for low-impact risks).
Risk Transference
Shifting risk to another party, most commonly through insurance.
Risk Avoidance
Stopping an activity entirely because it is considered too risky.
Asset Value (AV)
The total value of the asset to be protected.
Exposure Factor (EF)
The percentage of an asset's value lost in a single breach.
Single Loss Expectancy (SLE)
The damage amount from a single breach ($SLE = AV \times EF$).
Annualized Loss Expectancy (ALE)
The average yearly loss expected ($ALE = SLE \times \text{Annual Probability}$).
Acceptable Use Policy (AUP)
Defines proper user behavior and typically requires a user's signature to minimize misuse.
Standards
Mandatory directives that must be followed within the organization.
Guidelines
Recommended actions that are not mandatory but must be considered.
Segregation of Duties
Requiring two or more people to complete a sensitive task so that no single individual can cause damage alone.
Job Rotation
Moving employees between roles to uncover fraudulent schemes that require constant maintenance.