Information Assurance (IA)
Protecting and managing information to ensure its confidentiality, integrity, and availability (CIA).
Australian Red Cross Data Leak (2016)
A significant data breach compromising personal information of over 550,000 blood donors.
IA Strategy Principle
Holistic Approach, Inclusive Mechanisms, Security Across Domains.
Embracing Independence in IA
Flexibility and Vendor Neutrality, Merit-Based Solution Evaluation, Advocating for Open Standards.
Legal and Regulatory Requirements
Understanding Laws and Standards, Compliance as Strategy Cornerstone, Consequences of Non-Compliance.
Living Document
Regular Updates, Feedback Loops, Stakeholder Engagement.
Risk-Based Approach
Risk Identification, Analysis, and Evaluation, Strategic Prioritization of Resources, Engaging in Risk Management.
Organizational Significance
Strategic Planning and Operations, Alignment with Business Objectives, Competitive Advantage.
Strategic, Tactical, and Operational
Strategic Level, Tactical Level, Operational Level.
Concise, Well-Structured, and Extensible
Conciseness, Well-Structured, Extensibility.
Protecting Sensitive Assets
Prioritizing Risks, Effective IA Strategy.
MSR Model of Information Assurance
Holistic framework integrating technology, policies, and people for resilience against cyber threats.
CIA Triad
Confidentiality, Integrity, Availability of information.
Information Security vs Cybersecurity
Information Security protects the confidentiality, integrity, and availability (CIA) of information in any form, including paper; Cybersecurity is the subset concerned with defending digital systems, networks, and data against cyber threats.
Information Assurance Principles
Business Enabler, Protect Interconnecting Elements, Cost-Effective, Establish Responsibilities, Robust Method, Periodic Assessment, Social Obligations.
ISMS Cycle
Plan-Do-Check-Act.
Security and Privacy in Technology
Collaboration, Key Security Products and Standards.
ISO/IEC 27001:2013
Internationally recognized ISMS standard; auditable/certifiable framework; aligned with the Annex SL high-level structure shared by other ISO management-system standards. The 2013 edition has since been superseded by ISO/IEC 27001:2022.
ISO/IEC 27000 Family
27000 (Fundamentals), 27001 (Requirements), 27002 (Code of Practice), 27003 (Implementation Guidance), 27004 (Security Metrics), 27005 (Risk Management), 27006 (Audit Requirements).
Compliance and Legal Frameworks
HIPAA, PCI DSS, NIST SP 800-53, FedRAMP, FAR/DFARS.
Benefits of Incorporating Security in System Development
Early identification and mitigation of vulnerabilities, awareness of engineering challenges, shared security services, informed executive decision-making, documented security decisions, improved confidence, better system integration.
Traditional SDLC Phases
Requirements gathering, design, implementation, verification/testing, deployment/maintenance.
Importance of Security from the Beginning in SDLC
Minimizes 'test-patch-retest' cycle, integrates best practices, ensures proper security design, aligns with budget and scheduling goals.
Physical Security Controls for IT Assets
Locking server rooms, setting up surveillance, securing vulnerable devices, using rackmount servers, securing printers, maintaining HVAC systems.
Impact of Human Error on Cybersecurity
Human error is a contributing factor in roughly 95% of security incidents (a widely cited figure originating from IBM's 2014 Cyber Security Intelligence Index); it is rarely the sole cause, but it is the most common one.
Implementation Phase Steps in SDLC
Code reviews, secure coding standards, defect management.
CISO's Role in SDLC Security Integration
Oversees security measures, educates personnel, assigns security responsibilities, ensures comprehensive risk management.
Deployment Plan Components in SDLC
Deployment environment details, configuration steps, change management, rollback plans, disaster recovery.
Importance of Physical Security in IT Asset Management
Prevents unauthorized access, damage, theft, ensures system integrity and availability.
Secure Disposal Plan for IT Assets
Offsite/onsite technology use policies, clear desk policy, professional document shredding, sensitive information destruction.
Proper Framework for BCMS
Involves management commitment, risk evaluation, business impact analysis, recovery strategy determination, data collection, test criteria development, training, and continuous improvement.
Common Mistakes in BCMS
Lack of Business Impact Analysis, Technology Focus, Failure to Involve Business, Overly Complex Documentation, Lack of Training, and Reliance on Templates.
ISO 22301 Objectives
Aim to protect against disruptions, reduce incident likelihood, respond efficiently, recover quickly, and continuously improve plans.
Disaster Recovery (DR)
Focuses on restoring critical IT systems and data, typically within the first 30 days, using solutions such as hot-site recovery.
Business Continuity (BC)
Ensures that essential business functions continue beyond the initial 30-day recovery window, which may require procuring new equipment and facilities.
PDCA
Plan-Do-Check-Act
Business Impact Analysis (BIA)
To identify critical business functions and their dependencies
Common mistakes in business continuity and disaster recovery planning
No Business Impact Analysis, technology focus, failure to involve the business, overly complex documentation, lack of training, and reliance on templates
Crisis Management Team
To manage the overall response and communication strategy during and after a disruption
Common pitfalls in business continuity planning
Lack of understanding, viewing compliance as a mere exercise, inadequate planning, false sense of security, and procrastination
Recovery Time Objective (RTO)
The targeted maximum time to restore a system or service to operation after a disruption.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss, measured as the time between the last recoverable backup and the disruption.
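The two definitions above are easier to apply when checked against real backup history. The following is an added worked example, not part of the original flashcard set: it takes a constructed backup log, a disruption time, and a service-restored time, and reports the achieved RPO and RTO against targets. The log entries, timestamps, and the 6-hour RPO / 8-hour RTO targets are assumptions chosen for illustration. The point it makes beyond the definitions is that RPO must be measured from the last backup that actually succeeded, so a failed job right before the incident silently widens the data-loss window.

```python
"""Evaluate achieved RPO and RTO against targets from a backup log.

Added example; not code from the original page. All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed backup log: (completion timestamp, job status). Assumed format.
BACKUP_LOG = [
    ("2024-03-01T00:00:00", "success"),
    ("2024-03-01T06:00:00", "success"),
    ("2024-03-01T12:00:00", "failed"),   # a failed job produces no restorable copy
    ("2024-03-01T18:00:00", "success"),
    ("2024-03-02T00:00:00", "failed"),   # the job closest to the incident also failed
]


def last_good_backup(log, incident):
    """Return the completion time of the most recent successful backup at or
    before `incident`, or None if no restorable copy exists."""
    candidates = [
        datetime.fromisoformat(ts)
        for ts, status in log
        if status == "success" and datetime.fromisoformat(ts) <= incident
    ]
    return max(candidates) if candidates else None


def achieved_rpo(log, incident):
    """Data-loss window: time from the last restorable backup to the disruption.
    Returns None when there is nothing to restore from (RPO is unbounded)."""
    last = last_good_backup(log, incident)
    return None if last is None else incident - last


def achieved_rto(incident, service_restored):
    """Outage duration: time from the disruption until service is back."""
    return service_restored - incident


def meets_objectives(log, incident, service_restored, rpo_target, rto_target):
    """Compare achieved RPO/RTO with the targets; hours are reported as floats."""
    rpo = achieved_rpo(log, incident)
    rto = achieved_rto(incident, service_restored)
    return {
        "rpo_hours": None if rpo is None else rpo.total_seconds() / 3600,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "rto_hours": rto.total_seconds() / 3600,
        "rto_met": rto <= rto_target,
    }


if __name__ == "__main__":
    incident = datetime.fromisoformat("2024-03-02T03:00:00")
    restored = datetime.fromisoformat("2024-03-02T07:30:00")
    # Assumed targets: 6-hour RPO, 8-hour RTO.
    print(meets_objectives(BACKUP_LOG, incident, restored,
                           timedelta(hours=6), timedelta(hours=8)))
```

With the constructed log, the backups run every six hours, so on paper a 6-hour RPO looks achievable; because the 00:00 job failed, the last restorable copy is from 18:00 and the achieved RPO is 9 hours, so the objective is missed while the 4.5-hour RTO is met. Monitoring backup job status, not just the schedule, is what keeps the real RPO honest.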
Regular training in business continuity planning
To ensure all employees understand their roles and responsibilities in maintaining business continuity
Management commitment in BCMS
Ensures top-down support, improves follow-through, and assists with communicating the importance of business continuity and disaster recovery planning