cs-unit-1

The document outlines the principles and practices of planning for cyber security, including best practices, standards, and risk management approaches. It emphasizes the importance of security governance, asset identification, and the use of established frameworks like ISO/IEC 27000 and NIST Cyber Security Framework. The document serves as a guide for organizations to develop effective cyber security strategies and policies to protect their information assets.



Unit-1 - unit 1

Cyber security (Anna University)


UNIT I - PLANNING FOR CYBER SECURITY


Best Practices - Standards and a Plan of Action - Security Governance Principles, Components and Approach - Information Risk Management - Asset Identification - Threat Identification - Vulnerability Identification - Risk Assessment Approaches - Likelihood and Impact Assessment - Risk Determination, Evaluation and Treatment - Security Management Function - Security Policy - Acceptable Use Policy - Security Management Best Practices.

1. BEST PRACTICES-STANDARDS AND A PLAN OF ACTION

1.1 Defining Cyberspace and Cyber Security


Cyberspace consists of artifacts based on or dependent on computer and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements.
A definition of cyber security is provided in ITU-T (International Telecommunication Union Telecommunication Standardization Sector) Recommendation X.1205:
Cyber security is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that are used to protect the cyberspace environment and organization and user's assets.
Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment.
The general security objectives comprise the following: availability; integrity, which may include authenticity and non-repudiation; and confidentiality.
Essential cyber security objectives

AAMEC/CA/SEM/II/TVN Page 1 of 38

Availability: The property of a system or a system resource being accessible or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system.
Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
Authenticity: The property of being genuine and being able to be verified and trusted.
Non-repudiation: Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
Confidentiality: The property that data is not disclosed to system entities unless they have been authorized to know the data.
Accountability: The property of a system or system resource ensuring that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions.
Cyber security Dilemmas: Technology, Policy, and Incentives
[CICE14] summarizes the challenges in developing an effective cyber security system as follows:
• Scale and complexity of cyberspace
• Nature of the threat:
– Threat: A potential for violation of security that exists when there is a circumstance, a capability, an action, or an event that could breach security and cause harm.
– Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
• User needs versus security implementation
• Difficulty estimating costs and benefits

1.2 THE VALUE OF STANDARDS AND BEST PRACTICES DOCUMENTS


The development, implementation, and management of a cyber security
system for an organization are extraordinarily complex and difficult.
A wide variety of technical approaches are involved, including
cryptography, network security protocols, operating system
mechanisms, database security schemes, and malware identification.

The areas of concern are broad, including stored data, data communications, human factors, physical asset and property security, and legal, regulatory, and contractual concerns.
The good news is that a great deal of thought, experimentation, and implementation experience have already gone into the development of policies, procedures, and overall guidance for cyber security system management teams.
A number of organizations, based on wide professional input, have developed best-practice documents as well as standards for implementing and evaluating cyber security.

1.3 THE STANDARD OF GOOD PRACTICE FOR INFORMATION SECURITY


The Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world.
ISF members fund and cooperate in the development of a practical research program in information security.
It is dedicated to investigating, clarifying, and resolving key issues in cyber security, information security, and risk management and to developing best practice methodologies, processes, and solutions that meet the business needs of its members.
The most significant activity of the ISF is the ongoing development of the Standard of Good Practice for Information Security (SGP).

Basis for the ISF Standard of Good Practice for Information Security

The SGP is of particular interest to the following individuals:
o Chief information security officers (or equivalent)
o Business managers
o Internal and external auditors
o IT service providers
o Procurement and vendor management teams
Security policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

ISF Standard of Good Practice for Information Security: Categories and Areas
The SGP is organized into 17 categories, each of which is broken down into 2 areas. Each area is further broken down into a number of topics, or business activities.
Category: Areas
Security Governance (SG): Security Governance Approach; Security Governance Components
Information Risk Assessment (IR): Information Risk Assessment Framework; Information Risk Assessment Process
Security Management (SM): Security Policy Management; Information Security Management
People Management (PM): Human Resource Security; Security Awareness/Education
Physical Asset Management (PA): Equipment Management; Mobile Computing
System Development (SD): System Development Management; System Development Life Cycle
Business Application Management (BA): Corporate Business Applications; End User Developed Applications
System Access (SA): Access Management; Customer Access
System Management (SY): System Configuration; System Maintenance
It is informative to consider the 17 SGP categories as being organized into three principal activities:
o Planning for cyber security: Developing approaches for managing and controlling the cyber security function(s)
o Managing the cyber security function: Deploying and managing the security controls to satisfy the defined security requirements
o Security assessment: Assuring that the security management function enables business continuity

Categories in the Standard of Good Practice for Information Security

1.4 THE ISO/IEC 27000 SUITE OF INFORMATION SECURITY STANDARDS


The most important set of standards for cyber security is the ISO 27000 suite of information security standards.
The ISO is an international agency for the development of standards on a wide range of subjects.
Although the ISO is not a government body, more than 70% of ISO member bodies are government standards institutions or organizations incorporated by public law.

Information security management system (ISMS): Consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.
ISO 27000 states that an ISMS is based on principles that include the following:
o Awareness of the need for information security
o Assignment of responsibility for information security
o Incorporating management commitment and the interests of stakeholders
o Enhancing societal values
o Risk assessments determining appropriate controls to reach acceptable levels of risk
o Security incorporated as an essential element of information networks and systems
The ISO 27000 series deals with all aspects of an ISMS. It helps small,
medium, and large businesses in any sector keep information assets
secure. This growing collection of standards falls into four categories
o Overview and vocabulary: Provide an overview and relevant
vocabulary for ISMS

o Requirements: Discuss normative standards that define requirements for an ISMS and for those certifying such systems
o Guidelines: Provide direct support and detailed guidance and/or interpretation for the overall process of establishing, implementing, maintaining, and improving an ISMS
o Sector-specific guidelines: Address sector-specific guidelines for an ISMS
The most significant documents in the series are those that are cited in the ISF SGP:
o ISO 27001: ISMS Requirements
o ISO 27002: Code of Practice for Information Security Controls
o ISO 27005: Information Security Risk Management System Implementation Guidance
o ISO 27014: Governance of Information Security
o ISO 27036: Information Security for Supplier Relationships

Security controls: The management, operational, and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
ISO 27001:
o It is an important document for organizational executives with security responsibility.
o It is used to define the requirements for an ISMS in such a way that it serves as a checklist for certification.
ISO 27001 Requirements Topics
Requirement: Topics
4 Context of the Organization: 4.1 Understanding the Organization and Its Context; 4.2 Understanding the Needs and Expectations of Interested Parties
5 Leadership: 5.1 Leadership and Commitment; 5.2 Policy
6 Planning: 6.1 Actions to Address Risks and Opportunities; 6.2 Information Security Objectives and Planning to Achieve Them
7 Support: 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication
8 Operation: 8.1 Operational Planning and Control; 8.2 Information Security Risk Assessment
9 Performance Evaluation: 9.1 Monitoring, Measurement, Analysis and Evaluation; 9.2 Internal Audit
10 Improvement: 10.1 Nonconformity and Corrective Action; 10.2 Continual Improvement
ISO 27002
The information security controls defined in ISO 27002
Control: Topics
5 Information Security Policies: 5.1 Management Direction for Information Security
6 Organization of Information Security: 6.1 Internal Organization; 6.2 Mobile Devices and Teleworking
7 Human Resource Security: 7.1 Prior to Employment; 7.2 During Employment; 7.3 Termination and Change of Employment
8 Asset Management: 8.1 Responsibility for Assets; 8.2 Information Classification; 8.3 Media Handling
9 Access Control: 9.1 Business Requirements of Access Control; 9.2 User Access Management
10 Cryptography: 10.1 Cryptographic Controls
11 Physical and Environmental Security: 11.1 Secure Areas; 11.2 Equipment
12 Operations Security: 12.1 Operational Procedures and Responsibilities; 12.2 Protection from Malware
1.5 MAPPING THE ISO 27000 SERIES TO THE ISF SGP
The following table maps the ISO 27001 requirements to the ISF SGP security controls. For each of the detailed requirements, the table indicates the controls that can be used to satisfy those requirements, as documented in the ISF SGP.
Mapping ISO 27001 to the ISF SGP
ISO 27001 Topic: ISF SGP Category
4.1 Understanding the Organization and Its Context: Security Governance
4.2 Understanding the Needs and Expectations of Interested Parties: Security Governance
5.1 Leadership and Commitment: Security Governance
5.2 Policy: Security Management
6.1 Actions to Address Risks and Opportunities: Information Risk Assessment
7.1 Resources: Security Management
7.2 Competence: People Management
8.1 Operational Planning and Control: Security Management
9.1 Monitoring, Measurement, Analysis and Evaluation: Security Monitoring and Improvement
10.1 Non-conformity and Corrective Action: Security Monitoring and Improvement

Mapping ISO 27002 to the ISF SGP
The mapping between the ISO 27002 security controls and the corresponding controls in the ISF SGP:
ISO 27002 Topic: ISF SGP Category
5.1 Management Direction for Information Security: Security Monitoring and Improvement
6.1 Internal Organization: Security Governance
7.1 Prior to Employment: People Management
8.1 Responsibility for Assets: Physical Asset Management
9.1 Business Requirements of Access Control: System Access
10.1 Cryptographic Controls: Technical Security Management
11.1 Secure Areas: Local Environment Management
12.1 Operational Procedures and Responsibilities: System Development
13.1 Network Security Management: Networks and Communications
14.1 Security Requirements of Information Systems: Security Management

1.6 NIST CYBER SECURITY FRAMEWORK AND SECURITY DOCUMENTS


NIST is a U.S. federal agency that deals with measurement science,
standards, and technology related to the U.S. government and to the
promotion of U.S. private sector innovation.

Although national in scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact.

NIST Cyber security Framework


• The NIST Cyber security Framework consists of three components:
– Core: Provides a set of cyber security activities, desired outcomes, and applicable references that are common across critical infrastructure sectors
– Implementation tiers: Provide context on how an organization views cyber security risk and the processes in place to manage that risk
– Profiles: Represent the outcomes based on business needs that an organization has selected from the Framework Core categories and subcategories

NIST Cyber security Framework Functions and Categories
Function: Description (example categories)
Identify: Develop the organizational understanding to manage cyber security risk to systems, assets, data, and capabilities (Asset Management; Business Environment)
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services (Access Control; Awareness and Training)
Detect: Develop and implement the appropriate activities to identify the occurrence of a cyber security event (Security Continuous Monitoring)
Respond: Develop and implement the appropriate activities to take action regarding a detected cyber security event (Response Planning)
Recover: Develop and implement the appropriate activities to maintain plans (Recovery Planning)

Cyber security Framework Implementation Tiers
Each tier is described along three dimensions: Risk Management Process, Integrated Risk Management Program, and External Participation.
Tier 1: Partial
o Risk Management Process: Risk management practices are not formalized but are, rather, ad hoc. Prioritization of cyber security activities
Tier 2: Risk Informed
o Risk Management Process: Risk management practices are formally approved and expressed as policy.
o Integrated Risk Management Program: Processes and procedures are defined and implemented, and staff have adequate resources to perform their cyber security duties.
o External Participation: No formal coordination and collaboration with other entities.
Tier 3: Repeatable
o Risk Management Process: Risk management practices are formally approved and expressed as policy.
o Integrated Risk Management Program: Organization-wide approach to risk management. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.
o External Participation: Collaboration with partners enables risk management decisions in response to external events.
Tier 4: Adaptive
o Risk Management Process: Organization actively adapts to the changing cyber security landscape.
o Integrated Risk Management Program: Organization-wide approach to managing cyber security risk that uses risk-informed policies to ensure that accurate,
o External Participation: Organization manages risk and actively shares information with partners.
NIST Security Documents
NIST has produced a large number of FIPS publications and SPs that are enormously useful to security managers, designers, and implementers.
SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations: This document lists management, operational, and technical safeguards or countermeasures.
Countermeasure: A device, a procedure, or a technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

– FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (2006)
– SP 800-100, Information Security Handbook: A Guide for Managers (2006)
– SP 800-55, Performance Measurement Guide for Information Security (2008)
– SP 800-27, Engineering Principles for Information Technology Security: A Baseline for Achieving Security (2004)
– SP 800-12, Introduction to Information Security (2017)
– SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
1.7 THE CIS CRITICAL SECURITY CONTROLS FOR EFFECTIVE CYBER DEFENSE

The Center for Internet Security (CIS) is a nonprofit community of organizations and individuals seeking actionable security resources.
A major contribution of CIS is the CIS Critical Security Controls for Effective Cyber Defense (CIS CSC). The community that develops the controls works to:
o Share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action.
o Document stories of adoption and share tools to solve problems.
o Track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions.
Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

The CIS CSC List of Controls
Basic CIS Controls:
CSC 1: Inventory and Control of Hardware Assets
CSC 2: Inventory and Control of Software Assets
CSC 3: Continuous Vulnerability Management
CSC 4: Controlled Use of Administrative Privileges
CSC 5: Secure Configuration for Hardware and Software
CSC 6: Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls:
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configuration for Network Devices
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
Organizational CIS Controls:
CSC 17: Implement a Security Awareness and Training Program
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Each control section includes the following:
o A description of the importance of the control in blocking or identifying the presence of attacks and an explanation of how attackers actively exploit the absence of this control
o A chart of the specific actions, called sub-controls, that organizations are taking to implement, automate, and measure the effectiveness of this control
o Procedures and tools that enable implementation and automation
o Sample entity relationship diagrams that show components of implementation

1.8 COBIT 5 FOR INFORMATION SECURITY


Control Objectives for Business and Related Technology (COBIT) is a set of documents published by ISACA, which is an independent, nonprofit, global association engaged in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems.
COBIT 5, the fifth version of the set of documents to be released, is intended to be a comprehensive framework for the governance and management of enterprise IT.
COBIT 5 for Information Security: Main Policies and Functions
Policy: Key Functions
Business continuity and disaster recovery: Business impact analysis (BIA); Business contingency plans with trusted recovery
Asset management: Data classification; Data ownership
Rules of behavior (acceptable use): At-work acceptable use and behavior; Off-site acceptable use and behavior
Information systems acquisition, software development, and maintenance: Information security in the life cycle process; Secure coding practices
Vendor management: Contract management; Information security terms and conditions
Communication and operation management: IT information security architecture and application design; SLA
Compliance: IT information security compliance assessment process; Development of metrics
Risk management: Organizational risk management plan; Information risk profile

COBIT 5 also provides a useful organization of the techniques used to achieve effective security into 5 domains and 37 processes, under two general categories, as follows:
Governance of Enterprise IT
o Evaluate, Direct and Monitor (EDM): 5 processes
Management of Enterprise IT
o Align, Plan and Organize (APO): 13 processes
o Build, Acquire and Implement (BAI): 10 processes
o Deliver, Service and Support (DSS): 6 processes
o Monitor, Evaluate and Assess (MEA): 3 processes

1.9 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)


The PCI DSS, a standard of the PCI Security Standards Council, provides guidance for maintaining payment security.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.
The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
PCI DSS Goals and Requirements
Goal: Requirements
Build and Maintain a Secure Network and Systems: 1. Install and maintain a firewall configuration to protect cardholder data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data: 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program: 5. Protect all systems against malware and regularly update anti-virus software or programs; 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures: 7. Restrict access to cardholder data by business need to know; 8. Identify and authenticate access to system components
Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
Maintain an Information Security Policy: 12. Maintain a policy that addresses information security for all personnel

The following is an example of a PCI sub-requirement:
o Sub-requirement 8.1.2: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
o Testing procedures: For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval.
o Guidance: To ensure that user accounts granted access to systems are all valid and recognized users.
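The 8.1.2 testing procedure above can be carried out mechanically. The following is an added example (not PCI SSC material and not from these notes): it samples privileged and general user IDs, compares the privileges observed on each account with its documented approval, and reports any ID with no approval on file, any privilege beyond the approved set, and any approval that no longer matches a live account. The account and approval records, user IDs and privilege names are constructed sample data, and the field names are assumptions.

```python
"""Audit check modelled on the PCI DSS 8.1.2 testing procedure.
Added example, not PCI SSC code: account and approval records are
constructed sample data, and the field names are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """A user ID as observed in system settings (constructed record)."""
    user_id: str
    privileged: bool
    privileges: frozenset


@dataclass(frozen=True)
class Approval:
    """The documented approval for a user ID (constructed record)."""
    user_id: str
    approved_privileges: frozenset


# Constructed sample data; the user IDs and privilege names are hypothetical.
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"login", "sudo"})),
    Account("bob", False, frozenset({"login", "db_read"})),   # db_read never approved
    Account("carol", False, frozenset({"login"})),            # no approval on file
    Account("erin", True, frozenset({"login", "sudo", "backup"})),
]
SAMPLE_APPROVALS = [
    Approval("alice", frozenset({"login", "sudo"})),
    Approval("bob", frozenset({"login"})),
    Approval("dave", frozenset({"login"})),                    # approval with no live account
    Approval("erin", frozenset({"login", "sudo", "backup"})),
]


def select_sample(accounts, per_class, seed=0):
    """Draw up to per_class privileged and per_class general user IDs.
    A fixed seed keeps the sample reproducible for the audit record."""
    rng = random.Random(seed)
    privileged = [a for a in accounts if a.privileged]
    general = [a for a in accounts if not a.privileged]
    chosen = rng.sample(privileged, min(per_class, len(privileged)))
    chosen += rng.sample(general, min(per_class, len(general)))
    return chosen


def audit_user_ids(sample, approvals, all_accounts):
    """Compare observed privileges with documented approvals.
    Returns sorted (user_id, finding, details) tuples; an empty list means
    every sampled ID carries only the privileges on its documented approval."""
    approvals_by_id = {a.user_id: a for a in approvals}
    findings = []
    for acct in sample:
        approval = approvals_by_id.get(acct.user_id)
        if approval is None:
            findings.append((acct.user_id, "no_documented_approval", sorted(acct.privileges)))
            continue
        excess = acct.privileges - approval.approved_privileges
        if excess:
            findings.append((acct.user_id, "excess_privileges", sorted(excess)))
    # Approvals with no matching account point at stale records or a deletion
    # never reflected in the approval register; checked against every account,
    # not just the sample, so un-sampled IDs are not reported by mistake.
    observed_ids = {a.user_id for a in all_accounts}
    for approval in approvals:
        if approval.user_id not in observed_ids:
            findings.append((approval.user_id, "approval_without_account", []))
    return sorted(findings)


def run_audit(per_class=2, seed=0):
    """Sample the constructed accounts and audit them against the approvals."""
    sample = select_sample(SAMPLE_ACCOUNTS, per_class, seed)
    return audit_user_ids(sample, SAMPLE_APPROVALS, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user_id, finding, details in run_audit():
        print(f"{user_id}: {finding} {details}")
```

Running the block reports three findings for the constructed data; a clean run returns an empty list, which is the evidence an assessor would record against 8.1.2. The sample is drawn with a fixed seed so the same user IDs can be re-examined later.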
1.10 ITU-T SECURITY DOCUMENTS
The International Telecommunication Union (ITU) is a United Nations
specialized agency—hence the members of ITU-T are governments.

ITU's charter states that it is "responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis."
Its primary objective is to standardize, to the extent necessary, techniques and operations in telecommunications to achieve end-to-end compatibility of international telecommunication connections.

Topic: Subtopics
Security requirements: Threats, risks, and vulnerabilities; Personnel and physical security requirements
Security architectures: Open systems security architecture; Security services
Security management: Information security management; Risk management
Role of the directory: Directory concepts; Public-key security mechanisms
Examples of approaches to authentication and non-repudiation: Secure password-based authentication protocol with key exchange; One-time password authentication
Securing the network infrastructure: The telecommunications management network; Securing monitoring and control activities
Some specific approaches to network security: Next-generation network security; Mobile communications security
Application security: Voice over IP (VoIP) and multimedia; Web services
Security aspects of cloud computing: Key characteristics of cloud computing; Generic cloud computing capabilities and services

1.11 EFFECTIVE CYBERSECURITY

The goal of effective cyber security is constantly receding as management strives to keep up with changes in the cyberspace ecosystem, which comprises technology, threat capability, applications, IT resources, and personnel.

Cyber security Management Process

The process cycle consists of four major activities:

1(a). Assess the risk, considering the following:
  1. Assets and their value or utility
  2. Threats and vulnerabilities associated with these assets
  3. Risk of exposure of these assets to the threats and vulnerabilities
  4. Risk and impacts resulting from this risk of exposure
1(b). Address the risk(s), considering the following:
  1. Identification of available risk management options
  2. Selection of preferred risk management option
  3. Final risk management decision
2. Implement the risk management decision, considering the following:
  1. Selection of controls
  2. Allocation of resources, roles, and responsibilities
  3. Implementation of controls
3. Monitor, review, and communicate the risks, considering the following:
  1. Monitoring of the risk situation
  2. Risk-related measurements
  3. Review and re-assessment of the risks
  4. Communication of the risks
4. Update and improve the controls:
  1. Updating controls
  2. Improving controls
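To show the four activities as a working procedure rather than a list, here is an added example (not from the notes) of a small risk register in Python. It scores each asset from its value, threat likelihood and impact, ranks the register, chooses a treatment option, applies a control, and then re-assesses so that controls which still leave a risk above the appetite are sent back for improvement. The 1-5 scales, the treatment thresholds, the risk appetite, the control catalogue and the assets are all assumptions.

```python
"""A small risk register that walks the assess / address / implement /
monitor cycle. Added example, not from the notes: the 1-5 scales, the
thresholds, the control catalogue and the asset names are assumptions."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: int      # 1-5, value or utility of the asset (assumed scale)
    threat: str
    vulnerability: str
    likelihood: int       # 1-5, chance the threat exploits the vulnerability
    impact: int           # 1-5, harm if it does
    treatment: str = ""
    control: str = ""

    def exposure(self) -> int:
        """Risk of exposure: likelihood combined with impact (1-25)."""
        return self.likelihood * self.impact

    def score(self) -> int:
        """Exposure weighted by what the asset is worth (1-125)."""
        return self.asset_value * self.exposure()


def build_register():
    """Constructed register; assets, threats and vulnerabilities are hypothetical."""
    return [
        Risk("customer-db", 5, "data theft", "unpatched DBMS", 4, 5),
        Risk("intranet-wiki", 2, "defacement", "default admin password", 3, 2),
        Risk("payroll-server", 4, "ransomware", "no offline backups", 3, 5),
        Risk("lobby-kiosk", 1, "vandalism", "unlocked USB ports", 2, 1),
    ]


# Assumed catalogue: vulnerability -> (control, likelihood cut, impact cut).
CONTROLS = {
    "unpatched DBMS": ("patch management", 3, 0),
    "default admin password": ("credential hardening", 2, 0),
    "no offline backups": ("offline backup rotation", 0, 2),  # limits damage, not frequency
}


def assess(register):
    """Step 1(a): rank the register by score, highest risk first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def address(register, accept_below=10, escalate_at=60):
    """Step 1(b): choose a treatment option from assumed thresholds."""
    for r in register:
        if r.score() < accept_below:
            r.treatment = "accept"
        elif r.score() >= escalate_at:
            r.treatment = "escalate"   # avoid or transfer needs a management decision
        else:
            r.treatment = "mitigate"
    return register


def implement(register):
    """Step 2: select and apply a control for every risk that is not accepted."""
    for r in register:
        if r.treatment == "accept":
            continue
        name, like_cut, imp_cut = CONTROLS.get(r.vulnerability, ("", 0, 0))
        r.control = name
        r.likelihood = max(1, r.likelihood - like_cut)
        r.impact = max(1, r.impact - imp_cut)
    return register


def monitor(register, appetite=30):
    """Steps 3 and 4: re-assess residual risk and flag controls that still
    leave a risk above the assumed appetite, so they go back for improvement."""
    return [(r.asset, r.score(), r.treatment, r.control, r.score() > appetite)
            for r in assess(register)]


def run_cycle():
    """One pass through the four activities on the constructed register."""
    register = implement(address(assess(build_register())))
    return monitor(register)


if __name__ == "__main__":
    for asset, score, treatment, control, needs_work in run_cycle():
        print(f"{asset:15} residual={score:3} {treatment:9} {control or '-':24} improve={needs_work}")
```

The "escalate" treatment stands in for the avoid-or-transfer decision that step 1(b) leaves to management; the example still applies a control to those items because the residual risk has to be measured before that decision can be made. The backup control cuts impact rather than likelihood, which is why the payroll risk is the one still above the appetite after one pass and is flagged for step 4.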
Cyber security Information and Decision Flows Within an Organization

Using Best Practices and Standards Documents

A broad range of documents is available to cyber security planners and implementers.
o The NIST Cyber security Framework provides management with a clear methodology for developing a framework profile. This profile can then be used as a guide in assembling a suite of controls for risk management.
o For purposes of putting together a set of cyber security controls, the ISF SGP and ISO 27002 provide the most thorough guidance.
o The ISF SGP is a comprehensive survey of what is available to cyber security managers, implementers, and evaluators, taken to a thorough level of detail.
o The CIS Critical Security Controls document is invaluable, as its details are based on broad real-world experience.

2. SECURITY GOVERNANCE

Security governance is the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

ITU-T X.1054, Governance of Information Security, defines information security governance as "the system by which an organization's information security-related activities are directed and controlled."
The term security governance encompasses governance concerns for cyber security, information security, and network security.

2.1 SECURITY GOVERNANCE PRINCIPLES AND DESIRED OUTCOMES


The role of security governance, it is useful to distinguish between
information security governance, information security management,
and information security implementation/operations.
ISO 27000 defines information security management.
1. Principles
X.1054 provides concepts and guidance on principles and processes for information security governance, by which organizations evaluate, direct, and monitor the management of information security. X.1054 lays out as a key objective of information security governance the alignment of information security objectives and strategy with overall business objectives and strategy. X.1054 lists six principles for achieving this objective:
• Establish organization-wide information security.
• Adopt a risk-based approach.
• Set the direction of investment decisions.
• Ensure conformance with internal and external requirements.
• Foster a security-positive environment for all stakeholders.
• Review performance in relation to business outcomes.

2. Desired Outcomes
• The IT Governance Institute defines four basic outcomes of information security governance that lead to successful integration of information security with the organization's mission:
1. Risk management
2. Resource management
3. Value delivery
4. Performance measurement
2.2 SECURITY GOVERNANCE COMPONENTS
SP 800-100 lists the following key activities, or components, that constitute effective security governance:


o Strategic planning
o Organizational structure
o Establishment of roles and responsibilities
o Integration with the enterprise architecture
o Documentation of security objectives in policies and guidance

1. Strategic Planning
It is useful for this discussion to define three hierarchically related aspects of strategic planning:
o Enterprise strategic planning
o Information technology (IT) strategic planning
o Cyber security or information security strategic planning

IT strategic planning is the alignment of IT management and operation with enterprise strategic planning. The need to move beyond IT management and to ensure that the IT planning process is integrated with enterprise strategic planning follows from two strategic factors: mission necessity and enterprise maturity.

The six phases are as follows:
1. Two- to five-year business and technology outlook
2. Strategic deep dive
3. Current-state assessment
4. Imperatives, roadmaps, and finances
5. Governance process and decision making
6. Regular reviews

Elements of a Strategic Plan Document

• Definition
– Mission, vision, and objectives
– Priorities
– Success criteria
– Integration
– Threat defense
– Execution
• Operations plan
• Monitoring plan
• Adjustment plan
– Review
• Review plan
2. Organizational Structure

The organizational structure to deal with cyber security depends, in large part, on the size of the organization, its type, and the organization's degree of dependence on IT.

• The basic security governance functions are as follows:
– Direct
– Monitor
– Evaluate
– Communicate
– Accountability
• Information security policy
• Risk evaluation
• Risk measures and response
• Management systems


Effect on corporate value:
o Estimates of the costs and benefits of making an inventory of information assets
o Estimates of the value of an inventory of information assets that is developed as a result of information security activities
o The economic value of protected information assets
o The amount by which the security implementation reduces the risk of damaging the information assets
3. Roles and Responsibilities
A key aspect of security governance is defining the roles and responsibilities of executives related to information security.

C-level: Chief level. Refers to high-ranking executives in an organization. Officers who hold C-level positions set the company's strategy, make high-stakes decisions, and ensure that day-to-day operations align with fulfilling the company's strategic goals.
o Chief executive officer (CEO)
o Chief operating officer (COO)
o Chief information officer (CIO)
o Chief security officer (CSO)
o Chief risk officer (CRO)
o Chief privacy officer (CPO)


4. Integration with Enterprise Architecture

The Federal Enterprise Architecture Framework (FEAF) is the most comprehensive of all the enterprise architectures. It provides:
o A perspective on how enterprise architectures are viewed in terms of sub-architecture domains
o Six reference models for describing different perspectives of the enterprise architecture
o Three levels of artifacts: high-level artifacts, mid-level artifacts, and low-level EA artifacts
The FEAF describes six domains:
o Strategy
o Business
o Data and information
o Enabling applications
o Host and infrastructure
o Security


Enterprise Architecture Reference Models
• These reference models operate on four categories of assets:
– Organization assets
– Business capabilities
– Data assets
– IT assets

5. Policies and Guidance
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, defines an information security policy as an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information.
2.3 SECURITY GOVERNANCE APPROACH
Effective security governance requires the development and clear documentation of a framework, which is a structured approach for overseeing and managing risk for an enterprise.

Security Governance Framework
The governing body should:
o Designate a single executive to be ultimately responsible for security governance, whose duties include implementing the framework and developing and monitoring an information security strategy and security assurance program.
o Establish the security governance framework, including ensuring alignment with overall organization policies and goals, enhancing business value, and adequately managing risk.
o Ensure integration of the security architecture with the enterprise architecture.
o Regularly review the organization's risk appetite to ensure that it is appropriate for the current environment.
o Formally approve the information security strategy, policy, and architecture.

Security Direction

A governing body is responsible for ensuring that there is effective security direction. COBIT 5 provides a more elaborate governing body structure than the SGP suggests, and it is worthwhile for larger organizations. Roles in that structure include:
o Chief information security officer (CISO)
o Information security steering (ISS) committee
o Information security manager (ISM)
o Enterprise risk management (ERM) committee
o Information custodians/business owners

Responsible, Accountable, Consulted, and Informed (RACI) Charts
COBIT addresses the responsibility of all roles played by employees involved in IT governance actions, classifying each role for each activity as:
o Responsible
o Accountable
o Consulted
o Informed
RACI charting helps avoid the following problems:
• Unclear accountability between individuals or departments
• Redundancies or work not being accomplished
• Delayed or incomplete work
• Inadequate communication and/or coordination
• Unclear approval/decision-making processes


3. INFORMATION RISK ASSESSMENT

Risk assessment is a complex subject that is more art than science and calls for considerable management judgment.

3.1 ASSET IDENTIFICATION

Risk identification is the identification of the assets, threats, existing controls, vulnerabilities, and impacts relevant to the organization; these serve as inputs to risk analysis.

Hardware Assets
Hardware assets include servers, workstations, laptops, mobile devices, removable media, networking and telecommunications equipment, and peripheral equipment. The principal security concerns for hardware assets are loss of a device, through theft or damage, and lack of availability of the device for an extended period.

Software Assets
Software assets include applications, operating systems and other system software, including:
– virtual machine and container virtualization software
– software for software-defined networking (SDN) and network function virtualization (NFV)
– database management systems
– file systems
– client and server software

Information Assets

Information assets comprise the information stored in databases and file systems, both on-premises and remotely in the cloud. Examples include:
• Blacklist information
• Registered service information
• Operational information
• Customer information
• Customer geographic locations

Business Assets
The business assets category includes organization assets that don't fit into the other categories, including human resources, business processes, and physical plant.


Asset Register

In order to effectively protect assets, an organization needs to provide a systematic method of documenting assets and their security implications. An asset register records, for each asset:
– Asset name/description
– Asset type
– Asset class
– Information assets
– Asset owner
– Location
3.2 THREAT IDENTIFICATION
Threat identification is the process of identifying threat sources with the potential to harm system assets.
Threat sources are categorized into three areas:
o Environmental
o Business resources
o Hostile actors

1. Threat Classification
STRIDE is a threat classification system developed by Microsoft that is a useful way of categorizing threats:
– Spoofing identity
– Tampering with data
– Repudiation
– Information disclosure
– Denial of service
– Elevation of privilege
2. Threat Types
A large category of threat is malicious software, or malware, which is a general term encompassing many types of software threats, including the following:
– Virus
– Worm
– Spam
– Logic bomb
– Trojan horse
– Backdoor (trapdoor)
– Mobile code
– Kit (virus generator)
– Spyware
Other cyber security threat terms frequently encountered include the following:
– Remote access attacks
– Denial-of-service (DoS) attack
– Distributed denial-of-service (DDoS) attack
– DNS attacks
– Code injection
– Password attack
3. Sources of Information
Information on environmental threats is typically available from a variety of government and trade groups.

Verizon Data Breach Investigations Report
This authoritative and highly respected report is based on data on security incidents systematically collected from a wide variety of organizations. The report organizes incidents by:
– Pattern
– Action
– Asset

Threat Horizon Report
The Threat Horizon report is a more broad-brush treatment, identifying key threats rather than providing detailed target profiles. Its themes are:
– Disruption
– Distortion
– Deterioration

ENISA Threat Landscape Report
Another very useful source of information is the set of threat documents from the European Union Agency for Network and Information Security (ENISA).
Kill chain: A systematic process used to target and engage an adversary to create desired effects.
In the context of cyber security, threats reported by ENISA include:
– Malware
– Web-based attacks
– Web application attacks
– DoS attacks

Trustwave Global Security Report
The report is based on findings from extensive data sources, including breach investigations, global threat intelligence, product telemetry, and a number of research sources.


Security operations center (SOC)

A facility that tracks and integrates multiple security inputs, ascertains risk, determines the targets of an attack, contains the impact of an attack, and recommends and/or executes responses appropriate to any given attack.

Cisco Annual Cyber Security Report
The Cisco Annual Cyber Security Report is yet another excellent source of threat information.

3.3 VULNERABILITY IDENTIFICATION
Vulnerability identification is the process of identifying vulnerabilities that can be exploited by threats to cause harm to assets. Vulnerability categories include:
– Technical vulnerabilities
– Human-caused vulnerabilities
– Physical and environmental vulnerabilities
– Operational vulnerabilities
– Business continuity and compliance vulnerabilities

National Vulnerability Database and Common Vulnerability Scoring System
The NVD is a comprehensive list of known technical vulnerabilities in systems, hardware, and software. The CVSS provides an open framework for communicating the characteristics of vulnerabilities. The CVSS defines a vulnerability as a bug, a flaw, a weakness, or an exposure of an application, a system device, or a service that could lead to a failure of confidentiality, integrity, or availability. Its base metrics fall into three sets:
• Exploitability
• Impact
• Scope
3.4 RISK ASSESSMENT APPROACHES
1. Quantitative Versus Qualitative Risk Assessment
The two factors of risk assessment, likelihood and impact, can be treated either quantitatively or qualitatively.

Quantitative Risk Assessment
Level of risk = (Probability of adverse event) × (Impact value)
– This is a measure of the expected cost of security breaches, expressed numerically.


Qualitative Risk Assessment

Qualitative risk assessment is usually sufficient for identifying the most significant risks and allowing management to set priorities for security expenditures with a reasonable degree of confidence that all the significant risks have been mitigated.
Likelihood categories (probability of the adverse event):
o Low: ≤ 0.1
o Medium: > 0.1 and ≤ 0.5
o High: > 0.5 and ≤ 1.0

2. Simple Risk Analysis Worksheet
A simple approach to risk assessment is to use a risk analysis worksheet with the following columns:
– Security issue
– Likelihood
– Impact
– Risk level
– Recommended security controls
– Control priorities
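An added example, not from the lecture notes, showing how the quantitative formula and the qualitative likelihood bands above combine into a risk analysis worksheet with the columns just listed. The four security issues, their probabilities and their impact values are constructed sample data, and the control priority is simply the rank by risk level.

```python
"""Risk analysis worksheet builder (added example; not from the lecture notes).

Applies risk = probability x impact to a list of security issues, maps each
probability onto the Low/Medium/High likelihood bands, and orders the
recommended controls by risk level. The issues, probabilities and impact
values are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Issue:
    name: str
    likelihood: float   # probability of the adverse event per year, 0..1
    impact: float       # monetary impact if it occurs (currency units assumed)
    control: str        # recommended security control


def likelihood_band(p: float) -> str:
    """Likelihood bands from the notes, with non-overlapping boundaries."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if p <= 0.1:
        return "Low"
    if p <= 0.5:
        return "Medium"
    return "High"


def risk_level(issue: Issue) -> float:
    """Quantitative risk: expected annual loss = probability x impact."""
    return issue.likelihood * issue.impact


def build_worksheet(issues: list) -> list:
    """Return worksheet rows sorted by descending risk, with a 1-based control priority."""
    ranked = sorted(issues, key=risk_level, reverse=True)
    rows = []
    for priority, issue in enumerate(ranked, start=1):
        rows.append({
            "issue": issue.name,
            "likelihood": likelihood_band(issue.likelihood),
            "impact": issue.impact,
            "risk_level": risk_level(issue),
            "control": issue.control,
            "priority": priority,
        })
    return rows


# Constructed sample issues; every figure here is an illustrative assumption.
SAMPLE_ISSUES = [
    Issue("Unpatched internet-facing web server", 0.6, 250_000, "Patch management SLA and WAF"),
    Issue("Lost unencrypted laptop", 0.3, 400_000, "Full-disk encryption, MDM remote wipe"),
    Issue("Data-centre flood", 0.02, 2_000_000, "Offsite backups, DR site"),
    Issue("Phishing leading to credential theft", 0.8, 60_000, "Phishing-resistant MFA"),
]


def print_worksheet(rows: list) -> None:
    print(f"{'Pri':>3} {'Issue':<40} {'Lik.':<7} {'Impact':>10} {'Risk':>10}  Control")
    for r in rows:
        print(f"{r['priority']:>3} {r['issue']:<40} {r['likelihood']:<7} "
              f"{r['impact']:>10,.0f} {r['risk_level']:>10,.0f}  {r['control']}")


if __name__ == "__main__":
    print_worksheet(build_worksheet(SAMPLE_ISSUES))
```

Note what the ranking does with the data-centre flood: its large impact is discounted by its low probability, so it lands at the bottom of the worksheet. That is the standard objection to a purely quantitative ordering, and the reason the qualitative review should look at high-impact, low-likelihood items separately rather than trusting the product alone.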
3. Factor Analysis of Information Risk
FAIR, which has been standardized by The Open Group, has received wide acceptance. One reason is its relationship to International Organization for Standardization (ISO) risk standards.

The Open Group: A global consortium with more than 500 member organizations that enables the achievement of business objectives through IT standards.
The Open Group has published four risk-related standards documents:
– Risk Taxonomy
– Requirements for Risk Assessment Methodologies
– FAIR – ISO/IEC 27005 Cookbook
– The Open Group Risk Analysis (O-RA) Technical Standard
The key FAIR definitions are as follows:
– Asset
– Risk
– Threat
– Vulnerability


3.5 LIKELIHOOD ASSESSMENT

Likelihood assessment does not yield a numerical value subject to calculation using probability theory. A likelihood assessment considers the presence, tenacity, and strengths of threats as well as the presence of vulnerabilities and the effectiveness of security controls already in place.
o Step 1. Determine the likelihood that a threat event will occur.
o Step 2. Determine the degree of vulnerability of the asset to the threat.
o Step 3. Based on Step 1 and Step 2, determine the likelihood that a security incident will occur.
This analysis needs to be repeated for every threat to every asset.

Estimating Threat Event Frequency
o The assessment of threat event frequency involves two aspects: determining the frequency with which a threat agent will come in contact with an asset, and the probability or likelihood that, once in contact, the threat agent will act against the asset.

Estimating Vulnerability
• Estimating vulnerability involves comparing the resistance strength of the asset's controls against the capability of the threat agent, which depends on two factors:
• Skill: The knowledge and experience of the threat agent are critical factors in the severity of the threat action.
• Resources: The other important factor is the resources, such as the time, financial resources, and materials, that a threat agent can bring to bear.
Vulnerability = f1 (Resistance strength, Threat capability)

Estimating Loss Event Frequency
• The likelihood of a loss is referred to as loss event frequency in the FAIR documents. It is derived from vulnerability and threat event frequency by means of a lookup matrix, which defines a function f2:
Primary loss event frequency = f2 (Vulnerability, Threat event frequency)
3.6 IMPACT ASSESSMENT
Impact assessment is the process of developing some sort of agreed-upon impact score or cost value that estimates the magnitude of the adverse consequence of a successful threat action.


Value proposition: A statement that identifies clear, measurable, and demonstrable benefits to consumers when they buy a particular product or service.
Primary loss factors: Occur directly as a result of the threat agent's action upon the asset.
Secondary loss factors: Occur as a result of secondary stakeholder reactions to the event.

1. Estimating the Primary Loss
The FAIR impact assessment begins with determining the primary loss suffered as the result of the event.
o Asset factors: The value of the asset under threat.
o Threat factors: Threat actions that contribute to the loss. Possible actions include:
– Access
– Misuse
– Disclosure
– Modification
– Deny access

2. Estimating the Secondary Loss
The estimation of secondary loss is more complex than the estimation of the primary loss.
Secondary loss magnitude: Losses that are expected to materialize from dealing with secondary stakeholder reactions.
o Organizational factors: Characteristics of the organization that determine the magnitude of the loss.
o External factors: Entities that inflict a secondary form of harm upon the organization as a result of an event.

3. Business Impact Reference Table
A useful tool for performing impact assessment is the Business Impact Reference Table (BIRT). The BIRT was developed by the ISF to enable all involved in the risk assessment process to have a common view of the risk elements. Impact categories include:
o Unforeseen Impacts of Changes in Operations or Systems
o Delayed Delivery to Customers or Clients
o Loss of Customers or Clients
o Loss of Confidence by Key Institutions and Partners
o Damage to Corporate Image and Reputation


3.9 RISK DETERMINATION

Once the loss magnitude is estimated and the loss event frequency derived, it is a straightforward process to derive an estimate of risk. This is done separately for primary and secondary losses, and then the two are combined:
o Primary risk = f3 (Primary loss event frequency, Primary loss magnitude)
o Secondary risk = f3 (Secondary loss event frequency, Secondary loss magnitude)
o Overall risk = f4 (Primary risk, Secondary risk)

3.10 RISK EVALUATION
Once a risk analysis is done, senior security management and executives can determine whether to accept a particular risk and, if not, determine the priority in assigning resources to mitigate the risk. This process, known as risk evaluation, involves comparing the results of risk analysis with risk evaluation criteria.
The advice provided for risk evaluation, both by ISO 27005 and the FAIR documents, is general because the criteria developed vary significantly from one organization to another.
SP 800-100 provides some general guidance for evaluating risk and prioritizing action based on a three-level model:
• High: If an observation or a finding is evaluated as high risk, there is a strong need for corrective measures.
• Moderate: If an observation is rated as moderate risk, corrective actions are needed, and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low: If an observation is described as low risk, the system's authorizing official must either determine whether corrective actions are still required or decide to accept the risk.
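Drawing together sections 3.5 through 3.10, the following Python is an added example (not from the notes, and not The Open Group's own tooling) of a FAIR-style calculation: threat event frequency from contact frequency and probability of action, vulnerability from threat capability versus resistance strength, loss event frequency, primary and secondary loss magnitude, and the overall risk, which is then compared against evaluation criteria. The functions f1 through f4 that the notes leave abstract are realised here by Monte Carlo simulation over (min, most likely, max) estimates, which is how FAIR is commonly applied in practice. The scenario figures and the High/Moderate thresholds are constructed assumptions.

```python
"""FAIR-style risk determination by Monte Carlo (added example; not from the notes).

Chains the factors described in the notes: threat event frequency = contact
frequency x probability of action; vulnerability = P(threat capability exceeds
resistance strength); loss event frequency; primary and secondary loss
magnitude; overall risk; then evaluation against criteria. Every input is a
(min, most likely, max) estimate sampled from a triangular distribution. The
scenario figures and thresholds below are constructed assumptions.
"""
import random
import statistics
from typing import Dict, Tuple

Estimate = Tuple[float, float, float]   # (min, most_likely, max)


def sample(rng: random.Random, est: Estimate) -> float:
    lo, ml, hi = est
    if not lo <= ml <= hi:
        raise ValueError("estimate must satisfy min <= most likely <= max: %r" % (est,))
    return rng.triangular(lo, hi, ml)   # a point estimate (lo == hi) is returned unchanged


def simulate(scenario: Dict[str, Estimate], iterations: int = 10000, seed: int = 1) -> Dict[str, float]:
    rng = random.Random(seed)
    vulnerable_hits = 0
    annual_losses = []
    for _ in range(iterations):
        # Step 1: threat event frequency = contacts per year x P(act | contact).
        tef = sample(rng, scenario["contact_frequency"]) * sample(rng, scenario["probability_of_action"])
        # Step 2: vulnerability; capability and resistance are on a 0..100 percentile scale.
        tcap = sample(rng, scenario["threat_capability"])
        rs = sample(rng, scenario["resistance_strength"])
        vulnerable = tcap > rs
        vulnerable_hits += int(vulnerable)
        # Step 3: loss event frequency is the share of threat events that succeed.
        lef = tef if vulnerable else 0.0
        # Impact: primary loss on every loss event; secondary loss only when stakeholders react.
        primary = lef * sample(rng, scenario["primary_loss_magnitude"])
        secondary = (lef * sample(rng, scenario["secondary_loss_probability"])
                     * sample(rng, scenario["secondary_loss_magnitude"]))
        annual_losses.append(primary + secondary)   # overall risk for this simulated year
    annual_losses.sort()
    return {
        "vulnerability": vulnerable_hits / iterations,
        "mean_annual_loss": statistics.fmean(annual_losses),
        "p50_annual_loss": annual_losses[iterations // 2],
        "p90_annual_loss": annual_losses[int(iterations * 0.9)],
    }


def evaluate(mean_annual_loss: float, high_threshold: float, moderate_threshold: float) -> str:
    """Risk evaluation against organisation-specific criteria (thresholds are assumed inputs)."""
    if mean_annual_loss >= high_threshold:
        return "High: corrective measures required"
    if mean_annual_loss >= moderate_threshold:
        return "Moderate: plan corrective actions within a reasonable period"
    return "Low: accept, or decide whether corrective action is still warranted"


# Constructed scenario: credential stuffing against a customer portal (currency units assumed).
SCENARIO = {
    "contact_frequency":          (20.0, 50.0, 120.0),   # attack campaigns per year
    "probability_of_action":      (0.6, 0.8, 0.95),
    "threat_capability":          (40.0, 65.0, 90.0),    # percentile of the threat community
    "resistance_strength":        (50.0, 70.0, 85.0),    # percentile of attackers the controls stop
    "primary_loss_magnitude":     (5_000.0, 20_000.0, 80_000.0),
    "secondary_loss_probability": (0.1, 0.3, 0.6),
    "secondary_loss_magnitude":   (20_000.0, 100_000.0, 500_000.0),
}

if __name__ == "__main__":
    result = simulate(SCENARIO)
    for k, v in result.items():
        print(f"{k:>22}: {v:,.2f}")
    print(evaluate(result["mean_annual_loss"], high_threshold=500_000, moderate_threshold=100_000))
```

Reporting a percentile alongside the mean matters: a risk owner choosing between mitigation and retention usually wants to know what the 90th-percentile year looks like, not just the average. With degenerate estimates (min = most likely = max) the simulation collapses to the deterministic products, which is a convenient sanity check when calibrating inputs.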
3.11 RISK TREATMENT
Once the risk assessment process is complete, management should
have a list of all the threats posed to all assets, with an estimate of
the magnitude of each risk.


ISO 27005 lists these options for treating risk:
– Risk reduction or mitigation: Actions taken to lessen the probability and/or negative consequences associated with a risk
– Risk retention: Acceptance of the cost from a risk
– Risk avoidance: Decision not to become involved in, or action to withdraw from, a risk situation
– Risk transfer or sharing: Sharing with another party the burden of loss from a risk

Risk reduction is achieved by implementing security controls. Security controls can result in the following:
– Removing the threat source
– Changing the likelihood that the threat can exploit a vulnerability
– Changing the consequences of a security event

Risk retention, also called risk acceptance, is a conscious management decision to pursue an activity despite the risk presented, or to refrain from adding to the existing controls, if any, in place to protect an asset from a given threat.

Risk avoidance: If the risk in a certain situation is considered too high and the costs of mitigating the risk down to an acceptable level exceed the benefits, the organization may choose to avoid the circumstance leading to the risk exposure.

Sharing or transferring risk is accomplished by allocating all or some of the risk mitigation responsibility or risk consequence to some other organization.

4. SECURITY MANAGEMENT
4.1 THE SECURITY MANAGEMENT FUNCTION
The security management function centers on establishing, implementing, and monitoring an information security program, under the direction of a senior responsible person, such as:
– Chief information security officer (CISO)
– Information security manager (ISM)


Determining the benefit to an organization from IT security investments is a key element of IT security planning. Traditionally, capital planning has been applied to IT procurement overall and has been a separate function from security planning.

Security planning: Includes the more detailed planning for the organization, coordination, and implementation of security.
Capital planning: Designed to facilitate and control the expenditure of the organization's funds. It is a decision-making process for ensuring that IT investments integrate strategic planning, budgeting, procurement, and the management of IT in support of an organization's missions and business needs.

Related areas:
• Awareness and training
• Information security governance
• System development life cycle
• Security products and services acquisition
• Risk management
• Configuration management
The ISF SGP describes the information security management function and recommends that it encompass the following:
• Support function
• Monitor function
• Projects function
• External requirements function
Security Planning

NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, indicates that the purpose of a system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. A system security plan records:
– Information system name/identifier
– Information system owner
– Authorizing individual
– Assignment of security responsibility
– Security categorization
– Information system operational status
– Information system type
– Description/purpose
– System environment
This process involves three steps, each of which has goals, objectives, implementing activities, and output products for formal inclusion in agency enterprise architecture and capital planning processes:
– Identify
– Analyze
– Select
4.2 SECURITY POLICY
The security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information.

1. Information Security Strategic Plan
The CISO and security managers are responsible for developing policies such as the following:
– Access control policy
– Contingency planning policy
– Data classification policy
– Change control policy
– Virus policy
– Backup policy
– Network security policy
– Encryption policy

2. Security Policy Document Content
– Overview
– Purpose
– Targeted audience
– Policy
– Definitions
– Version


3. Management Guidelines for Security Policies

The SGP provides a useful set of guidelines for the creation, content, and use of security policy documents.

Responsibilities
– Those responsible for ratifying the policy document
– Responsibilities of all relevant individuals to comply with the policy
– Individuals responsible for protecting specific assets
Principles
– All relevant assets are to be identified and classified by value/importance
– All assets are protected with respect to confidentiality, integrity, and availability (CIA)
– All laws, regulations, and standards are complied with
Actions
– That all individuals are made aware of the security policy and their responsibilities
– That all assets are subject to risk assessment periodically and before a major change
– That auditing occurs periodically and as needed
Acceptable use
– The behaviors that are required, acceptable, and prohibited with respect to various assets
– Responsibility for establishing, approving, and monitoring acceptable use policies
4. Monitoring the Policy
The CISO should designate an individual or a group responsible for monitoring the implementation of the security policy. The responsible entity should periodically review policies and make any changes needed to reflect changes in the organization's environment, asset suite, or business procedures.

4.3 ACCEPTABLE USE POLICY
An acceptable use policy (AUP) is a type of security policy targeted at all employees who have access to one or more organization assets. The MessageLabs white paper Acceptable Use Policies suggests the following process for developing an AUP:
o Conduct a risk assessment to identify areas of concern
o Create the policy
o Distribute the AUP
o Monitor compliance
o Enforce the policy
The SANS Institute acceptable use policy template covers:


o General use and ownership
o Security and proprietary information
o Unacceptable use: system and network activities
o Unacceptable use: email and communication activities
o Unacceptable use: blogging and social media

4.4 SECURITY MANAGEMENT BEST PRACTICES

The SGP breaks down the best practices in the security management category into two areas.

Security policy management: Provides guidance for developing a comprehensive, approved information security policy.
o Information security policy
o Acceptable use policies

Information security management: A specialist information security function, led by a sufficiently senior manager (e.g., a CISO), that is assigned adequate authority and resources to run information security-related projects; promote information security throughout the organization; and manage the implications of relevant laws, regulations, and contracts.
– Information security function
– Information security projects
– Legal and regulatory compliance

*******
