
Information Security and Risk Management Summary

Jun 24, 2024

CISSP Second Round Review Summary

Course Introduction

  • CISSP second round review
    • This is the second round of review content
  • The first round includes five days of public classes, explaining the main contents of the eight domains
    • Initial understanding of the knowledge points
  • After five weeks of review, there will be a problem-solving class to apply the knowledge points and deepen understanding
  • Each domain corresponds to one chapter exercise
  • Comprehensive simulation practice
  • After about ten days of courses, you can pass the exam smoothly

Today's Content: Information Security and Risk Management

  • The security and risk management domain, in five major parts
    • Focused on management content, covering the CISSP knowledge domain
  • Five parts:
    • Basics of security and risk management
    • GRC (governance) concepts
    • Risk management
    • GRC compliance: legal and ethical compliance
    • Business continuity management
  • The importance of the management dimension

I. Basics of Information Security and Risk Management

Basic Concepts of Information and Its Lifecycle

  • Information: processed data that holds value
  • Information assets need to be classified, graded, and valued
  • Security protection throughout the information lifecycle: creation, identification, use, storage, transmission, alteration, destruction

Basic Principles of Information Security (CIA Triad)

  • Confidentiality: Only authorized subjects can access or use
  • Integrity: Prevent tampering and maintain information consistency
    • Three goals: prevent unauthorized tampering, prevent improper modification by authorized users, and maintain both internal and external consistency
  • Availability: Ensure accessible when needed and not denied

Security Technologies and Control Measures

  • Techniques to achieve the triad:
    • Confidentiality: Encryption, access control
    • Integrity: Hashing, message digest, configuration management, change control, access control, digital signatures
    • Availability: High-availability technologies, backup and recovery, redundancy, etc.
  • Types of Security Controls
    • Administrative controls: Policies, standards
    • Technical controls: Firewalls, encryption, and other security devices
    • Physical controls: Environmental facilities, access control, surveillance, etc.
    • Defense in Depth: Layered protection combining physical, administrative, and technical measures
  • Categorized by function:
    • Deterrent, preventive, corrective, recovery, detective, compensating
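The list above names hashing, message digests and digital signatures as integrity techniques. The following is an added example, not part of the course material, showing the difference between an unkeyed digest manifest (SHA-256) and a keyed one (HMAC-SHA256) over a constructed set of configuration records: the unkeyed manifest detects changes only if it is stored out of the modifier's reach, while the keyed manifest cannot be re-baselined without the key. The record names, contents and the key are constructed sample values.

```python
"""Integrity checking of a set of records: plain digests versus keyed digests.

Added example (not from the course). Records, names and keys are constructed.
"""
import hashlib
import hmac

# Constructed sample: configuration records whose integrity we want to protect.
RECORDS = {
    "firewall.conf": b"allow tcp 443 from any\ndeny all\n",
    "sshd.conf": b"PermitRootLogin no\nPasswordAuthentication no\n",
}


def digest_manifest(records: dict) -> dict:
    """Unkeyed SHA-256 digest per record.

    Detects accidental or unauthorized modification, but only while the
    manifest itself is kept where the modifier cannot rewrite it: anyone who
    can change the data can also recompute a matching digest.
    """
    return {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}


def hmac_manifest(records: dict, key: bytes) -> dict:
    """Keyed digest (HMAC-SHA256) per record.

    A modifier without the key cannot produce a valid tag, so the manifest
    may be stored alongside the data. A digital signature gives the same
    property with an asymmetric key.
    """
    return {
        name: hmac.new(key, data, hashlib.sha256).hexdigest()
        for name, data in records.items()
    }


def verify(records: dict, manifest: dict, key: bytes = None) -> list:
    """Return the sorted names of records that no longer match the manifest.

    An empty list means every record is intact. Missing records and records
    that appear without a manifest entry are both reported as changes.
    """
    changed = []
    for name, expected in manifest.items():
        data = records.get(name)
        if data is None:
            changed.append(name)
            continue
        if key is None:
            actual = hashlib.sha256(data).hexdigest()
        else:
            actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        # constant-time comparison avoids leaking how many leading bytes matched
        if not hmac.compare_digest(actual, expected):
            changed.append(name)
    changed.extend(set(records) - set(manifest))
    return sorted(changed)


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    baseline = hmac_manifest(RECORDS, key)
    tampered = dict(RECORDS, **{"sshd.conf": b"PermitRootLogin yes\n"})
    print("intact:", verify(RECORDS, baseline, key))
    print("tampered:", verify(tampered, baseline, key))
```

The unkeyed variant is what configuration-management and change-control tooling uses when the baseline lives on a separate, write-protected system; the keyed variant is the choice when the check runs on the same host as the data.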

II. Governance, Risk Management, and Compliance

  • Governance (the G in GRC)
    • Overall planning to align information security goals with business objectives
    • Includes: alignment with business goals, policy formulation, organizational structure, accountability mechanisms
    • Ensure implementation and feedback
  • Risk Management
    • Control risks within an acceptable range rather than eliminating all risks
    • Risk assessment, with its results driving the security build-out requirements
  • Compliance
    • Adhere to external laws, regulations, and standards
    • Ensure compliance requirements are met to avoid non-compliance risks

III. Information Security Governance and Management Framework System

  • Security Control Reference Frameworks:
    • COBIT: Related to IT control, issued by ISACA
    • COSO: Enterprise control model, addresses the Sarbanes-Oxley Act requirements
    • ITIL: Best practices for IT service management, related to ISO 20000
    • Zachman Framework: Enterprise architecture viewed from different roles
    • TOGAF: The Open Group Architecture Framework
    • SABSA: Enterprise security architecture framework, layered model
    • NIST SP 800-53: Security controls for federal government information systems
    • NIST Cybersecurity Framework: Focused on detection, protection, recovery
    • CMMI: Software capability maturity model, five levels

IV. Information Security Management

  • International standard for information security: ISO 27000 series
    • Best practices for systematic security construction
  • PDCA Model (Plan - Do - Check - Act)
    • Plan: Conduct risk assessment, identify business context and needs
    • Do: Implement according to the plan, regularly evaluate and optimize
    • Check: Assess effectiveness and conformity
    • Act: Improve based on the assessment results
  • Security Performance Measurement Standards
    • ISO 27004, NIST SP 800-55
    • Measure the implementation process, execution effect, business impact

V. Security Policies

  • Hierarchical policies:
    • Policies: Top-level, changes infrequently, approved by management
    • Standards: Mandatory, specific methods to implement policies
    • Guidelines: Recommendations, not mandatory; remember the contrast with standards
    • Baselines: Meet minimum security requirements
    • Procedures: Detailed steps, change frequently
  • Different security policies:
    • Organizational: Issued by top management, applicable to the entire organization
    • Functional: Specific to particular problems, areas, or technologies
    • System-specific: More detailed policies or standards for a particular system

VI. Supply Chain Risk and Management

  • Supply Chain: Full process from raw materials to consumers
    • Every step carries risk; continuous monitoring and inspection are needed
  • Supplier Management
    • Security controls: Pre-selection standards, security requirements in contracts, security training and monitoring during implementation
    • Specify security requirements and audit rights in contracts
    • Service Level Agreement (SLA)

VII. Information Security Organization

  • Roles and Responsibilities
    • Senior management: Ultimate responsibility for information security
    • Chief Information Officer (CIO): Daily operations of the company's technology
    • Chief Information Security Officer (CISO): Broad security, including information, personal, and physical security
    • Security Steering Committee: Decision-making body for security governance; defines membership and task allocation
    • Audit Committee: Comprehensive auditing, including IT audits
    • Risk Management Committee: Comprehensive risk management, including IT risk
  • Security Plan: Long-term strategic planning, mid-term tactical planning, short-term specific plans

VIII. Personnel Security

  • Role-specific responsibilities
    • Data owner: Business department role, data classification, and authorization management
    • Data custodian: IT role, implement data security requirements
    • System owner: Maintain system security
    • Information Security Administrator: Monitor and enforce regulations
    • Auditor: External perspective, review system implementation and effectiveness
    • Security Analyst: Data analysis, policy and standard formulation
    • End users: Comply with security requirements, properly use systems
  • In-service personnel control: Separation of duties, least privilege, job rotation, mandatory vacations
  • Termination control: Disable access rights, have the person sign a confidentiality agreement
  • Third-party personnel control: Same as employee management, background checks, monitoring, confidentiality agreements
  • Awareness Training and Education: Increase security awareness, prevent social engineering risks
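Separation of duties and least privilege, listed above as in-service personnel controls, are usually enforced in an identity system as a check over role assignments. The following is an added example, not part of the course material, that evaluates a constructed set of users against a constructed table of "toxic" role combinations: a detective check that lists existing violations, and a preventive check that refuses a grant which would create one. All user, role and pair names are constructed.

```python
"""Separation-of-duties (SoD) checks over role assignments.

Added example (not from the course). Users, roles and conflict pairs are constructed.
"""

# Constructed conflict matrix: one person holding both roles in a pair defeats
# the control (request vs. approve, develop vs. deploy, change vs. audit).
TOXIC_PAIRS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"code_commit", "prod_deploy"}),
    frozenset({"firewall_change", "firewall_audit"}),
}

# Constructed current assignments (user -> set of roles).
ASSIGNMENTS = {
    "alice": {"vendor_create", "invoice_entry"},
    "bob": {"payment_approve"},
    "carol": {"code_commit", "prod_deploy"},
    "dave": {"firewall_change", "firewall_audit", "vendor_create"},
}


def sod_violations(assignments: dict, toxic_pairs: set) -> dict:
    """Detective control: return {user: [conflicting pairs]} for every user
    who currently holds a toxic combination. Pairs are returned as sorted tuples."""
    violations = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in toxic_pairs if pair <= roles)
        if hits:
            violations[user] = hits
    return violations


def may_grant(user: str, role: str, assignments: dict, toxic_pairs: set) -> bool:
    """Preventive control: True only if adding `role` to the user's existing
    roles creates no toxic combination. Used at provisioning time so that a
    violation is refused rather than found later by an audit."""
    roles_after = assignments.get(user, set()) | {role}
    return not any(role in pair and pair <= roles_after for pair in toxic_pairs)


def least_privilege_report(assignments: dict, roles_used: dict) -> dict:
    """Least-privilege review: roles assigned but never exercised in the review
    window (roles_used maps user -> roles actually used) are candidates for removal."""
    return {
        user: sorted(roles - roles_used.get(user, set()))
        for user, roles in assignments.items()
        if roles - roles_used.get(user, set())
    }


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS, TOXIC_PAIRS))
    print("grant alice payment_approve:", may_grant("alice", "payment_approve", ASSIGNMENTS, TOXIC_PAIRS))
```

In practice the conflict matrix is owned by the business process owners (the data owner role above), while the identity administrator only enforces it; job rotation and mandatory vacations complement the check by exposing activity that a single continuously present holder of a role could otherwise conceal.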