Answer choices: goals; objectives; strategic plan; strategic planning
1. A plan for the organization's intended strategic efforts over the next several years.
2. The process of defining and specifying the long-term direction (strategy).

Answer choices: Tactical planning; Policies; Standard; Practice
1. The process of tactical planning breaks each strategic goal into a series of incremental objectives.
2. They direct how issues should be addressed and how technologies should be used.
3. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
4. Recommendations.

Answer choices: guidelines; procedures; Comprehension (understanding); Compliance (agreement)
1. Recommendations the employee may use as a reference in complying with a policy.
2. Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
3. Dissemination (distribution): The organization must be able to demonstrate that the policy has been made readily available for review by the employee (e.g., hard copy and electronic distribution).
4. The organization must be able to demonstrate that the employee understands the requirements and content of the policy (e.g., quizzes and other assessments).
5. The organization must be able to demonstrate that the employee agrees to comply with the policy through act or affirmation (e.g., logon banners, which require a specific action to acknowledge agreement).

Answer choices: Uniform enforcement (fairness in application); Information security policy; Access control list (ACL); Access control matrix
1. The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
2. Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
3. Specifications of authorization that govern the rights and privileges of users to a particular information asset.
4. An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.

Answer choices: Capabilities table; Configuration Rule Policies; Information security blueprint; Information security framework
1. A lattice-based access control with rows of attributes associated with a particular subject (such as a user).
2. Configuring firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers involves specific configuration scripts that represent the configuration rule policy.
3. A framework or security model customized to an organization, including implementation details.
4. A specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls.

Answer choices: Spheres of Security; Design of Security Architecture (Layers PPT); Defense in depth; managerial controls
1. It illustrates how information is under attack from a variety of sources. It illustrates the ways in which people access information.
2. It is designed and implemented using policies, people (education, training, and awareness programs), and technology.
3. A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
4. Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.

Answer choices: operational controls; technical controls; Security Education, Training, and Awareness (SETA) Program; Business continuity plan (BC plan)
1. Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
2. Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.
3. A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees.
4. The documented product of business continuity planning. Occurs concurrently with the DR plan when the damage is major or ongoing.

Answer choices: Business continuity planning (BCP); Business resumption planning (BRP); Contingency planning (CP); Contingency planning management team (CPMT)
1. The actions taken to develop and implement the BC policy.
2. The actions taken to implement a combined DR and BC policy and plan.
3. The actions taken for incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis. It includes incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP).
4. It leads all CP efforts.

Answer choices: Disaster recovery plan (DR plan); Disaster recovery planning (DRP); Incident response plan (IR plan); Business impact analysis (BIA)
1. The documented product. It focuses on restoring systems.
2. The actions taken.
3. The documented product. It focuses on immediate response, but if the attack is there
4. An investigation and assessment of the various adverse events that can affect the organization. The BIA attempts to answer the question, "How will it affect us?"

Answer choices: Maximum tolerable downtime (MTD); Recovery point objective (RPO); Recovery time objective (RTO); Work recovery time (WRT)
1. The total amount of time the system owner or authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations.
2. The point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage (given the most recent backup copy of the data).
3. The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.
4. The amount of effort (expressed as elapsed time) necessary to make the business function operational after the technology element is recovered (as identified with RTO). Tasks include testing and validation of the system.

Answer choices: Business Impact Analysis stage 1; Business Impact Analysis stage 2; Business Impact Analysis stage 3; Incident classification
1. It is important to collect critical information about each business unit before prioritizing the business units.
2. Identify Resource Requirements. Once the organization has created a prioritized list of its mission and business processes, it needs to determine which resources would be required to recover those processes and associated assets.
3. Identify Recovery Priorities for System Resources. To do so, it needs to understand the information assets used by those processes.
4. The process of examining an incident candidate and determining whether it constitutes an actual incident (both host-based and network-based).

Answer choices: Loss of availability; Loss of integrity; Loss of confidentiality; Violation of policy
1. Information or information systems become unavailable.
2. Users report corrupt data files, garbage where data should be, or data that looks wrong.
3. You are notified of sensitive information leaks or informed that information you thought was protected has been disclosed.
4. Organizational policies that address information or information security have been violated.

Answer choices: Violation of law; Alert message; Alert roster; After-action review
1. The law has been broken, and the organization's information assets are involved.
2. A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process.
3. A document that contains contact information for people to be notified in the event of an incident.
4. A detailed examination and discussion of the events that occurred, from first detection to final recovery.