1. Cyber Security Assurance
* Goal of Information Assurance
* Seven Principles of Survivability and Information Assurance.
* Survivable Functional Units
#* Definitions of Information Security:
# - classical
# - C-I-A
- tree
* Definitions of main pillars of IS:
- confidentiality (two viewpoints)
- possession (two viewpoints)
- integrity (two viewpoints)
- authenticity (two viewpoints)
- availability (one viewpoint), availability vs. reliability, common availability values
- utility (two viewpoints)
* Physical security
- definition
- examples
- policies
- facility controls
- personnel controls
* Administrative security
- definition
- examples
* IT Security
- data security (vs. information security?)
- communications security (comsec)
#* Information Assurance [slides 57, 69]
#* Computer Security (compusec)
#* Information Assurance Process [slide 73]
#* IA/IS axioms [slide 79] and approach !!!
2.1 Risk basics
* Risk-based protection
#* Risk definition:
# - general
# - ISO 31000
* Risk management
#* Risk appetite
* Risk characteristics:
# - uncertainty
# - exposure
# - problem
* Terms related to risk:
# - threat
# - vulnerability
# - exploit
# - risk assessment
# - risk management
* Sources of risks
- strategic
- tactical
- operations
- reporting
- compliance
* Types of risk:
- physical
- human interaction
- equipment malfunction
- inside and outside attacks
- misuse of data
- loss of data
- application error
###2.2 Principles of Risk Management
* RM priorities
* Strategic vs. tactical risk management
#* Operational plans
#* Policy
#* Procedure
#* Method
#* Rule
* Terminology
- asset, asset valuation
# - threat, threat agent, threat event
- vulnerability
# - exposure
- risk
# - safeguard
- attack
# - breach
#* Threat vectors
- Natural
- Unintentional
- Intentional (insider, outsider)
#* STRIDE model (-)
* Threat trees
* Threat identification
* Mitigation strategies
2.3 Enterprise Risk Management
* Definition
* COSO II
#* ISO 31000(:2009)
# - key definitions (risk, risk management, risk management vs. managing risks)
# - sections (principles, framework, process)
- differences (what is measured, what is protected)
* IT Risk Management Framework
- controls
* IT Risk Governance
# - Risk IT (scope, principles)
- three domains
* COBIT 5
* Risk IT
* NIST Special Publications 800
- NIST SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations)
- NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)
- NIST SP 800-39 (Integrated Enterprise-wide Risk Management)
- NIST SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems and Organizations)
- NIST SP 800-30 (Guide for Conducting Risk Assessments)
#* Agile Defence
- inertia (cognitive, action, volitive)
- boundary protection
- examples
#* Agile strategy
* Risk executive function
2.4 Cybersecurity risk management
* Risk-based security engineering process
* Subset of ERM
* Fundamentals
* Asymmetry
* Rating threats and risks
- risk=probability*damage
# - DREAD
* Best practices in Threat Management
* Threat analysis
* Risk analysis
* Risk handling
* Total risk
* Risk calculation
# - EF (exposure factor) (percentage of asset value)
# - SLE (single loss expectancy) = asset_value*EF (how much in money)
# - ARO (annual rate of occurrence) (how many times per year)
# - ALE (annual loss expectancy) = SLE*ARO (money)
* Threat/risk calculation
# - ALE_before - ALE_after - cost_safeguard = value of the safeguard
* Qualitative risk analysis
- Delphi technique
- scenarios
- heat map
* Risk prioritization (impact, probability)
* Residual risk (control gap)
* OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
- types
* Microsoft Operations Framework
2.5 Risk Management Summary
#* ISMS (Information Security Management System) Framework
3. IT Strategy
#* Basics (mission, vision, objectives)
* Strategy
* Basis for strategies
- operational excellence
- customer intimacy
- product leadership
#* Strategic planning
#* SWOT analysis
* GAP analysis
* Balanced Scorecard
4. IT Governance
* Enterprise Governance
* Governance Triad
- Governance
- Compliance
- Standards
* IT Governance
* Organizational Structure
* Focus areas of IT Governance
* IT Strategic Alignment
#* Performance Measurement Balanced Scorecard (BSC)
#* IT Governance Life Cycle (*)
#* Maturity Models (and scales)
* IT Demand Governance
- plan
- implement
- manage
- monitor
5.1 Project Management
* Optimal size for interaction
* Project definition
#* Project Life cycle
- the Gantt chart
* Project Management Documentation
* Project Order
* Final Report
* The Need for Documentation
* Needs for smaller projects
- project charter
- project plan
- project status report
- project issue document/log
- project change control request
- post implementation evaluation report
* Needs for mid-sized projects
#* Process for Ventures
- venture
5.2 Project Portfolio Management
* Definition [slide 13]
* Goals
* PPM Process
* Evaluation Criteria
* Roles
* OPM3
6. IT Service Management
* Business Change Process
* IT Infrastructure Library (ITIL)
* ITIL Processes
* Service Support Processes
#* Incident Management
#* Problem Management
* Configuration Management Database (CMDB)
#* The Deming Cycle
* Service Lifecycle
- strategy
- design
- transition
- operation
- continuous service improvement
* Service Catalog
7.1 Secure software engineering (two branches of software engineering)
* Waterfall method
* Iterative method
* Capability maturity model integration (CMMI)
#* Agile
#* Scrum
7.2 SSE
* Complex Adaptive System (CAS)
* Self-organized team
#* Lean Production ("Toyota Way")
- just-in-time development
- total quality management
- continuous process improvement (kaizen)
#* Reduction of waste
#* 5S
#* Poka-yoke (jidoka)
#* Kanban
7.5
* OWASP
- CLASP