Fundamentals of Information Systems Security Chapter 4 The Drivers of the Information Security Business
Learning Objective
• Describe how information security activities directly support several common business drivers.

Key Concepts
• Risk assessment approach to securing an IT infrastructure
• Risk mitigation strategies to shrink the information security gap
• Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
• Adhere to compliance laws and governance (policies, standards, procedures, and guidelines)
• Complying with A-I-C goals in an IT infrastructure
Quantitative Risk Assessment
• Single loss expectancy (SLE)
  • Total loss expected from a single incident
• Annual rate of occurrence (ARO)
  • Number of times an incident is expected to occur in a year
• Annual loss expectancy (ALE)
  • Expected loss for a year
SLE × ARO = ALE

Qualitative Risk Assessment
• Probability
  • Likelihood a threat will exploit a vulnerability
• Impact
  • Negative result if a risk occurs
Risk level = Probability × Impact
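The two slides above give the formulas but no worked numbers. The following is an added example (not part of the course slides) that scores a small, constructed risk register both ways: quantitatively with ALE = SLE × ARO, and qualitatively with Risk level = Probability × Impact on 1 to 5 ordinal scales. It also adds a cost-benefit check for a proposed control, which is standard risk-mitigation practice but is not stated on the slides; all asset values, rates, scores and control costs are invented for illustration.

```python
"""Added example: quantitative (ALE) and qualitative (P x I) risk scoring.

Every figure in REGISTER is constructed for illustration; the names are not
real assets and the scores are not derived from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float          # single loss expectancy: total loss from ONE incident
    aro: float          # annual rate of occurrence: incidents per year (may be < 1)
    probability: int    # qualitative likelihood, 1 (rare) .. 5 (almost certain)
    impact: int         # qualitative impact, 1 (negligible) .. 5 (severe)


# Constructed register for the example (not a real organisation's data).
REGISTER = [
    Risk("Ransomware on file server", sle=250_000, aro=0.2, probability=3, impact=5),
    Risk("Laptop theft", sle=5_000, aro=4.0, probability=4, impact=2),
    Risk("Data center power outage", sle=80_000, aro=0.5, probability=2, impact=4),
    Risk("Credential theft via phishing", sle=30_000, aro=1.5, probability=5, impact=3),
]


def ale(risk: Risk) -> float:
    """Annual loss expectancy: SLE x ARO, the slide's formula."""
    return risk.sle * risk.aro


def qualitative_level(risk: Risk) -> int:
    """Risk level = Probability x Impact; both inputs must be on the 1..5 scale."""
    for label, score in (("probability", risk.probability), ("impact", risk.impact)):
        if not 1 <= score <= 5:
            raise ValueError(f"{label} for {risk.name!r} must be 1..5, got {score}")
    return risk.probability * risk.impact


def rank_by_ale(register: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first: the order in which to spend mitigation budget."""
    return sorted(register, key=ale, reverse=True)


def rank_by_level(register: list[Risk]) -> list[Risk]:
    """Highest qualitative risk level first (ties keep register order)."""
    return sorted(register, key=qualitative_level, reverse=True)


def control_net_value(risk: Risk, residual_aro: float, annual_cost: float) -> float:
    """Net annual value of a control that lowers the ARO to `residual_aro`.

    Positive means the ALE reduction exceeds what the control costs per year.
    This cost-benefit step is an assumption added by the example, not from the slides.
    """
    ale_before = ale(risk)
    ale_after = risk.sle * residual_aro
    return (ale_before - ale_after) - annual_cost


if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:<32} ALE={ale(r):>10,.0f}  level={qualitative_level(r):>2}")
    # Example control: immutable backups cut ransomware ARO from 0.2 to 0.05 for 20,000/year.
    print("net value of backup control:", control_net_value(REGISTER[0], 0.05, 20_000))
```

Note that the two rankings need not agree: the laptop-theft entry has a moderate qualitative level but a low ALE because each incident is cheap, whereas a rare, expensive incident can top the ALE list while sitting mid-table qualitatively. Running both views side by side is what makes the gap visible.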
BCP
• A plan designed to help an organization continue to operate during and after a disruption
• Covers all functions of a business: IT systems, facilities, and personnel
• Generally includes only mission-critical systems

DRP
• Includes the specific steps and procedures to recover from a disaster
• Is part of a BCP
• Important terms:
  • Critical business function (CBF)
  • Maximum acceptable outage (MAO)
  • Recovery time objectives (RTO)

BIA
• A study that identifies the CBFs and MAOs of a DRP
• Studies include interviews, surveys, meetings, and so on.
• Identifies the impact to the business if one or more IT functions fail
• Identifies the priority of different critical systems
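The DRP and BIA slides above introduce CBF, MAO and RTO as terms without showing how they are used together. The following is an added example (not from the course slides) that models a constructed BIA worksheet: each critical business function carries the MAO the business will tolerate, the RTO the DRP currently commits to, and the IT systems it depends on. From that it derives the recovery priority (shortest MAO first), flags functions whose RTO exceeds their MAO, and answers "which functions are hit if this system fails". The rule that RTO must not exceed MAO, and ordering priority by MAO, are assumptions of the example rather than statements on the slides; all function names and hours are invented.

```python
"""Added example: a small business impact analysis (BIA) worksheet.

All CBFs, hours and dependencies below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalBusinessFunction:
    name: str
    mao_hours: float               # maximum acceptable outage the business tolerates
    rto_hours: float               # recovery time objective the DRP currently achieves
    depends_on: tuple[str, ...]    # IT systems this function cannot run without


# Constructed worksheet (not a real organisation).
CBFS = [
    CriticalBusinessFunction("Order processing", mao_hours=4, rto_hours=8,
                             depends_on=("ERP", "Payment gateway")),
    CriticalBusinessFunction("Customer support", mao_hours=24, rto_hours=12,
                             depends_on=("Ticketing", "Email")),
    CriticalBusinessFunction("Payroll", mao_hours=72, rto_hours=48,
                             depends_on=("HR system",)),
    CriticalBusinessFunction("Public website", mao_hours=8, rto_hours=2,
                             depends_on=("Web cluster", "Payment gateway")),
]


def recovery_priority(cbfs: list[CriticalBusinessFunction]) -> list[str]:
    """Functions ordered by how little outage the business tolerates (assumed rule)."""
    return [c.name for c in sorted(cbfs, key=lambda c: c.mao_hours)]


def rto_gaps(cbfs: list[CriticalBusinessFunction]) -> list[str]:
    """Functions the DRP cannot currently restore within their MAO (RTO > MAO)."""
    return [c.name for c in cbfs if c.rto_hours > c.mao_hours]


def impacted_functions(cbfs: list[CriticalBusinessFunction],
                       failed_systems: set[str]) -> list[str]:
    """CBFs that stop when any of the given IT systems fails (register order)."""
    return [c.name for c in cbfs if any(s in failed_systems for s in c.depends_on)]


def system_criticality(cbfs: list[CriticalBusinessFunction]) -> dict[str, float]:
    """Tightest MAO among the CBFs each system supports: the recovery deadline for that system."""
    deadline: dict[str, float] = {}
    for c in cbfs:
        for system in c.depends_on:
            deadline[system] = min(deadline.get(system, float("inf")), c.mao_hours)
    return deadline


if __name__ == "__main__":
    print("recovery priority:", recovery_priority(CBFS))
    print("RTO exceeds MAO for:", rto_gaps(CBFS))
    print("if the payment gateway fails:", impacted_functions(CBFS, {"Payment gateway"}))
    print("system recovery deadlines (hours):", system_criticality(CBFS))
```

A shared dependency is the interesting case: the payment gateway is used by two functions, so its recovery deadline is the shorter of their MAOs (4 hours from order processing), not the 8 hours the website alone would require. The `rto_gaps` list is the action item a BIA hands back to the DRP: either shorten the RTO or renegotiate the MAO with the business.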
Summary
• Risk assessment approach to securing an IT infrastructure
• Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
• Adhere to compliance laws
• Complying with A-I-C goals in an IT infrastructure