
Information system security management techniques

Managing IS security and privacy

Security objectives

These are obtained through discussions, interviews and questionnaires, or derived by analyzing existing documents and formal frameworks. They should answer:
  • What general level of risk is acceptable?
  • How much does the organization depend on its IS?
    • Which essential decisions depend on accurate information?
    • Which basic processes cannot be performed successfully without the IS?
    • Which of them depend on the IS completely?
  • What are the critical unwanted incidents, and what are their implications for the organization?
  • Which critical data need protection?

Prioritizing risks according to expected loss

Quantitative approach

  1. Make a complete inventory of the organization's assets and resources.
  2. Identify threats (take the motivation of a potential attacker and the human factor into account).
  3. For each threat identified in step 2, estimate the probability E(x) that the event occurs within a given period (typically one year).
  4. Determine the damage cost D(x) of a single occurrence.
  5. Evaluate the risk for the period as the expected damage D(x)*E(x) (the expected annual loss).
  6. Set priorities by expected loss; investment in preventing a threat should not exceed the expected loss it averts.
  7. Define actions.
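The seven steps carried through on a small register, as an added worked example (not part of the original notes): each threat gets E(x) and D(x), the risks are ranked by D(x)*E(x), and each proposed countermeasure is accepted only if its yearly cost does not exceed the expected loss it averts. Every threat name, probability, damage figure and countermeasure below is constructed for illustration.

```python
"""Quantitative risk prioritization by expected annual loss.

Added worked example for the seven-step procedure above; it is not part of
the original notes. All threat names, probabilities, damage figures and
countermeasures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # E(x): expected occurrences per year (step 3)
    damage: float       # D(x): cost of a single occurrence (step 4)

    def expected_annual_loss(self) -> float:
        """Step 5: expected damage over the period, D(x) * E(x)."""
        return self.damage * self.probability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str                  # name of the threat it addresses
    annual_cost: float           # what prevention costs per year
    residual_probability: float  # E(x) once the measure is in place
    residual_damage: float       # D(x) once the measure is in place


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Step 6: rank threats by expected annual loss, largest first."""
    return sorted(threats, key=lambda t: t.expected_annual_loss(), reverse=True)


def evaluate(threat: Threat, measure: Countermeasure) -> Tuple[float, float, bool]:
    """Step 6 rule: prevention spending must not exceed the loss it averts.

    Returns (loss averted per year, net benefit per year, whether to adopt).
    """
    residual = Threat(threat.name, measure.residual_probability, measure.residual_damage)
    averted = threat.expected_annual_loss() - residual.expected_annual_loss()
    net = averted - measure.annual_cost
    return averted, net, net >= 0


def plan(threats: List[Threat], measures: List[Countermeasure]) -> List[str]:
    """Step 7: the actions to take, in priority order of the threat addressed."""
    actions = []
    for threat in prioritize(threats):
        for m in measures:
            if m.threat == threat.name and evaluate(threat, m)[2]:
                actions.append(m.name)
    return actions


# Constructed asset/threat register (steps 1-4); figures are illustrative only.
THREATS = [
    Threat("ransomware on file server", probability=0.5, damage=80_000),
    Threat("laptop theft", probability=2.0, damage=5_000),
    Threat("data centre fire", probability=0.02, damage=1_500_000),
    Threat("insider leak of customer data", probability=0.1, damage=200_000),
]

# Constructed countermeasures; a measure may lower E(x), D(x), or both.
MEASURES = [
    Countermeasure("offline backups and endpoint detection", "ransomware on file server",
                   annual_cost=15_000, residual_probability=0.1, residual_damage=80_000),
    Countermeasure("full-disk encryption on laptops", "laptop theft",
                   annual_cost=3_000, residual_probability=2.0, residual_damage=1_500),
    Countermeasure("fire suppression upgrade", "data centre fire",
                   annual_cost=45_000, residual_probability=0.005, residual_damage=1_500_000),
]

if __name__ == "__main__":
    for t in prioritize(THREATS):
        print(f"{t.name:32s} expected annual loss = {t.expected_annual_loss():>12,.0f}")
    for m in MEASURES:
        averted, net, adopt = evaluate(next(t for t in THREATS if t.name == m.threat), m)
        verdict = "adopt" if adopt else "reject (costs more than it averts)"
        print(f"{m.name:40s} averts {averted:>10,.0f}/yr, net {net:>+10,.0f}: {verdict}")
    print("Actions:", plan(THREATS, MEASURES))
```

Note how the ranking and the spending decision differ: the fire is the second-largest expected loss, yet the suppression upgrade is rejected because it costs more per year than it averts, while the cheap laptop encryption is adopted even though laptop theft ranks last. Step 6 is a budget rule, not just a sort.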

Qualitative approach

  • based on matrices or tables with predefined likelihood and impact levels rather than monetary estimates
...

Personnel security

  • internal members
    • roles and responsibilities
    • the employment contract must contain clauses on the security policy
  • external partners
    • contractual agreement on responsibilities when accessing the IS
  • visitors
    • supervision of visitors (recording their entry and departure)
    • visitors should wear visible identifiers
Theft is a classic risk and should be dealt with under IS security and privacy management!

...

Social engineering

Social engineering is a method in which an attacker exploits a relationship with a member or associate of the organization and uses that person to gain unauthorized access to the organization's resources. When social engineering is carried out as a test of the organization's own defences, it must be done in a fair and ethical way.

Incident handling

The organization should have a clear reporting procedure:
  • a responsible person (or several) to whom all reports are sent
  • a feedback channel to the original reporter
For serious cases the procedure should include a response that limits the damage to a minimum.
After an incident has happened, the goal is to discover how it occurred and what damage has been done. Steps then have to be taken to prevent such incidents from happening in the future.


...
Last Updated: Friday, 24 October 2008 20:19