- Lifecycle
- Plan & organise
- Implement
- Operate & maintain
- Monitor & evaluate
- OCTAVE
- ISO 27005
- NIST SP 800-30
- SLE
- ALE
- DRP
- BCP
- Delphi
Lifecycle
- plan & organise
- implement
- operate & maintain
- monitor & evaluate
Plan & organise
- management commitment
- oversight steering committee
- business drivers assessment
- organisation threat profile
- risk assessment
- security architectures + solutions
Implement
- roles and responsibilities assigned
- develop and implement security policy
- identify sensitive data
- asset identification and management
- risk management
- compliance
- identity management (IdM) and access control (AC)
- change control
- business continuity management (BCM) and disaster recovery planning (DRP)
- awareness and training
- physical security
- incident response
- audit and monitoring
- establish baseline
Operate & maintain
- internal and external audit
Monitor & evaluate
- assess goal accomplishment
- quarterly meeting with steering committee
OCTAVE
- Operationally Critical Threat, Asset and Vulnerability Evaluation (CERT/SEI, Carnegie Mellon)
- self-directed, organisation-wide risk assessment run by the organisation's own staff rather than external assessors
ISO 27005
- organisation-wide information security risk management; supports the ISMS of ISO 27001
NIST SP 800-30
- Guide for Conducting Risk Assessments; IT / information-system focused risk assessment (identify threat sources, vulnerabilities, likelihood, impact)
SLE
- single loss expectancy
- SLE = asset value (AV, in $$$) * exposure factor (EF, in %)
- exposure factor (EF): fraction of the asset's value lost in a single occurrence of the threat (e.g. 0.6 = 60% of the asset value is destroyed)
ALE
- annual loss expectancy
- annualized rate of occurrence (ARO): expected number of occurrences per year (0.1 = once per decade, 4 = four times a year)
- ALE = SLE * ARO
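A worked example of the SLE and ALE formulas above, added to these notes (it is not part of the original): it scores several constructed threat scenarios, ranks them by ALE, and applies the usual cost-benefit check that quantitative risk assessment is used for (ALE before a safeguard, minus ALE after it, minus the safeguard's annual cost). All asset values, exposure factors, AROs and costs are made-up illustration figures.

```python
# Added example, not from the original notes: quantitative risk scoring with
# SLE/ALE and a safeguard cost-benefit check. All figures below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO: expected occurrences per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual loss expectancy: ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def scenario_ale(s: Scenario) -> float:
    return ale(s.asset_value, s.exposure_factor, s.aro)


def rank_scenarios(scenarios):
    """Highest ALE first: this is the order in which to spend on controls."""
    return sorted(scenarios, key=scenario_ale, reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE(before) - ALE(after) - annual cost of safeguard.
    Positive means the control saves more than it costs; negative means it does not."""
    return ale_before - ale_after - annual_cost


# Constructed sample scenarios (hypothetical figures).
SCENARIOS = [
    Scenario("file server", "ransomware", asset_value=200_000, exposure_factor=0.75, aro=0.5),
    Scenario("datacentre", "fire", asset_value=2_000_000, exposure_factor=0.5, aro=0.05),
    Scenario("laptop", "theft", asset_value=3_000, exposure_factor=1.0, aro=4),
]


def ransomware_control_decision() -> float:
    """Hypothetical control: offline backups + endpoint detection cut the ransomware
    EF from 0.75 to 0.125 (most data restorable) at 20,000/year. Returns the safeguard value."""
    before = SCENARIOS[0]
    after = Scenario(before.asset, before.threat, before.asset_value, 0.125, before.aro)
    return safeguard_value(scenario_ale(before), scenario_ale(after), annual_cost=20_000)


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.asset:12s} {s.threat:11s} SLE={sle(s.asset_value, s.exposure_factor):>12,.0f} "
              f"ALE={scenario_ale(s):>10,.0f}")
    print(f"ransomware safeguard value per year: {ransomware_control_decision():,.0f}")
```

Note that a single large-SLE event (the fire) can rank below a cheaper but frequent one once ARO is applied, which is exactly why ALE rather than SLE drives the spending order.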
DRP
- disaster recovery plan
- how to restore IT systems and data after a disruptive event (e.g. rebuilding servers from backups at an alternate site after a fire)
- usually IT-focused; a subset of the BCP
BCP
- business continuity plan
- how to keep critical business functions running during and after a disruption, not just IT (e.g. where staff work and how orders are processed after the building has burnt down completely, or was saved but is unusable, until normal operations resume)
Delphi
- group decision method for reaching consensus among experts (e.g. on qualitative risk ratings)
- phases:
  - anonymous data collection: each participant submits estimates and opinions independently
  - anonymous circulation of the other participants' comments; repeat the collection step until consensus is reached