
Managing Information Security Threats & Risks (ISO/IEC 27002)
Preparing for Success
Awareness of Risks and Threats
Setting the Stage
Information is an Asset:
- Financial
- Medical
- Intellectual Property
- Software Code
- Customer Information
- Strategic Goals & Objectives
Setting the Stage:
"Chance favors the prepared mind" – Louis Pasteur

 Preparing to Successfully Complete this Course


Module 1: Information and Security Concepts
- What information is
- What needs to be protected
- Thinking about which information to protect
Module 2: The Value of Information
- Concepts of information value
Module 3: Reliability as it Relates to Information
- Reliability of assets and information
Module 4: Risks vs. Threats
- The difference between risks and threats
Module 5: The Potential Impact of Threats on Information Reliability
- Information reliability until the threat is
- Potential impact of threats on information
Module 6: Analyzing and Mitigating Risk
- Risk analysis and risk treatment / mitigation

 Understanding Basic Information Concepts


Information and Security Concepts:
- Key information security terms and concepts
- Storing information
- Managing information
 Determining the value of information assets
The Value of Information:
- Information ownership
- Determining value
- Managing information
 Achieving information reliability through security
 Reliability as it relates to information:
- Confidentiality
- Integrity
- Availability
 Preparing to manage Threats and Risks
 Risks vs. Threats:
- Threats and risks
- Vulnerability and incidents
- Risk Management
- Disaster Recovery
 Categorizing Threats, Identifying Damage, and Calculating Loss
 The Potential Impact of Threats on Information Reliability:
- Threat categories
- Damage Categories
- Cost measurements
 Analyzing Risk to Help Drive Information Security Decisions
 Analyzing and Mitigating Risk:
- Vulnerabilities and incidents
- Types of risk analysis
- Risk analysis and determining asset value
 Using Risk Mitigation Strategies to Minimize the Impact of Risk
 Analyzing and Mitigating Risk:
- Minimizing risk
- Risk strategies
- Risk mitigation measures

 A Business Case Scenario: MuseLair

One night at a local club, MuseLair Productions makes a deal with the Squirt Guns.
MuseLair Productions:
Three new divisions were created by MuseLair Productions:
1. MuseLair Studios: the recording arm of MuseLair Productions
2. MuseLair Records: production of CDs and distribution of recordings
3. MuseLair Talent: books tours and handles the financial management of their artists
Everything was looking great for the company and its artists. However, recently there was a security breach at MuseLair, and the artists' contracts and personal information were compromised and widely published on the internet. Because of MuseLair's inability to keep their personal information confidential, on the very next day after the breach two of their major artists left, including the Squirt Guns, the band that had put them on the map, and MuseLair was very sad.
This incident forced MuseLair leadership to take a closer look at their information security practices. During an incident review meeting, they ordered a full evaluation of their current security practices based on the ISO/IEC 27002 standard.
As their trusted adviser, you have been asked by leadership to review the ISO/IEC 27002 standard, identify opportunities to improve MuseLair's security practices, and provide a proposal. How are you going to go about implementing the security improvements? The best place to start the review is to understand the basic information security concepts:
 Understanding Basic Information Security Concepts
 Defining Information:
- Information Terms & Concepts
- Information Systems
Information:
One or more data elements used for the act or fact of informing.
"I hear that MuseLair is looking for new artists"
(communication)
"I heard the same thing. Let's submit our demo CD"
 Two types of communication:
- Audible:
o Verbal
o Voice Mail
o Audio recording
o Morse code
o Tribal drums
o Etc.
- Visual:
o Document
o E-mail
o Texting
o Sign language
o Signal flags
o Signal fires
o Smoke signals
o Etc….
 Communication methods: two methods
Technical:
- Voice mail
- Audio recording
- Texting
- Electronic documents
- E-mail
- Morse code
- Etc…
Non-technical:
- Verbal
- Sign language
- Handwritten documents
- Tribal drums
- Signal fires
- Signal flags
- Etc….
All types of communication require some form of security to be identified and, when necessary, applied.
Understanding the Value of Data, Information, Knowledge, and Wisdom
Data: "Individual elements used to create information. Data by itself tells us nothing useful."
"Data placed in context is called information."
Information: "Data elements with context. Information tells us what."
"Information tells us what we are looking at."
Knowledge: "Information analyzed. Knowledge tells us how."
Wisdom: "Knowledge of what is true and right. Wisdom tells us why."
 What Information Systems Are and How They Add Value
 Information System:
An integrated set of components used for collecting, storing, and processing data and for delivering information and knowledge.
What Information Systems Are and How They Add Value:
The human body as an information system (integrated components):
Function: Component
- Collecting data: Eyes, Ears, Nose
- Storing and processing data: Brain
- Delivering information and knowledge: Mouth

Information technology plays the same roles in an information system.
An Information System is a collection of:
- People
- Process
- Technology
 People: Employees, Business Partners, Vendors, and Customers
- Creators
- Data Owners
- Administrators
- And Users
 Process: Documented methods that the information system must follow when managing data:
- Policies
- Procedures
- Rules
- Role Definitions
- And Audit Controls
Process enables the organization to do certain things, such as:
- Monitor
- Measure
- And Improve Information Systems
 Technology:
The information system will manage the data and information throughout the entire information lifecycle.

 Managing the Information Lifecycle:


Stage 1 – Conceptualize: "Plan for the creation of the data that you need to achieve the business outcome"
- What are you trying to accomplish?
- What information are you going to create?
- Why?
Stage 2 – Create or Receive: "Receive the data from other creators, archives, or repositories"
Stage 3 – Appraise & Select: "Evaluate the data and select the data elements needed for long-term consumption and preservation"
- Not all data is needed
- Some data has no long-term value
Stage 4 – Ingest: "Transfer data to an archive, repository, or other stewardship in accordance with any applicable policies or regulatory requirements"
- Archive: a place where your data is backed up
- Repository: another place from which the data can be accessed, protecting the original source of the data
- Stewardship: another organization that needs access based on policy or regulatory requirements, to which the data can be transferred
Stage 5 – Preserve: "Take the necessary steps needed to preserve and retain the data and the authoritative nature of the source"
- To keep the data confidential, its integrity intact, and available
Stage 6 – Store: "Store the data in such a way so as to maintain confidentiality, integrity, and availability."
- To keep the data confidential and available
Stage 7 – Access, Use & Reuse: "Provide ongoing access to both users and systems in such a way so as to maintain confidentiality, integrity, and availability of the required content"
Stage 8 – Transform: "Create new data from existing data through the process of transforming the data into new formats, subsets, and views"
Stage 9 – Dispose: "Properly destroy all data that is no longer required for use, reuse, or preservation based on retention policies or legal hold orders"

Information systems must be designed to support the entire lifecycle.
APPLY PROPER SECURITY MEASURES THROUGHOUT THE ENTIRE INFORMATION LIFECYCLE
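The lifecycle stages above are easy to list but are only useful when the system actually enforces them, in particular the Stage 9 rule that data is destroyed only when its retention period has ended and no legal hold applies. The following Python model is an added example, not part of the course notes or of ISO/IEC 27002 itself: the stage names follow the notes, while the record names, dates, retention periods and the audit trail are constructed for illustration.

```python
"""Added example (not from the course notes): a model of the nine-stage
information lifecycle with the Stage 9 disposal gate (retention policy and
legal hold) enforced in code.  Records, dates and retention periods below
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Stage order from the notes (Stage 1 .. Stage 9).
STAGES = ["conceptualize", "create_or_receive", "appraise_and_select",
          "ingest", "preserve", "store", "access_use_reuse", "transform",
          "dispose"]


class LifecycleError(Exception):
    """Raised when a transition would violate lifecycle policy."""


@dataclass
class Record:
    name: str
    created: date
    retention_days: int            # hypothetical policy value for this record class
    legal_hold: bool = False       # set while a legal hold order applies
    stage: str = "conceptualize"
    audit: list = field(default_factory=list)   # audit-control trail of transitions


def retention_expiry(rec: Record) -> date:
    """Date on which the retention period for this record ends."""
    return rec.created + timedelta(days=rec.retention_days)


def disposal_decision(rec: Record, today: date) -> str:
    """Stage 9 gate: 'hold' if a legal hold applies, 'retain' while the
    retention period is still running, otherwise 'dispose'."""
    if rec.legal_hold:
        return "hold"
    if today < retention_expiry(rec):
        return "retain"
    return "dispose"


def advance(rec: Record, next_stage: str, today: date) -> Record:
    """Move a record through the lifecycle.  Moves only go forward, except
    that Stage 7 (access/use/reuse) and Stage 8 (transform) may alternate,
    and 'dispose' is reachable only when disposal_decision allows it."""
    if next_stage not in STAGES:
        raise LifecycleError(f"unknown stage {next_stage!r}")
    cur, nxt = STAGES.index(rec.stage), STAGES.index(next_stage)
    reuse_loop = {rec.stage, next_stage} == {"access_use_reuse", "transform"}
    if nxt <= cur and not reuse_loop:
        raise LifecycleError(f"{rec.name}: cannot go from {rec.stage} to {next_stage}")
    if next_stage == "dispose":
        decision = disposal_decision(rec, today)
        if decision != "dispose":
            raise LifecycleError(f"{rec.name}: disposal blocked ({decision})")
    rec.audit.append((today.isoformat(), rec.stage, next_stage))
    rec.stage = next_stage
    return rec


def run_demo() -> dict:
    """Walk a constructed record through every stage, then try to dispose of
    a record under legal hold and one still inside its retention period."""
    today = date(2024, 6, 1)
    contract = Record("artist_contract", created=date(2020, 1, 1), retention_days=365)
    for stage in STAGES[1:8]:              # create_or_receive .. transform
        advance(contract, stage, today)
    advance(contract, "access_use_reuse", today)   # reuse loop back from transform
    advance(contract, "dispose", today)            # retention expired, no hold

    held = Record("breach_evidence", created=date(2020, 1, 1), retention_days=365,
                  legal_hold=True, stage="store")
    fresh = Record("new_demo_cd", created=date(2024, 1, 1), retention_days=365,
                   stage="store")
    outcomes = {"contract": contract.stage}
    for rec in (held, fresh):
        try:
            advance(rec, "dispose", today)
            outcomes[rec.name] = "disposed"
        except LifecycleError as err:
            outcomes[rec.name] = str(err)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The audit list on each record is the Process side of the notes (audit controls) made concrete: every transition is recorded with its date, so a reviewer can show that disposal happened only after the retention period ended and with no legal hold in force.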
Exercise Time
Data, Information, Knowledge, Wisdom
