Module 4 looks in detail at those resources and constraints. From a resource perspective, we have to understand what is available and whether there are any restrictions, such as what is culturally or socially acceptable. Policies? Of course, policies and standards, the paperwork, are a resource. Policy is management's statement of intent. Standards tell us how we're going to implement that policy. Procedures are step-by-step instructions for how we implement those standards, and guidelines are just that, recommendations, like how to select a password. From an architecture point of view, there are a number of different architectures out there. Take the UK: they have their Ministry of Defence architecture. The Open Group has an architecture called TOGAF, and even the federal government has one called FEA. The folks at Sherwood have an interesting architecture called SABSA. It looks at an interesting aspect, and that is that the folks at Sherwood say operational security should cover all of the levels, from the component architecture all the way up to the 30,000-foot view, the contextual architecture. The Open Group's architecture has a couple of interesting aspects as well. Look on the left-hand side at what the business vision and drivers are, and then on the parallel side at what the business has the capability of doing. From a control point of view, we have both IT controls and non-IT controls. We have countermeasures and safeguards and defense in depth. From a technology point of view, technology really is the cornerstone, and there are a number of things in technology. Systems that provide us with prevention of subsystem compromise, like authentication and authorization. Controls that provide us with containment, like data privacy, firewalls, and network segmentation. Controls that provide us with reaction, like incident response and evidence collection, and tracking, like auditing and logging on some devices.
Controls that do recovery and restoration, like BCP and disaster recovery planning. Personnel are always a resource, but we have to make sure that they have the appropriate background. In some cases, when you're doing background checks, you have to understand what the local laws are with regard to what we can ask. Again, the position you are going to put an individual in determines how much of a background investigation you do. We talked earlier about the organizational structure and the fact that it might be a risk-averse or a risk-taking organization. But one of the other things that we have to look at is whether this organization is managed centrally, with everything standardized, or whether it is decentralized. Both have their advantages and both have their disadvantages. From an organizational point of view, we want to make sure that all of the things that we do in security are very closely aligned with the business objectives. From an employee's point of view, roles and responsibilities have to be very clearly defined. Everyone needs to know their job and what's expected of them when it comes to information security. Those employees also bring to the table a certain skill set. HR needs to develop and maintain a skills inventory and also a way of testing whether or not those employees are proficient in their skill set. Speaking of training, everybody in the organization, including contractors, guests, and part-timers, everybody, has to go through security awareness, training, and education, and that has to be a recurring program. One of the other resources that is very good for us is audits, both internal and external, because the auditors are looking at the controls and telling us which controls are good, which ones are working, and which ones are not working and need to be improved. That basically is compliance enforcement. Are we complying with the standards that we have in place? Auditing and self-reporting will help us establish that.
One of the things that we can do also is take our assets and do a threat assessment, what we call threat modeling. What are the threats against any particular asset? Then, where are those assets vulnerable? Remember, people are assets, people have threats, and people are also vulnerable to certain things. Doing a risk assessment and then managing that risk can also be a resource. There are basically four ways that management can address or treat those risks. They can say, you know what, I'm just going to accept that risk because I don't think it's going to occur, or they could mitigate that risk by putting controls in place. They could also buy an insurance policy or move the application to the Cloud, thereby transferring the risk. You can never transfer responsibility, but you can transfer the risk. Or they could simply avoid the risk by not doing that aspect of the business at all. In a lot of cases, companies will buy insurance policies to cover that residual risk, and those may be first-party insurance, third-party insurance, or even fidelity insurance to cover things like embezzlement or employee theft. We do business impact analysis. We identify what the impact would be to the business if a particular asset or function were adversely impacted or could not be performed. This helps us determine criticality and sensitivity for the systems that are identified. When we do a BIA, one of the other things that we also identify is which resources those business functions are dependent upon, because each one of those resources potentially identifies an asset, and we then identify the impacts to those assets that the system or business function depends on. Increasingly, we are outsourcing aspects of the business. Help desk is one; for the most part, a lot of organizations are outsourcing their help desk.
A lot of companies are also outsourcing software development, so that outsourced service can be a resource that we need to take a look at. There are some issues, though, because those outsourced offshore resource providers may have different standards and may be difficult to control. When we look throughout the other parts of the organization, there are also other places we may turn to for some help, for some support: people like HR, legal, auditing, physical security, change management, or QA.