Category: Security & Privacy

  • P.U.S.H.

    The four phases of PUSH are:

    • Preparation
      Defining audience and purpose of risk assessment.
    • Universe definition
      identifying and characterizing most critical assets, risks and controls.
    • Scoring
      choosing consistent scales to rate importance of assets, impact of risk and the effectiveness of controls.
    • Hitting the mark
      Ensuring the risk assessment fulfils the purpose set out in the preparation phase.
  • Risk Assessment Methodologies

    • OCTAVE is a self-directed risk analysis performed by an interdisciplinary team, focusing on operational risk and security practices.
    • FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
    • NIST is a qualitative risk assessment methodology established with healthcare in mind.
    • Failure modes and effects analysis assesses risk by examining the effects of failures on three levels.
    • CRAMM is an IT risk analysis method used in the British Government.
  • Methodological Frameworks

    • ISO 27000 is a series of standards to manage information security
    • ITIL is comprised of a series of books aiming to improve IT service management and IT processes
    • COSO is a framework for financial reporting and disclosure
    • COBIT is a four-domain model for IT governance and has 214 control objectives
  • Baselines, Procedures, Guidelines & Policies

    • Baselines define a minimum technical standard that should be maintained across the organization
    • Procedures are step-by-step instructions on how to comply with security requirements.
    • Guidelines give discretionary guidance on how best to comply with security requirements.
    • Policies define security requirements broadly.