- 1.Policy - Goals (priorities among confidentiality, integrity, availability), Responsibility (who is responsible for what), Commitment (org chart for security, showing management backs the plan)
- 2.Current State - Risk analysis of the existing system and of what to do with new additions; Privacy Impact Assessment
- 3.Requirements - Who is allowed to do what? States needs only; nothing to do with mechanism
- 4.Recommended Controls - Mechanisms at the program, OS and network level that meet the requirements
- 5.Accountability - Who is accountable when a control fails?
- 6.Timetable - Milestones for putting controls in place, tracking progress
- 7.Continuing Attention - Reality is not static; the plan must be reviewed and updated
Security planning team writes the plan; it needs reps from the CTO, IT and the sysadmins
Business Continuity Plan is another kind of security plan - focused on availability
Advance planning for catastrophe - who will be in charge, what needs to be done, who will do it
-> Arrange regular backups, stockpile supplies, train employees
Incident Response Plan - legal issues, preserving evidence, keeping records, public relations (speak with one voice)
Risk has a probability and an impact; risk exposure = probability * impact (the expected loss)
Risk analysis:
- 1.Identify assets - hardware, software, data, people, documents, supplies
- 2.Determine vulnerabilities - think like an attacker; come up with attacks against each asset
- 3.Estimate likelihood of exploitation - frequency analysis (how often has it happened in the past?)
- 4.Compute risk exposure - probability * impact; estimating impact means e.g. valuing the difference between a competitor having and not having the data
- 5.Survey applicable controls - ways to remove or reduce each vulnerability
- 6.Project savings = risk exposure before the control - cost of the control - risk exposure after the control; a control is only worth adopting if the savings are positive
Physical Security
Physical Threats
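Steps 3 to 6 of the risk analysis carried through on constructed numbers, as an added example (not from the notes): the asset, the probabilities, impacts and control costs below are made up for illustration. Besides the projected savings formula from the notes it also computes risk leverage (exposure reduction per dollar of control cost), so the two ways of ranking controls can be compared.

```python
"""Risk exposure, projected savings and risk leverage for candidate controls.

All figures are constructed sample data (annualized, in dollars), not real
estimates. Formulas follow the notes: exposure = probability * impact and
savings = old exposure - cost of control - new exposure.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One asset/vulnerability pair with its estimated likelihood and impact."""
    name: str
    probability: float   # step 3: annual likelihood of exploitation
    impact: float        # loss in dollars if it happens

    def exposure(self) -> float:
        """Step 4: risk exposure = probability * impact."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    """Step 5: a candidate control and the residual risk once it is in place."""
    name: str
    cost: float                 # annualized cost of the control
    probability_after: float    # likelihood after the control is applied
    impact_after: float         # impact after the control is applied

    def residual_exposure(self) -> float:
        return self.probability_after * self.impact_after


def project_savings(risk: Risk, control: Control) -> float:
    """Step 6: old exposure - cost of control - new exposure.

    A negative value means the control costs more than the risk it removes.
    """
    return risk.exposure() - control.cost - control.residual_exposure()


def risk_leverage(risk: Risk, control: Control) -> float:
    """Exposure reduction per dollar spent; above 1.0 the control pays for itself."""
    return (risk.exposure() - control.residual_exposure()) / control.cost


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """The control with the highest positive projected savings, or None if none saves money."""
    worthwhile = [c for c in controls if project_savings(risk, c) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda c: project_savings(risk, c))


# Constructed sample data: a customer database that could be stolen.
CUSTOMER_DB = Risk("customer database theft", probability=0.10, impact=500_000)
ENCRYPT = Control("Encrypt database at rest", cost=20_000,
                  probability_after=0.10, impact_after=50_000)
PATCHING = Control("Patch management", cost=5_000,
                   probability_after=0.05, impact_after=500_000)
REWRITE = Control("Rewrite application", cost=80_000,
                  probability_after=0.01, impact_after=500_000)
CONTROLS = [ENCRYPT, PATCHING, REWRITE]


def report(risk: Risk, controls: List[Control]) -> List[str]:
    """One line per control; used only for printing."""
    lines = [f"{risk.name}: exposure ${risk.exposure():,.0f}"]
    for c in controls:
        lines.append(f"  {c.name:<26} savings ${project_savings(risk, c):>10,.0f}"
                     f"  leverage {risk_leverage(risk, c):.2f}")
    chosen = best_control(risk, controls)
    lines.append(f"  best by savings: {chosen.name if chosen else 'none'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CUSTOMER_DB, CONTROLS)))
```

On these figures encryption has the largest projected savings while patch management has the higher leverage (it removes more exposure per dollar), and the rewrite has negative savings and is dropped; the two metrics can rank controls differently, so a plan should state which one it uses.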
Tiger teams - hired to break into the system for a fee (penetration testing), finding vulnerabilities before real attackers do
Legal Protections against threats
Kinds of IP differ:
- 1.Cover different kinds of intangibles
- 2.Convey different rights
- 3.Have different durations
- 4.Have different registration requirements
- 5.But are often confused with one another
Intellectual property is non-depletable (one person's use does not reduce it for others), replicable, and has near-zero marginal cost to copy
IP:
- 1.Trade secrets - information kept secret; protection lasts only as long as the secrecy does
- 2.Trademarks - protect names, brands, domains and logos
- 3.Patents - inventions that are novel, useful and non-obvious
- 4.Copyrights - limited protection of the expression of ideas, not the ideas themselves
Canada's copyright law is more specific than the US's: fair dealing in Canada is an exhaustive list of permitted purposes (research, private study, criticism, review, news reporting, education, parody, satire), whereas US fair use is open-ended
P2P downloading of songs is arguably legal in Canada, but uploading likely still is not
July 2012 - the Supreme Court of Canada ruled that copying short excerpts of teaching materials for students was fair dealing
1998 - US passed the Digital Millennium Copyright Act (DMCA), which prohibits circumventing digital locks (technological protection measures)
As of 2012, Canada has similar restrictions (Copyright Modernization Act)
Circumventing a digital lock for private, non-commercial purposes does not carry significant penalties in Canada
Computer Crime
Early laws were bizarre - stolen data was valued at no more than the paper it was printed on
Computer forensics increasingly replaces regular forensics: evidence is digital, easily altered, and must be preserved with a chain of custody
Worse, computer crime is usually international, which complicates jurisdiction and prosecution
Bill C-13, the "cyberbullying" law, is really a lawful access law (expands police powers to obtain data from telecoms)
UK - Regulation of Investigatory Powers Act (RIPA, 2000): a full backdoor; providers must be able to intercept, and individuals can be compelled to hand over decryption keys
Full disclosure - publish the complete details of the vulnerability publicly; gives vendors an incentive to fix the problem quickly
Responsible disclosure - tell the vendor privately first and give it a fixed window (e.g. thirty days) to fix the problem before publishing
Attacks:

Attack | Desc | Soln
---|---|---
Replay | |
Reaction | |
Tracker | |
Port Scanning | |
Phishing | |
MITM | |
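The notes leave the description and solution columns of the attack table empty. As an added example for the Replay row (not from the notes), this shows a constructed protocol in which a receiver that only checks a MAC accepts a captured message a second time, and a receiver that also tracks a per-sender sequence number covered by the MAC rejects it. The key, message format and sequence-number rule are assumptions made for the demonstration; a nonce plus a timestamp window is the other common defense.

```python
"""Replay attack and a sequence-number defense on a MAC-authenticated message.

Constructed demo protocol (an assumption, not from the notes): a message is
JSON {"sender", "seq", "payload"} plus an HMAC-SHA256 tag over that body.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo key; a real deployment derives a per-session key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def make_message(key: bytes, sender: str, seq: int, payload: str) -> bytes:
    """Build body + tag. The sequence number is inside the MACed body."""
    body = json.dumps({"sender": sender, "seq": seq, "payload": payload},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def _verify_tag(key: bytes, wire: bytes) -> Tuple[bool, dict]:
    """Check the MAC in constant time; return the parsed body on success."""
    outer = json.loads(wire)
    body = outer["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        return False, {}
    return True, json.loads(body)


class NaiveReceiver:
    """Vulnerable: authenticity only. A captured message verifies again later."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, wire: bytes) -> Tuple[bool, str]:
        ok, _ = _verify_tag(self.key, wire)
        return (True, "ok") if ok else (False, "bad MAC")


class SeqReceiver:
    """Hardened: the MACed sequence number must exceed the last one accepted
    from that sender, so a replay (same seq) or a reordered old message fails.
    Changing the seq to slip past the check breaks the MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq: Dict[str, int] = {}

    def accept(self, wire: bytes) -> Tuple[bool, str]:
        ok, msg = _verify_tag(self.key, wire)
        if not ok:
            return False, "bad MAC"
        sender, seq = msg["sender"], msg["seq"]
        if seq <= self.last_seq.get(sender, -1):
            return False, f"replay: seq {seq} already seen from {sender}"
        self.last_seq[sender] = seq
        return True, "ok"


def demo() -> List[Tuple[str, bool]]:
    """Run the same captured-and-replayed traffic against both receivers."""
    transfer = make_message(DEMO_KEY, "alice", 1, "transfer 10 to mallory")
    later = make_message(DEMO_KEY, "alice", 2, "transfer 5 to bob")
    # Attacker edits the captured message's seq without knowing the key.
    outer = json.loads(transfer)
    forged_body = json.loads(outer["body"])
    forged_body["seq"] = 99
    forged = json.dumps({"body": json.dumps(forged_body, sort_keys=True),
                         "tag": outer["tag"]}).encode()

    naive, hardened = NaiveReceiver(DEMO_KEY), SeqReceiver(DEMO_KEY)
    return [
        ("naive: original", naive.accept(transfer)[0]),
        ("naive: replayed", naive.accept(transfer)[0]),      # accepted: the attack
        ("hardened: original", hardened.accept(transfer)[0]),
        ("hardened: replayed", hardened.accept(transfer)[0]),  # rejected
        ("hardened: next message", hardened.accept(later)[0]),
        ("hardened: old seq again", hardened.accept(transfer)[0]),
        ("hardened: forged seq", hardened.accept(forged)[0]),  # MAC fails
    ]


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{label:<26} {'ACCEPT' if accepted else 'reject'}")
```

The sequence-number state has to survive receiver restarts (or be re-established with a fresh key) or the protection is lost; where that is impractical, a random nonce remembered within a timestamp window serves the same purpose.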