  1. Policy - Goals (priority in CIA), Responsibility (who is responsible), Commitment (org chart for security)
  2. Current State - Risk analysis & what to do with new additions, Privacy Impact Assessment
  3. Requirements - Who is allowed to do what? Nothing to do with mechanism
  4. Recommended Controls - Mechanisms for Program, OS, Network
  5. Accountability - Who is accountable for failure?
  6. Timetable - Milestones, tracking progress
  7. Continuing Attention - Reality is not static

Security Planning team will write the plan, have reps from CTO, IT, SYSADMINS

Business Continuity Plan is another kind of security plan - Availability

Advance Planning for catastrophe - Who will be in charge, what needs to be done, who will do it

-> Arrange regular backups, stockpile supplies, train employees

Incident Response Plan - Legal issues, Preserving Evidence, Records, Public Relations (speak with one voice)

Risk has probability and impact; risk exposure = probability * impact

Risk analysis:

  1. Identify assets - Hard/Software/Data, People, Docs, Supplies
  2. Determine vulnerabilities - Come up with attacks
  3. Estimate likelihood of exploitation - Frequency analysis (how often in the past?)
  4. Compute risk exposure - Competitor having/not having data
  5. Survey applicable controls - Ways to control vulnerability
  6. Project savings = Risk Exposure - Cost of control - New risk exposure

Physical Security

Physical Threats
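A worked version of risk analysis steps 3-6 above, added here as an example (it is not part of the course notes): exposure = probability * impact, and each candidate control is judged by savings = exposure - cost of control - new exposure. Every probability, dollar figure and control name is a constructed sample value.

```python
# Added worked example (not from the course notes) of risk analysis steps 3-6.
# All probabilities, dollar figures and controls are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    probability: float  # estimated likelihood of exploitation per year (0..1)
    impact: float       # loss, in dollars, if the vulnerability is exploited

@dataclass(frozen=True)
class Control:
    name: str
    cost: float             # annual cost of running the control
    new_probability: float  # residual likelihood once the control is in place
    new_impact: float       # residual impact once the control is in place

def likelihood_from_history(incidents: int, years_observed: int) -> float:
    """Step 3: frequency analysis, past incidents per year capped at 1.0."""
    return min(1.0, incidents / years_observed)

def exposure(probability: float, impact: float) -> float:
    """Step 4: risk exposure = probability * impact."""
    return probability * impact

def projected_savings(risk: Risk, control: Control) -> float:
    """Step 6: savings = risk exposure - cost of control - new risk exposure."""
    before = exposure(risk.probability, risk.impact)
    after = exposure(control.new_probability, control.new_impact)
    return before - control.cost - after

def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Steps 5-6: rank candidate controls by projected savings, best first.
    Negative savings mean the control costs more than the exposure it removes."""
    ranked = sorted(controls, key=lambda c: projected_savings(risk, c), reverse=True)
    return [(c.name, round(projected_savings(risk, c), 2)) for c in ranked]

# Constructed scenario: customer database, one breach in the last ten years.
DB_RISK = Risk("customer database", likelihood_from_history(1, 10), 500_000)
CONTROLS = [
    Control("accept the risk (baseline)", 0, DB_RISK.probability, DB_RISK.impact),
    Control("MFA on admin accounts", 20_000, 0.02, 500_000),
    Control("field-level encryption", 35_000, DB_RISK.probability, 100_000),
    Control("air-gapped replica only", 90_000, 0.005, 500_000),
]
if __name__ == "__main__":
    print(f"exposure: ${exposure(DB_RISK.probability, DB_RISK.impact):,.0f}")
    for name, savings in rank_controls(DB_RISK, CONTROLS):
        print(f"{name:28s} {savings:>12,.2f}")
```

The baseline row makes the decision rule visible: a control is only worth adopting when it beats accepting the risk, and the air-gap option shows a control whose cost exceeds the exposure it removes.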

Tiger Teams break into system for a price

Legal Protections against threats

IP Kinds Differ:

  1. Cover different kinds of intangibilities
  2. Convey different rights
  3. Have different durations
  4. Have different registration requirements
  5. But are confused

Intellectual Property is non-depletable, replicable, minimum marginal cost

IP:

  1. Trade secrets - Secret information
  2. Trademarks - Protect names, brands, domains and logos
  3. Patents - Inventions which are novel, useful, non-obvious
  4. Copyrights - Limited protection of expression of ideas

Canada has more specific copyright laws than US. Exhaustive fair dealing law in Canada.

P2P downloading songs arguably legal in Canada but uploading likely still is not.

July 2012 - Supreme Court of Canada determined copying teaching materials was fair use

1998 - US passed Digital Millennium Copyright Act (DMCA)

As of 2012, Canada has similar restrictions

Violating digital lock does not carry significant penalties

Computer Crime

Early laws were bizarre - value of stolen data was worth as much as the paper it was printed on

Computer forensics replaces regular forensics

Worse, computer crime is international

Bill C-13 or Cyberbullying law is really a lawful access law

UK, RIP Act - Full backdoor

Full disclosure - post full leaks, provide vendors incentives to fix problem

Responsible disclosure - give vendor thirty days to fix problem

Attacks:

| Attack        | Desc | Soln |
|---------------|------|------|
| Replay        |      |      |
| Reaction      |      |      |
| Tracker       |      |      |
| Port Scanning |      |      |
| Phishing      |      |      |
| MITM          |      |      |