Simple chart with classification of different InfoSec threats.
Misdirection:
Social trust:
Vulnerability:
Snooping:
Password attacks:
Escalation:
Malware:
Malicious actions:
Mitigations:
SEcurity Content COmmunity
During the validation of control activities, you should attempt to make security easier for users and more difficult for attackers.
Activities to verify may include (but are not limited to):
NOTE: validation of control activities is not considered an audit. Auditors themselves should also be evaluated ("watching the watcher") and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.
Due care:
You should care! Due care is the conduct expected of a person in a particular situation. If negligence of due care is tested, each due care juror (auditor/tester) has to determine what is "reasonable" in the given situation. Train people to recognise good choices versus bad choices.
Due diligence:
Continually ensure that threats and vulnerabilities are known and acted upon.
Q. What is CIA?
Confidentiality:
is:
enforced via:
Integrity (of data):
is:
enforced via:
Availability:
is:
enforced via:
Is…
Provides:
Enforced via:
*Standards should include an [internal] Minimal Security Baseline (MSB), influenced by vendor best practices, external standards, directives, etc.