More assurance slang

Due care:

You should care! Due care is the conduct expected of a reasonable person in a particular situation. When negligence of due care is tested, each juror (auditor/tester) has to determine what is “reasonable” in the given situation. Do train people to recognise good choices versus bad ones.

Due diligence:

Continually ensure that threats and vulnerabilities are known and acted upon.

  • Assets are identified and protected.
  • Controls are in place.
  • Regulations are followed and evaluated.

Accountability in a more classical structure

Is…

  • Who did it?
  • Do we have non-repudiation?
  • What are legal consequences?
  • How shall we secure the systems?
  • Who is accountable?

Provides:

  • integrity and assurance,
  • authenticity.

Enforced via:

  • audit trails & logs,
  • design, governance and policy,
  • standards*,
  • RACI matrix.

*standards should include an [internal] Minimal Security Baseline (MSB), influenced by vendor best practices, external standards, directives, etc.
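As an added example (not part of the original page), the following Python shows one way an audit trail can enforce accountability: each record is chained to the previous one and authenticated with an HMAC, so edits, deletions and reordering are detectable and the trail can answer “who did it?”. The key, actors, actions and targets are constructed for illustration; a symmetric HMAC gives integrity and authenticity to holders of the key, while non-repudiation toward a third party would need per-actor signatures instead.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed/constructed: a key held only by the log integrity service, not by actors.
LOG_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" for the first record


def append_entry(trail, actor, action, target, key=LOG_KEY, when=None):
    """Append an audit record chained to the previous record's MAC."""
    prev = trail[-1]["mac"] if trail else GENESIS
    record = {
        "seq": len(trail),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    trail.append(record)
    return record


def verify_trail(trail, key=LOG_KEY):
    """Return (ok, first_bad_seq); catches edited, deleted or reordered records."""
    prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["mac"]):
            return False, i
        prev = record["mac"]
    return True, None


def who_did(trail, action, target):
    """Answer 'who did it?' for a given action on a target (verify first)."""
    return [r["actor"] for r in trail
            if r["action"] == action and r["target"] == target]


if __name__ == "__main__":
    trail = []
    append_entry(trail, "alice", "disable", "firewall-rule-42")  # constructed
    append_entry(trail, "bob", "read", "hr-db")  # constructed
    print(verify_trail(trail), who_did(trail, "disable", "firewall-rule-42"))
```

Run `verify_trail` before answering any accountability question; a trail that fails verification cannot support the answers drawn from it.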

It’s alive…

It’s alive! Welcome to the SEcurity Content COmmunity (SECCO), a place to share and comment on IT security related topics.

SECCO is the interactive section of the CIA³ site (pronounced: CIA cubed). CIA³ is a more modern version of the classical security concepts known as the CIA triad. CIA³ does, however, cover five concepts: Confidentiality, Integrity, Availability, Accountability, and Assurance.