
Summary Security Management: Chapter 1

1 The sliding scale of cybersecurity

• Three phases in information security:
  o Security according to fixed rules or best practices
  o Security based on risk assessment (passive and active)
  o Threat intelligence driven security
• In the early days → security measures were best practices (change passwords every month, you need to have a firewall, etc.)
  o This checklist approach → maturity-based approach to cybersecurity
• Risk assessment → defensive point of view
  o Cannot keep all bad traffic out → detection → passive defense
• Active defense → learning from adversaries and using threat intelligence
• The sliding scale of cybersecurity
  o 5 phases
    - Architecture
      · planning, establishing, and upkeep of systems with security in mind
    - Passive defense
      · systems added to the architecture to provide consistent protection against or insight into threats without constant human interaction
    - Active defense
      · analysts monitoring for, responding to, learning from, and applying their knowledge to threats internal to the network
    - Intelligence
      · the process of collecting data, exploiting it into information, and producing an assessment that satisfies a previously identified knowledge gap
    - Offence
      · represents direct action taken against the adversary outside friendly networks
• Cyberspace Warfare Attack
  o → employment of cyberspace capabilities not to attack CIA (confidentiality, integrity, availability, see further) but to destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversary's ability to use the cyberspace domain for his advantage
• North-south security → old
  o East-west security → new
• In zero we trust
  o → Not trust anyone or anything by default
  o Replaces old approach → Trust but verify

2 Security vs safety

• Security is the process of prevention of crime, threat or danger, whereas safety is the condition in which e.g. traffic accidents are avoided

3 IS vs IT

• Information security → close to the business and determines security measures aligned with the business
• IT security → working with antivirus, monitoring security tools, web site security, firewalls, etc.
4 Dilemmas of information security

• Known knowns → vulnerabilities discovered and getting patched
• Known unknowns → aware of the fact that there are undiscovered vulnerabilities
• Unknown knowns → not aware of the fact that known vulnerabilities cause a post-disclosure risk
• Unknown unknowns → not aware of the fact that IoT devices on our network can be used to bypass all security controls
• Use of risk management

5 Security engineering

• Good security engineering → 4 things come together
  o Policy
    - what you're supposed to achieve
  o Mechanism
    - the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy
  o Assurance
    - the amount of reliance you can place on each particular mechanism
  o Incentive
    - the motive that the people guarding and maintaining the system have to do their job properly, and also the motive that the attackers have to try to defeat your policy
• Most people only talk about policy and mechanisms
  o → Incentives and assurance are poorly set up
• Most policy and mechanisms are defined without taking into account the threat model

6 Modeling information security

• Most authors → do not speak of incentives and assurance → supposed to be part of mechanisms/mitigations
• Requirements = use case (system model) + policy
• Threat model = threats
• Compliance and governance → have to do with the system context and are thought to be part of the system (use case)
• System model, security objectives, risk assessment, requirements:
  o Good properties we want to maintain, bad properties we want to prevent
• Attacker model:
  o The power of the attacker and the parts of the system potentially under control of the attacker
• Defense model:
  o Selecting what you want to defend using which resources
• Security organization, compliance, governance
  o roles and responsibilities, policies, procedures
• 2 distinct approaches
  o Defense
  o Attacker's point of view

7 Security objectives

• Information security → often defined as CIA (confidentiality, integrity, availability)
• Mechanisms are meant to achieve objectives
• Information security aims to achieve preservation of these security objectives or to prevent harm to assets
  o Harm is the loss of one of the security objectives
  o Threat refers to an attacker and has the notion of a likelihood
• Confidentiality → concealing information so that it is not accessed by unauthorized parties
  o ≠ privacy → less strictly defined as it has cultural and legal meanings
• Integrity → prevention of unauthorized changes
• Availability → ability to use the information and to access the resources desired
• CIA → original triad
  o CIAA → adds authenticity and accountability
  o CI4AM → authentication, authorization, auditing and management
• Authenticity → property that an entity is what it claims to be
• Accountability → keeping audit trails and installing procedures for analyzing the trails (forensics)
• Auditability → synonym of accountability
• Non-repudiation → a party cannot deny it is part of a contract
• Reliability → has to do with consistent intended behavior and results
• Privacy and data protection → refers to personal data and has become an objective on its own with regulations such as GDPR
• Code validation → linked to the numerous vulnerabilities added by software code, and the attempts to detect or prevent this
• Authentication and authorization → security mechanisms
  o Authentication → identification and assurance of origin of information. We distinguish between
    - data or message authentication: assuring that the data have not been tampered with
    - entity or origin authentication: assuring that the entity that is said to be the origin is also the origin
  o Authorization → specifying access rights/privileges to users or processes
• In an organization flow → distinguish between
  o Identification
    - when you arrive in the organization, we need to identify you
  o Authentication
    - when you want access to a system, you will first have to authenticate yourself, to prove that you are who you claim to be
  o Authorization
    - we know who you are, and we then check your access rights

8 Industrial control systems (ICS) p28

• umbrella term that comprises different information systems and technologies
  o supervisory control and data acquisition (SCADA)
  o distributed control systems (DCS)
  o programmable logic controllers (PLC)
  o and more
  o → with one main goal: to provide management and control of industrial processes
• Conventional information systems (ERP, mail server, OS, etc.) → manage information
• ICS → manage physical processes
  o → Cyber-physical systems
• Control systems → typically referred to as OT (operational technology) vs traditional IT
  o OT uses a combination of traditional IT protocols and a large number of specific protocols
• Is CIA valid in an industrial control system (ICS) environment?
  o AIC is CIA in reverse order
• RAMS
  o reliability, availability, maintainability and safety
• RAMSS
  o Adds security
• P-RAMSS
  o Adds privacy
• ICS → similar security objectives → but priorities are different
  o → Dependability
    - Combines concepts of availability, reliability, integrity, safety and maintainability
    - First 3 → when going deeper, reveal confidentiality
    - Most important difference → priority shifted from confidentiality to availability and reliability
• Availability
  o ensures that systems, services and data are not upset, and are reachable when required
    - This is close to reliability
  o All connected functionally interdependent components must function correctly to achieve this goal; this relates to the whole system
• Integrity
  o ensures that a system performs
    - in the manner that it is intended without alteration or manipulation of information or functionality
• Dependability
  o The need to ensure that services delivered can be justifiably trusted
  o This principle has been alternatively defined as the ability to avoid service failures that are more frequent and more severe than is acceptable
• These security objectives lead to other security objectives
  o Confidentiality
    - enforces authorized restrictions on information access, guarding against disclosures to unauthorized individuals or systems
  o Authenticity
    - the guarantee that a message, information, or other exchange or transaction is from a claimed source. It essentially involves the proof of origin or identity
    - = Veracity
  o Safety
    - the absence of catastrophic consequences on the user(s) and the environment
  o Maintainability
    - emphasizes the ability to undergo modifications and repairs
  o Availability/reliability violations
    - aim to deliberately delay, block, or corrupt (via denial of service) the communication in manufacturing ICS
  o Integrity violations
    - on manufacturing ICS involve doing severe damage in inconspicuous ways, as they often do not disrupt or halt processes or systems but change the outcome of the systems
  o Confidentiality violations
    - are e.g. disclosure of business and/or production-critical data or information to competitors and adversaries that could cause a loss of competitive advantage and market relevance
• Typical ICS vulnerabilities
  o categorized as Data, Security administration, Network, Architecture and Platforms
• Impact in case of a successful ICS attack can be categorized as
  o (1) Denial of view (DoV)
  o (2) Loss of view (LoV)
  o (3) Manipulation of view (MoV)
  o (4) Denial of control (DoC)
  o (5) Loss of control (LoC)
  o (6) Manipulation of control (MoC)

9 Smart manufacturing controls (no need to know these by heart, only to understand them)

• Policies
  o Security by design
    - Security measures which should be applied from the very beginning of product development
  o Privacy by design
    - Security measures related to privacy and protection of personal data. These measures should be applied from the first stages of product development
  o Asset management
    - Security measures regarding asset discovery, administration, monitoring and maintenance
  o Risk and threat management
    - Security measures regarding the recommended approach to the process of risk and threat management adapted to the Industry 4.0 environment
• Organizational practices
  o Endpoints lifecycle
    - Security measures related to security at different stages of the product lifecycle, including the procurement process, supply chain, handover phase, exploitation and end-of-life
  o Security architecture
    - Security measures regarding the architecture-based approach and establishment of a security architecture
  o Incident handling
    - Security measures regarding the detection of and response to incidents that may occur in Industry 4.0 environments
  o Vulnerabilities management
    - Security measures on the vulnerability management process, related activities and vulnerability disclosure
  o Training and awareness
    - Security measures regarding the recommended approach to security training and raising awareness of employees working with IIoT devices and systems
  o Third party management
    - Security measures related to third party management and control of third party access
• Technical practices
  o Trust and integrity management
    - Security measures that can help ensure the integrity and trustworthiness of data and devices
  o Cloud security
    - Security measures regarding various security aspects of cloud computing
  o Business continuity and recovery
    - Security measures regarding the development, testing and reviewing of the company's plan to ensure resilience and continuity of operations in the event of security incidents
  o Machine to machine security
    - Security measures regarding key storage, encryption, input validation and protection in machine-to-machine communications
  o Data protection
    - Security measures regarding protection of confidential data on various levels of an organisation and management of access to data
  o Software / firmware updates
    - Security measures regarding verification, testing and execution of patches
  o Access control
    - Security measures regarding the control of remote access, authentication, privileges, accounts and physical access
  o Networks, protocols, encryption
    - Security measures that can help ensure security of communication through proper protocol implementation, encryption and network segmentation
  o Monitoring and auditing
    - Security measures regarding network traffic and availability monitoring, log collection and reviews
  o Configuration management
    - Security measures regarding security configuration, management of changes in configuration, device hardening and backup verification

10 Security failure

• Threat
  o is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service
• Vulnerability
  o is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
• Predisposing condition
  o is a condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation
• Likelihood of occurrence
  o a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities)
• Level of impact from a threat event
  o the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability

11 ISSRM domain model

• ISSRM
  o Information System Security Risk Management
  o This domain model is the result of a literature review: risk management standards, risk management methods, security standards and security frameworks
• Risk → determined by event and impact
  o Consequence → better choice of word than impact
  o Impact is when your car hits a tree. Consequence is that you are dead
• Threat event consists of
  o Threat
  o Vulnerability
• Threat consists of
  o Threat agent/actor
  o Attack method
• Impact → linked to assets (IS or business)
• Security criterion → certain group of risks
  o For example CIA
• The risk treatment decides to treat a given risk. This leads to a security requirement implemented with a control
• Vulnerability → weakness
• Segmentation → important part of network security

12 Risk

• Impact * likelihood
• Determining risk → 3 approaches
  o Likelihood * impact
    - although very high level and incomplete, it is doable; you estimate the likelihood, you estimate the impact and done
  o Likelihood is the combination of three factors
    - Threat
    - Asset
    - Vulnerability
  o FAIR
• 3 elements necessary and sufficient for a successful attack
  o System susceptibility
  o Threat accessibility
  o Threat capability

13 Risk management, risk assessment

• Risk management
  o a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measures and the enforced security policy
• Risk assessment
  o executed at discrete time points (e.g., once a year, on demand, etc.) and, until the performance of the next assessment, provides a temporary view of assessed risks while parameterizing the entire risk management process
• Risk analysis
  o the quantification of the risk

14 ISMS

• ISMS (Information Security Management System)
  o a critical output of information security management
  o ≠ a system
  o = an organized approach to managing sensitive business information so that it remains secure
  o a set of information security rules, responsibilities, and controls
• 6 steps
  o Definition of security policy
  o Definition of ISMS scope
  o Risk assessment (as part of risk management)
  o Risk management
  o Selection of appropriate controls
  o Statement of applicability
• Risk assessment and management process = Risk management
  o comprise the heart of the ISMS and are the processes that "transform", on the one hand, the rules and guidelines of the security policy and the targets, and on the other hand the objectives of the ISMS into specific plans for the implementation of controls and mechanisms that aim at minimizing threats and vulnerabilities

15 Risk management processes

• Risk management
  o the process, distinct from risk assessment, of weighing policy alternatives in consultation with interested parties, considering risk assessment and other legitimate factors, and selecting appropriate prevention and control options
• Definition of scope
  o Process for the establishment of global parameters for the performance of risk management within an organization (internal and external factors)
• Risk assessment
  o A scientific and technologically based process consisting of three steps: risk identification, risk analysis and risk evaluation
• Risk treatment
  o Process of selection and implementation of measures to modify risk
    - Can include avoiding, optimizing, transferring or retaining risk
• Risk communication
  o A process to exchange or share information about risk between the decision-maker and other stakeholders inside and outside an organization (e.g. departments and outsourcers respectively)
• Monitor and review
  o A process for measuring the efficiency and effectiveness of the organization's risk management processes is the establishment of an ongoing monitor and review process
• Risk acceptance
  o Decision to accept a risk by the responsible management of the organization

16 FAIR risk taxonomy

• Identify the various aspects of "risk"
  o transform the abstract notion into more concrete ones: FAIR and Allegro are two examples of this
• Quantify risk elements
  o Emphasis on how to obtain a number
    - Allegro also specifies this; other methods in this section are DREAD, CWSS and OWASP
• FAIR
  o Factor Analysis of Information Risk
• Risk → estimates the probable frequency and magnitude of future loss
  o 2 components
    - Frequency and loss magnitude
• Loss Event Frequency (LEF)
  o the probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset
  o In order for a loss event to occur → a threat agent has to act upon an asset, such that loss results
    - Leads to the next 2 factors → Threat Event Frequency (TEF) and Vulnerability (Vuln)
• Threat Event Frequency (TEF)
  o the probable frequency, within a given timeframe, that a threat agent will act against an asset
  o 2 factors drive TEF
    - Contact Frequency and Probability of Action
• Contact Frequency (CF)
  o the probable frequency, within a given timeframe, that a threat agent will come into contact with an asset. There are three types of contact:
    - Random
    - Regular
    - Intentional
• Probability of Action (PoA)
  o the probability that a threat agent will act against an asset once contact occurs
  o the probability that an intentional act will take place is driven by three primary factors:
    - Value
    - Level of effort
    - Risk of detection / capture
• Vulnerability (Vuln)
  o the probability that a threat event will become a loss event
  o 2 primary factors drive vulnerability
    - Threat Capability (TCap) and Resistance Strength (RS)
• Threat Capability (TCap)
  o the probable level of force that a threat agent is capable of applying against an asset
• Resistance Strength (RS)
  o the strength of a control as compared to a baseline measure of force
• Loss Magnitude (LM)
  o the probable magnitude of loss resulting from a loss event
  o Loss flow
    - a structured decomposition of how losses materialize when an event occurs
    - incorporates:
      · A threat agent acts against an asset.
      · This event affects the primary stakeholder in terms of productivity loss, response costs, etc. This is considered the primary component of the loss event.
      · Sometimes this initial event also has an effect on secondary stakeholders, such as customers, regulators, media, etc.
      · The reactions of the secondary stakeholders may, in turn, act as new threat agents against the organization's assets (such as reputation, legal fees, etc.) which, of course, affects the primary stakeholder. This is referred to as the secondary component of the loss event.
• First phase: Primary Loss
  o occurs directly as a result of the threat agent's action upon the asset
  o Productivity, Response, and Replacement are generally the forms of loss experienced as Primary Loss
  o The other 3 forms of loss → only occur as Primary Loss when the threat agent is directly responsible for those losses
• Second phase: Secondary Loss
  o occurs as a result of secondary stakeholders (e.g., customers, stockholders, regulators, etc.) reacting negatively to the primary event
  o 2 primary components
    - Secondary Loss Event Frequency (SLEF)
    - Secondary Loss Magnitude (SLM)
• Secondary Loss Event Frequency
  o allows the analyst to estimate the percentage of time a scenario is expected to have secondary effects
• Secondary Loss Magnitude
  o represents the losses that are expected to materialize from dealing with secondary stakeholder reactions (e.g., fines and judgments, loss of market share, etc.)
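The FAIR tree above (CF and PoA → TEF, TCap vs RS → Vuln, TEF × Vuln → LEF, primary loss plus SLEF × SLM → LM, LEF × LM → risk) worked through in code, as an added example that is not part of the course notes or of the FAIR standard. The scenario figures are invented, the Monte Carlo treatment with triangular estimates is this example's own simplification, and the control step illustrates the inherent vs residual risk distinction of section 33.

```python
"""Worked FAIR decomposition: risk = LEF x LM, LEF = TEF x Vuln, TEF = CF x PoA.

Constructed example; the numbers are invented and the Monte Carlo treatment is
this example's own simplification, not FAIR's official tooling.
"""
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate as a triangular distribution (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: a threat agent acting against one asset over one year."""
    contact_frequency: Estimate         # CF: contacts per year
    probability_of_action: Estimate     # PoA: 0..1, chance a contact becomes an attempt
    threat_capability: Estimate         # TCap: percentile of force the agent can apply (0..100)
    resistance_strength: Estimate       # RS: percentile of force the control withstands (0..100)
    primary_loss: Estimate              # productivity + response + replacement, per loss event
    secondary_loss_frequency: Estimate  # SLEF: share of loss events with secondary effects (0..1)
    secondary_loss_magnitude: Estimate  # SLM: fines, judgments, lost market share, per event


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over the FAIR tree; returns the expected value of each factor."""
    rng = random.Random(seed)
    tef_s, lef_s, lm_s, risk_s = [], [], [], []
    vulnerable_trials = 0
    for _ in range(trials):
        # TEF = CF x PoA: how often the agent actually acts against the asset
        tef = scenario.contact_frequency.sample(rng) * scenario.probability_of_action.sample(rng)
        # Vuln: a threat event becomes a loss event when TCap exceeds RS in this trial
        vulnerable = scenario.threat_capability.sample(rng) > scenario.resistance_strength.sample(rng)
        vulnerable_trials += vulnerable
        lef = tef if vulnerable else 0.0
        # LM = primary loss + expected secondary loss (SLEF x SLM)
        lm = (scenario.primary_loss.sample(rng)
              + scenario.secondary_loss_frequency.sample(rng)
              * scenario.secondary_loss_magnitude.sample(rng))
        tef_s.append(tef)
        lef_s.append(lef)
        lm_s.append(lm)
        risk_s.append(lef * lm)
    return {
        "tef": mean(tef_s),
        "vuln": vulnerable_trials / trials,
        "lef": mean(lef_s),
        "lm": mean(lm_s),
        "risk": mean(risk_s),  # annualized expected loss = LEF x LM
    }


# Constructed scenario: an internet-facing admin interface with a weak password policy.
INHERENT = Scenario(
    contact_frequency=Estimate(50, 120, 300),
    probability_of_action=Estimate(0.2, 0.4, 0.7),
    threat_capability=Estimate(40, 65, 95),
    resistance_strength=Estimate(30, 45, 60),
    primary_loss=Estimate(20_000, 60_000, 150_000),
    secondary_loss_frequency=Estimate(0.1, 0.3, 0.6),
    secondary_loss_magnitude=Estimate(50_000, 200_000, 800_000),
)


def with_control(scenario: Scenario, new_rs: Estimate) -> Scenario:
    """Residual-risk view: a vulnerability-reducing control raises RS and nothing else."""
    return replace(scenario, resistance_strength=new_rs)


# Control (assumed): phishing-resistant MFA moves RS above most of the threat community.
RESIDUAL = with_control(INHERENT, Estimate(85, 92, 99))


def risk_reduction(before: Scenario, after: Scenario) -> float:
    """Fraction of annualized risk removed by the control (same seed for both runs)."""
    b, a = simulate(before)["risk"], simulate(after)["risk"]
    return 1.0 - a / b if b else 0.0


if __name__ == "__main__":
    for label, s in (("inherent", INHERENT), ("residual", RESIDUAL)):
        r = simulate(s)
        print(f"{label:9s} TEF={r['tef']:7.1f}/yr Vuln={r['vuln']:.2f} "
              f"LEF={r['lef']:6.1f}/yr LM={r['lm']:10,.0f} risk={r['risk']:12,.0f}/yr")
    print(f"control removes {risk_reduction(INHERENT, RESIDUAL):.0%} of annualized risk")
```

Because RS is the percentile of the threat community a control withstands, raising RS changes Vuln and therefore LEF, while LM is untouched: the output makes that factor-by-factor effect visible instead of a single risk score.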

17 FAIR control categories

• Avoidance
  o Firewall filters
  o Physical barriers
  o The relocation of assets
  o The reduction of threat populations (e.g., reducing the number of personnel who are given legitimate access to assets)
• Deterrent controls
  o Policies
  o Logging and monitoring
  o Enforcement practices
  o Asset "hardening" (e.g., many threat actors are opportunistic in nature and will gravitate toward easier targets, rather than targets that are perceived to be difficult)
  o Physical obstacles (e.g., external lights on buildings, barbed-wire fencing, etc.)
• Vulnerability controls
  o Authentication
  o Access privileges
  o Patching
  o Some configuration settings
• Response controls
  o Back-up and restore media and processes
  o Forensics capabilities
  o Incident response processes
  o Credit monitoring for persons whose private information has been compromised

18 OCTAVE: another method

• FAIR is the most extensive method in decomposing the risk element into more tangible components. Other risk management methods emphasize the processes and subprocesses to perform but do not do such a good job for the core element, i.e., risk. OCTAVE is one of them

19 Graphical representation of threat trees

• Threat trees
  o The threat scenario derived from your areas of concern corresponds to a branch on these threat trees

20 Risk rating OCTAVE Allegro

• OCTAVE Allegro approach
  o investigates how to perform risk rating. Most methods give very limited guidance on actual rating

21 DREAD for risk rating

• DREAD
  o Damage
    - Assessing the damage that could result from a security attack is obviously a critical part of threat modelling
  o Reproducibility
    - a measure of how often a specified type of attack will succeed
  o Exploitability
    - assesses the effort and expertise that are required to mount an attack
  o Affected users
    - The number of users that could be affected by an attack is another important factor in assessing a threat
  o Discoverability
    - the likelihood that a threat will be exploited

22 Example of the use of DREAD

23 CWRAF: Common Weakness Risk Analysis Framework

• MITRE → created CWRAF
  o Risk analysis framework based on the CWEs (weaknesses)
  o CWSS
    - Rating aspect of the CWRAF
• Vulnerabilities
  o specific problem points with specific software versions
• Weaknesses
  o more general concepts that can cause problems
  o Weaknesses are a generalization of vulnerabilities
• CWE
  o Common Weakness Enumeration
• CVE
  o Common Vulnerabilities Enumeration
• CWE and CVE are the lists of weaknesses / vulnerabilities
• CVSS
  o the well-known scoring system for vulnerabilities
• CWSS
  o the similar scoring system for weaknesses
• CWSS → organized into 3 metric groups
  o Base Finding
    - captures the inherent risk of the weakness, confidence in the accuracy of the finding, and strength of controls
  o Attack Surface
    - the barriers that an attacker must overcome in order to exploit the weakness
  o Environmental
    - characteristics of the weakness that are specific to a particular environment or operational context

24 OWASP risk rating methodology

• Another risk rating methodology
• The likelihood consists of threat agent factors and vulnerability factors. The impact consists of technical impact and business impact

25 The Facilitated Risk Analysis and Assessment Process (FRAAP)

• used for risk analysis and assessment in a pure business context and not just in information security
• FRAAP is also a very complete method

26 Risk assessment in a less formal way

• Risk assessment → often done in a less detailed way → with risk = impact * likelihood and documentation of why we assess impact and likelihood in a given way
• Quantitative or qualitative risk assessment methodology?

27 Likelihood scale and risk scale

• high impact / low probability → higher rating than low impact / high probability

28 Cost benefit analysis of security controls

• Risk analysis → not the end
  o You not only need to know what the highest risk levels are, you should compare these to the costs to mitigate them. This is called a cost benefit analysis
  o Concepts → SLE, AV, EF, ARO, ALE, CBA, ACS, ROSI
• To decide whether you should make an investment in some safeguard, you need to consider the economic cost and the economic benefit
• Economic benefit
  o is the estimation of the avoided cost or of the reduced loss of certain assets
  o In theory, the optimal point is when cost and benefit are equal
  o Cost is accurate. Benefit is an estimation
• The paper "The Economics of Information Security Investment" by Gordon and Loeb states that in most cases you should never spend more than 37% of the cost you are trying to prevent, and in most cases the limit is even 25%.
• The ROSI values in these cases are (1 - 0.37) and (1 - 0.25)
• QuERIES methodology
  o This theory says that based on a cost benefit analysis of the attacker (how much will he spend to hack you), you might conclude that you need to be able to protect your assets for 1000 hours
• Conclusion
  o is again that your security budget should not be too close to the benefit you calculate
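The cost benefit concepts listed above (AV, EF, SLE, ARO, ALE, ACS, CBA, ROSI) chained together for one asset and several candidate safeguards, with the 37% Gordon and Loeb ceiling applied as a check; this is an added example, not part of the course notes. The formulas are the textbook definitions (SLE = AV × EF, ALE = SLE × ARO, CBA = ALE reduction − ACS, ROSI = CBA / ACS), which the notes name but do not spell out, and all figures are invented.

```python
"""Cost-benefit analysis of security controls: SLE, ALE, CBA, ROSI and the Gordon-Loeb ceiling.

Constructed example with invented figures. Formulas are the textbook ones:
SLE = AV x EF, ALE = SLE x ARO, CBA = ALE reduction - ACS, ROSI = CBA / ACS.
"""
from dataclasses import dataclass

# Gordon and Loeb: spend no more than 37% of the expected loss you are trying to prevent.
GORDON_LOEB_CEILING = 0.37


@dataclass(frozen=True)
class Exposure:
    asset_value: float       # AV: value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float       # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year at this exposure."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # ACS: annual cost of the safeguard (licences, staff, ...)
    residual: Exposure       # exposure that remains once the safeguard is in place


@dataclass(frozen=True)
class Appraisal:
    name: str
    benefit: float           # ALE before - ALE after (avoided loss, an estimate)
    cba: float               # benefit - ACS
    rosi: float              # (benefit - ACS) / ACS
    spend_ratio: float       # ACS / ALE before, compared with the Gordon-Loeb ceiling
    within_ceiling: bool


def appraise(before: Exposure, safeguard: Safeguard) -> Appraisal:
    """Economic benefit vs economic cost of one safeguard against the baseline exposure."""
    benefit = before.ale() - safeguard.residual.ale()
    cba = benefit - safeguard.annual_cost
    rosi = cba / safeguard.annual_cost
    ratio = safeguard.annual_cost / before.ale()
    return Appraisal(safeguard.name, benefit, cba, rosi, ratio, ratio <= GORDON_LOEB_CEILING)


def rank(before: Exposure, options: list) -> list:
    """Options with a positive net benefit, best ROSI first; ceiling breaches are flagged, not dropped."""
    appraisals = [appraise(before, s) for s in options]
    return sorted((a for a in appraisals if a.cba > 0), key=lambda a: a.rosi, reverse=True)


# Constructed case: a customer database worth 500 000, 40% of its value lost per breach,
# one breach every two years.
BASELINE = Exposure(asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)

OPTIONS = [
    # Fewer breaches: hardening and monitoring cut ARO from 0.5 to 0.1
    Safeguard("monitoring + hardening", 30_000, Exposure(500_000, 0.4, 0.1)),
    # Fewer still, but expensive: managed detection cuts ARO to 0.05
    Safeguard("managed detection", 45_000, Exposure(500_000, 0.4, 0.05)),
    # Smaller breaches: field-level encryption lowers EF from 0.4 to 0.3, ARO unchanged
    Safeguard("field-level encryption", 10_000, Exposure(500_000, 0.3, 0.5)),
]

if __name__ == "__main__":
    print(f"SLE={BASELINE.sle():,.0f}  ALE={BASELINE.ale():,.0f}")
    for a in rank(BASELINE, OPTIONS):
        flag = "" if a.within_ceiling else "  (exceeds 37% ceiling)"
        print(f"{a.name:24s} benefit={a.benefit:8,.0f} CBA={a.cba:8,.0f} ROSI={a.rosi:5.2f}{flag}")
```

The managed detection option has the largest avoided loss but the lowest ROSI and breaches the ceiling, which is the point of the section: the budget should not sit too close to the benefit you estimate.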

29 Cost elements of cybercrime

• Examples of indirect economic costs of cybercrime
  o include loss of trust in online banking, leading to reduced revenues from transaction fees and higher costs for maintaining branch staff; sales foregone by online retailers when their fraud engines cause them to decline shopping baskets; reduced uptake by citizens of electronic services, whether from companies or governments; cancelled operations due to online medical services being unavailable; and efforts to clean up machines infected with botnet malware
• difference between cybercrime cost and cybercrime income for the cybercriminals
• Malware often uses PPI (pay-per-install)
  o mechanism for distribution as a way of transferring money to the malware developers
• If you really want to do something about cybercrime, society should solve the problem of near-complete impunity for cybercriminals

30 Cost of cybercrime: some data

• (with the highest net value: technology savings minus technology spend). Threat intelligence, AI/machine learning, advanced identity and access management, behaviour analytics and cryptography are the most promising technologies.

31 Total cost of cybercrime

• How can you improve your cybersecurity, based on this formula
  o Total attempted breaches
    - Reduce the number of attempted breaches: this is not possible
  o Successful breach ratio
    - Stop more attacks
  o Days to detect and fix an attack of damage type i
    - Reduce the number of days for detecting the attack
  o Days to detect and fix an attack of damage type i
    - Reduce the number of days for fixing the attack
  o Daily cost of an attack of damage type i
    - Lower the impact of a breach
  o Proportion of attacks of damage type i
    - we assume this is fixed, but by lowering the impact of a breach, this is also improved

32 Risk control strategies

• Avoidance
  o the risk control strategy that attempts to prevent the exploitation of the vulnerability
  o accomplished through:
    - Application of policy
    - Application of training and education
    - Countering threats
    - Implementation of technical security controls and safeguards
• Transference
  o the control approach that attempts to shift the risk to other assets, other processes, or other organizations (cyber insurance or outsourcing)
  o accomplished by
    - rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers
• Mitigation
  o the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability
  o Includes 3 types of plans
    - the disaster recovery plan (DRP)
    - incident response plan (IRP)
    - business continuity plan (BCP)
• Acceptance
  o Acceptance of risk is the choice to do nothing to protect an information asset and to accept the outcome from any resulting exploitation

33 Inherent and residual risk

• Inherent risk
  o based on estimates of impact and likelihood in the absence of controls
• Residual risk
  o a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards

34 Risk map

• Risk map
  o shows the two-dimensional representation of risk (impact and likelihood) and the typical mitigation strategies and where these strategies fit in this two-dimensional space
• Segregation of duties (SOD)
  o making sure that you have distinct roles in your organization to decide on submitting a request, ordering it, and paying for it

35 Document and communicate the risk assessment

• Cover the complete message in the communication: who, what, when, where, why, how
• When you have decided to accept a risk, you should definitely make sure to communicate it to the board or management

36 Attacks have further consequences

• 2011 PlayStation Network outage
• On November 24, 2014, a hacker group which identified itself by the name "Guardians of Peace" leaked a release of confidential data from the film studio Sony Pictures
• 2014 JPMorgan Chase data breach
  o was a cyber-attack against the American bank JPMorgan Chase that is believed to have compromised data associated with over 83 million accounts: 76 million households (approximately two out of three households in the US) and 7 million small businesses
• In July 2015, a group calling itself "The Impact Team" stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs

37 Information security is not alone

• Governance
  o The structure, oversight and management processes which ensure the delivery of the expected benefits of technology in a controlled way to help enhance the long-term sustainable success of the enterprise
• Risk management
  o the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities (not limited to information security risks)
• Audits
  o are performed to ascertain the validity and reliability of information; also to provide an assessment of a system's internal control
  o The goal of an audit is to express an opinion on the person / organization / system (etc.) in question, under evaluation based on work done on a test basis
• Compliance
  o has to do with conforming to a rule, such as a specification, policy, standard or law
• Cybersecurity
  o A measure of a system's ability to resist unauthorized attempts at usage or behaviour modification, while still providing service to legitimate users
• All comes down to asset protection