...
ITANA-Security Architecture Wisconsin v2.ppt
Should there even be a Security Architecture? Shouldn't security be embedded in all of the groups and users? When Stefan started in 2001, he was always asked "Why?" about security items. Why do I need to use a firewall? Why should I have logging turned on? He set out a set of principles:
• Security is Everyone's Responsibility
• Security is Part of the Development Life Cycle
• Security is Asset Management (classifying the information)
• Security is a Common Understanding
We have a five step process for doing a risk assessment. First we agree to the assessment scope, then conduct the assessment, develop a draft report, communicate the findings, then re-assess as needed.
Risk = (Impact X Likelihood) / (Mitigation Controls)
Impact is related to costs. How do you monetize reputation? You can ask how much you would spend to prevent this from happening. This is a Risk Prioritization process.
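The prioritization step above, worked through as an added example (not from the notes or the Wisconsin deck): each finding's impact is the monetized "what would you spend to prevent this" figure, likelihood is a probability over the assessment period, and the divisor is a control-strength factor where 1.0 means no mitigating controls. The factor scale and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    name: str
    impact_usd: float      # monetised impact: what you would spend to prevent it
    likelihood: float      # probability of occurrence over the assessment period, 0..1
    control_factor: float  # mitigating-control strength (assumed scale): 1.0 = none, 2.0 = halves exposure


def risk_score(f: Finding) -> float:
    """Risk = (Impact x Likelihood) / (Mitigation Controls).

    A factor below 1.0 would *raise* risk, and 0 would divide by zero; neither is
    a meaningful control value, so both are rejected rather than silently scored.
    """
    if not 0.0 <= f.likelihood <= 1.0:
        raise ValueError(f"{f.name}: likelihood must be in [0, 1]")
    if f.control_factor < 1.0:
        raise ValueError(f"{f.name}: control factor must be >= 1.0 (1.0 = no controls)")
    return (f.impact_usd * f.likelihood) / f.control_factor


def prioritize(findings: Iterable[Finding]) -> List[Tuple[str, float]]:
    """Return (name, risk) pairs, highest risk first: the ordering the draft report follows."""
    scored = [(f.name, risk_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings; the numbers are illustrative, not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("no firewall on lab subnet", impact_usd=200_000, likelihood=0.5, control_factor=1.0),
    Finding("logging disabled on auth servers", impact_usd=500_000, likelihood=0.3, control_factor=2.0),
    Finding("unclassified research data on shared drive", impact_usd=1_000_000, likelihood=0.1, control_factor=4.0),
]

if __name__ == "__main__":
    # Note that the highest-impact finding ranks last once likelihood and controls are applied.
    for name, risk in prioritize(SAMPLE_FINDINGS):
        print(f"{risk:>12,.0f}  {name}")
```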
How do you balance the security principles against the development principles (scalability et al.)?
...