Information Security Risk Management

               Principles and Requirements
                   •  Requirements: functionality (what are the
                       features?) & assurance (how well does it
                       perform those features?)
                   •  Security blueprint: best practices that form a
                       comprehensive security policy program.  A
                       security architect figures out what the
                       security needs of an organization are and
                       creates a blueprint for the staff to follow.

               Policy - Terms
                   •  Standards: hardware & software to be
                       deployed universally across organizations.
                       Standards start with the phrase “We use…”
                       as in “We use Dell laptops” or “We use
                       Norton Antivirus.”
                   •  Procedures: step by step required actions.
                   •  Baseline: minimum security implementations
                       for specific platforms or environments.
                       Baselines measure minimums as in “All our
                       PCs have 1 GB RAM” or normal as in “Our e-
                       mail server sends 1,000 e-mails per hour.”
                   •  Guidelines: recommended actions, best
                       practices or suggestions
                          •  ISO 17799/27002
                                 •  Based on British Standard (BS)
                                     7799-1