Vulnerability

Something that represents a flaw or fragility in someone or something.

"1 Sign of becoming vulnerable. 2 Means by which something becomes susceptible or fragile in a certain situation."


Marcos Sêmola website© 2011 | www.semola.com.br | Brasil, Rio de Janeiro | London UK, Netherlands NL | ©S4P Photography
Translated by Global Translations.BR www.globaltranslations.com.br
Confidentiality

Property of information that is safe from unauthorised access and disclosure.

In other words, preserving it means guaranteeing the protection of information entrusted in confidence and guarding it against unauthorised disclosure.

Integrity

Property of information that is kept accurate, complete and up to date.

In other words, preserving it means guaranteeing that the information remains faithful to the original, or that any alteration made during processing has been authorised and controlled.

Availability

Property of information that is available to authorised agents whenever it is required.

In other words, preserving it means guaranteeing that the information will always be accessible to authorised agents.

Information Life Cycle

The life cycle of information is represented by the macro-phases through which it passes, from its creation to its disposal:

USE
STORAGE
TRANSPORT
DISPOSAL

One of the main assets in information risk models: given their involvement in the various phases of the information's life cycle and their autonomy to make decisions, they reveal their behaviour and profile when facing a situation of risk.






The most stable and lasting portion of the information risk model, given the nature of their purpose: regulating, standardising and giving guidelines on actions, responsibilities, procedures, inputs and outputs in a situation of risk.






The most dynamic portion of the information risk management model, given the speed at which they are developed and introduced in the processes of specifying, implementing, automating and maintaining security controls.







CISM - Certified Information Security Manager
The Certified Information Security Manager is the new certification from ISACA, designed specifically for experienced information security professionals. CISM is business-oriented and focused on information risk management, addressing security issues conceptually, whether they are managerial, design-related or technical. It is designed for individuals who need to maintain a global vision in order to manage, design, supervise and evaluate the security of the company's information.


CISSP - Certified Information Systems Security Professional
CISSP is the acronym for Certified Information Systems Security Professional, a professional certification issued and maintained by ISC2, founded with the objective of establishing criteria for evaluating professionals who work with information security. According to ISC2, there are more than 49,000 certified security professionals in more than 120 countries. Recently, it was designated an ANSI ISO/IEC 17024:2003 certification. The certification is based on a body of best practices established by ISC2 that has been organised into 10 domains.

ISO/IEC 27001 is a standard for information security management systems (ISMS), published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission. Its full name is ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements, better known as "ISO 27001".

ISO 17799 is the code of practice for information security management; it establishes control objectives and recommends a set of security specifications.

PCI-DSS is a global information security standard for establishments that use cards as a means of payment. Its guidelines, developed jointly by credit and debit card issuers, including Visa, MasterCard and American Express, must be respected by organisations associated with the credit and debit card brands, processors, payment gateways and, soon, issuing banks. These requirements aim to reduce credit card fraud. Professionals can be certified as PCI QSA (Qualified Security Assessor).

There are other professional, technical and managerial certifications, among which we can highlight:

CISM Certified Information Security Manager
CISSP Certified Information Systems Security Professional
CISA Certified Information Systems Auditor
BS7799 Lead Auditor
SSCP Systems Security Certified Practitioner
PCI QSA Payment Card Industry Qualified Security Assessor
GIAC Global Information Assurance Certification
CBCP Certified Business Continuity Professional
CIA Certified Internal Auditor

There are many books that deal with risk management and information security; however, I would like to highlight the following:

• PELTIER, Thomas R. Information Security Policies and Procedures: A Practitioner's Reference. Auerbach Publications. 373p.

• KRAUSE, Micki; TIPTON, Harold F. Handbook of Information Security Management, 1999. Auerbach Publications.

• SCHNEIER, Bruce. Segurança.com: Secrets and Lies about Protection in Digital Life. Editora Campus.

Information security courses are becoming widespread in Brazil, so we have assembled a compilation of the main courses on the market.

Information Security Courses (available as PDF and XLS downloads)


Main documents:

• NBR ISO/IEC 17799. Information Technology: Code of practice for information security management. ABNT, 2002. 56p.

• DOU. Decree Law no. 3,505, which instituted the Security Policy in the Federal Administration. 13 June 2000.

• ISO/IEC JTC 1/SC 27. Glossary of IT Security Terminology. Information Technology - Security techniques. 1998.

BSI BS ISO/IEC 27001:2005 Information Security
BSI BS7799-2:2002 Information Security
BSI BS 25999 Business Continuity Management
ISO 13335 IT Security Management
ISO/IEC 17799:2000 Information Security
ISO 18044 Security Incident Management
ISO 15408 Common Criteria
ISO 12207 Software Life Cycle Processes
ISO 18028 IT Network Security
NIST SP800-53 Recommended Security Controls
ISACA COBIT
PCI QSA
OCTAVE Risk Assessment
PCI DSS Payment Card Industry Data Security Standard
Augusto Quadros Paes de Barros, CISSP
André Fucs, CISSP | Anderson Ramos, CISSP
André Machado Blog OGlobo Online
Edson Fontes, CISA, CISM
Eduardo Neves, CISSP
Francisco Milagres, CISSP
Marcos Machado
Nelson Correia, CISSP
Patrícia Peck, Advogada
Sergio Dias, MVP, CISSP
Bruce Schneier, CISSP
Wagner Elias
INFOSEC FEEDS

FERMA Federation European Risk Management Associations
IRM The Institute of Risk Management
NIC BR
CERT Computer Emergency Response Team
CERT.br Centro de Estudos e Tratamento de Incidentes Brasil
SANS System Administration, Networking, and Security
USCERT United States Computer Emergency Readiness Team
NIST
CSI Computer Security Institute
MICROSOFT Security Centre
ISA Internet Security Alliance

UNICAMP Security Team in Network Systems

ISACA Information Systems Audit and Control Association
ISC2 International Information Systems Security Certification Consortium

ISSA Information System Security Professionals BRASIL
BSI British Standards Institution
DRI Disaster Recovery Institute
BCI Business Continuity Institute
BRASSEC Brazilian Information Security
ABRAIC
IISP Institute of Information Security Professionals
CISSPs
ISM3 Information Security Management Maturity Model

Hiring Guide for Information Security Resources

ICP-Brasil ROI Institute JPhilip Methodology
Medida Provisória nº 2.200-2
CG Comitê Gestor
SecurityFocus Online
InfoGuerra
Módulo Security Solutions
SecForum
CSO Online
InfoSecurity Magazine
Xforce ISS
SECINF Glossary of Terms Network Security
ENISA European Network and Information Security Agency

Risk Management

The act of establishing and executing continuous processes for monitoring risk levels and adopting controls that eliminate vulnerabilities, remove threats and reduce the probability of a threat exploiting a given vulnerability and impacting the confidentiality, integrity and availability of information.

Risk Management Process

Risk Decision Tree


1. Reject: this option should be considered when the risk is not contemplated by the business strategy, since the cost of the control, or countermeasure, exceeds the risk or the value of the asset being protected.

2. Accept: this option should be considered when the risk is inherent to the nature and model of the business, being part of normal operations and, therefore, having been foreseen in the strategy. Choosing this option leads to a further level of analysis:

a. Avoid: this decision is based on the will and the feasibility of totally eliminating the source of a specific risk.

b. Transfer: this decision is based on a cost-benefit perspective and on the feasibility (willingness and financial capacity) of having a third party take on the risk.

c. Exploit: this decision is based on the interest in, and the possibility of, obtaining competitive advantage by increasing the exposure and the level of risk.

d. Retain: this decision is based on the interest of the business, considering cost and tolerance, in keeping the exposure and the level of risk as they are.

e. Mitigate: this decision is based on the need of the business, considering cost and tolerance, to diversify, control and reduce risks.

The Tolerance factor is decisive in defining investments that are compatible with the asset being protected and, above all, in ensuring that the level of residual risk falls within the comfort zone and is compatible with the nature of each business.

Maturity

Conceptually, we reach adequate maturity in risk management when it is no longer perceptible: when the processes are well defined and documented, offer guidance to the human agents and are ready to absorb ordinary changes to physical, technological and human assets without this producing a gross, unplanned oscillation in the level of risk.

But if the processes are interrupted, the users are dissatisfied at having to keep changing their passwords, and the CEOs ask themselves why, despite all the investment in security, they receive more spam than legitimate e-mail, then surely something is wrong.

CONCEPTS

Information Risk Management

This theme has been the object of my study and professional activity for the last few years. Given its importance to the development of society, to business continuity and to the preservation of privacy and knowledge, I thought it would be good to share some basic concepts that can guide, even if only superficially, executives, technicians and users.


Present on the Internet supporting education.
1997-2011

4 January, 2011

Threat

Something that can act, voluntarily or involuntarily, to the detriment of someone or something.

"1 Act of threatening. 2 Danger. 3 Gesture that expresses the intention to harm or cause damage."

Information

Something that is known and used as foundation when reasoning.

"1 Act or effect of informing. 2 Transmission of news. 3 Instruction, teaching. 4 Transmission of knowledge."

Risk

Objective result of the combination of the probability of occurrence of an event and its resulting impact.

"1 Possibility of an uncertain future event. 2 Danger or possibility of danger."

Impact

Result produced by a threat acting on a particular vulnerability.

"1 Loss. 2 Damage. 3 Consequence of an attack. 4 Effect. 5 Obtained result."
