Syllabus - Security Assessment and Risk Analysis (IO - 503 (A))
CSE-IOT/IOT
Security Assessment and Risk Analysis (IO - 503 (A))
V-Semester
Unit I
SECURITY BASICS
Information Security (INFOSEC) Overview: critical information characteristics – availability; information states – processing; security countermeasures – education, training and awareness; critical information characteristics – confidentiality; critical information characteristics – integrity; information states – storage; information states – transmission; security countermeasures – policy, procedures and practices; threats; vulnerabilities.
Unit II
Threats to and Vulnerabilities of Systems
Threats, major categories of threats (e.g., fraud, Hostile Intelligence Service (HOIS)). Countermeasures: assessments (e.g., surveys, inspections). Concepts of Risk Management: consequences (e.g., corrective action, risk assessment), cost/benefit analysis and implementation of controls, monitoring the efficiency and effectiveness of controls (e.g., unauthorized or inadvertent disclosure of information).
Unit III
Security Planning
Directives and procedures for policy mechanism. Contingency Planning/Disaster Recovery: agency response procedures and continuity of operations, contingency plan components, determination of backup requirements, development of plans for recovery actions after a disruptive event.
Unit IV
Personnel Security Practices and Procedures
Access authorization/verification (need-to-know), contractors, employee clearances, position sensitivity, security training and awareness, systems maintenance personnel.
Auditing and Monitoring
Conducting security reviews, effectiveness of security programs, investigation of security breaches, privacy review of accountability controls, review of audit trails and logs.
Unit V
Operations Security (OPSEC)
OPSEC surveys/OPSEC planning. INFOSEC: computer security – audit, cryptography – encryption (e.g., point-to-point, network, link). Case study of threat and vulnerability assessment.
Course Objective
Describe the concepts of risk management in information security. Define and differentiate various Contingency Planning components. Define and be able to discuss incident response options, and design an Incident Response Plan for sustained organizational operations.
Course Outcome
- To apply contingency strategies, including data backup and recovery and alternate site selection, for business resumption planning.
- To be able to describe the escalation process from incident to disaster in case of a security disaster.
- To design a Disaster Recovery Plan for sustained organizational operations.
Practicals
Reference Books
- Information Systems Security, 2nd ed.: Security Management, Metrics, Frameworks and Best Practices, Nina Godbole, John Wiley & Sons.
- Principles of Incident Response and Disaster Recovery, Whitman & Mattord, Course Technology, ISBN: 141883663X.