1. Policy - Goals (priority among C, I, A), Responsibility (who is responsible), Commitment (org chart for security)
2. Current State - Risk analysis and what to do with new additions, Privacy Impact Assessment
3. Requirements - Who is allowed to do what? Nothing to do with mechanism
4. Recommended Controls - Mechanisms for Program, OS, Network
5. Accountability - Who is accountable for failure?
6. Timetable - Milestones, tracking progress
7. Continuing Attention - Reality is not static

The Security Planning team writes the plan; it has representatives from the CTO, IT, and the sysadmins

Business Continuity Plan is another kind of security plan - Availability

Advance planning for catastrophe - Who will be in charge, what needs to be done, who will do it

-> Arrange regular backups, stockpile supplies, train employees

Incident Response Plan - Legal issues, preserving evidence, records, public relations (speak with one voice)

Risk has probability and impact; risk exposure = probability * impact

Risk analysis:

1. Identify assets - hardware, software, data, people, documents, supplies
2. Determine vulnerabilities - come up with attacks
3. Estimate likelihood of exploitation - frequency analysis (how often has it happened in the past?)
4. Compute risk exposure - e.g. the impact of a competitor having vs. not having the data
5. Survey applicable controls - ways to control each vulnerability
6. Project savings - savings = risk exposure - cost of control - new risk exposure (the exposure remaining after the control is in place)

Physical Security

Physical Threats

Tiger teams break into the system for a price (hired to test it)

Legal protections against threats

IP kinds differ:

1. Cover different kinds of intangibles
2. Convey different rights
3. Have different durations
4. Have different registration requirements
5. But are often confused with one another

Intellectual property is non-depletable and replicable, with minimal marginal cost

IP:

1. Trade secrets - secret information
2. Trademarks - protect names, brands, domains and logos
3. Patents - inventions that are novel, useful and non-obvious
4. Copyrights - limited protection of the expression of ideas

Canada has more specific copyright laws than the US; Canada has an exhaustive fair dealing law.

P2P downloading of songs is arguably legal in Canada, but uploading likely still is not.

July 2012 - The Supreme Court of Canada determined that copying teaching materials was fair dealing

1998 - The US passed the Digital Millennium Copyright Act (DMCA)

As of 2012, Canada has similar restrictions

Circumventing a digital lock does not carry significant penalties

Computer Crime

Early laws were bizarre - stolen data was valued at no more than the paper it was printed on

Computer forensics replaces regular forensics

Worse, computer crime is international

Bill C-13, the "cyberbullying" law, is really a lawful access law

UK RIP Act (Regulation of Investigatory Powers) - a full backdoor

Full disclosure - publish the full details of the leak, giving vendors an incentive to fix the problem

Responsible disclosure - give the vendor thirty days to fix the problem before publishing

Attacks:

| Attack | Description | Solution |
|---|---|---|
| Replay | | |
| Reaction | | |
| Tracker | | |
| Port Scanning | | |
| Phishing | | |
| MITM | | |