Design Requirements

Business Requirements Analysis

How do organizations know how to handle risks - security decisions, like risk assessments, need to be based off business requirements.

Use the info below to develop information to drive security decisions - like risk analysis

Inventory of assets

• Tangible - hardware, software, networks,

• Intangible - knowledge, information, intellectual property, and others

• Build list of - number, location, and type of assets

Valuation of Assets

• Understand what the true cost is in price

• or

• BIA - asset is essential for business functions

Determination of Criticality

• Senior management determines criticality

• Is the asset a SPOF?

Risk Appetite

• Risk for organization that they find acceptable

• How to handle risk

  • Accept

  • Avoid

  • Transfer

  • Mitigate

Security Considerations for Different Cloud Categories

• IAAS

  • Highly regulated industries need to determine how they will audit cloud IAAS environment, how often

  • Adapt security policy for the cloud

  • Customer can still collect event logs for environment

• PAAS

  • Customer will want to monitor events for software

  • Customer can't monitor infrastructure or OS

• SAAS

  • Customer will want to build policy for the data

  • CSP maintains access and control

• General Considerations

  • Physical Access is all on CSP

  • Customer has to relinquish control but may want to understand these:

    • Background checks

    • SubProcessor/Subcontractor checks

    • Data Center Security

    • Contract

    • Encryption

Design Principles for Protecting Sensitive Data

Hardening Devices

Encryption

Layered Defenses