vault backup: 2022-09-21 12:54:30

content/notes/14-policies-standards-practices.md

@@ -4,6 +4,9 @@ aliases:
 tags: 
 - comp210
 - lecture
+sr-due: 2022-09-24
+sr-interval: 3
+sr-ease: 250
 ---
 
 # news
@@ -30,18 +33,72 @@ provide roadmap for day-to-day operations
 	- dont often change or deteriorate when staff changes
 - evidence of quality control, internal audits etc
 
-## good policies are
+## good policies 
+are properly
 - disseminated
 - read
 - understood
 - agreed-to
 - uniformly enforced
 
+and help us to answer these questions
+- what info should be collected
+- how should it be stored
+- who is responsible for managing it
+- who can access it
+- what info should be published
+- how long should it be kept/maintained
+- when should it be discarded
+
+## example
+Revealing Information To Prospective Employee
+Policy: Information systems technical details, such as network addresses, network diagrams, and security software employed, must not be revealed to job applicants until they have signed a confidentiality agreement and also have been hired or retained
+
 # Procedures
 Defn: step by step descriptions of what employees must do to achieve a certain goal (as specified by a policy)
 
 - must be kept separate from policies
 - keeping them together will create a complex document that will (likely) not be read
 
-![policy and procedure p](https://i.imgur.com/rdQaLkh.png)
+![policy and procedure pyramid|400](https://i.imgur.com/rdQaLkh.png)
 
+# Standards
+The ISO 27000 is a global standard to build a Information Security Management System (ISMS)
+
+## ISO standards
+![iso standards chart (2013)|400](https://i.imgur.com/BjgT9lK.png)
+
+![ISO/IEC 27002:2022|400](https://i.imgur.com/zhCsjzZ.png)
+
+## IS measurement model - ISO 27004
+- monitoring
+- measurement
+- analysis
+- evaluation
+
+![IS measurement diagram|400](https://i.imgur.com/8R7vatT.png)
+![IS measurement and ISMS integration diagram|400](https://i.imgur.com/HuvV6mn.png)
+
+## Capability maturity model integration CMMI
+
+![CMMI diagram|400](https://i.imgur.com/4SseQm7.png)
+
+# Practices
+Defn: detailed and repeateable ways of complying to a standard (and to a policy)
+
+diff with procedures is that a proceduure contains a step by step method on how to complete a certain task
+
+## examples
+![id badges example|400](https://i.imgur.com/bkdXQOy.png)
+![temp badges example|400](https://i.imgur.com/Y13IGfP.png)
+![badge controlled acces example|400](https://i.imgur.com/hj9gPCb.png)
+
+# Info sec audit
+- Organisation (Is there a security policy?) 
+- Employee Security Focus (Training, Recruitment) 
+- Change Management Network Security (Router/Firewall, VPN) 
+- Application Security (App Dev., Data Security) 
+- System Security (Server Vulnerability & Hardening) 
+- Identity Management (Account & Password Management) 
+- Event Management (Incident Response) 
+- Asset Security (Asset Inventory, Laptop Security, Software Management)

content/notes/comp-210.md

@@ -34,4 +34,5 @@ No final exam
 - [07-cryptography-applications](notes/07-cryptography-applications.md)
 - [8-application-security-1](notes/8-application-security-1.md)
 - [12-pen-testing](notes/12-pen-testing.md)
-
+- [13-pen-testing-2](notes/13-pen-testing-2.md)
+- [14-policies-standards-practices](notes/14-policies-standards-practices.md)