  1. Authentication
    1. Three factors
      1. Something you know
        1. password, PIN
      2. Something you have
        1. Smart card, token device
      3. Something you are
        1. fingerprint, voice print, iris pattern
    2. Passwords
      1. Weaknesses
        1. Chosen: easy to remember, hence easy to guess
        2. Random: too hard to remember
        3. Easily shared, written down or forgotten
        4. Can be stolen
        5. Transmitted in clear text
      2. Strong passwords
        1. 8-12 characters or more
        2. Kept secret
        3. Contains no dictionary words
        4. Not a variant of the username
        5. Combination of:
          1. Uppercase letters
          2. Lowercase letters
          3. Numbers
          4. Punctuation
    3. Biometrics
      1. Type
        1. Fingerprints
        2. Retina scans
        3. Iris scans
        4. Facial scans
        5. Palm scans
        6. Handwriting
        7. Voice
      2. Performance measurement
        1. False Rejection Rate (FRR), as a percentage
        2. False Acceptance Rate (FAR), as a percentage
        3. Crossover Error Rate (CER), as a percentage: the point where FRR equals FAR
    4. Token devices
      1. Static
      2. Dynamic
        1. synchronous
        2. asynchronous
      3. Challenge-response
  2. Access Control
    1. Subject
      1. Active entity
      2. Obtains information
      3. e.g. user, system, process
    2. Object
      1. Passive entity
      2. Provides information
      3. e.g. file, database, printer
    3. Phases
      1. Identification
        1. Claim identity
      2. Authentication
        1. Prove identity
      3. Authorization
        1. Permission
      4. Accounting
        1. audit user activity
    4. Separation of duties
      1. Audit trail
      2. Logging
      3. Supervisory review
      4. Independent review
  3. Standards
    1. SOX 404
      1. Target: publicly traded organizations
      2. Use: protect financial information
    2. HIPAA
      1. Target: healthcare/medical systems
      2. Use: protect health and patient data
    3. Basel II
      1. Target: banks
      2. Use: banking laws and regulations
    4. PCI DSS
      1. Target: card centers/banks
      2. Use: protect cardholders' information
    5. ISO 27001
      1. Information security management system standard
  4. Security Operations Management
    1. Proactive analysis
    2. System management
    3. Security device management
    4. Fault management
    5. Configuration management
    6. Reporting
    7. Security alert
    8. DDoS mitigation
    9. Security assessment
    10. Technical assistance
  5. Risk management
    1. Risk: likelihood that something bad will happen
      1. Risk = P(accident) × loss
      2. Audit risk model
        1. AR = IR × CR × DR
        2. IR = Inherent risk
        3. CR = Control risk
        4. DR = Detection risk
    2. Process
      1. Identify and estimate the value of assets
      2. Conduct threat assessment
      3. Conduct vulnerability assessment
      4. Evaluate security elements
        1. Policies
        2. Procedures
        3. Standards
      5. Calculate the impact
        1. Qualitative
        2. Quantitative
      6. Identify, select, implement controls
        1. Evaluate effectiveness
    3. Solutions
      1. Accept
      2. Mitigate
      3. Transfer
      4. Fix
  6. Authority + Responsibility + Accountability
  7. Control
    1. Administrative
      1. Preventive
        1. Avoid violations
      2. Detective
        1. Investigate violations
      3. Corrective
        1. Remedy violations
      4. Recovery
        1. Restore lost resources
    2. Logical
      1. Password
      2. Firewall
      3. IDS
      4. ACL
      5. Encryption
    3. Physical
      1. Door
      2. Lock
      3. CCTV
      4. Guard