1. Authority + Responsibility + Accountability
    1. Confidentiality
      1. Protection of information in a system
      2. For: military, government, commercial
      3. Rainbow series
        1. Trusted Computer System Evaluation Criteria
        2. Trusted Network Interpretation
        3. Password Management Guideline
      4. Methods
        1. Encryption
        2. Strict access control
        3. Data classification
        4. Extensive personnel training
    2. Integrity
      1. Protection of system data from unauthorized changes
      2. For: government, commercial
      3. Methods
        1. Need-to-know access
          1. Users can only access what their job requires
          2. Maximum control over access, minimum restriction on legitimate work
        2. Integrity models
          1. Prevent unauthorized users from making modifications
          2. Prevent authorized users from making improper modifications
          3. Maintain internal and external consistency of data and programs
        3. Separation of duties
        4. Job rotation
    3. Availability
      1. System is accessible whenever needed
      2. Methods
        1. Physical
          1. Fire control, backup storage
        2. Technical
          1. Fault-tolerant hardware
        3. Administrative
          1. Policies, contingency plan
  2. Human/staff
    1. Humans are the weakest element in any security solution
    2. Employment lifecycle steps
      1. Create job description
      2. Separation of duties
      3. Job responsibilities
      4. Job rotation
      5. Screening and background checks
      6. Create employment agreement
      7. Employee termination
    3. Roles
      1. Data owner
      2. User
      3. Security professional
      4. Senior manager
      5. Auditor
  3. Management
    1. Change
      1. Standardize methods and procedures to handle changes properly
      2. Implement changes in a monitored and orderly manner
      3. Formalized testing process
      4. All changes can be rolled back
      5. Users are informed of changes
      6. The effects of changes are systematically analyzed
    2. Configuration
      1. Establishing and maintaining consistency
        1. Functional attributes
        2. Physical attributes
      2. Management of security features and assurances
        1. Control of changes made to hardware, software, firmware, documentation
    3. Asset
      1. Join financial, contractual and inventory functions to support life cycle management and strategic decision making
    4. Incident
      1. Activities of an organization to identify, analyze and correct hazards
  4. Risk analysis
    1. Asset valuation
      1. Cost
      2. Value
    2. Calculating safeguard cost/benefit
    3. Threats
      1. Natural
      2. Incident
      3. Physical
    4. Risks
      1. Scenarios
        1. Threat-oriented
        2. Safeguards
        3. Rating
      2. Handling (risk response)
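The asset valuation, safeguard calculation and risk rating items above are usually worked quantitatively. The outline does not spell out the formulas, so this is an added example (not part of the original notes) using the standard quantitative risk analysis relations, taken here as an assumption: single loss expectancy SLE = asset value (AV) x exposure factor (EF), annualized loss expectancy ALE = SLE x annualized rate of occurrence (ARO), and safeguard value = ALE before - ALE after - annual cost of the safeguard. The asset, threat and safeguard figures are constructed for illustration; the example picks the safeguard that pays off most, and recommends accepting the risk when none does.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset value (AV), in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (expected events per year)

    def __post_init__(self) -> None:
        # Guard against the common input mistakes (EF given as a percentage, negative ARO).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be a fraction 0..1")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # annual cost of the safeguard (ACS): purchase, operation, training
    residual_exposure_factor: float  # EF once the safeguard is in place
    residual_aro: float              # ARO once the safeguard is in place


def single_loss_expectancy(asset: Asset, exposure_factor: float) -> float:
    """SLE = AV x EF, rounded to currency precision."""
    return round(asset.value * exposure_factor, 2)


def annualized_loss_expectancy(asset: Asset, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO, rounded to currency precision."""
    return round(single_loss_expectancy(asset, exposure_factor) * aro, 2)


def safeguard_value(asset: Asset, threat: Threat, safeguard: Safeguard) -> float:
    """Annual benefit of the safeguard: loss avoided minus what the safeguard costs.
    Negative means the safeguard costs more than the risk it removes."""
    before = annualized_loss_expectancy(asset, threat.exposure_factor, threat.aro)
    after = annualized_loss_expectancy(asset, safeguard.residual_exposure_factor, safeguard.residual_aro)
    return round(before - after - safeguard.annual_cost, 2)


def choose_safeguard(asset: Asset, threat: Threat,
                     candidates: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Return the candidate with the highest positive value, or None when no
    safeguard pays off (in which case the remaining response is to accept,
    transfer or avoid the risk rather than mitigate it)."""
    best: Optional[Safeguard] = None
    best_value = 0.0
    for candidate in candidates:
        value = safeguard_value(asset, threat, candidate)
        if value > best_value:
            best, best_value = candidate, value
    return best


# Constructed sample figures (assumption, not from any real assessment).
SERVER = Asset("customer database server", value=500_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.4, aro=0.1)
CANDIDATES = (
    Safeguard("offline backups + tested restore", annual_cost=5_000.0,
              residual_exposure_factor=0.4, residual_aro=0.02),
    Safeguard("full EDR + 24x7 SOC", annual_cost=25_000.0,
              residual_exposure_factor=0.1, residual_aro=0.01),
    Safeguard("network segmentation", annual_cost=12_000.0,
              residual_exposure_factor=0.2, residual_aro=0.05),
)


if __name__ == "__main__":
    print(f"ALE before: {annualized_loss_expectancy(SERVER, RANSOMWARE.exposure_factor, RANSOMWARE.aro):,.2f}")
    for s in CANDIDATES:
        print(f"  {s.name:<35} value/year: {safeguard_value(SERVER, RANSOMWARE, s):>12,.2f}")
    chosen = choose_safeguard(SERVER, RANSOMWARE, CANDIDATES)
    print("recommendation:", chosen.name if chosen else "accept or transfer the risk")
```

The point of the negative value on the most expensive option is the one the "calculating safeguards" item is about: a control is only justified when the loss it avoids exceeds its own annual cost, so the strongest control is not automatically the right one.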