  1. Governance
    1. Definitions
      1. vulnerabilities
      2. threats
      3. risk
      4. exposure
      5. control
    2. documentation
      1. policies
        1. issue specific
        2. system specific
        3. types
          1. regulatory
          2. advisory
          3. informative
      2. standards
      3. baselines
      4. guidelines
      5. procedures
    3. performance metrics
      1. balanced score cards
      2. best practices and industry standards
      3. maturity model
  2. Organisation
    1. Layers of Responsibility
      1. Board of Directors
      2. Executive Management
        1. CEO, CFO
      3. CIO
      4. CPO
      5. CSO
        1. CISO
    2. Security Steering Committee
      1. Audit committee
      2. data owner
      3. data custodian
      4. system owner
      5. security administrator
      6. security analyst
      7. application owner
      8. supervisor
      9. change control analyst
      10. data analyst
      11. process owner
      12. solution provider
      13. user
      14. product line manager
      15. auditor
    3. Personnel Security
      1. separation of duties
      2. rotation of duties
      3. collusion
        1. split knowledge
        2. dual control
      4. mandatory vacation
      5. skill set
      6. hiring practice
        1. nondisclosure agreement
        2. background checks
      7. termination
      8. awareness training
  3. Risk Management
    1. Types of Risk
      1. physical
      2. human interaction
      3. equipment malfunction
      4. inside/outside attacks
      5. misuse of data
      6. loss of data
      7. application error
    2. IRM Policy
      1. addressed items
    3. IRM Team
    4. Risk Assessment/Analysis
      1. cost/benefit
      2. project sizing
      3. risk analysis team
      4. asset value
      5. identifying vulnerabilities and threats
        1. loss potential
        2. delayed loss
        3. threat agents
      6. methodologies
        1. NIST SP800
        2. FRAP
        3. OCTAVE
        4. ISO 27005
        5. FMEA
          1. fault tree analysis
        6. CRAMM
      7. Approach
        1. quantitative
          1. SLE
          2. EF
          3. ARO
          4. ALE
        2. qualitative
          1. risk matrix
          2. Delphi
          3. DSS
        3. pros and cons
      8. handling
        1. transfer
        2. avoidance
        3. acceptance
        4. mitigation
  4. Information Classification
    1. data classification procedures
    2. classification controls
      1. access control
      2. encryption
      3. auditing/mirroring
      4. separation of duties
      5. periodic reviews
      6. backup and recovery
      7. change control
      8. physical security
      9. info flow channels
      10. disposal actions
      11. marking/labeling procedures
    3. classification levels
      1. sensitivity scheme
      2. criteria
      3. commercial
        1. confidential
        2. private
        3. sensitive
        4. public
      4. military
        1. top secret
        2. secret
        3. confidential
        4. sensitive but unclassified
        5. unclassified