CIA Triangle
Confidentiality
Integrity
Availability
Authentication (e.g., methods of authentication, multi-factor authentication (MFA))
Methods of authentication
Multi-factor authentication (MFA)
Non-repudiation
Example: online purchase transactions or activity logs
Privacy
EU GDPR
HIPAA
US State Privacy Laws
Personally Identifiable Information (PII)
Risk management (e.g., risk priorities, risk tolerance)
Asset
Vulnerability
Threat
Decision Making on Risk Priorities
Risk identification, assessment and treatment
Risk Identification
Takeaways:
Security professionals: assist in risk assessment at the system level (process, control, monitoring, or incident response and recovery).
Smaller orgs, or orgs that lack a risk management and mitigation plan: an opportunity for the security professional to fill that void.
Risk mitigation: evaluate the likelihood of a risk, then take the appropriate action.
Security controls are applied within the risk management process to reduce risk to an acceptable level.