
Questions

1. What is information security, and what are the information assets?

2. What is the name of the task or process responsible for resolving issues to minimize threats and vulnerabilities, and what are the possible ways to avoid or minimize impact on information assets?

3. What benefits can metrics offer?

4. What are the major data loss causes, and what strategic approach is used to minimize impacts?

5. Which IT governance framework proposes a ServiceDesk, and what is the purpose of the ServiceDesk?

Answers

1. How can an organization make good decisions about information risk? Risks identified, mitigated and accepted equals security.

- Information security is a business requirement.
- CIA: Confidentiality, Integrity, Availability.
- PCI, HIPAA, SOX, state privacy regulations.
- The impact of a loss of security on an organization is extreme: damage to brand and share price; direct costs; unavailable critical business processes. Business awareness of the impact is key.

Information security is not Information Technology (IT) security. It is the security of information and information assets. Information assets are: electronic information; non-electronic information; environment / infrastructure; hardware; software; physical; people; services. Keep the assets' CIA.

2. Name: Risk Management (ISO 27005).

Possible ways to avoid or minimize impact on information assets: risk analysis; risk identification; risk estimation; risk evaluation; risk reduction; risk retention; risk avoidance; risk transfer; risk acceptance; risk communication.

All assets should be accounted for and have a nominated owner. Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.

Control: All information and assets associated with information processing facilities should be owned by a designated part of the organization.

Implementation guidance: The asset owner should be responsible for:
a) ensuring that information and assets associated with information processing facilities are appropriately classified;
b) defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.

The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.

Information classification. Objective: To ensure that information receives an appropriate level of protection. Information should be classified to indicate the need, priorities and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.

3. Metrics: ISO 27004; Key Performance Indicators; choosing what to measure; collecting data.

4. Major data loss causes: hardware or system malfunctions 44%; human error 32%; software corruption 14%; computer viruses 7%; natural disasters 3%.

Strategic approach used to minimize impacts:

