1
MANAGEMENT of INFORMATION SECURITY Second Edition
2
Learning Objectives
  • Upon completion of this chapter, you should be
    able to:
  • Select from the dominant information security
    management models, including U.S. government
    sanctioned models, and customize them for your
    organization's needs
  • Implement the fundamental elements of key
    information security management practices
  • Follow emerging trends in the certification and
    accreditation of U.S. federal IT systems

3
Introduction
  • To create or maintain a secure environment, one
    must design a working security plan and then
    implement a management model to execute and
    maintain the plan
  • This may begin with the creation or validation of
    a security framework, followed by an information
    security blueprint that describes existing
    controls and identifies other necessary security
    controls
  • A framework is the outline of the more thorough
    blueprint, which is the basis for the design,
    selection, and implementation of all subsequent
    security controls
  • Most organizations draw from established security
    models and practices to develop a blueprint or
    methodology

4
ISO/IEC 17799:2005
  • One of the most widely referenced and often
    discussed security models is Information
    Technology - Code of Practice for Information
    Security Management, which was originally
    published as British Standard BS 7799
  • The purpose is to establish guidelines and
    general principles for initiating, implementing,
    maintaining, and improving information security
    management in an organization

5
ISO/IEC 17799:2005 (continued)
  • ISO/IEC 17799:2005 is intended as a common basis
    and practical guideline for developing
    organizational security standards and effective
    security management practices, and to help build
    confidence in inter-organizational activities
  • ISO/IEC 17799:2005 replaced BS 7799-1

6
ISO/IEC 17799:2005 (continued)
  • ISO/IEC 17799:2005 has 133 possible controls, not
    all of which must be used; part of the process is
    to identify which are relevant
  • Each section includes four categories of
    information:
      • One or more objectives
      • Controls relevant to the achievement of the
        objectives
      • Implementation guidance
      • Other information

7
ISO/IEC 17799:2005 (continued)
  • Many countries, including the U.S., Germany, and
    Japan, have not adopted the model, claiming it is
    fundamentally flawed
  • The global InfoSec community has not defined any
    justification for the code of practice identified
  • The model lacks the necessary measurement
    precision of a technical standard
  • There is no reason to believe the model is more
    useful than any other approach
  • It is not as complete as other frameworks
  • It is perceived as being hurriedly prepared,
    given the tremendous impact that its adoption
    could have on industry information security
    controls

8
Figure 6-1: 17799:2005 Usability
9
SANS SCORE and ISO/IEC 17799
  • One way to determine how closely an organization
    is complying with ISO 17799 is to use the SANS
    SCORE Audit Checklist
  • The checklist provides insight into eleven
    sections of ISO/IEC 17799

10
The Eleven Sections Of ISO/IEC 17799
  • 1. Security Policy: focusing mainly on InfoSec
    policy
  • 2. Organization of InfoSec: for both the internal
    organization and external parties
  • 3. Asset Management: including responsibility for
    assets and information classification
  • 4. Human Resources Security: ranging from controls
    prior to employment, during employment, to
    termination or change of employment
  • 5. Physical and Environmental Security: including
    secure areas and equipment security

11
The Eleven Sections Of ISO/IEC 17799 (continued)
  • 6. Communications and Operations Management
      • Incorporating operational procedures and
        responsibilities
      • Third-party service delivery management
      • System planning and acceptance
      • Protection against malicious and mobile code
      • Backup
      • Network security management
      • Media handling
      • Exchange of information
      • Electronic commerce services and monitoring

12
The Eleven Sections Of ISO/IEC 17799 (continued)
  • 7. Access Control
      • Business requirement for access control
      • User access management
      • User responsibilities
      • Network access control
      • Operating system access control
      • Application and information access control
      • Mobile computing and teleworking

13
The Eleven Sections Of ISO/IEC 17799 (continued)
  • 8. Information Systems Acquisition, Development,
    and Maintenance
      • Security requirements of information systems
      • Correct processing in applications
      • Cryptographic controls
      • Security of system files
      • Security in development and support processes and
        technical vulnerability management

14
The Eleven Sections Of ISO/IEC 17799 (continued)
  • 9. Information Security Incident Management:
    addressing reporting InfoSec events and
    weaknesses and management of InfoSec incidents
    and improvements
  • 10. Business Continuity Management: InfoSec aspects
    of BCM
  • 11. Compliance
      • With legal standards
      • With security policies and standards
      • Technical compliance with information systems
        audit considerations

15
ISO/IEC 27001:2005: The InfoSec Management System
  • BS 7799-2 is the companion to BS 7799-1, and
    provides implementation details using a
    Plan-Do-Check-Act cycle

16
Figure 6-3: BS 7799-2 Plan-Do-Check-Act
17
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Plan
      • Define the scope of the ISMS
      • Define an ISMS policy
      • Define the approach to risk assessment
      • Identify the risks
      • Assess the risks
      • Identify and evaluate options for the treatment
        of risk
      • Select control objectives and controls
      • Prepare a Statement of Applicability (SOA)

18
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Do
      • Formulate a Risk Treatment Plan
      • Implement the Risk Treatment Plan
      • Implement controls
      • Implement training and awareness programs
      • Manage operations
      • Manage resources
      • Implement procedures to detect and respond to
        security incidents

19
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Check
      • Execute monitoring procedures
      • Undertake regular reviews of ISMS effectiveness
      • Review the level of residual and acceptable risk
      • Conduct internal ISMS audits
      • Undertake regular management review of the ISMS
      • Record actions and events that impact an ISMS

20
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Act
      • Implement identified improvements
      • Take corrective or preventive action
      • Apply lessons learned
      • Communicate results to interested parties
      • Ensure improvements achieve objectives

21
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • In 2005, BS 7799-2 was updated and codified as
    ISO/IEC 27001:2005, and is the foundation for
    third-party certification
  • Its major sections include:
      • Introduction
      • Scope
      • Terms and definitions
      • ISMS
      • Management responsibility
      • Management review
      • ISMS improvement

22
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Proposed use of 27001:2005
      • Use within organizations to formulate security
        requirements and objectives
      • Use within organizations as a way to ensure that
        security risks are cost-effectively managed
      • Use within organizations to ensure compliance
        with laws and regulations
      • Use within organizations as a process framework
        for the implementation and management of controls
        to ensure that the specific security objectives
        of an organization are met

23
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Proposed use of 27001:2005 (continued)
      • Definition of new InfoSec management processes
      • Identification and clarification of existing
        InfoSec management processes
      • Used by the management of organizations to
        determine the status of InfoSec management
        activities
      • Used by the internal and external auditors of
        organizations to determine the degree of
        compliance with the policies, directives, and
        standards adopted by an organization

24
ISO/IEC 27001:2005: The InfoSec Management
System (continued)
  • Proposed use of 27001:2005 (continued)
      • Used by organizations to provide relevant
        information about InfoSec policies, directives,
        standards, and procedures to trading partners and
        other organizations with whom they interact for
        operational or commercial reasons
      • Implementation of business-enabling InfoSec
      • Used by organizations to provide relevant
        information about InfoSec to customers

25
NIST Security Models
  • NIST documents have two notable advantages:
      • They are publicly available at no charge
      • They have been available for some time and thus
        have been broadly reviewed by government and
        industry professionals
  • SP 800-12, Computer Security Handbook
  • SP 800-14, Generally Accepted Security Principles
    and Practices
  • SP 800-18, Guide for Developing Security Plans
  • SP 800-26, Security Self-Assessment Guide-IT
    Systems
  • SP 800-30, Risk Management for Information
    Technology Systems

26
NIST SP 800-12: The Computer Security Handbook
  • Excellent reference and guide for the routine
    management of information security
  • Little provided on design and implementation of
    new security systems; use as a supplement to gain a
    deeper understanding of background and terminology

27
NIST SP 800-12: The Computer Security Handbook
(continued)
  • Lays out the NIST philosophy on security
    management by identifying 17 controls organized
    into three categories
  • The Management Controls section addresses
    security topics that can be characterized as
    managerial
  • The Operational Controls section addresses
    security controls that focus on controls that
    are, broadly speaking, implemented and executed
    by people (as opposed to systems)
  • The Technical Controls section focuses on
    security controls that the computer system
    executes

28
NIST Special Publication 800-14: Generally
Accepted Principles and Practices for Securing
Information Technology Systems
  • Describes best practices useful in the
    development of a security blueprint
  • Describes principles that should be integrated
    into information security processes
  • Documents 8 points and 33 principles

29
NIST Special Publication 800-14: Key Points
  • The more significant points made in NIST SP
    800-14 are:
  • Security supports the mission of the organization
  • Security is an integral element of sound
    management
  • Security should be cost-effective
  • Systems owners have security responsibilities
    outside their own organizations
  • Security responsibilities and accountability
    should be made explicit
  • Security requires a comprehensive and integrated
    approach
  • Security should be periodically reassessed
  • Security is constrained by societal factors

30
NIST Special Publication 800-14: Principles
  • Principle 1. Establish a sound security policy as
    the foundation for design
  • Principle 2. Treat security as an integral part
    of the overall system design
  • Principle 3. Clearly delineate the physical and
    logical security boundaries governed by
    associated security policies
  • Principle 4. Reduce risk to an acceptable level
  • Principle 5. Assume that external systems are
    insecure

31
NIST Special Publication 800-14: Principles
(continued)
  • Principle 6. Identify potential trade-offs
    between reducing risk and increased costs and
    decreases in other aspects of operational
    effectiveness
  • Principle 7. Implement layered security (Ensure
    no single point of vulnerability)
  • Principle 8. Implement tailored system security
    measures to meet organizational security goals
  • Principle 9. Strive for simplicity

32
NIST Special Publication 800-14: Principles
(continued)
  • Principle 10. Design and operate an IT system to
    limit vulnerability and to be resilient in
    response
  • Principle 11. Minimize the system elements to be
    trusted
  • Principle 12. Implement security through a
    combination of measures distributed physically
    and logically
  • Principle 13. Provide assurance that the system
    is, and continues to be, resilient in the face of
    expected threats
  • Principle 14. Limit or contain vulnerabilities

33
NIST Special Publication 800-14: Principles
(continued)
  • Principle 15. Formulate security measures to
    address multiple overlapping information domains
  • Principle 16. Isolate public access systems from
    mission critical resources
  • Principle 17. Use boundary mechanisms to separate
    computing systems and network infrastructures
  • Principle 18. Where possible, base security on
    open standards for portability and
    interoperability
  • Principle 19. Use common language in developing
    security requirements

34
NIST Special Publication 800-14: Principles
(continued)
  • Principle 20. Design and implement audit
    mechanisms to detect unauthorized use and to
    support incident investigations
  • Principle 21. Design security to allow for
    regular adoption of new technology, including a
    secure and logical technology upgrade process
  • Principle 22. Authenticate users and processes to
    ensure appropriate access control decisions both
    within and across domains

35
NIST Special Publication 800-14: Principles
(continued)
  • Principle 23. Use unique identities to ensure
    accountability
  • Principle 24. Implement least privilege
  • Principle 25. Do not implement unnecessary
    security mechanisms
  • Principle 26. Protect information while being
    processed, in transit, and in storage
  • Principle 27. Strive for operational ease of use
  • Principle 28. Develop and exercise contingency or
    disaster recovery procedures to ensure
    appropriate availability

36
NIST Special Publication 800-14: Principles
(continued)
  • Principle 29. Consider custom products to achieve
    adequate security
  • Principle 30. Ensure proper security in the
    shutdown or disposal of a system
  • Principle 31. Protect against all likely classes
    of attacks
  • Principle 32. Identify and prevent common errors
    and vulnerabilities
  • Principle 33. Ensure that developers are trained
    in how to develop secure software

37
NIST Special Publication 800-18: A Guide for
Developing Security Plans for Information
Technology Systems
  • Provides detailed methods for assessing,
    designing, and implementing controls and plans
    for various-sized applications
  • Serves as a guide for the activities described in
    this chapter, and for the overall information
    security planning process
  • It includes templates for major application
    security plans

38
NIST Special Publication 800-26: 17 Areas Defining
the Core of the NIST Security Management
Structure
  • Management Controls
      • Risk Management
      • Review of Security Controls
      • Life Cycle Maintenance
      • Authorization of Processing (Certification and
        Accreditation)
      • System Security Plan
  • Operational Controls
      • Personnel Security
      • Physical Security
      • Production, Input/Output Controls
      • Contingency Planning
      • Hardware and Systems Software
      • Data Integrity
      • Documentation
      • Security Awareness, Training, and Education
      • Incident Response Capability
  • Technical Controls
      • Identification and Authentication
      • Logical Access Controls
      • Audit Trails

39
NIST Special Publication 800-30: Risk Management
Guide for Information Technology Systems
  • Provides a foundation for the development of an
    effective risk management program
  • Contains both the definitions and the practical
    guidance necessary for assessing and mitigating
    risks identified within IT systems
  • Strives to enable organizations to better manage
    IT-related risks

40
RFC 2196: Site Security Handbook
  • The Security Area Working Group within the IETF
    has created RFC 2196, the Site Security Handbook,
    which provides a functional discussion of
    important security issues along with development
    and implementation details
  • Covers security policies, security technical
    architecture, security services, and security
    incident handling
  • Also includes discussion of the importance of
    security policies, and expands into an
    examination of services, access controls, and
    other relevant areas

41
Control Objectives for Information and related
Technology (COBIT)
  • Control Objectives for Information and related
    Technology (COBIT) also provides advice about the
    implementation of sound controls and control
    objectives for InfoSec
  • COBIT was created by the Information Systems
    Audit and Control Association (ISACA) and the IT
    Governance Institute (ITGI) in 1992

42
Control Objectives for Information and related
Technology (COBIT) (continued)
  • COBIT presents 34 high-level objectives that
    cover 215 control objectives; these objectives
    are categorized into four domains:
      • Plan and organize
      • Acquire and implement
      • Deliver and support
      • Monitor and evaluate

43
Control Objectives for Information and related
Technology (COBIT) (continued)
  • Plan and organize
      • Makes recommendations for achieving
        organizational goals and objectives through the
        use of IT
      • Ten controlling objectives (PO1-PO10)
  • Acquire and implement
      • Focuses on specification of requirements
      • Acquisition of needed components
      • Integration of these components into the
        organization's systems
      • Examines ongoing maintenance and change
        requirements
      • Seven controlling objectives (AI1-AI7)

44
Control Objectives for Information and related
Technology (COBIT) (continued)
  • Delivery and support
      • Focuses on the functionality of the system and
        its use to the end user
      • Examines systems applications, including input,
        processing, and output components
      • Examines processes for efficiency and
        effectiveness of operations
      • 13 high-level controlling objectives (DS1-DS13)

45
Control Objectives for Information and related
Technology (COBIT) (continued)
  • Monitor and evaluate
      • Seeks to examine the alignment between IT systems
        usage and organizational strategy
      • Identifies the regulatory requirements for which
        controls are needed
      • Monitors the effectiveness and efficiency of IT
        systems against the organizational control
        processes in the delivery and support domain
      • Four high-level controlling objectives (ME1-ME4)

46
Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
  • COSO is a U.S. private-sector initiative formed
    in 1985
  • Its major objective is to identify the factors
    that cause fraudulent financial reporting and to
    make recommendations to reduce its incidence
  • COSO has established a common definition of
    internal controls, standards and criteria, and
    helps organizations comply with critical
    regulations like Sarbanes-Oxley

47
Committee of Sponsoring Organizations of the
Treadway Commission (COSO) (continued)
  • COSO is built on five interrelated components
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

48
Security Management Practices
  • In information security, two categories of
    benchmarks are used
  • Standards of due care/due diligence
  • Best practices
  • Best practices include a subcategory of
    practices, called the gold standard, that are
    generally regarded as the best of the best

49
Standards of Due Care/Due Diligence
  • When organizations adopt minimum levels of
    security for a legal defense, they may need to
    show that they have done what any prudent
    organization would do in similar circumstances;
    this is known as a standard of due care
  • Implementing controls at this minimum standard,
    and maintaining them, demonstrates that an
    organization has performed due diligence

50
Standards of Due Care/Due Diligence (continued)
  • Due diligence requires that an organization
    ensure that the implemented standards continue to
    provide the required level of protection
  • Failure to support a standard of due care or due
    diligence can expose an organization to legal
    liability, provided it can be shown that the
    organization was negligent in its application or
    lack of application of information protection

51
Best Security Practices
  • Security efforts that seek to provide a superior
    level of performance in the protection of
    information are referred to as best business
    practices or simply best practices
  • Some organizations refer to these as recommended
    practices
  • Security efforts that are among the best in the
    industry are referred to as best security
    practices

52
Best Security Practices (continued)
  • These practices balance the need for information
    access with the need for adequate protection;
    best practices seek to provide as much security
    as possible for information and information
    systems, while demonstrating fiscal
    responsibility and ensuring information access
  • Companies with best practices may not be the best
    in every area; they may only have established an
    extremely high quality or successful security
    effort in one area

53
The Gold Standard
  • Best business practices are not sufficient for
    organizations that prefer to set the standard by
    implementing the most protective, supportive, and
    yet fiscally responsible standards they can
  • They strive toward the gold standard, a model
    level of performance that demonstrates industrial
    leadership, quality, and concern for the
    protection of information
  • The implementation of gold standard security
    requires a great deal of support, both in
    financial and personnel resources

54
Selecting Best Practices
  • Choosing which recommended practices to implement
    can pose a challenge for some organizations
  • In industries that are regulated by governmental
    agencies, government guidelines are often
    requirements
  • For other organizations, government guidelines
    are excellent sources of information and can
    inform their selection of best practices

55
Selecting Best Practices (continued)
  • When considering best practices for your
    organization, consider the following
  • Does your organization resemble the identified
    target organization of the best practice?
  • Are you in a similar industry as the target?
  • Do you face similar challenges as the target?
  • Is your organizational structure similar to the
    target?
  • Are the resources you can expend similar to those
    called for by the best practice?
  • Are you in a similar threat environment as the
    one assumed by the best practice?

56
Best Practices
  • Microsoft has published a set of best practices
    in security at its Web site
  • Use antivirus software
  • Use strong passwords
  • Verify your software security settings
  • Update product security
  • Build personal firewalls
  • Back up early and often
  • Protect against power surges and loss

57
Benchmarking and Best Practices Limitations
  • The biggest problem with benchmarking in
    information security is that organizations don't
    talk to each other; a successful attack is viewed
    as an organizational failure, and is kept secret,
    insofar as possible
  • However, more and more security administrators
    are joining professional associations and
    societies like ISSA and sharing their stories and
    lessons learned
  • An alternative to this direct dialogue is the
    publication of lessons learned

58
Baselining
  • A baseline is a value or profile of a
    performance metric against which changes in the
    performance metric can be usefully compared
  • Baselining is the process of measuring against
    established standards
  • In InfoSec, baselining is the comparison of
    security activities and events against the
    organization's future performance
  • Baselining can provide the foundation for
    internal benchmarking, as information gathered
    for an organization's first risk assessment
    becomes the baseline for future comparisons

59
Baselining Example
  • The Gartner group offers twelve questions as a
    self-assessment for best security practices
  • People
  • Do you perform background checks on all employees
    with access to sensitive data, areas, or access
    points?
  • Would the average employee recognize a security
    issue?
  • Would they choose to report it?
  • Would they know how to report it to the right
    people?

60
Baselining Example (continued)
  • Processes
  • Are enterprise security policies updated on at
    least an annual basis, employees educated on
    changes, and policies consistently enforced?
  • Does your enterprise follow a patch/update
    management and evaluation process to prioritize
    and mediate new security vulnerabilities?
  • Are the user accounts of former employees
    immediately removed on termination?
  • Are security group representatives involved in
    all stages of the project life cycle for new
    projects?

61
Baselining Example (continued)
  • Technology
  • Is every possible route to the Internet protected
    by a properly configured firewall?
  • Is sensitive data on laptops and remote systems
    encrypted?
  • Do you regularly scan your systems and networks,
    using a vulnerability analysis tool, for security
    exposures?
  • Are malicious software scanning tools deployed on
    all workstations and servers?

62
Metrics in InfoSec Management
  • When an organization applies statistical and
    quantitative approaches of mathematical analysis
    to the process of measuring the activities and
    outcomes of the InfoSec program, it is using
    InfoSec metrics
  • InfoSec metrics enable organizations to measure
    the level of effort required to meet the stated
    objectives of the InfoSec program

63
Metrics in InfoSec Management (continued)
  • Specifying InfoSec metrics requires the
    assessment and quantification of what will be
    measured
  • Collecting InfoSec metrics is daunting to some
    organizations, and requires thoughtful
    consideration of the intent of the metric, along
    with a thorough knowledge of how production
    services are delivered

64
Metrics in InfoSec Management (continued)
  • Interpreting InfoSec metrics requires both raw
    data as well as the context
  • Decisions also need to be made regarding
    presentation of correlated metrics, as well as
    color use to denote specific results
  • Disseminating InfoSec metrics requires the CISO
    to consider who gets them, as well as method of
    delivery

65
Emerging Trends In Certification and
Accreditation
  • In security management, accreditation is the
    authorization of an IT system to process, store,
    or transmit information
  • It is issued by a management official and serves
    as a means of assuring that systems are of
    adequate quality
  • It also challenges managers and technical staff
    to find the best methods to assure security,
    given technical constraints, operational
    constraints, and mission requirements

66
Emerging Trends In Certification and
Accreditation (continued)
  • Certification is the comprehensive evaluation of
    the technical and nontechnical security controls
    of an IT system to support the accreditation
    process that establishes the extent to which a
    particular design and implementation meets a set
    of specified security requirements
  • Organizations pursue accreditation or
    certification to gain a competitive advantage, or
    to provide assurance or confidence to customers

67
SP 800-37: Guidelines for Security C&A of
Federal IT Systems
  • Develops standard guidelines and procedures for
    certifying and accrediting federal IT systems
    including the critical infrastructure of the
    United States
  • Defines essential minimum security controls for
    federal IT systems
  • Promotes the development of public and private
    sector assessment organizations and certification
    of individuals capable of providing
    cost-effective, high-quality security certifications
    based on standard guidelines and procedures

68
SP 800-37: Guidelines for Security C&A of
Federal IT Systems (continued)
  • The specific benefits of the security
    certification and accreditation (C&A) initiative
    include
  • More consistent, comparable, and repeatable
    certifications of IT systems
  • More complete, reliable information for
    authorizing officials, leading to better
    understanding of complex IT systems and
    associated risks and vulnerabilities, and
    therefore, more informed decisions by management
    officials
  • Greater availability of competent security
    evaluation and assessment services
  • More secure IT systems within the federal
    government

69
Figure 6-4: Special Publications Supporting SP 800-37
70
SP 800-37: Guidelines for Security C&A of
Federal IT Systems (continued)
  • 800-37 focuses on a three-step security controls
    selection process:
      • Step 1: Characterize the system
      • Step 2: Select the appropriate minimum security
        controls for the system
      • Step 3: Adjust security controls based on system
        exposure and risk decision

71
Planned Federal System Certifications
  • Systems are to be certified to one of three
    levels
  • Security Certification Level 1 - The entry-level
    certification appropriate for low priority
    (concern) systems
  • Security Certification Level 2 - The mid-level
    certification appropriate for moderate priority
    (concern) systems
  • Security Certification Level 3 - The top-level
    certification appropriate for high priority
    (concern) systems

72
SP 800-53: Minimum Security Controls for Federal
IT Systems
  • SP 800-53 is part two of the Certification and
    Accreditation project
  • Its purpose is to establish a set of
    standardized, minimum security controls for IT
    systems addressing low, moderate, and high levels
    of concern for confidentiality, integrity, and
    availability
  • Controls are broken into the three familiar
    general classes of security controls: management,
    operational, and technical

73
SP 800-53: Minimum Security Controls for Federal
IT Systems (continued)
  • Critical elements represent important
    security-related focus areas for the system, with
    each critical element addressed by one or more
    security controls
  • As technology evolves, so will the set of
    security controls, requiring additional control
    mechanisms

74
Figure 6-5: Participants in the C&A Process
75
Summary
  • Introduction
  • Security Management Models
  • Security Management Practices
  • Emerging Trends in Certification and
    Accreditation