opexxx

Document Type	Policy - Mandatory
Document ID
Audience	All employees
Confidentiality	For internal use
Language	English
Applies to
Version
Owner
Author

opexxx

1	Has the board and executive expressed their support for a risk management programme?
2	Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/ strategy?
3	Have you identified a person who will be responsible for implementing risk management?
4	Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5	Have you defined categories of risk relevant to your organisation and industry?
6	Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7	Is there a clear organisational strategy (or objectives) articulated for the organisation?
8	Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9	Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10	Does the organisation's consequence scale describe both financial and non-financial impacts?

opexxx

Access Control
Is Collection of mechanism that permits managers of system to exercise a directing or restraining influence over the behavior ,use and content of a system.  
Access Control Concepts
Access Control Principles
Information Classifi cation
Access Control Requirements
Access Control Categories
Access Control Types
Access Control Strategies
Identity Management

opexxx

LinkedIn Learning Courses for CISOs and DPOs
I like LinkedIn Learning and have collected the most valuable of them!

For CISOs:

 Become a Cybersecurity Professional (6h 28m) - https://www.linkedin.com/learning/paths/become-a-cybersecurity-professional
 Cybersecurity Careers: Getting Started as a CISO (46m) - https://www.linkedin.com/learning/cybersecurity-careers-getting-started-as-a-ciso
 Building an ISO 27001-Compliant Cybersecurity Program: Getting Started (1h 29m) - https://www.linkedin.com/learning/building-an-iso-27001-compliant-cybersecurity-program-getting-started
 Building an ISO 27001-Compliant Cybersecurity Program: The Annex A Controls (2h 15m) - https://www.linkedin.com/learning/building-an-iso-27001-compliant-cybersecurity-program-the-annex-a-controls
 Implementing an Information Security Program (2h 33m) - https://www.linkedin.com/learning/implementing-an-information-security-program

opexxx

1	S	1. Management Support
2	T	Outline business case
3	T	Present business case
4	M	Management support is obtained
5	T	Initiate project
6	T	Plan project
7	S	2. Determine Scope
8	T	Determine external issues
9	T	Determine internal issues
10	T	Identify external interested parties

opexxx

The Guide describes 22 best practices for mitigating insider threat based on the CERT Division's continued research and analysis of more than 3,000 insider threat cases.​
Best Practices

1. Know and Protect Your Critical Assets
2. Develop a Formalized Insider Risk Management Program (IRMP)
3. Clearly Document and Consistently Enforce Administrative Controls
4. Beginning With the Hiring Process, Monitor and Respond to Suspicious or Disruptive Behavior
5. Anticipate and Manage Negative Issues in the Work Environment
6. Consider Threats From Insiders and Trusted External Entities in Enterprise-Wide Risk Assessments
7. Be Especially Vigilant Regarding Social Media

opexxx

Auf dem Weg zur Arbeit
Am Arbeitsplatz
Incident Reporting
Auf dem Weg nach Hause
Geschäftsreise / Bahn / ÖVM
Klassifizierung von Daten
Verschlüsselung (SMIME/PGP/SecureFileShare) bzw. sicherer Datentransfer
Sichere Passwörter
Clear Desk Policy
AUP /Compliance (copyright, software beschaffung und lizenzen)

opexxx

Eigentum des Unternehmens:
Ich bestätige, dass ich am oder vor meinem letzten Arbeitstag alle in meinem Besitz befindlichen Gegenstände und Geräte an das Unternehmen zurückgeben werde.
zurückgeben werde, unabhängig davon, wo sie sich befinden, einschließlich, aber nicht beschränkt auf alle Akten, Dokumente und alle Kopien
in jeglicher Form (auch elektronisch), Handbücher und Bedienungsanleitungen, Kunden- und Mitarbeiterlisten usw,
usw., Computerausrüstung einschließlich Laptops, Flash-Laufwerke, Drucker usw., Software, Faxgeräte,
Kreditkarten, Telefonkarten, Mobiltelefone, Blackberrys oder andere PDAs, Tür- und/oder Schreibtischschlüssel,
Sicherheitsausweise, Passwörter, Token, Kraftfahrzeuge und sonstiges Eigentum des Unternehmens in meinem Besitz an einen
Vertreter des Unternehmens. Mir ist bekannt, dass es mir nicht gestattet ist, Firmeneigentum, einschließlich
Kopien von Dokumenten, in irgendeiner Form aufzubewahren oder vervielfältigen.

opexxx

A. Risk Assessment and Treatment	
A.1	Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? If so, does it include:
A.1.1	A risk assessment, conducted within the last 12 months?
A.1.2	Risk Governance?
A.1.3	Range of assets to include: people, processes, data and technology?
A.1.4	Range of threats to include: malicious, natural, accidental, business changes (transaction volume)?
A.1.5	Risk scoping?
A.1.6	Risk context?
A.1.7	Risk training plan?
A.1.8	Risk evaluation criteria?

opexxx

#run elevated pwsh
 
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
 
refreshenv
 
cinst ooniprobe
 
while($true) {
ooniprobe run all