Alice: Would you tell me, please, which way I ought to go from here?

The Cheshire Cat: That depends a good deal on where you want to get to.

Alice: I don’t much care where.

The Cheshire Cat: Then it doesn’t much matter which way you go.

Alice: …So long as I get somewhere.

The Cheshire Cat: Oh, you’re sure to do that, if only you walk long enough.

― Lewis Carroll, Alice in Wonderland

It’s about time for me to review my performance for the year of 2018 and plan for the coming year of 2019.

• Mission: To Inspire People to Enjoy Learning
• Vision: To be one of the most influential share points of people and knowledge in Taiwan
• Annual goals for 2019:
  • To publish a book of agile and/or CISSP for exam prep in memory of my father
  • Start a new business initiative with a long term goal to train 1000 CISSPs in Taiwan
  • Get insights to AI/machine learning with emphasis on Python

• Security Posture: synonym of security status
• Risk Posture
  • A company’s risk posture refers to its overarching cybersecurity plan – that is, its approach to keeping sensitive data safe from internal and external threats.
  • 5 Ways to Strengthen Your Organization’s Cybersecurity Risk Posture
• Threat Landscape
  • The ENISA Threat Landscape is a collection of threats. It contains identified threats, trends observed and threat agents involved. ETL consists of a list with top threats prioritized according to the frequency of appearance and NOT according to the impact caused.
  • The ENISA Threat Landscape (ETL)
• Vulnerability Landscape?
  • Vulnerabilities and the Vulnerability Landscape
• Risk Landscape?
  • Risk Landscape of Cloud Computing
• IT Risk Profile
  • a description of the overall (identified) IT risk to which the enterprise is exposed.
  • Key Elements of an Information Risk Profile
  • TechTarget: a risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.

• Enterprise Architecture [CNSSI 4009]
  The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
• Information Security Architecture
  An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security
  systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic
  plans.
• Enterprise architecture also promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations more effectively manage risk.
• The Federal Enterprise Architecture (FEA) defines a collection of interrelated reference models including Performance, Business, Service Component, Data, and Technical as well as more detailed segment and solution architectures that are derived from the enterprise architecture.
  • Organizational assets (including programs, processes, information, applications, technology, investments, personnel, and facilities) are mapped to the enterprise-level reference models to create a segment-oriented view of organizations.
  • Segments are elements of organizations describing mission areas, common/shared business services, and organization-wide services. From an investment perspective, segment architecture drives decisions for a business case or group of business cases supporting specific mission areas or common/shared services. The primary stakeholders for segment architecture are mission/business owners.
  • Following closely from segment architecture, solution architecture defines the information technology assets within organizations used to automate and improve mission/business processes. The scope of solution architecture is typically used to develop and implement all or parts of information systems or business solutions, including information security solutions. The primary stakeholders for solution architectures are information system developers and integrators, information system owners, information system/security engineers, and end users.

Source: NIST SP800-39

Links:

• Federal Enterprise Architecture (FEA)
• US IT Dashboard

• COSO Enterprise Risk Management – Integrating with Strategy and Performance
• Octave v2.0 (and Octave-S v1.0 for Small and Medium Businesses)

• CAM, Cumulus Assessment Module