INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012


Information Security & Risk Management

This chapter presents the following:

- Security management responsibilities
- Difference between administrative, technical, and physical controls
- Three main security principles
- Risk management and risk analysis
- Security policies
- Information classification
- Security-awareness training

Security Management

Security management includes: risk management / risk analysis, information security policies and procedures, standards, guidelines, baselines, information classification, security organization, and security education.

The objective of security, and of a security program, is to protect the company and its assets.

Security Management

Process of security management (a continuous cycle):

1. Risk assessment and determination of need
2. Implementation of policies and controls to address the identified risks
3. Promoting awareness
4. Monitoring and evaluation of systems and practices, followed by continuous re-evaluation

Is risk management a one-time activity? No: the cycle repeats as the environment changes.

Security Management

Are the risks in mainframes and PCs similar? Consider functionality and connectivity. What about the required controls?

Based on the risk assessment, which of the following is more critical: computers, data, physical buildings, or factory equipment?

Security Management

“Security is more than just a firewall and a router with an access list; these systems must be managed, and a big part of security is managing the actions of users and the procedures they follow.”

Security Management Responsibilities

Okay, who is in charge and why?

Security Management Responsibilities

Security management’s functions involve determining scope and objectives, policies, priorities, and strategies.

Business equation = Productivity + Information security

Again, whose responsibility is this? The IT administrator’s? The highest levels of management? Both IT and management?

Security Management Responsibilities

Management’s responsibility is to provide:

- Protection for the resources it is responsible for, and for the company overall: human, capital, hardware, information, etc.
- Funding to support security initiatives. Strategic representatives should participate in the security program.
- Assignment of roles and responsibilities to get the security program off the ground and to keep it evolving as the environment changes.
- Integration of the program into the current business environment, and monitoring of its accomplishments.

Management’s support is one of the most important pieces of a security program.

Security Management Responsibilities

- Identification and valuation of the company’s assets
- Risk analysis and assessments: identify vulnerabilities and exposure rate; rank the severity of identified vulnerabilities
- Classification of data
- Implementation of security policies to provide integrity, confidentiality, and availability for those assets

Security Administration and Supporting Controls

Security Officer - directly responsible for development and monitoring of the security program.

Information Owners - dictate which users can access their resources and what those users can do with those resources. Usually a senior executive within the management group of the company, or the head of a specific department.

Corporate responsibility for data protection: if the information owner does not lay out the foundation of data protection and ensure the directives are being enforced, she would be violating the due care concept.

Security Administrator - makes sure these objectives are implemented.

The following controls should be utilized to achieve management’s security directives (figure 3.1):

- Administrative controls
- Technical controls (also called logical controls)
- Physical controls

Security Administration and Supporting Controls


Fundamental Principle of Security

Now, what are we trying to accomplish again? The AIC (or CIA) triad!

Fundamental Principle of Security

Availability

Emergency! I can’t get to my data! Response: Turn the computer on!

Fundamental Principle of Security

Integrity: assurance of the accuracy and reliability of the information; any unauthorized modification is prevented.

Fundamental Principle of Security

Confidentiality

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

Security Definitions

Define the following, based on prior knowledge:

- Vulnerability
- Threat
- Risk
- Exposure
- Countermeasure (controls)

Relationship between different Security Components

Security Frameworks

What are the Security Standards and Frameworks?

Security Frameworks

- Control Objectives for Information and related Technology (CobiT)
- ISO/IEC 27001 – Information Security Management System (ISMS)
- Information Technology Infrastructure Library (ITIL)

Security Frameworks

ISO 27001:2005 – Information Security Management System, Annex A control areas:

- Information Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Security Program Development

A continuous life cycle described in the following steps:

1. Plan and organize: risk assessment and determination of need.
2. Implement: implementation of policies and controls to address the identified risks.
3. Operate and maintain: promoting awareness.
4. Monitor and evaluate: monitoring and evaluation of systems and practices.

Security Program Development

Identify and relate the following to the stages of the life cycle:

- Establish management commitment.
- Carry out a risk assessment.
- Develop security architectures at an organizational, application, and network level.
- Assign roles and responsibilities.
- Develop and implement security policies, procedures, and guidelines.
- Asset identification and management.
- Follow procedures to ensure all baselines are met as required.
- Carry out internal and external audits.
- Manage service level agreements.
- Review logs, audit results, and SLAs.
- Assess goal accomplishments.

Information Risk Management

“The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.”

Risks to a company come in different forms, and they are not all computer related.

Information Risk Management

Organizations should be aware of the following major risk categories and prioritize them accordingly:

- Physical damage - fire, water, vandalism, power loss, and natural disasters
- Human interaction - accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction - failure of systems and peripheral devices
- Inside and outside attacks - hacking, cracking, and attacking
- Misuse of data - sharing trade secrets, fraud, espionage, and theft
- Loss of data - intentional or unintentional loss of information through destructive means
- Application error - computation errors, input errors, and buffer overflows

Risk Analysis

A risk analysis has four main goals / steps:

1. Identify assets and their value to the organization.
2. Identify vulnerabilities and threats.
3. Quantify the probability and business impact of these potential threats.
4. Provide controls (a balance between the impact of the threat and the cost of the countermeasure).

The Value of Information and Assets

Based on the CIA triad. The qualitative approach will be used in class: categorization of impact as HIGH, MEDIUM, and LOW, and valuation of assets as High, Medium, and Low.

The quantitative approach is also used in industry to assign value to assets, considering:

- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to owners and users
- Operational activities affected if the asset is unavailable
- Usefulness and role of the asset in the organization

Workshop 1

Identify information Assets

Assets Valuation

Threats and Vulnerability

Difference between threat and vulnerability?

Examples???

Relate threat and vulnerability?

Identification of Threats & Vulnerabilities

Many types of threat agents can take advantage of several types of vulnerabilities, resulting in a variety of specific threats. What are the threats for an IT environment?

Protection Mechanisms (Controls)

Identify the current security mechanisms and evaluate their effectiveness. Each threat type must be addressed and planned for individually:

- Access control mechanisms
- Software applications and data malfunction
- Site location, fire protection, site construction, power loss, and equipment malfunctions
- Telecommunication and networking issues
- Business continuity and disaster recovery

Controls Selection

A control should be cost-effective (its benefit outweighs its cost):

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

where ALE is the annualized loss expectancy. For example, if the ALE of the threat of a hacker bringing down a web server is $12,000 prior to implementing the suggested safeguard, $3,000 after implementing it, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $12,000 – $3,000 – $650 = $8,350 each year. A negative result means the safeguard costs more per year than the risk it removes, so it should not be selected on cost grounds.

Workshop 2

Putting it all Together

Total Risk vs Residual Risk total risk – countermeasures = residual risk
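The safeguard-value arithmetic from the controls selection slide and the total versus residual risk relation above, carried through in code so that several candidate controls can be compared on one threat and residual risk summed over a register. This is an added example, not material from the slides or the course: the SLE = AV × EF and ALE = SLE × ARO definitions are the standard quantitative ones (the slides only name ALE), the Threat and Safeguard classes and the idea of a safeguard scaling ARO or EF are this example's own modelling choice, and every asset value, exposure factor and cost is constructed to reproduce the $12,000 / $3,000 / $650 figures.

```python
"""Quantitative risk analysis: ALE, safeguard value, total vs residual risk.

Definitions used (standard quantitative risk analysis; the slides give only
the safeguard-value line):
    SLE = AV * EF                       single loss expectancy
    ALE = SLE * ARO                     annualized loss expectancy
    value of safeguard = ALE_before - ALE_after - annual cost of safeguard
    residual risk = the ALE that remains after the chosen safeguards
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # AV: value of the asset exposed to this threat
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0..1
    aro: float               # ARO: expected occurrences per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control modelled (this example's assumption) as scaling ARO and/or EF.

    aro_factor < 1 means the control makes the event rarer (e.g. patching);
    ef_factor  < 1 means it makes each event cheaper (e.g. backups, standby).
    """
    name: str
    annual_cost: float        # amortized purchase plus operation and maintenance
    aro_factor: float = 1.0   # residual ARO = ARO * aro_factor
    ef_factor: float = 1.0    # residual EF  = EF  * ef_factor

    def residual_ale(self, t: Threat) -> float:
        residual_ef = t.exposure_factor * self.ef_factor
        residual_aro = t.aro * self.aro_factor
        return t.asset_value * residual_ef * residual_aro

    def value(self, t: Threat) -> float:
        # (ALE before) - (ALE after) - (annual cost of safeguard)
        return t.ale() - self.residual_ale(t) - self.annual_cost


def rank_safeguards(t: Threat, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Keep only cost-effective candidates (value > 0), best value first."""
    scored = [(s.name, round(s.value(t), 2)) for s in candidates if s.value(t) > 0]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def total_and_residual(register: List[Tuple[Threat, Optional[Safeguard]]]) -> Tuple[float, float]:
    """Total risk (sum of ALE) versus residual risk after the chosen safeguards.

    A threat paired with None is accepted as-is and contributes its full ALE.
    """
    total = sum(t.ale() for t, _ in register)
    residual = sum(s.residual_ale(t) if s else t.ale() for t, s in register)
    return round(total, 2), round(residual, 2)


# Constructed sample data: chosen so the web-server threat has ALE 12,000,
# matching the slide's example (AV 24,000 x EF 0.5 = SLE 12,000; ARO 1/yr).
WEB_SERVER_OUTAGE = Threat("hacker brings down web server", 24_000, 0.5, 1.0)

CANDIDATES = [
    # Cuts ARO to a quarter: residual ALE 3,000, annual cost 650 -> value 8,350
    Safeguard("patching and perimeter rule review", 650, aro_factor=0.25),
    # Halves loss per event instead: residual ALE 6,000 -> value 12,000-6,000-2,000 = 4,000
    Safeguard("warm standby server", 2_000, ef_factor=0.5),
    # Removes the risk entirely but costs more than the risk: value -3,000, rejected
    Safeguard("fully redundant hosted platform", 15_000, aro_factor=0.0),
]

# A second, accepted threat to show the register arithmetic (constructed).
LAPTOP_THEFT = Threat("laptop theft", 2_000, 1.0, 0.5)  # ALE 1,000

REGISTER = [(WEB_SERVER_OUTAGE, CANDIDATES[0]), (LAPTOP_THEFT, None)]


if __name__ == "__main__":
    for name, value in rank_safeguards(WEB_SERVER_OUTAGE, CANDIDATES):
        print(f"{name}: value ${value:,.0f}/year")
    total, residual = total_and_residual(REGISTER)
    print(f"total risk ${total:,.0f}/year, residual risk ${residual:,.0f}/year")
```

The ranking deliberately drops the option with the largest risk reduction because its annual cost exceeds the ALE it eliminates, which is the "benefit outweighs cost" test stated on the slide. Real registers also carry qualitative inputs (the High/Medium/Low valuations used in class); the numeric model above only applies once asset values and occurrence rates have been estimated.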

Handling the Risk

Now, which risk do we handle? The residual risk.

Risk management options: Avoid, Reduce, Transfer, Accept.

Policies, Standards, Baselines, and Procedures

Security Policy - an overall general statement produced by senior management that dictates what role security plays within the organization.

Standards - mandatory activities, actions, or rules. They give a policy its support and reinforcement in direction. They can be internal or external (government laws and regulations).

Baselines - define the minimum level of protection required.

Procedures - detailed step-by-step tasks that should be performed to achieve a certain goal.

Information Classification

Security-Awareness Training

- Security trends and risk awareness
- Communication of policies and procedures
- Expected responsibilities and acceptable behaviors
- Legal actions in case of non-compliance; etc.

Summary

End of Chapter 2

Thank You
