7/28/2019 Information Security Governance and Risk Management.docx
Information Security Governance and Risk Management
Confidentiality - prevent unauthorized disclosure of sensitive information (sector where it dominates: national defense)
Integrity - prevent unauthorized modification of systems and information (sector where it dominates: banking)
Availability - prevent disruption of service and productivity (sector where it dominates: e-commerce)
ISO/IEC 17799 (since renamed ISO/IEC 27002) and ISO/IEC 27001 control areas (the 27001 Annex A list mirrors the 17799/27002 clauses exactly)
Security policy
Organizing information Security
Asset management
Human Resources Security
Physical and Environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
Plan Do Check Act (PDCA) model - security is an ongoing process and is never "achieved"
Plan - define objectives and controls
Do - implement the controls
Check - monitor and review their effectiveness
Act - correct and improve, then start the cycle again
Due care and due diligence
Due care - doing the right thing to protect assets (acting on what is known), e.g. updating antivirus signatures
Mnemonic: D C = "do correct"
Due diligence - investigating the actual threats and risks before acting, e.g. installing antivirus after researching the need for it
Approach to security management
Top-down approach (the better approach)
Security practices are directed and supported at the senior management level
Advantage - senior management controls the budget, so security gets funded and enforced
Bottom-up approach
The IT department tries to implement security on its own, without senior management direction or support
Planning Horizon
Operational goals - day-to-day goals that focus on productivity and task-oriented activities
Tactical goals - mid-term goals that lay the necessary foundation to accomplish strategic goals
Strategic goals - long-term goals supported by operational and tactical goals
Risk management process
Risk identification
Risk analysis - qualitative or quantitative (both described below)
Risk mitigation - selecting and implementing controls (options described below)
Asset any resource that is of value
Vulnerability weakness in an asset
Threat potential danger to an asset which would be carried out by a threat agent
Loss real or perceived devaluation of an asset
Risk - likelihood of a threat agent exploiting a vulnerability, combined with the resulting business impact
Exposure - instance of being exposed to compromise
Event/exploit - instance of loss actually experienced
Control/countermeasure - a safeguard put into place to mitigate potential losses
Purpose of risk assessment
Identify what a company actually has and what its potential loss is for each and every threat recognized
To ensure that a security program is cost-effective, relevant, and appropriate for the real risks it faces
Four main goals of a risk assessment
Identify assets and their values
Identify risks
Quantify the impact of potential threats
Provide an economic balance between the impact of the risk and the cost of the countermeasure
NIST SP 800-30: Risk Assessment Activities (the nine steps of the 2002 edition)
Step 1 - System characterization
Input - hardware, software, system interfaces, data and information, people, system mission
Output - system boundary, system functions, system and data criticality, system and data sensitivity
Step 2 - Threat identification
Input - history of system attacks, data from intelligence agencies and other external sources (e.g. mass media)
Output - threat statement
Step 3 - Vulnerability identification
Input - reports from prior risk assessments, any audit comments, security requirements, security test results
Output - list of potential vulnerabilities
Step 4 - Control analysis
Input - current controls, planned controls
Output - list of current and planned controls
Step 5 - Likelihood determination
Input - threat-source motivation and capability, nature of the vulnerability, current controls
Output - likelihood rating (high, medium, low)
Step 6 - Impact analysis
Input - mission impact analysis, asset criticality assessment, data criticality, data sensitivity
Output - impact rating (high, medium, low)
Step 7 - Risk determination
Input - likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls
Output - risks and associated risk levels
Step 8 - Control recommendations
Output - recommended controls
Step 9 - Results documentation
Output - risk assessment report
Asset valuation
Cost to acquire or develop the asset
Cost to maintain and protect the asset
Value of the asset to the owners
Price others are willing to pay for the asset
Liability if the asset is compromised
Operational and productivity losses that will be suffered if the asset is unavailable
Cost to replace the asset
Data classification process
Value of data
Identified during risk analysis
Sensitivity and value of the information
Organize according to sensitivity to loss or disclosure
Decide on control
Data is segmented according to sensitivity level
Each classification of data should have different security controls
Classification criteria
Usefulness of data
Value of data
Age of data
Level of damage that could be caused if the data were disclosed, modified, or corrupted
Laws, regulations, or liability responsibility about protecting the data
Effects the data has on national security
Who should be accessing this data?
Who should be maintaining this data?
Who should be able to reproduce this data?
What data would require labels and special marking?
Data classification procedure
Identify Data Owner (part of management)
Identify Data custodian (technical person)
Develop classification criteria based on CIA
Define controls per classification
Define and document exceptions
Document how to transfer custody of the data
Declassification procedures
Security awareness program
Commercial classifications
Confidential
Private
Sensitive
Public
Military class
Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified
Quantitative analysis
Numeric and monetary value
Management generally prefers quantitative results because they are expressed in money and can be compared with the cost of controls
Qualitative
Subjective rating assigned
Intuition
Delphi method
Group decision technique in which experts submit their ratings anonymously, so that no individual or the company culture dominates the outcome
Single loss expectancy (SLE)
SLE = asset value (AV) x exposure factor (EF)
e.g. a building's value x the percentage of the building a single fire would damage
Annualized loss expectancy (ALE)
ALE = SLE x annualized rate of occurrence (ARO)
Qualitative risk analysis steps
Develop risk scenarios
Gather company subject matter experts
Work through scenario to determine outcome
Prioritize risks and threats to assets
Build consensus for best countermeasure
Types of risk
Total risk vs residual risk
Total risk - risk that exists before a countermeasure is put into place
Residual risk - risk remaining after a countermeasure is put in place
Conceptual formulas (the x sign simply means "in relation to", not literal multiplication):
threats x vulnerabilities = total risk
total risk x control gap = residual risk
Risk analysis team
Representatives from each department should be on the team
Identify company assets by interviewing individuals, reviewing documentation, and touring facilities
Identified assets must have values assigned to them
Many things go into estimating the value of an asset, not just paper value
***Ensure business managers maintain accountability for their decisions***
Threat sources
Easily identified
Fires, hackers, intruders
Not easily identified
Software flaw (buffer overflow)
Employee fraud
Potential loss
Delayed loss
Possible threats
Availability
Disaster
Failure of components
DOS attacks
Integrity
Changing accounting records or system logs
Disabling the alert mechanism in an IDS
Modifying config files
Confidentiality
Shoulder surfing
Social engineering
Interception of a message
Mitigation
Options
Reduce - avoidance, limitation, research and acknowledgment (controls that lower likelihood or impact)
Transfer - shift the financial impact to another party, e.g. insurance or outsourcing
Accept - justified when the cost to protect exceeds the asset value (more precisely, the expected loss)
Reject - ignoring the risk through ignorance or neglect; never an acceptable option
Cost-Benefit analysis formula
ALE (before countermeasure) - ALE (after countermeasure) - annual cost of countermeasure = value of the countermeasure to the company
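The quantitative chain above (SLE = AV x EF, ALE = SLE x ARO, and the cost-benefit value of a countermeasure) carried through in Python as an added worked example. It is not part of the original notes; the building value, exposure factor, ARO and the two countermeasures with their costs are constructed sample figures, and the function names are the example's own. It also applies the "accept" option from the mitigation list: when no countermeasure is worth more than it costs, the recommendation is to accept the risk.

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure cost-benefit.

Added worked example, not part of the original notes. Every figure in the
sample scenario below (asset value, exposure factor, ARO, countermeasure
costs) is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float  # yearly cost to buy, run and maintain the control
    new_ef: float       # exposure factor once the control is in place (0..1)
    new_aro: float      # annualized rate of occurrence once it is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV x EF.

    EF is the fraction of the asset's value lost in one occurrence of the
    threat (a fire expected to destroy a quarter of a building -> 0.25).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO.

    ARO is how many times per year the threat is expected to occur and may
    be fractional (one fire every ten years -> 0.1).
    """
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def countermeasure_value(asset_value: float, ef: float, aro: float,
                         cm: Countermeasure) -> float:
    """Cost-benefit: ALE(before) - ALE(after) - annual cost of countermeasure.

    Positive: the yearly saving the control buys the company.
    Negative: the control costs more than the loss it prevents.
    """
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, cm.new_ef, cm.new_aro)
    return before - after - cm.annual_cost


def rank_countermeasures(asset_value: float, ef: float, aro: float,
                         options: list[Countermeasure]) -> list[tuple[str, float]]:
    """Score every option and return (name, value) pairs, best first."""
    scored = [(cm.name, countermeasure_value(asset_value, ef, aro, cm))
              for cm in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def recommend(asset_value: float, ef: float, aro: float,
              options: list[Countermeasure]) -> str:
    """Name of the best countermeasure, or "accept" when none of them is
    worth more than it costs (the notes' accept option)."""
    ranked = rank_countermeasures(asset_value, ef, aro, options)
    if not ranked or ranked[0][1] <= 0.0:
        return "accept"
    return ranked[0][0]


# Constructed sample scenario: a $10M data-centre building, a fire expected
# to damage 25% of it, one such fire every ten years.
BUILDING_VALUE = 10_000_000.0
FIRE_EF = 0.25
FIRE_ARO = 0.1
OPTIONS = [
    Countermeasure("gas fire-suppression system", 40_000.0, 0.05, 0.1),
    Countermeasure("24x7 on-site fire crew", 230_000.0, 0.10, 0.1),
]

if __name__ == "__main__":
    print(f"SLE = {sle(BUILDING_VALUE, FIRE_EF):,.0f}")
    print(f"ALE = {ale(BUILDING_VALUE, FIRE_EF, FIRE_ARO):,.0f}")
    for name, value in rank_countermeasures(BUILDING_VALUE, FIRE_EF, FIRE_ARO, OPTIONS):
        print(f"{name}: {value:,.0f} per year")
    print("recommendation:", recommend(BUILDING_VALUE, FIRE_EF, FIRE_ARO, OPTIONS))
```

With the sample figures the SLE is 2,500,000 and the ALE 250,000 per year. The suppression system cuts the ALE to 50,000 for 40,000 a year, a net value of 160,000; the fire crew cuts it only to 100,000 at 230,000 a year, a net value of -80,000, so on its own it would be a case for accepting the risk rather than paying more than the loss avoided.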
Strategy
Control implementation
Control categories
Policies
High-level management statement of what must be protected and why; the other documents below implement it
Standards - binding
Compulsory rules that dictate how hardware and software are to be used and the expected behavior of employees
Baselines - binding
Minimum level of security that is required throughout the organization
Procedures - binding
Detailed step-by-step actions to be taken to achieve a specific task
Guidelines - non-binding
Recommended actions and operational guides for users and staff members where standards do not apply
Roles and responsibilities
Executive management
Assigned overall responsibility for the security of information
Information systems security professionals
Responsible for the design, implementation, management, and review of the organization's security policies
Data owners
Responsible for determining classification levels of the data as well as maintaining the accuracy and integrity of the data
Process owners or system owners
Responsible for ensuring that appropriate security, consistent with the organization's security policy, is embedded in their information systems
Technology providers or third-party providers
Responsible for assisting with the implementation of information security
Users
Responsible for following the procedures set out in the organization's security policy
IT system auditor
Provides independent assurance to management on the appropriateness of the security objectives
Decides whether the security policies are appropriate and comply with the organization's security objectives
Employee management policies
Termination procedures
First step is to inform all other departments that an employee is no longer to be trusted
Second step disable or delete accounts