INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.


Page 1

INFORMATION SECURITY & RISK MANAGEMENT

SZABIST – Spring 2012

Page 2

Information Security & Risk Management

This chapter presents the following:

- Security management responsibilities
- Difference between administrative, technical, and physical controls
- Three main security principles
- Risk management and risk analysis
- Security policies
- Information classification
- Security-awareness training

Page 3

Security Management

Security management includes: risk management / risk analysis, information security policies and procedures, standards, guidelines, baselines, information classification, security organization, and security education.

The objective of security, and of a security program, is to protect the company and its assets.

Page 4

Security Management

Process of security management (a continuous cycle):

1. Risk assessment and determination of need
2. Implementation of policies and controls to address the identified risks
3. Promoting awareness
4. Monitoring and evaluation of systems and practices

Continuous evaluation: the cycle repeats.

Is risk management a one-time activity?

Page 5

Security Management

Are the risks in mainframes and PCs similar? Consider functionality and connectivity. What about the required controls?

Based on the risk assessment, which of the following is more critical?
- Computers
- Data
- Physical buildings
- Factory equipment

Page 6

Security Management

“Security is more than just a firewall and a router with an access list; these systems must be managed, and a big part of security is managing the actions of users and the procedures they follow.”

Page 7

Security Management Responsibilities

Okay, who is in charge and why?

Page 8

Security Management Responsibilities

Security management’s functions involve determining: scope and objectives, policies, priorities, and strategies.

Business Equation = Productivity + Information security

Again, whose responsibility is this?
- The IT administrator’s?
- The highest levels of management?
- Both IT and management?

Page 9

Security Management Responsibilities

Management’s responsibility is to provide:
- Protection for the resources it is responsible for (human, capital, hardware, information, etc.) and for the company overall.
- Funding to support security initiatives.
- Strategic representatives who participate in the security program.
- Assignment of roles and responsibilities to get the security program off the ground and to keep it evolving as the environment changes.
- Integration of the program into the current business environment, and monitoring of its accomplishments.

Management’s support is one of the most important pieces of a security program.

Page 10

Security Management Responsibilities

- Identification and valuation of the company’s assets.
- Risk analysis and assessments: identify vulnerabilities and exposure rate; rank the severity of identified vulnerabilities.
- Classification of data.
- Implementation of security policies to provide integrity, confidentiality, and availability for those assets.

Page 11

Security Administration and Supporting Controls

- Security Officer: directly responsible for development and monitoring of the security program.
- Information Owners: dictate which users can access their resources and what those users can do with those resources. Usually a senior executive within the management group of the company, or the head of a specific department.
- Corporate responsibility for data protection: if the information owner does not lay out the foundation of data protection and ensure the directives are being enforced, she would be violating the due care concept.

Page 12

Security Administration and Supporting Controls

- Security Administrator: makes sure these objectives are implemented.

The following controls should be utilized to achieve management’s security directives (figure 3.1):
- Administrative controls
- Technical controls (also called logical controls)
- Physical controls

Page 13

Security Administration and Supporting Controls

Page 14

Fundamental Principle of Security

Now, what are we trying to accomplish again?

The AIC or CIA triad!!!

Page 15

Fundamental Principle of Security

Availability

Emergency! I can’t get to my data! Response: Turn the computer on!

Page 16

Fundamental Principle of Security

Integrity: assurance of the accuracy and reliability of the information; any unauthorized modification is prevented.

Page 17

Fundamental Principle of Security

Confidentiality

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

Page 18

Security Definitions

Define the following, based on prior knowledge:
- Vulnerability
- Threat
- Risk
- Exposure
- Countermeasure (controls)

Page 19

Relationship between different Security Components

Page 20

Security Frameworks

What are the Security Standards and Frameworks?

Page 21

Security Frameworks

- Control Objectives for Information and related Technology (CobiT)
- ISO/IEC 27001 – Information Security Management System (ISMS)
- Information Technology Infrastructure Library (ITIL)

Page 22

Security Frameworks

ISO 27001:2005 – Information Security Management System
- Information Security Policy
- Organization of Information Security
- Access Controls
- Communications and Operations Management
- Asset Management
- Physical and Environmental Security
- Systems Acquisition, Development and Maintenance
- Human Resource Security
- Business Continuity Management
- Compliance

Page 23

Security Program Development

A continuous life cycle described in the following steps, each paired with the corresponding step of the security management process:

1. Plan and organize: risk assessment and determination of need.
2. Implement: implementation of policies and controls to address the identified risks.
3. Operate and maintain: promoting awareness.
4. Monitor and evaluate: monitoring and evaluation of systems and practices.

Page 24

Security Program Development

Identify and relate the following to the stages of the life cycle:
- Establish management commitment.
- Carry out a risk assessment.
- Develop security architectures at an organizational, application, and network level.
- Assign roles and responsibilities.
- Develop and implement security policies, procedures, and guidelines.
- Asset identification and management.
- Follow procedures to ensure all baselines are met as required.
- Carry out internal and external audits.
- Manage service level agreements.
- Review logs, audit results, and SLAs.
- Assess goal accomplishments.

Page 25

Information Risk Management

“The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.”

Risks to a company come in different forms, and they are not all computer related.

Page 26

Information Risk Management

Organizations should be aware of the following major risk categories and prioritize them accordingly:
- Physical damage: fire, water, vandalism, power loss, and natural disasters
- Human interaction: accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction: failure of systems and peripheral devices
- Inside and outside attacks: hacking, cracking, and attacking
- Misuse of data: sharing trade secrets, fraud, espionage, and theft
- Loss of data: intentional or unintentional loss of information through destructive means
- Application error: computation errors, input errors, and buffer overflows

Page 27

Risk Analysis

A risk analysis has four main goals / steps:

1. Identify assets and their value to the organization.
2. Identify vulnerabilities and threats.
3. Quantify the probability and business impact of these potential threats.
4. Provide controls (a balance between the impact of the threat and the cost of the countermeasure).

Page 28

The Value of Information and Assets

Based on the CIA triad. The qualitative approach will be used in class:
- Categorization in HIGH, MEDIUM, and LOW
- Valuation of assets in High, Medium, and Low

A quantitative approach is also used in industry to assign value to assets, considering:
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to owners and users
- Operational activities affected if the asset is unavailable
- Usefulness and role of the asset in the organization
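The qualitative approach above, worked through in code. This is an added example and not part of the lecture slides: it values assets and rates each threat/vulnerability pair as HIGH, MEDIUM or LOW, then derives a risk level from a 3x3 likelihood x impact matrix so the register can be prioritized (the third step of the risk analysis on the earlier slide). The matrix buckets, the RiskItem fields and the register entries are assumptions constructed for the example; the slides only name the three levels.

```python
"""Qualitative risk rating for the class workshop (added example).

Each asset is valued HIGH / MEDIUM / LOW on the CIA triad, each threat-vulnerability
pair is rated for likelihood and business impact on the same scale, and a risk
level is derived from a 3x3 likelihood x impact matrix. The matrix thresholds are
a common convention assumed here; the slides only name the three levels.
"""
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: str    # HIGH / MEDIUM / LOW from the CIA-based asset valuation
    threat: str         # the agent or event that could cause harm
    vulnerability: str  # the weakness the threat would exploit
    likelihood: str     # HIGH / MEDIUM / LOW: chance the threat exploits the vulnerability
    impact: str         # HIGH / MEDIUM / LOW: business impact if it does


def level_score(level: str) -> int:
    """Map a HIGH/MEDIUM/LOW label (any case) to 3/2/1; reject anything else."""
    try:
        return LEVELS[level.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; use HIGH, MEDIUM or LOW") from None


def rate_risk(likelihood: str, impact: str) -> str:
    """Risk = likelihood x impact on a 3x3 matrix (scores 1..9).
    Assumed buckets: 1-2 -> LOW, 3-4 -> MEDIUM, 6-9 -> HIGH."""
    score = level_score(likelihood) * level_score(impact)
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def prioritize(items):
    """Return (risk_level, item) pairs, highest risk first; ties are broken by
    asset value so the most valuable assets surface first within a level."""
    rated = [(rate_risk(i.likelihood, i.impact), i) for i in items]
    rated.sort(key=lambda r: (LEVELS[r[0]], level_score(r[1].asset_value)), reverse=True)
    return rated


# Constructed register entries for illustration; not from the slides.
SAMPLE_REGISTER = [
    RiskItem("Customer database", "HIGH", "External attacker", "Unpatched web server", "MEDIUM", "HIGH"),
    RiskItem("Office printers", "LOW", "Equipment malfunction", "Aging hardware", "HIGH", "LOW"),
    RiskItem("Payroll files", "HIGH", "Insider misuse", "Shared administrator account", "LOW", "HIGH"),
    RiskItem("Public website", "MEDIUM", "Power loss", "Single power feed", "LOW", "LOW"),
]

if __name__ == "__main__":
    for level, item in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {item.asset:18} value={item.asset_value:6} "
              f"threat={item.threat} / {item.vulnerability}")
```

Note that a frequent but low-impact failure (the printers) and a rare but high-impact one (payroll misuse) land in the same MEDIUM bucket; the asset value tie-break is what pushes the payroll files ahead, which is the point of valuing assets before rating threats.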

Page 29

Workshop 1

Identify information assets

Asset valuation

Page 30

Threats and Vulnerability

What is the difference between a threat and a vulnerability?

Examples?

How are threat and vulnerability related?

Page 31

Identification of Threats & Vulnerabilities

Many types of threat agents can take advantage of several types of vulnerabilities, resulting in a variety of specific threats. What are the threats to an IT environment?

Page 32

Protection Mechanisms (Controls)

Identify the current security mechanisms and evaluate their effectiveness. Each threat type must be addressed and planned for individually:
- Access control mechanisms
- Software applications and data malfunction
- Site location, fire protection, site construction, power loss, and equipment malfunctions
- Telecommunication and networking issues
- Business continuity and disaster recovery

Page 33

Controls Selection

A control should be cost-effective (its benefit outweighs its cost):

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

For example, if the ALE of the threat of a hacker bringing down a web server is $12,000 prior to implementing the suggested safeguard, and the ALE is $3,000 after implementing the safeguard, while the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.
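The safeguard value formula above, as an added example in Python (not from the slides). It reproduces the $8,350 calculation and goes one step further than the slide by deriving ALE from SLE x ARO, the standard quantitative definition that the slide takes as given. The candidate safeguards and their figures are constructed for illustration, and the ranking helper only orders the options; the decision stays with the analyst.

```python
"""Cost-benefit check for a candidate safeguard (added example).

Implements the slide's formula
    value of safeguard = ALE before - ALE after - annual cost of safeguard
and derives ALE from its standard quantitative definition ALE = SLE x ARO
(single loss expectancy times annualized rate of occurrence).
"""


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. Inputs must be non-negative; ARO may be fractional
    (for example 0.25 for an event expected once every four years)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a safeguard to the company; a negative result means the
    safeguard costs more per year than the loss it avoids."""
    if ale_after > ale_before:
        raise ValueError("a safeguard should not raise the expected annual loss")
    return ale_before - ale_after - annual_cost


def is_cost_effective(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """The slide's test: the benefit must outweigh the cost, i.e. value > 0."""
    return safeguard_value(ale_before, ale_after, annual_cost) > 0


def rank_safeguards(ale_before: float, candidates: dict) -> list:
    """candidates maps a safeguard name to (ALE after, annual cost).
    Returns [(name, value)] sorted best first."""
    ranked = [(name, safeguard_value(ale_before, after, cost))
              for name, (after, cost) in candidates.items()]
    ranked.sort(key=lambda nv: nv[1], reverse=True)
    return ranked


# Constructed candidates for the slide's web-server scenario (not from the slide).
SAMPLE_ALE_BEFORE = 12_000.0
SAMPLE_CANDIDATES = {
    "Patching plus web application firewall": (3_000.0, 650.0),
    "Fully outsourced hosting with SLA": (1_000.0, 12_000.0),
    "Do nothing (accept the risk)": (12_000.0, 0.0),
}

if __name__ == "__main__":
    for name, value in rank_safeguards(SAMPLE_ALE_BEFORE, SAMPLE_CANDIDATES):
        verdict = "cost-effective" if value > 0 else "not worth it"
        print(f"{name:40} ${value:>10,.2f}/year  {verdict}")
```

The outsourced option reduces the expected loss the most but is still the worst choice on this measure, which is why the slide's formula subtracts the safeguard's own annual cost rather than comparing ALE figures alone.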

Page 34

Workshop 2

Page 35

Putting It All Together

Total risk vs. residual risk:

total risk – countermeasures = residual risk

Page 36

Handling the Risk

Now, which risk do we handle? The residual risk.

How is the risk managed?
- Avoid
- Reduce
- Transfer
- Accept

Page 37

Policies, Standards, Baselines, and Procedures

- Security Policy: an overall general statement produced by senior management that dictates what role security plays within the organization.
- Standards: mandatory activities, actions, or rules. They give a policy its support and reinforcement in direction, and can be internal or external (government laws and regulations).
- Baselines: define the minimum level of protection required.
- Procedures: detailed step-by-step tasks that should be performed to achieve a certain goal.

Page 38

Information Classification

Page 39

Security-Awareness Training

- Security trends and risk awareness
- Communication of policies and procedures
- Expected responsibilities and acceptable behaviors
- Legal actions in case of non-compliance; etc.

Page 40

Summary

Page 41

End of Chapter 2

Thank You