MIS 5206 Protecting Information Assets
Protecting Information Assets - Week 5 - Risk Evaluation
MIS 5206 Week 5
• Brief intro to Team Project
• In the News
• Week 3 & 4 Material Highlights
• Risk Evaluation
• Test Taking Tip
• Quiz
Weeks 3&4: Data Classification Process and Models
Why is data classification important?
• Focuses attention on the identification and valuation of information assets
• Is the basis for access control policy and processes
Risk Evaluation
Risk evaluation is the process of identifying risk scenarios and describing their potential business impact
Risk Evaluation - Key Components
Collect Data
Identify relevant data to enable effective IT-related risk identification, analysis and reporting
Analyze Risk
Develop useful information to support risk decisions that take into account the business impact of risk factors
Maintain Risk Profile
Maintain an up-to-date and complete inventory of known risks and their attributes, as understood in the context of IT controls and business processes
Risk Evaluation - Collect Data (RE-1)
• Goal: Ensure IT-related risks and opportunities are identified, analyzed and presented in business terms
• Metric: Cumulative business impact from IT-related incidents and events not identified by risk evaluation processes
Risk Evaluation - Collect Data (RE-1)
• Process Goal: Identify relevant data to enable effective IT-related risk identification, analysis and reporting
• Process Metrics:
– # of loss events with key characteristics not captured or measured
– Degree to which collected data support:
• Analyzing scenarios and reporting trends
• Visibility and understanding of the control state
• Visibility and understanding of the threat landscape
Risk Evaluation - Collect Data (RE1)
• Activity Goals:
– Establish and maintain a risk data collection model
– Identify risk factors
– Collect data on operating environment
– Collect data on risk events
• Process Metrics:
– Existence of a documented risk data collection model
– # of data sources
– # of data items with identified risk factors
– Completeness of:
• Risk event data:
– Affected assets
– Impact data
– Threats
– Controls
– Measures of the effectiveness of controls
• Historical data on risk factors
RE1: Collect Data summary of goals and metrics
RE-1: Collect Data – Key Activities
RE1.1 Establish and maintain a model for data collection
RE1.2 Collect data on the operating environment
RE1.3 Collect data on risk events
RE1.4 Identify risk factors
Risk Evaluation - Collect Data: Roles
• Board of directors
• Chief Executive Officer (CEO)
• Chief Financial Officer (CFO)
• Chief Risk Officer (CRO)
• Enterprise Risk Committee
• Business Management
• Business Process Owner
• Risk Control Functions
• Human Resources
• Compliance and Audit
Risk Evaluation - Analyze Risk (RE2)
Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)
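An added worked example (not from the slides) that applies ALE = SLE × ARO to a few constructed risk scenarios and ranks them so the largest expected annual loss is addressed first; it also goes one step beyond the slide by valuing a safeguard as the ALE it removes minus its annual cost. All dollar figures, rates and scenario names are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # single loss expectancy: dollar loss from one occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy, ALE = SLE x ARO (the formula on the slide)."""
        if self.sle < 0 or self.aro < 0:
            raise ValueError("SLE and ARO must be non-negative")
        return self.sle * self.aro

def rank_by_ale(scenarios: List[RiskScenario]) -> List[RiskScenario]:
    """Order scenarios by expected annual loss, largest first, to prioritize protection."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)

def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost of the safeguard.
    A positive result means the control removes more expected loss than it costs."""
    return before.ale - after.ale - annual_cost

# Constructed sample scenarios; the dollar figures and rates are illustrative only.
SCENARIOS = [
    RiskScenario("Laptop theft with unencrypted customer data", sle=250_000, aro=0.5),
    RiskScenario("Phishing-led credential compromise", sle=40_000, aro=4.0),
    RiskScenario("Data-center flood", sle=2_000_000, aro=0.02),
]

# The same laptop-theft scenario after full-disk encryption: loss per event drops
# (the hardware is still lost, the data is not) while the theft rate is unchanged.
ENCRYPTED_LAPTOP = RiskScenario("Laptop theft, disk encrypted", sle=25_000, aro=0.5)
ENCRYPTION_ANNUAL_COST = 30_000  # assumed yearly cost of the encryption program

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:45s} SLE=${s.sle:>12,.0f} ARO={s.aro:<5} ALE=${s.ale:>12,.0f}")
    value = safeguard_value(SCENARIOS[0], ENCRYPTED_LAPTOP, ENCRYPTION_ANNUAL_COST)
    print(f"Annual value of laptop encryption: ${value:,.0f}")
```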
FIPS 199: Risk event impact ratings
FIPS 199: Composite IS risk event impact ratings
Example with multiple information types:
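An added example (not from the slides) of the FIPS 199 "high water mark" rule for a system that processes several information types: for each security objective (confidentiality, integrity, availability) the system takes the highest impact level of any information type it handles, and the overall system level is the highest of the three. The information types and their provisional levels are constructed for illustration, not taken from SP 800-60.

```python
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def _check(level: str) -> str:
    """Reject anything that is not one of the three FIPS 199 impact levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {sorted(LEVELS)}")
    return level

def categorize_system(info_types: dict) -> dict:
    """Apply the FIPS 199 high-water mark: for each objective the system takes the
    highest impact level assigned to any information type it processes.
    info_types maps a type name to {objective: level}."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {}
    for obj in OBJECTIVES:
        sc[obj] = max((_check(levels[obj]) for levels in info_types.values()),
                      key=LEVELS.__getitem__)
    return sc

def overall_level(sc: dict) -> str:
    """Single impact level for the system: the highest of its three objectives."""
    return max(sc.values(), key=LEVELS.__getitem__)

def format_sc(label: str, sc: dict) -> str:
    """Render in FIPS 199 notation, e.g. SC system = {(confidentiality, HIGH), ...}."""
    parts = ", ".join(f"({obj}, {sc[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"

# Constructed example: three information types with illustrative provisional levels.
SAMPLE_TYPES = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    "customer PII": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
    "payment records": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    for name, levels in SAMPLE_TYPES.items():
        print(format_sc(name, levels))
    system = categorize_system(SAMPLE_TYPES)
    print(format_sc("system", system), "->", overall_level(system).upper())
```

Note that the composite is taken per objective, not per information type: no single type in the sample is high for both confidentiality and integrity, yet the system is.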
Security Categorization of Different Types of Information and Information Systems
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
How to prioritize an enterprise’s data for protection?
Analyzing risk to prioritize protection
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99
Transforming ordinal risk rankings to interval risk measures
Analyzing risk example
Analyze Risk
Maintain Risk Profile
Projected Growth of Data
What is a Zetta Byte?
A zettabyte is a quantity of information or information storage capacity equal to 10^21 bytes
Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.
Data Retention
Why have a formal data retention policy?
a) Applicable Laws and Regulations
b) Resource Limits
c) Privacy
d) Access
e) Security
f) Plagiarism and Copyright
g) Enforcement
Data Retention
Why companies need to have a formal data retention policy…
• Practical Concerns
• Regulatory Concerns
• Privacy Concerns
Data Retention: Establishing a Data Retention Policy
• Establish data classes
• Classify data
• Establish retention periods
• Select archive methods
– Paper-based
– Electronic forms
• Create end-of-life processes
• Create policies for destruction of media
• Identify roles and responsibilities
• Create enforcement mechanisms
Data roles: Owner, Steward, Custodian
• Manages the business function that generates and/or uses the data
• Has business and/or regulatory responsibility for data quality and management
• Focuses on managing data content and the business logic behind all data transformations
• Oversees the safe transport and storage of data
• Focuses on the underlying infrastructure and activities required to keep the data intact
Data Retention: Handling Customer Data
• Conduct an enterprise application compliance review
• Implement Payment Application Data Security Standard (PA-DSS)
• Pilot data tokenization solutions
• Implement end-to-end encryption
• Restrict internal access to customer data
Test Taking Tip
Focus on the “highest likelihood” answers for test taking efficiency
Here’s why:
• Some of the answers use unfamiliar terms and stand out as unlikely and can therefore be discarded immediately
– Eliminate any “probably wrong” answers first
• Some answers are clearly wrong and you can recognize them based on your familiarity with the subject
• The correct answer may require a careful reading of the wording of the question, and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice
Test Taking Tip
Example:
The promotion manager of Northeast Electronics has been made the owner of the department’s printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control?
A. Mandatory
B. Role-Based
C. Discretionary
D. Distributed
Eliminating the unlikely answers first:
• Nothing seems mandatory about this scenario
• Maybe ….
• Nothing about roles other than manager in the question
• Distributed is not relevant to the information in the question
Answer: C
Quiz