Risk Management Issues in Information Security Amanda Kershishnik COSC 481 24 April 2007.


2 Information Security “The protection of information and the systems and hardware that use, store, and transmit that information,” (Whitman & Mattord 2004).

3 InfoSec components: confidentiality, integrity, availability, privacy, identification, authentication, authorization, accountability.

4 Confidentiality Confidentiality is the capability to ensure that only the proper subjects (people and other processes or systems) can access information; it protects against disclosure to anyone not authorized to see it. (Ensuring that authorized subjects can get to the information when they need it is availability, covered below.)

5 Integrity “the quality or state of being whole, complete, and uncorrupted,” (Whitman & Mattord 2004). Information is free of corruption both physically and logically. Corruption can take place while information is being entered, stored, or transmitted.

6 Availability “Availability is the characteristic of information that enables user access to information without interference or obstruction and in a useable format,” (Whitman & Mattord 2004). A user within this definition is either a person or another computer system.

7 Privacy “information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected,” (Whitman & Mattord 2004).

8 Identification Identification is the means by which a system recognizes individual users (for example, a user name or account ID). It is the first step in gaining access to information; on its own it proves nothing until it is followed by authentication.

9 Authentication “proof that a user is indeed the person or entity requesting authorized access to a system or facility,” (Whitman & Mattord 2004). Authentication depends on one or more of three factors: what a person knows (a password or PIN), what a person has (a token or smart card), or what a person is (a biometric).

10 Authorization Authorization provides assurance that the entity attempting to access information has been explicitly granted, by the proper authority, the right to access, delete, or modify that information.

11 Accountability The systematic process of tracking and recording the operations and activities of individuals or accounts while they are active in a system or working environment, so that actions can be traced back to the subject that performed them.

12 Risk Management Risk management comprises risk assessment, risk mitigation, and risk evaluation. It lets managers balance the operational and economic costs of protective measures against the protection gained, and it enables managers to increase mission capability by protecting the assets that support their organizational objectives.

13 Risk Managers “The risk manager has overall responsibility for the success of the whole process and is responsible, ultimately, for the level of recommended risk the business accepts and is mitigated in one way or another,” (Jones & Ashenden 2005). The risk manager reduces risk to a level that is acceptable to the business and is responsible for overall conformity not only with the corporation’s own requirements but also with state and federal requirements.

14 Risk Manager roles/duties: developing the risk management environment, running the whole risk management process, communications, coordination, facilitation.

15 Assets anything or anyone that requires protection: people, procedures, data, software, hardware, and networking.

16 Asset subcategories People: inside, outside; Procedures: standard, sensitive; Data: all states (transmission, processing, storage); Software: applications, OS, security; Hardware: systems/peripherals, security; Networking: intranet, internet/extranet.


18 keep this in mind…

19 Classifying/Categorizing Assets Data classification scheme: unclassified data, sensitive but unclassified data, confidential data, secret data, and top secret data. Personnel classification scheme: confidential clearance, secret clearance, or top secret clearance. A person may read data only at or below the level of clearance they hold, and then only with a need to know.

20 Asset Value Assessment Order the assets from most important to least important. A set of questions (which asset is most critical to the organization’s success, which generates the most revenue or profit, which would be the most expensive to replace or protect, which would be the most embarrassing or costly to lose) helps build an effective weighted factor analysis worksheet: each question becomes a weighted criterion, each asset is scored against every criterion, and the assets are then ranked by their weighted score.
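The weighted factor analysis worksheet described above, as an added worked example (this is not code from the original slides). The three criteria, their weights, the 0.1 to 1.0 scoring range and the sample assets are constructed for illustration; the example assumes the usual worksheet convention that criterion weights sum to 100.

```python
"""Weighted factor analysis worksheet for ranking information assets.

Added example, not part of the original slides. Criteria, weights and the
sample assets below are constructed for illustration.
"""
from dataclasses import dataclass

# Criteria and weights. Assumed convention: weights sum to 100 and each
# asset is scored 0.1 (lowest) to 1.0 (highest) against every criterion.
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}


@dataclass(frozen=True)
class Asset:
    name: str
    scores: dict  # criterion -> score in [0.1, 1.0]


def validate_weights(weights: dict) -> None:
    """Reject a worksheet whose criterion weights do not sum to 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights must sum to 100, got {total}")


def weighted_score(asset: Asset, weights: dict) -> float:
    """Sum of score x weight over every criterion.

    A missing or out-of-range score is an error rather than a silent zero,
    so no asset is quietly under-ranked because a worksheet cell was blank.
    """
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in asset.scores:
            raise ValueError(f"{asset.name!r} has no score for {criterion!r}")
        score = asset.scores[criterion]
        if not 0.1 <= score <= 1.0:
            raise ValueError(
                f"{asset.name!r}: score {score} for {criterion!r} outside 0.1..1.0"
            )
        total += score * weight
    return round(total, 1)


def rank_assets(assets: list, weights: dict) -> list:
    """Return (name, weighted score) pairs, most important asset first."""
    validate_weights(weights)
    scored = [(a.name, weighted_score(a, weights)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample worksheet rows (hypothetical assets and scores).
SAMPLE_ASSETS = [
    Asset("Customer order database",
          {"impact_on_revenue": 0.8, "impact_on_profitability": 0.9, "impact_on_public_image": 0.5}),
    Asset("Public web server",
          {"impact_on_revenue": 0.4, "impact_on_profitability": 0.3, "impact_on_public_image": 1.0}),
    Asset("Internal wiki",
          {"impact_on_revenue": 0.1, "impact_on_profitability": 0.1, "impact_on_public_image": 0.2}),
    Asset("Payment gateway link",
          {"impact_on_revenue": 1.0, "impact_on_profitability": 1.0, "impact_on_public_image": 0.8}),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS, CRITERIA_WEIGHTS):
        print(f"{score:5.1f}  {name}")
```

The ranking is only as good as the weights: changing the public-image weight from 30 to 50 (and lowering another to keep the sum at 100) would move the public web server up the list, which is why the weights should be agreed with management before the worksheet is filled in rather than tuned afterwards.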

21 Threat Identification Identifying, for each information asset, the threats that could exploit its weaknesses. Environmental: tornados, hurricanes, floods, severe winter storms, drought, earthquakes, electrical storms, and fire. Human: terrorism, sabotage, war, theft, arson, and labor disputes.


23 Threat Value Assessment Each threat is examined more thoroughly to determine its potential ability to affect information assets; this must be done prior to risk assessment. It is a good idea to ask (and, where possible, answer) questions based on the organization’s policy and guidelines, such as which threats present the most danger to its assets and which would cost the most to recover from.

24 Vulnerability Assessment “A vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that, if exercised… would result in a security breach or a violation of the system’s security policy,” (Rittinghouse & Ransome 2005). Performed by evaluating each information asset against each threat identified for it and listing the specific ways that threat could be realized.

25 Risk Assessment PCMag.com (2006) defines risk assessment as, “A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.”

26 Likelihood Analysis A likelihood statement gives the exact threats and the estimated exposure, the unforeseen event and the mitigation actions required, and the benefit arising from covering the risk. It has 3 components: threat-source motivation and capability; the nature of the vulnerability; the existence and effectiveness of current controls.

27 Each scenario should be examined for its likelihood of occurrence along with the severity it would have on the organization. If a vulnerability is already completely managed by an existing control, it can be set aside. If the vulnerability is only partially controlled, estimate what percentage of the vulnerability is controlled. Any such estimate carries error: the degree to which a current control actually reduces risk is uncertain, so an allowance for that uncertainty belongs in the resulting risk figure.


29 Risk Determination
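Risk determination carried through in code, as an added worked example (not code from the original slides). It applies the textbook risk formula from Whitman & Mattord, which the deck cites: base risk is likelihood times asset value; the share of that base already handled by an existing control is subtracted; an allowance for estimation error (the uncertainty the previous slide warns about) is added back. Fully controlled vulnerabilities are set aside, as the previous slide says, and because the “percent controlled” figure is itself an estimate, the example also reports the risk if that estimate is off by a given margin. The asset/vulnerability rows and their values are constructed for illustration.

```python
"""Risk determination for asset/vulnerability pairs.

Added example, not part of the original slides. Uses the Whitman & Mattord
textbook formula:
    risk = (likelihood x asset value)
           - (that base risk x fraction already controlled)
           + (that base risk x uncertainty allowance)
The sample rows below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRow:
    asset: str
    vulnerability: str
    asset_value: float   # weighted score from the asset worksheet, 1..100
    likelihood: float    # 0.1 (rare) .. 1.0 (near certain)
    controlled: float    # fraction of the vulnerability an existing control already handles, 0..1
    uncertainty: float   # allowance for error in the estimates, as a fraction of base risk, 0..1


def _check(row: RiskRow) -> None:
    """Refuse inputs outside the scales the worksheet assumes."""
    label = f"{row.asset}/{row.vulnerability}"
    if row.asset_value <= 0:
        raise ValueError(f"{label}: asset value must be positive")
    if not 0.1 <= row.likelihood <= 1.0:
        raise ValueError(f"{label}: likelihood must be within 0.1..1.0")
    if not 0.0 <= row.controlled <= 1.0:
        raise ValueError(f"{label}: controlled fraction must be within 0..1")
    if not 0.0 <= row.uncertainty <= 1.0:
        raise ValueError(f"{label}: uncertainty must be within 0..1")


def residual_risk(row: RiskRow, controlled: float = None) -> float:
    """Risk left after existing controls, plus the uncertainty allowance.

    `controlled` overrides the row's own estimate so the same row can be
    re-evaluated under a different assumption about control coverage.
    """
    _check(row)
    coverage = row.controlled if controlled is None else controlled
    base = row.likelihood * row.asset_value
    return round(base - base * coverage + base * row.uncertainty, 2)


def risk_range(row: RiskRow, coverage_error: float = 0.1) -> tuple:
    """(optimistic, pessimistic) risk if the 'percent controlled' estimate is
    wrong by +/- coverage_error; coverage is clamped to 0..1."""
    optimistic_cov = min(1.0, row.controlled + coverage_error)
    pessimistic_cov = max(0.0, row.controlled - coverage_error)
    return residual_risk(row, optimistic_cov), residual_risk(row, pessimistic_cov)


def prioritize(rows: list) -> list:
    """Set aside fully controlled vulnerabilities; rank the rest, highest residual risk first."""
    open_rows = [r for r in rows if r.controlled < 1.0]
    return sorted(open_rows, key=residual_risk, reverse=True)


# Constructed sample rows (hypothetical assets, vulnerabilities and estimates).
SAMPLE_ROWS = [
    RiskRow("Customer order database", "unpatched DBMS listener", 50, 1.0, 0.0, 0.10),
    RiskRow("Public web server", "weak administrator password", 100, 0.5, 0.5, 0.20),
    RiskRow("Internal wiki", "login page without TLS", 80, 0.3, 1.0, 0.10),
    RiskRow("Payment gateway link", "single ISP uplink", 100, 0.2, 0.25, 0.10),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ROWS):
        low, high = risk_range(row)
        print(f"{residual_risk(row):6.2f} (range {low:.2f}..{high:.2f})  "
              f"{row.asset}: {row.vulnerability}")
```

Note that the web-server row carries a 50 percent control estimate; with a plus or minus 10 percent error on that estimate its residual risk spans 30 to 40, which is the kind of band a risk manager should present rather than the single point value.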

30 References
Jones, Andy & Ashenden, Debi. 2005. Risk Management for Computer Security: Protecting Your Network and Information Assets. Boston, Massachusetts: Elsevier Inc.
Leto, Thomas. 2006. CIA Triangle. Retrieved April 21, 2007, from http://istprojects.syr.edu/~sise/flexwiki/default.aspx/MyWiki/CIA%20Triangle.html
McCumber, John. 2005. Assessing and Managing Security Risk in IT Systems. Boca Raton, Florida: Auerbach Publications.
PCMag.com. 2006. Definition of: Risk Assessment. Retrieved April 23, 2007, from http://www.pcmag.com/encyclopedia_term/0,2542,t=risk+assessment&i=50556,00.asp
Powers, Rod. 2007. About: US Military: Security Clearance Secrets. Retrieved April 22, 2007, from http://usmilitary.about.com/cs/generalinfo/a/security.htm
Rittinghouse, John W. & Ransome, James F. 2005. Business Continuity and Disaster Recovery for InfoSec Managers. Burlington, Massachusetts: Elsevier Digital Press.
Whitman, Michael E. & Mattord, Herbert J. 2004. Management of Information Security. Canada: Thomson Learning, Inc.

