
1 Risk Controls in IA
Zachary Rensko, COSC 481

2 Outline
Definition; Risk Control Strategies; Risk Control Categories; The Human Firewall Project; OCTAVE

3 Definition
A risk control is any device or practice designed to prevent, reduce, or redirect risk. Risk controls are differentiated from one another by the risk control strategy they follow and by the risk control category they belong to.

4 Risk Control Strategies
In order to choose a risk control you must first choose a risk control strategy to follow. A risk control strategy is the basic principle behind a risk control. There are four different risk control strategies.

5 Acceptance
Acceptance is really the absence of a risk control strategy. To accept risk is to take no action to prevent, reduce, or redirect it. This is typically the worst choice of risk control strategies. Acceptance should only be considered when the potential cost of a risk is far less than the cost of implementing the cheapest applicable risk control strategy.

6 Mitigation
Mitigation is the process of lessening the damage done by an exploited vulnerability when it occurs. The key element of mitigation is the ability to detect and respond to an exploit when it occurs. Once an exploit has been detected, an incident response plan, disaster recovery plan, or business continuity plan must be put into effect in order to mitigate the risk.

7 Transference
Transference seeks to shift the risk involved from one area to another. The two main ways to do this are through insurance and outsourcing.

8 Avoidance
Avoidance is the most common and often the best risk control strategy to use. It seeks to prevent the exploitation of vulnerabilities. Avoidance can be achieved through the application of policy, through training and education, by countering threats, or through the implementation of technical safeguards and controls.

9 Risk Control Categories
After the appropriate risk control strategy has been selected, a risk control can be selected based upon its category. There are four basic risk control categories: control function, architectural layer, strategy layer, and information security principle.

10 Control Function
The control function category refers to the purpose behind the risk control. There are two basic subcategories of control function: preventative and detective controls. Preventative controls are often a digital enforcement of organizational policies. Detective controls are technical devices, such as an IDS, that alert a system administrator to exploits.

11 Architectural Layer
This category refers to the architectural layer the control operates in (e.g. the application layer). A single control in this category can span multiple architectural layers; password policies are one example.

12 Strategy Layer
Controls that are categorized by strategy layer are defined by the risk control strategy they use. For example, insuring a critical system component can be classified in the transference strategy layer.

13 Information Security Principle
This category means that the control is defined by the information security principle it is focused on. The information security principles are: confidentiality, integrity, availability, authentication, authorization, accountability, and privacy.

14 Exceptional Risk Controls
There are two notable examples of risk controls that should be looked at more closely. The first is the Human Firewall Project. The second is the OCTAVE method.

15 The Human Firewall Project
The Human Firewall Project is an initiative started by the Human Firewall Council in order to promote information security through the use of policy. The basic idea of this project is that if proper policy is enforced, an organization's personnel can act as a very effective firewall that is not susceptible to digital attacks such as viruses and denial of service attacks. This project follows the avoidance risk control strategy and can be categorized as a preventative control function.

16 The Human Firewall Project
There are eight essential steps an organization must undergo in order to establish a human firewall. The first step is for upper management to consider the effectiveness of their policy across the organization, whether their employees would know if a security violation occurred, and whether those same employees would know what to do if a violation occurred.

17 Human Firewall Project
The second step is to establish and delegate roles and responsibilities in information security. Next, create a plan for information security along with a budget. Then, develop or update information security policies. Fifth, establish an organization-wide security awareness and education program.

18 The Human Firewall
Sixth, measure the progress of the organization's security awareness and education programs. Then, adapt and improve these security awareness and education programs according to the feedback previously received. Last, develop an information security incident response team and plan.

19 OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. OCTAVE defines the essential components of a comprehensive, systematic, context-driven, self-directed information security evaluation. This means that organizations that use OCTAVE will be able to make informed information security decisions relevant to the risks associated with the different information security principles that apply to a particular asset.

20 OCTAVE
This method utilizes a three-phase progression to achieve its goal. Phase one focuses on information assets and seeks to determine what threats currently exist to each of these assets, the security requirements for each asset, current protection strategy practices for these assets, and any weaknesses within the organizational policies and practices.

21 OCTAVE
Phase two focuses on identifying infrastructure vulnerabilities. This phase involves identifying key operational components of the information technology infrastructure and establishing the weaknesses found there. The final phase, phase three, focuses on the development of security strategies and plans. This phase is completed by analyzing risks based upon the findings from phases one and two.

22 Why is OCTAVE so good?
There are several reasons that the OCTAVE method is a best practice for risk control. First, OCTAVE is self-directed, meaning that the organization's personnel are involved in the decision-making process. This ensures that those making the decisions will have the internal knowledge of how the organization works and, thus, will be able to make better decisions than an outsourced agency that lacks that internal knowledge would make.

23 Why is OCTAVE so good?
Secondly, OCTAVE requires that an analysis team performs the evaluation and analyzes the information. Having a small dedicated team devoted to security analysis for a specific company allows the team to focus entirely on security. The OCTAVE method also stresses that the analysis team can add personnel as needed. An analysis team may need more personnel if it reaches an area of the security evaluation where it lacks the professional knowledge required or needs another viewpoint.

24 Why is OCTAVE so good?
Last, OCTAVE utilizes a workshop-based approach. This allows participants from various organizational levels to meet in one location at a particular time to work on various tasks related to one of the three phases of OCTAVE. This helps gather information that might have been left out if only one organizational level had been considered.

25 Summary
A risk control is any device or practice that is specifically designed to prevent, reduce, or transfer risk. A risk control should be selected based upon the risk control strategy it follows and the risk control category it belongs in. The Human Firewall Project and the OCTAVE method are two exceptional examples of risk controls.

