Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.


Information Security Risk Management
- Risk
  - Define relevant terms
  - Steps to manage risk
- Recovery
  - Factors
  - General steps
  - Disaster recovery

What is risk?
- The chance that undesired events will take place
- For businesses, risks are things that can be seen as exploitable by outside/inside threats
- Examples: information leakage, denial of service, natural disaster
- Risk has uncertainty

What is risk management?
- Identification of vulnerabilities and threats to organizational resources
- Determining the countermeasures necessary to reduce risk to an acceptable level
- Methods to mitigate the uncertainty of risk

Organizational Assets
- Main asset is information
- Comprised of all components that contribute to the organizational information architecture
- Information assets all have different values, which can be approximated based on their business value
- Examples: people, data, procedures, technologies, network, etc.

Organizational Threats: Natural
- Threats that are random and related to the environment
- Consequence usually involves reduced availability of services
- Bad weather, earthquakes, ...
- Natural events can also exacerbate man-made problems
  - Nuclear problems in Japan after the earthquake

Organizational Threats: Man-made, Accidental
- Mistakes made by individuals (e.g. bugs in a program)
- Not targeted at a specific process or asset
- Can occur anytime and anywhere
- Consequences are unpredictable, as the threat is not targeted

Organizational Threats: Man-made, Intentional
- Attacks that deliberately target a victim/asset
- Usually perpetrated by a hacker or insider
- Usually have a calculated consequence
- Examples
  - Unauthorized access to assets, disclosure of data, denial of service
  - Denial of Service (DoS) to disable a web portal
  - Think the unexpected: 9/11

Impact
- Potential harm that could be inflicted on an asset and the resulting effect on the organization
- Usually can be measured as the loss of income that would have been made in the ideal situation
- Should be determined for every individual asset, for the specific threats that it faces

Steps for organizational risk management

Step 1: Risk Identification
- Must identify threats and asset vulnerabilities
- Should be done by multiple groups with varying perspectives: information owners, business experts, security experts
- Stakeholder analysis is a good tool

Step 2: Risk Assessment 1
- Determine what the asset vulnerabilities are and the likelihood that they could be exploited

Step 3: Risk Assessment 2
- Assess the threats that were identified and determine the chance that they will occur

Step 4: Impact Estimation
- Estimate the impact of each threat on each asset

Step 5: Risk Estimation
- Using the previous steps, estimate a basic level of risk
- At the level of individual assets and at the organizational level

Step 6: Security Controls
- Select/develop appropriate security controls based on a cost-benefit analysis of the risk estimate for specific assets
- Know that threats can often cascade, and each threat has a set of actions that can ameliorate the situation

Step 7: Implementing Security Controls
- Mitigate risks by implementing the security control scheme that was developed in Step 6
- Examples
  - Multi-layer user authentication, physical access controls, training
  - Insurance, detailed incident handling procedures, developing a recovery plan

Step 8: Evaluation
- Evaluate the effectiveness of the implemented security control scheme
- Ensure that risk has been reduced to acceptable levels
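As an added example (not from the slides), the following Python risk register carries the risk management steps above through constructed numbers: likelihood times impact per threat (assessment and impact estimation), summed per asset and for the organization (risk estimation), a cost-benefit pass that keeps a control only when the risk it removes exceeds its cost (security controls), and a final check against an acceptable-risk level (evaluation). The asset names, threats, likelihoods, dollar impacts and control costs are all made up for illustration.

```python
# Added example, not from the slides: a minimal risk register that walks the
# deck's risk management steps with constructed numbers (every value is made up).
# Risk is estimated as likelihood x impact per threat, then summed per asset and
# across the organization; controls are then chosen on cost-benefit grounds.

# Assessment / impact inputs, constructed: asset -> {threat: (likelihood 0..1, impact in $)}
ASSETS = {
    "patient database": {"disclosure": (0.20, 500_000), "dos": (0.30, 50_000)},
    "web portal":       {"dos": (0.50, 20_000), "unauthorized access": (0.10, 80_000)},
}
# Candidate controls, constructed: name -> (annual cost, {threat: fraction of risk removed})
CONTROLS = {
    "multi-layer authentication": (15_000, {"disclosure": 0.6, "unauthorized access": 0.8}),
    "DoS mitigation service":     (10_000, {"dos": 0.7}),
    "insurance":                  (90_000, {"disclosure": 0.5}),
}

def asset_risk(threats, controls=()):
    """Risk estimation: expected loss for one asset with the given controls applied."""
    total = 0.0
    for threat, (likelihood, impact) in threats.items():
        residual = likelihood * impact
        for name in controls:                       # controls compound multiplicatively
            residual *= 1 - CONTROLS[name][1].get(threat, 0.0)
        total += residual
    return total

def org_risk(controls=()):
    """Risk estimation at the organizational level: sum of the asset-level estimates."""
    return sum(asset_risk(t, controls) for t in ASSETS.values())

def select_controls():
    """Security controls: greedy cost-benefit selection, cheapest first; a control is
    kept only when the risk it removes exceeds what it costs."""
    chosen = []
    for name, (cost, _) in sorted(CONTROLS.items(), key=lambda kv: kv[1][0]):
        if org_risk(chosen) - org_risk(chosen + [name]) > cost:
            chosen.append(name)
    return chosen

def evaluate(controls, acceptable):
    """Evaluation: has residual risk been brought down to the acceptable level?"""
    return org_risk(controls) <= acceptable

if __name__ == "__main__":
    chosen = select_controls()
    print("baseline risk:", org_risk())
    print("chosen controls:", chosen, "residual risk:", org_risk(chosen))
    print("acceptable at 60000?", evaluate(chosen, 60_000))
```

With these numbers the insurance option is rejected because it removes less risk than it costs, which is the kind of result the cost-benefit step in the deck is meant to surface.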

Recovery: affected by many factors
- Importance of the asset that was compromised
- Cost of the general recovery process
- The cause of the asset compromise
- The extent of the damage
- The type of damage
- How quickly the disruption was detected and fixed
- Presence/lack of a contingency plan

General Steps
1. Implement contingency plan
2. Assess damage
3. Determine cause of damage
4. Repair damage
5. Document incident
6. Develop new security controls to prevent a repeat of the situation
7. Evaluate recovery response

Disaster Recovery
- Restoration of the information architecture, achieved through duplication of computing operations
- Often requires an off-site backup which is frequently updated
  - Backup should be off-site to ensure that a disaster doesn't compromise all data centers
- Most effective when a well-designed disaster recovery plan has been written and evaluated
- Save all configuration information for all devices

Disaster Recovery
- Important to write and implement procedures for activating important information systems in a safer environment
- Mission-critical assets must be prioritized
- Goal is to create an environment where operating conditions can be reestablished at a functional level
- Hot standby is one method

Importance of Risk Management
- Similar to security management; needed in order to assess and protect assets against various threats
- Understanding threats allows an organization to defend against them and prepare in case a disruption occurs
- Lack of defense/preparation can significantly impact or destroy an organization