Risk Management Issues in Information Security. Amanda Kershishnik, COSC 481, 24 April 2007.


Information Security
“The protection of information and the systems and hardware that use, store, and transmit that information” (Whitman et al. 2004).

InfoSec components:
– Confidentiality
– Integrity
– Availability
– Privacy
– Identification
– Authentication
– Authorization
– Accountability

Confidentiality
Confidentiality is the capability to ensure the proper subjects (people and other processes or systems) have the necessary access when needed.

Integrity
“the quality or state of being whole, complete, and uncorrupted” (Whitman 2004).
– Information is free of corruption both physically and logically.
– Corruption can take place while information is being entered, stored, or transmitted.

Availability
“Availability is the characteristic of information that enables user access to information without interference or obstruction and in a useable format” (Whitman 2004).
– A user within this definition is either a person or another computer system.

Privacy
“information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected” (Whitman 2004).

Identification
– Identification is a system that is able to recognize individual users.
– The first step toward gaining access to information.

Authentication
“proof that a user is indeed the person or entity requesting authorized access to a system or facility” (Whitman 2004).
– Authentication depends on one of three things: what a person knows, what a person has, or what a person is.

Authorization
– Provides assurance that the entity attempting to access information has been exclusively and clearly authorized by the proper authority to access, delete, or modify information.

Accountability
– The systematic process of tracking and recording the operations and activities carried out by individuals or accounts while they are active in a system or working environment.

Risk Management
– Risk assessment
– Risk mitigation
– Risk evaluation
– Managers are able to balance the operational and economic costs of protective measures.
– Enables managers to achieve an increase in mission capability by protecting the assets that support their organizational objective.

Risk Managers
“The risk manager has overall responsibility for the success of the whole process and is responsible, ultimately, for the level of recommended risk the business accepts and is mitigated in one way or another” (Jones et al. 2005).
– Handle risk to a level that is acceptable.
– Assigned to handle overall conformity with not only their corporation’s requirements but also state and federal requirements.

Risk Manager roles/duties
– Developing the risk management environment
– The whole risk management process
– Communications
– Coordination
– Facilitation

Assets
– Anything or anyone that requires protection.
– People, procedures, data, software, hardware, and networking.

Asset subcategories
– People: inside, outside
– Procedures: standard, sensitive
– Data: all states (transmission, processing, storage)
– Software: applications, OS, security
– Hardware: systems/peripherals, security
– Networking: intranet, internet/extranet


Classifying/Categorizing Assets
– Data classification scheme: unclassified data, sensitive but unclassified data, confidential data, secret data, and top secret data
– Personnel classification scheme: confidential clearance, secret clearance, or top secret clearance

Asset Value Assessment
– Organize the assets from most important to least important.
– Questions that help create an effective weighted factor analysis worksheet.
– Assets are then ranked by their weighted score.

Threat Identification
– Assessing potential weaknesses for each information asset.
– Environmental: tornados, hurricanes, floods, severe winter storms, drought, earthquakes, electrical storms, and fire
– Human: terrorism, sabotage, war, theft, arson, and labor disputes

Threat Value Assessment
– Each threat is examined more thoroughly to determine its potential ability to affect information assets; this must be done prior to risk assessment.
– It is a good idea to ask questions (and possibly answer questions) based on an organization’s policy and guidelines.

Vulnerability Assessment
“A vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that, if exercised… would result in a security breach or a violation of the system’s security policy” (Rittinghouse, 2005).
– Performed when you evaluate each information asset against each threat.

Risk Assessment
PCMag.com (2006) defines risk assessment as “A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.”

Likelihood Analysis Statement
– Gives the exact threats and the estimated exposure, the unforeseen event and mitigation actions required, and the benefit arising out of covering the risk.
– 3 components:
  – threat-source motivation and capability
  – nature of the vulnerability
  – existence and effectiveness of current controls

– Each scenario should be examined for its possibility of occurrence along with the severity it would have on an organization.
– If a vulnerability is already completely managed by an existing control, it can be set aside.
– If the vulnerability is only partially controlled, an estimate needs to be calculated as to what percentage of the vulnerability is controlled.
– There is error in calculating the degree to which a current control can reduce risk.
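As an added worked example (not part of the presentation), the weighted factor analysis worksheet from the Asset Value Assessment slide is carried through into the likelihood analysis described above: assets are ranked by weighted score, fully controlled vulnerabilities are set aside, partially controlled ones are reduced by the estimated percentage controlled, and an allowance is added for the error in that estimate. The criteria, weights, the residual-risk formula and all asset and threat data are constructed for this illustration and are not taken from the slides.

```python
from dataclasses import dataclass
# Worksheet criteria and weights (assumed; must sum to 1.0). Scores are 0-100.
CRITERIA_WEIGHTS = {"revenue_impact": 0.4, "profitability_impact": 0.3, "public_image": 0.3}

def weighted_score(scores: dict) -> float:
    """Weighted factor analysis: each criterion score times its weight, summed."""
    return sum(scores[c] * w for c, w in CRITERIA_WEIGHTS.items())

def rank_assets(assets: dict) -> list:
    """Order assets from most to least important by weighted score."""
    ranked = [(name, weighted_score(s)) for name, s in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

@dataclass
class ThreatVuln:
    asset: str
    threat: str
    likelihood: float      # estimated chance the threat exercises the flaw, 0..1
    pct_controlled: float  # share of the vulnerability existing controls cover, 0..1
    uncertainty: float     # estimated error in the pct_controlled figure, 0..1

def residual_risk(tv: ThreatVuln, asset_value: float):
    """Assumed model: exposure = likelihood * asset value; subtract the share
    already controlled, add an allowance for the error in that estimate.
    A completely controlled vulnerability is set aside (returns None)."""
    if tv.pct_controlled >= 1.0:
        return None
    exposure = tv.likelihood * asset_value
    return exposure - exposure * tv.pct_controlled + exposure * tv.uncertainty

def determine_risk(items: list, ranked_assets: list) -> list:
    """Rate every open threat/vulnerability pair, highest residual risk first."""
    values = dict(ranked_assets)
    rated = [(tv.asset, tv.threat, residual_risk(tv, values[tv.asset])) for tv in items]
    return sorted((r for r in rated if r[2] is not None), key=lambda r: r[2], reverse=True)

# Constructed sample data: three assets scored on the worksheet, three threat pairs.
SAMPLE_ASSETS = {
    "customer_db": {"revenue_impact": 90, "profitability_impact": 80, "public_image": 70},
    "public_web_server": {"revenue_impact": 70, "profitability_impact": 50, "public_image": 90},
    "internal_wiki": {"revenue_impact": 20, "profitability_impact": 30, "public_image": 10},
}
SAMPLE_ITEMS = [
    ThreatVuln("customer_db", "theft (human)", 0.5, 0.6, 0.1),
    ThreatVuln("customer_db", "flood (environmental)", 0.1, 1.0, 0.0),  # fully controlled
    ThreatVuln("public_web_server", "sabotage (human)", 0.3, 0.5, 0.2),
]
if __name__ == "__main__":
    for asset, threat, risk in determine_risk(SAMPLE_ITEMS, rank_assets(SAMPLE_ASSETS)):
        print(f"{asset:18} {threat:22} residual risk {risk:6.2f}")
```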

Risk Determination

References
Jones, Andy & Ashenden, Debi. Risk Management for Computer Security: Protecting Your Network and Information Assets. Boston, Massachusetts: Elsevier Inc.
Leto, Thomas. (2006). CIA Triangle. Retrieved April 21, 2007, from 20Triangle.html
McCumber, John. Assessing and Managing Security Risk in IT Systems. Boca Raton, Florida: Auerbach Publications.
PCMag.com. (2006). Definition of: Risk Assessment. Retrieved April 23, 2007, from ment&i=50556,00.asp
Powers, Rod. About: US Military: Security Clearance Secrets. Retrieved April 22, 2007, from
Rittinghouse, John W. & Ransome, James F. Business Continuity and Disaster Recovery for InfoSec Managers. Burlington, Massachusetts: Elsevier Digital Press.
Whitman, Dr. Michael E. & Mattord, Herbert J. Management of Information Security. Canada: Thomson Learning, Inc.