INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012
Information Security & Risk Management This chapter presents the following: Security management responsibilities Difference between administrative, technical, and physical controls Three main security principles Risk management and risk analysis Security policies Information classification Security-awareness training
Security Management Security management includes: risk management / risk analysis, information security policies and procedures, standards, guidelines, baselines, information classification, security organization, and security education. The objective of security, and a security program, is to protect the company and its assets
Security Management Process of security management: Is the Risk Management one time activity? Risk Assessment and determination of Need Monitoring and Evaluation of systems and practices Promoting Awareness Implementation of policies and controls to address the identified risks. Continuous evaluation and Evaluation
Security Management Are the risks in Mainframes and PC similar? Functionality, Connectivity What about the required controls? Based on the Risk Assessment, which of the following is more critical? Computers Data Physical buildings, Factory equipment,
Security Management “Security is more than just a firewall and a router with an access list; these systems must be managed, and a big part of security is managing the actions of users and the procedures they follow”
Security Management Responsibilities Okay, who is in charge and why?
Security Management Responsibilities Security, management’s functions involve determining: Scope and objectives, policies, priorities, and strategies. Business Equation = Productivity + Information security Again, Who’s responsibility is this? IT administrator’s responsibilities. highest levels of management Both IT and Management
Security Management Responsibilities Management’s responsibility is to provide: Protection for the resources it is responsible, and the company overall. human, capital, hardware, information; etc Funding to support security initiatives, Strategic representatives should participate in the security program. Assignment of roles and responsibilities to get the security program off the ground and to keep it evolving as the environment changes. Integrate the program into the current business environment and monitor its accomplishments. Management’s support is one of the most important pieces of a security program.
Security Management Responsibilities Identification and valuation of company’s assets, Risk analysis and assessments. Identify vulnerabilities and exposure rate Rank the severity of identified vulnerabilities Classification of data, Implementation of security policies to provide integrity, confidentiality, and availability for those assets.
Security Administration and Supporting Controls Security Officer - Directly responsible for development and monitoring of the security program. Information Owners - Dictate which users can access their resources, what those users can do with those resources. Usually a senior executive within the management group of the company, or the head of a specific department. Corporate responsibility for data protection If the information owner does not lay out the foundation of data protection and ensure the directives are being enforced, she would be violating the due care concept.
Security Administrator - Make sure these objectives are implemented. Following controls should be utilized to achieve management’s security directives: (figure 3.1) Administrative controls Technical controls (also called logical controls) Physical controls Security Administration and Supporting Controls
Fundamental Principle of Security Now, what are we trying to accomplish again? AIC or CIA triad!!!
Fundamental Principle of Security Availability Emergency! I can’t get to my data! Response: Turn the computer on!
Fundamental Principle of Security Integrity assurance of the accuracy and reliability of the information any unauthorized modification is prevented.
Fundamental Principle of Security Confidentiality Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
Security Definitions Define the following, based on the prior knowledge??? Vulnerability Threat Risk Exposure Countermeasure (controls)
Relationship between different Security Components
Security Frameworks What are the Security Standards and Frameworks?
Security Frameworks Control Objectives for Information and related Technology (CobiT) ISO/IEC – Information Security Management System (ISMS) Information Technology Infrastructure Library (ITIL)
Security Frameworks ISO 27001:2005 – Information Security Management System Information Security Policy Organization of Information Security Access Controls Communications and Operations Management Asset Management Physical and Environmental Security Systems Acquisition, Development and Maintainence Human Resource Security Business Continuity Management Compliance
Security Program Development A continuous life cycle that is described in the following steps: Plan and organize. Risk Assessment and determination of Need - 1 Implement. Implementation of policies and controls to address the identified risks - 2 Operate and maintain. Promoting Awareness - 3 Monitor and evaluate. Monitoring and Evaluation of systems and practices - 4
Security Program Development Identify and relate the following in stages of life cycle: Establish management commitment. Carry out a risk assessment. Develop security architectures at an organizational, application, and network level. Assign roles and responsibilities. Develop and implement security policies, procedures, and guidelines. Asset identification and management. Follow procedures to ensure all baselines are met as required. Carry out internal and external audits. Manage service level agreements. Review logs, audit results, and SLAs. Assess goal accomplishments.
Information Risk Management “The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.” Risks to a company come in different forms, and they are not all computer related.
Information Risk Management Organizations should be aware of the following major risk categories and prioritize them accordingly: Physical damage - Fire, water, vandalism, power loss, and natural disasters Human interaction - Accidental or intentional action or inaction that can disrupt productivity Equipment malfunction - Failure of systems and peripheral devices Inside and outside attacks - Hacking, cracking, and attacking Misuse of data - Sharing trade secrets, fraud, espionage, and theft Loss of data - Intentional or unintentional loss of information through destructive means Application error - Computation errors, input errors, and buffer overflows
Risk Analysis A risk analysis has four main goals / steps: Identify assets and their value to the organization. Identify vulnerabilities and threats. Quantify the probability and business impact of these potential threats. Provide controls (a balance between the impact of the threat and the cost of the countermeasure).
The Value of Information and Assets Based on the CIA Triad Qualitative approach will be used in class. Categorization in HIGH, MEDIUM, and LOW Valuation of assets in High, Medium and Low Quantitative approach is also used in industry to assign value to assets. Cost to acquire or develop the asset Cost to maintain and protect the asset Value of the asset to owners and users Operational activities affected if the asset is unavailable Usefulness and role of the asset in the organization
Workshop 1 Identify information Assets Assets Valuation
Threats and Vulnerability Difference between threat and vulnerability? Examples??? Relate threat and vulnerability?
Identification of Threats & Vulnerabilities Many types of threat agents can take advantage of several types of vulnerabilities, resulting in a variety of specific threats. Threats for IT Environment?
Protection Mechanism (Controls) identify the current security mechanisms and to evaluate their effectiveness. each threat type must be addressed and planned for individually. Access control mechanisms Software applications and data malfunction Site location, fire protection, site construction, power loss, and equipment malfunctions Telecommunication and networking issues Business continuity and disaster recovery
Controls Selection It should be cost-effective (its benefit outweighs its cost). (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company For example, if the ALE of the threat of a hacker bringing down a web server is $12,000 prior to implementing the suggested safeguard, and the ALE is $3,000 after implementing the safeguard, while the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.
Workshop 2
Putting it all Together Total Risk vs Residual Risk total risk – countermeasures = residual risk
Handling the Risk Now, Handle which risk? Residual Risk Risk Management???? Avoid Reduce Transfer Accept
Policies, Standards, Baselines, and Procedures Security Policy - An overall general statement produced by senior management that dictates what role security plays within the organization. Standards - mandatory activities, actions, or rules. Can give a policy its support and reinforcement in direction. Can be internal or external (government laws and regulations) Baselines - define the minimum level of protection required. Procedures - detailed step-by-step tasks that should be performed to achieve a certain goal.
Information Classification
Security-Awareness Training Security Trends and Risk Awareness Communication of Policies and Procedures Expected responsibilities and acceptable behaviors Legal Actions in case of Non-Compliance; etc
Summary
End of Chapter 2 Thank You