Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS4550 Security Policies and Implementation Unit 7 Risk Management

Published byAnissa Cole Modified over 6 years ago

Similar presentations

Presentation on theme: "IS4550 Security Policies and Implementation Unit 7 Risk Management"— Presentation transcript:

1 IS4550 Security Policies and Implementation Unit 7 Risk Management

2 Class Agenda 7/28/16 Lesson Covers Chapter 11 Learning Objectives
6/27/2018 Class Agenda 7/28/16 Lesson Covers Chapter 11 Learning Objectives Lesson Presentation and Discussions. Discussion on Assignments. Discussion on Lab Activities. Break Times as per School Regulations. Try to read the text book before class. (c) ITT Educational Services, Inc.

3 Learning Objective Describe the different information security systems (ISS) policies associated with risk management.

4 Key Concepts Business risks related to information systems
Risks associated with the selected business model, and describe policies related to business impact analysis (BIA) Policies specific to risk assessment, business impact analysis (BIA), and business continuity planning (BCP) Policies connected with disaster recovery planning (DRP) Differences between public and private examples of risk management policies

5 Group discussion. What is data classification an why is it important?
Different between Risk Management and risk assessment? What is meant by Business Impact Analysis (BIA), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP)

6 EXPLORE: CONCEPTS

7 Military Classification Scheme
The U.S. military classification scheme is defined in National Security Information document Executive Order (EO) Top Secret—Data that the unauthorized disclosure would reasonably expect to cause grave damage to the national security Secret—Data that the unauthorized disclosure would reasonably expect to cause serious damage to the national security Confidential—Data that the unauthorized disclosure would reasonably expect to cause damage to the national security

8 Military Classification Scheme (Continued)
This type of data has two classification levels: Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act Unclassified—Data available to the public

9 Risk Management Policies
Risk avoidance is primarily a business decision, however differences between public and private are clear: Public organizations cannot avoid high risk, such as police departments Private organizations can avoid risk with strategic decisions as to where to place their data centers, out of storm paths

10 Risk Management Policies (Continued)
The power to choose what risk to accept is the main difference between public and private organizations

11 EXPLORE: ROLES

12 Roles and Responsibilities
Risk Manager Manages risk, creates the BIA Auditor Conducts Assurance functions relating to data classification policies, assists in the BIA Data Owners Own the data responsible for data creation, access, use, transmission, classification process, develops data retention, disposal policies

13 Roles and Responsibilities (Continued)
Information Technology (IT) Management Develops BCP, DRP, works with data owners to determine what data needs to be backed-up based on data classification process, storage Security Manager Supports BCP, DRP process allocates full-time employees (FTEs) to be part of teams set up to confer BCP, DRP realities Senior Management Supports policy creation functions, BCP and DRP effort, and allocates funding

14 EXPLORE: CONTEXT

15 Data Handling Policies
Policies, Standards, and Procedures must be defined regarding data during: Creation—During creation, data must be classified. That could be simply placing the data within a common storage area Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD) Use—Use of data includes protecting and labeling information properly after its access Transmission—Data must be transmitted in accordance with policies and standards

16 Data Handling Policies (Continued)
Storage—Storage devices of data must be approved. This ensures that access to the device is secured and properly controlled Physical Transport—Transport of data must be approved. This ensures that the data leaves the confines of the private network and is protected and tracked Destruction—Destruction of data is sometimes called “disposal.” When an asset reaches its end of life, it must be destroyed in a controlled procedure

17 EXPLORE: RATIONALE

18 BIA, BCP, and DRP Policies
BIA Policies - The BIA is used to develop business continuity plans to minimize losses BCP Policies - The BCP policies outline the guidance for building a plan such as key assumptions, accountabilities, and frequency of testing

19 BIA, BCP, and DRP Policies (Continued)
DRP Policies - The policies and documentation needed for an organization to recover their IT assets such as software, data, and hardware during a disaster

20 Summary In this presentation, the following were covered:
Data classification based on military scheme Risk management policies for private and public sector Roles and responsibilities associated with risk management policies Data handling policies BIA, DRP, and BCP policies

21 Unit 7 Assignment Discussion 7.1 Business Impact Analysis (BIA), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP) Assignment 7.3 Risk Management in a Business Model

22 Unit 7 Lab Activities Lab is in the lab manual on line Lab 6.2 Identify Necessary Policies for Business Continuity - BIA & Recovery Time Objectives Reading assignment: Read chapter 11

Download ppt "IS4550 Security Policies and Implementation Unit 7 Risk Management"

Similar presentations

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Auditing Computer Systems

Auditing Computer Systems
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Information Asset Classification

Information Asset Classification
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Security Awareness Norfolk State University Policies.

Security Awareness Norfolk State University Policies.
K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss
Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.

Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Presented to President’s Cabinet. INTERNAL CONTROLS are the integration of the activities, plans, attitudes, policies and efforts of the people of an.

Presented to President’s Cabinet. INTERNAL CONTROLS are the integration of the activities, plans, attitudes, policies and efforts of the people of an.
David N. Wozei Systems Administrator, IT Auditor.

David N. Wozei Systems Administrator, IT Auditor.
1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.

1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Similar presentations

Ads by Google