Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment."— Presentation transcript:

1 Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives  Module 6: Case Study Module 7: Summary

2 Module 6 Case Study

3 Case Study Introduction The Arlington Community Schools of Hawk County (ACSHC) is planning to conduct a risk assessment. For this case study, you are to put yourself in the position of the team leader responsible for the risk assessment on the Student Management System (SMS) for this school corporation. This school corporation includes an elementary school, a middle school, and a high school. There are 1028 students, 61 teachers, 9 administrators, 2 full time technology staff, and IT consultants all of whom have regular access to the ACSHC information system including SMS. Also, the software developers for SMS Software have remote access to this system to perform software updates. All users have the ability to remotely access their home directory from any Internet connection. Access to the Information System varies depending upon a person’s role at ACSHC.

4 Case Study List of Users/Admins with SMS Information, Part I IT Support Staff – These users include two full time employees and two outside technology contractors. It is this group’s role to maintain all workstations and servers and provide support and training to the end users. They are responsible for all areas of the Information System such as backups, updates, repair, and replacement. Corporation and School Administrators – These users are the leaders of ACSHC and the respective schools. They have access to student and teacher folders as well as their own on the network. In the SMS system they have access to discipline, contact information, schedules, attendance records, demographic information, grades and academic history. Bookstore Secretary – These two users run their schools bookstores. They also are responsible for their respective school’s accounts. In the SMS system they have administrative access. Support Staff – These users include the main school secretaries. They have access to their own directories on the information system. In the SMS system they have access to almost all administrative aspects and components.

5 Case Study List of Users/Admins with SMS Information, Part II Guidance Staff – These users make up the corporation guidance department. They have access to their own directories on the information system. In the SMS system they have access to discipline, contact information, schedules, attendance, demographics, grades, academic history, and schedules. Teachers – These users make up the second largest group of users. They have access to their own directories and that of their students. They have individual login names for network connectivity. In the SMS system they have access to attendance, grades, schedules and contact information. Instructional Assistants – These users provide education support for teachers and students. Like teachers, they have individual login names for network connectivity but do not have access to the SMS system. Students – These users make up the largest group of users. They have access to their individual user directory. In the SMS system they have access to their own schedules. All students logon to the workstations using the same user login name, student.

6 Case Study Management Controls The ACSHC facility has two distinct buildings on one campus. One building houses an elementary, a middle school and a high school; the other building houses the ACSHC corporation office. The ACSHC information system’s main distribution frame (MDF) is connected to five intermediate distribution frames (IDF) via fiber optic cable. There are also multiple wireless access points that are secured via 128 bit encryption. The current controls for ACSHC SMS Information system are categorized into the following three: management controls, operational controls, and technical controls. Management Controls –Management Controls of an IT system are concerned with identifying the personnel and human factors that are involved in managing an information system. This includes items such as separation of duties, security and technical training, and assignment of responsibilities.

7 Case Study Operational Controls Operational Controls of an IT system are concerned with the physical controls in place to protect the system. This includes items such as main server room door, backup systems, temperature control systems, dust control systems, quality of electrical power, and physical security such as locked doors and access control. The main server room is located directly behind the Director of Technology’s office requiring passing in front of the Director’s door to gain access to the room. The lock on the server room door requires an ACSHC master key and is kept locked except when the room is in use. The server room contains the router to the Internet, the main switch, and five servers. The SMS server sits on the floor with the email server sitting on top of it. Each server has its own uninterruptible power supply (UPS) which sits on the floor next to the servers. There are also two cabinets that contain the other three servers, two UPSes, patch panels, switches, fiber connectors, and the router to the Internet powered by two circuits. This room houses two other cabinets that contain the intercom system and surveillance equipment. High temperatures have been avoided in this room with the installation of its own air conditioning unit. There is an internal backup drive in the SMS server which is used to perform a full server back-up on the SMS system every Wednesday night. The backup tapes are changed by the Director of Technology and stored in the school vault or in the Directory of Technology’s purse. Other backups are performed on the system before updates are installed.

8 Case Study Operational Controls Operational Controls of an IT system are concerned with the physical controls in place to protect the system. This includes items such as main server room door, backup systems, temperature control systems, dust control systems, quality of electrical power, and physical security such as locked doors and access control. The main server room is located directly behind the Director of Technology’s office requiring passing in front of the Director’s door to gain access to the room. The lock on the server room door requires an ACSHC master key and is kept locked except when the room is in use. The server room contains the router to the Internet, the main switch, and five servers. The SMS server sits on the floor with the email server sitting on top of it. Each server has its own uninterruptible power supply (UPS) which sits on the floor next to the servers. There are also two cabinets that contain the other three servers, two UPSes, patch panels, switches, fiber connectors, and the router to the Internet powered by two circuits. This room houses two other cabinets that contain the intercom system and surveillance equipment. High temperatures have been avoided in this room with the installation of its own air conditioning unit. There is an internal backup drive in the SMS server which is used to perform a full server back-up on the SMS system every Wednesday night. The backup tapes are changed by the Director of Technology and stored in the school vault or in the Directory of Technology’s purse. Other backups are performed on the system before updates are installed.

9 Case Study Technical Controls Technical controls of an IT system are concerned with digital security to protect an information system or allow the ability to trace an intrusion. Examples of technical controls include: –Communication –Firewall –Intrusion Detection System –Encryption –System Audits –Object reuse. Examples of technical controls in the ACSHC system include: –Vexira anti-virus software –Deep Freeze and Fool Proof workstation security software –Filters to prevent students from downloading files from the Internet

10 Case Study Questions 1.According to the material of Module 4 of Course 1 or standards in document 800-30 (NIST 800-30), please identify the main work plan steps of risk assessment in this case. 2.If you conduct the threat assessment-one part of the risk assessment of the SMS information system for ACSHC, how many sub-categories will you think of dividing your investigation into? Please briefly explain how each plays a role in this specific case.

11 Case Study Question 1, Reference Solution A 1.According the course material, the main work plan steps are: a.Planning: It includes risk assessment scope determination and security baseline in which we should identify the current system characteristics. b.Preparation: This is mainly to identify the assets related with the SMS information system at ACSHC. This can further break down to asset identification, asset classification and asset prioritization based on their weighted important to confidentiality, integrity and availability. c.Threat assessment: This is the study covering threats, threat sources, and threat impacts. d.Risk assessment: This includes evaluation of current risk controls, vulnerability identification, likelihood determination, and all the information generated so far will lead to the complete risk determination about the SMS information system for ACSHC. e.Finally, we can obtain the complete control recommendations.

12 Case Study Question 1, Reference Solution B 1. If we follow the NIST 800-30, the main risk assessment work plan steps are: Step 1 – System Characterization Step 2 – Threat Identification Step 3 – Vulnerability Identification Step 4 – Control Analysis Step 5 – Likelihood Determination Step 6 – Impact Analysis Step 7 – Risk Determination Step 8 – Control Recommendations Step 9 – Results and Documentation

13 Case Study Question 2, Reference Solution 2. Mainly, the threats to the SMS information system of ACSHC can be categorized into three areas: human threat (internal/external), natural/physical threats, and technical threats based on the threat sources.

Download ppt "Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment."

Similar presentations

GCSE ICT Networks & Security..

GCSE ICT Networks & Security..
Objectives: Chapter 9: Data Centre Architecture VLAN definition and benefits * VLANs and broadcast domains * Routers role in VLANs * Types of VLANs * VLANs.

Objectives: Chapter 9: Data Centre Architecture VLAN definition and benefits * VLANs and broadcast domains * Routers role in VLANs * Types of VLANs * VLANs.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Join the conference call by dialing the conference number in your Invitation or Reminder Emails. Please put your phone on mute. Please stand by! The webinar.

Join the conference call by dialing the conference number in your Invitation or Reminder s. Please put your phone on mute. Please stand by! The webinar.
Data Storage and Security Best Practices for storing and securing your data The goal of data storage is to ensure that your research data are in a safe.

Data Storage and Security Best Practices for storing and securing your data The goal of data storage is to ensure that your research data are in a safe.
Position Opening Page 1 Job Classification: Network Server Administrator Opening Date: June 27, 2014 Location: Dobson Office Closing Date: July 7, 2014Grade:

Position Opening Page 1 Job Classification: Network Server Administrator Opening Date: June 27, 2014 Location: Dobson Office Closing Date: July 7, 2014Grade:
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,

Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
1 Lesson 3 Computer Protection Computer Literacy BASICS: A Comprehensive Guide to IC 3, 3 rd Edition Morrison / Wells.

1 Lesson 3 Computer Protection Computer Literacy BASICS: A Comprehensive Guide to IC 3, 3 rd Edition Morrison / Wells.
1 Disaster Recovery Planning & Cross-Border Backup of Data among AMEDA Members Vipin Mahabirsingh Managing Director, CDS Mauritius For Workgroup on Cross-Border.

1 Disaster Recovery Planning & Cross-Border Backup of Data among AMEDA Members Vipin Mahabirsingh Managing Director, CDS Mauritius For Workgroup on Cross-Border.
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Similar presentations

Ads by Google