Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:

Published byMoses Gardner Modified over 8 years ago

Similar presentations

Presentation on theme: "Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:"— Presentation transcript:

1 Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student: Jing Zhang

2 Background Research question Literature founding Case study Threat landscape Risk framework (Case study company) Comparison and improvement Conclusion Presentation outline

3 Cybercrime influence faced by company 75 billion USD financial losing each year in United States Target: E-commerce, sensitive information Attack type: E-mail spoofing, phishing, malware installation, etc. Reason: counterfeit software, employee security awareness, etc. Background

4 What are the (cyber) threat landscape and the emerging trends and challenges that would have an impact on the China Aerospace Systems Engineering Corporation (Case Study Company)? What are the limitations of existing information security risk management frameworks and/or how can existing frameworks be adapted in the Case Study Company? Research questions

5 Three international risk management frameworks: NIST sp800-30 (National institute of Standard and Technology) USA ISO 31000 (International Organization for Standardization) Australia ENISA (European Network and Information Security Agency) European country Literature finding

6 Terminology and risk management phases NIST sp800-30ISO 31000ENISA First phase Mandate and commitment Corporate risk management strategy Design of framework for managing risk Second phaseRisk assessment Implementing risk management Risk assessment Risk treatment Risk mitigation Risk acceptance (optional) Third phase Evaluation and assessment Monitoring and review of the framework Monitoring and review Continual improvement of the framework Literature finding (Cont’d)

7 NIST sp800-30 Literature finding (Cont’d)

8 ISO 31000 Literature finding (Cont’d)

9 ENISA Literature finding (Cont’d)

10 Threat landscape Phishing: online shopping, ticket selling, travelling agency, Internet banking Mobile device attacking: steal Email account, mobile banking information, unauthorised charging fee (premium SMS) Advanced Persistent Threat (APT): enterprise level attack, more specific target, sensitive information. Case study

11 Risk framework (Case study company) Risk management process: risk identification, risk analysis, risk treatment, control implementation, risk monitoring and control improvement, communication Risk identification: information assets (system, software, hardware, employee and archived data) Threat (Non-human, human) vulnerability (technical, operational, management) Risk analysis: Likelihood (attraction level of each information asset) and consequence (financial: both information value and recovery cost) Case study (Cont’d)

12 Risk framework (Case study company) Risk treatment: Control method: Risk avoidance, Risk transformation, Risk minimisation, Risk acceptance Control category: Technical control, Operation control, Management control Cost benefit analysis: Purchase cost, Continuing cost, Employee training cost Control implementation Implementation report: timeline, responsibility Risk monitoring and control improvement new risk treatment plan after review and monitoring Communication Case study (Cont’d)

13 Risk framework (Case study company) Implementation plan: Planning and preparation, Deployment and implementation, Monitoring and improvement Planning and preparation: Achieve the support: senior management team, related department (human, physical, financial and timing support) Main processor and responsibility: information security team, IT group, Human resources, Financial department Security control selection and implementation: Economic factor, Timing factor, Technical factor, Control implementation plan Case study (Cont’d)

14 Risk framework (Case study company) Deployment and implementation Security training: User training, Manager training, Security staff training Monitoring and improvement Mitigation plan: Internal and external network data exchange policy, Security auditing, Accessing control, etc. Case study (Cont’d)

15 Comparison and improvement: What feature missed in company framework: Context establishment (ISO 31000 and ENISA), system characterization (NIST), risk criteria (ISO) Motivation analysis (NIST), organisation processor, stakeholder concern and expertise decision, organisation risk attitude and tolerance (ISO 31000, ENISA) Cost benefit (NIST): implementing effect, non-implementing effect, implementing cost Positive risk (ENISA) Risk assessment and mitigation activity (NIST) Residual risk (all three frameworks) Case study (Cont’d)

16 Different perspective in some fields Still could improvement Risk management is vital in organisation activity Conclusion

17 E. G. Amoroso, "Cyber attacks: awareness," Network Security, vol. 2011, pp. 10-16, 2011. E. E. Anderson and J. Choobineh, "Enterprise information security strategies," Computers & Security, vol. 27, pp. 22-29, 2008. K. K. R. Choo, "Cyber threat landscape faced by financial and insurance industry." Trends and Issues in Crime and Criminal Justice 408: 1-6, 2011. B. Kakoli, P. Peter, K. M. Mykytyn, "A framework for integrated risk management in information technology", Management Decision, vol. 37 no: 5, pp.437 – 445, 1999. M. Burdon, B. Lane, and P. von Nessen, "The mandatory notification of data breaches: Issues arising for Australian and EU legal developments," Computer Law & Security Review, vol. 26, pp. 115-129, 2010. K.K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers & Security, vol. 30, pp. 719-731, 2011. G. Locke, P. D. Gallagher, “Guide for applying the risk management framework to federal information system: a security life cycle approach”, NIST Special Publication 800-37, 2010. Standard. A and Standard. N. Z, “Risk management”, Standard Australia and Standard New Zealand, AS/NZS 4360:2004, 2004. N. I. S. A. European, “Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools”, European Network and Information Security Agency, 2006. G. Stoneburner, A. Goguen, et al. "Risk management guide for information technology systems" NIST special publication 800(30): 800–830, 2002. Reference

18 Question?

Download ppt "Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:"

Similar presentations

1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.

1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.
The Department of Energy Enterprise Risk Management Model

The Department of Energy Enterprise Risk Management Model
AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.

AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.
Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’

Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’
Lisanne Sison Director ERM Bickmore

Lisanne Sison Director ERM Bickmore
UNCLASSIFIED Cybercrime: The Australian Experience Australian Cybercrime Online Reporting Network (ACORN) Conference Assistant Commissioner Tim Morris.

UNCLASSIFIED Cybercrime: The Australian Experience Australian Cybercrime Online Reporting Network (ACORN) Conference Assistant Commissioner Tim Morris.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Control and Accounting Information Systems

Control and Accounting Information Systems
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
A Framework to Implement a National Cyber Security Structure for Developing Nations ID Ellefsen - SH von Solms - Academy.

A Framework to Implement a National Cyber Security Structure for Developing Nations ID Ellefsen - SH von Solms - Academy.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
Security Controls – What Works

Security Controls – What Works
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Session 2 World Bank Institute Katalin Demeter

Session 2 World Bank Institute Katalin Demeter
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.

ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO GENERAL RISK MANAGEMENT 2.

Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO GENERAL RISK MANAGEMENT 2.

Similar presentations

Ads by Google