INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.

Presentation on theme: "INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012."— Presentation transcript:

1 INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012

2 Information Security & Risk Management
This chapter presents the following:
- Security management responsibilities
- Difference between administrative, technical, and physical controls
- Three main security principles
- Risk management and risk analysis
- Security policies
- Information classification
- Security-awareness training

3 Security Management
Security management includes:
- risk management / risk analysis,
- information security policies and procedures,
- standards, guidelines, baselines,
- information classification,
- security organization, and
- security education.
The objective of security, and of a security program, is to protect the company and its assets.

4 Security Management
Process of security management:
- Is risk management a one-time activity?
- Risk assessment and determination of need
- Monitoring and evaluation of systems and practices
- Promoting awareness
- Implementation of policies and controls to address the identified risks
- Continuous evaluation

5 Security Management
- Are the risks in mainframes and PCs similar?
  - Functionality, connectivity
- What about the required controls?
- Based on the risk assessment, which of the following is more critical?
  - Computers
  - Data
  - Physical buildings
  - Factory equipment

6 Security Management
“Security is more than just a firewall and a router with an access list; these systems must be managed, and a big part of security is managing the actions of users and the procedures they follow.”

7 Security Management Responsibilities
Okay, who is in charge and why?

8 Security Management Responsibilities
Security management's functions involve determining:
- scope and objectives,
- policies, priorities, and
- strategies.
Business equation = Productivity + Information security
Again, whose responsibility is this?
- The IT administrator's responsibility
- The highest levels of management
- Both IT and management

9 Security Management Responsibilities
Management's responsibility is to provide:
- Protection for the resources it is responsible for (human, capital, hardware, information, etc.) and for the company overall.
- Funding to support security initiatives.
- Strategic representatives who participate in the security program.
- Assignment of roles and responsibilities to get the security program off the ground and to keep it evolving as the environment changes.
- Integration of the program into the current business environment, and monitoring of its accomplishments.
Management's support is one of the most important pieces of a security program.

10 Security Management Responsibilities
- Identification and valuation of the company's assets
- Risk analysis and assessments
  - Identify vulnerabilities and exposure rate
  - Rank the severity of identified vulnerabilities
- Classification of data
- Implementation of security policies to provide integrity, confidentiality, and availability for those assets

11 Security Administration and Supporting Controls
- Security Officer: directly responsible for development and monitoring of the security program.
- Information Owners: dictate which users can access their resources and what those users can do with those resources.
  - Usually a senior executive within the management group of the company, or the head of a specific department.
  - Carries corporate responsibility for data protection.
  - If the information owner does not lay out the foundation of data protection and ensure the directives are being enforced, she would be violating the due care concept.

12 Security Administration and Supporting Controls
- Security Administrator: makes sure these objectives are implemented.
- The following controls should be utilized to achieve management's security directives (figure 3.1):
  - Administrative controls
  - Technical controls (also called logical controls)
  - Physical controls

13

14 Fundamental Principle of Security
Now, what are we trying to accomplish again?
AIC or CIA triad!!!

15 Fundamental Principle of Security: Availability
- Emergency! I can't get to my data!
- Response: Turn the computer on!

16 Fundamental Principle of Security: Integrity
- Assurance of the accuracy and reliability of the information
- Any unauthorized modification is prevented

17 Fundamental Principle of Security: Confidentiality
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

18 Security Definitions
Define the following, based on prior knowledge:
- Vulnerability
- Threat
- Risk
- Exposure
- Countermeasure (controls)

19 Relationship between different Security Components

20 Security Frameworks
What are the security standards and frameworks?

21 Security Frameworks
- Control Objectives for Information and related Technology (CobiT)
- ISO/IEC 27001 – Information Security Management System (ISMS)
- Information Technology Infrastructure Library (ITIL)

22 Security Frameworks
ISO 27001:2005 – Information Security Management System
- Information Security Policy
- Organization of Information Security
- Access Controls
- Communications and Operations Management
- Asset Management
- Physical and Environmental Security
- Systems Acquisition, Development and Maintenance
- Human Resource Security
- Business Continuity Management
- Compliance

23 Security Program Development
A continuous life cycle that is described in the following steps:
1. Plan and organize: risk assessment and determination of need
2. Implement: implementation of policies and controls to address the identified risks
3. Operate and maintain: promoting awareness
4. Monitor and evaluate: monitoring and evaluation of systems and practices

24 Security Program Development
Identify and relate the following to the stages of the life cycle:
- Establish management commitment.
- Carry out a risk assessment.
- Develop security architectures at an organizational, application, and network level.
- Assign roles and responsibilities.
- Develop and implement security policies, procedures, and guidelines.
- Asset identification and management.
- Follow procedures to ensure all baselines are met as required.
- Carry out internal and external audits.
- Manage service level agreements.
- Review logs, audit results, and SLAs.
- Assess goal accomplishments.

25 Information Risk Management
“The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.”
Risks to a company come in different forms, and they are not all computer related.

26 Information Risk Management
Organizations should be aware of the following major risk categories and prioritize them accordingly:
- Physical damage: fire, water, vandalism, power loss, and natural disasters
- Human interaction: accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction: failure of systems and peripheral devices
- Inside and outside attacks: hacking, cracking, and attacking
- Misuse of data: sharing trade secrets, fraud, espionage, and theft
- Loss of data: intentional or unintentional loss of information through destructive means
- Application error: computation errors, input errors, and buffer overflows

27 Risk Analysis
A risk analysis has four main goals / steps:
1. Identify assets and their value to the organization.
2. Identify vulnerabilities and threats.
3. Quantify the probability and business impact of these potential threats.
4. Provide controls (a balance between the impact of the threat and the cost of the countermeasure).

28 The Value of Information and Assets
- Based on the CIA triad
- Qualitative approach will be used in class:
  - Categorization as HIGH, MEDIUM, and LOW
  - Valuation of assets as High, Medium and Low
- Quantitative approach is also used in industry to assign value to assets:
  - Cost to acquire or develop the asset
  - Cost to maintain and protect the asset
  - Value of the asset to owners and users
  - Operational activities affected if the asset is unavailable
  - Usefulness and role of the asset in the organization

29 Workshop 1
- Identify information assets
- Asset valuation

30 Threats and Vulnerability
- Difference between threat and vulnerability?
- Examples?
- How do threat and vulnerability relate?

31 Identification of Threats & Vulnerabilities
- Many types of threat agents can take advantage of several types of vulnerabilities, resulting in a variety of specific threats.
- Threats for the IT environment?

32 Protection Mechanism (Controls)
- Identify the current security mechanisms and evaluate their effectiveness.
- Each threat type must be addressed and planned for individually:
  - Access control mechanisms
  - Software applications and data malfunction
  - Site location, fire protection, site construction, power loss, and equipment malfunctions
  - Telecommunication and networking issues
  - Business continuity and disaster recovery

33 Controls Selection
- A control should be cost-effective (its benefit outweighs its cost).
- (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
- For example, if the ALE of the threat of a hacker bringing down a web server is $12,000 prior to implementing the suggested safeguard, and the ALE is $3,000 after implementing the safeguard, while the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.

34 Workshop 2

35 Putting it all Together
- Total risk vs residual risk
- total risk – countermeasures = residual risk

36 Handling the Risk
- Now, handle which risk? Residual risk
- Risk management options:
  - Avoid
  - Reduce
  - Transfer
  - Accept

37 Policies, Standards, Baselines, and Procedures
- Security Policy: an overall general statement produced by senior management that dictates what role security plays within the organization.
- Standards: mandatory activities, actions, or rules.
  - Can give a policy its support and reinforcement in direction.
  - Can be internal or external (government laws and regulations).
- Baselines: define the minimum level of protection required.
- Procedures: detailed step-by-step tasks that should be performed to achieve a certain goal.

38 Information Classification

39 Security-Awareness Training
- Security trends and risk awareness
- Communication of policies and procedures
- Expected responsibilities and acceptable behaviors
- Legal actions in case of non-compliance, etc.

40 Summary

41 End of Chapter 2
Thank You

