Principles of Information Security 2 nd Edition Introduction

Principles of Information Security, 2 nd Edition

Introduction § Risk management: process of identifying and controlling risks facing an organization § Risk identification: process of examining an organization’s current information technology security situation § Risk control: applying controls to reduce risks to an organizations data and information systems Principles of Information Security, 2 nd Edition 2

An Overview of Risk Management § Know yourself: identify, examine, and understand the information and systems currently in place § Know the enemy: identify, examine, and understand threats facing the organization § Responsibility of each community of interest within an organization to manage risks that are encountered Principles of Information Security, 2 nd Edition 3

Risk Identification § Assets are targets of various threats and threat agents § Risk management involves identifying organization’s assets and identifying threats/vulnerabilities § Risk identification begins with identifying organization’s assets and assessing their value Principles of Information Security, 2 nd Edition 4

Principles of Information Security, 2 nd Edition 5

Asset Identification and Valuation § Iterative process; begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking) § Assets are then classified and categorized Principles of Information Security, 2 nd Edition 6

Table 4 -1 - Categorizing Components Principles of Information Security, 2 nd Edition 7

Information Asset Classification § Many organizations have data classification schemes (e. g. , confidential, internal, public data) § Classification of components must be specific to allow determination of priority levels § Categories must be comprehensive and mutually exclusive Principles of Information Security, 2 nd Edition 8

Information Asset Valuation § Questions help develop criteria for asset valuation: which information asset § is most critical to organization’s success? § generates the most revenue/profitability? § would be most expensive to replace or protect? § would be the most embarrassing or cause greatest liability if revealed? Principles of Information Security, 2 nd Edition 9

Figure 4 -3 – Example Worksheet Principles of Information Security, 2 nd Edition 10

Listing Assets in Order of Importance § Create weighting for each category based on the answers to questions § Calculate relative importance of each asset using weighted factor analysis § List the assets in order of importance using a weighted factor analysis worksheet Principles of Information Security, 2 nd Edition 11

Table 4 -2 – Example Weighted Factor Analysis Principles of Information Security, 2 nd Edition 12

Management of Classified Data § Storage, distribution, portability, and destruction of classified data § Information not unclassified or public must be clearly marked as such § Clean desk policy requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed § Dumpster diving can compromise information Principles of Information Security, 2 nd Edition 13

Threat Identification § Realistic threats need investigation; unimportant threats are set aside § Threat assessment: § Which threats present danger to assets? § Which threats represent the most danger to information? § How much would it cost to recover from attack? § Which threat requires greatest expenditure to Principles ofprevent? Information Security, 2 nd Edition 14

Principles of Information Security, 2 nd Edition 15

Vulnerability Identification § Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities § Examine how each threat could be perpetrated and list organization’s assets and vulnerabilities § Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions § At end of risk identification process, list of assets and their vulnerabilities is achieved Principles of Information Security, 2 nd Edition 16

Risk Assessment § Risk assessment evaluates the relative risk for each vulnerability § Assigns a risk rating or score to each information asset Principles of Information Security, 2 nd Edition 17

Valuation of Information Assets § Assign weighted scores for value of each asset; actual number used can vary with needs of organization § To be effective, assign values by asking questions: § Which threats present danger to assets? § Which threats represent the most danger to information? § How much would it cost to recover from attack? § Which threat requires greatest expenditure to Principles ofprevent? Information Security, 2 nd Edition 18

Risk Determination § For the purpose of relative risk assessment, risk equals: § Likelihood of vulnerability occurrence TIMES value (or impact) § MINUS percentage risk already controlled § PLUS an element of uncertainty Principles of Information Security, 2 nd Edition 19

Identify Possible Controls § For each threat and associated vulnerabilities that have residual risk, create preliminary list of control ideas § Residual risk is risk that remains to information asset even after existing control has been applied Principles of Information Security, 2 nd Edition 20

Types of Access Controls § Mandatory access controls (MAC): give users and data owners limited control over access to information § Nondiscretionary controls: managed by a central authority in organization; can be based on individual’s role (role-based controls) or a specified set of assigned tasks (task-based controls) § Discretionary access controls (DAC): implemented at discretion or option of data user Principles of Information Security, 2 nd Edition 21

Documenting the Results of Risk Assessment § Final summary comprised in ranked vulnerability risk worksheet § Worksheet details asset, asset impact, vulnerability likelihood, and riskrating factor § Ranked vulnerability risk worksheet is initial working document for next step in risk management process: assessing and controlling risk Principles of Information Security, 2 nd Edition 22

Principles of Information Security, 2 nd Edition 23

Risk Control Strategies § Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk: § Apply safeguards (avoidance) § Transfer the risk (transference) § Reduce impact (mitigation) § Understand consequences and accept risk (acceptance) Principles of Information Security, 2 nd Edition 24

Mitigation § Attempts to reduce impact of vulnerability exploitation through planning and preparation § Approach includes three types of plans: § Incident response plan (IRP) § Disaster recovery plan (DRP) § Business continuity plan (BCP) Principles of Information Security, 2 nd Edition 25

Selecting a Risk Control Strategy § Level of threat and value of asset play major role in selection of strategy § Rules of thumb on strategy selection can be applied: § When a vulnerability exists § When a vulnerability can be exploited § When attacker’s cost is less than potential gain § When potential loss is substantial Principles of Information Security, 2 nd Edition 26

Figure 4 - 8 - Risk Handling Decision Points Principles of Information Security, 2 nd Edition 27

Categories of Controls § Controlling risk through avoidance, mitigation or transference accomplished by implementing controls § Effective approach is to select controls by category: § Control function § Architectural layer § Strategy layer § Information security principle Principles of Information Security, 2 nd Edition 28

Characteristics of Secure Information § Controls can be classified according to the characteristics of secure information they are intended to assure § These characteristics include: confidentiality; integrity; availability; authentication; authorization; accountability; privacy Principles of Information Security, 2 nd Edition 29

Feasibility Studies § Before deciding on strategy, all information about economic/non-economic consequences of vulnerability of information asset must be explored § A number of ways exist to determine advantage of a specific control Principles of Information Security, 2 nd Edition 30

Cost Benefit Analysis (CBA) § Most common approach for information security controls is economic feasibility of implementation § CBA is begun by evaluating worth of assets to be protected and the loss in value if those assets are compromised § The formal process to document this is called cost benefit analysis or economic feasibility study Principles of Information Security, 2 nd Edition 31

Cost Benefit Analysis (CBA) (continued) § Once worth of various assets is estimated, potential loss from exploitation of vulnerability is examined § Process results in estimate of potential loss per risk § Expected loss per risk stated in the following equation: Annualized loss expectancy (ALE) equals Single loss expectancy (SLE) TIMES Annualized rate of occurrence (ARO) Principles of Information Security, 2 nd Edition 32

The Cost Benefit Analysis (CBA) Formula § CBA determines whether or not control alternative being evaluated is worth cost incurred to control vulnerability § CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: CBA = ALE(prior) – ALE(post) – ACS § ALE(prior) is annualized loss expectancy of risk before implementation of control § ALE(post) is estimated ALE based on control being in place for a period of time Principles of Information Security, 2 nd Edition 33

Benchmarking § An alternative approach to risk management § Benchmarking is process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate § One of two measures typically used to compare practices: § Metrics-based measures § Process-based measures Principles of Information Security, 2 nd Edition 34

Problems with Applying Benchmarking and Best Practices § Organizations don’t talk to each other (biggest problem) § No two organizations are identical § Best practices are a moving target § Knowing what was going on in information security industry in recent years through benchmarking doesn’t necessarily prepare for what’s next Principles of Information Security, 2 nd Edition 35

Baselining § Analysis of measures against established standards § In information security, baselining is comparison of security activities and events against an organization’s future performance § Useful when baselining to have a guide to the overall process Principles of Information Security, 2 nd Edition 36

Other Feasibility Studies § Operational: examines how well proposed information security alternatives will contribute to organization’s efficiency, effectiveness, and overall operation § Technical: examines whether or not organization has or can acquire the technology necessary to implement and support the control alternatives § Political: defines what can/cannot occur based on consensus and relationships between communities of interest Principles of Information Security, 2 nd Edition 37

Risk Management Discussion Points § Organizations must define level of risk it can live with § Risk appetite: defines quantity and nature of risk that organizations are willing to accept as tradeoffs between perfect security and unlimited accessibility are weighed § Residual risk: risk that has not been completely removed, shifted, or planned for Principles of Information Security, 2 nd Edition 38

Recommended Practices in Controlling Risk § Convince budget authorities to spend up to value of asset to protect from identified threat § Final control choice may be balance of controls providing greatest value to as many assetthreat pairs as possible § Organizations looking to implement controls that don’t involve such complex, inexact and dynamic calculations Principles of Information Security, 2 nd Edition 39

Summary § Risk identification: formal process of examining and documenting risk present in information systems § Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components in organization’s information system § Risk identification § A risk management strategy enables identification, classification, and prioritization of organization’s information assets § Residual risk: risk that remains to the Principles of Information Security, 2 nd Edition 40

Summary § Risk control: four strategies are used to control risks that result from vulnerabilities: § Apply safeguards (avoidance) § Transfer the risk (transference) § Reduce impact (mitigation) § Understand consequences and accept risk (acceptance) Principles of Information Security, 2 nd Edition 41