Principles of Information Security 2 nd Edition Introduction
- Slides: 41
Principles of Information Security, 2 nd Edition
Introduction § Risk management: process of identifying and controlling risks facing an organization § Risk identification: process of examining an organization’s current information technology security situation § Risk control: applying controls to reduce risks to an organizations data and information systems Principles of Information Security, 2 nd Edition 2
An Overview of Risk Management § Know yourself: identify, examine, and understand the information and systems currently in place § Know the enemy: identify, examine, and understand threats facing the organization § Responsibility of each community of interest within an organization to manage risks that are encountered Principles of Information Security, 2 nd Edition 3
Risk Identification § Assets are targets of various threats and threat agents § Risk management involves identifying organization’s assets and identifying threats/vulnerabilities § Risk identification begins with identifying organization’s assets and assessing their value Principles of Information Security, 2 nd Edition 4
Principles of Information Security, 2 nd Edition 5
Asset Identification and Valuation § Iterative process; begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking) § Assets are then classified and categorized Principles of Information Security, 2 nd Edition 6
Table 4 -1 - Categorizing Components Principles of Information Security, 2 nd Edition 7
Information Asset Classification § Many organizations have data classification schemes (e. g. , confidential, internal, public data) § Classification of components must be specific to allow determination of priority levels § Categories must be comprehensive and mutually exclusive Principles of Information Security, 2 nd Edition 8
Information Asset Valuation § Questions help develop criteria for asset valuation: which information asset § is most critical to organization’s success? § generates the most revenue/profitability? § would be most expensive to replace or protect? § would be the most embarrassing or cause greatest liability if revealed? Principles of Information Security, 2 nd Edition 9
Figure 4 -3 – Example Worksheet Principles of Information Security, 2 nd Edition 10
Listing Assets in Order of Importance § Create weighting for each category based on the answers to questions § Calculate relative importance of each asset using weighted factor analysis § List the assets in order of importance using a weighted factor analysis worksheet Principles of Information Security, 2 nd Edition 11
Table 4 -2 – Example Weighted Factor Analysis Principles of Information Security, 2 nd Edition 12
Management of Classified Data § Storage, distribution, portability, and destruction of classified data § Information not unclassified or public must be clearly marked as such § Clean desk policy requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed § Dumpster diving can compromise information Principles of Information Security, 2 nd Edition 13
Threat Identification § Realistic threats need investigation; unimportant threats are set aside § Threat assessment: § Which threats present danger to assets? § Which threats represent the most danger to information? § How much would it cost to recover from attack? § Which threat requires greatest expenditure to Principles ofprevent? Information Security, 2 nd Edition 14
Principles of Information Security, 2 nd Edition 15
Vulnerability Identification § Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities § Examine how each threat could be perpetrated and list organization’s assets and vulnerabilities § Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions § At end of risk identification process, list of assets and their vulnerabilities is achieved Principles of Information Security, 2 nd Edition 16
Risk Assessment § Risk assessment evaluates the relative risk for each vulnerability § Assigns a risk rating or score to each information asset Principles of Information Security, 2 nd Edition 17
Valuation of Information Assets § Assign weighted scores for value of each asset; actual number used can vary with needs of organization § To be effective, assign values by asking questions: § Which threats present danger to assets? § Which threats represent the most danger to information? § How much would it cost to recover from attack? § Which threat requires greatest expenditure to Principles ofprevent? Information Security, 2 nd Edition 18
Risk Determination § For the purpose of relative risk assessment, risk equals: § Likelihood of vulnerability occurrence TIMES value (or impact) § MINUS percentage risk already controlled § PLUS an element of uncertainty Principles of Information Security, 2 nd Edition 19
Identify Possible Controls § For each threat and associated vulnerabilities that have residual risk, create preliminary list of control ideas § Residual risk is risk that remains to information asset even after existing control has been applied Principles of Information Security, 2 nd Edition 20
Types of Access Controls § Mandatory access controls (MAC): give users and data owners limited control over access to information § Nondiscretionary controls: managed by a central authority in organization; can be based on individual’s role (role-based controls) or a specified set of assigned tasks (task-based controls) § Discretionary access controls (DAC): implemented at discretion or option of data user Principles of Information Security, 2 nd Edition 21
Documenting the Results of Risk Assessment § Final summary comprised in ranked vulnerability risk worksheet § Worksheet details asset, asset impact, vulnerability likelihood, and riskrating factor § Ranked vulnerability risk worksheet is initial working document for next step in risk management process: assessing and controlling risk Principles of Information Security, 2 nd Edition 22
Principles of Information Security, 2 nd Edition 23
Risk Control Strategies § Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk: § Apply safeguards (avoidance) § Transfer the risk (transference) § Reduce impact (mitigation) § Understand consequences and accept risk (acceptance) Principles of Information Security, 2 nd Edition 24
Mitigation § Attempts to reduce impact of vulnerability exploitation through planning and preparation § Approach includes three types of plans: § Incident response plan (IRP) § Disaster recovery plan (DRP) § Business continuity plan (BCP) Principles of Information Security, 2 nd Edition 25
Selecting a Risk Control Strategy § Level of threat and value of asset play major role in selection of strategy § Rules of thumb on strategy selection can be applied: § When a vulnerability exists § When a vulnerability can be exploited § When attacker’s cost is less than potential gain § When potential loss is substantial Principles of Information Security, 2 nd Edition 26
Figure 4 - 8 - Risk Handling Decision Points Principles of Information Security, 2 nd Edition 27
Categories of Controls § Controlling risk through avoidance, mitigation or transference accomplished by implementing controls § Effective approach is to select controls by category: § Control function § Architectural layer § Strategy layer § Information security principle Principles of Information Security, 2 nd Edition 28
Characteristics of Secure Information § Controls can be classified according to the characteristics of secure information they are intended to assure § These characteristics include: confidentiality; integrity; availability; authentication; authorization; accountability; privacy Principles of Information Security, 2 nd Edition 29
Feasibility Studies § Before deciding on strategy, all information about economic/non-economic consequences of vulnerability of information asset must be explored § A number of ways exist to determine advantage of a specific control Principles of Information Security, 2 nd Edition 30
Cost Benefit Analysis (CBA) § Most common approach for information security controls is economic feasibility of implementation § CBA is begun by evaluating worth of assets to be protected and the loss in value if those assets are compromised § The formal process to document this is called cost benefit analysis or economic feasibility study Principles of Information Security, 2 nd Edition 31
Cost Benefit Analysis (CBA) (continued) § Once worth of various assets is estimated, potential loss from exploitation of vulnerability is examined § Process results in estimate of potential loss per risk § Expected loss per risk stated in the following equation: Annualized loss expectancy (ALE) equals Single loss expectancy (SLE) TIMES Annualized rate of occurrence (ARO) Principles of Information Security, 2 nd Edition 32
The Cost Benefit Analysis (CBA) Formula § CBA determines whether or not control alternative being evaluated is worth cost incurred to control vulnerability § CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: CBA = ALE(prior) – ALE(post) – ACS § ALE(prior) is annualized loss expectancy of risk before implementation of control § ALE(post) is estimated ALE based on control being in place for a period of time Principles of Information Security, 2 nd Edition 33
Benchmarking § An alternative approach to risk management § Benchmarking is process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate § One of two measures typically used to compare practices: § Metrics-based measures § Process-based measures Principles of Information Security, 2 nd Edition 34
Problems with Applying Benchmarking and Best Practices § Organizations don’t talk to each other (biggest problem) § No two organizations are identical § Best practices are a moving target § Knowing what was going on in information security industry in recent years through benchmarking doesn’t necessarily prepare for what’s next Principles of Information Security, 2 nd Edition 35
Baselining § Analysis of measures against established standards § In information security, baselining is comparison of security activities and events against an organization’s future performance § Useful when baselining to have a guide to the overall process Principles of Information Security, 2 nd Edition 36
Other Feasibility Studies § Operational: examines how well proposed information security alternatives will contribute to organization’s efficiency, effectiveness, and overall operation § Technical: examines whether or not organization has or can acquire the technology necessary to implement and support the control alternatives § Political: defines what can/cannot occur based on consensus and relationships between communities of interest Principles of Information Security, 2 nd Edition 37
Risk Management Discussion Points § Organizations must define level of risk it can live with § Risk appetite: defines quantity and nature of risk that organizations are willing to accept as tradeoffs between perfect security and unlimited accessibility are weighed § Residual risk: risk that has not been completely removed, shifted, or planned for Principles of Information Security, 2 nd Edition 38
Recommended Practices in Controlling Risk § Convince budget authorities to spend up to value of asset to protect from identified threat § Final control choice may be balance of controls providing greatest value to as many assetthreat pairs as possible § Organizations looking to implement controls that don’t involve such complex, inexact and dynamic calculations Principles of Information Security, 2 nd Edition 39
Summary § Risk identification: formal process of examining and documenting risk present in information systems § Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components in organization’s information system § Risk identification § A risk management strategy enables identification, classification, and prioritization of organization’s information assets § Residual risk: risk that remains to the Principles of Information Security, 2 nd Edition 40
Summary § Risk control: four strategies are used to control risks that result from vulnerabilities: § Apply safeguards (avoidance) § Transfer the risk (transference) § Reduce impact (mitigation) § Understand consequences and accept risk (acceptance) Principles of Information Security, 2 nd Edition 41
- Principles of information security 5th edition pdf
- Information systems literacy
- Principles of information security 4th edition
- Principles of information security 4th edition
- Bulls eye model in information security
- Computer security principles and practice 4th edition
- Computer security principles and practice 4th edition
- Management of information security 5th edition
- Private securty
- Principles of information systems 11th edition
- Introduction to information systems 6th edition
- White-collar workers คือ
- Introduction to information systems 3rd edition
- Introduction to information systems 5th edition
- Introduction to information systems 3rd edition
- Introduction to information systems 3rd edition
- Visa international security model diagram
- Cnss security model
- 12 principles of information security
- 12 principles of information security
- Roman emperors cipher
- Using mis 10th edition
- Using mis (10th edition) 10th edition
- Network security essentials 5th edition
- Modulo table
- Cryptography and network security 6th edition pdf
- Cryptography and network security 4th edition
- Security in computing 5th edition ppt chapter 2
- Security in computing 5th edition answers
- Computer security fundamentals 4th edition
- Network security essentials 5th edition
- Cryptography and network security pearson
- Principles of electronic communication systems 3rd edition
- Principles of economics third edition politeknik
- Accounting principles second canadian edition
- Accounting principles second canadian edition
- Accounting principles second canadian edition
- Management stephen p. robbins
- Florida real estate principles practices & law 43rd edition
- Principles of marketing fifth european edition
- Accounting principles 13th edition
- Accounting principles second canadian edition