Post on 19-Dec-2015
Information Systems Security
Information Security
&
Risk Management
Core Principles
Confidentiality – only authorized nodes have access to information on need-to-know basis
Integrity – Information should be protected from intentional, unauthorized, or accidental change
Availability – Information is accessible by users when needed
Security Concepts
Privacy
Authentication
Authorization
Auditing
Non-repudiation
Type of Policies
Regulatory
– Ensures company is following standards
– More detailed in nature
– Specific to type of industry
Advisory
– Outlines expected behaviors in a company and the associated ramifications
Policies Cont'd
Informative
– Tool to teach employees about specific issues
– Not enforceable
BS/ISO 7799
Addresses topics in terms of policies and best practices
– Organizational security policy
– Asset classification
– Personnel security
– Physical/environmental safety
– Communications security
– Access control
– BCP
– Compliance
Components of a Security Policy
Policy – "Must be" – e.g. virus protection
Guides – "Should be" – e.g. recommend McAfee
Standards – "Will be" – e.g. will be installed on all systems
Procedures – "How to" – e.g. will be updated each week from server
Control – "Has it? Does it?"
Senior Management Role
Defines the scope, objectives, priorities, and strategies of the security program
Provides vision, funds, and enforcement
Ultimately liable
Without support, efforts will be doomed from the start
Security Roles
Data Owner
– Data classification
– Sets security requirements
System Owner
– Responsible for computer system
– One system, one owner
Security Roles
Data Custodian
– Data maintenance tasks
– Implements and maintains controls to provide necessary protection
User
– Person who routinely uses company data
Information Classification
Determine the value of data
– Role of data
– Liability if disclosed
– Cost to gather
– Value that opposition would pay
Classify Information
– Pertaining to availability, integrity, and confidentiality issues per data set
– Assign a classification level
Classification Cont'd
Decide on Controls
– Controls are implemented to protect data at each classification level
– Each classification level has different handling procedures
Classification Criteria
Criteria Items
– Usefulness and value
– Level of damage possible
– Law and regulations
– Who should access? Who should maintain?
– Who should monitor? Who should audit?
– How long will protection be required?
Military Classification Levels
Top Secret – Drastic effects and critical damage to national security (NS)
Secret – Significant effect and critical damage to NS
Confidential – Noticeable effects and serious damage to NS
Sensitive but Unclassified – Would not cause significant damage if disclosed
Unclassified
Commercial Classifications
Confidential – Extremely sensitive and for internal use only
Private – Personal data for internal use only
Sensitive – Negative impact if disclosed
Public – No negative impact if disclosed
How is Liability Determined?
Due Diligence – Identifying threats and risks
– Uncover potential dangers
– Carry out assessments
– Perform analysis on assessment data
– Implement risk management
– Research vulnerabilities and risks
Liability Cont'd
Due Care – Acting upon findings to mitigate risks
– Doing the right thing
– Implementing solutions based on analyses
– Properly protecting the company and its assets
– Acting responsibly
Prudent Person Rule
– Perform duties that prudent and responsible people would exercise in similar circumstances
Risk Assessment
Identify Vulnerabilities – a flaw or weakness in system security procedures or controls that can be exploited and result in a breach
Threats – potential for a particular threat to successfully exercise a vulnerability
Risk Management
Reduce – Implement safeguards
Assign – Transfer risks to another entity
Accept – Agree to accept the consequences
Reject – Ignore that the risk exists
Risk Management is Hard
Trying to predict the future
Incredible number of variables
Surmising all possible threats
Gathering data from many sources
Dealing with many unknowns
Quantifying qualitative items
Valuating an Asset
Cost of acquisition
Replacement cost
Cost of development
Role of the asset in the company
Amount of worth to competition
Cost of maintaining and protecting
Production losses
Liability
Categorizing Risk Analysis
Immediate vs. Delayed Loss
Quantitative
– Numeric and monetary values available
– Management likes it better
Qualitative
– Opinion based
– Uses rating system
– Scenario based
Qualitative Analysis
Gather company experts
Present risk scenarios
Rank seriousness of threats
Rank countermeasures
Delphi Method
– Anonymous
– More honest
– No intimidation
Quantitative Analysis
ALE (Annualized Loss Expectancy)
– Expected monetary loss for an asset due to a risk over a 1-year period
– ALE = SLE * ARO
SLE (Single Loss Expectancy)
– Asset Value x Exposure Factor (EF)
– EF = Percentage of loss that could be experienced
Quantitative Cont'd
ARO (Annualized Rate of Occurrence)
– Probability that a risk will occur in a year
Fire will reduce building usage by 3/4
– EF = 75%
Fire is expected to occur once every 10 years
– ARO = 0.10
Quantitative Cont'd
Building asset valued at $1M
– SLE = $1M * 0.75 = $750K
– ALE = $750K * 0.10 = $75K
If a company’s website is attacked, it will cause 40% damage. The threat is estimated to happen once a year. The website is valued at $300K. What is the cap to be spent on safeguards?
Cost/Benefit of Countermeasure
Value of a countermeasure:
(ALE prior to countermeasure) – (ALE after countermeasure) – (annual cost of countermeasure) = cost/benefit of countermeasure
Example:
ALE of web disruption = $40K
ALE after countermeasure = $24K
Cost of countermeasure = $2K annually
Benefit of countermeasure = $23K
Eliminate ALL Risks?
Total Risk versus Residual Risk
– Amount of risk that exists before a safeguard is put into place is total risk
– After the safeguard is installed, the remaining risk is residual risk
Threat x Vulnerability x Asset Value = Total Risk (TR)
TR x Control Gap = Residual Risk (RR)
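The SLE/ALE, cost/benefit and total/residual risk formulas from the preceding slides carried through in code. This is an added example, not part of the original lecture; the countermeasure names, their ALE-after and cost figures, and the threat, vulnerability and control-gap values are constructed for illustration (the building figures are the slides' own).

```python
from dataclasses import dataclass

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = asset value * EF (EF is the fraction of the asset lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO (expected occurrences per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro

@dataclass(frozen=True)
class Countermeasure:
    name: str           # hypothetical control name, constructed for this example
    ale_after: float    # ALE with the control in place
    annual_cost: float  # yearly cost to buy, run and maintain the control

def countermeasure_value(ale_before: float, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual cost). Negative: the control costs more than it saves."""
    return ale_before - cm.ale_after - cm.annual_cost

def rank_countermeasures(ale_before: float, options: list) -> list:
    """Keep only controls with positive net value, best first; ALE itself is the spending cap."""
    worthwhile = [cm for cm in options if countermeasure_value(ale_before, cm) > 0]
    return sorted(worthwhile, key=lambda cm: countermeasure_value(ale_before, cm), reverse=True)

def residual_risk(threat: float, vulnerability: float, asset_value: float, control_gap: float) -> tuple:
    """Returns (TR, RR): TR = threat * vulnerability * asset value, RR = TR * control gap."""
    total = threat * vulnerability * asset_value
    return total, total * control_gap

if __name__ == "__main__":
    # Building example from the slides: $1M asset, fire destroys 3/4 of it, once per 10 years.
    print(f"building ALE: ${ale(1_000_000, 0.75, 0.10):,.0f}")  # $75,000
    # Constructed options against the slides' $40K web-disruption ALE (figures are not the slides').
    options = [Countermeasure("WAF subscription", ale_after=16_000, annual_cost=4_000),
               Countermeasure("full platform rewrite", ale_after=5_000, annual_cost=60_000)]
    for cm in rank_countermeasures(40_000, options):
        print(f"{cm.name}: net value ${countermeasure_value(40_000, cm):,.0f}")  # $20,000
    # Constructed TR/RR inputs: threat 1.0, vulnerability 0.5, 20% control gap remaining.
    tr, rr = residual_risk(threat=1.0, vulnerability=0.5, asset_value=1_000_000, control_gap=0.2)
    print(f"total risk ${tr:,.0f}, residual risk ${rr:,.0f}")
```

The rewrite option is dropped by rank_countermeasures because its annual cost exceeds the $40K ALE, which is exactly the "cap on safeguard spending" point the slides make.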
Mitigate Risk
Team presents the analysis results to management
Management makes the decision about the next steps
Transfer the risk (insurance)
Reduce the risk (control)
Accept the risk (informed decision)
Reject the risk (no decision made)
Liability of Actions
Accepting Risks
– Carried out in due diligence
– Made an informed business decision
– Better chance of not being found negligent
Rejecting Risks
– Did not practice due diligence
– Decision based on ignorance of the issue
– Most likely will be found negligent
Employee Management
Weakest link in security is people
Proper management of employees needed
Communication structure in place
Management structure in place
Enforce acceptable usage policy
Rotation of duties
20/80 Rule
Employee Security Management
Separation of duties
Job responsibilities
Job rotation
Background checks
Employee agreements
Firing Issues
Complete an exit interview
Non-disclosure agreements
Collect keys and escort out of building
Disable accounts
Ethics – ISC2
Four canons
– Protect society and the infrastructure
– Act honorably, justly, responsibly, and legally
– Provide diligent and competent service
– Advance and protect the profession
Ethics - CEI
Computer Ethics Institute
– Non-profit organization to stimulate awareness of the ethical issues of technology
– Tries to help balance civil liberty and government monitoring
– Provides advisory and consultative activities, research, education, and public outreach
Ethics - IAB
Internet Advisory Board
– Coordinating committee for Internet design
– Two task forces: Internet Engineering Task Force (IETF) and Internet Research Task Force (IRTF)
– Internet use is to be seen as a privilege and should be treated as such
IAB Standards
Unethical behavior includes:
– Seeking to gain unauthorized access to the Internet
– Disrupting the normal use of the Internet
– Wasting resources through purposeful actions
– Destroying the integrity of computer information
– Compromising the privacy of others
– Involving negligence in the conduct of Internet-wide experiments