MIS 5206 Protecting Information Assets
MIS5206 Week 4
• Readings
– Vacca, Security Management Systems, Chapter 22
– Vacca, Risk Management, Chapter 53
– ISACA RiskIT Framework pp. 47-96
– NIST Reading 1: Information Security Handbook: A Guide for Managers, Chapter 10 – “Risk Management”, pp. 84-95
• Class
– In the News
– Week 3 Material Highlights
– Risk Evaluation
– Test Taking Tip
– Quiz
Week 3: Data Classification Process and Models
Why is data classification important?
• Focuses attention on the identification and valuation of information assets
• Is the basis for access control policy and processes
Risk Evaluation
Risk evaluation is the process of identifying risk scenarios and describing their potential business impact.
Risk Evaluation - Key Components
Collect Data
Identify relevant data to enable effective IT-related risk identification, analysis and reporting.
Analyze Risk
Develop useful information to support risk decisions that take into account the business impact of risk factors.
Maintain Risk Profile
Maintain an up-to-date and complete inventory of known risks and their attributes, as understood in the context of IT controls and business processes.
Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)
FIPS 199: Composite IS risk event impact ratings
Example with multiple information types:
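A worked example of the two calculations on these slides: ALE for a set of risk scenarios, and the FIPS 199 composite security category for a system that stores several information types. This is an added example, not code from the MIS 5206 slides or from FIPS 199; every dollar figure, rate and information type below is constructed, and the split of SLE into asset value × exposure factor is the common textbook decomposition rather than something the slide states. Function and class names (RiskScenario, rank_by_ale, composite_category) are hypothetical.

```python
"""Risk evaluation arithmetic: ALE per risk scenario and a FIPS 199
composite (high-water-mark) security category for an information system.

Added example, not from the MIS 5206 slides; all figures are constructed.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order. "n/a" is permitted only for the
# confidentiality of an individual information type (e.g. public web content).
IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # value of the affected asset, dollars (constructed)
    exposure_factor: float  # fraction of that value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence, events per year

    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor
        (the usual decomposition of SLE; an assumption, not from the slide)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (the slide's formula)."""
        return self.sle() * self.aro


def rank_by_ale(scenarios):
    """Order scenarios by expected annual loss, highest first: the order in
    which a risk profile would normally present them for treatment."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def composite_category(info_types):
    """FIPS 199 high-water mark for a system: per objective, the highest
    impact level among the information types it handles. A system-level
    objective is never 'n/a'; FIPS 199 floors it at LOW."""
    sc = {}
    for obj in OBJECTIVES:
        levels = []
        for it in info_types:
            level = it[obj]
            if level not in IMPACT_RANK:
                raise ValueError(f"{it['name']}: unknown impact level {level!r}")
            if level == "n/a" and obj != "confidentiality":
                raise ValueError(f"{it['name']}: 'n/a' is allowed only for confidentiality")
            levels.append(level)
        top = max(levels, key=IMPACT_RANK.__getitem__)
        sc[obj] = "low" if top == "n/a" else top
    return sc


def overall_level(sc):
    """Single overall impact level for the system: the highest of the three
    objectives (the level that selects the baseline control set)."""
    return max(sc.values(), key=IMPACT_RANK.__getitem__)


def format_sc(sc):
    """Render the category in FIPS 199 notation."""
    return "SC = {" + ", ".join(f"({o}, {sc[o].upper()})" for o in OBJECTIVES) + "}"


# Constructed sample data for the demonstration.
SCENARIOS = [
    RiskScenario("Ransomware on file server", 200_000, 0.40, 0.5),
    RiskScenario("Laptop theft", 3_000, 1.00, 4.0),
    RiskScenario("Data-center flood", 2_000_000, 0.25, 0.02),
]

INFO_TYPES = [
    {"name": "public web content", "confidentiality": "n/a",
     "integrity": "moderate", "availability": "low"},
    {"name": "customer account records", "confidentiality": "high",
     "integrity": "moderate", "availability": "moderate"},
    {"name": "internal schedules", "confidentiality": "low",
     "integrity": "low", "availability": "low"},
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:28s} SLE={s.sle():>12,.0f} ARO={s.aro:<5} ALE={s.ale():>10,.0f}")
    sc = composite_category(INFO_TYPES)
    print(format_sc(sc), "-> overall", overall_level(sc).upper())
```

Two things the arithmetic makes visible that the formula alone does not: the rare, catastrophic flood scenario ranks below the mundane laptop thefts once ARO is applied, and a single high-confidentiality information type drags the whole system to HIGH even though most of its data is low impact, which is exactly the effect the high-water mark is designed to have.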
Analyzing risk
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99
Pironti’s recommendations…
• High – Severe material compliance, legal and/or financial consequences; significant material impact on critical business or operations processes; loss of customer trust and/or damage to brand reputation
• Medium – Significant material compliance, legal or financial consequences; substantial material impact on key business or operations processes; weakened customer trust and/or brand reputation
• Low – Negligible…
Pironti, J.P. (2013) “Key Elements of an Information Risk Profile”, ISACA Journal, Volume 4, 2013
Material business impact - Financial
Material business impact - Productivity
Material business impact - Availability
Pironti, J.P. (2013) “Key Elements of an Information Risk Profile”, ISACA Journal, Volume 4, 2013
Case: HDFC Banking
Let’s discuss the case:
The article is a bit dated; since it was written, online adoption and use have increased exponentially.
Is online banking in India still in awareness creation mode?
• Generationally? Age is a big issue: older folks want a face-to-face “guarantee” for their transactions.
• Geographically? City dwellers versus country dwellers is a big thing!
Country dwellers:
• Anything that is tangible, that customers can touch, they can trust.
• To many in the country, online is not tangible; if they cannot physically see or touch the bank teller, there is a belief that it cannot be trusted.
Case: HDFC Banking
Let’s discuss the case:
• What is the role of employee security awareness training in the overall security risk management strategy?
• To what extent should a company attempt to educate their customers about security concerns?
• What are some of the methods a company can use to raise security awareness?
Case: HDFC Banking
Let’s discuss the case:
• What if anything should HDFC do to make existing customers more secure?
• How should HDFC deal with customers who, while signed-up, do not use online banking services?
• At this point, should HDFC bank outsource secure data and transactions?
HDFC Case Analysis Write Up
1. What are the security challenges in online banking?
2. What are the issues of security that are unique to online banking in India?
3. What are the challenges faced by Salvi?
4. How should Salvi address the issues before him?
Test Taking Tip
Focus on the “highest likelihood” answers for test taking efficiency.
Here’s why:
• Some of the answers use unfamiliar terms and stand out as unlikely and can therefore be discarded immediately
- Eliminate any “probably wrong” answers first -
• Some answers are clearly wrong and you can recognize them based on your familiarity with the subject
• The correct answer may require a careful reading of the wording of the question, and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice
Example:
The promotion manager of Northeast Electronics has been made the owner of the department’s printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control?
A. Mandatory
B. Role-Based
C. Discretionary
D. Distributed
Eliminating the unlikely answers:
• Nothing seems mandatory about this scenario
• Maybe ….
• Nothing about roles other than manager in the question
• Distributed is not relevant to the information in the question
Answer: C