Cybersecurity: Risk Management


Cybersecurity: Risk Management
Janica Edmonds
Video: http://www.pbs.org/wgbh/nova/labs/video_popup/5/34/

Cyber Realm Card Game
Created by GenCyber Duo at California State University, San Bernardino
Answers??

Answers
Notes:
- #9 shows up in two places
- Minimization was left off the card (see top for solutions)

Example: Mom & Pop Shop
- Running a touristy type business selling handmade crafts
- Keeps accounts and business transaction records on a computer
- Runs a website to advertise the business

Example: Threat Matrix (Mom & Pop Shop)

Threat / Asset   HW   SW   People   Data
Interception
Interruption
Modification
Fabrication

What are some things that could happen to threaten the security of the Mom & Pop Shop?
- Form small groups of three or four
- Brainstorm ways of filling in the possible threats to the security of the Mom & Pop Shop (10 minutes or so)
- Reconvene for discussion

Example: Application of Principles
- Domain separation – keep website hosting separate from accounting records
- Layering – levels of security
- Least privilege – who has access? To what?
- Information hiding – keeping account #s, etc. hidden
- Simplicity –
- Minimization – least functionality needed → no online purchases? No need for certain SW
- Modularization – let's add functionality → online purchases! How does that change the threat matrix?

Risk Management
- Risk assessment – identify and evaluate risk, its impact, and recommended risk-reducing activities
- Risk mitigation – prioritize, implement, and maintain risk-reducing activities
- Evaluation – continual process

Risk Mitigation
Prioritize, evaluate, and implement controls.
Philosophy:
- Least-cost approach
- Implement the most appropriate controls
- Accept minimal adverse impact
Risk mitigation options:
- Risk assumption – zen-like state
- Risk avoidance – e.g., shut down services to avoid attacks
- Risk limitation – implement controls to mitigate threats
- Risk planning – managing risk systematically
- Research and acknowledgement – identify flaws and correct them
- Risk transference – e.g., insurance

Risk Mitigation: Action Points
Action point rules of thumb:
- Vulnerability exists? Implement assurance techniques to reduce the likelihood of exercise.
- Vulnerability can be exercised? Apply layered protection to minimize impact.
- Attacker's cost < potential gain? Apply protection to decrease the attacker's incentive.
- Loss is too great? Apply design principles and protective measures to reduce the potential for loss.
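The risk assessment, prioritization, action-point and residual-risk steps of these slides, worked as a small risk register for the Mom & Pop Shop. This is an added example, not material from the deck or its author; the three-level likelihood/impact scale, the reading of "loss is too great" as high impact, and the sample findings and controls are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Assumption: a three-level qualitative scale; the slides do not fix one.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    asset: str            # HW / SW / People / Data, the threat-matrix rows
    threat: str           # interception / interruption / modification / fabrication
    vuln_exists: bool
    exercisable: bool     # an attacker can actually exercise the vulnerability
    likelihood: str
    impact: str
    attacker_cost: int    # constructed, same arbitrary units as attacker_gain
    attacker_gain: int
    # planned controls: (name, likelihood levels removed, impact levels removed)
    controls: list = field(default_factory=list)
def risk_score(likelihood: str, impact: str) -> int:
    # Risk assessment: likelihood x impact on the 1..3 scale, giving 1..9.
    return LEVEL[likelihood] * LEVEL[impact]

def action_points(f: Finding) -> list:
    # The four rules of thumb; "loss is too great" is read as impact == high.
    rules = [
        (f.vuln_exists, "assurance techniques to reduce likelihood of exercise"),
        (f.exercisable, "layered protection to minimize impact"),
        (f.attacker_cost < f.attacker_gain, "raise attacker cost to decrease incentive"),
        (f.impact == "high", "design principles and protective measures to limit loss"),
    ]
    return [text for hit, text in rules if hit]

def residual_risk(f: Finding) -> int:
    # Risk left once planned controls lower likelihood and/or impact by whole levels.
    lik, imp = LEVEL[f.likelihood], LEVEL[f.impact]
    for _, d_lik, d_imp in f.controls:
        lik, imp = max(1, lik - d_lik), max(1, imp - d_imp)
    return lik * imp

def prioritize(findings: list) -> list:
    # Risk mitigation, first step: highest inherent risk first, ties by asset name.
    return sorted(findings, key=lambda f: (-risk_score(f.likelihood, f.impact), f.asset))

# Constructed findings for the Mom & Pop Shop; not from the slides.
REGISTER = [
    Finding("Data", "interception", True, True, "medium", "high", 10, 500,
            controls=[("host the website separately from the accounting records", 1, 0),
                      ("keep account numbers hidden (encrypted at rest)", 0, 1)]),
    Finding("SW", "interruption", True, True, "high", "medium", 5, 20,
            controls=[("minimization: drop website features the shop does not need", 1, 0)]),
    Finding("HW", "interruption", True, False, "low", "medium", 50, 10),
]
```

Running `prioritize(REGISTER)` puts the two score-6 findings ahead of the hardware one, and `residual_risk` shows the Data finding dropping from 6 to 2 once both planned controls are applied.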

Security Controls
Prevent, limit, or deter threat-source damage to assets. Three classes:
- Technical
- Management
- Operational

Technical Controls
- Supporting – underlie most security capabilities
- Preventive – e.g., firewalls, access control, secure communication
- Detect and recover – auditing, redundancy, archival, IDSs

Management Controls
Information protection policies, guidelines & standards for operations.
Preventive:
- Assign security responsibility
- Develop and maintain security plans
- Implement personnel security controls such as least privilege or separation of duties
- Conduct security awareness & training
Detection:
- Implement personnel security controls such as background checks
- Periodic review of security controls
- Periodic system audits
- Ongoing risk management processes
Recovery:
- Provide for continuity of operations during emergencies and disasters
- Establish an incident response capability

Operational Controls
Procedures governing the use and operation of IT systems.
Preventive:
- Control data media access and disposal
- Limit external data distribution
- Control SW viruses
- Protect the computing facility (badges, biometrics, guards)
- Provide backup capability (power, communications, and facility)
- Control the environment (temperature, humidity)
Detection:
- Provide physical security (cameras)
- Monitor environmental conditions (smoke/fire detectors)

Residual Risk