Risk Management: a Case Study. DATALAWS Information Technology Law Consultants. Presented by F. F. Akinsuyi (MSc, LLM) MBCS.

Anatomy of a Risk Assessment: UK Government Case Study
- UK government services have gone online.
- Personal and sensitive data are being propagated and populated by government departments to provide these services.
- Online services are targeted by hackers, fraudsters and espionage.
- Old and new risks, threats and vulnerabilities threaten these services.
- Departments need to identify and mitigate these risks.

Anatomy of Risk Management: UK Case Study
- UK government policy is that any government information system used to store, process or forward official information must be accredited before use.
- The objective of accreditation is to show that all relevant risks to the system have been identified and will be managed through appropriate configuration, use, maintenance, evolution and disposal.
- The RMADS methodology is applied to government systems.

RMADS Documents and Process

RMADS Stages
- Determine the Business Impact Level of the information held on the information system to be accredited (most important).
- Impacts are assessed against confidentiality, integrity and availability.
- Depending on those findings, it may be sufficient simply to comply with ISO.
- For higher impact levels, an RMADS is mandatory.

Impact Samples
- Impacts are measured against the government department and the data subject.
- Financial loss due to fraud.
- Reputational loss due to the service not being available.
- Criminal charges due to breach of data protection.

Business Impact Assessment
- Business Impact Levels range from 0 to 8.
- Level 1, Trivial: no further actions taken.
- Levels 2 and 3, Minor: no further actions taken.
- Level 4, Significant: some negative effects; acceptable risks; actions may need to be taken.
- Level 5, Significant: significant negative effects; actions to be taken on a case-by-case basis.
- Levels 6 and 7, Major: risks need to be reduced or treated.
- Level 8, Catastrophic (disastrous): dealt with and reduced under all circumstances.

Business Impact Assessment: Confidentiality Impact Level Markings
- For confidentiality, the Impact Levels relate directly to protective markings:
- Impact Levels 1 and 2: PROTECT
- Impact Level 3: RESTRICTED
- Impact Level 4: CONFIDENTIAL
- Impact Level 5: SECRET
- Impact Level 6: TOP SECRET

RMADS First Phase
- First phase in developing an RMADS.
- Conduct a Standard 1 Technical Risk Assessment.
- Catalogue the information system and generate a scope diagram.
- Verify minimum assumptions to ensure that the risk assessment is accurate.
- Perform a Privacy Impact Assessment.
- Perform a threat assessment to produce a "Prioritised Risk Catalogue", which must be documented within the RMADS.

Identify Threats
- Asset List: what the system is made of.
- Threat Sources: where the threat is coming from.
- Focus of Interest: the system being accredited.
- Threat Actors: the principal parties involved in constituting the threat.

Asset List
- Database
- Application
- Development and Test Environments
- Desktop
- Government Offices
- Interconnecting systems
- Data Centre
- Third Party Location

Threat Source Samples
- Organised Crime
- Pressure Groups
- Investigative Journalists
- Terrorist Organisations

Threat Actor Samples
- Hacker: altering website, denial of service
- Third Party: inappropriate access, privacy breach
- Normal User: accidental data loss
- Privileged User: data confidentiality compromise
- Data Handler: data loss

RMADS Second Part
- Create the RMADS.
- Perform an ISO Benchmarking Review to determine whether suitable commercial countermeasures already exist.
- Develop the Security Case and Risk Treatment Plan to ensure that the proposed solutions meet the requirements of the organisation and its risk appetite.

ISO Benchmarking
- ISO Information Security Standard.
- Covers: Security Policy, Security Organisation, Asset Classification, Personnel Security, Physical Security, Communications and Operations Management, Access Control, Systems Development and Maintenance, Business Continuity Management, Compliance.
- Benchmarking involves conducting face-to-face reviews with system architects, administrators and security teams to verify compliance with the areas above.

Risk Treatment Plan
- The Risk Treatment Plan identifies what steps will be taken to resolve the identified risks.
- It highlights who will be responsible for each risk.
- The date for resolving each risk.
- Status.
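The Business Impact Assessment, Confidentiality Impact Level Markings, Identify Threats and Risk Treatment Plan slides together describe a bookkeeping procedure: rate each asset's confidentiality, integrity and availability impact, map the level to an action category and a protective marking, rank the threat-actor-against-asset combinations into a Prioritised Risk Catalogue, and record treatment steps with owner, date and status. The following Python is an added illustration of that procedure, not DATALAWS' or HMG's own tooling: the classes, the rule that an asset's Business Impact Level is the worst of its three C/I/A impacts, the treatment of level 0 and the sample impact figures are assumptions; the level-to-action and level-to-marking tables and the asset, source and actor names are taken from the slides.

```python
"""Impact-level and risk-catalogue bookkeeping in the shape the RMADS slides
describe. Added illustration, not DATALAWS' or HMG's own tooling: the classes,
the worst-of-C/I/A rule and the sample figures are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Business Impact Level -> action category, from the "Business Impact
# Assessment" slide. Level 0 lies in the stated 0-8 range but the slide does
# not describe it; treating it as "no impact" is an assumption here.
BIL_ACTIONS: Dict[int, str] = {
    0: "No impact: no further actions taken",
    1: "Trivial: no further actions taken",
    2: "Minor: no further actions taken",
    3: "Minor: no further actions taken",
    4: "Significant: acceptable risk, actions may need to be taken",
    5: "Significant: actions to be taken on a case by case basis",
    6: "Major: risk must be reduced or treated",
    7: "Major: risk must be reduced or treated",
    8: "Catastrophic: dealt with and reduced under all circumstances",
}

# Confidentiality impact level -> protective marking, from the
# "Confidentiality Impact Level Markings" slide (no marking above 6).
CONFIDENTIALITY_MARKINGS: Dict[int, str] = {
    1: "PROTECT", 2: "PROTECT", 3: "RESTRICTED",
    4: "CONFIDENTIAL", 5: "SECRET", 6: "TOP SECRET",
}

# Levels 6 and 7 must be reduced or treated and level 8 under all
# circumstances, so every risk at level 6 or above needs a plan entry.
TREATMENT_MANDATORY_FROM = 6


@dataclass(frozen=True)
class Asset:
    """An item from the Asset List with its C/I/A impact levels."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def business_impact_level(self) -> int:
        levels = (self.confidentiality, self.integrity, self.availability)
        if any(not 0 <= v <= 8 for v in levels):
            raise ValueError(f"{self.name}: impact levels must be within 0-8")
        # Assumption: the asset's BIL is the worst of its three impacts.
        return max(levels)

    def protective_marking(self) -> Optional[str]:
        return CONFIDENTIALITY_MARKINGS.get(self.confidentiality)


@dataclass(frozen=True)
class Risk:
    """One line of the Prioritised Risk Catalogue."""
    asset: Asset
    threat_source: str
    threat_actor: str
    outcome: str

    @property
    def impact_level(self) -> int:
        return self.asset.business_impact_level()

    @property
    def action(self) -> str:
        return BIL_ACTIONS[self.impact_level]


@dataclass
class TreatmentEntry:
    """Risk Treatment Plan fields named on the slide: steps, owner, date, status."""
    risk: Risk
    steps: str
    owner: str
    due_date: str
    status: str = "Open"


def prioritised_catalogue(risks: List[Risk]) -> List[Risk]:
    """Highest impact first; equal impacts keep their original order."""
    return sorted(risks, key=lambda r: r.impact_level, reverse=True)


def untreated_mandatory_risks(risks: List[Risk],
                              plan: List[TreatmentEntry]) -> List[Risk]:
    """Risks at level 6 or above that the treatment plan does not cover."""
    treated = {entry.risk for entry in plan}
    return [r for r in risks
            if r.impact_level >= TREATMENT_MANDATORY_FROM and r not in treated]


# Constructed sample: asset, source and actor names come from the slides,
# the impact figures and the plan entry are made up for the example.
DATABASE = Asset("Database", confidentiality=5, integrity=6, availability=4)
APPLICATION = Asset("Application", confidentiality=3, integrity=3, availability=4)
DESKTOP = Asset("Desktop", confidentiality=2, integrity=2, availability=1)

SAMPLE_RISKS = [
    Risk(APPLICATION, "Organised Crime", "Hacker", "Denial of service"),
    Risk(DATABASE, "Investigative Journalists", "Privileged User",
         "Data Confidentiality Compromise"),
    Risk(DESKTOP, "Pressure Groups", "Normal User", "Accidental Data Loss"),
]
SAMPLE_PLAN = [
    TreatmentEntry(SAMPLE_RISKS[1], "Restrict and log privileged database access",
                   owner="Database administrator", due_date="2024-03-31"),
]
```

Calling `prioritised_catalogue(SAMPLE_RISKS)` puts the database risk (level 6, marking SECRET) ahead of the application (level 4) and desktop (level 2) risks, and `untreated_mandatory_risks(SAMPLE_RISKS, [])` flags that same database risk as needing a treatment-plan entry until one is recorded; the same call with `SAMPLE_PLAN` returns nothing. Taking the worst of the three impacts is the conservative choice when the slides say only that impacts are assessed against all three properties.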

Penetration Test
- Network and application tests.
- Round up by identifying whether there is any exposure to known vulnerabilities, by conducting a penetration test and an application test.
- Review the outcome.
- Accredit the system.

Application Vulnerability Tests
- Cross Site Scripting
- Failure to Restrict URL Access
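The two application test categories on this slide are the kind of check an accreditor reviews before signing off: does user input reach the page as HTML, and are sensitive URLs served without an authorisation check? The Python below is an added illustration, not the presenter's material or a real testing tool: it models a vulnerable and a hardened version of two handlers with a toy request/response model (the route names `/greet` and `/admin`, the `admin` role and the findings wording are all assumptions) and runs one check per category against each, so the same checks report both findings for the weak handlers and none for the hardened ones.

```python
"""Checks for the two Application Vulnerability Test categories the slides
name, run against a vulnerable and a hardened handler. Added illustration:
the toy request/handler model, route names and findings text are assumptions,
not a real testing tool or the presenter's own material."""
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    role: Optional[str] = None      # None means unauthenticated


@dataclass
class Response:
    status: int
    body: str


App = Dict[str, Callable[[Request], Response]]


# Vulnerable handlers: one weakness per category on the slide.
def greet_unsafe(req: Request) -> Response:
    name = req.params.get("name", "")
    return Response(200, f"<h1>Hello {name}</h1>")      # raw interpolation


def admin_unsafe(req: Request) -> Response:
    return Response(200, "<h1>Admin console</h1>")      # no access check


# Hardened handlers: encode output; deny the URL unless the role allows it.
def greet_safe(req: Request) -> Response:
    name = html.escape(req.params.get("name", ""))
    return Response(200, f"<h1>Hello {name}</h1>")


def admin_safe(req: Request) -> Response:
    if req.role != "admin":
        return Response(403, "Forbidden")
    return Response(200, "<h1>Admin console</h1>")


UNSAFE_APP: App = {"/greet": greet_unsafe, "/admin": admin_unsafe}
SAFE_APP: App = {"/greet": greet_safe, "/admin": admin_safe}


def dispatch(app: App, req: Request) -> Response:
    handler = app.get(req.path)
    return handler(req) if handler else Response(404, "Not found")


# Harmless markup probe: if it comes back unescaped, user input reaches
# the page as HTML rather than as text.
XSS_PROBE = "<b>probe</b>"


def check_cross_site_scripting(app: App) -> Optional[str]:
    resp = dispatch(app, Request("/greet", {"name": XSS_PROBE}))
    if XSS_PROBE in resp.body:
        return "Cross Site Scripting: /greet reflects 'name' without HTML encoding"
    return None


def check_url_access(app: App, protected=("/admin",)) -> Optional[str]:
    # An unauthenticated request to a protected URL must not succeed.
    exposed = [p for p in protected
               if dispatch(app, Request(p, role=None)).status == 200]
    if exposed:
        return ("Failure to Restrict URL Access: "
                + ", ".join(exposed) + " served without authentication")
    return None


def run_application_tests(app: App) -> List[str]:
    """Findings for the two test categories; empty when both pass."""
    checks = (check_cross_site_scripting(app), check_url_access(app))
    return [finding for finding in checks if finding]
```

`run_application_tests(UNSAFE_APP)` returns both findings and `run_application_tests(SAFE_APP)` returns an empty list, while an `admin`-role request to `/admin` on the hardened app still succeeds. The hardened handlers fix the weaknesses at the point of output (encoding) and at the point of entry (an explicit role check that denies by default), which is what an accreditor would want to see in the risk treatment plan rather than reliance on the URL being unadvertised.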

End Of Session