Information Systems Security Information Security & Risk Management.


Core Principles
 Confidentiality – only authorized nodes have access to information, on a need-to-know basis
 Integrity – information should be protected from intentional, unauthorized, or accidental change
 Availability – information is accessible by users when needed

Security Concepts
 Privacy
 Authentication
 Authorization
 Auditing
 Non-repudiation

Types of Policies
 Regulatory
  – Ensures the company is following standards
  – More detailed in nature
  – Specific to the type of industry
 Advisory
  – Outlines expected behaviors in a company and the associated ramifications

Policies Cont'd
 Informative
  – Tool to teach employees about specific issues
  – Not enforceable

BS/ISO 7799
 Addresses topics in terms of policies and best practices
  – Organizational security policy
  – Asset classification
  – Personnel security
  – Physical/environmental safety
  – Communications security
  – Access control
  – BCP (business continuity planning)
  – Compliance

Components of a Security Policy
 Policy – "must be"
  – Example: virus protection
 Guidelines – "should be"
  – Example: recommend McAfee
 Standards – "will be"
  – Example: will be installed on all systems
 Procedures – "how to"
  – Example: will be updated each week from the server
 Control – "Has it? Does it?"

Senior Management Role
 Defines the scope, objectives, priorities, and strategies of the security program
 Provides vision, funds, and enforcement
 Ultimately liable
 Without senior management support, efforts will be doomed from the start

Security Roles
 Data Owner
  – Data classification
  – Sets security requirements
 System Owner
  – Responsible for the computer system
  – One system – one owner

Security Roles (cont'd)
 Data Custodian
  – Data maintenance tasks
  – Implements and maintains controls to provide the necessary protection
 User
  – Person who routinely uses company data

Information Classification
 Determine the value of data
  – Role of the data
  – Liability if disclosed
  – Cost to gather
  – Value that the opposition would pay
 Classify information
  – Pertaining to availability, integrity, and confidentiality issues per data set
  – Assign a classification level

Classification Cont'd
 Decide on controls
  – Controls are implemented to protect data at each classification level
  – Each classification level has different handling procedures

Classification Criteria
 Criteria items
  – Usefulness and value
  – Level of damage possible
  – Laws and regulations
  – Who should access? Who should maintain?
  – Who should monitor? Who should audit?
  – How long will protection be required?

Military Classification Levels
 Top Secret
  – Drastic effects and critical damage to national security (NS)
 Secret
  – Significant effects and critical damage to NS
 Confidential
  – Noticeable effects and serious damage to NS
 Sensitive but Unclassified
  – Would not cause significant damage if disclosed
 Unclassified

Commercial Classifications
 Confidential
  – Extremely sensitive and for internal use only
 Private
  – Personal data for internal use only
 Sensitive
  – Negative impact if disclosed
 Public
  – No negative impact if disclosed

How is Liability Determined?
 Due Diligence – identifying threats and risks
  – Uncover potential dangers
  – Carry out assessments
  – Perform analysis on assessment data
  – Implement risk management
  – Research vulnerabilities and risks

Liability Cont'd
 Due Care – acting upon findings to mitigate risks
  – Doing the right thing
  – Implementing solutions based on the analyses
  – Properly protecting the company and its assets
  – Acting responsibly
 Prudent Person Rule
  – Perform the duties that prudent and responsible people would exercise in similar circumstances

Risk Assessment
 Identify vulnerabilities – a vulnerability is a flaw or weakness in system security procedures or controls that can be exploited and result in a breach
 Identify threats – the potential for a particular threat to successfully exercise a vulnerability

Risk Management
 Reduce
  – Implement safeguards
 Assign
  – Transfer the risk to another entity
 Accept
  – Agree to accept the consequences
 Reject
  – Ignore that the risk exists

Risk Management is Hard
 Trying to predict the future
 Incredible number of variables
 Surmising all possible threats
 Gathering data from many sources
 Dealing with many unknowns
 Quantifying qualitative items

Valuing an Asset
 Cost of acquisition
 Replacement cost
 Cost of development
 Role of the asset in the company
 Amount of worth to the competition
 Cost of maintaining and protecting it
 Production losses
 Liability

Categorizing Risk Analysis
 Immediate vs. delayed loss
 Quantitative
  – Numeric and monetary values available
  – Management likes it better
 Qualitative
  – Opinion based
  – Uses a rating system
  – Scenario based

Qualitative Analysis
 Gather company experts
 Present risk scenarios
 Rank seriousness of threats
 Rank countermeasures
 Delphi method
  – Anonymous – more honest – no intimidation

Quantitative Analysis
 ALE (Annualized Loss Expectancy)
  – Expected monetary loss for an asset due to a risk over a one-year period
  – ALE = SLE * ARO
 SLE (Single Loss Expectancy)
  – SLE = Asset Value x Exposure Factor (EF)
  – EF = percentage of the asset's value that could be lost in a single incident

Quantitative Cont'd
 ARO – Annualized Rate of Occurrence
  – Probability that a risk will occur in a year
 Example: a fire will reduce building usage by 3/4
  – EF = 75%
 Example: a fire is expected once every 10 years
  – ARO = .10

Quantitative Cont'd
 Building asset valued at $1M
  – SLE = $1M * .75 = $750K
  – ALE = $750K * .10 = $75K
 Exercise: If a company's website is attacked, it will cause 40% damage. The threat is estimated to happen once a year. The website is valued at $300K. What is the cap to be spent on safeguards?

Cost/Benefit of a Countermeasure
 (ALE prior to countermeasure) – (ALE after countermeasure) – (annual cost of countermeasure) = cost/benefit of countermeasure
 Example:
  – ALE of web disruption = $40K
  – ALE after countermeasure = $24K
  – Cost of countermeasure = $2K annually
  – Benefit of countermeasure = $23K

Eliminate ALL Risks?
 Total risk versus residual risk
  – The amount of risk that exists before a safeguard is put into place is the total risk
  – After the safeguard is installed, the remaining risk is the residual risk
 Threat x Vulnerability x Asset Value = Total Risk (TR)
 TR x Control Gap = Residual Risk (RR)
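The quantitative formulas from the Quantitative Analysis, Cost/Benefit and Total/Residual Risk slides, carried through as an added example that is not part of the original presentation. The helper names and the residual-risk figures are constructed here; the fire, website and web-disruption inputs are the slides' own.

```python
"""ALE, safeguard cap, countermeasure cost/benefit and residual risk.

Added example (not from the slides). Function names and the residual-risk
sample figures are constructed; the formulas are the ones on the slides.
"""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor (EF as a 0..1 fraction)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def safeguard_cap(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Upper bound on annual safeguard spend: the ALE of the unmitigated risk."""
    return ale(sle(asset_value, exposure_factor), aro)


def countermeasure_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit = ALE before - ALE after - annual cost of the countermeasure.
    A negative result means the control costs more than the loss it prevents."""
    return ale_before - ale_after - annual_cost


def residual_risk(threat: float, vulnerability: float, asset_value: float,
                  control_gap: float) -> tuple[float, float]:
    """Total risk = threat x vulnerability x asset value; residual = TR x control gap.
    threat, vulnerability and control_gap are 0..1 fractions (gap 0 = fully controlled)."""
    total = threat * vulnerability * asset_value
    return total, total * control_gap


if __name__ == "__main__":
    # Fire scenario from the slides: $1M building, EF 75%, one fire per 10 years.
    fire_sle = sle(1_000_000, 0.75)           # 750000.0
    print("fire ALE:", ale(fire_sle, 0.10))    # 75000.0
    # Website exercise from the slides: $300K site, 40% damage, once a year.
    print("safeguard cap:", safeguard_cap(300_000, 0.40, 1.0))  # 120000.0
    # Cost/benefit with the slides' web-disruption inputs.
    print("net benefit:", countermeasure_benefit(40_000, 24_000, 2_000))  # 14000
    # Residual risk with constructed figures (the slides give no control-gap numbers).
    print("total, residual:", residual_risk(0.5, 0.4, 300_000, 0.2))
```

Run on the slides' web-disruption inputs, the formula returns a net benefit of $14K; the cap for the website exercise equals its ALE, since spending more than the expected annual loss on safeguards cannot pay back.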

Mitigate Risk
 The team presents the analysis results to management
 Management makes the decision about the next steps
  – Transfer the risk (insurance)
  – Reduce the risk (control)
  – Accept the risk (informed decision)
  – Reject the risk (no decision made)

Liability of Actions
 Accepting risks
  – Carried out with due diligence
  – Made an informed business decision
  – Better chance of not being found negligent
 Rejecting risks
  – Did not practice due diligence
  – Decision based on ignorance of the issue
  – Most likely will be found negligent

Employee Management
 The weakest link in security is people
 Proper management of employees is needed
 Communication structure in place
 Management structure in place
 Enforce the acceptable usage policy
 Rotation of duties
 20/80 rule

Employee Security Management
 Separation of duties
 Job responsibilities
 Job rotation
 Background checks
 Employee agreements

Firing Issues
 Complete an exit interview
 Non-disclosure agreements
 Collect keys and escort out of the building
 Disable accounts

Ethics – (ISC)²
 Four canons
  – Protect society and the infrastructure
  – Act honorably, justly, responsibly, and legally
  – Provide diligent and competent service
  – Advance and protect the profession

Ethics – CEI
 Computer Ethics Institute
  – Non-profit organization to stimulate awareness of the ethical issues of technology
  – Tries to help balance civil liberty and government monitoring
  – Provides advisory and consultative activities, research, education, and public outreach

Ethics – IAB
 Internet Advisory Board
  – Coordinating committee for Internet design
  – Two task forces:
     Internet Engineering Task Force (IETF)
     Internet Research Task Force (IRTF)
  – Internet use is to be seen as a privilege and should be treated as such

IAB Standards
 Unethical behavior includes:
  – Seeking to gain unauthorized access to the Internet
  – Disrupting the normal use of the Internet
  – Wasting resources through purposeful actions
  – Destroying the integrity of computer information
  – Compromising the privacy of others
  – Negligence in the conduct of Internet-wide experiments