Unit # 3: Information Security and Risk Management


Unit # 3: Information Security and Risk Management. Cyber Security Lecture for June 25, 2010. Dr. Bhavani Thuraisingham

Outline: Security Management, Administration and Governance; Policies, Standards, Guidelines, Procedures; Information Classification; Roles and Responsibilities; Risk Management and Analysis; Best Practices.

Security Management, Administration and Governance
Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes the controls that an organization needs to implement to ensure that it is sensibly managing these risks. The risks to these assets can be calculated by analysis of the following issues:
Threats to your assets: unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
Vulnerabilities: how susceptible your assets are to attack.
Impact: the magnitude of the potential loss or the seriousness of the event.

Security Management, Administration and Governance
Standards that are available to assist organizations in implementing the appropriate programs and controls to mitigate these risks include BS7799/ISO 17799, the Information Technology Infrastructure Library (ITIL) and COBIT. Information Security Governance (ISG) is a sub-discipline of corporate governance focused on information security systems, their performance and their risk management. Governance activities include establishing and maintaining a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

Security Management, Administration and Governance
Develop the information security strategy in support of business strategy and direction.
Obtain senior management commitment and support.
Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
Establish reporting and communication channels that support information security governance activities.
Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
Establish and maintain information security policies that support business goals and objectives.
Ensure the development of procedures and guidelines that support information security policies.
Develop the business case for information security program investments.

Policies, Standards, Guidelines and Procedures
Policies are the top tier of formalized security documents. These high-level documents offer a general statement about the organization's assets and what level of protection they should have. Well-written policies should spell out who is responsible for security, what needs to be protected, and what is an acceptable level of risk. Standards are much more specific than policies. Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement. As an example, a standard might set a mandatory requirement that all email communication be encrypted. Although such a standard specifies what must be done, it does not spell out how it is to be done; that is left to the procedure.

Policies, Standards, Guidelines and Procedures
A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually mapped to industry standards. As an example, an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard. A guideline points to a statement in a policy or procedure by which to determine a course of action. It is a recommendation or suggestion of how things should be done, and it is meant to be flexible so that it can be customized for individual situations. A procedure is the most specific of security documents: a detailed, in-depth, step-by-step document that spells out exactly what is to be done. A security model is a scheme for specifying and enforcing security policies. Examples include Bell-LaPadula, Biba, and access control lists.

Information Classification
It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security. A system of classification should ideally be:
simple to understand and to administer;
effective, in order to determine the level of protection the information is given;
applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed).

Information Classification
With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. Violations of the Information Classification Policy should result in disciplinary proceedings against the individual. The number of information classification levels in an organization should be kept manageable, as having too many makes maintenance and compliance difficult.

Information Classification
Top Secret: Highly sensitive internal documents and data. For example, impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible.
Highly Confidential: Information which is considered critical to the organization's ongoing operations and could seriously impede or disrupt them if shared internally or made public. Such information includes accounting information, business plans, sensitive information about bank customers, patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high.

Information Classification
Proprietary: Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high.
Internal Use Only: Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include internal memos, internal project reports, and minutes of meetings. Security at this level is controlled but normal.
Public Documents: Information in the public domain (press statements, annual reports, etc.) which has been approved for public use or distribution. Security at this level is minimal.
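The five classification levels above only do work if something enforces them. The following Python is an added example (not part of the lecture) that orders the lecture's levels, applies the "when in doubt, use the higher classification" rule to a record assembled from several pieces, and checks access against a clearance using the Bell-LaPadula "no read up" / "no write down" rules that the lecture names as a security model. The level ordering, the sample documents, the user clearances and the audit-record layout are constructed assumptions for illustration, not any organization's actual policy.

```python
"""Added example: enforcing an information-classification scheme.
Level names follow the lecture; ordering, documents, users and the
audit-record format are constructed assumptions."""
from enum import IntEnum
from typing import Dict, Iterable


class Level(IntEnum):
    # Ordered from least to most sensitive (the five levels named in the lecture).
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3
    TOP_SECRET = 4


def classify_aggregate(levels: Iterable[Level]) -> Level:
    """A record built from several pieces takes the highest level among them:
    the lecture's "when in any doubt, the higher classification" rule.
    An empty aggregate contains nothing sensitive, so it is PUBLIC."""
    return max(levels, default=Level.PUBLIC)


def may_read(subject_clearance: Level, object_level: Level) -> bool:
    """Bell-LaPadula simple security property ("no read up"): the subject's
    clearance must dominate the object's classification."""
    return subject_clearance >= object_level


def may_write(subject_clearance: Level, object_level: Level) -> bool:
    """Bell-LaPadula *-property ("no write down"): a subject may only write to
    objects at or above its own clearance, so Top Secret data cannot be copied
    into a Public document by a Top Secret user."""
    return object_level >= subject_clearance


def audit_access(subject: str, clearance: Level, doc: str, level: Level, op: str) -> Dict[str, str]:
    """Return a structured decision record. The lecture says policy violations
    lead to disciplinary proceedings, so a denied attempt must be logged with
    who, what and why (assumed record layout)."""
    if op == "read":
        allowed = may_read(clearance, level)
    elif op == "write":
        allowed = may_write(clearance, level)
    else:
        raise ValueError(f"unknown operation: {op}")
    return {
        "subject": subject,
        "clearance": clearance.name,
        "document": doc,
        "classification": level.name,
        "operation": op,
        "decision": "allow" if allowed else "deny",
    }


# Constructed sample documents (not from the lecture).
DOCUMENTS: Dict[str, Level] = {
    "press-release.txt": Level.PUBLIC,
    "meeting-minutes.docx": Level.INTERNAL_USE_ONLY,
    "business-plan.xlsx": Level.HIGHLY_CONFIDENTIAL,
    "merger-memo.pdf": Level.TOP_SECRET,
}


def quarterly_pack_level() -> Level:
    """A 'quarterly pack' assembled from the minutes and the business plan
    inherits the business plan's level (HIGHLY_CONFIDENTIAL)."""
    return classify_aggregate([DOCUMENTS["meeting-minutes.docx"],
                               DOCUMENTS["business-plan.xlsx"]])


if __name__ == "__main__":
    # A Proprietary-cleared user reading a Highly Confidential plan is denied;
    # a Top Secret user writing into a Public file is denied (no write down).
    print(audit_access("alice", Level.PROPRIETARY, "business-plan.xlsx",
                       DOCUMENTS["business-plan.xlsx"], "read"))
    print(audit_access("bob", Level.TOP_SECRET, "press-release.txt",
                       DOCUMENTS["press-release.txt"], "write"))
    print("quarterly pack classified as", quarterly_pack_level().name)
```

The aggregation rule matters in practice: a report that quotes one Highly Confidential number is itself Highly Confidential, which is why the lecture warns that too many levels make compliance hard to maintain.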

Roles and Responsibilities
Internal Roles: Executive Management; Information System Security Professionals; Owners (Data and System Owners); Custodians; Operational Staff; Users; Legal, Compliance and Privacy Officers; Internal Auditors; Physical Security Officers.
External Roles: Vendors and Suppliers; Contractors; Temporary Employees; Customers; Business Partners; Outsourced Relationships; Outsourced Security.
Human Resources: Employee development and management; Hiring and termination; Signed employee agreements; Education.

Risk Management and Analysis
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm. The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

Risk Management and Analysis
A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion (scenarios), or, where reliable dollar figures and historical information are available, it may use quantitative analysis. For any given risk, executive management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce it. In some cases, the risk can be transferred to another business by buying insurance or outsourcing to another business.

Risk Management and Analysis
1. Identify assets and estimate their value. Include people, buildings, hardware, software, data and supplies.
2. Conduct a threat assessment. Include acts of nature, accidents, and malicious acts originating from inside or outside the organization.
3. Conduct a vulnerability assessment, and for each vulnerability calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, ...
4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
5. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and the value of the asset.
6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.

Risk Management and Analysis
Step 1: Estimate Potential Loss. SLE = AV ($) x EF (%). SLE: Single Loss Expectancy; AV: Asset Value; EF: Exposure Factor (percentage of asset value).
Step 2: Conduct Threat Likelihood Analysis. ARO: Annual Rate of Occurrence, the number of times per year that an incident is likely to occur.
Step 3: Calculate ALE. ALE: Annual Loss Expectancy. ALE = SLE x ARO.
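The three steps above produce an ALE, but the lecture's earlier slides also ask for a proportional, cost-effective control and for the accept / mitigate / transfer decision. The following Python is an added example (not the lecture's own material) that carries the formulas SLE = AV x EF and ALE = SLE x ARO through to that decision: it computes the ALE before and after a candidate control, subtracts the control's annualized cost, and recommends accepting, mitigating or transferring the risk. The asset values, exposure factors, rates of occurrence, control costs and the acceptable-ALE threshold are constructed figures for illustration.

```python
"""Added example: quantitative risk analysis (SLE = AV x EF, ALE = SLE x ARO)
extended to control selection and the accept / mitigate / transfer decision.
All dollar figures, EF, ARO and control effects below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # A control reduces EF (limits damage per incident) and/or ARO (fewer incidents).
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None

    def apply(self, e: Exposure) -> Exposure:
        """The exposure that remains once this control is in place."""
        ef = e.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = e.aro if self.new_aro is None else self.new_aro
        return Exposure(e.asset, e.asset_value, ef, aro)


def control_value(e: Exposure, c: Control) -> float:
    """Net annual value of a control = ALE before - ALE after - annual cost.
    Positive means the control saves more than it costs: the lecture's
    'proportional response' and 'cost effective protection' test."""
    return e.ale() - c.apply(e).ale() - c.annual_cost


def recommend(e: Exposure, candidates: List[Control], acceptable_ale: float) -> str:
    """Accept if the ALE is already within what management accepts; otherwise
    mitigate with the control of greatest positive net value; otherwise flag
    for transfer (insurance / outsourcing) since mitigation costs more than
    the loss it prevents. The threshold is an assumed management input."""
    if e.ale() <= acceptable_ale:
        return "accept"
    best = max(candidates, key=lambda c: control_value(e, c), default=None)
    if best is not None and control_value(e, best) > 0:
        return "mitigate: " + best.name
    return "transfer"


# Constructed scenario: a file server worth $200,000; a ransomware-style
# outage destroys 25% of its value and is expected once every two years.
FILE_SERVER = Exposure("file server", asset_value=200_000.0, exposure_factor=0.25, aro=0.5)
OFFSITE_BACKUPS = Control("offsite backups", annual_cost=8_000.0, new_exposure_factor=0.05)
HOT_SITE = Control("full hot site", annual_cost=30_000.0, new_exposure_factor=0.01)


def worked_example() -> dict:
    """Run the scenario end to end and return the figures for inspection."""
    return {
        "sle": FILE_SERVER.sle(),                                  # 50,000
        "ale": FILE_SERVER.ale(),                                  # 25,000
        "backups_value": control_value(FILE_SERVER, OFFSITE_BACKUPS),  # 12,000
        "hot_site_value": control_value(FILE_SERVER, HOT_SITE),        # -6,000
        "decision": recommend(FILE_SERVER, [OFFSITE_BACKUPS, HOT_SITE], acceptable_ale=5_000.0),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v}")
```

The same numbers drive all three outcomes the lecture lists: raise the acceptable ALE above $25,000 and the answer is "accept"; offer only the hot site, whose cost exceeds the loss it prevents, and the answer is "transfer". Note that a control's ARO reduction must be estimated from the threat-likelihood analysis in Step 2, not from the vendor's brochure.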

Security Best Practices: Job Rotation; Separation of Duty; Security Awareness Training; Ethics Education.