© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Managing Risk in Information Systems Lesson.

Presentation transcript:

Page 1 Managing Risk in Information Systems, Lesson 4: Key Components of Risk Assessment
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.

Page 2 Learning Objectives
- Identify assets and activities to protect within an organization.
- Identify threats, vulnerabilities, and exploits.
- Identify and analyze risk mitigation security controls.

Page 3 Key Concepts
- Identification of key activities and assets
- Recognize value of data
- Basic planning steps of a BIA
- Techniques used to identify relevant threats, vulnerabilities, and exploits
- Identify and compare procedural, technical, physical, and functional controls

Page 4 DISCOVER: CONCEPTS

Page 5 Risk Assessment Approaches

Page 6 Quantitative Risk Assessment

Page 7 Best Practices for Risk Assessment

Page 8 Identifying Activities
Activities:
  - System Access
  - System Availability
  - System Functions: Manual and Automated
- Eliminate single points of failure (SPOF)
  - A SPOF is a part of a system that can cause the entire system to fail
  - If the SPOF fails, the entire system fails

Page 9 System Access and Availability
- Goal: percent up time
- Failover cluster
- RAID

Page 10 Identifying Assets
Assets:
  - Hardware Assets
  - Software Assets
  - Personnel Assets
- People can also be single points of failure
  - Hire additional personnel
  - Cross train
  - Job rotation

Page 11 Identifying Data Assets
Data and Information:
  - Customer
  - Intellectual Property
  - Databases
- Protect data
- Ensure methods are available to retrieve data
  - Data warehousing
  - Data mining

Page 12 Types of Assessments
- Threat Assessments
- Vulnerability Assessments
- Exploit Assessments

Page 13 Threat Assessments
- Identifies and evaluates threats
  - Determines impact on confidentiality
  - Determines impact on integrity
  - Determines impact on availability

Page 14 Vulnerability Assessments
- Vulnerabilities are any weaknesses in an IT infrastructure.
- Assessments identify vulnerabilities within an organization:
  - Servers
  - Networks
  - Personnel
- Entire networks can be vulnerable if access controls aren't implemented

Page 15 Internal/External Vulnerability Assessments
- Internal assessments: security professionals exploit internal systems to learn about vulnerabilities
- External assessments: personnel outside the company exploit systems to learn about vulnerabilities

Page 16 Intrusion Detection System Outputs
- IDS uses logs
- Logs can be used in assessments

Page 17 Verifying Rights and Permissions
- Verify user rights and permissions
  - Principle of least privilege
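One way to turn "verify user rights and permissions" into a repeatable check is to compare what each account has been granted against the minimum its role needs. The script below is an added example, not part of the course material: the roles, rights and accounts are constructed, and the 90-day stale-account threshold is an assumed policy value. It reports rights granted beyond the role baseline (the least-privilege violations), baseline rights that are missing (which tend to produce workarounds), unknown roles, and dormant accounts.

```python
"""Least-privilege review: compare each account's granted rights against the
rights its role needs.  Added example with constructed data."""

from dataclasses import dataclass, field

# Constructed role baseline: the minimum rights each role needs to do its job.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "read_ticket"},
    "dba": {"read_db", "write_db", "backup_db"},
    "auditor": {"read_logs", "read_db"},
}


@dataclass
class Account:
    name: str
    role: str
    granted: set = field(default_factory=set)
    last_login_days: int = 0      # days since last login (constructed)


def review_account(acct, baseline=ROLE_BASELINE, stale_after=90):
    """Return the findings for one account.

    excess  - rights granted beyond the role baseline (least-privilege violation)
    missing - baseline rights not granted (worth noting: invites workarounds)
    stale   - account unused for longer than stale_after days (assumed policy)
    """
    needed = baseline.get(acct.role)
    if needed is None:
        # Unknown role: every granted right is unjustified until a baseline exists.
        return {"unknown_role": acct.role, "excess": set(acct.granted),
                "missing": set(), "stale": acct.last_login_days > stale_after}
    return {
        "excess": acct.granted - needed,
        "missing": needed - acct.granted,
        "stale": acct.last_login_days > stale_after,
    }


def review_all(accounts, baseline=ROLE_BASELINE, stale_after=90):
    """Return only the accounts that have at least one finding."""
    findings = {}
    for acct in accounts:
        f = review_account(acct, baseline, stale_after)
        if f["excess"] or f["missing"] or f["stale"] or "unknown_role" in f:
            findings[acct.name] = f
    return findings


# Constructed sample accounts, as an export from a directory might look.
SAMPLE_ACCOUNTS = [
    Account("alice", "helpdesk", {"reset_password", "read_ticket"}, 3),
    Account("bob", "helpdesk", {"reset_password", "read_ticket", "write_db"}, 10),
    Account("carol", "auditor", {"read_logs"}, 200),
    Account("dave", "contractor", {"read_db"}, 5),
]

if __name__ == "__main__":
    for name, finding in review_all(SAMPLE_ACCOUNTS).items():
        print(name, finding)
```

Run against a real export, the "excess" set is the list to take to the system owner; the baseline itself is the artefact that makes the review repeatable, because without a written minimum per role every grant looks justified.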

Page 18 Exploit Assessments
- Exploit assessments attempt to exploit vulnerabilities
  - They simulate an attack to determine if the attack can succeed
- An exploit test:
  - Usually starts with a vulnerability test to determine vulnerabilities
  - Follows with an attempt to exploit the vulnerability

Page 19 In-Place Controls
- Installed in an operational system
- Replace in-place controls that don't meet goals
- Three primary objectives of controls:
  - Prevent
  - Detect
  - Recover

Page 20 Planned Controls
- Those that have been approved but not yet installed
- Identify planned controls before approving others
- Vulnerabilities that planned controls mitigate still exist
- Evaluate effectiveness of a planned control through research

Page 21 Functional Controls
Controls based on the function being performed:
- Preventive
  - Hardening
  - Patching
- Detective
  - Audit trails
  - IDS
- Corrective
  - Backups
  - File recovery

Page 22 NIST SP Control Families
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)

Page 23 NIST SP Control Families (Cont.)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Risk Assessment (RA)
- Security Assessment and Authorization (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- System and Services Acquisition (SA)

Page 24 Procedural Control Examples
- Policies and procedures
- Security plans
- Insurance and bonding
- Background and financial checks

Page 25 Procedural Control Examples (Cont.)
- Data loss prevention program
- Awareness training
- Rules of behavior
- Software testing

Page 26 Technical Control Examples
- Login identifier
- Session timeout
- System logs and audit trails
- Data range and reasonableness checks
- Firewalls and routers
- Encryption
- Public key infrastructure (PKI)

Page 27 Firewalls and Routers
- Filters traffic
  - Access control lists (ACLs)

Page 28 Using Digital Signatures

Page 29 Physical Control Examples
- Locked doors, guards, CCTV
- Fire detection and suppression
- Water detection
- Temperature and humidity detection
- Electrical grounding and circuit breakers

Page 30 DISCOVER: PROCESS

Page 31 Business Impact Analysis (BIA)
A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:
- Recovery Point Objective (RPO): the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?
- Recovery Time Objective (RTO): the acceptable amount of time to restore the function.
The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Page 32 BIA Planning Introduction
- Identifies impact of sudden loss
- Define the scope
- Identify objectives
- Identify mission-critical functions and processes
- Map functions and processes to IT systems
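The BIA steps above, the RPO/RTO limits on the previous slide, and the single-point-of-failure idea from the activities and assets slides come together once the function-to-system mapping is written down. The script below is an added example with constructed systems and functions, not material from the course: it maps each mission-critical function to the systems (and people) it depends on, flags any dependency with no redundant peer as a SPOF, checks that the assigned RPO does not exceed the maximum tolerable data loss and that the RTO does not exceed the MTPoD, and ranks SPOFs by how many critical functions share them.

```python
"""BIA planning check.  Added example with constructed data: maps critical
functions to IT systems, flags single points of failure, and verifies that
RPO/RTO stay within maximum tolerable data loss and MTPoD."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class System:
    name: str
    redundant: bool          # failover cluster, RAID, cross-trained staff, etc.


@dataclass
class Function:
    name: str
    critical: bool
    depends_on: tuple        # names of systems (or people) it cannot run without
    rpo_hours: float         # assigned recovery point objective
    rto_hours: float         # assigned recovery time objective
    max_data_loss_hours: float
    mtpod_hours: float       # maximum tolerable period of disruption


def check_function(func, inventory):
    """Return the list of issues for one critical function (empty list = OK)."""
    issues = []
    for dep in func.depends_on:
        system = inventory.get(dep)
        if system is None:
            issues.append(f"unmapped dependency: {dep}")
        elif not system.redundant:
            issues.append(f"single point of failure: {dep}")
    if func.rpo_hours > func.max_data_loss_hours:
        issues.append("RPO exceeds maximum tolerable data loss")
    if func.rto_hours > func.mtpod_hours:
        issues.append("RTO exceeds MTPoD")
    return issues


def bia_report(functions, systems):
    """Issues per critical function; non-critical functions are out of scope."""
    inventory = {s.name: s for s in systems}
    return {f.name: check_function(f, inventory) for f in functions if f.critical}


def spof_exposure(functions, systems):
    """How many critical functions each non-redundant system supports.
    The highest count is the SPOF to remove first."""
    inventory = {s.name: s for s in systems}
    exposure = defaultdict(int)
    for f in functions:
        if not f.critical:
            continue
        for dep in f.depends_on:
            if dep in inventory and not inventory[dep].redundant:
                exposure[dep] += 1
    return dict(exposure)


# Constructed sample inventory and functions (hours throughout).
SYSTEMS = [
    System("web-cluster", redundant=True),
    System("orders-db", redundant=False),
    System("payroll-app", redundant=False),
    System("dba-on-call", redundant=False),   # one person, so also a SPOF
]

FUNCTIONS = [
    Function("order entry", True, ("web-cluster", "orders-db", "dba-on-call"), 1, 4, 2, 8),
    Function("payroll run", True, ("payroll-app", "orders-db"), 48, 24, 24, 72),
    Function("internal wiki", False, ("web-cluster",), 168, 168, 168, 336),
]

if __name__ == "__main__":
    for name, issues in bia_report(FUNCTIONS, SYSTEMS).items():
        print(name, issues or "OK")
    print("SPOF exposure:", spof_exposure(FUNCTIONS, SYSTEMS))
```

In the constructed data the payroll run has a 48-hour RPO against a 24-hour tolerable loss, which is exactly the mismatch the BIA is meant to surface before an outage does, and the orders database is a SPOF shared by two critical functions, which is why it ranks first for redundancy spending.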

Page 33 Assessing Vulnerabilities
- Documentation review
- Review logs
- Vulnerability scans
- Audits and personnel interviews
- Process and output analysis
- System testing

Page 34 Process Analysis and Output Analysis
- Firewall has five rules: use process analysis
- Firewall has 100 rules: use output analysis
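The two techniques on this slide, together with the ACL filtering described under Firewalls and Routers, can be shown on one small rule base. The script below is an added example, not course material; the five-rule ACL and the log lines are constructed. Process analysis reads the rules themselves and finds rules that can never fire because an earlier rule already covers everything they match. Output analysis replays the logged connections through the ACL (top-down, first match wins) and counts which rule decided each one, which is the approach that still works when the rule base has 100 entries and reading it is impractical.

```python
"""Process analysis vs. output analysis of a firewall rule base.
Added example with a constructed rule base and constructed log lines."""

import ipaddress
from collections import Counter

# Constructed rule base, evaluated top-down, first match wins.
# (id, action, source network, destination network, destination port or "any")
RULES = [
    ("R1", "deny",  "0.0.0.0/0",      "10.0.0.0/8",   23),     # no telnet into the LAN
    ("R2", "allow", "10.1.0.0/16",    "10.0.5.10/32", 443),    # clients -> web tier
    ("R3", "allow", "10.1.0.0/16",    "10.0.5.10/32", 443),    # accidental duplicate of R2
    ("R4", "allow", "192.168.0.0/16", "10.0.0.0/8",   "any"),  # broad admin rule
    ("R5", "deny",  "0.0.0.0/0",      "0.0.0.0/0",    "any"),  # default deny
]

# Constructed log lines: "<src> <dst> <dst-port>", one connection attempt each.
LOG = """\
10.1.2.3 10.0.5.10 443
10.1.2.4 10.0.5.10 443
192.168.9.9 10.0.7.7 22
203.0.113.5 10.0.5.10 23
203.0.113.5 10.0.5.10 443
"""


def matches(rule, src, dst, port):
    _, _, src_net, dst_net, rule_port = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
            and (rule_port == "any" or rule_port == port))


def first_match(rules, src, dst, port):
    """Id of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule[0]
    return None


def hit_counts(rules, log_text):
    """Output analysis: how many logged connections each rule decided."""
    counts = Counter({r[0]: 0 for r in rules})
    for line in log_text.splitlines():
        src, dst, port = line.split()
        rid = first_match(rules, src, dst, int(port))
        if rid is not None:
            counts[rid] += 1
    return dict(counts)


def shadowed_rules(rules):
    """Process analysis: rules that can never fire because an earlier rule
    covers every packet they would match (same or broader src, dst and port)."""
    found = {}
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_ok = ipaddress.ip_network(later[2]).subnet_of(ipaddress.ip_network(earlier[2]))
            dst_ok = ipaddress.ip_network(later[3]).subnet_of(ipaddress.ip_network(earlier[3]))
            port_ok = earlier[4] == "any" or earlier[4] == later[4]
            if src_ok and dst_ok and port_ok:
                found[later[0]] = earlier[0]
                break
    return found


def review(rules, log_text):
    """Combine both analyses into the findings an assessor would record."""
    counts = hit_counts(rules, log_text)
    shadow = shadowed_rules(rules)
    unused = sorted(rid for rid, n in counts.items() if n == 0 and rid not in shadow)
    broad_allows = [r[0] for r in rules if r[1] == "allow" and r[4] == "any"]
    return {"hits": counts, "shadowed": shadow, "unused": unused, "broad_allows": broad_allows}


if __name__ == "__main__":
    for key, value in review(RULES, LOG).items():
        print(f"{key}: {value}")
```

A rule with zero hits over a representative log window and no shadowing rule is a candidate for removal; an "allow ... any" rule such as R4 is flagged for review because output analysis cannot tell whether its breadth is intended.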

Page 35 Procedure for Assessing Exploits
- Identification
- Mitigation
- Implementation
- Remediation

Page 36 Suggested Steps for Implementing Security Controls
- Selection of security control
- Documentation of each control
- Implementation of each control
Insurance / Avoidance / Reduction / Retention

Page 37 DISCOVER: ROLES

Page 38 Data and Information Assets
- Data protected by:
  - Access controls
  - Backups

Page 39 Data Classifications
- Organization classifications
  - Proprietary: highest level of protection
  - Private: protected internally
  - Public: freely available
- Government
  - Top Secret
  - Secret
  - Confidential

Page 40 Data and Information Asset Categories
- Organization
- Customer
- Intellectual property
- Data warehousing
- Data mining

Page 41 Internal Threats
- Internal threats
  - Users with unintentional access
  - Users responding to phishing attempts
  - Users forwarding viruses
  - Disgruntled ex-employees
  - Equipment failure
  - Data loss
  - Attacks

Page 42 External Threats
- Attacks on public-facing servers
- Weather conditions and natural disasters

Page 43 Risk Mitigation Functions
- Senior management
- IT management
- Functional management and employees
- Contractors/vendors

Page 44 DISCOVER: CONTEXTS

Page 45 Identify Assets
- First step in risk management
  - You can't plan the protection if you don't know what you're protecting
- When do you want to identify a single point of failure? Before it fails? Or after it fails?

Page 46 Threat Modeling
- What system are you trying to protect?
- Is the system susceptible to attacks?
- Who are the potential adversaries?
- How might a potential adversary attack?
- Is the system susceptible to hardware or software failure?
- Who are the users?
- How might an internal user misuse the system?

Page 47 Key to Risk Management
- Risk = Threat x Vulnerability
  - Threat assessments help reduce the impact of threats
  - Vulnerability assessments help reduce vulnerabilities
  - Exploit assessments help validate actual threats and vulnerabilities

Page 48 Controls Mitigate Risk
- Controls reduce impact of threats
- Controls reduce vulnerabilities to an acceptable level
- Hundreds of controls
  - Best to evaluate based on categories
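A small risk register shows how the formula on the previous slide and the two effects of controls named here fit together, and why the earlier distinction between in-place and planned controls matters. The script below is an added example with constructed scores, controls and an assumed acceptable-risk level; it is not from the course. Each control either reduces the threat side or the vulnerability side of Risk = Threat x Vulnerability. Current residual risk counts only in-place controls, because a vulnerability that a planned control will mitigate still exists today; the projected column shows what the planned controls would buy.

```python
"""Risk register: Risk = Threat x Vulnerability, with in-place and planned
controls applied separately.  Added example with constructed data."""

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduces: str        # "threat" (impact of the threat) or "vulnerability"
    factor: float       # fraction removed, 0.0 .. 1.0 (constructed estimate)
    in_place: bool      # False = approved but not yet installed (planned)


@dataclass
class Risk:
    asset: str
    threat: str
    threat_score: int             # 1 (rare, low impact) .. 5 (constructed scale)
    vulnerability_score: int      # 1 (hard to exploit) .. 5
    controls: list = field(default_factory=list)


def residual(risk, include_planned=False):
    """Residual risk score after the selected controls.

    include_planned=False counts only in-place controls (current state);
    include_planned=True also counts planned controls (projected state)."""
    threat = float(risk.threat_score)
    vuln = float(risk.vulnerability_score)
    for ctl in risk.controls:
        if not (ctl.in_place or include_planned):
            continue
        if ctl.reduces == "threat":
            threat *= 1 - ctl.factor
        elif ctl.reduces == "vulnerability":
            vuln *= 1 - ctl.factor
        else:
            raise ValueError(f"unknown control type: {ctl.reduces}")
    return round(threat * vuln, 2)


def register(risks, acceptable=6.0):
    """Rank risks by current residual score; flag those above the acceptable level.
    The acceptable level is an assumed policy value."""
    rows = []
    for r in risks:
        now = residual(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.threat_score * r.vulnerability_score,
            "current": now,
            "projected": residual(r, include_planned=True),
            "accept": now <= acceptable,
        })
    rows.sort(key=lambda row: row["current"], reverse=True)
    return rows


# Constructed register entries.
RISKS = [
    Risk("orders-db", "SQL injection from web tier", 4, 5, [
        Control("input validation", "vulnerability", 0.6, in_place=True),
        Control("web application firewall", "vulnerability", 0.5, in_place=False)]),
    Risk("file server", "ransomware", 5, 4, [
        Control("offline backups", "threat", 0.7, in_place=True),
        Control("patching", "vulnerability", 0.5, in_place=True)]),
    Risk("wiki", "defacement", 2, 2, []),
]

if __name__ == "__main__":
    for row in register(RISKS):
        print(row)
```

In the constructed data the orders database stays above the acceptable level until the planned control is actually installed; reporting it as acceptable on the strength of an approved-but-uninstalled control is the mistake the Planned Controls slide warns about.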

Page 49 DISCOVER: RATIONALE

Page 50 Identify Valuable Assets
- Ask a system owner:
  - How much downtime can you accept? Answer: "None"
  - How much data loss can you accept? Answer: "None"
- Then ask "How much money are you willing to spend?"

Page 51 System Testing
- Functionality testing: defining requirements
- Access controls: verifying user rights and allocations
- Penetration testing: verifying security countermeasures
- Tests transactions with applications

Page 52 Variety of Controls Needed
- What is missed if only technical controls are used?
- What is missed if only procedural controls are used?
- What is missed if only physical controls are used?

Page 53 Summary
- Identification of key activities and assets
- Recognize value of data
- Basic planning steps of a BIA
- Techniques used to identify relevant threats, vulnerabilities, and exploits
- Identify and compare procedural, technical, physical, and functional controls