CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP.

Presentation transcript:

Source: Chapter 2, Risk Management, in Olzak, T. (2012). Enterprise security: A practitioner's guide. Chicago, Illinois: InfoSec Institute.

Threat Modeling

- Requires a baseline assessment
- ISRM process steps
  - Assess
    - System definition
    - Threat identification
    - Vulnerability identification
    - Attack path controls assessment
    - Impact analysis
    - Risk determination
    - Controls recommendations

Threat Modeling: ISRM process steps (cont.)
  - Mitigate
    - Action plan and proposal creation/presentation
    - Implement controls
  - Manage
    - Measure and adjust

Attack Trees
- Trace the probable attack path for a threat (new or existing)
- Check for existing vulnerabilities along the path
- Determine risk
- Design controls or processes to reduce risk
- Apply controls and processes
- Verify with attack tree analysis

Attack Tree Example
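The example image on this slide did not survive extraction. In its place, an added example (not from the lecture or the book) that walks the attack-tree steps above and the ISRM assess/mitigate steps: it lists the attack paths that remain while the baseline findings are open, scores risk, then re-runs the analysis after two controls are applied. The tree, findings, leaf likelihoods, impact scale and controls are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"                      # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)

def attack_paths(node, present):
    """Every set of present leaf vulnerabilities that reaches `node`.
    OR gate: any child path suffices. AND gate: one path from each child."""
    if node.gate == "LEAF":
        return [frozenset([node.name])] if node.name in present else []
    if node.gate == "OR":
        return [p for c in node.children for p in attack_paths(c, present)]
    combos = [frozenset()]
    for child in node.children:
        paths = attack_paths(child, present)
        if not paths:                       # one closed AND branch closes the step
            return []
        combos = [c | p for c in combos for p in paths]
    return combos

def risk(paths, likelihood, impact):
    """Risk determination: impact times the likelihood of the easiest
    remaining path (leaf likelihoods are constructed; AND-ed leaves multiply)."""
    best = 0.0
    for p in paths:
        l = 1.0
        for leaf in p:
            l *= likelihood[leaf]
        best = max(best, l)
    return impact * best

# Constructed tree: root is the threat's goal, inner nodes are attack steps,
# leaves are vulnerabilities the baseline assessment may or may not have found.
TREE = Node("Customer database read by an outsider", "OR", [
    Node("Misuse an administrator account", "AND", [
        Node("Remote access allows password-only logon"),
        Node("Admin accounts have no MFA")]),
    Node("Copy the nightly backup", "AND", [
        Node("Backup share readable by all staff"),
        Node("Backups stored unencrypted")]),
    Node("SQL injection in customer portal")])
LIKELIHOOD = {"Remote access allows password-only logon": 0.6, "Admin accounts have no MFA": 0.9,
              "Backup share readable by all staff": 0.5, "Backups stored unencrypted": 0.8,
              "SQL injection in customer portal": 0.3}
IMPACT = 10                                              # constructed 1-10 scale
FOUND = set(LIKELIHOOD) - {"SQL injection in customer portal"}   # baseline findings
FIXED = FOUND - {"Admin accounts have no MFA", "Backups stored unencrypted"}  # after controls
```

With the two controls in place, `attack_paths(TREE, FIXED)` is empty and `risk(...)` drops from 5.4 to 0, which is the "verify with attack tree analysis" step; removing only one leaf of an AND step is enough to close that path.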

Software Testing

Types of Testing
- Unit: development team; usually uses "buddy checking"
- Quality Assurance (QA): formal test plan; test against functional requirements
- User Acceptance: users verify that they will get what they expect
- Post Implementation Check: verify that all technical requirements, including security, were met

Audits

Purpose of Audits
- Not the same as risk assessments, penetration tests, or vulnerability scans
- Ensure outcomes match management's expectations as specified in policy, standards, and guidelines
- Auditors and security personnel must work together; avoid an adversarial relationship
- Internal audits often only check financial issues (e.g., SOX compliance)

Sample Termination Audit
1. Select a target application (financials, Active Directory, etc.).
2. Obtain from the HR system a list of all job terminations since the last audit. (A terminated employee is one who left the company for any reason.)
3. Randomly select 25% of the termination set.
4. Check to ensure terminations were properly managed according to policy for the target application.
5. If more than n terminations were missed, mark the key control for the target application as failed. (The value of n depends on the size of the tested population. The larger the test population, the more failures audit teams will accept.)
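An added example (not the lecture's code) that runs the five-step termination test above over a constructed HR extract and a constructed account export from the target application. The record layout, the employee ids and the policy that an account must be disabled within one day of the termination date are assumptions.

```python
import random
from datetime import date

# Constructed HR extract (step 2): everyone who left, for any reason, since the last audit.
TERMINATIONS = [{"emp_id": e, "term_date": d} for e, d in [
    ("E100", "2015-03-02"), ("E101", "2015-03-04"), ("E102", "2015-03-06"),
    ("E103", "2015-03-09"), ("E104", "2015-03-11"), ("E105", "2015-03-13"),
    ("E106", "2015-03-16"), ("E107", "2015-03-18")]]
# Constructed account export from the target application (step 1), keyed by employee id.
APP_ACCOUNTS = {
    "E100": {"disabled_on": "2015-03-02"},
    "E101": {"disabled_on": None},          # still enabled: a miss
    "E102": {"disabled_on": "2015-03-24"},  # disabled 18 days late: a miss
    # E103 absent from the export: no evidence it was handled, so a miss
    "E104": {"disabled_on": "2015-03-11"},
    "E105": {"disabled_on": "2015-03-14"},  # next day, within the assumed grace period
    "E106": {"disabled_on": "2015-03-16"},
    "E107": {"disabled_on": "2015-03-18"},
}

def select_sample(terminations, fraction=0.25, seed=None):
    """Step 3: random sample of the termination set; a seed makes the sample
    reproducible for the audit workpapers."""
    k = max(1, round(len(terminations) * fraction))
    return random.Random(seed).sample(terminations, k)

def is_missed(term, accounts, grace_days=1):
    """Step 4: a termination is missed if the account is absent from the export,
    still enabled, or disabled later than policy allows (assumed: 1 day)."""
    acct = accounts.get(term["emp_id"])
    if acct is None or acct["disabled_on"] is None:
        return True
    left = date.fromisoformat(term["term_date"])
    gone = date.fromisoformat(acct["disabled_on"])
    return (gone - left).days > grace_days

def assess_key_control(terminations, accounts, n, fraction=0.25, seed=None):
    """Step 5: returns (passed, missed employee ids). The control fails when
    more than n sampled terminations were missed."""
    sample = select_sample(terminations, fraction, seed)
    misses = sorted(t["emp_id"] for t in sample if is_missed(t, accounts))
    return len(misses) <= n, misses

if __name__ == "__main__":
    passed, misses = assess_key_control(TERMINATIONS, APP_ACCOUNTS, n=1, seed=2015)
    print("key control", "passed" if passed else "FAILED", "missed:", misses)
```

Setting `fraction=1.0` tests the whole population, which is the easiest way to see all three constructed misses (E101, E102, E103) and to pick an n that matches the population size.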

Audit Frequency
- Frequency depends on:
  - Data classification
  - Results of past audits
  - Management's appetite for risk

And again… Be sure to read ALL assigned reading. Your success in this class depends on it.