Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 8 : Management of Security Lecture #1-Week 13 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.

Published byEugenia Reeves Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 8 : Management of Security Lecture #1-Week 13 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1."— Presentation transcript:

1 Chapter 8 : Management of Security Lecture #1-Week 13 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1

2 Information security Polices  Define security policies and standards  Measure actual security against policy  Report violations to policy  Correct violations to conform with policy  Summarize policy compliance for the organization 2 CIT 460 Information Security Dr.Khalid Dr. Mohannad

3 The Information Security Functions 3 CIT 460 Information Security Dr.Khalid Dr. Mohannad

4 Managing Information Security 4 CIT 460 Information Security Dr.Khalid Dr. Mohannad

5 Polices Purpose Provide a framework for the management of security across the enterprise 5 CIT 460 Information Security Dr.Khalid Dr. Mohannad

6 Definitions  Policies  High level statements (rules) defining what the organization will do to protect information.  Standards  Requirement statements that provide specific technical specifications and help enforce and support information security, like length of keys …  Procedures  Specific operation steps or manual that workers will follow to implement the goal of the written policies and standards  Guidelines  Optional but recommended specifications 6 CIT 460 Information Security Dr.Khalid Dr. Mohannad

7 Security Policy Access to network resource will be granted through a unique user ID and password Passwords should include one non-alpha and not found in dictionary Passwords will be 8 characters long 7 CIT 460 Information Security Dr.Khalid Dr. Mohannad

8 Chapter 8 : Management of Security Lecture #2-Week 13 Dr.Khalid Dr. Mohannad Information Security 8 CIT 460 Information Security Dr.Khalid Dr. Mohannad

9 Policies should……  Clearly identify and define the information security goals and the goals of the university. 9 CIT 460 Information Security Dr.Khalid Dr. Mohannad

10 Policy Lifecycle 10 CIT 460 Information Security Dr.Khalid Dr. Mohannad

11 The Ten-Step Approach 11 CIT 460 Information Security Dr.Khalid Dr. Mohannad

12 Policy Hierarchy Governance Policy Access Control Policy User ID Policy Access Control Authentication Standard Password Construction Standard User ID Naming Standard Strong Password Construction Guidelines 12 CIT 460 Information Security Dr.Khalid Dr. Mohannad

13 Security Risk Analysis & Management 13 CIT 460 Information Security Dr.Khalid Dr. Mohannad

14 Security in System Development  Risk Analysis & Management needs to be a part of system development, not tacked on afterwards  Baskerville's three generations of methods 1st Generation: Checklists Example: BS 7799 Part 1 2nd Generation: Mechanistic engineering methods Example: this risk analysis method 3rd Generation: Integrated design Not yet achieved [Baskerville, R. (1993). Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys 25 (4): 375-414.] 14 CIT 460 Information Security Dr.Khalid Dr. Mohannad

15 Introduction Risk Analysis and Management Framework AssetsThreatsVulnerabilities Risks Security Measures } } Analysis Management 15 CIT 460 Information Security Dr.Khalid Dr. Mohannad

16 Definitions 1 The meanings of terms in this area is not universally agreed. We will use the following  Asset: what you want to protect  Threat : Harm that can happen to an asset  Vulnerability : a weakness in the system that makes an attack more likely to succeed  Risk : a quantified measure of the likelihood of a threat being realised R=A+T+V 16 CIT 460 Information Security Dr.Khalid Dr. Mohannad

17  Impact : A measure of the seriousness of a threat  Attack : A threatening event  Attacker : The agent causing an attack (not necessarily human) CIT 460 Information Security Dr.Khalid M.O Nahar 17

18 Chapter 8 : Management of Security Lecture #3-Week 13 Dr.Khalid Dr. Mohannad Information Security 18

19 Definitions 2  Risk Analysis involves the identification and assessment of the levels of risk, calculated from the  Values of assets  Threats to the assets  Their vulnerabilities and likelihood of exploitation  Risk Management involves the identification, selection and adoption of security measures justified by  The identified risks to assets  The reduction of these risks to acceptable levels 19 CIT 460 Information Security Dr.Khalid Dr. Mohannad

20 Goals of Risk Analysis  All assets have been identified  All threats have been identified  Their impact on assets has been valued  All vulnerabilities have been identified and assessed 20 CIT 460 Information Security Dr.Khalid Dr. Mohannad

21 Problems of Measuring Risk Businesses normally wish to measure in money, but  Many of the entities do not allow this  Valuation of assets  Value of data and in-house software - no market value  Value of goodwill and customer confidence  Likelihood of threats  How relevant is past data to the calculation of future probabilities?  The nature of future attacks is unpredictable  The actions of future attackers are unpredictable  Measurement of benefit from security measures  Problems with the difference of two approximate quantities  How does an extra security measure affect a ~10 -5 probability of attack? 21 CIT 460 Information Security Dr.Khalid Dr. Mohannad

22 Risk Levels  Precise monetary values give a false precision  Better to use levels, e.g.  High, Medium, Low  High: major impact on the organisation  Medium: noticeable impact (“material” in auditing terms)  Low: can be absorbed without difficulty  1 - 10  Express money values in levels, e.g.  For a large University Department a possibility is  High  Medium  Low £1,000,000+ £1,000+ < £1,000 22 CIT 460 Information Security Dr.Khalid Dr. Mohannad

23 Risk Analysis Steps  Decide on scope of analysis  Set the system boundary  Identification of assets & business processes  Identification of threats and valuation of their impact on assets (impact valuation)  Identification and assessment of vulnerabilities to threats  Risk assessment 23 CIT 460 Information Security Dr.Khalid Dr. Mohannad

24 Risk Analysis – Defining the Scope  Draw a context diagram  Decide on the boundary  It will rarely be the computer!  Make explicit assumptions about the security of neighbouring domains  Verify them! 24 CIT 460 Information Security Dr.Khalid Dr. Mohannad

25 Risk Analysis - Identification of Assets  Types of asset  Hardware  Software: purchased or developed programs  Data  People: who run the system  Documentation: manuals, administrative procedures, etc  Supplies: paper forms, magnetic media, printer liquid, etc  Money  Intangibles  Goodwill  Organisation confidence  Organisation image 25 CIT 460 Information Security Dr.Khalid Dr. Mohannad

26 Chapter 8 : Management of Security Lecture #1-Week 14 Dr.Khalid Dr. Mohannad Information Security 26 CIT 460 Information Security Dr.Khalid Dr. Mohannad

27 Risk Analysis – Impact Valuation Identification and valuation of threats - for each group of assets  Identify threats, e.g. for stored data  Loss of confidentiality  Loss of integrity  Loss of completeness  Loss of availability (Denial of Service)  For many asset types the only threat is loss of availability  Assess impact of threat  Assess in levels, e.g H-M-L or 1 - 10  This gives the valuation of the asset in the face of the threat 27 CIT 460 Information Security Dr.Khalid Dr. Mohannad

28 Risk Analysis – Process Analysis  Every company or organisation has some processes that are critical to its operation  The criticality of a process may increase the impact valuation of one or more assets identified So  Identify critical processes  Review assets needed for critical processes  Revise impact valuation of these assets 28 CIT 460 Information Security Dr.Khalid Dr. Mohannad

29 Risk Analysis – Vulnerabilities 1  Identify vulnerabilities against a baseline system  For risk analysis of an existing system  Existing system with its known security measures and weaknesses  For development of a new system  Security facilities of the envisaged software, e.g. Windows NT  Standard good practice, e.g. BS 7799 recommendations of good practice 29 CIT 460 Information Security Dr.Khalid Dr. Mohannad

30 Risk Analysis – Vulnerabilities 2 For each threat  Identify vulnerabilities  How to exploit a threat successfully;  Assess levels of likelihood - High, Medium, Low  Of attempt  Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)  Successful exploitation of vulnerability;  Combine them Vulnerability Likelihood of Attempt Likelihood of Success Low Med Low MedHigh Med Low 30 CIT 460 Information Security Dr.Khalid Dr. Mohannad

31 Risk Assessment Assess risk  If we had accurate probabilities and values, risk would be  Impact valuation x probability of threat x probability of exploitation  Plus a correction factor for risk aversion  Since we haven't, we construct matrices such as Risk Impact valuation Low Med Low MedHigh Med Low Vulnerability 31 CIT 460 Information Security Dr.Khalid Dr. Mohannad

32 Responses to Risk Responses to risk  Avoid it completely by withdrawing from an activity  Accept it and do nothing  Reduce it with security measures  Transfer 32 CIT 460 Information Security Dr.Khalid Dr. Mohannad

33 Security Measures Possible security measures  Transfer the risk, e.g. insurance  Reduce vulnerability  Reduce likelihood of attempt  e.g. publicise security measures in order to deter attackers  e.g. competitive approach - the lion-hunter’s approach to security  Reduce likelihood of success by preventive measures  e.g. access control, encryption, firewall  Reduce impact, e.g. use fire extinguisher / firewall  Recovery measures, e.g. restoration from backup 33 CIT 460 Information Security Dr.Khalid Dr. Mohannad

Download ppt "Chapter 8 : Management of Security Lecture #1-Week 13 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1."

Similar presentations

Driving Factors Security Risk Mgt Controls Compliance.

Driving Factors Security Risk Mgt Controls Compliance.
IT Service Continuity Management

IT Service Continuity Management
Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Security Risk Analysis & Management

Security Risk Analysis & Management
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Information Security Policies and Standards

Information Security Policies and Standards
A Robust Process Model for Calculating Security ROI Ghazy Mahjub DePaul University M.S Software Engineering.

A Robust Process Model for Calculating Security ROI Ghazy Mahjub DePaul University M.S Software Engineering.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
Introducing Computer and Network Security

Introducing Computer and Network Security
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Chapter 4 Internal Controls McGraw-Hill/Irwin

Chapter 4 Internal Controls McGraw-Hill/Irwin
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google