
IS3230 Access Security Unit 5 Mapping Business Challenges and Managing Human Resources Risks.

Presentation transcript:

Slide 1: IS3230 Access Security, Unit 5: Mapping Business Challenges and Managing Human Resources Risks

Slide 2: Class Agenda 10/15/15
– Learning objectives
– Lesson presentation and discussions
– Class project outline due
– Quiz 2 will be held today
– Lab activities will be performed in class
– Assignments will be given in class
– Break times: a 10-minute break every hour
Note: All assignments and labs are due today.

Slide 3: Business Continuity
An organization's ability to maintain operations after a disruptive event or in the aftermath of a disaster.
Examples of disruptive events:
– Power outage
– Hurricane
– Tsunami
Business continuity planning and testing steps:
– Identify exposure to threats
– Create preventive and recovery procedures
– Test the procedures to determine whether they are sufficient

Slide 4: Class Agenda 10/8/15
– Learning objectives
– Lesson presentation and discussions
– Class project outline due
– Lab activities will be performed in class
– Assignments will be given in class
– Break times: a 10-minute break every hour
Note: All assignments and labs are due today.


Slide 6: Business Continuity (continued)
– Succession planning: determining in advance who is authorized to take over if key employees die or are incapacitated
– Business impact analysis (BIA):
  – Analyzes the most important business functions and quantifies the impact of their loss
  – Identifies threats through risk assessment
  – Determines the impact if the threats are realized

Slide 7: Disaster Preventive Measures
Be proactive:
– Fortification of the facility in its construction materials
– Redundant servers and communications links
– Power lines coming in through different transformers
– Redundant vendor support
– Purchase of insurance
– Purchase of UPS units and generators
– Data backup technologies
– Media protection safeguards
– Increased inventory of critical equipment
– Fire detection and suppression systems

Slide 8: Disaster Recovery
– A subset of business continuity planning and testing
– Also known as contingency planning
– Focuses on protecting and restoring information technology functions
– Mean time to restore (MTTR): measures the average time needed to reestablish services
– Disaster recovery activities: create, implement, and test disaster recovery plans

Slide 9: Disaster Recovery (continued)
– Minimize the effects of a disaster and ensure that resources, personnel, and business processes are able to resume operation in a timely manner
– The goal is to handle the disaster and its ramifications right after the disaster hits
– The disaster recovery plan is usually very information technology (IT) focused

Slide 10: Steps in Risk Management (continued)
– Risk mitigation: the final step is to determine what to do about the risks
Options when confronted with a risk:
– Risk avoidance: avoid the activity that carries the risk
– Risk acceptance: accept that the risk exists
– Risk transference: shift responsibility to another party
– Risk mitigation: apply strategies to minimize the risk

Slide 11: Threat Mitigation
Threat mitigation should ensure:
– Information confidentiality
– Information integrity
– Information availability

Slide 12: Business Challenges
Business access control strategies focus on:
– Users: individuals who need access to resources
– Applications: applications access file systems, connect to databases, and read and write files
– Network devices: one network could request resources from another

Slide 13: Best Practices for Access Control
Establishing best practices for limiting access can help secure systems and data.
Examples of best practices:
– Separation of duties
– Job rotation
– Least privilege
– Implicit deny
– Mandatory vacations

Slide 14: Separation of Responsibility
The principle that ensures an attacker who compromises one account cannot gain access to another.
– Fraud can result from a single user being trusted with complete control of a process
– Requires two or more people to be responsible for functions related to handling money
– The system is not vulnerable to the actions of a single person

Slide 15: Practices for Access Control
– Separation of duties: if the fraudulent application of a process could potentially result in a breach of security, then the process should be divided between two or more individuals
– Job rotation: instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another

Slide 16: Least Privilege
The principle that an entity should be given the minimal level of rights necessary to perform its legitimate function.
– Limits access to information based on what is needed to perform a job function
– Helps reduce the attack surface by eliminating unnecessary privileges
– Should apply to both users and processes on the system
– Processes should run at the minimum security level needed to function correctly
– The temptation to assign higher levels of privilege is great

Slide 17: Practices for Access Control (continued)
– Least privilege: each user should be given only the minimal privileges necessary to perform his or her job function
– Implicit deny: if a condition is not explicitly met, then the request is rejected

Slide 18: Table 9-4 Challenges of least privilege (table not included in the transcript)

Slide 19: Access Control Models
– Standards that provide a predefined framework for hardware or software developers
– Used to implement access control in a device or application
Four major access control models:
– Mandatory Access Control (MAC)
– Discretionary Access Control (DAC)
– Role Based Access Control (RBAC)
– Rule Based Access Control (RBAC)

Slide 20: Table 9-3 Access control models (table not included in the transcript)
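The practices on slides 13 through 19 (least privilege, separation of duties, implicit deny, and role- and rule-based access control) are easiest to see together in one authorization check. The following is an added example written for this transcript; it is not code from the course or its textbook. The roles, permissions, user names, the business-hours rule, and the "initiator may not approve" conflict are all constructed for illustration.

```python
"""Toy authorization check combining least privilege (each role grants only the
permissions that job needs), implicit deny (anything not explicitly granted is
rejected), separation of duties (whoever initiates a payment may not approve
it) and a rule-based condition (approvals only during business hours).
Added example; roles, permissions, users and rules are constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Least privilege: a role lists only the permissions its job requires.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk":   {"payment:initiate", "report:read"},
    "manager": {"payment:approve", "report:read"},
    "auditor": {"report:read", "audit:read"},
}

# Separation of duties: one person must never perform both halves of a pair
# on the same payment.
SOD_CONFLICTS = {("payment:initiate", "payment:approve")}

# Rule-based condition (constructed): approvals are valid only in this window.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass
class Payment:
    pid: str
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None

    def actor_for(self, action: str) -> Optional[str]:
        """Who has already performed `action` on this payment, if anyone."""
        return {"payment:initiate": self.initiated_by,
                "payment:approve": self.approved_by}.get(action)


def permissions_for(roles: Iterable[str]) -> Set[str]:
    """Union of the permissions granted by the user's roles. An unknown role
    grants nothing, so a mistyped role name fails closed rather than open."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violation(user: str, action: str, payment: Payment) -> bool:
    """True if `user` already performed the conflicting half of a SoD pair."""
    for first, second in SOD_CONFLICTS:
        if action == first:
            other = second
        elif action == second:
            other = first
        else:
            continue
        if payment.actor_for(other) == user:
            return True
    return False


def authorize(user: str, roles: Iterable[str], action: str,
              payment: Payment, now: time) -> Tuple[bool, str]:
    """Decide whether `user` may perform `action` on `payment` at `now`.
    The default answer is deny; only a request that passes every check is allowed."""
    if action not in permissions_for(roles):
        return False, f"implicit deny: no role grants {action}"
    if action == "payment:approve" and not (BUSINESS_HOURS[0] <= now <= BUSINESS_HOURS[1]):
        return False, "rule: approvals are only allowed during business hours"
    if sod_violation(user, action, payment):
        return False, "separation of duties: the same person cannot initiate and approve"
    return True, "allowed"


def record(user: str, action: str, payment: Payment) -> None:
    """Record a permitted action so later separation-of-duties checks see it."""
    if action == "payment:initiate":
        payment.initiated_by = user
    elif action == "payment:approve":
        payment.approved_by = user


def run_scenario() -> List[bool]:
    """Constructed walk-through; returns the allow/deny decision of each step."""
    pay = Payment("INV-1001")
    decisions = []
    ok, _ = authorize("alice", ["clerk"], "payment:initiate", pay, time(10, 0))
    decisions.append(ok)                       # clerk may initiate -> True
    record("alice", "payment:initiate", pay)
    # alice also holds the manager role, but she initiated this payment -> SoD denies
    decisions.append(authorize("alice", ["clerk", "manager"], "payment:approve", pay, time(10, 0))[0])
    decisions.append(authorize("bob", ["manager"], "payment:approve", pay, time(10, 0))[0])   # True
    decisions.append(authorize("bob", ["manager"], "payment:approve", pay, time(20, 0))[0])   # rule denies
    decisions.append(authorize("carol", ["auditor"], "payment:approve", pay, time(10, 0))[0])  # implicit deny
    decisions.append(authorize("dave", ["intern"], "report:read", pay, time(10, 0))[0])        # unknown role
    return decisions


if __name__ == "__main__":
    for step, ok in zip(["alice initiates", "alice approves", "bob approves",
                         "bob approves at 20:00", "carol approves", "dave reads report"],
                        run_scenario()):
        print(f"{step}: {'allowed' if ok else 'denied'}")
```

Note that every deny path returns a reason that names the control which fired; in a real system that reason belongs in the audit log, since a burst of "separation of duties" denials for one account is exactly the signal slide 14 is concerned with.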

Slide 21: What Is a Security Policy?
Security policy: a written document that states how an organization plans to protect the company's information technology assets.
An organization's information security policy can serve several functions:
– It can be an overall statement of intention and direction
– It details specific risks and how to address them
– It can create a security-aware organizational culture
– It can help ensure that employee behavior is directed and monitored

Slide 22: Ethics Policy
Ethics policy: a written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making.
– Intended to clarify an organization's mission, values, and principles, and link them with standards of professional conduct

Slide 23: Types of Security Policies
Most organizations have security policies that address:
– Acceptable use
– Security-related human resources
– Password management and complexity
– Personally identifiable information
– Disposal and destruction
– Service level agreements
– Classification of information
– Change management
– Ethics

Slide 24: Reducing Risks of Social Engineering
Social engineering: relies on tricking and deceiving someone into providing secure information.
Phishing:
– One of the most common forms of social engineering
– Involves sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
– Both the e-mails and the fake Web sites appear to be legitimate

Slide 25: Designing a Security Policy (continued)
The security policy cycle:
– The first phase involves a risk management study:
  – Asset identification
  – Threat identification
  – Vulnerability appraisal
  – Risk assessment
  – Risk mitigation
– The second phase of the security policy cycle is to use the information from the risk management study to create the policy
– The final phase is to review the policy for compliance

Slide 26: Reducing Risks of Social Engineering
Variations on phishing attacks:
– Spear phishing
– Pharming
– Google phishing
Ways to recognize phishing messages include:
– Deceptive Web links
– E-mails that look like Web sites
– Fake sender's address
– Generic greeting
– Pop-up boxes and attachments
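The recognition cues on slide 26 can be turned into a simple mail-triage check that a help desk or awareness program could run over reported messages. The following is an added example written for this transcript, not code from the course or its textbook. The trusted domain (trustbank.example), the two sample messages, the IP address used as a link target (a reserved documentation address), and the list of risky attachment extensions are all constructed for illustration.

```python
"""Heuristic check for the phishing indicators listed on the slide: a fake
sender address (display name names a trusted brand but the address domain is
not that brand's), deceptive links (visible text shows one domain, the href
goes elsewhere), a generic greeting, and attachments that carry code.
Added example; trusted domains and both sample messages are constructed."""
import re
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "dear valued customer", "dear member")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip")
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

# Constructed: the brand whose customers this check protects.
TRUSTED_DOMAINS = ["trustbank.example"]


def same_site(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(msg: Dict, trusted_domains: List[str]) -> List[str]:
    """Return one line per indicator found; an empty list means none fired."""
    hits: List[str] = []

    # Fake sender: name says "TrustBank" but the address domain is not trustbank.example.
    display_name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for domain in trusted_domains:
        brand = domain.split(".")[0]
        if brand in display_name.lower() and not same_site(sender_domain, domain):
            hits.append(f"sender name mentions '{brand}' but address domain is '{sender_domain}'")

    # Deceptive link: the domain the reader sees is not where the link goes.
    for text, href in msg["links"]:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text.lower())
        if shown and not same_site(host, shown.group(0)):
            hits.append(f"link text shows '{shown.group(0)}' but points to '{host}'")

    # Generic greeting: a real account holder is normally addressed by name.
    body = msg["body"].strip()
    first_line = body.splitlines()[0].lower() if body else ""
    if first_line.startswith(GENERIC_GREETINGS):
        hits.append(f"generic greeting: '{first_line}'")

    # Attachments with executable or script-bearing extensions.
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment: {name}")
    return hits


# Constructed sample messages (links are (visible text, href) pairs).
PHISHING_SAMPLE = {
    "from": "TrustBank Security <alerts@trustbank-secure.invalid>",
    "body": "Dear Customer,\nYour account is locked. Verify it at the link below.",
    "links": [("https://www.trustbank.example/login", "http://198.51.100.7/login")],
    "attachments": ["Statement.pdf.exe"],
}
LEGIT_SAMPLE = {
    "from": "TrustBank Support <support@trustbank.example>",
    "body": "Dear Alice,\nYour March statement is available in online banking.",
    "links": [("trustbank.example", "https://www.trustbank.example/statements")],
    "attachments": [],
}

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        found = phishing_indicators(sample, TRUSTED_DOMAINS)
        print(f"{label}: {len(found)} indicator(s)")
        for line in found:
            print("  -", line)
```

The check is deliberately a list of independent cues rather than a single score: a message that trips only the generic-greeting rule is a weak signal, while a sender-domain mismatch plus a link whose visible text disagrees with its target is the combination the slide describes. Slide 26's "e-mails that look like Web sites" and pop-up boxes are rendering cues that need the HTML, so they are left out here.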

Slide 27: Reducing Risks of Social Engineering (continued)
– Dumpster diving: digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
– Shoulder surfing: watching an individual enter a security code or password on a keypad
– Computer hoax: an e-mail message containing a false warning to the recipient about a malicious entity circulating through the Internet

Slide 28: Education and Training
Education and training involve understanding the importance of organizational training and how it can be used to reduce risks such as social engineering.

Slide 29: Organizational Training
All computer users in an organization share a responsibility to protect the assets of that organization.
– Users need training in the importance of securing information, the roles they play in security, and the steps they need to take to ward off attacks
All users need:
– Continuous training in the new security defenses
– To be reminded of company security policies and procedures

Slide 30: Best Practices for Managing Human Risks
– Defining appropriate policies and procedures governing employee behavior
– Educating employees about the policies and procedures relevant to them
– Verifying employees' understanding of relevant policies and procedures
– Discovering and addressing behavioral shortcomings
– Managing change over time

Slide 31: Unit 5 Lab Activities
Lab #5: Enhance Security Controls for Access to Sensitive Data. Complete the lab activities and submit the answers at the next class.

Slide 32: Unit 5 Assignments
Unit 5 Assignment 1: Implementing a Comprehensive Human Resources Risk Management Plan. The assignment will be given in class.
Reading assignment: read Chapters 6 and 7.

