Published by Austen Grant. Modified over 6 years ago.
Slide 1: Understand mechanisms to control organisational IT security
Unit 48 I.T. Security Management, HND in Computing and Systems Development
Slide 2: Understand mechanisms to control organisational IT security
- Risk assessment
- Data protection
- Physical security
Slide 3: Information Security Risk
Information security risk analysis, or risk assessment, is fundamental to the security of any organization. The information security of any system should be commensurate with its risks. The process of deciding which security controls are appropriate and cost-effective is often complex and sometimes a subjective matter. It is essential to ensure that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
Slide 4: Questions to ask!
- What are the resources that need protecting?
- What is the value of those resources, monetary or otherwise?
- What are all the possible threats that those resources face?
- What is the likelihood of those threats being realized?
- What would be the impact of those threats if they were realized?
Slide 5: Information Asset Definition
Information assets are the resources of a computing system that, once compromised, release sensitive or undisclosed system information to the threat agent: physical, hardware, software, data, communications, administrative personnel.
Slide 6: Defining Risk
The term risk is used to describe the possibility of a threat taking advantage of an asset's vulnerability.
Slide 7: Risk Management
Risk management comprises:
- Risk assessment: identify and analyse risks
- Risk control: reduce risks, provide contingency
Slide 8: Defining Risk Management
Risk management is the process of:
- establishing and maintaining information system security within an organization
- identifying and managing opportunities and threats
Slide 9: Risk Management Approaches
Quantitative approach
- employs two fundamental elements: the probability of an event occurring, and the likely loss should it occur
- requires probabilities, which are rarely precise, so the data may be unreliable and inaccurate
- a time-consuming and expensive exercise
Qualitative approach
- the most widely used approach to risk analysis (e.g. COBRA)
- involves less uncertainty (no probabilities)
- uses the interrelated elements of threats, vulnerabilities and controls
- based on expert knowledge
- parameters are high, medium, low
Slide 10: Problems of Measuring Risk
Businesses wish to measure in money, but many of the entities involved do not permit this:
- Valuation of assets: data and in-house software have no market value; the value of goodwill and customer confidence is hard to state
- Likelihood of threats: how relevant is past data to the calculation of future probabilities? The nature of future attacks and the actions of future attackers are unpredictable
- Measurement of the benefit from security measures
Slide 11: Risk vs Threat
- Reference point: for a risk you examine the system; for a threat you examine the environment around it
- Impact: sometimes a major threat may correspond, in the context of the business, to a minor risk
- Relationship: risks and threats do not have a one-to-one relationship. Some threats may contribute to more than one risk, and some risks have properties that are not directly related to individual threats.
Slide 12: Risk Analysis Steps
- Decide on the scope of the analysis: set the system boundary
- Identification of assets and business processes
- Identification of threats and valuation of their impact on assets
- Identification and assessment of vulnerabilities to threats
- Risk assessment
Slide 13: 1. Risk Analysis – Defining the Scope
- Draw a context diagram
- Decide on the boundary: it will rarely be the computer!
- Make explicit assumptions about the security of neighbouring domains, and verify them!
Slide 14: 2. Risk Analysis – Identification of Assets
- Hardware
- Software: purchased or developed programs
- Data
- Users
- Documentation: manuals, admin procedures
- Supplies: paper, printer cartridges, pens, etc.
- Money
- Intangibles: goodwill, reputation
Slide 15: 3. Risk Analysis – Impact Valuation
Identification and valuation of threats to assets:
- Identify threats, e.g. for stored data: loss of confidentiality, loss of integrity, loss of completeness, loss of availability (denial of service)
- For many asset types the only threat is loss of availability
- Assess the impact of each threat in levels, e.g. H-M-L
- This gives the valuation of the asset in the face of the threat
Slide 16: 4. Risk Analysis – Process Analysis
Every company or organisation has some processes that are critical to its operation. The criticality of a process may increase the impact valuation of one or more of the assets identified. So:
- Identify critical processes
- Review the assets needed for critical processes
- Revise the impact valuation of these assets
Slide 17: 5. Risk Analysis – Vulnerabilities 1
Identify vulnerabilities against a baseline system:
- For risk analysis of an existing system: the existing system with its known security measures and weaknesses
- For development of a new system: the security facilities of the envisaged software (e.g. Windows NT), and standard good practice (e.g. the BS 7799 recommendations of good practice)
Slide 18: 5. Risk Analysis – Vulnerabilities 2
For each threat, identify the vulnerabilities and how likely it is that the threat can be exploited successfully. Assess levels of likelihood (High, Medium, Low) for:
- the attempt: expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
- successful exploitation of the vulnerability
Then combine them.
Slide 19: 6. Risk Assessment & Response
You should now have all the information needed to produce the risk assessment. Responses to a risk:
- Avoid it completely by withdrawing from an activity
- Accept it and do nothing
- Reduce it with security measures
Slide 20: Example Asset: Risk Impact Estimate
Internal mailbox of Bill Gates; risk impact estimate examples:
- Risk of loss: Medium impact
- Risk of access by staff: High impact
- Risk of access by the press: Catastrophic impact
- Risk of access by a competitor: High impact
- Risk of temporary no access by Bill: Low impact
- Risk of change of content: Medium impact
Slide 21: Some examples of UK real-life risks
Chances are your death will be by:
- being shot by a stranger: 1 in 22,500
- drowning in the bath: 1 in 17,500
- plane crash: 1 in 800,000
- car accident: 1 in 300
- suicide: 1 in 160
- accidental fall: 1 in 150
- cancer: 1 in 4
This year in England and Wales:
- 130,000 will die of heart disease
- 24 due to adverse weather conditions
- 1 from lightning
Slide 23: Risk assessment – Task
Based on a case study of a very small business.
Slide 24: Risk ratings
Some useful (?) principles, using qualitative terms:
- Nothing has a higher risk rating than its impact
- If something does not have a huge impact, it is not a huge risk
- Anything that has a high impact must be at least a medium risk
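The following is an added example, not part of the slides or the case study: it turns the likelihood-combination step of slide 18 and the rating principles of slide 24 into a small qualitative risk register, and checks that the rating matrix actually obeys those principles. The combination rule, the 3x3 risk matrix and the register entries are this example's own assumptions.

```python
"""Qualitative risk rating for a small risk register (added example, not from
the slides). Overall likelihood combines likelihood of attempt with likelihood
of successful exploitation (slide 18); the rating obeys the slide 24 principles
(never above impact; High impact is at least Medium). Both tables are assumed."""

LEVELS = ("Low", "Medium", "High")   # ordinal H-M-L scale used on the slides

def combine_likelihood(attempt, success):
    """Assumed rule: an attack rarely attempted or rarely successful is
    unlikely overall, so take the lower of the two levels."""
    return LEVELS[min(LEVELS.index(attempt), LEVELS.index(success))]

# Assumed risk matrix: row = impact, columns = likelihood Low, Medium, High.
RISK_MATRIX = {
    "Low":    ("Low",    "Low",    "Low"),
    "Medium": ("Low",    "Medium", "Medium"),
    "High":   ("Medium", "High",   "High"),
}

def risk_rating(impact, likelihood):
    return RISK_MATRIX[impact][LEVELS.index(likelihood)]

def matrix_obeys_principles():
    """Check the slide 24 principles hold for every cell of RISK_MATRIX."""
    for impact, row in RISK_MATRIX.items():
        for rating in row:
            if LEVELS.index(rating) > LEVELS.index(impact):  # never above impact
                return False
            if impact == "High" and rating == "Low":         # High impact >= Medium
                return False
    return True

def prioritise(register):
    """Rate each (name, impact, attempt, success) entry, highest risk first."""
    rated = [(name, risk_rating(impact, combine_likelihood(attempt, success)))
             for name, impact, attempt, success in register]
    return sorted(rated, key=lambda r: -LEVELS.index(r[1]))

# Constructed entries in the spirit of the very-small-business case study.
SAMPLE_REGISTER = [
    ("Customer database: loss of confidentiality", "High", "Medium", "Medium"),
    ("Office PC: theft", "Medium", "Low", "High"),
    ("Printer supplies: loss of availability", "Low", "High", "High"),
    ("Encryption key: brute-force", "High", "Low", "Low"),  # expensive attack, slide 18
]

if __name__ == "__main__":
    for name, rating in prioritise(SAMPLE_REGISTER):
        print(f"{rating:6}  {name}")
```

The brute-force entry shows the slide 18 point in practice: a High-impact threat that is both rarely attempted and rarely successful still comes out as a Medium risk, never Low, because of the third slide 24 principle.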
Slide 25: Assessing risk – 2 approaches
- Vulnerability-driven: identify all possible vulnerabilities in the system
- Asset-driven: look at each asset and identify what could threaten the confidentiality, integrity and availability of the data
Slide 26: Assess responses to the risks
- Too much security: very restrictive use, high cost
- Too little security: unrestricted use, low visible cost, high danger
Need to know the value of the information and the value of the processes.
Slide 27: Risk assessment
- Potential loss: data, intellectual property, hardware and software
- Probability of occurrence: disaster, theft, staff responsibilities
"Impact measures the level of 'pain' to the organization." "Likelihood measures the probability of feeling the impact."
Kimmelman, Jeff. "Risk Assessment and Management." April 17, 2002. URL: (September 6, 2003) (now 404), quoted in file:///S:/HNDUnits/Unit%2048%20I.T.%20Security%20Management/REsources/case-study-risk-audit-small-business-1243complete.pdf (19th October 2015)
Slide 28: Possible responses
- Ignore: accept the risk and focus on other things (very low risks, or risks which are beyond any reasonable counter-measure)
- Mitigate: reduce impact, reduce likelihood, or reduce both
- Transfer: e.g. insurance
- Avoid: don't do the activity!
Some counter-measures may be effective against multiple potential threats.
Slide 29: Risk assessment – Task
Read: A Risk Audit of a Very Small Business. Respond to the task brief by writing a report which gives your solutions to the following:
- Determine what must be protected (assets)
- Identify and define possible threats to those assets
- Determine and prioritize the risks
Slide 30: Task – report back
- Major findings
- Further information
- Comments
Did you use the vulnerability-driven or the asset-driven approach to assess the risks?
Slide 31: Read the rest of the case study, including the appendices
Task: add to your report.
- Do you agree with the recommendations the author makes?
- This was written in 2003; what would be different about this business today? What implications would that have for security?
- This business is based in the US. What difference would it make if it was based in the UK?