Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Governance and Risk Management

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Governance and Risk Management"— Presentation transcript:

1 Information Security Governance and Risk Management
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Information Security Governance and Risk Management

2 Domain Agenda Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

3 C. I.A. Confidentiality: Preventing from unauthorized disclosure
Integrity: Preventing from unauthorized modification Availability: Preventing denial of service

4 Domain Agenda Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

5 Security Best Practices
Job Rotation Separation of Duty Security Awareness training Information Classification Risk Analysis Ethics Education

6 Roles and Responsibilities
Specific General Communicated at hiring Verified capabilities and limitations 3rd party considerations Good practices Reinforced via training

7 Internal Roles Executive Management
Information Systems Security Professionals Owners Custodians Operations Staff Security Staff Data and System Owners Users

8 External Roles Vendors/Suppliers Contractors Temporary Employees
Customers Business Partners Outsourced Relationships Outsourced Security

9 Human Resources and Related Issues
Employee development Employee management Hiring and Termination Consult the Human Resources Department Low-level checks Termination Procedures Hiring New Staff Background checks/security clearances Verify references and educational records Signed Employment Agreements Acceptable use Non-disclosure Non-compete Ethics

10 Personnel andSecurity AwraenessTraining / Good Pratices
Job descriptions / Defined roles and responsibilities Least privilege Need to know Separation of duties Job rotation Mandatory vacations Security Awareness training Job training Professional education Good Practices Be relevant Scope properly Address the audience

11 Domain Agenda Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

12 Security Blueprints and Single Point of Failure
Documnted Security Program Focus on the mission Organizations are different Cost-effective Blueprints Identify and design security requirements Infrastructure security blueprints Holistic Single Point of Failure Identify processes Identify risks to the plan Be prepared

13 ISO/IEC 27000 Series = ISMS Blueprints
27000 – Glossary of terms 27001: Attainment certification 27002:2005/Cor1:2007 – Code of practice 27003 – ISMS Implementation guidance under development as of Sept 08 27004 – Information security measurement – Information security – Risk management 27006:2007 – Certification vendor process 27799:2008 – Information Security for Health Care Organizations

14 Domain Agenda Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

15 Security Management, Administration and Governance
Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks. The risks to these assets can be calculated by analysis of the following issues: Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets Vulnerabilities. How susceptible your assets are to attack Impact. The magnitude of the potential loss or the seriousness of the event.

16 Security Management, Administration and Governance
Standards that are available to assist organizations implement the appropriate programs and controls to mitigate these risks are for example BS7799/ISO 17799, Information Technology Infrastructure Library and COBIT. Information Security Governance, Information Security Governance or ISG, is a subset discipline of Corporate Governance focused on information Security systems and their performance and risk management. Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations

17 Security Management, Administration and Governance
Develop the information security strategy in support of business strategy and direction. Obtain senior management commitment and support Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities. Establish reporting and communication channels that support information security governance activities. Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise. Establish and maintain information security policies that support business goals and objectives. Ensure the development of procedures and guidelines that support information security policies. Develop business case for information security program investments.

18 Management’s Security Policy
Management’s goals and objectives in writing Documents compliance Creates security culture

19 Define the following Area IV Buddy System Policy
THIS AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMBERS WILL USE THE “BUDDY SYSTEM” AT ALL TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION. ALL PERSONNEL WILL CARRY S.O.F.A. AND AN EMERGENCY TELEPHONE NUMBER CARD AST ALL TIMES. LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES. BY ORDER OF THE AREA IV COMMANDER

20 Policies, Standards, Guidelines and Procedures
Policies are the top tier of formalized security documents. These high-level documents offer a general statement about the organization’s assets and what level of protection they should have. Well-written policies should spell out who’s responsible for security, what needs to be protected, and what is an acceptable level of risk.. Standards are much more specific than policies. Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement. As an example, a standard might set a mandatory requirement that all communication be encrypted. So although it does specify a certain standard, it doesn’t spell out how it is to be done. That is left for the procedure.

21 Policies, Standards, Guidelines and Procedures
A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually mapped to industry standards. As an example, an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard. A guideline points to a statement in a policy or procedure by which to determine a course of action. It’s a recommendation or suggestion of how things should be done. It is meant to be flexible so it can be customized for individual situations. A procedure is the most specific of security documents. A procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done. A security model is a scheme for specifying and enforcing security policies. Examples include: Bell and LaPadula, Biba, Access control lists

22 Information Classification
It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security. A system of classification should ideally be: simple to understand and to administer effective in order to determine the level of protection the information is given. applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed).

23 Information Classification
With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. Violations of the Information Classification Policy should result in disciplinary proceedings against the individual. Number of information classification levels in an organization should be a manageable number as having too many makes maintenance and compliance difficult.

24 Information Classification
Top Secret: Highly sensitive internal documents and data. For example, impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible. Highly Confidential: Information which is considered critical to the organization’s ongoing operations and could seriously impede or disrupt them if made shared internally or made public. Such information includes accounting information, business plans, sensitive information of customers of banks (etc), patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.

25 Information Classification
Proprietary: Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high. Internal Use Only: Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include: internal memos, internal project reports, minutes of meetings. Security at this level is controlled but normal. Public Documents: Information in the public domain: press statements, annual reports, etc. which have been approved for public use or distribution. Security at this level is minimal.

26 Domain Agenda Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

27 Roles and Responsibilities
Internal Roles Executive Management; Information System Security Professionals; Owners: Data and System Owners; Custodians Operational Staff; Users; Legal, Compliance and Privacy Officers; Internal Auditors; Physical Security Officers External Roles Vendors and Supplies; Contractors; Temporary Employees; Customers; Business Partners; Outsourced Relationships; Outsourced Security Human Resources Employee development and management; Hiring and termination; Signed employee agreements; Education

28 Risk Management and Analysis
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm. The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

29 Risk Managementg and Analysis
A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion (scenarios), or where reliable dollar figures and historical information is available, the analysis may use quantitative analysis For any given risk, Executive Management can choose to accept the risk based upon the relative low value of the asset, the relative low frequency of occurrence, and the relative low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or out-sourcing to another business.

30 Risk Management and Analysis
Identification of assets and estimating their value. Include: people, buildings, hardware, software, data supplies. Conduct a threat assessment. Include: Acts of nature, accidents, malicious acts originating from inside or outside the organization. Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, - - - Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.

31 Risk Management and Analysis
Step 1: Estimate Potential Loss SLE = AV ($) x EF (%) SLE: Single Loss Expectancy, AV: Asset Value. EF: Exposure Factor (percentage of asset value) Step 2: Conduct Threat Likelihood Analysis ARO Annual Rate of Occurrence Number of times per year that an incident is likely to occur Step 3: Calculate ALE ALE: Annual Loss Expectancy ALE = SLE x ARO

32 Risk Management Identifying and reducing total risks
Choosing mitigation strategies Setting residual risk at an acceptable level Integrating risk management processes into the organization

33 Risk Management The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets. Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability, and the resulting impact of that adverse event on the organization.

34 Risk Management Benefits
Focuses policy and resources Identifies areas with specific risk requirements Directs budget Supports Business continuity process Insurance and liability decisions Legitimizes security awareness programs

35 Risk Management Definitions
Assets Threat-source/agent Threat Exposure Vulnerability Likelihood Attack Controls Countermeasures Safeguards Total risk Residual risk

36 Risk Assessment / Analysis Steps: SP 800-30
System Characterization Threat Identification Vulnerability Identification Control Analysis Likelihood Determination Impact Analysis Risk Determination Control Recommendations Results Documentation

37 Information Valuation Considerations
Exclusive possession Utility Cost to acquire or create Liability Convertibility Operational impact Timing Methods Modified – Delphi Facilitated sessions Survey Interview Checklist

38 Quantitative Risk Analysis
Assign monetary values Labor and time intensive Difficult to achieve Steps Estimate potential losses Conduct a threat likelihood analysis Calculate annual loss expectancy

39 Step One: Estimate Potential Losses
SINGLE LOSS EXPECTANCY SLE = AV ($) x EF (%) AV (Asset Value) EF (Exposure Factor)

40 Step Two: Conduct Threat Likelihood Analysis
ARO - Annual Rate of Occurrence Number of exposures or incidents that can be expected in a given year Likelihood of an unwanted event occurring

41 Step Three: Calculate ALE
ALE –Annual Loss Expectancy ALE = SLE x ARO Magnitude of risk = ALE Purpose: Justify security countermeasures

42 Quantitative and Hybrid Risk Analysis
Scenario-oriented No $ values Rank seriousness of threats and sensitivity of assets Perform a carefully reasoned risk assessment Hybrid Qualitative FMEA (Failure Modes and Effect Analysis) FTA (Fault Tree Analysis)

43 Risk Mitigation and Assurance
Acceptance = Absorb the effect of an incident Reduction = Implement controls Transference = Insurance Avoidance = Stop it Risk Assurance Cyclical nature Liability

44 Countermeasure Selection Principles
Cost/benefit analysis Accountability Absence of design secrecy Audit capability Vendor trustworthiness Independence of control and subject Universal application Compartmentalization Defense in depth Isolation, economy and least common mechanism Acceptance and tolerance by personnel Minimum human intervention Sustainability Reaction and recovery Override and fail-safe defaults Residuals and reset

45 Domain Agenda Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

46 Ethical Environments and Reponsibilities
Ethics are difficult to define Begin with senior management “Set the example” Encourage adoption of ethical guidelines and standards Inform users about ethical responsibilities through security awareness training Responsibilities Global responsibility National Organizational Personal

47 Basis and Origin of Ethics
Religion Law National interest Individual rights Common good/interest Enlightened self-interest Professional ethics/practices Standards of good practice Tradition/culture Formal Ethical Theories Teleology Ethics in terms of goals, purposes or ends Deontology Ethical behavior is a duty

48 Relevant Professional Codes of Ethics
(ISC)2 RFC 1087 Access and use of the Internet is a PRIVILEGE and should be treated as such by all users RFC 1087 refers to “Negligence in the conduct of Internet-wide experiments” as “irresponsible and unacceptable”, but does not specifically label such conduct as “unethical”. Internet Architecture Board ISC2 Code of Ethics and Cannons “Safety of the commonwealth, duty to our principals and to each other requires that we adhere and be seen to adhere, to the highest ethical standards of behavior” “Therefore, strict adherence to this code is a condition of certification”. “Protect society, the commonwealth and the infrastructure” “Act honorably, honestly, justly, responsibly and legally” “Provide diligent and competent service to principals” “Advance and protect the profession”

49 Internet Architecture Board (IAB)
Any activity is unethical and unacceptable that purposely: Seeks to gain unauthorized access to Internet resources Disrupts the intended use of the Internet Waste resources (people, capacity, computer) through such actions Destroys the integrity of computer-based information Compromises the privacy of users Involves negligence in the conduct of Internet-wide experiments

50 Domain Summary Information Security Management System ISMS)
Business drivers Governance Roles and responsibilities Security planning Security administration Risk management Ethics

Download ppt "Information Security Governance and Risk Management"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Security Controls – What Works

Security Controls – What Works
ISA 562 Summer 2008 1 Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.

ISA 562 Summer Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Information Systems Security Information Security & Risk Management.

Information Systems Security Information Security & Risk Management.
Introducing Computer and Network Security

Introducing Computer and Network Security
IS Audit Function Knowledge

IS Audit Function Knowledge
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
Unit # 3: Information Security and Risk Management

Unit # 3: Information Security and Risk Management
Purpose of the Standards

Purpose of the Standards
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
ISA 562 Internet Security Theory & Practice

ISA 562 Internet Security Theory & Practice

Similar presentations

Ads by Google