Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.

Qualitative Risk Analysis: Unit Outline
Module 1: Qualitative Risk Analysis
Module 2: Determine Assets and Vulnerabilities
Module 3: Determine Threats and Controls
Module 4: Matrix Based Approach
Module 5: Case Study
Module 6: Summary
Module 3: Determine Threats and Controls
Learning Objectives
Students should be able to:
– Identify threats
– Understand the different types of controls
– Recognize the different functions of controls
Identification of Threats
Threat: a potential cause of an unwanted event that may result in harm to the agency and its assets. A threat acts on a vulnerability: the vulnerability is the weakness in an asset, the threat is the agent or event that exploits it. Threats fall into three groups:

Malicious
– Malicious software (viruses, worms, trojan horses, time bombs, logic bombs, rabbits, bacteria)
– Spoofing or masquerading
– Sequential or dictionary scanning (systematic guessing of account names or passwords)
– Snooping (electronic monitoring or "shoulder surfing")
– Scavenging ("dumpster diving" or automated scanning of discarded data)
– Spamming
– Tunneling (encapsulating traffic inside a permitted protocol to bypass filtering)
Unintentional
– Equipment or software malfunction
– Human error (back door or user error)
Physical
– Power loss, vandalism, fire/flood/lightning damage, destruction

Source: http://www.caci.com/business/ia/threats.html
Functions of Controls
Security controls: implementations that reduce overall risk and vulnerability. Each control serves one or more of the following functions:
– Deter: avoid or prevent the occurrence of an undesirable event
– Protect: safeguard the information assets from adverse events
– Detect: identify the occurrence of an undesirable event
– Respond: react to or counter an adverse effect
– Recover: restore integrity, availability and confidentiality of information assets

Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls
Controls
Organizational & Management Controls
– Information security policy, information security infrastructure, third party access, outsourcing, mobile computing, telecommuting, asset classification and control, personnel practices, job descriptions, segregation of duties, recruitment, terms and conditions of employment, employee monitoring, job terminations and changes, security awareness and training, compliance with legal and regulatory requirements, compliance with security policies and standards, incident handling, disciplinary process, business continuity management, system audits
Physical & Environmental Controls
– Secure areas, equipment security, clear desk and screen policy, removal of property

Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls
Operational Controls
– Documentation, configuration and change management, incident management, software development and test environment, outsourced facilities, systems planning, systems and acceptance testing, protection against malicious code, data backup, logging, software and information exchange, security of media in transit, electronic commerce security, electronic data interchange, internet commerce, email security, electronic services, electronic publishing, media

Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls
Technical Controls
– Identification and authentication, passwords, tokens, biometric devices, logical access control, review of access rights, unattended user hardware, network management, operational procedures, predefined user access paths, dial-in access controls, network planning, network configuration, segregation of networks, firewalls, monitoring of network, intrusion detection, internet connection policies, operating system access control, identification of terminals and workstations, secure logon practices, system utilities, duress alarm, time restriction, application access control and restriction, isolation of sensitive applications, audit trails and logs

Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls
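The threat slide lists "Sequential or Dictionary Scanning"; the technical controls slide lists "audit trails and logs" and "intrusion detection", which together realize the Detect function from the functions-of-controls slide. The script below is an added example and is not part of the original slides or the NSW guideline: it runs detection logic over a handful of constructed, sshd-style log lines and flags sources whose failed-login bursts look like dictionary scanning (many guesses at one account) or account scanning (one guess each at many accounts), and marks any flagged source that later logged in successfully, which is the case a responder should pick up first. The log format, addresses, account names and the threshold/window values are all assumptions made for the example.

```python
"""Detecting sequential/dictionary scanning in authentication logs.

Added example, not code from the original slides. It exercises the Detect
function of two technical controls named in the module, "audit trails and
logs" and "intrusion detection", against the threat the module calls
"Sequential or Dictionary Scanning". The log format, hosts, users and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-style wording, simplified; not a real capture).
# 203.0.113.7: six failures against one account within seconds, then success
# 198.51.100.2: two failures 15 minutes apart from a user who mistyped
# 192.0.2.9: one failure each against five different accounts in two seconds
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:02 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:03 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:04 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:05 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:06 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:07 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T08:05:00 sshd: Failed password for bob from 198.51.100.2
2024-03-01T08:20:00 sshd: Failed password for bob from 198.51.100.2
2024-03-01T08:20:30 sshd: Accepted password for bob from 198.51.100.2
2024-03-01T09:00:00 sshd: Failed password for admin from 192.0.2.9
2024-03-01T09:00:00 sshd: Failed password for root from 192.0.2.9
2024-03-01T09:00:01 sshd: Failed password for test from 192.0.2.9
2024-03-01T09:00:01 sshd: Failed password for guest from 192.0.2.9
2024-03-01T09:00:02 sshd: Failed password for oracle from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "failed": m["result"] == "Failed",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_scanning(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source with >= threshold failed logins inside a sliding window.

    Two shapes of the same threat are told apart by the accounts hit:
      dictionary   - many guesses against one account (password guessing)
      account-scan - a guess or two against many accounts (name guessing)
    'success_after' is True when the source authenticated successfully at or
    after the end of the burst, i.e. the guessing may have worked.
    """
    failures = defaultdict(list)
    for e in events:
        if e["failed"]:
            failures[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best, best_users, best_end = 0, set(), None
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {e["user"] for e in fails[start:end + 1]}
                best_end = fails[end]["ts"]
        if best < threshold:
            continue
        success_after = any(
            not e["failed"] and e["src"] == src and e["ts"] >= best_end
            for e in events
        )
        alerts.append({
            "src": src,
            "kind": "dictionary" if len(best_users) == 1 else "account-scan",
            "count": best,
            "users": sorted(best_users),
            "success_after": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_scanning(parse(SAMPLE_LOG)):
        print(alert)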
Summary
Threats exploit vulnerabilities to harm assets. Controls are used to diminish or prevent the impact of threats, and each control performs one or more of the functions deter, protect, detect, respond and recover. Controls come in four types:
– Organizational and Management Controls
– Physical and Environmental Controls
– Operational Controls
– Technical Controls