Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 1 Information Security Management

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 1 Information Security Management"— Presentation transcript:

1 Chapter 1 Information Security Management
COMP4690, HKBU

2 Objective Concept of Information Security Management
Information Classification Process Security Policy Implementation The roles and responsibilities of Security Administration Risk Management Assessment Security Awareness Training COMP4690, HKBU

3 Introduction Information Security is to protect an organizations’ valuable resources. It ensures that all resources are protected, and available to an organization, at all times, when needed. This leads to information classification, and security policy. However, security issues cannot be eliminated completely. This leads to the Risk management. COMP4690, HKBU

4 Purposes of Information Security Management
Three basic requirements Availability Assure that a computer system is accessible by authorized users whenever needed. Integrity To protect the system information from intentional or accidental unauthorized changes. Confidentiality Assure that unauthorized people cannot access the protected information. COMP4690, HKBU

5 Other Concepts in Security Management
Identification The means in which users claim their identities to a system. Used for access control. Authentication The testing or reconciliation of evidence of a user’s identity. Accountability Audit trails and logs. Authorization The rights and permissions granted to an individual. Privacy The level of confidentiality and privacy protection. COMP4690, HKBU

6 Information Classification
Why do we need information classification? Not all data has the same value to an organization. Should focus the protection and control on the information that need it the most. Can be used to comply with privacy laws, or to enable regulatory compliance. COMP4690, HKBU

7 Classification Terms In governmental data classification
Unclassified: can be released to public Sensitive but unclassified: minor secret, no serious damage if disclosed Confidential: unauthorized disclosure could cause some damage Secret: unauthorized disclosure could cause serious damage Top secret: unauthorized disclosure could cause exceptionally grave damage to national security COMP4690, HKBU

8 Classification Terms In private sector Public: similar to unclassified
Sensitive: requires a high level of classification than normal data Private: intended for company use only, such as salary levels Confidential: very sensitive data, unauthorized disclosure could seriously and negatively impact a company COMP4690, HKBU

9 Classification Procedures
The following steps are listed in priority order Identify the administrator/custodian Specify the criteria of how the information will be classified and labeled Classify the data by its owner, who is subject to review by a supervisor Specify and document any exceptions to the classification policy Specify the controls that will be applied to each classification level Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity Create an enterprise awareness program about the classification controls COMP4690, HKBU

10 Information Classification Roles
Owner Information owner may be an executive or manager of an organization. He is responsible for the asset of information that must be protected. He makes the original determination to decide what level of classification the information requires. He delegates the responsibility of data protection duties to the custodian. Custodian Information custodian is delegated the responsibility of protecting the information by its owner. This role is commonly executed by IT systems personnel. User End user can be anyone (operator, employee, or external party) that routinely uses the information as part of their job. COMP4690, HKBU

11 Policies, Standards, Guidelines, Procedures
Security policies are the basis for a sound security implementation. Questions: What are policies, standards, guidelines, and procedures? Why do we use policies, standards, guidelines, and procedures? What are the common policy types? COMP4690, HKBU

12 Polices Polices are considered the first and highest level of documentation, from which the lower level elements of standards, procedures, and guidelines flow. Usually are general statements. COMP4690, HKBU

13 Polices hierarchy COMP4690, HKBU

14 Policies Senior Management Statement of Policy
The first policy of any policy creation process A general, high-level statement which contains An acknowledgement of the importance of the computing resources to the business model A statement of support for information security throughout the enterprise A commitment to authorize and manage the definition of the lower level standards, procedures, and guidelines COMP4690, HKBU

15 Standards, Guidelines, Procedures
These are the three elements of policy implementation, which contain the actual details of the policy. They should be separate documents from the general policies. Standards: specify the use of specific technologies in a uniform way. It is compulsory. Guidelines: similar to standards, but more flexible, not compulsory, just recommendations. Procedures: embody the detailed steps that are followed to perform a specific task. The lowest level in the policy chain. COMP4690, HKBU

16 Roles and Responsibilities
Description Senior Manager Has the ultimate responsibility for security InfoSec Officer Has the functional responsibility for security Owner Determines the data classification Custodian Preserves the information’s C.I.A. User/Operator Performs the stated policies Auditor Examines security COMP4690, HKBU

17 Risk Analysis and Assessment
Risk Management Identifying, analyzing and assessing, mitigating, or transferring risk Core problems: What could happen (threat event) ? If it happened, how bad could it be (threat impact) ? How often could it happen (threat frequency, annualized) ? How certain are the answers to the first three questions (recognition of uncertainty) ? COMP4690, HKBU

18 Cont. Risk Analysis Risk Assessment
The process of analyzing a target environment and the relationships of its risk-related attributes. It should identify threat vulnerabilities, associate these vulnerabilities with affected assets, identify the potential for and nature of an undesirable result, and identify and evaluate risk-reducing countermeasures. Risk Assessment The assignment of value to assets, threat frequency, consequence, and other elements of chance. It is used to characterize both the process and the result of analyzing and assessing risk. COMP4690, HKBU

19 Cont. After risk analysis and assessment, three more questions:
What can be done (risk mitigation) ? How much will it cost (annualized) ? Is it cost-effective (cost/benefit analysis) ? It’s essential that the process of analyzing and assessing risk is well understood by all parties and executed on a timely basis. COMP4690, HKBU

20 Terms and definitions Single Loss Expectancy or Exposure (SLE)
The monetary loss for each occurrence of a threatened event SLE = Asset Value x Exposure Factor Exposure Factor (EF) Represent a measure of the magnitude of loss or impact on the value of an asset. Expressed as a percent, ranging from 0 to100%, of asset value loss arising from a threat event. A threat event could be a tornado, theft, or computer virus infection. COMP4690, HKBU

21 Cont. Annualized Rate of Occurrence (ARO)
The frequency with which a threat is expected to occur. E.g., a threat occurring 50 times in a given year has an ARO of 50, and a threat occurring 1 time in 10 years has an ARO of 0.1. Annualized Loss Expectancy (ALE) ALE = SLE x ARO COMP4690, HKBU

22 Example Asset Risk Asset Value Potential Loss (SLE)
Annualized Frequency (ARO) Annual Loss Expectancy (ALE) Facility Fire $560,000 $230,000 .25 $57,500 Trade Secret Stolen $43,500 $40,000 .75 $30,000 File Server Failed $11,500 .5 $5,750 Data Virus $8,900 $6,500 .8 $5,200 Customer Credit Card Info $323,500 $300,000 .65 $195,000 COMP4690, HKBU

23 Central Tasks Establish Information Risk Management (IRM) Policy
Establish and Fund an IRM Team Establish IRM Methodology and Tools Identify and Measure Risk Project Sizing COMP4690, HKBU

24 Risk analysis process Asset valuation process
Determine the value of an asset Quantitative risk analysis Assign independently objective numeric values to the components of the risk assessment and to the assessment of potential losses Qualitative risk analysis Address intangible values of data loss Safeguard selection Cost/benefit analysis Value of safeguard = (ALE before) – (ALE after) – annual safeguard cost COMP4690, HKBU

25 Security Awareness and Training
People are often the weakest link in a security chain. Employees must be aware of the need to secure information and to protect the information assets of an enterprise. Operators need training in the skills to fulfill their job functions securely. COMP4690, HKBU

26 Chapter 2 Business Continuity Planning and Disaster Recovery Planning
COMP4690, HKBU

27 Overview Business Continuity Planning (BCP)
Make the plans and create the framework to ensure that the business can continue in an emergency. It includes: Scope and plan initiation Business impact analysis (BIA) Business continuity plan development Disaster Recovery Planning (DRP) Recover from an emergency with the minimum of impact to the organization. It includes: Disaster recovery planning processes Testing the disaster recovery plan Disaster recovery procedures COMP4690, HKBU

28 Business Continuity Planning
Objectives To prevent interruptions to normal business activity To protect critical business processes from natural or man-made failures or disasters To minimize the effect of disturbances and to allow for resumption of business processes To reduce the risk of financial loss and enhance a company’s ability to recover from a disruptive event promptly To minimize the cost associated with the disruptive event and mitigate the risk associated with it COMP4690, HKBU

29 Disruptive Events Natural events: Man-made events:
Fires, explosions, hazardous material spills of environmental toxins Earthquakes, storms, floods, and fires due to acts of nature Power outages or other utility failures Man-made events: Bombings, sabotages, or other intentional attacks Strikes and job actions Employee or operator unavailability due to emergency evacuation or other issues Communications infrastructure failures COMP4690, HKBU

30 BCP (I) Scope and Plan Initiation The first step to create a BCP
Create the scope for the plan, and the other elements needed to define the parameters of the plan Examine the company’s operations and support services Scope activities: Create a detailed account of the work required List the resources to be used Define the management practices to be employed COMP4690, HKBU

31 BCP (I): roles and responsibilities
Who Does What Executive management staff Initiates the project, gives final approval, and gives ongoing support Senior business unit management Identifies and prioritizes time-critical systems BCP committee Directs the planning, implementation, and test processes Functional business units Participate in implementation and testing COMP4690, HKBU

32 BCP (II) Business Impact Analysis (BIA) Three primary goals
To create a document to be used to help understand what impact a disruptive event would have on the business Three primary goals Criticality prioritization: time-critical business process vs. Non-time-critical business process Downtime estimation: what is the longest period of time a critical process can remain interrupted before the company can never recover – maximum tolerable downtime (MTD) Resource requirements: the most time-sensitive processes may need the most resource allocation COMP4690, HKBU

33 BCP (II): BIA Steps Gathering assessment materials
Which business units are critical to continuing an acceptable level of operations Organizational chart, functional interrelationships of the organization Performing vulnerability assessment Quantitative: financial assessment Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution Additional operational expenses incurred due to the disruptive event Incurring financial losses from violation of contract agreements, violation of regulatory or compliance requirements Qualitative: operational assessment Loss of competitive advantage or market share Loss of public confidence or credibility, or public embarrassment Define the Critical support areas that must be present to sustain continuity of the business processes Telecommunications, data communications, information technology areas Physical infrastructure or plant facilities, transportation services Accounting, payroll, transaction processing, customer service, purchasing COMP4690, HKBU

34 BCP (II): BIA Steps Analyzing the information
Documenting required processes, identifying interdependencies, and determining what an acceptable interruption period would be To describe what support the defined critical areas will require to preserve the revenue stream and maintain pre-defined processes Documentation and recommendation Full documentation of all the processes, procedures, analysis, and results, and the presentation of recommendations to the appropriate senior management. Contain the gathered material, list the identified critical support areas, summarize the quantitative and qualitative impact statements, and provide the recommended recovery priorities generated from the analysis COMP4690, HKBU

35 BCP (III) Business Continuity Plan Development
Use the information collected in BIA to create the recovery strategy plan to support the critical business functions. Defining the continuity strategy, should include the following elements: Computing: to preserve the elements of hardware, software, communication lines, applications, and data Facilities: to address to use of the main buildings or campus and any remote facilities People: operators, management, and technical support personnel will have defined roles in implementing the continuity strategy Supplies and equipment: paper, forms, or specialized security equipment must be defined Documenting the continuity strategy COMP4690, HKBU

36 BCP (IV) Plan Approval and Implementation Senior management approval
Create an awareness of the pan enterprise-wide Specific training may be required for certain personnel to carry out their tasks Maintenance of the plan Use job descriptions that centralize responsibility for updates Create audit procedures that can report regularly on the state of the plan Ensure multiple versions of the plan do not exist COMP4690, HKBU

37 Disaster Recovery Planning
Objective To provide an organized way to make decisions if a disruptive event occurs To reduce confusion and enhance the ability of the organization to deal with the crisis To protect an organization from major computer services failure To minimize the risk to the organization from delays in providing services To guarantee the reliability of standby systems through testing and simulation To minimize the decision-making required by personnel during a disaster COMP4690, HKBU

38 I. DRP Process This phase involves the development and creation of the recovery plans. Define the steps we will need to perform to protect the business in the event of an actual disaster. Two steps: Data processing continuity planning Planning for the disaster and creating the plans to cope with it Data recovery plan maintenance Keeping the plans up-to-date and relevant COMP4690, HKBU

39 Processing Backup Services
Processing backup services are very important to the disaster recovery plan Most common alternate processing types Mutual aid agreements Subscription services Multiple centers Service bureaus Other data center backup alternatives COMP4690, HKBU

40 Mutual aid agreements An arrangement with another company that may have similar computing needs. Both parties agree to support each other in the case of a disruptive event. Assume each organization’s operations area will have the capacity to support the other’s in time of need. Advantages: Allow an organization to obtain a disaster processing site at very little or no cost. Disadvantages: Difficult to have extra unused capacity to enable full operational processing during the event. What happens if both organizations are affected by a large disaster? Should be considered only if there is a perfect partner, and there is no other alternative to disaster recovery. COMP4690, HKBU

41 Subscription services
Rely on third-party, commercial services Three basic forms of subscription services Hot site Fully configured computer facility with electrical power and HVAC (heating, ventilation, air conditioning), and functioning servers and workstations. 24/7 availability, exclusivity of use, immediately available after the disruptive event occurs The most expensive one, intensive administrative overhead Cold site A room with electrical power and HVAC, communications links may be ready or not. It is ready for equipment to be brought in during an emergency, but no computer hardware resides at the site. Warm site A cross between hot site and cold site. Computer facilities are ready with electrical power and HVAC. But the applications may not be installed or configured. Without full complement of workstations. Takes some time and effort to start production processing at the new site. COMP4690, HKBU

42 Multiple centers The processing is spread over several operations centers Could be owned and managed by the same organization or used in conjunction with some sort of reciprocal agreement. Has the same disadvantage as for mutual aid. COMP4690, HKBU

43 Service Bureaus Contract with a service bureau to fully provide all alternate backup processing services Quick response and availability, possible testing Disadvantages: Expense Resource contention during a large emergency COMP4690, HKBU

44 Transaction Redundancy Implementations
Electronic vaulting The transfer of backup data to an off-site location Remote journaling The parallel processing of transactions to an alternate site. A communications line is used to transmit live data as it occurs. Database shadowing To create event more redundancy by duplicating the database sets to multiple servers. COMP4690, HKBU

45 Disaster Recovery Plan Maintenance
Disaster recovery plans often get out of date. Like BCP maintenance To build maintenance procedures into the organization To create audit procedures that can report regularly on the state of the plan COMP4690, HKBU

46 II. Testing the DRP Regular disaster recovery drills and tests are a cornerstone of any disaster recovery plan. Reasons for testing Verify the accuracy of the recovery procedures and identify deficiencies Prepare and train the personnel to execute their emergency duties Verify the processing capability of the alternate backup site COMP4690, HKBU

47 Five Test Types Checklist Structured walk-through Simulation Parallel
Distribute copies of the plan to each business unit for review, to ensure the plan addresses all procedures and critical areas of the organization. This is a preliminary step to a real test. Structured walk-through Business unit management representatives meet to walk through the plan. To ensure that the plan accurately reflects the organization’ ability to recover successfully. Simulation All the operational and support personnel expected to perform during an actual emergency meet in a practice session. To test the ability of the personnel to respond to a simulated disaster. Parallel A full test of the recovery plan, utilizing all personnel. Critical systems are run at an alternate site. Full-interruption A disaster is replicated even to the point of ceasing normal production operations. The plan is totally implemented as if it were a real disaster. COMP4690, HKBU

48 III. Disaster recovery procedures
This part details what roles various personnel will take on what tasks must be implemented to recover and salvage the site how the company interfaces with external groups financial considerations. COMP4690, HKBU

49 Primary element The recovery team The salvage team
To implement the recovery procedures at the declaration of the disaster. To get the pre-defined critical business functions operating at the alternate backup processing site. The salvage team To return the primary site to normal processing environmental conditions. To identify sources of expertise, equipment, and supplies that can make the return to the site possible. The normal operations resume To return production processing from alternate site to the primary site with the minimum of disruption and risk Other recovery issues Interfacing with external groups; employee relations; fraud and crime; financial disbursement; media relations COMP4690, HKBU

Download ppt "Chapter 1 Information Security Management"

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
IT Service Continuity Management

IT Service Continuity Management
Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Reliability of the electrical service Business Continuity Management Business Impact Analysis (BIA) Critical ITC Services Minimum Business Continuity Objective.

Reliability of the electrical service Business Continuity Management Business Impact Analysis (BIA) Critical ITC Services Minimum Business Continuity Objective.
CIOassist Technologies Your CIO on Demand… Business Continuity Planning Our Offering CIOassist Technologies (www.cioassist.in)www.cioassist.in

CIOassist Technologies Your CIO on Demand… Business Continuity Planning Our Offering CIOassist Technologies (
Auditing Concepts.

Auditing Concepts.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Auditing Computer Systems

Auditing Computer Systems
Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
Business Continuity & Disaster Recovery

Business Continuity & Disaster Recovery
Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning
Security Controls – What Works

Security Controls – What Works
Information Systems Security Information Security & Risk Management.

Information Systems Security Information Security & Risk Management.
The Business of Security Chapter 4. Building a Business Case A business exists to satisfy business objectives –Security programs are there to support.

The Business of Security Chapter 4. Building a Business Case A business exists to satisfy business objectives –Security programs are there to support.
Information Systems Security Officer

Information Systems Security Officer
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Planning for Contingencies

Planning for Contingencies
Risk Management.

Risk Management.
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Similar presentations

Ads by Google