
1 Managing Risk in Information Systems
Lesson 4: Key Components of Risk Assessment
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

2 Learning Objectives
- Identify assets and activities to protect within an organization.
- Identify threats, vulnerabilities, and exploits.
- Identify and analyze risk mitigation security controls.

3 Key Concepts
- Identification of key activities and assets
- Recognizing the value of data
- Basic planning steps of a BIA
- Techniques used to identify relevant threats, vulnerabilities, and exploits
- Identifying and comparing procedural, technical, physical, and functional controls

4 DISCOVER: CONCEPTS

5 Risk Assessment Approaches

6 Quantitative Risk Assessment

7 Best Practices for Risk Assessment

8 Identifying Activities
Activities to identify: system access, system availability, and system functions (manual and automated).
- Eliminate single points of failure (SPOF)
  - A SPOF is a part of a system whose failure causes the entire system to fail.

9 System Access and Availability
- Goal: 99.999 percent uptime ("five nines", roughly five minutes of downtime per year)
- Failover cluster (removes a single server as a SPOF)
- RAID (removes a single disk as a SPOF)
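The arithmetic behind these three bullets, as an added example (not code from the original slides): what "five nines" allows in downtime, how a failover cluster or RAID mirror raises availability, and how one remaining single point of failure caps the whole system. The component availability figures (server, disk, network path) are constructed for illustration.

```python
"""Availability arithmetic behind the 99.999 percent goal: the downtime
"five nines" allows per year, how redundancy (failover cluster, RAID) raises
availability, and how one single point of failure (SPOF) caps it.

Added example for this lesson, not code from the original slides. The
component availability figures are constructed for illustration."""

import math

MINUTES_PER_YEAR = 365.25 * 24 * 60


def allowed_downtime_minutes(availability):
    """Annual downtime permitted by an availability target, e.g. 0.99999."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def series(*availabilities):
    """Components that must ALL be up (a chain): availabilities multiply.
    Every non-redundant element of the chain is a SPOF."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel(*availabilities):
    """Redundant components where ANY ONE being up suffices (failover cluster,
    RAID mirror): the group is down only when every member is down."""
    all_down = 1.0
    for a in availabilities:
        all_down *= 1.0 - a
    return 1.0 - all_down


def nines(availability):
    """Availability expressed as a count of nines (0.999 -> 3.0)."""
    return -math.log10(1.0 - availability)


# Constructed figures: one server 99.9 %, one disk 99.5 %, the network path 99.99 %.
SERVER, DISK, NETWORK = 0.999, 0.995, 0.9999


def single_server_system():
    """network -> server -> disk with no redundancy anywhere."""
    return series(NETWORK, SERVER, DISK)


def cluster_node():
    """One cluster node: a server on a RAID-1 mirror of two disks."""
    return series(SERVER, parallel(DISK, DISK))


def clustered_system():
    """Two-node failover cluster behind the same single network path."""
    return series(NETWORK, parallel(cluster_node(), cluster_node()))


def spof_report(components):
    """Name the weakest element of a series chain; it bounds the whole system
    no matter how much redundancy the other elements have."""
    worst = min(components, key=components.get)
    return "%s caps system availability at %.5f" % (worst, components[worst])


if __name__ == "__main__":
    print("five nines allow %.2f minutes of downtime per year" % allowed_downtime_minutes(0.99999))
    print("single server: %.6f (%.2f nines)" % (single_server_system(), nines(single_server_system())))
    print("clustered:     %.6f (%.2f nines)" % (clustered_system(), nines(clustered_system())))
    print(spof_report({"network path": NETWORK,
                       "server cluster": parallel(cluster_node(), cluster_node())}))
```

With these figures the cluster takes the server-plus-disk part of the chain from under three nines to almost six, yet the whole system still sits just under four nines, because the single network path in series is a SPOF. That is the point of the SPOF hunt on the previous slide: the target cannot be reached by adding redundancy where it already exists.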

10 Identifying Assets
Asset categories: hardware assets, software assets, personnel assets.
- People can also be single points of failure. Mitigations:
  - Hire additional personnel
  - Cross-train
  - Job rotation

11 Identifying Data Assets
Data and information assets: customer data, intellectual property, databases.
- Protect data
- Ensure methods are available to retrieve data
  - Data warehousing
  - Data mining

12 Types of Assessments
- Threat assessments
- Vulnerability assessments
- Exploit assessments

13 Threat Assessments
- Identifies and evaluates threats
  - Determines impact on confidentiality
  - Determines impact on integrity
  - Determines impact on availability

14 Vulnerability Assessments
- Vulnerabilities are any weaknesses in an IT infrastructure.
- Assessments identify vulnerabilities within an organization:
  - Servers
  - Networks
  - Personnel
- Entire networks can be vulnerable if access controls aren't implemented.

15 Internal/External Vulnerability Assessments
- Internal assessments: the organization's own security professionals test internal systems to learn about vulnerabilities.
- External assessments: personnel from outside the company test the systems to learn about vulnerabilities.

16 Intrusion Detection System Outputs
- An IDS records what it observes in logs (alerts and events).
- Those logs are a data source for assessments: what was attacked, from where, and whether the attempt appeared to succeed.

17 Verifying Rights and Permissions
- Verify user rights and permissions
  - Apply the principle of least privilege: each user holds only the rights and permissions the job requires.
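One way to run the verification this slide calls for, as an added example (not code from the original slides): compare every granted permission against a per-role least-privilege baseline and flag grants that exceed the baseline, grants that have never been used or have gone stale, roles with no baseline at all, and baseline rights a user is missing. The role baseline, the grant export and the last-used dates are all constructed.

```python
"""Rights-and-permissions review against a least-privilege baseline.

Added example for this lesson, not code from the original slides. The role
baseline, the grants and the 'last used' dates below are constructed."""

from datetime import date

# Baseline: the permissions each job role needs (an assumption for the example).
ROLE_BASELINE = {
    "helpdesk": {"ad:reset-password", "ticket:read", "ticket:write"},
    "dba":      {"db:read", "db:write", "db:admin"},
    "analyst":  {"db:read", "report:read"},
}

# Constructed export from an access-control system:
# (user, role, permission, date last exercised or None if never).
GRANTS = [
    ("alice", "helpdesk", "ad:reset-password", date(2015, 3, 2)),
    ("alice", "helpdesk", "ticket:read",       date(2015, 3, 2)),
    ("alice", "helpdesk", "ticket:write",      None),               # in baseline, never used
    ("alice", "helpdesk", "db:admin",          None),               # exceeds baseline
    ("bob",   "analyst",  "db:read",           date(2015, 2, 28)),
    ("bob",   "analyst",  "report:read",       date(2014, 6, 1)),   # stale
    ("bob",   "analyst",  "db:write",          date(2015, 3, 1)),   # exceeds baseline
    ("carol", "dba",      "db:admin",          date(2015, 3, 1)),
    ("carol", "dba",      "db:read",           date(2015, 3, 1)),
    ("dave",  "intern",   "db:read",           date(2015, 3, 1)),   # role has no baseline
]

STALE_DAYS = 90
REVIEW_DATE = date(2015, 3, 3)


def review(grants, baseline, today=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return (user, permission, reason) findings for every grant that
    violates least privilege or has not been exercised recently."""
    findings = []
    for user, role, perm, last_used in grants:
        allowed = baseline.get(role)
        if allowed is None:
            findings.append((user, perm, "no baseline for role '%s'" % role))
            continue
        if perm not in allowed:
            findings.append((user, perm, "exceeds baseline for role '%s'" % role))
        elif last_used is None:
            findings.append((user, perm, "never used"))
        elif (today - last_used).days > stale_days:
            findings.append((user, perm, "unused for %d days" % (today - last_used).days))
    return findings


def missing_from_baseline(grants, baseline):
    """Rights a role should have but the user was never granted. The same
    review catches under-provisioning, which users tend to work around by
    sharing accounts or asking for broader rights than they need."""
    held = {}
    for user, role, perm, _ in grants:
        held.setdefault((user, role), set()).add(perm)
    return {user: sorted(baseline.get(role, set()) - perms)
            for (user, role), perms in held.items()}


if __name__ == "__main__":
    for finding in review(GRANTS, ROLE_BASELINE):
        print("%-6s %-18s %s" % finding)
    print("missing:", missing_from_baseline(GRANTS, ROLE_BASELINE))
```

The "never used" and "unused for N days" findings matter as much as the excess grants: a permission that is in the baseline but never exercised is a candidate for removal from the baseline itself, which is how the baseline converges on least privilege over successive reviews.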

18 Exploit Assessments
- Exploit assessments attempt to exploit vulnerabilities
  - They simulate an attack to determine whether the attack can succeed
- An exploit test:
  - Usually starts with a vulnerability test to determine vulnerabilities
  - Follows with an attempt to exploit the vulnerability

19 In-Place Controls
- Installed in an operational system
- Replace in-place controls that don't meet goals
- Three primary objectives of controls:
  - Prevent
  - Recover
  - Detect

20 Planned Controls
- Controls that have been approved but not yet installed
- Identify planned controls before approving others
- Vulnerabilities that planned controls mitigate still exist until the control is actually in place
- Evaluate the effectiveness of a planned control through research

21 Functional Controls
Controls based on the function being performed:
- Preventive: hardening, patching
- Detective: audit trails, IDS
- Corrective: backups, file recovery

22 NIST SP 800-53 Control Families
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)

23 NIST SP 800-53 Control Families (Cont.)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Risk Assessment (RA)
- Security Assessment and Authorization (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- System and Services Acquisition (SA)

24 Procedural Control Examples
- Policies and procedures
- Security plans
- Insurance and bonding
- Background and financial checks

25 Procedural Control Examples (Cont.)
- Data loss prevention program
- Awareness training
- Rules of behavior
- Software testing

26 Technical Control Examples
- Login identifier
- Session timeout
- System logs and audit trails
- Data range and reasonableness checks
- Firewalls and routers
- Encryption
- Public key infrastructure (PKI)

27 Firewalls and Routers
- Filter traffic using access control lists (ACLs)

28 Using Digital Signatures

29 Physical Control Examples
- Locked doors, guards, CCTV
- Fire detection and suppression
- Water detection
- Temperature and humidity detection
- Electrical grounding and circuit breakers

30 DISCOVER: PROCESS

31 Business Impact Analysis (BIA)
A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions and activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law.

For each critical (in-scope) function, two values are then assigned:
- Recovery Point Objective (RPO): the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose two days of data?
- Recovery Time Objective (RTO): the acceptable amount of time to restore the function.

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
Source: http://en.wikipedia.org/wiki/Business_continuity_planning#Business_impact_analysis_.28BIA.29

32 BIA Planning Introduction
- Identifies the impact of a sudden loss
- Planning steps:
  1. Define the scope
  2. Identify objectives
  3. Identify mission-critical functions and processes
  4. Map functions and processes to IT systems
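A consistency check over a BIA worksheet, as an added example (not code from the original slides) covering the RPO/RTO definitions on the previous slide and the planning steps above: for each in-scope function it verifies that the assigned RTO does not exceed the MTPoD and that the assigned RPO does not exceed the maximum tolerable data loss, marks which functions are critical, derives the backup interval the RPO implies, and ranks the functions by urgency. The worksheet entries and every hour figure are constructed; the 24-hour threshold for "urgent" is an assumption.

```python
"""BIA consistency check: for each in-scope function, verify that the RTO
does not exceed its Maximum Tolerable Period of Disruption (MTPoD) and the
RPO does not exceed its maximum tolerable data loss, then rank by urgency.

Added example for this lesson, not code from the original slides. The
function list and all hour figures are constructed."""

from dataclasses import dataclass


@dataclass
class BiaEntry:
    function: str
    mtpod_hours: float           # longest outage the business can tolerate
    max_data_loss_hours: float   # oldest data (by age) the business can afford to lose
    rto_hours: float             # recovery time objective assigned in the BIA
    rpo_hours: float             # recovery point objective assigned in the BIA
    required_by_law: bool = False


# Constructed BIA worksheet.
WORKSHEET = [
    BiaEntry("order processing", mtpod_hours=4,   max_data_loss_hours=1,   rto_hours=2,  rpo_hours=0.5),
    BiaEntry("payroll",          mtpod_hours=72,  max_data_loss_hours=24,  rto_hours=48, rpo_hours=24,
             required_by_law=True),
    BiaEntry("marketing site",   mtpod_hours=168, max_data_loss_hours=168, rto_hours=24, rpo_hours=24),
    # Both objectives set looser than the business can tolerate: the check must catch this.
    BiaEntry("customer portal",  mtpod_hours=8,   max_data_loss_hours=2,   rto_hours=12, rpo_hours=24),
]


def validate(entry):
    """Return the BIA violations for one function (empty list = consistent)."""
    problems = []
    if entry.rto_hours > entry.mtpod_hours:
        problems.append("RTO %sh exceeds MTPoD %sh" % (entry.rto_hours, entry.mtpod_hours))
    if entry.rpo_hours > entry.max_data_loss_hours:
        problems.append("RPO %sh exceeds max tolerable data loss %sh"
                        % (entry.rpo_hours, entry.max_data_loss_hours))
    return problems


def is_critical(entry, urgent_threshold_hours=24):
    """Critical (urgent) if disruption beyond the threshold is unacceptable,
    or if the law makes the function critical regardless of cost."""
    return entry.required_by_law or entry.mtpod_hours <= urgent_threshold_hours


def backup_interval_hours(entry):
    """Longest backup or replication interval that can still honour the RPO:
    recovered data may be at most rpo_hours old, so copies must be taken at
    least that often (and never less often than the business tolerates)."""
    return min(entry.rpo_hours, entry.max_data_loss_hours)


def rank_by_urgency(worksheet):
    """Shortest MTPoD first; legally required functions win ties."""
    return [e.function for e in
            sorted(worksheet, key=lambda e: (e.mtpod_hours, not e.required_by_law))]


def report(worksheet):
    return {e.function: validate(e) for e in worksheet}


if __name__ == "__main__":
    for name, problems in report(WORKSHEET).items():
        print("%-16s critical=%s %s" % (name, is_critical(next(e for e in WORKSHEET if e.function == name)),
                                         "; ".join(problems) or "OK"))
    print("recovery order:", rank_by_urgency(WORKSHEET))
```

The worksheet deliberately contains one function whose objectives were set looser than the business can tolerate; that is the common failure mode in a BIA (objectives copied from what the current backup schedule happens to deliver rather than from what the function owner can accept), and the mapping-to-IT-systems step is where it should be caught.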

33 Assessing Vulnerabilities
- Documentation review
- Review logs
- Vulnerability scans
- Audits and personnel interviews
- Process and output analysis
- System testing

34 Process Analysis and Output Analysis
- Process analysis examines how a control works (for a firewall, reading each rule); output analysis examines what the control actually produces (for a firewall, testing which traffic gets through).
- Firewall with five rules: use process analysis
- Firewall with 100 rules: use output analysis
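Both forms of analysis applied to an ACL-style firewall rule list, as an added example (not code from the original slides) that also illustrates the ACL filtering on the "Firewalls and Routers" slide. Process analysis here means finding rules that can never match because an earlier rule already covers every packet they describe; output analysis means sending a set of probe packets through the rule list and comparing the decision with what the system owner expects. The rule syntax, the ruleset and the probe set are constructed; real ACL syntax varies by vendor, and the first-match-with-implicit-deny semantics is the common case, not universal.

```python
"""Firewall rule review two ways: process analysis (find rules shadowed by an
earlier rule) and output analysis (push probe packets through the rule list
and compare the decision with what the owner expects).

Added example for this lesson, not code from the original slides. The rule
syntax, the ruleset and the probe set are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: range                # destination ports; range(0, 65536) means any

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and src_ip in self.src and dst_ip in self.dst
                and dport in self.dport)

    def covers(self, other):
        """True if every packet `other` could match is also matched by self."""
        return ((self.proto == "any" or self.proto == other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.dport.start <= other.dport.start
                and other.dport.stop <= self.dport.stop)


def rule(action, proto, src, dst, ports=None):
    lo, hi = (0, 65535) if ports is None else ports
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), range(lo, hi + 1))


# Constructed ruleset. First match wins; an implicit deny follows the last rule.
RULES = [
    rule("permit", "tcp", "0.0.0.0/0",      "10.0.0.10/32", (443, 443)),    # 0: public HTTPS
    rule("deny",   "any", "192.168.0.0/16", "10.0.0.0/8"),                   # 1: office -> DMZ blocked
    rule("permit", "tcp", "192.168.1.0/24", "10.0.0.10/32", (22, 22)),      # 2: admin SSH (shadowed by 1)
    rule("permit", "tcp", "0.0.0.0/0",      "10.0.0.0/8",   (0, 65535)),    # 3: broad allow
    rule("permit", "tcp", "203.0.113.0/24", "10.0.0.20/32", (3306, 3306)),  # 4: shadowed by 3
]


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Output analysis primitive: (index of deciding rule, action); index is
    None when the implicit deny decides."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.matches(proto, src_ip, dst_ip, dport):
            return i, r.action
    return None, "deny"


def shadowed_rules(rules):
    """Process analysis: indexes of rules fully covered by some earlier rule.
    Such a rule never fires, so the intent behind it is not being enforced."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed probe set: (proto, src, dst, dport, action the owner expects).
PROBES = [
    ("tcp", "198.51.100.7", "10.0.0.10", 443,  "permit"),
    ("tcp", "192.168.1.5",  "10.0.0.10", 22,   "permit"),   # admins expect SSH to work
    ("tcp", "198.51.100.7", "10.0.0.20", 3306, "deny"),     # database must not be public
    ("udp", "198.51.100.7", "10.0.0.10", 53,   "deny"),
]


def output_analysis(rules, probes):
    """Probes whose actual decision differs from the expected one, with the
    rule that made the decision so the reviewer knows where to look."""
    mismatches = []
    for proto, src, dst, dport, expected in probes:
        idx, action = evaluate(rules, proto, src, dst, dport)
        if action != expected:
            mismatches.append((proto, src, dst, dport, expected, action, idx))
    return mismatches


if __name__ == "__main__":
    print("shadowed rules:", shadowed_rules(RULES))
    for m in output_analysis(RULES, PROBES):
        print("probe %s %s->%s:%d expected %s, got %s from rule %s" % m)
```

On a five-rule list the shadowing is visible by eye, which is why the slide recommends process analysis there. At a hundred rules the probe set is the practical tool, and the two findings it produces here (an admin path silently blocked, a database silently exposed) are exactly the kind that reading rules one at a time tends to miss.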

35 Procedure for Assessing Exploits
1. Identification
2. Mitigation
3. Implementation
4. Remediation

36 Suggested Steps for Implementing Security Controls
- Selection of security controls
- Documentation of each control
- Implementation of each control
Risk response options the selected controls support: avoidance, reduction, retention, and insurance (transfer).

37 DISCOVER: ROLES

38 Data and Information Assets
- Data is protected by:
  - Access controls
  - Backups

39 Data Classifications
- Organization classifications:
  - Proprietary: highest level of protection
  - Private: protected internally
  - Public: freely available
- Government classifications:
  - Top Secret
  - Secret
  - Confidential

40 Data and Information Asset Categories
- Organization data
- Customer data
- Intellectual property
- Data warehousing
- Data mining

41 Internal Threats
- Users with unintentional access
- Users responding to phishing attempts
- Users forwarding viruses
- Disgruntled ex-employees
- Equipment failure
- Data loss
- Attacks

42 External Threats
- Attacks on public-facing servers
- Weather conditions and natural disasters

43 Risk Mitigation Functions
- Senior management
- IT management
- Functional management and employees
- Contractors/vendors

44 DISCOVER: CONTEXTS

45 Identify Assets
- First step in risk management: you can't plan the protection if you don't know what you're protecting.
- When do you want to identify a single point of failure? Before it fails, or after it fails?

46 Threat Modeling
- What system are you trying to protect?
- Is the system susceptible to attacks?
- Who are the potential adversaries?
- How might a potential adversary attack?
- Is the system susceptible to hardware or software failure?
- Who are the users?
- How might an internal user misuse the system?

47 Key to Risk Management
- Risk = Threat × Vulnerability
  - Threat assessments help reduce the impact of threats
  - Vulnerability assessments help reduce vulnerabilities
  - Exploit assessments help validate actual threats and vulnerabilities

48 Controls Mitigate Risk
- Controls reduce the impact of threats
- Controls reduce vulnerabilities to an acceptable level
- There are hundreds of controls; it is best to evaluate them by category

49 DISCOVER: RATIONALE

50 Identify Valuable Assets
- Ask a system owner:
  - How much downtime can you accept? Answer: "None"
  - How much data loss can you accept? Answer: "None"
- Then ask: "How much money are you willing to spend?"

51 System Testing
- Functionality testing: defining requirements
- Access controls: verifying user rights and allocations
- Penetration testing: verifying security countermeasures
- Tests transactions with applications

52 Variety of Controls Needed
- What is missed if only technical controls are used?
- What is missed if only procedural controls are used?
- What is missed if only physical controls are used?

53 Summary
- Identification of key activities and assets
- Recognizing the value of data
- Basic planning steps of a BIA
- Techniques used to identify relevant threats, vulnerabilities, and exploits
- Identifying and comparing procedural, technical, physical, and functional controls

