ISA 562 Summer 2008: Personnel good practice


1 Personnel good practice
Job description; roles and responsibilities
Least privilege/Need to know
Compliance with need to share
Separation of duties / responsibilities
Job rotation
Mandatory vacations

2 Security Awareness
Awareness training
–Remind employees of security responsibility
–Motivate personnel to comply with them
–Videos
–Newsletters
–Posters
–Key-chains

3 Training and Education
Job training
–Provide skills to perform security functions.
  Focus on security-related job skills
  Address security requirements of the organization, etc.
Professional Education
–Provide decision-making and security management skills important for success of security program.

4 Good training practice
Address all the audience
–Management
–Data Owner and custodian
–Operations personnel
–User
–Support personnel

5 Risk in NIST SP 800-30
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization

6 Risk related Definitions
Vulnerability: A flaw or weakness in system procedures, design, implementation or internal controls that could be used to breach or violate the system
Likelihood: probability that a vulnerability may be used in the threat environment.
Threat: the potential for a mal-actor to exercise a vulnerability.
Countermeasure: risk reduction method (technical, operational, managerial, or combination)

7 Risk Management concept flow

8 Risk Management Definitions
Asset: something valued (to accomplish goals and objectives)
Threat Agent: anything that can pose or cause a threat.
Exposure: situation when a threat can cause loss.
Vulnerability: weakness that could be exploited.
Attack: Intentional action attempting to cause harm.
Risk: probability that some event can occur
Residual Risk: risk remaining after countermeasures and safeguards have been applied

9 Risk Management
To identify possible problems before they occur so that risk-handling activities may be planned and invoked as needed during the life of the product or project

10 The Risk Equation

11 Risk Management
Identify and reduce risks
–Mitigating controls [Safeguards & Countermeasures]
–Residual Risk when countermeasures exist but are not sufficient → should be at acceptable level

12 Purpose of Risk Analysis
Identify and justify risk mitigation
–Assess threats to business processes and IS
–Justify use of countermeasures
Describe security based on risk to the organization

13 Benefits of Risk Analysis
Focus on policy and resources
Identify areas with specific risk
–good IT Governance, supporting
–Business continuity
–Insurance and liability decisions
–Legitimize security awareness program

14 Emerging threats
Risk Assessment must address new threats
–New technology
–Change in culture of the organization
–Unauthorized use of technology.
May be discovered by periodic risk assessment

15 Sources of identity threats
Users
–System administrators
–Security officers
–Auditors
Operations
–Facility records
–Community and government records
Vendor/security provider alerts
Other threats:
–Natural disasters – flood, tornado, etc.
–Environment -- overcrowding or poor morale
–Facility -- physical security or location of building

16 Risk analysis key factors
Obtain senior management support
Establish risk assessment team
Define and approve purpose and scope
Select team members
State their authority and responsibility
Have management review findings and recommendations
Risk team members to include: IS System Security, IT & Operations Management, Internal Audit, Physical security, etc

17 Use of automated tools for risk management
Objective: to minimize manual effort
May be time consuming in setup
Perform calculations quickly
–Estimate future expected loss
–Determine benefit of security measures

18 Preliminary security evaluation
Identify vulnerabilities
Review existing security measures
Document findings
Obtain management review and approval

19 Risk analysis types
Two types
–Quantitative
–Qualitative
Both provide valuable metrics
Both required for a full picture

20 Quantitative risk analysis
Determine monetary value
Fully quantitative if all elements are quantified, but this is difficult to achieve.
Requires much time and personnel effort

21 Determining Asset Value
Cost to acquire, develop, and maintain
Value to owners, custodians, or users
Liability for protection
Recognize real world cost and value
–Price others are willing to pay for it
–Value of intellectual property
–Convertibility/negotiability

22 Quantitative analysis steps
1. Estimate potential single loss expectancy
   SLE = Asset Value ($) * Exposure Factor
   Exposure Factor = % of asset loss when threat succeeds
   Types of loss
   –Physical destruction, theft, Loss of data, etc
2. Conduct threat analysis
   ARO - Annual Rate of Occurrence
   Expected number of exposures/incidents per year
   Likelihood of unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
   Magnitude of risk = Annual Loss Expectancy
   Purpose → to justify security countermeasures
   ALE = SLE * ARO
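The three steps on slide 22, worked through as an added Python example that is not part of the original slides. It goes one step beyond the slide by subtracting a safeguard's annual cost from the ALE reduction it buys, a common way to apply the cost/benefit test the deck describes later; the scenario, the `Safeguard` structure, the safeguard names and all dollar figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of the asset lost when the threat succeeds
    aro: float              # Annual Rate of Occurrence (incidents per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Step 1: SLE = Asset Value * Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 3: ALE = SLE * ARO (ARO is the output of step 2)."""
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:  # hypothetical structure, not from the slides
    name: str
    annual_cost: float
    exposure_factor_after: float
    aro_after: float

def net_benefit(s: Scenario, g: Safeguard) -> float:
    """ALE before - ALE after - annual safeguard cost (assumed extension)."""
    after = Scenario(s.name, s.asset_value, g.exposure_factor_after, g.aro_after)
    return s.ale() - after.ale() - g.annual_cost

def rank_safeguards(s, options):
    """Best net benefit first; a negative value is not cost justified."""
    scored = [(g.name, net_benefit(s, g)) for g in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample data: a server room fire threatening a $400,000 data store.
FIRE = Scenario("server room fire", 400_000, 0.25, 0.5)
OPTIONS = [
    Safeguard("offsite backups", 10_000, 0.0625, 0.5),
    Safeguard("redundant data center", 60_000, 0.0, 0.5),
    Safeguard("fire suppression", 5_000, 0.25, 0.125),
]

if __name__ == "__main__":
    print(f"SLE=${FIRE.sle():,.0f}  ALE=${FIRE.ale():,.0f}")
    for name, value in rank_safeguards(FIRE, OPTIONS):
        print(f"{name:24s} net benefit ${value:>10,.0f}")
```

The redundant data center removes the loss entirely yet ranks last, because its annual cost exceeds the ALE it eliminates.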

23 Qualitative Risk analysis
Scenario oriented
Does not assign numeric values to risk components
Qualitative risk analysis is possible
Qualitative risk analysis factors
–Rank seriousness of threats and sensitivity of assets
–Perform a reasoned risk assessment

24 Other risk analysis methods
Failure modes and effects analysis
–Potential failures of each part or module
–Examine effects of failure at three levels
  Immediate (part or module)
  Intermediate (process or package)
  System-wide
Fault tree or spanning tree analysis
–Create a “tree” of all possible threats and faults
  “Branches” are general categories [network threats, physical threats, component failures, etc.]
  Prune “branches” that do not apply
  Concentrate on remaining threats.

25 Risk mitigation options
Risk Acceptance
Risk Reduction
Risk Transference
Risk Avoidance

26 The right amount of security
Cost/Benefit analysis - balance cost of protection versus asset value
Need to assess:
Threats, Adversary, means, motives, and opportunity.
Vulnerabilities and Resulting risk
Risk tolerance

27 Countermeasures Selection Principles
Based on cost/benefit analysis, cost of safeguard
Selection and acquisition
Construction and placement
Environment modification
Nontrivial operating cost
Maintenance, testing
Potential side effects
Cost justified by potential loss
Accountability
–At least one person for each safeguard
–Associate directly with performance review
Absence of design secrecy

28 Countermeasures Selection Principles (Cont.)
Audit capability
–Must be testable
–Include auditors in design and implementation
Vendor Trustworthiness
–Review past performance
Independence of control and subject
–Safeguards control/constrain subjects
–Controllers administer safeguards
–Controllers and subject have different populations
Universal application
–Impose safeguards uniformly
–Minimize exceptions

29 Countermeasures Selection Principles (Cont.)
Compartmentalization and defense in depth
Role of Safeguards
–to improve security through layers
Isolation, economy, and least common mechanism
–Isolate from other safeguards
–Simple design is cost effective and reliable, etc
Acceptance and tolerance by personnel
–Care taken to avoid implementing controls that pose unreasonable constraints
–Less intrusive controls more acceptable
Minimize human intervention
–Reduce possibility of errors and “exceptions” by reducing reliance on administrative staff to maintain control

30 Countermeasures Selection Principles (Cont.)
Sustainability
Reaction and recovery
Countermeasures, when activated, should:
  Avoid asset destruction and stop further damage
  Prevent disclosure of sensitive information through a covert channel
  Maintain confidence in system security
  Capture information related to the attack and attacker
Override and fail-safe defaults
Residual and reset

31 Basis and Origin of Ethics
Religion, law, tradition, culture
National interest
Individual rights
Enlightened self interest
Common good/interest
Professional ethics/practices
Standards of good practice

32 Ethics
Formal ethical theories
–Teleology: Ethics in terms of goals, purposes, or ends
–Deontology: Ethical behavior is duty
Common ethical fallacies
–Computers are a game
–Law-abiding citizen, Gentlemanly conduct, Free information
–Shatterproof
–Candy-from-a-baby
–Hackers
Difficult to define
–Start with senior management

33 Professional Codes of ethics
Internet Activities Board (IAB)
–Any activity is unethical & unacceptable that purposely:
  Seeks to gain unauthorized access to the internet resources
  Disrupts the intended use of the internet
  Wastes resources through such actions
  Destroys the integrity of computer-based information
  Compromises the privacy of users
  Involves negligence in the conduct of internet-wide experiments
ACM and IEEE (look them up)
(ISC)2
–Protect society, the commonwealth, and the infrastructure
–Provide diligent and competent services to principals, etc
Auditors
Professional codes may have legal importance

