Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP.

Published byLorraine Rosalind Chambers Modified over 9 years ago

Similar presentations

Presentation on theme: "CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP."— Presentation transcript:

1 CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP

2 Source  Chapter 2 – Risk Management in Olzak, T. (2012). Enterprise security: A practitioner's guide. Chicago, Illinois: InfoSec Institute.

3 Threat Modeling

4  Requires a baseline assessment  ISRM Process Steps  Assess  System Definition  Threat identification  Vulnerability identification  Attack path controls assessment  Impact analysis  Risk determination  Controls recommendations

5 Threat Modeling  ISRM Process Steps (cont’)  Mitigate  Action plan and proposal creation/presentation  Implement controls  Manage  Measure and adjust

6 Attack Trees  Trace probable attack path for a threat (new or existing)  Check for existing vulnerabilities along the path  Determine risk  Design controls or processes to reduce risk  Apply controls and processes  Verify with attack tree analysis

7 Attack Tree Example

8

9

10 Software Testing

11 Types of Testing Unit Development team Usually use “buddy checking” Quality Assurance (QA) Formal test plan Test against functional requirements User Acceptance Users verify that they will get what they expect Post Implementation Check Verify that all technical requirements, including security, were met

12 Audits

13 Purpose of Audits  Not the same as risk assessments, penetration tests, or vulnerability scans  Ensure outcomes match management’s expectations as specified in policy, standards, and guidelines  Auditors and security personnel must work together; avoid adversarial relationship  Internal audits often only check financial issues (e.g., SOX compliance).

14 Sample Termination Audit 1.Select a target application (financials, Active Directory, etc.). 2.Obtain from the HR system a list of all job terminations since the last audit. (A terminated employee is one who left the company for any reason.) 3.Randomly select 25% of the termination set. 4.Check to ensure terminations were properly managed according to policy for the target application 5.If more than n terminations were missed, mark the key control for the target application as failed. (The value of n depends on the size of the tested population set. The larger the test population, the more failures audit teams will accept.)

15 Audit Frequency  Frequency depends on  Data classification  Results of past audits  Management’s appetite for risk

16 And again…  Be sure to read ALL assigned reading. Your success in this class depends on it.

Download ppt "CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP."

Similar presentations

QA Programs for Local Health Departments

QA Programs for Local Health Departments
CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 2 Tom Olzak, MBA, CISSP.

CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 2 Tom Olzak, MBA, CISSP.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.

Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
Investment Appraisal and Management Chapter 1 The Role of Project Evaluation.

Investment Appraisal and Management Chapter 1 The Role of Project Evaluation.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Fox & Sons Company: IT Change Management Policy Presentation Britt Bouknight Caitlyn Carney Xiaoyue Jiu Abey P John David Lanter Leonardo Serrano.

Fox & Sons Company: IT Change Management Policy Presentation Britt Bouknight Caitlyn Carney Xiaoyue Jiu Abey P John David Lanter Leonardo Serrano.
Network security policy: best practices

Network security policy: best practices
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Introduction to Network Defense

Introduction to Network Defense
Planning an Internal Audit JM García Merced. Brainstorm.

Planning an Internal Audit JM García Merced. Brainstorm.
Software Project Management

Software Project Management
CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 4 Tom Olzak, MBA, CISSP.

CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 4 Tom Olzak, MBA, CISSP.

Similar presentations

Ads by Google