Computer Security course

Similar documents
Computer Security Lecture 13

Computer Security: Principles and Practice

/ BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE. By Melbourne IT Enterprise Services

Information Security: Business Assurance Guidelines

Four Top Emagined Security Services

Risk Management Policy

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

Information Security Services

UoB Risk Assessment Methodology

ISMS Implementation Guide

Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.

Preparing for the HIPAA Security Rule

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Evaluation: Designs and Approaches

Information Security Guideline for NSW Government Part 1 Information Security Risk Management

Risk Management Guide for Information Technology Systems. NIST SP Overview

RISK MANAGEMENT FOR INFRASTRUCTURE

How small and medium-sized enterprises can formulate an information security management system

NIST National Institute of Standards and Technology

The new Family of Standards & ISO/IEC 27001

ISO Information Security Management Systems Foundation

ISO IEC ( ) TRANSLATED INTO PLAIN ENGLISH

Information Services IT Security Policies B. Business continuity management and planning

Analyzing Risks in Healthcare. February 12, 2014

Security Officer s Checklist in a Sourcing Deal

Information security risk management using ISO/IEC 27005:2008

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

(Instructor-led; 3 Days)

Performing Effective Risk Assessments Dos and Don ts

IS INFORMATION SECURITY POLICY

DISASTER RECOVERY PLAN

Information Security Awareness Training

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

SECURITY RISK MANAGEMENT

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

How to implement an ISO/IEC information security management system

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Managing internet security

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

Information Security Incident Management Policy and Procedure

Security Controls What Works. Southside Virginia Community College: Security Awareness

Social Media Policy For Staff

SCHOOL ONLINE SAFETY SELF REVIEW TOOL

Website Maintenance Information For My Clients Bob Spies, Flying Seal Systems, LLC Updated: 08- Nov- 2015

Table of Contents... 1

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

Towards Continuous Information Security Audit

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology

CMS Information Security Risk Assessment (RA) Methodology

Office of Inspector General

Network Security: Policies and Guidelines for Effective Network Management

FACT SHEET: Ransomware and HIPAA

SCDHSC0032 Promote health, safety and security in the work setting

Information Security Team

Why organizations need to archive ? The underlying reasons why corporate archiving is important

Can Your Diocese Afford to Fail a HIPAA Audit?

IMPLEMENTATION DETAILS

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand

Risk Management Policy and Framework

HIPAA Security Risk Analysis and Risk Management Methodology with Step-by-Step Instructions

Guide to Vulnerability Management for Small Companies

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

FINAL May Guideline on Security Systems for Safeguarding Customer Information

ISO27001 Controls and Objectives

ITIL and Business Continuity (Service Perspective)

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

V1.0 - Eurojuris ISO 9001:2008 Certified

AfDB New Procurement Policy: Training Program for the Bank s Procurement Staff. Risk-based design of Procurement Arrangements - Introduction

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5),

Security Incident Procedures Response and Reporting Policy

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

WHITE PAPER. Mitigate BPO Security Issues

A Risk Management Standard

Data Protection Breach Management Policy

Developing National Frameworks & Engaging the Private Sector

Data Security Breach Incident Management Policy

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

VULNERABILITY MANAGEMENT AND RESEARCH PENETRATION TESTING OVERVIEW

Information security PROVIDING PERSONAL AND PROFESSIONAL DEVLOMENT FOR IT LEADERS

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014

SEC s Cybersecurity Risk Alert Part 2 of 3

IT Security Management Risk Analysis and Controls

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

RISK ASSESSMENT GUIDELINES

The potential legal consequences of a personal data breach

Data Security Best Practices & Reasonable Methods

Appendix 3 - Joint FRS Information Security & Assurance Sub Group Action Plan

NSW Government Digital Information Security Policy

Operational Risk Publication Date: May Operational Risk... 3

Transcription:

Computer Security course Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden

Security Management Overview Security requirements means asking what assets do we need to protect? how are those assets threatened? what can we do to counter those threats? IT Security management means determine security objectives and risk profile perform security risk assessment of assets select, implement, monitor controls

IT Security Management IT Security Management: a process used to achieve and maintain appropriate levels of security (including confidentiality, integrity, availability, accountability, authenticity and reliability.) IT security management functions include: determining organizational IT security objectives, strategies, policies and security requirements identifying and analyzing security threats to IT assets identifying and analyzing risks specifying appropriate safeguards implementation and operation of safeguards developing and implement a security awareness program incident handling

ISO 27000 Security Standards ISO27000 ISO27001 ISO27002 (ISO17799) ISO27003 ISO27004 ISO27005 ISO13335 a proposed standard which will define the vocabu lary and definitions used in the 27000 family of standards. defines the information security management system specification and requirements against which organizations are formally certified. It replaces the older Australian and British national standards AS7799.2 and BS7799.2. currently published and better known as ISO17799, this standard specifies a code of practice detailing a comprehens ive set of information security control objectives and a m enu of best-practice security controls. It replaces the older Australian and British national standards AS7799.1 and BS7799.1. a proposed standard containing implementation guidance on the use of the 27000 series of standards following the Plan-Do-Check-Act process quality cycle. Publication is proposed for late 2008. a draft standard on information security management measurement to help organizations measure and repo rt the effectiveness of their information security management systems. It will address both the security management processes and con trols. Publication is proposed for 2007. a proposed standard on information security risk management. It will replace the recently released British national standard BS7799.3. Publication is proposed for 2008/9. provides guidance on the management of IT security. This standard comprises a number of parts. Part 1 defines concepts and models for information and communications techno logy security management. Part 2, currently in draft, will provide operational guidance on ICT security. These replace the older series of 5 technical reports ISO/IEC TR 13335 parts 1-5.

Risk assessment approaches Baseline approach Implements a basic general level of security controls and industry best practice ( best effort ) identify likelihood of risk and consequences hence have confidence controls appropriate Informal approach Some kind of informal, pragmatic risk analysis (mainly for SMEs), cheap and fast Detailed risk analysis uses a formal structured process Combined approach

Detailed Risk Analysis most comprehensive alternative assess using formal structured process with a number of stages identify likelihood of risk and consequences hence have confidence controls appropriate costly and slow, requires expert analysts may be a legal requirement to use suitable for large organizations with IT systems critical to their business objectives

Detailed Risk Analysis Process - outline Prepare/check status Identify threat sources Identify vulnerabilities Determine likelihood Determine impact (consequences) Determine risk Take action

Risk Assessment Process

Establish Context determine the broad risk exposure of the organisation related to wider political / social environment and legal and regulatory constraints provide baseline for organization s risk exposure specify organization s risk appetite set boundaries of risk assessment partly based on risk assessment approach used decide on risk assessment criteria used

Asset Identification identify assets anything which needs to be protected items of value to organization to meet its objectives tangible or intangible in practice try to identify significant assets draw on expertise of people in relevant areas of organization to identify key assets identify and interview such personnel see checklists in various standards

Threat Identification threats are anything that hinders or prevents an asset to provide the appropriate levels of the key security services: confidentiality, integrity, availability, accountability, authenticity and reliability to identify threats or risks to assets, ask 1. who or what could cause it harm? 2. how could this occur? assets may have multiple threats

Threat Identification Consider reasons and capabilities for human threat sources motivation (why?, goals, rewards) capability (skill) resources (time, tools, money, etc) deterrence (e.g. possible lawsuit) probability of an attack (ab. the combination of the above)

Vulnerability Identification identify exploitable flaws or weaknesses in organization s IT systems or processes hence determine applicability and significance of threat to organization note that you need a combination of a threat and a vulnerability to create a risk to an asset use lists of potential vulnerabilities in standards etc

Analyse Risks specify likelihood of occurrence of each identified threat to asset given existing controls management, operational, technical processes and procedures to reduce risk exposure specify consequence should the threat occur hence derive overall risk rating for each threat: risk = probability threat occurs x cost to organization in practice very hard to determine probabilities exactly, thus you may need to use qualitative (rather than quantitative) ratings for each aim to order resulting risks in order to treat them

Determine Likelihood Rating Likelihood Expanded Definition Description 1 Rare May occur only in exceptional circumstances and may deemed as unlucky or very unlikely. 2 Unlikely Could occur at some time but not expected given current controls, circumstances, and recent events. 3 Possible Might occur at some time, but just as likely as not. It may be difficult to control its occurrence due to external influences. 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later.

Determine Consequence Rating Consequence Expanded Definition. 1 Insignificant Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expend iture to rectify. 2 Minor Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can gene rally be rectified within project or team resources. 3 Moderate Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome. 4 Major Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and co mpliance costs are expected to be substantial. Loss of business or organizational outcomes is possible, but not expected, especially if this is a once off. 5 Catastrophic Major systemic security breach. Impact will last for 3 months or more and senior management will be requ ired to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely. 6 Doomsday Multiple instances of major systemic security breaches. Impact duration cannot be de termined and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management is expected, and sub stantial loss of bus iness and failure to meet organizational objectives is unavo idable.

Determine Resultant Risk Level Consequences Likelihood Doomsday Catastrophic Major Moderate Minor Insignificant Almost E E E E H H Certain Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L Risk Level Extreme (E) High (H) Medium (M) Low (L) Description Will require detailed research and management planning at an execu tive/director level. Ongoing planning and monitoring will be requ ired with regular reviews. Substantial adjustment of controls to manage the risk are expected, with costs possibly exceeding original forecasts. Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though ad justment of controls are likely to be met from within existing resources. Can be managed by ex isting specific monitoring and response p rocedures. Management by e mployees is suitable with appropriate monitoring and reviews. Can be managed through routine procedures.

Document in Risk Register and Evaluate Risks Asset Internet Router Destruction of Data Center Threat/ Vulnerability Outside Hacker attack Accidental Fire or Flood Existing Controls Admin password only None (no disaster recovery plan) Likelihood Consequence Level of Risk Risk Priority Possible Moderate High 1 Unlikely Major High 2

Risk Treatment Alternatives

Risk Treatment Alternatives Three major alternatives for risk treatment: risk acceptance take the risk risk avoidance do not do it risk transferral insure yourself, look for partners Plus two alternatives that are really normal security measures: reduce consequence back-ups, recovery plans reduce likelihood better security mechanisms and controls

Summary risk assessment is an important part of the IT security management process detailed risk assessment process involves context including asset identification identify threats, vulnerabilities, risks analyse and evaluate risks deal with the risk assessment correctly

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information