Introduction to Information Security Management
Slide 1. Introduction to Information Security Management
CIS 8080 Security and Privacy of Information and Information Systems
Richard Baskerville, Georgia State University

Slide 2. Principles: Information Security Management Assumptions
- First Principle: T-F-O model of information security
- Second Principle: Incident-centered security management

Slide 3. Theory of Secure Information Systems
Hoffman, L., Michelman, E., and Clements, D. "SECURATE - Security evaluation and analysis using fuzzy metrics," in: AFIPS National Computer Conference Proceedings, 1978, pp. 531-540.
The natural relationship involves the association of potential intrusion activities with each member of the set of system objects. These threat-object relations define a set of edges T_i O_j that manifest the components of insecurity or risk in systems.
[Diagram: threats T_1, T_2, T_3, T_4, ..., T_n connected by direct edges to objects O_1, O_2, O_3, ..., O_m (the T-O model)]

Slide 4. Theory of Secure Information Systems
The relationship between a set of system objects (each with a loss value), a set of threats (each with a likelihood), and a set of system security features (each with a resistance). In a protected system, all edges are instead prescribed in the form T_i F_k and F_k O_j, which represents the insertion of security features between threats and system objects.
[Diagram: threats T_1, ..., T_n connected to features F_1, F_2, F_3, ..., F_l, which in turn connect to objects O_1, ..., O_m (the T-F-O model)]
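The following is an added worked example of the T-F-O graph described on slides 3 and 4; it is not code from the slides or from the SECURATE paper. It models threats with a likelihood, objects with a loss value and features with a resistance, lets a feature be inserted between a threat and an object (replacing the direct T_i O_j edge with T_i F_k and F_k O_j), and computes expected loss before and after. The combination rule (expected loss = likelihood × product of (1 - resistance) over the features in the path × loss, with several features on one path treated as layered defences) and the sample threats, objects and numbers are assumptions chosen for illustration; SECURATE itself uses fuzzy metrics. The edge count also illustrates the "double-edged complexity" point of slide 25: the protected graph has more edges than the unprotected one.

```python
"""Toy T-F-O (threat-feature-object) risk model.

Added illustration, not code from the course slides or from Hoffman et al.
The scoring rule and the sample data below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # chance the threat is attempted, 0..1 (assumed semantics)


@dataclass(frozen=True)
class SecurityObject:
    name: str
    loss: float  # loss value if the object is compromised, arbitrary units


@dataclass(frozen=True)
class Feature:
    name: str
    resistance: float  # fraction of attempts the feature stops, 0..1 (assumed semantics)


@dataclass
class TFOModel:
    threats: dict[str, Threat] = field(default_factory=dict)
    objects: dict[str, SecurityObject] = field(default_factory=dict)
    features: dict[str, Feature] = field(default_factory=dict)
    to_edges: set[tuple[str, str]] = field(default_factory=set)  # T_i -> O_j, unprotected
    tf_edges: set[tuple[str, str]] = field(default_factory=set)  # T_i -> F_k
    fo_edges: set[tuple[str, str]] = field(default_factory=set)  # F_k -> O_j

    def expose(self, threat: str, obj: str) -> None:
        """Natural relationship (slide 3): the threat reaches the object directly."""
        self.to_edges.add((threat, obj))

    def insert_feature(self, threat: str, feature: str, obj: str) -> None:
        """Protected relationship (slide 4): replace T_i O_j with T_i F_k and F_k O_j."""
        self.to_edges.discard((threat, obj))
        self.tf_edges.add((threat, feature))
        self.fo_edges.add((feature, obj))

    def features_between(self, threat: str, obj: str) -> list[str]:
        """Features F_k with both a T_i F_k and an F_k O_j edge for this pair."""
        return sorted(f for (t, f) in self.tf_edges
                      if t == threat and (f, obj) in self.fo_edges)

    def exposure(self, threat: str, obj: str) -> float:
        """Expected loss from one threat against one object (assumed rule)."""
        t, o = self.threats[threat], self.objects[obj]
        if (threat, obj) in self.to_edges:
            return t.likelihood * o.loss  # nothing stands between them
        feats = self.features_between(threat, obj)
        if not feats:
            return 0.0  # no path at all: the threat cannot reach the object
        passthrough = 1.0
        for f in feats:  # layered features: an attempt must get past each one
            passthrough *= 1.0 - self.features[f].resistance
        return t.likelihood * passthrough * o.loss

    def total_exposure(self) -> float:
        return sum(self.exposure(t, o) for t in self.threats for o in self.objects)

    def edge_count(self) -> int:
        """Graph size, the 'complexity' that protection adds (slide 25)."""
        return len(self.to_edges) + len(self.tf_edges) + len(self.fo_edges)


def build_example() -> dict[str, dict[str, float]]:
    """Constructed sample: two threats, two objects, two features (all values assumed)."""
    m = TFOModel()
    for t in (Threat("malware", 0.6), Threat("physical_theft", 0.1)):
        m.threats[t.name] = t
    for o in (SecurityObject("customer_db", 100.0), SecurityObject("workstation", 10.0)):
        m.objects[o.name] = o
    for f in (Feature("antimalware", 0.8), Feature("door_lock", 0.9)):
        m.features[f.name] = f
    for t in m.threats:          # slide 3: every threat reaches every object
        for o in m.objects:
            m.expose(t, o)
    before = {"exposure": m.total_exposure(), "edges": m.edge_count()}
    # slide 4: insert features between the two threats and the high-loss object
    m.insert_feature("malware", "antimalware", "customer_db")
    m.insert_feature("physical_theft", "door_lock", "customer_db")
    after = {"exposure": m.total_exposure(), "edges": m.edge_count()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = build_example()
    print("unprotected:", result["before"])  # exposure 77.0 over 4 edges
    print("protected:  ", result["after"])   # exposure 20.0 over 6 edges
```

In the sample, protecting only the customer database cuts expected loss from 77 to 20 while the graph grows from four edges to six: the workstation edges stay unprotected, which is the kind of residual exposure a risk review should surface, and the extra feature nodes are the added complexity that must itself be managed.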

Slide 5. Security Objects
[Diagram: the T-F-O model with the objects O_1, ..., O_m highlighted]

Slide 6. Types of Security Objects
- Physical Assets
  - Computers and communications machinery
  - Attacked with physical assaults
- Soft Assets
  - Protocols and software
  - Attacked with cracking and malicious code
- Psychic Assets
  - Perceptions and information
  - Attacked with data falsification

Slide 7. Security Threats
[Diagram: the T-F-O model with the threats T_1, ..., T_n highlighted]

Slide 8. Security Incidents
Source: Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 24, http://www.pwc.com/gx/en/issues/cyber-security/information-securitysurvey/download.html

Slide 9. Sources of Cyberthreats
Source: US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey, PricewaterhouseCoopers, p. 4

Slide 10. Frequency of Data Breach Patterns
Source: Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 31

Slide 11. Malicious Spam
Source: Cisco 2015 Annual Security Report, pp. 24-26. http://www.cisco.com/web/offer/gist_ty2_asset/cisco_2014_asr.pdf

Slide 12. Vulnerability: Expertise
Source: ISACA 2015 Global Cybersecurity Status Report, www.isaca.org/cybersecurityreport

Slide 13. Industry Victims
Source: Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 5

Slide 14. Cost of Information Security
Source: Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 25, http://www.pwc.com/gx/en/issues/cyber-security/information-securitysurvey/download.html

Slide 15. Cost per Compromised Record
Source: Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 28

Slide 16. Contrasts: Insider or Outsider?

Slide 17. Data Breach Actors
Source: Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 4

Slide 18. Sources of Security Incidents
Source: Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 24, http://www.pwc.com/gx/en/issues/cyber-security/information-securitysurvey/download.html

Slide 19. Contrasts: Mobile/IoT Risks?

Slide 20. Non-adnoyance Mobile Malware Infections
Source: Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 19

Slide 21. Attacks on IoT Devices & Systems
Source: Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 11, http://www.pwc.com/gx/en/issues/cyber-security/information-securitysurvey/download.html

Slide 22. Security Features
[Diagram: the T-F-O model with the features F_1, ..., F_l highlighted]

Slide 23. Security Features
- International Treaties
- Standards: CobiT, ISO 27002, ISO 27001, NIST
- Laws
- Institutions
- Security Policies & Organizations
- Practices & Safeguards

Slide 24. Regulatory Compliance Improves Security
Applicable regulations from: 2010/2011 CSI Computer Security Survey

Slide 25. Double-Edged Complexity
[Diagram: the unprotected T-O graph of slide 3 shown beside the protected T-F-O graph of slide 4]

Slide 26. Incident-Centered Security Management
Baskerville, R., Spagnoletti, P., and Kim, J. 2014. "Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response," Information & Management (51:1), pp. 138-151.
[Diagram: a timeline t divided into LEFT OF BANG and RIGHT OF BANG]
Prof. Merrill Warkentin of Mississippi State University recognized the conceptual value of this IED management approach for general security management.

Slide 27. Modes of Protection
[Diagram: timeline t with Prevention before the incident and Response after it]

Slide 28. Different Action Paradigms
[Diagram: timeline t with Risk Management before the incident and Forensics and Incident Response after it]

Slide 29. Model Assumptions

Slide 30. Logical Structure of Models

Slide 31. Organizing Principles

Slide 32. Interaction of Left & Right Paradigms
[Diagram: Left of Incident and Right of Incident, with the labels Indications & Warnings; Prevent; Refine; Information System Resource; Contain, Recover, Harden; Threat; Incident; Detect; Respond; Deter; Legislate & Policy Setting; Investigate, Notify, Sue, Prosecute, Retaliate]
Adapted from Denning, D. E. (1999). Information Warfare and Security. Reading, Mass.: Addison-Wesley.

Slide 33. Incidents
[Diagram: timeline t with Prevention before the incident and Recovery after it]

Slide 34. Introduction to Information Security Management
CIS 8080 Security and Privacy of Information and Information Systems
Richard Baskerville, Georgia State University