![Page 1: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/1.jpg)
Information Security and Its Impact on Business
Prof. Chi-Chun Lo
National Chiao-Tung University
Oct. 5, 2006
INTRODUCTION
What if someone asks your CEO "How Secure is Your Corporation?"
• One foot in ice water and one foot in boiling water does not mean that on average you are at room temperature.
– Corporations are not monolithic, and all parts of the business don't have (or necessarily need) the same level of security
– Security is not an end state, nor can it be judged by measuring any single variable at any single point in time
Selling Security is Still a Challenge
• Is the glass half empty, or is it half full?
• Security is like the brakes on your car.
– Their function is to slow you down
– But their purpose is to allow you to go fast.
Bill Malick, Gartner
Scope of Security
• System Security - Mostly Technical Issues - Hardware & Software Solutions, e.g., Cryptography, Protocol, Security System etc.
• Information Security - Mostly Managerial Issues - Business Solutions, e.g., Organization, Culture (Behavior), Policy, Risk Management, Standards, Legal Rights etc.
Causes of Information Damage
[Three pie charts; labels and values as shown on the slide:]
• Common causes of damage: Human error 52%, Dishonest people 10%, Technical sabotage 10%, Fire 15%, Water 10%, Terrorism 3%
• Who causes damage: Current employees 81%, Outsiders 13%, Former employees 6%
• Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%
Information Security
• High dependence on information as a contributing factor of success or failure created the need for information security and control
• Information security definition:
“preservation of confidentiality, integrity and availability of information and information systems”
• The objective of information security is to ensure the continuity of business management and to reduce interruptions of business by preventing and minimizing the consequences of security incidents. Information security relates to all controls aimed at protecting the availability, integrity and confidentiality of information
Information Security Components
• Reliability
• Confidentiality / Exclusivity
• Integrity
• Availability
The degree to which the organization can depend upon an information system for its provision of information
Business Model for Information Security
[Diagram. Nodes: Threats, Vulnerabilities, Assets, Confidentiality, Integrity, Availability, Business Impacts, Business Risks, Controls, Assurance, Identity Mgmt, Legislation. Edge labels: exploit, exposing, to a loss of, causing, which are mitigated by, which protect against, which require, reduce.]
Security Systems Development Life Cycle (SSDLC)
• A systematic way of providing information security
• Phases:
– Phase 1: Investigation, including policy and procedure etc.
– Phase 2: Analysis, including risk management etc.
– Phase 3: Logical Design, including standards etc.
– Phase 4: Physical Design, including technology selection etc.
– Phase 5: Implementation
– Phase 6: Maintenance and Change
POLICY and PROCEDURE
Policy and Procedure
• A policy is typically a document that outlines specific requirements or rules that must be met.
• In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
• A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone.
– For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network.
– People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
• A guideline is typically a collection of system specific or procedural specific “suggestions” for best practice.
– They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.
A Security Policy Framework
• Policies define appropriate behavior.
• Policies set the stage in terms of what tools and procedures are needed.
• Policies communicate a consensus.
• Policies provide a foundation for HR action in response to inappropriate behavior.
• Policies may help prosecute cases.
Importance of Security Policies
• Security policies are an absolute must for any organization.
• They provide the virtual glue to hold it all together.
• Policies lay the ground-work.
• Imagine a small city that did not have any rules. What would life be like? The same applies to your organization.
Who and What to Trust
• Trust is a major principle underlying the development of security policies.
• Initial step is to determine who gets access.
• Deciding on level of trust is a delicate balancing act.
• Too much trust may lead to eventual security problems
• Too little trust may make it difficult to find and keep employees or get jobs done
• How much should you trust people regarding their access or usage of computer and network resources?
Possible Trust Models
• Trust everyone all of the time:
– easiest to enforce, but impractical
– one bad apple can ruin the whole barrel
• Trust no one at any time:
– most restrictive, but also impractical
– difficult to staff positions
• Trust some people some of the time:
– exercise caution in amount of trust given
– access is given out as needed
– technical controls are needed to ensure trust is not violated
Why the Political Turmoil?
• People view policies as:
– an impediment to productivity
– measures to control behavior
• People have different views about the need for security controls.
• People fear policies will be difficult to follow and implement.
• Policies affect everyone within the organization.
Who Should Be Concerned?
• Users - policies will affect them the most.
• System support personnel - they will be required to implement, comply with and support the policies.
• Managers - they are concerned about protection of data and the associated cost of the policy.
• Company lawyers and auditors - they are concerned about company reputation, responsibility to clients/customers.
The Policy Design Process
• Choose the policy development team.
• Designate a person or a group to serve as the official policy interpreter.
• Decide on the scope and goals of the policy.
– Scope should be a statement about who is covered by the policy.
• Decide on how specific to make the policy
– not meant to be a detailed implementation plan
– don't include facts which change frequently
The Policy Design Process
• A sample of people affected by the policy should be provided an opportunity to review and comment.
• A sampling of the support staff affected by the policy should have an opportunity to review it.
• Incorporate policy awareness as a part of employee orientation.
• Provide a refresher overview course on policies once or twice a year.
Basic Policy Requirements
• Policies must:
– be implementable and enforceable
– be concise and easy to understand
– balance protection with productivity
• Policies should:
– state reasons why policy is needed
– describe what is covered by the policies
– define contacts and responsibilities
– discuss how violations will be handled
Level of Control
• Security needs and culture play a major role.
• Security policies MUST balance level of control with level of productivity.
• If policies are too restrictive, people will find ways to circumvent controls.
• Technical controls are not always possible.
• You must have management commitment on the level of control.
Policy Structure
• Dependent on company size and goals.
• One large document or several small ones?
– smaller documents are easier to maintain/update
• Some policies appropriate for every site, others are specific to certain environments.
• Some key policies:
– acceptable use
– remote access
– information protection
– perimeter security
– baseline host/device security
The Acceptable Use Policy
• Discusses and defines the appropriate use of the computing resources.
• Users should be required to read and sign the account usage policy as part of the account request process.
• A key policy that all sites should have.
Remote Access Policy
• Outlines and defines acceptable methods of remotely connecting to the internal network.
• Essential in large organizations where networks are geographically dispersed and even extend into homes.
• Should cover all available methods to remotely access internal resources:
– dial-in (SLIP, PPP)
– ISDN/frame relay
– telnet/ssh access from internet
– cable modem/VPN/DSL
Information Protection Policy
• Provides guidelines to users on the processing, storage and transmission of sensitive information.
• Main goal is to ensure information is appropriately protected from modification or disclosure.
• May be appropriate to have new employees sign policy as part of their initial orientation.
• Should define sensitivity levels of information.
The Perimeter Security Policy
• Describes, in general, how perimeter security is maintained.
• Describes who is responsible for maintaining it.
• Describes how hardware and software changes to perimeter security devices are managed and how changes are requested and approved.
Virus Protection and Prevention Policy
• Provides baseline requirements for the use of virus protection software.
• Provides guidelines for reporting and containing virus infections.
• Provides guidelines for several levels of virus risk.
• Should discuss requirements for scanning email attachments.
• Should discuss policy for the download and installation of public domain software.
Virus Protection and Prevention Policy
• Should discuss frequency of virus data file updates.
• Should discuss testing procedures for installation of new software.
Password Policy
• Provides guidelines for how user level and system level passwords are managed and changed.
• Discusses password construction rules.
• Provides guidelines for how passwords are protected from disclosure.
• Discusses application development guidelines for when passwords are needed.
• Discusses the use of SNMP community strings and pass-phrases.
Other Important Policies
• A policy which addresses forwarding of email to offsite addresses.
• A policy which addresses wireless networks.
• A policy which addresses baseline lab security standards.
• A policy which addresses baseline router configuration parameters.
• A policy which addresses requirements for installing devices on a dirty network.
Security Procedures
• Policies only define "what" is to be protected.
• Procedures define "how" to protect resources and are the mechanisms to enforce policy.
• Procedures define detailed actions to take for specific incidents.
• Procedures provide a quick reference in times of crisis.
• Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).
Configuration Management Procedure
• Defines how new hardware/software is tested and installed.
• Defines how hardware/software changes are documented.
• Defines who must be informed when hardware and software changes occur.
• Defines who has authority to make hardware and software configuration changes.
Data Backup and Off-site Storage Procedures
• Defines which file systems are backed up.
• Defines how often backups are performed.
• Defines how often storage media is rotated.
• Defines how often backups are stored off-site.
• Defines how storage media is labeled and documented.
Incident Handling Procedure
• Defines how to handle anomaly investigation and intruder attacks.
• Defines areas of responsibilities for members of the response team.
• Defines what information to record and track.
• Defines who to notify and when.
• Defines who can release information and the procedure for releasing the information.
• Defines how a follow-up analysis should be performed and who will participate.
RISK MANAGEMENT
Risk
Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.
What is Risk
• A definable event
• Probability of occurrence
• Impact of occurrence
• A risk occurs when the problem happens
• Loss expectancy that a threat might exploit a vulnerability.
Relationship among different security components
[Diagram: a Threat Agent gives rise to a Threat, which exploits a Vulnerability, which leads to a Risk, which can damage an Asset and causes an Exposure, which can be countermeasured by a Safeguard, which directly affects the Threat Agent.]
Risk
Well-Formed Risk Statement
• Asset: What are you trying to protect?
• Threat: What are you afraid of happening?
• Vulnerability: How could the threat occur?
• Mitigation: What is currently reducing the risk?
• Impact: What is the impact to the business?
• Probability: How likely is the threat given the controls?
Vulnerability Identification
• Vulnerability – is a software, hardware, or procedural weakness that may provide an attacker the open door to enter a system.
• Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities
• Examine how each threat could be perpetrated and list organization's assets and vulnerabilities
• Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions
• At the end of risk identification process, list of assets and their vulnerabilities is achieved
Risk Mitigation
• Understand security risk
• Understand technology
• Accept risk
– Documentation of risk acceptance is a form of mitigation.
• Defer or transfer risk
– Insurance
• Mitigate risk
– Technology can mitigate risk
Risk Management Process
How to Develop a Security Risk Management Process?
• Security risk management process:
– A process for identifying, prioritizing, and managing risk to an acceptable level within the organization
• Developing a formal security risk management process must address the following:
– Threat response time
– Regulatory compliance
– Infrastructure management costs
– Risk identification and assessment (prioritization)
Successful Factors for Security Risk Management Process
Key factors to implementing a successful security risk management process include:
– Executive sponsorship
– Well-defined list of risk management stakeholders
– Organizational maturity in terms of risk management
– An atmosphere of open communications and teamwork
– A holistic view of the organization
– Security risk management team’s authority
Risk Management Process
[Cycle diagram with four phases:]
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness
Risk Assessment Flowchart
[Flowchart: Input → Risk Assessment Activities → Output, per step]
Step 1. System Characterization
– Input: Hardware / Software, System interfaces, Data and information, People, System mission
– Output: System Boundary, System Functions, System and Data Criticality, System and Data Sensitivity
Step 2. Threat Identification
– Input: History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
– Output: Threat Statement
Step 3. Vulnerability Identification
– Input: Reports from prior risk assessments, Any audit comments, Security requirements, Security test results
– Output: List of Potential Vulnerabilities
Step 4. Control Analysis
– Input: Current controls, Planned controls
– Output: List of Current and Planned Controls
Step 5. Likelihood Determination
– Input: Threat-source motivation, Threat capacity, Nature of vulnerability, Current controls
– Output: Likelihood Rating
Step 6. Impact Analysis (Loss of Integrity, Loss of Availability, Loss of Confidentiality)
– Input: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity
– Output: Impact Rating
Step 7. Risk Determination
– Input: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned or current controls
– Output: Risks and Associated Risk Levels
Step 8. Control Recommendations
– Output: Recommended Controls
Step 9. Results Documentation
– Output: Risk Assessment Report
Risk Mitigation Flowchart
[Flowchart: Input → Risk Mitigation Activities → Output, per step]
Step 1. Prioritize Actions
– Input: Risk levels from the risk assessment report
– Output: Actions ranking from High to Low
Step 2. Evaluate Recommended Control Options (Feasibility, Associated costs)
– Input: Risk assessment report
– Output: List of possible controls
Step 3. Conduct Cost-Benefit Analysis (Impact of implementing, Impact of not implementing, Associated costs)
– Output: Cost-benefit analysis
Step 4. Select Controls
– Output: Selected Controls
Step 5. Assign Responsibility
– Output: List of responsible persons
Step 6. Develop Safeguard Implementation Plan
– Plan contents: Risks and Associated Risk Levels, Prioritized Actions, Recommended Controls, Selected Planned Controls, Responsible Persons, Start Date, Target Completion Date, Maintenance Requirements
– Output: Safeguard implementation plan
Step 7. Implement Selected Controls
– Output: Residual Risks
Risk Analysis Method
Risk Management vs. Risk Analysis (Identification + Assessment)
• Goal: Risk Management – manage risks across business to acceptable level; Risk Analysis – identify and prioritize risks
• Cycle: Risk Management – overall program across all four phases; Risk Analysis – single phase of risk management program
• Schedule: Risk Management – scheduled activity; Risk Analysis – continuous activity
• Alignment: Risk Management – aligned with budgeting cycles; Risk Analysis – not applicable
Risk Analysis Method
Two types of risk analysis:
– Quantitative – attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place
– Qualitative – an analysis that judges an organization's risk to threats based on judgment, intuition, and experience, versus assigning real numbers to these possible risks and their potential loss; e.g., Analytical Hierarchy Process (AHP)
Steps of Quantitative Risk Analysis
• Assign value to information assets (tangible and intangible)
• Estimate potential loss per risk
• Perform a threat analysis
• Derive the overall loss potential per risk
• Choose safeguards / countermeasures for each risk
• Determine risk response (e.g. mitigation, avoidance, acceptance)
Quantitative Risk Analysis
• Exposure Factor (EF) = Percentage of asset loss caused by identified threat; ranges from 0 to 100%
• Single Loss Expectancy (SLE) = Asset Value x Exposure Factor; $1,000,000 @ 10% exposure factor = $100,000
• Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year, characterized on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50
• Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence
• Safeguard cost/benefit analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
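A worked version of the EF / SLE / ARO / ALE chain and the safeguard cost/benefit rule above, added here as an example (it is not code from the original slides). It uses the slide's own figures ($1,000,000 asset, 10% exposure factor, one occurrence in ten years); the three safeguard options, their annual costs and the residual exposure they leave behind are constructed assumptions for illustration.

```python
"""EF, SLE, ARO, ALE and safeguard value, worked through in code.

Added example, not part of the original slides. The asset value, exposure
factor and ARO below are the slide's figures; the safeguard options are
constructed assumptions for illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor; EF is a fraction between 0 and 1 (0-100%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0% and 100%")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO = expected occurrences per year (once in 10 years -> 0.1; 50 per year -> 50)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the exposure factor / ARO that remain once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def safeguard_value(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """The slide's rule: (ALE before) - (ALE after) - (annual cost of safeguard)."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.residual_ef), safeguard.residual_aro
    )
    return ale_before - ale_after - safeguard.annual_cost


def worth_implementing(asset_value: float, ef: float, aro: float, safeguards) -> list:
    """Names of safeguards whose value to the company is positive, best first."""
    scored = [(safeguard_value(asset_value, ef, aro, s), s.name) for s in safeguards]
    return [name for value, name in sorted(scored, reverse=True) if value > 0]


# Figures from the slide
ASSET_VALUE = 1_000_000.0
EXPOSURE_FACTOR = 0.10                          # 10% of the asset lost per incident
ARO = annualized_rate_of_occurrence(1, 10)      # once in ten years -> 0.1

# Constructed safeguard options (assumed costs and residual exposure, not from the slides)
SAFEGUARDS = [
    Safeguard("offsite backups", annual_cost=3_000, residual_ef=0.02, residual_aro=0.1),
    Safeguard("hot standby site", annual_cost=12_000, residual_ef=0.01, residual_aro=0.1),
    Safeguard("awareness training", annual_cost=500, residual_ef=0.10, residual_aro=0.05),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.0f}, ARO = {ARO}, ALE = ${ale:,.0f}")
    for s in SAFEGUARDS:
        print(f"{s.name:20s} value = ${safeguard_value(ASSET_VALUE, EXPOSURE_FACTOR, ARO, s):,.0f}")
    print("worth implementing:", worth_implementing(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS))
```

Run it directly to see each option's value. The decision rule is the slide's: a safeguard earns its place only when the ALE it removes exceeds its own annual cost, which is why the expensive hot standby site comes out negative against a $10,000 ALE even though it cuts the exposure the most.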
Quantitative Risk Analysis - Summary
• Pros
– Uses probability concepts – the likelihood that a risk will occur or will not occur
– The value of information is expressed in monetary terms with supporting rationale
– Risk assessment results are derived and expressed in management speak
• Cons
– Purely quantitative risk analysis not possible because quantitative measures must be applied to qualitative elements
– Can be less ambiguous but using numbers can give appearance of specificity that does not really exist
– Huge amount of data must be gathered and managed
![Page 55: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/55.jpg)
Qualitative Risk Analysis
• Does not assign numbers or monetary values to components and losses.
• Walks through different risk scenarios and ranks the seriousness of the threats against the sensitivity of the assets.
![Page 56: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/56.jpg)
Identifying Qualitative Risks
• Expert Interviews
• Brainstorming
• Nominal Group Technique
• Affinity Diagram
• Analogy Techniques
![Page 57: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/57.jpg)
Qualitative Risk Matrix
![Page 58: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/58.jpg)
Example Qualitative Risk Matrix (figure): each threat is plotted by its estimated probability of occurrence (vertical axis, 0% to 100%) against its impact (horizontal axis), and the plot is divided into four bands: HIGH RISK, MEDIUM HIGH, MEDIUM LOW and LOW RISK. Threats plotted in the example:
Hostage / Kidnap; Strike / Walkout; Hostile Takeover; Major Explosion; Terrorism; Industrial Espionage; Sabotage; Communicable Disease; Flood; Suicide; Telecomm Failure; Major Operator Error; Child Care Incident; Transportation Incident; Minor Explosion; Neighbor Issue; Civil Unrest; Employee Violence; Tornado; Breach of IT Security; Organized Crime; Blizzard; Bribery / Extortion; Protesters; Injury / Death; Accusation / Libel / Slander; Fog; Bomb Threat; Equipment Malfunction; Power Failure; Ice Storm; Media Investigation; Chemical Spill / Contamination; Major Fire; Class Action Lawsuit; Management Issues; Security Breach; Loss of IT / Virus; Major Electrical Storm
![Page 59: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/59.jpg)
Qualitative Risk Analysis - Summary
• Pros
– Is simple and readily understood and executed
– Provides a general indication of the significant areas of risk that should be addressed
• Cons
– Is difficult to keep uniform and consistent, although it does provide some order of measurement
– Is subjective in both process and metrics
– Cannot provide a cost/benefit analysis
![Page 60: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/60.jpg)
Quantitative versus Qualitative

| Attribute | Quantitative | Qualitative |
|---|---|---|
| Independent & objective metrics | + | - |
| Cost / benefit analysis | + | - |
| Monetary based | + | - |
| Amount of work, cost, time | - | + |
| Amount of information required | - | + |
| Easily automated | + | - |
| Degree of guesswork | - | + |
| Value of information understood | + | - |
| Threat frequency and impact data required | + | - |

* Source: CISSP Common Body of Knowledge Review Seminar, ISC2
![Page 61: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/61.jpg)
Corporate Risk Analysis Strategy
![Page 62: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/62.jpg)
Corporate Risk Analysis Strategy (figure): four options are shown, the Baseline Approach, the Informal Approach, the Detailed Approach and the Combined Approach. In the Combined Approach, a High Level Risk Analysis decides for each IT system between a Detailed Risk Analysis and the Baseline Approach; both paths lead to Selection of Safeguards, then Risk Acceptance, the IT System Security Policy and finally the IT Security Plan.
![Page 63: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/63.jpg)
Baseline Approach
• Establish a minimum set of safeguards to protect all or some of the IT systems of an organization
• Achieved through the use of safeguard catalogues, which suggest a set of safeguards to protect an IT system against the most common threats
• The level of baseline security can be adjusted to the needs of the organization
Advantages:
1. Minimum amount of resources
2. Cost-effective
Disadvantages:
1. Excessive level of security for some systems
2. A lack of security for others
3. Security-relevant changes are hard to manage
![Page 64: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/64.jpg)
Informal Approach
• Conduct an informal, pragmatic risk analysis
• Exploit the knowledge and experience of individuals
Advantages:
1. Does not require a lot of resources or time
2. Quicker than a detailed risk analysis
Disadvantages:
1. May miss some important details
2. Influenced by subjective views
![Page 65: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/65.jpg)
Detailed Approach
• Involves the identification of the related risks, and an assessment of their magnitude, for all IT systems
• The results of the analysis should be recorded:
– Assets and their values
– Threat, vulnerability, and risk levels
– Safeguards identified
Advantages:
1. Appropriate safeguards are identified for all systems
2. Management of security changes
Disadvantages:
1. A considerable amount of time, effort, and expertise
![Page 66: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/66.jpg)
Combined Approach
• First it is necessary to conduct an initial high level risk analysis to identify which approach (baseline or detailed) is appropriate for each IT system
• Input for the decision as to which approach is suitable for which IT system:
– The business value of the IT system
– The level of investment in the IT system
– The value of the IT system's assets
Advantages:
1. Provides a good balance between (1) minimizing the time and effort spent in identifying safeguards and (2) ensuring that high risk systems are appropriately protected
Disadvantages:
1. Some systems may not be identified as requiring detailed risk analysis
![Page 67: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/67.jpg)
The Process of Risk Analysis (figure, flowchart of the detailed approach):
1. Establishment of Review Boundary
2. Identification of Assets
3. Valuation of Assets and Establishment of Dependencies Between Assets
4. Threat Assessment, Vulnerability Assessment, and Identification of Existing/Planned Safeguards (carried out in parallel)
5. Assessment of Risks
6. Selection of Safeguards, with Identification/Review of Constraints as an input
7. Risk Acceptance: if the residual risk is not accepted (No), return to the selection of safeguards; if accepted (Yes), proceed
8. IT System Security Policy
9. IT Security Plan
The figure labels the analysis steps (1 to 5) as the Detailed Approach and the subsequent treatment steps as Risk Management.
![Page 68: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/68.jpg)
INFORMATION SECURITY STANDARD
![Page 69: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/69.jpg)
Introduction
• ISO 17799/BS 7799-1 is an international standard that sets out good practice for Information Security Management.
• ISO 27001/BS 7799-2 defines the specification for an Information Security Management System (ISMS).
– The scope of an ISMS includes: people, processes, IT systems and policies
![Page 70: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/70.jpg)
History of ISMS Standards (figure):
UK:
– BS7799:1995, revised as BS7799-1:1999 and BS7799-2:1999
– BS7799-1:1999, copied/translated as ISO17799:2000 (International); the UK copy is BS7799-1:2000
– BS7799-2:1999, revised as BS7799-Part 2:2002
International:
– ISO17799:2000, revised as ISO17799:2005
– BS7799-Part 2:2002, copied/translated as ISO27001:2005
Legend: copy/translation; revision.
![Page 71: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/71.jpg)
What is BS7799-1 / ISO 17799?
• The goal of BS7799-1 / ISO 17799 is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”
![Page 72: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/72.jpg)
Who is BS7799-1/ISO 17799 for?
• BS7799-1 / ISO 17799 meets the needs of organizations and companies of all types, both private and public.
• For any organization that stores confidential information on internal or external systems, depends on such systems to run its operations, or indeed wishes to demonstrate its information security by conforming to a known standard, BS7799-1 / ISO 17799 would be of very great interest.
![Page 73: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/73.jpg)
The Eleven Key Control Clauses of ISO 17799
• Security policy - Provides management direction and support for information security
• Organization of information security - To help you manage information security within the organization
• Asset management - To help you identify your assets and appropriately protect them
• Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities
• Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
• Communications and operations management - To ensure the correct and secure operation of information processing facilities
![Page 74: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/74.jpg)
The Eleven Key Control Clauses of ISO 17799 (cont'd)
• Access control - To control access to information
• Information systems acquisition, development and maintenance - To ensure that security is built into information systems
• Information security incident management - To make sure that all information security events and weaknesses can be reported and resolved effectively
• Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
• Compliance - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligation, and any security requirement
![Page 75: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/75.jpg)
Information Security Management System (ISMS)
Definition:
• That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, maintain and improve information security
• The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
![Page 76: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/76.jpg)
Plan-Do-Check-Act Cycle (PDCA) (figure): interested parties supply information security requirements and expectations as input, and the cycle delivers managed information security back to them.
– Plan: Establish ISMS context and risk assessment
– Do: Design and implement the ISMS
– Check: Monitor and review the ISMS
– Act: Maintain and improve the ISMS
The loop is the development, maintenance and improvement cycle.
![Page 77: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/77.jpg)
PDCA
Establish the ISMS
• Define the scope of the ISMS
• Define an ISMS policy
• Define a systematic approach to risk management
• Identify the risks
• Assess the risks
• Identify and evaluate options for the treatment of risks
• Select control objectives and controls for the treatment of risks
• Prepare a Statement of Applicability
• Obtain management approval for residual risks and authorization to implement and operate the ISMS
![Page 78: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/78.jpg)
PDCA
Implement and operate the ISMS
• Formulate a risk treatment plan and its documentation, including the planned process and detailed procedures
• Implement the risk treatment plan and the planned controls
• Implement training and awareness programs
• Manage operations and resources
• Implement procedures and controls to detect and respond to security incidents
![Page 79: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/79.jpg)
PDCA
Monitor and review the ISMS
• Execute monitoring procedures
• Undertake regular reviews
• Review the level of residual risk
• Conduct internal audits
• Undertake a management review
• Record actions and events
![Page 80: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/80.jpg)
PDCA
Maintain and improve the ISMS
• Implement the identified improvements
• Take appropriate corrective and preventive actions
• Communicate results
• Ensure effectiveness
![Page 81: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/81.jpg)
ISO27001 versus ISO17799
ISO 27001:
• formal standard
• certification possible
• requirements for a management system
• requirements for controls (if applicable)
ISO 17799:
• code of practice (set of best practices)
• implementation advice and guidance
![Page 82: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/82.jpg)
What ISO 17799 and ISO 27001 are not:
• limited to information technology
• a security checklist
• an insurance policy against security breaches
• an audit method
• a risk analysis method
![Page 83: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/83.jpg)
POSSIBLE RESEARCH DIRECTION
![Page 84: Information Security and Its Impact on Business Prof. Chi-Chun Lo National Chiao-Tung University Oct. 5, 2006](https://reader030.vdocument.in/reader030/viewer/2022032707/56649e365503460f94b253e4/html5/thumbnails/84.jpg)
• Assessment of factors influencing the effectiveness of information security management
• Risk assessment using fuzzy consensus measures
• Online privacy: issues and concerns
• Organizational changes pertaining to information security
• Cultural impact on the success of information security management
• Information security disaster recovery planning: crisis management
• Conforming to information security standards