information security bimitm03 college 1 paul j. cornelisse/george m.j. pluimakers
TRANSCRIPT
![Page 1: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/1.jpg)
Information Security BIMITM03 College 1
Paul J. Cornelisse/George M.J. Pluimakers
![Page 2: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/2.jpg)
▸ 8 weken college▸ Afsluiting dmv tentamen
▸ George M.J. Pluimakers▸ [email protected]; liever: [email protected] ▸ Med.hr.nl/plugm/ibk-security
Introductie
![Page 3: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/3.jpg)
▸ Goal▸ The purpose of information security is to protect an organization’s
valuable resources, such as information, hardware, and software.
▸ How?▸ Through the selection and application of appropriate safeguards,
security helps an organization to meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
What is Information Security
![Page 4: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/4.jpg)
▸ What will we do?▸ We will examine the elements of computer security, employee’s
roles and responsibilities, and common threats
▸ What will we consider?▸ We will also examine the need for management controls, policies
and procedures, and risk management.
▸ Examples?▸ we will include current examples of procedures, policies, and
examples that can be used to help implement the security program at your organization.
Wat is Information Security
![Page 5: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/5.jpg)
Elements of Information security
![Page 6: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/6.jpg)
▸ Information security
should support the business objectives or mission of the enterprise.
1
![Page 7: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/7.jpg)
▸ This idea cannot be stressed enough▸ Often, information security personnel lose track
of their goals and responsibilities▸ The position of information security professional
has been created to support the enterprise, not the other way around.
1
![Page 8: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/8.jpg)
▸ Information security is
an integral element of fiduciary duty.*
2
A legal obligation of one party to act in the best interest of another. The obligated party is typically a fiduciary, that is, someone entrusted with the care of money or property. Also called: fiduciary obligation.
Source: http://www.businessdictionary.com/
*
![Page 9: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/9.jpg)
▸ Senior management is charged with two basic responsibilities:
▸ a duty of loyalty▸ duty of care
2
![Page 10: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/10.jpg)
▸ a duty of loyalty—this means that whatever decisions they make must be made in the best interest of the enterprise.
2
![Page 11: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/11.jpg)
▸ duty of care—this means that senior management is required to implement reasonable and prudent controls to protect the assets of the enterprise and make informed business decisions.
2
![Page 12: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/12.jpg)
▸ An effective information security program will assist senior management in meeting these duties
2
![Page 13: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/13.jpg)
▸ Information security must be cost-effective.
3
![Page 14: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/14.jpg)
▸ Implementing controls based on edicts (“aankondiging van wetten”) is counter to the business climate.
▸ Before any control can be proposed, it will be necessary to confirm that a significant risk exists.
▸ Implementing a timely risk management process can complete this task.
3
![Page 15: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/15.jpg)
▸ By identifying risks and then proposing appropriate controls, the mission and business objectives of the enterprise will be better met.
3
![Page 16: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/16.jpg)
▸ Information security responsibilities and accountabilities should be made explicit.
4
![Page 17: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/17.jpg)
▸ For any program to be effective, it will be necessary to:
▸ publish an information security policy statement and
▸ Publish a group mission statement.
4
![Page 18: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/18.jpg)
▸ The policy should identify the roles and responsibilities of all employees.
▸ To ensure third parties comply with our policies and procedures, the contract language indicating these requirements must be incorporated into the purchase agreements for all contract personnel and consultants.
4
![Page 19: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/19.jpg)
▸ System owners have information security responsibilities outside their own organization.
5
![Page 20: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/20.jpg)
▸ Access to information will often extend beyond the business unit or even the enterprise.
▸ It is the responsibility of the information owner (normally the senior level manager in the business that created the information or is the primary user of the information).
5
![Page 21: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/21.jpg)
▸ One of the main responsibilities is to monitor usage to ensure that it complies with the level of authorization granted to the user.
5
![Page 22: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/22.jpg)
▸ Information security requires a comprehensive and integrated approach.
6
![Page 23: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/23.jpg)
▸ To be as effective as possible, it will be necessary for information security issues to be part of the system development life cycle.
6
![Page 24: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/24.jpg)
▸ During the initial or analysis phase, information security should receive as its deliverables
▸ a risk assessment, ▸ a business impact analysis, ▸ and an information classification document.
6
![Page 25: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/25.jpg)
▸ Additionally,
because information is resident in all departments throughout the enterprise,
each business unit should establish an individual responsible for implementing an information security program to meet the specific business needs of the department.
6
![Page 26: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/26.jpg)
▸ Information security should be periodically reassessed.
7
![Page 27: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/27.jpg)
▸ As with anything, time changes the needs and objectives.
▸ A good information security program will examine itself on a regular basis and make changes wherever and whenever necessary.
▸ This is a dynamic and changing process and therefore must be reassessed at least every 18 months.
7
![Page 28: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/28.jpg)
▸ Information security is constrained by the culture of the organization.
8
![Page 29: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/29.jpg)
▸ The information security professional must understand that the basic information security program will be implemented throughout the enterprise.
▸ However, each business unit must be given the latitude to make modifications to meet their specific needs.
8
![Page 30: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/30.jpg)
▸ If your organization is multinational, it will be necessary to make adjustments for each of the various countries.
▸ These adjustments will have to be examined throughout the United States too. What might work in Des Moines, Iowa, may not fly in Berkley, California.
▸ Provide for the ability to find and implement alternatives.
8
![Page 31: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/31.jpg)
▸ Information security:▸ should support the business objectives or mission of
the enterprise.▸ is an integral element of fiduciary duty.▸ must be cost-effective. ▸ responsibilities and accountabilities should be made
explicit. ▸ System owners have information security
responsibilities outside their own organization. ▸ requires a comprehensive and integrated approach. ▸ should be periodically reassessed.▸ is constrained by the culture of the organization.
Resume
![Page 32: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/32.jpg)
▸ Information security is a means to an end and not the end in itself.
▸ In business, having an effective information security program is usually secondary to the need to make a profit.
▸ In the public sector, information security is secondary to the agency’s services provided to its constancy.
Resume
![Page 33: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/33.jpg)
![Page 34: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/34.jpg)
Information SecurityBIMITM03 College 2
Paul J. Cornelisse
![Page 35: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/35.jpg)
▸ Information systems and the information processed on them are often considered to be critical assets that support the mission of an organization.
Basis
![Page 36: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/36.jpg)
▸ The cost and benefits of information security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed the expected benefits.
Cost
![Page 37: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/37.jpg)
▸ Information security controls should be appropriate and proportionate.
Controls
![Page 38: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/38.jpg)
▸ responsibilities and accountabilities of the▸ information owners▸ providers, ▸ and users of computer services and other parties concerned with the protection of information and computer assets should be explicit.
R & A
![Page 39: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/39.jpg)
▸ If a system has external users,
its owners have a responsibility to share appropriate knowledge about the existence
and general extent of control measures
so that other users can be confident that the system is adequately secure.
External users
![Page 40: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/40.jpg)
▸ As we expand the user base to include
suppliers,vendors,clients,customers,shareholders, and the like,
it is incumbent upon the enterprise to have clear and identifiable controls.
External users
![Page 41: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/41.jpg)
▸ For many organizations, the initial sign-on screen is the first indication that there are controls in place.
First sign
![Page 42: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/42.jpg)
▸ It should contain three basic elements:
1. The system is for authorized users only 2. Activities are monitored 3. By completing the sign-on process, the user agrees
to the monitoring
Basic elements of logon screen
![Page 43: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/43.jpg)
▸ An information security program is more than establishing controls for the computer-held data.
More than Just Computer Security
![Page 44: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/44.jpg)
▸ the “paperless office” ▸ To be an effective program, information security
must move beyond the narrow scope of IT and address the issues of information security.
More than Just Computer Security
![Page 45: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/45.jpg)
▸ Employee Mindset Toward Controls1. Offices secured 2. Desks and cabinets secured 3. Workstations secured 4. Information secured 5. Electronic media secured
More than Just Computer Security
![Page 46: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/46.jpg)
▸ the typical office environment will have a 90% to 95% noncompliance rate with at least one of these basic control mechanisms.
▸ When conducting a review, employee privacy issues must be remembered.
More than Just Computer Security
![Page 47: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/47.jpg)
Developing Policies
Policy Is the Cornerstone• The cornerstone of an effective
information security architecture is a well-written policy statement.
• This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring.
![Page 48: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/48.jpg)
Developing Policies
• The internal portion tells employees what is expected of them and how their actions will be judged
• The external portion tells the world how the enterprise sees its responsibilities.
![Page 49: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/49.jpg)
Developing Policies
Definitions
![Page 50: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/50.jpg)
Developing Policies
Policy• A policy is a high-level statement of• enterprise beliefs• goals• objectives and the general means for their attainment for a specified subject area
![Page 51: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/51.jpg)
Developing Policies
Standards• Standards are mandatory requirements
that support individual policies• Standards can range from what software
or hardware can be used, to what remote access protocol is to be implemented, to who is responsible for approving what
![Page 52: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/52.jpg)
Developing Policies
Procedures• Procedures are • Mandatory• step-by-step• detailed actions requiredto successfully complete a task
![Page 53: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/53.jpg)
Developing Policies
Guidelines• Guidelines are documented suggestions
for the regular and consistent implementation of accepted practices
![Page 54: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/54.jpg)
Policy Key Elements
To meet the needs of an organization, a good policy should:
• Be easy • Be applicable to understand• Be doable• Be enforceable• Be phased in• Be proactive• Avoid absolutes• Meet business objectives
![Page 55: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/55.jpg)
Developing Policies
Policy Format• Depends on the policies look and feel in
your own organization• Content
• Topic• Scope• Responsibilities• Compliance or Consequences
![Page 56: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/56.jpg)
Developing Policies
The three types of policies are1. Global (tier 1)2. Topic-specific (tier 2)3. Application-specific (tier 3)
![Page 57: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/57.jpg)
Developing Policies
Global (tier 1)• used to create the organization’s overall
vision and direction
![Page 58: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/58.jpg)
Developing Policies
Topic-specific (tier 2)address particular subjects of concern.
![Page 59: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/59.jpg)
Developing Policies
Application-specific policies• focus on decisions taken by
management to control particular applications
• (financial reporting, payroll, etc.) or systems (budgeting system)
![Page 60: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/60.jpg)
Developing Policies
More on tier 3:◾ Who has the authority to read or modify
data?◾ Under what circumstances can data be
read or modified?◾ How is remote access to be controlled?
![Page 61: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/61.jpg)
Resume
Reason:To provide direction regarding the protection of .... information resources from unauthorized access, modification, duplication, destruction or disclosure
![Page 62: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/62.jpg)
Resume
• The policy applies to all .... personnel including employees, interns, vendors, contractors, and volunteers
• The policy pertains to all information resources used to conduct .... business or used to transmit or store .... Restricted or Confidential information
![Page 63: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/63.jpg)
Developing Policies
• Information Resource• Information Owner• Business Owner• Information Classification Categories
• Restricted• Confidential• Public
• Reclassification• Custodian• Users
![Page 64: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/64.jpg)
Developing Policies
Information includes, but is not limited to:a. Personally identifiable information (PII)b. Reports, files, folders, memorandac. Statements, examinations, transcriptsd. Images, ande. Communications
![Page 65: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/65.jpg)
Developing Policies
Information Owner• the Director of a Division where the
information resource is created, or who is the primary user of the information resource
![Page 66: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/66.jpg)
Developing Policies
Business Owner• Where multiple information owners for
the same information resource occur, the information owners must designate a Business Owner who will have authority to make decisions on behalf of all the owners of the information resource
![Page 67: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/67.jpg)
Developing Policies
Information Classification Categories• All information shall be classified by the
information owner into one of three classification categories:• Restricted• Confidential• Public
![Page 68: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/68.jpg)
Developing Policies
Reclassification• the information owner is to establish a
review cycle for all information classified as Restricted or Confidential
• Reclassify it when it no longer meets the criteria established for such information
• This cycle should be commensurate with the value of the information but should not exceed 1 year
![Page 69: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/69.jpg)
Developing Policies
Custodian• the individual or entity designated by the
information owner that is responsible for maintaining safeguards established by the information owner
![Page 70: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/70.jpg)
Developing Policies
Users• authorized personnel responsible for
using and safeguarding the information resources under their control according to the directions of the information owner
![Page 71: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/71.jpg)
Developing Policies
The information owner has the responsibility to
a. Identify the classification level of all information resources within their division
b. Define and verify implementation of appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource
c. Monitor the safeguards to ensure their compliance and report instances of noncompliance
d. Authorize access to those who have a demonstrated business need for the information resource, and
e. Remove access to those who no longer have a business need for the information resource
![Page 72: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/72.jpg)
Developing Policies
The Custodian has the responsibility toa. Implement integrity controls and access control
requirements specified by the information ownerb. Advise the information owner of any major deficiency or
vulnerability encountered that results in a failure to meet requirements
c. Comply with all specific guidelines and procedures to implement, support, and maintain information security
![Page 73: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/73.jpg)
Developing Policies
The Users have the responsibility toa. Access only the information for which they have been
authorizedb. Use the information only for the purpose intendedc. Ensure that authenticating information (e.g., password) is
in compliance with existing security standardsd. Maintain the integrity, confidentiality and availability of
information accessed consistent with the information owner’s expectations while under their control
e. Comply with all specific guidelines and procedures to implement, support, and maintain Information Security policies and standards
f. Report violations or suspected violations of policies and standards to the appropriate management or Information Security Project Manager
![Page 74: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/74.jpg)
![Page 75: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/75.jpg)
Information SecurityBIMITM03 College 3
Paul J. Cornelisse
![Page 76: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/76.jpg)
Organization of Information Security
The Internal Information Security Organization
![Page 77: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/77.jpg)
Organization of Information Security
• To protect their information assets, public and private organizations need to consider how best to manage their information security efforts
![Page 78: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/78.jpg)
Organization of Information Security
To ensure comprehensive protection for all the organization’s information, the approach should address information security comprehensively, organization-wide
![Page 79: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/79.jpg)
Organization of Information Security
• An enterprise-wide approach also facilitates management oversight and coordination of information security efforts
![Page 80: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/80.jpg)
Organization of Information Security
• The design of the information security management framework should ensure it is properly tuned to the operational needs of the organization, which should primarily focus on the management of risks to its information assets
![Page 81: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/81.jpg)
Organization of Information Security
• The design of the information security function must provide a management framework
• The framework permits• effective initiation• Implementation• and control
• of information security activities within the organization
![Page 82: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/82.jpg)
Organization of Information Security
This includes• Planning• Coordination• management
of major information security projectsas well as
• Monitoring• Measuring• Tracking
![Page 83: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/83.jpg)
Organization of Information Security
• As well as overseeing the implementation of all aspects of the organization information security program
![Page 84: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/84.jpg)
Organization of Information Security
To have the requisite level of authority, the information security function must• be led by a member of the organization’s
management staff• be positioned in the organizational
management structure where the visibility of information security can be ensured
![Page 85: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/85.jpg)
Organization of Information Security
• Today, leadership of the information security organization resides at the executive level with most large organizations.
• The position is that of the Chief Information Security Officer (CISO)
![Page 86: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/86.jpg)
Organization of Information Security
• The process of organizing information security must address factors such as • its mission• its composition• its placement within the organizational
structure• its authority towards other elements of the
organization• its responsibilities• the functions it must perform• its lines of communication and coordination
![Page 87: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/87.jpg)
Organization of Information Security
• Based on knowledge of the current state of the organization’s information security posture, as well as the future state, organizations must then perform a
• gap analysis • to identify unmet requirements, and a
path forward for meeting them
![Page 88: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/88.jpg)
Organization of Information Security
• The organization should clearly define the boundaries of the information security function to address interfaces with other internal elements that perform security-related functions
![Page 89: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/89.jpg)
Organization of Information Security
These may include:• information technology operations • personnel security function• privacy staff• the physical security office
![Page 90: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/90.jpg)
Organization of Information Security
Relationships should be documented in coordinated operational agreements • charters• concepts of operations or CONOPs• procedures, etc.
![Page 91: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/91.jpg)
Organization of Information Security
Management Support• Management must also recognize • its own responsibility for information
security by communicating this fact both in written and oral means
![Page 92: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/92.jpg)
Organization of Information Security
It is within management’s purview to ensure that the goals for the security of organization information are established through • strategic and tactical planning • maintained, emphasized, and measured
![Page 93: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/93.jpg)
Organization of Information Security
• Management must act to ensure the organization has a mechanism for creating an information security policy that facilitates goal achievement
![Page 94: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/94.jpg)
Organization of Information Security
Management must ensure:• the approved information security policy
is properly implemented
and consequently must take action to• ensure that it has a mechanism for
monitoring implementation activities for effectiveness
![Page 95: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/95.jpg)
Organization of Information Security
Organizational management must • render appropriate direction and support
for initiatives relating to its information security program
![Page 96: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/96.jpg)
Organization of Information Security
• awareness campaign• rollout of a new security strategy• introduction of a new security process or
solutionThrough such efforts, management can promote and foster a culture of security
![Page 97: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/97.jpg)
Organization of Information Security
The security of organization information requires a multidisciplinary approach involving:• all organizational elements• personnel
![Page 98: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/98.jpg)
• engage expertise available within the organization to include:• the general counsel• public affairs• facility security and
engineering• personnel security• union management• human resources• Training• Contracting
• Finance• internal audit• information technology
operations• system development• capital planning• Insurance• enterprise architecture• Privacy• and records
management
Organization of Information Security
![Page 99: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/99.jpg)
The objective of cross-organization coordination should be collaboration and cooperation.
Organization of Information Security
![Page 100: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/100.jpg)
Organization of Information Security
Contact with AuthoritiesContact with Special Interest GroupsManagement AuthorizationConfidentiality AgreementsExternal PartiesAssessment of External Risks
![Page 101: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/101.jpg)
Volgende week: Cryptology
Sleep de afbeelding naar de tijdelijke aanduiding of klik op het pictogram als u een afbeelding wilt toevoegen
![Page 102: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/102.jpg)
![Page 103: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/103.jpg)
Information SecurityBIMITM03 College 4
Paul J. Cornelisse
![Page 104: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/104.jpg)
Cryptology
Through the centuries, the need for information protection persistsCombat has evolved from hand-to-hand to modern warfare, or cyber warfareProtecting sensitive data is critical to preserving trade secrets, government communications, or military strategies
![Page 105: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/105.jpg)
Cryptology
Protection is achieved in part through the use of cryptology—more specifically, encryptionvital for everyday use in today’s cyber society;
online shopping and bankingATM usagedigital media
require encryption protection to avoid abuse
![Page 106: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/106.jpg)
Cryptology
Unfortunately, many of today’s systems lack appropriate protectionPasswords and authentication requirements are not protected themselvesEither through encryption or encrypted databasesThis leaves sensitive information vulnerable to unauthorized, prying eyes
![Page 107: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/107.jpg)
Cryptology
Cryptology is not a new conceptIt is “the science of keeping secrets secret” (Delfs and Knebl 2007)is the study of encrypting algorithms and the art of creating and solving such algorithms, and is composed of bothCryptographyCryptanalysis
![Page 108: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/108.jpg)
Cryptology
Cryptography is the art or science of cipher systems used for protection informationThe term originates from the GreekKryptos, meaning “hidden” Graphia, meaning “writing”
![Page 109: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/109.jpg)
Cryptology
CryptographyProtects sensitive informationIdentifies corruptionIdentifies unauthorized accessTries to compromise between expense and time consumption.
![Page 110: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/110.jpg)
Cryptology
Cryptography has four basic purposes:ConfidentialityAuthenticationIntegrityNonrepudiation
![Page 111: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/111.jpg)
Cryptology
Confidentialitykeeps information secret from unauthorized use
![Page 112: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/112.jpg)
Cryptology
Authentication:Corroboration of an entity’s identity, achieved through initial identification between communicators.
![Page 113: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/113.jpg)
Cryptology
Integrityassures that the message was not illegitimately altered during transmission or during storage and retrieval
![Page 114: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/114.jpg)
Cryptology
Nonrepudiationguarantees that the sender will not deny previous commitments or actions unless they admit the cryptographic signing key has been compromised
![Page 115: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/115.jpg)
Cryptology
Cryptanalysisthe practice of breaking ciphers,or decrypting messages without the key,to discover the original form of the message
![Page 116: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/116.jpg)
Cryptology
Someone wishes to send a message, which begins as plaintextPlaintext is the original, humanly readable form of a message, which is then encryptedThis could be text, numerical data, a program, or any other message form (Delfs and Knebl 2007)
![Page 117: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/117.jpg)
Cryptology
When plaintext is encrypted, or enciphered, the original message is obscured using an algorithm or pattern only known to the sender and authorized recipient(s).
![Page 118: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/118.jpg)
Cryptology
Encryption must be reversibleThe algorithm is known as the cipher
![Page 119: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/119.jpg)
Cryptology
Once encrypted, the message is referred to as ciphertext, and is only readable when the cipherkey is used in conjunction with the decrypting algorithm
![Page 120: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/120.jpg)
Cryptology
Protecting the key, and to whom it is known, is crucial to ensuring the
AuthenticityIntegrityConfidentiality
of the transmitted message
![Page 121: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/121.jpg)
Cryptology
the work factor, often forgotten, describes not if the algorithm can be broken, but how long until it is broken
![Page 122: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/122.jpg)
Cryptology
Two ancient ciphers are the Spartan scytale and the Caesar cipherIn the Spartan scytale, a segment of parchment is wrapped around a cylinder of certain radius and the message is written lengthwise. The recipient must have a cylinder of equal radius to decryptThe Caesar cipher is a “classical” cipher, using a simple shift of the plaintext alphabet.
![Page 123: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/123.jpg)
Cryptology
![Page 124: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/124.jpg)
Cryptology
In the early twentieth century, cryptography broadened its horizons
![Page 125: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/125.jpg)
Cryptology
One of the first among the more complicated cryptosystems used an electronic machine The Enigma rotor machineEnigma, used by the Germans in World War II, applied a substitution cipher multiple times per message.
![Page 126: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/126.jpg)
Cryptology
![Page 127: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/127.jpg)
Cryptology
As more users access the Internet, the need for digital information security is greaterThis has led to the “standardization” of cryptography in a scientific senseCurrently, many systems are secure, but rely on plausible assumptions that may one day be discovered
![Page 128: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/128.jpg)
Cryptology
So basically the standardization and mathematical focus of modern cryptosystems shares the same issue suffered by earlier ciphers
![Page 129: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/129.jpg)
Cryptology
Universally, plaintext is written in lowercase when explaining applied cryptographyCiphertext is written in all capitalsKeys or keywords are also always written in capitals
![Page 130: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/130.jpg)
Cryptology
When referring to those who use cryptosystems, certain names typically are used as the placeholdersRather than referring to the sender as “Party A” and the recipient as “Party B,” Party A would be Alice and Party B would be Bob.
![Page 131: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/131.jpg)
Cryptology
Alice and Bob are always trying to communicate. Each associate communicating continues alphabetically, for example, Charlie and David want to speak with Alice and Bob. Eve is an eavesdropper, who does not have authorized access to the message. Eve is a passive listener; she does not modify the messageMallory is a malicious attacker and modifies, sends her own, or repeats previous messages Victor is a verifying agent who demonstrates that the intended transaction was successfully executed.
![Page 132: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/132.jpg)
Cryptology
Introhttp://www.youtube.com/watch?v=Kf9KjCKmDcU
![Page 133: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/133.jpg)
Cryptology
Kerckhoff’s Six Principles1. The system must be practically or mathematically
undecipherable2. The system is not required to be secret and should be able
to fall in enemy hands3. The key must be communicable and retained without
effort, and changeable at the will of the correspondents4. The system must be compatible with the communication
channel5. The system must be portable and not require functioning
by multiple people6. The system must be easy, requiring minimal knowledge of
the system rules
![Page 134: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/134.jpg)
Cryptology
There are two generations of encrypting methods; Classicalmodern
![Page 135: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/135.jpg)
Cryptology
Classical ciphers are those that were historically used, like the scytale and Caesar’s, but became impractical either resulting from popular use or advances in technologyModern ciphers consist of substitution or transposition ciphers
![Page 136: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/136.jpg)
Cryptology
Classical ciphers use an alphabet of letters, implemented using simple mathClassical ciphers can be broken using brute force attacks or frequency analysisBrute force is a standard attack, running possible keys with a decrypting algorithm until the plaintext is exposed
![Page 137: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/137.jpg)
Cryptology
Modern ciphers are typically divided into two criteria:the key type used the data input type
![Page 138: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/138.jpg)
When referring to key types, modern ciphers branch intosymmetric (private key cryptography) asymmetric (public key cryptography)
![Page 139: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/139.jpg)
Substitution CiphersMonoalphabetic substitutions include the Caesar, Atbash, and Keyword ciphers
![Page 140: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/140.jpg)
example of a substitution cipher is the Caesar shift cipher, which is typically a three-character shift
![Page 141: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/141.jpg)
This shift would change the plaintext “purple” into the ciphertext “MROMIB.”
![Page 142: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/142.jpg)
Cryptology
![Page 143: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/143.jpg)
If the shift was a three-character subtraction, the plaintext message “purple” would then become ciphertext “SXUSOH.”
![Page 144: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/144.jpg)
Cryptology
![Page 145: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/145.jpg)
The Atbash cipher flips the entire alphabet back on itself; the plaintext alphabet is “A–Z” and the ciphertext alphabet is “Z–A,” shown in the next slide. The Atbash cipher would obscure the plaintext “purple” as “KFIKOV.”
![Page 146: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/146.jpg)
![Page 147: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/147.jpg)
Another cipher, the Keyword cipher establishes a keyword such as “HEADY.” This begins the ciphertext alphabet, and the rest is completed using the remaining letters in alphabetic orderUsing “HEADY” as the keyword The Keyword cipher changes the plaintext “purple” to “OTQOKY.”
![Page 148: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/148.jpg)
![Page 149: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/149.jpg)
Polyalphabetic substitutions are ciphers using multiple substitution alphabets. The Vigenère cipher is the most famous of this genre, introduced in the sixteenth century by Blaise de Vigenère.
![Page 150: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/150.jpg)
it encrypts plaintext by using a series of Caesar ciphers, based on the keywordThe keyword is written as many times as necessary above the plaintext message
![Page 151: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/151.jpg)
Using the Vigenère square, one will use a letter from the plaintext and its associated keyword letterPlaintext letters are listed on the top, creating columns, which intersect with the keyword alphabet along the left side of the square, creating rows
![Page 152: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/152.jpg)
The letter found at the intersection of these two letters is the cipher letter used to encrypt the messageThe beginning of the plaintext “O” and keyword letter “K” intersect at ciphertext letter “Y.” Therefore, “once upon a time” would become “YVPKM ZWAGL SUR.”
![Page 153: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/153.jpg)
The 25 variations of the Caesar cipher (shifts 0–25) are contained in the square. Each row is a single shift to the right from the row or letter preceding. Therefore, the first row, labeled “A,” is a shift of one. Row “X” is a shift of 23
![Page 154: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/154.jpg)
![Page 155: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/155.jpg)
![Page 156: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/156.jpg)
Information SecurityBIMITM03 College 5
Paul J. Cornelisse
![Page 157: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/157.jpg)
To decrypt the ciphertext using the known keyword, do the reverse of the above stepsFirst, write the keyword above the ciphertext, Then, find the first letter of the keyword, in this instance “K,” and follow the column down until the associated ciphertext letter is encountered, which is “Y.”
![Page 158: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/158.jpg)
Follow the row to the left and the letter found on the outmost column is the plaintext letter, being “O.” Continue this process until the message is decrypted
![Page 159: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/159.jpg)
The second major family of substitution is transposition ciphersthese ciphers use the same letters as the plaintext but reorganize them until the message is scrambledThe Spartan scytale is an example of a simple form of transposition
![Page 160: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/160.jpg)
![Page 161: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/161.jpg)
![Page 162: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/162.jpg)
Cryptographic Keys
More complex ciphers use secret keys that control long sequences of intricate substitutions and transpositionspartnership between simple ciphers creates a powerful and modern form of communication security
![Page 163: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/163.jpg)
Private, or secret key encryption, often referred to as a symmetric key, is a class of algorithm that uses a single key to encrypt or decrypt messagesFor maximum security, each pair of correspondents has a separate key; it is vital that both parties keep the key secret
![Page 164: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/164.jpg)
Cryptology
Somewhat morehttp://www.youtube.com/watch?v=CR8ZFRVmQLg
![Page 165: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/165.jpg)
![Page 166: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/166.jpg)
DES is a nonlinear block cipher. The plaintext is broken into 64-bit blocks and encrypted using 56-bit key and 8 parity bits, totaling 64 bitsEncryption is achieved through dividing the blocks in a left (L) and right (R) parts and applying a series of permutations and substitutions 16 times.DES is insecure because its key length is relatively short
![Page 167: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/167.jpg)
AES resulted from a worldwide competition that started in 1997 under the sponsorship of the National Institute of Standards and Technology (NIST)AES is an iterative block cipher based on substitutions and permutations. The fixed blocks are each 128 bits long, or 16 bytes. This is double the length used by DES, increasing the number of possible blocks by 264This algorithm uses key lengths of 128, 192, or 256 bits.
![Page 168: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/168.jpg)
The first public key encryption cryptosystem was proposed by Ralph Merkle in 1974, and introduced two years later, in 1976, by Professor Martin Hellman from Stanford University and Whitfield Diffie, then at Northern Telecom (Bosworth et al. 2009)
![Page 169: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/169.jpg)
Public key encryption uses two separate keys to encrypt and decrypt. Another name for public key encryption is asymmetric encryptionEach correspondent has a public key and a private key; what is encrypted using one key is decrypted using the other key
![Page 170: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/170.jpg)
Public key encryption enables secure electronic business transactions, applied through keys and certificatesThis cryptosystem supports confidentiality, access control, integrity, authentication, and nonrepudiation services
![Page 171: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/171.jpg)
Risk ManagementBIMITM03 College 6
![Page 172: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/172.jpg)
Risk Management
Just because there is a threat does not mean that the organization is at riskThis is what risk assessment is all about
![Page 173: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/173.jpg)
Risk Management
Facilitated Risk Analysis and Assessment Process (FRAAP)First used in 1995
![Page 174: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/174.jpg)
Risk Management
FRAAPIs driven by the business ownersTakes days instead of weeks or monthsIs cost-effectiveUses in-house experts
![Page 175: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/175.jpg)
Risk Management
The FRAAP was developed as an efficient and disciplined process for ensuring that threats to business operations areIdentifiedExamineddocumented
![Page 176: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/176.jpg)
Risk Management
The process involves analyzing onesystemapplicationplatformbusiness process orsegment of business operation
at a time
![Page 177: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/177.jpg)
Risk Management
team of internal subject matter expertsIncludes:
business managerssystem users, familiar with the mission needs of the asset under review
Andinfrastructure staff who have a detailed understanding of potential system vulnerabilities and related controls
![Page 178: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/178.jpg)
Risk Management
A sample FRAAP procedure has been included Appendix A of the book
![Page 179: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/179.jpg)
Risk Management
The team’s conclusions as towhat threats existwhat their risk levels areand what controls are needed
are documented for the business owner’s use in developing the FRAAP
![Page 180: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/180.jpg)
Risk Management
divided into three phases:The pre-FRAAPThe FRAAP sessionThe post-FRAAP
![Page 181: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/181.jpg)
Risk Management
The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates unless the data for determining such factors is readily available
![Page 182: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/182.jpg)
Risk Management
the team will rely on their general knowledge of threats and probabilitiesThese are obtained from national incident response centers, professional associations and literature, and their own experience
![Page 183: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/183.jpg)
Risk Management
additional efforts to develop precisely quantified risks are not cost-effective
![Page 184: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/184.jpg)
Risk Management
estimates take an inordinate amount of time and effort to identify and verify or developThe risk documentation becomes too voluminous to be of practical useSpecific loss estimates are generally not needed to determine if a control is needed
![Page 185: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/185.jpg)
Risk Management
After identifying the threats and establishing the relative risk level for each threat, the team identifies controls that could be implemented to reduce the risk, focusing on the most cost-effective controls
![Page 186: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/186.jpg)
Risk Management
Once the FRAAP session is complete, the security professional can assist the business owner in determining which controls are cost-effective and meet their business needs
![Page 187: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/187.jpg)
Risk Management
Once each threat has been assigned a control measure or has been accepted as a risk of doing business, the senior business manager and technical expert participating sign the completed document
![Page 188: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/188.jpg)
Risk Management
The document and all associated reports are owned by the business unit sponsor and are retained for a period to be determined by the records management procedures (usually 7 years but depending on common law)
![Page 189: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/189.jpg)
Risk Management
Each risk assessment process is divided into three distinct sessions:
![Page 190: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/190.jpg)
Risk Management
The pre-FRAAP meetingnormally takes about an hour and has the business owner, project lead, scribe and facilitator
![Page 191: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/191.jpg)
Risk Management (Pre FRAAP)
Assess current level of risk assessment understandingDetermine what the managers and employees want to learnExamine the level of receptiveness to the security programMap out how to gain acceptanceIdentify possible allies
![Page 192: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/192.jpg)
Risk Management (Deliverables Pre FRAAP)
Prescreening resultsScope statement Visual diagram Establish the FRAAP team (15 to 30 members)
Meeting mechanics Agreement on definitionsPre FRAAP Meeting summary
![Page 193: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/193.jpg)
Risk Management
The FRAAP sessiontakes approximately 4 hours and includes 15 to 30 people, although sessions with as many as 50 and as few as 4 people have occurred.
![Page 194: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/194.jpg)
Risk Management
![Page 195: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/195.jpg)
Risk Management
The business manager/owner will present the project scope statementThe technical support will give a five-minute overview of the process using an information flow model or diagramThe facilitator will review the term definitions to be used for this FRAAP session
![Page 196: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/196.jpg)
Risk Management
The facilitator will then reiterate the objectives and deliverables of this initial stageAt this point, stage two of this process should be briefly discussed
![Page 197: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/197.jpg)
Risk Management
the FRAAP session definitions should be included in the meeting noticealso it will be necessary to notify those individuals that are needed to be present for stage two that they will be staying for an additional hour
![Page 198: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/198.jpg)
Risk Management
Have each member introduce themselves and provide the following information for the scribe to capture:
Team member name (first and last)DepartmentLocationPhone number
![Page 199: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/199.jpg)
Risk Management
![Page 200: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/200.jpg)
Risk Management
Identify Threats Using a ChecklistIdentifying Existing ControlsEstablish Risk Levels
![Page 201: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/201.jpg)
Risk Management
![Page 202: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/202.jpg)
Risk Management
![Page 203: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/203.jpg)
Risk Management
![Page 204: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/204.jpg)
Risk Management
![Page 205: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/205.jpg)
Risk Management
A total of four deliverables come out of the FRAAP sessions:
Threats were identifiedRisk level establishedCompensating controls selectedControl “owner” identified
![Page 206: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/206.jpg)
Risk Management
Post-FRAAP is where the results are analyzed and the Management Summary Report is completedThis process can take up to five workdays to complete.
![Page 207: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/207.jpg)
Risk Management
Management Summary Report:Title PageTable of ContentsAttendee ListScope Statement SummaryAssessment Methodology UsedSummary of Assessment FindingsWhere to Obtain Full DocumentationConclusions
![Page 208: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/208.jpg)
Risk Management
1. Restricted physical access areas should be considered throughout GLBA
Action Plan: A physical security risk assessment will be conducted to determine if there is a need to create restricted access areas and/or increase physical access controls.
![Page 209: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/209.jpg)
Risk Management
2. Power failure could cause corruption of information or prevent access to the system
Action Plan: Network UPS may not be adequate for a power outage out of regular business hours. Install a backup domain controller at Ualena Street and connect it to the Ualena Street UPS.
![Page 210: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/210.jpg)
Risk Management
Complete the Action Plan
![Page 211: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/211.jpg)
![Page 212: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/212.jpg)
Data Center RequirementsBIMITM03 College 7
Paul J. Cornelisse
![Page 213: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/213.jpg)
The nature of physical security for a data center should be one of concentric rings of defensewith requirements for entry getting more difficult the closer we get to the center of the rings
Data Center Requirements
![Page 214: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/214.jpg)
The reason for this is obviousif we take a number of precautions to protect information accessed at devices throughout the organization, then we must at least make sure that no damage or tampering can happen to the hardware on which the information is stored and processed
Data Center Requirements
![Page 215: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/215.jpg)
we should start by considering the data center itself
Is the building that houses the data center standing by itself or is the data center in a building that houses other functions?If the data center is in a dedicated building, what approaches are open to the buildinghow well-protected are staff as they enter and leave the building?
Data Center Requirements
![Page 216: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/216.jpg)
RememberThe cost of controls must be consistent with the value of the asset being protected The definition of “consistent” depends on what risks your organization’s management decides to accept
Data Center Requirements
![Page 217: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/217.jpg)
Data Center Requirements
![Page 218: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/218.jpg)
Data Center Requirements
Everyone
![Page 219: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/219.jpg)
Data Center Requirements
EveryoneEmployees, Authorised
Visitors & Vendors
![Page 220: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/220.jpg)
Data Center Requirements
EveryoneEmployees, Authorised
Visitors & Vendors
Emps andAccompaniedVendors only
![Page 221: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/221.jpg)
Data Center Requirements
![Page 222: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/222.jpg)
When considering the physical access controls that are appropriate for (and consistent with) your organization, we must take into account a number of variables—including:the assets to be protectedthe potential threat to those assetsand your organization’s attitude to risk
Data Center Requirements
![Page 223: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/223.jpg)
The amount of effort put into protecting physical assets being spent on different forms of protection depends on varianles such as:
Centralisation (Serverfarms)DecentralisationAttitude of management
Data Center Requirements
![Page 224: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/224.jpg)
Assess Potential threatsAssess the companies attitude towards risk
Data Center Requirements
![Page 225: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/225.jpg)
Daily business activities involve constant risk assessmentEvery decision that is taken and that will influence how an organization does business involves a form of risk assessment in the act of making the decision.
Data Center Requirements
![Page 226: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/226.jpg)
It is no different with information security decisionsWhen facts and opinions have been made available to management and senior management, it is their function to decide on how risks will be managed
Data Center Requirements
![Page 227: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/227.jpg)
no “one-size-fits-all” solution exists
Data Center Requirements
![Page 228: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/228.jpg)
consider
Data Center Requirements
![Page 229: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/229.jpg)
Defined perimeters through strategically located barriers throughout the organization consistent with the value of the assets or services being protected Support functions and equipment are on sitePhysical barriers, where they are necessary, are extended from floor to ceiling Personnel other than those working in a secure area are not informed of the activities within the secure area
Data Center Requirements
![Page 230: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/230.jpg)
Working alone and unsupervised in sensitive areas must be prohibited Computer equipment managed by the organization is housed in dedicated areas separate from third party–managed computer equipmentSecure areas, when vacated, must be physically locked and periodically checkedPersonnel supplying or maintaining support services are granted access to secure areas only when required and authorized, their access restricted, and their activities monitored
Data Center Requirements
![Page 231: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/231.jpg)
Unauthorized photography, recording, or video equipment must be prohibited within the security perimetersEntry controls over secure areas must be established to ensure only authorized personnel can gain access and a rigorousauditable procedure for authorizing access must be put in place
Data Center Requirements
![Page 232: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/232.jpg)
Visitors to secure areas must be supervised and their date and time of entry and departure will be recorded.Visitors to secure areas are granted access only for specific, authorized purposes.All personnel must be required to wear visible identification within the secure area.Access rights to secure areas are to be revoked immediately for staff members who leave employment.
Data Center Requirements
![Page 233: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/233.jpg)
Data Center Requirements
“No smoking” is the first ruleAll flammable material—such as
printer paperplastic wrappingand tapes
should be stored in an area separated from the main server or computer room by a fire-rated wall
![Page 234: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/234.jpg)
Data Center Requirements
Flammable or highly combustible materials must also be kept out of the premisesVentilation and grounding are the keysKeep the temperature around 23 deg C.Put in appropriate fire detection systems
![Page 235: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/235.jpg)
Data Center Requirements
Fire fightingFire fighting can result in as much damage as the fire doesPassive systemsActive systems
![Page 236: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/236.jpg)
Data Center Requirements
Examples of passive systemsSprinklers
FloodedDry
GasHalon 1301FM200CO2
One shot!
![Page 237: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/237.jpg)
Data Center Requirements
Active systemsDetectorsPre flooding of dry system pipesWait until 2nd criteria is met
![Page 238: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/238.jpg)
Data Center Requirements
Disposal of documentsVerifiableunder policies and standards for the protection of data throughout the workplaceIt makes sense that if we are to spend any money or effort to protect information, then the “circle of protection” ought to surround the information all the way to its destruction
![Page 239: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/239.jpg)
Data Center Requirements
Avoid using large receptacles clearly marked “Confidential Documents Only.”Every single department in the organization must have easy access to the containers usedCollection at fixed points in receptacles lined with opaque bagsLocked bins? Attracts attention!
![Page 240: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/240.jpg)
Data Center Requirements
Ways of disposing:Certified recyclerShredders
Cheap ones are unsafeLabor intensive
Shredding service (Certified)
![Page 241: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/241.jpg)
Data Center Requirements
Everyone outside the organization involved in the destruction of the documents (waste haulers, recycling facilities, landfill, and incinerator owners) should sign an agreement stating they know they will be handling confidential information and agree to maintain the confidentiality of the information
![Page 242: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/242.jpg)
Data Center Requirements
ContractsSpecify the method of destruction/disposalSpecify the time that will elapse between acquisition and destruction/disposal of documents (or electronic media, if that is also to be disposed of)Establish safeguards against breaches in confidentialityIndemnify the organization from loss due to unauthorized disclosureRequire that the vendor maintain liability insurance in specified amounts at all times the contract is in effectProvide proof of destruction/disposal
![Page 243: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/243.jpg)
Data Center Requirements
Ensure that the loading dock is secure at all timesA container for the documents and the loading dock itself must be designed to minimize or eliminate the risk of documents blowing around in the wind before or while they are being collected for disposal
![Page 244: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/244.jpg)
Data Center Requirements
Duress AlarmsSilent alarms
Intrusion Detection SystemsThe simplest intrusion detection system is a guard patrol
![Page 245: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/245.jpg)
Data Center Requirements
Elements to be considered Video surveillanceIlluminationMotion detection sensorsHeat sensorsAlarm systems for windows and doors“Break-glass” sensors (these are noise sensors that can detect the sound made by broken glass)Pressure sensors for floors and stairs
![Page 246: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/246.jpg)
![Page 247: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/247.jpg)
Disaster Recovery and Business Continuity
Planning BIMITM03 College 8
Paul J. Cornelisse
![Page 248: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/248.jpg)
Data Center Requirements
My children will live with the mistakes I make
![Page 249: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/249.jpg)
Disaster recovery
![Page 250: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/250.jpg)
Data Center Requirements
Many organizations voluntarily spend money and time attempting to design DR systems, processes, and methodologies that will enable them to continue business operations in the event of a disaster.
![Page 251: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/251.jpg)
Disaster recovery
It is important that organizations are able to:contact the resources neededhave methods in place to ensure that resources can actually make it to the recovery areaActivate strong leadership roles for the responding resources (of critical importance for successful DR postevent recovery)
![Page 252: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/252.jpg)
Disaster recovery
Necessary component of successful recovery are:Ensuring that time is spent testing hardware and equipment neededto make sure the organization can recover business critical systems in the time required
![Page 253: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/253.jpg)
Data Center Requirements
![Page 254: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/254.jpg)
Disaster recovery
Tulane University, like many organizations in New Orleans, was prepared for an event like Katrina but
it did not have plans on how to recover from such an event and ended up missing its August payroll run,
an event that compounded the trauma that many families were already going through (Anthes 2008).
![Page 255: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/255.jpg)
Disaster recovery
“We did have to face the music. We stopped paying adjuncts on August 29. We stopped paying part-time faculty and staff members on September
30. Beginning November 1, we began using vacation and sick leave to help pay full-time faculty and staff members” (The Chronicle of
Higher Education 2005, p. B.203).
![Page 256: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/256.jpg)
Disaster recovery
![Page 257: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/257.jpg)
Disaster recovery
![Page 258: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/258.jpg)
Data Center Requirements
Develop a Business Continuity Contingency PolicyAs with any policy, alignment with organizational senior management is the first thing that needs to take place.
![Page 259: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/259.jpg)
Data Center Requirements
“Tulane did not have a formal DR plan for replacement of machines with any outside vendor
or institutionThat was a cabinet-level decision, made during times of fiscal stress. We had just shifted to a
decentralized system for fiscal management, so IT was a shared resource.
When I presented the plan for off-site DR, it was for $300,000 a year or so. We decided that we could not ask the deans to pay for that as they
were already upset about recent budget cuts and increased IT recharge rates” (The Chronicle of
Higher Education 2005, p. B.201)
![Page 260: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/260.jpg)
Data Center Requirements
Of interest to note is that John Lawson, the CIO of Tulane, has related publicly that after Katrina, his off-site DR plan was approved at a cost of approximately $600,000 per year, double the amount Tulane management turned down before Katrina.
![Page 261: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/261.jpg)
Data Center Requirements
Business Impact AnalysisA discussion on BIA and a sample procedure are included in Appendix B.
![Page 262: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/262.jpg)
Data Center Requirements
What drives decisions of our management?
![Page 263: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/263.jpg)
Data Center Requirements
Bergland and Pedersen (1997), in a report on the effects of safety regulation on the safety and well-being of Norwegian fisherman, found that costly regulation induced “the individual rational fisherman to behave in a way which increases their risks” of injury
![Page 264: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/264.jpg)
Data Center Requirements
Apparently this behavior also goes for business management
![Page 265: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/265.jpg)
Data Center Requirements
Will it cost me more to implement the required business continuity and DR infrastructure than it would for me to recover from a catastrophic event that may or may not occur sometime in the future?
![Page 266: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/266.jpg)
Data Center Requirements
Will it cost me more to implement the required business continuity and DR infrastructure than it would for me to recover from a catastrophic event that may or may not occur sometime in the future?Also, in our current economy downtrend that is causing organizations to pull back from IT spending which is in line with the current economic downward trends
![Page 267: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/267.jpg)
Data Center Requirements
![Page 268: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/268.jpg)
Disaster recovery
![Page 269: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/269.jpg)
Disaster recovery
X
![Page 270: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/270.jpg)
Disaster recovery
![Page 271: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/271.jpg)
Data Center Requirements
The goal is not to eliminate the risk but to design business continuity and DR strategies that generate more benefits to the community than the negative effect of the costs incurred (Viscusi and Gayer 2002)
![Page 272: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/272.jpg)
Data Center Requirements
Cold
A cold site is essentially just data center space, power, and network connectivity, ready and waiting for whenever a company might need it.If disaster strikes, you move your hard- and software into the data center and get back up and running.
![Page 273: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/273.jpg)
Data Center Requirements
Warm
A warm site contains your pre-installed hardware and has your bandwidth need spre-configured. If disaster strikes, all you have to do is load your software and data to restore your business systems.
![Page 274: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/274.jpg)
Data Center Requirements
Hot
A hot site allows you to keep servers and a live backup site up and running in the event of a disaster.Basically, you replicate your production environment in a DR center allowing for an immediate cutover in case of disaster at the primary site.
A hot site should be considered for mission critical sites
![Page 275: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/275.jpg)
Disaster recovery
http://www.csc-inc1.com/disaster-recovery.asp
![Page 276: Information Security BIMITM03 College 1 Paul J. Cornelisse/George M.J. Pluimakers](https://reader037.vdocument.in/reader037/viewer/2022110213/5697bf941a28abf838c90280/html5/thumbnails/276.jpg)