information systems 365 lecture three - performing an it security risk analysis

Information Security 365/765, Fall Semester, 2014. Course Instructor, Nicholas Davis. Lecture 2, Course Introduction

Upload: nicholas-davis

Post on 17-Jun-2015


DESCRIPTION

Lecture 3 slides for the Information Systems 365/765 class I teach at UW-Madison. If you ever had the urge to perform a 5 step quantitative IT Security Risk Analysis, then this is for you!

TRANSCRIPT

Page 1: Information systems 365 lecture three - Performing an IT Security Risk Analysis

Information Security 365/765, Fall Semester, 2014

Course Instructor, Nicholas Davis
Lecture 2, Course Introduction

Page 2

04/13/23 UNIVERSITY OF WISCONSIN 2

Page 3: Lecture Topics

Security management responsibilities
Difference between Administrative, Technical and Physical Controls
The three main security principles
Risk management
How to perform a risk analysis

Page 4: Defining Security Management

Risk management method (see next slide)
Information Security Policies
Procedures
Standards
Guidelines
Baselines
Information Classification
Security Organization
Security Education

Page 5: Process of Security Management

Determination of needs
Assessment of risks
Monitoring and evaluation of existing systems and practices
Promote awareness of existing issues
Implementation of policies and controls to address needs

Use a “Top Down” approach, not a “Bottom Up” approach

Page 6: Three Types of Security Controls

Administrative
Technical
Physical

Page 7: Administrative Controls

These include developing and publishing policies, standards, procedures and guidelines for risk management, screening personnel, conducting security awareness training, and implementing change control procedures.

Page 8: Technical Controls (Also Called Logical Controls)

These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices and the configuration of the infrastructure.

Opinion note from the lecturer

Page 9: Physical Controls

These entail controlling individual access into the facilities, locking systems, removing unnecessary access points to systems such as CD drives and USB ports, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.

Page 10: All Three Controls Must Work Together

Page 11: Three Core Goals of Information Security

Confidentiality
Integrity
Availability

Page 12: Availability

The systems and networks should provide adequate capacity to perform in a predictable manner, with an acceptable level of performance.
They should be able to quickly recover from disruption.
Single points of failure should be avoided.
Backup measures should be taken.

Page 13: Integrity

Defined as maintaining the accuracy and reliability of information systems, preventing any unauthorized modification.
Attacks or mistakes by users do not compromise the integrity of the data.
Viruses, logic bombs, or back doors can all compromise the integrity of an information system.

Page 14: Confidentiality

Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
This level of confidentiality should prevail while data resides on systems within the network, as it is transmitted, and once it reaches its destination.

Page 15: More Terminology

Vulnerability
Threat
Risk
Exposure

Page 16: Vulnerability

A software, hardware, physical or procedural weakness which may provide an attacker an open door into your information systems environment.

Page 17: Threat

A potential danger to an information system. The threat is that someone or something will identify and take advantage of a vulnerability. The entity which takes advantage of a vulnerability is called a threat agent.

Page 18: Risk

A risk is the likelihood of a threat agent taking advantage of a vulnerability.

Page 19: Exposure

Exposure is a single instance of the damage caused by a vulnerability being exploited by a threat agent.

Way too many terms here for a normal human to remember!!!

Page 20: Countermeasure

A safeguard put into place to mitigate a potential risk.

Page 21: Security Through Obscurity

Trying to keep things safe by keeping them hidden.

Bad idea – not a true security control.

Page 22: Security Planning Areas

Strategic
Tactical
Operational

Page 23: Strategic - Long and Broad Horizon

Make sure that risks are properly understood
Ensure compliance with laws and regulations
Integrate security responsibilities throughout the organization
Create a maturity model to allow for continual improvement
Use security as a business achievement to attract more customers

Page 24: Tactical - Initiatives Supporting Strategy

Initiatives and planning put in place to support the larger strategic plan.

Putting together teams to address specific issues
Hiring new employees to be responsible for specific areas such as HIPAA or PCI compliance

Page 25: Operational

Perform security risk assessment
Do not allow security changes to decrease productivity
Maintain and implement controls
Continually scan for vulnerabilities and roll out patches
Track compliance with policies

Page 26: Judge Against Standards - ISO 17799

If you know this, you will be golden in the job interview!
ISO is a British organization, recognized around the world for standards.
High level recommendations for enterprise IT security.

Page 27: Information Security Policy For the Organization

Map of objectives to security management’s support, security goals and responsibilities.

Page 28: Creation of an Information Security Infrastructure

Create and maintain an organizational security structure through the use of a security forum, a security officer, defining responsibilities, a method for authorizing projects, outsourcing, and independent audits and reviews.

Page 29: Asset Classification and Control

Develop a security infrastructure to protect organizational assets through accountability, using inventory, classification, and handling procedures.

Page 30: Personnel Security

Reduce the risks which are inherent in human action by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

Page 31: Physical and Environmental Security

Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, physical access control, and protecting equipment.

Page 32: Communications and Operations Management

Carry out operations through documented procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling.

Page 33: Access Control

Control electronic access based upon business requirements, user management, authentication methods and monitoring.

Page 34: System Development and Maintenance

Make security an integral part of all life phases of system development and management.

Page 35: Business Continuity Management

Counter disruptions of normal operations by using continuity planning and testing.

Page 36: Compliance

Comply with regulatory, contractual and statutory requirements by using technical controls, systems audits and continuous legal and regulatory awareness.

Cost effective, relevant, timely, and responsive

Page 37: Risk Analysis

A method for identifying risks and threats.

Page 38: Risk Analysis Has Four Main Goals

Identify assets and their values
Identify vulnerabilities and threats
Quantify the probability and business impact of these potential threats
Provide an economic balance between the impact of the threat and the cost of the countermeasure

Page 39: Risk Analysis - Step One: Assign a Value to the Asset

What is the value of this asset to the company?
How much does it cost to maintain?
How much does it make in profits for the company?
How much would it be worth to the competition?
How much would it cost to re-create or recover?

Page 40: Risk Analysis - Step One: Assign a Value to the Asset (continued)

How much did it cost to acquire or develop this asset?
How much liability do you face if the asset is compromised?

Page 41: Risk Analysis - Step 2: Estimate Potential Loss Per Threat

What physical damage could the threat cause and how much would that cost?
How much loss of productivity could the threat cause and how much would that cost?
What is the value lost if the confidential information is disclosed?
What is the cost of recovering from this threat?
What is the value of the loss if critical devices were to fail?
What is the Single Loss Expectancy (SLE) for each asset and each threat?

Page 42: Risk Analysis - Step Three: Perform a Threat Analysis

Gather information about the likelihood of each threat taking place, from people in each department. Examine past records which provide this type of data.
Calculate the Annualized Rate of Occurrence (ARO), which is the number of times the threat can take place in a twelve month period.

Page 43: Risk Analysis - Step Four: Derive the Overall Annual Loss Per Threat

Combine potential loss and probability
Calculate the Annualized Loss Expectancy (ALE) per threat, by using the information calculated in the first three steps
Choose remedial measures to counteract each threat
Carry out cost-benefit analysis on the identified countermeasures

Page 44: Risk Analysis - Step 5: Reduce, Transfer, Avoid or Accept the Risk

Install security controls
Improve procedures
Alter the environment
Provide early detection methods to catch the threat as it is happening and reduce the possible damage it can cause
Produce a contingency plan of how the business can continue if a specific threat takes place, reducing further damages

Page 45: Risk Analysis - Step 5: Reduce, Transfer, Avoid or Accept the Risk (continued)

Put up barriers to the threat
Carry out security awareness training
Perform risk transfer (buy insurance and make it someone else’s problem)
Risk acceptance (live with the risks and spend no more money for protection)
Risk avoidance (discontinue the activity that is causing the risk)
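A worked version of the five steps above (asset value, SLE, ARO, ALE, then cost-benefit of each countermeasure), added here as an example that is not from the lecture slides. The dollar figures, rates and control names are constructed, and the exposure factor (the fraction of the asset's value lost in one incident, so SLE = asset value x EF) is an assumption the slides do not name.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Threat:
    """One threat against one asset, with the inputs gathered in steps 1 to 3."""
    name: str
    asset_value: float      # step 1: monetary value of the asset
    exposure_factor: float  # fraction of asset value lost per incident (assumption, not on the slides)
    aro: float              # step 3: Annualized Rate of Occurrence

    def sle(self) -> float:
        """Step 2: Single Loss Expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 4: Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    """A candidate safeguard and the residual risk expected once it is in place."""
    name: str
    annual_cost: float   # product, maintenance, support and extra staff hours, per year
    residual_ef: float   # exposure factor after the control is in place
    residual_aro: float  # ARO after the control is in place


def net_value(t: Threat, c: Countermeasure) -> float:
    """Step 5 cost-benefit: ALE before - ALE after - annual cost of the safeguard.
    Positive means the control saves more than it costs each year."""
    after = Threat(t.name, t.asset_value, c.residual_ef, c.residual_aro)
    return t.ale() - after.ale() - c.annual_cost


def recommend(t: Threat, options: list[Countermeasure]) -> tuple[str, float]:
    """Pick the option with the highest net value; accept the risk if none pays for itself."""
    ranked = sorted(options, key=lambda c: net_value(t, c), reverse=True)
    if not ranked or net_value(t, ranked[0]) <= 0:
        return ("accept", 0.0)
    return (ranked[0].name, net_value(t, ranked[0]))


# Constructed sample inputs (not real figures).
LAPTOP = Threat("stolen laptop with customer data", 200_000.0, 0.5, 2.0)
LAPTOP_OPTIONS = [
    Countermeasure("full disk encryption", 15_000.0, 0.125, 2.0),  # thefts continue, loss per theft shrinks
    Countermeasure("cable locks", 2_000.0, 0.5, 1.0),              # fewer thefts, same loss each time
]
PRINTER = Threat("office printer failure", 3_000.0, 1.0, 0.125)
PRINTER_OPTIONS = [Countermeasure("service contract", 500.0, 0.25, 0.125)]

if __name__ == "__main__":
    for threat, options in ((LAPTOP, LAPTOP_OPTIONS), (PRINTER, PRINTER_OPTIONS)):
        print(f"{threat.name}: SLE={threat.sle():,.0f} ALE={threat.ale():,.0f} -> {recommend(threat, options)}")
```

The printer case shows why step 5 includes acceptance: the service contract costs more per year than the loss it prevents, so the net value is negative and the cheapest correct answer is to live with the risk.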

Page 46: Results of the Risk Analysis

1. Monetary values are assigned to assets

2. You have a comprehensive list of all possible and significant threats

3. You have a probability of the occurrence rate of each threat

4. You have the loss potential which the company can endure per threat, annually.

5. A list of recommended safeguards, countermeasures and actions

Page 47: Countermeasure Selection

Product costs
Design and planning costs
Implementation costs
Environment modifications
Compatibility with other countermeasures
Maintenance requirements
Testing requirements

Page 48: Countermeasure Selection (continued)

Repair, replacement or update costs
Operating and support costs
Effects on productivity
Subscription costs
Extra person hours
Tolerance for headaches caused by the new countermeasure

Page 49: Next Time

Security policies
Information classification
Security awareness training

Page 50