MIS: Information Security Management
Upcoming SlideShare
Loading in...5
×
 

MIS: Information Security Management

on

  • 607 views

 

Statistics

Views

Total Views
607
Views on SlideShare
607
Embed Views
0

Actions

Likes
0
Downloads
38
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

MIS: Information Security Management MIS: Information Security Management Presentation Transcript

  • IS Security Management 4/18/2013
  • The Elephant in the ServerRoom• Absolute security is a myth.• IS managers take the blame.
  • Risk Management• Risk management: process of identifying and controlling risks facing an organization• Risk identification: process of examining an organization’s current information technology security situation• Risk control: applying controls to reduce risks to an organizations data and information systems 3
  • Components of RiskManagement Risk Management Risk Identification Risk Control Risk Assessment is the documented result of the risk identification process Selecting Strategy Inventorying Assets Justifying Controls Classifying Assets Identifying Threats & Vulnerabilities
  • An Overview of RiskManagement• Know yourself – Understand the technology and systems in your organization• Know the enemy – Identify, examine, understand threats• Role of Communities of Interest – Information Security – Management and Users – Information Technology 5
  • Risk Identification• Assets are targets of various threats and threat agents• Risk management involves identifying organization’s assets and identifying threats/vulnerabilities• Risk identification begins with identifying organization’s assets and assessing their value 6
  • 7
  • Asset Identification andValuation• List all elements of an organization’s system.• Classify and categorize assets. 8
  • Table 4-1 - Categorizing Components & Valuation Asset IdentificationTraditional System SecSDLC and risk management system componentsComponentsPeople Employee Trusted employees Other staff Non-employees People at trusted organizations / StrangersProcedures Procedures IT & business standards procedures IT & business standards proceduresData Information Transmission, Processing, StorageSoftware Software Applications, Operating systems, Security componentsHardware System devices and Systems and peripherals peripherals Security devices Networking components Intranet components Internet or DMZ components
  • Data / People /Procedural Assets• Human resources, documentation, and data information assets are more difficult to identify• People with knowledge, experience, and good judgment should be assigned this task• These assets should be recorded using reliable data-handling process 10
  • Hardware / Software /Network Assets• Name (device or program name)• IP address• Media access control (MAC) address• Element type – server, desktop, etc. Device Class, Device OS, Device Capacity 11
  • Hardware / Software /Network Assets• serial number• manufacturer name; model/part number• software versions• physical or logical location• Software version, update revision
  • Information AssetClassification• Many organizations have data classification schemes (e.g., confidential, internal, public data)• Classification must be specific enough to allow determination of priority• Comprehensive – all info fits in list somewhere• Mutually exclusive – fits in one place 13
  • Information Asset Valuation• What is most critical to organization’s success?• What generates the most revenue?• What generates the most profit?• What would be most expensive to replace?
  • Information Asset Valuation (continued)• What would be most expensive to protect?• What would be most embarrassing or cause the greatest liability is revealed?
  • Figure 4-3 – ExampleWorksheet 16
  • Listing Assets in Order ofImportance• Weighted factor analysis• Each info asset assigned score for each critical factor (0.1 to 1.0)• Each critical factor is assigned a weight (1- 100)• Multiply and add
  • Table 4-2 – ExampleWeighted Factor Analysis CPSC375@UTC/CS 18
  • Data Classification andManagement• Information owners responsible for classifying their information assets• Information classifications must be reviewed periodically• Most organizations do not need detailed level of classification used by military or federal agencies.
  • Data Classification andManagement• Organizations may need to classify data to provide protection – Public – For official use only – Sensitive – classified CPSC375@UTC/CS 20
  • Data Classification andManagement• Assign classification to all data• Grant access to data based on classification and need• Devise some method of managing data relative to classification CPSC375@UTC/CS 21
  • Security Clearances• Security clearance structure: each data user assigned a single level of authorization indicating classification level• Before accessing specific set of data, employee must meet need-to-know requirement• Extra level of protection ensures information confidentiality is maintained
  • Potential ThreatsThreat ExampleActs of human error or failure Accidents, employee mistakesCompromises to intellectual Piracy, copyright infringementpropertyDeliberate acts of espionage or Unauthorized access and/or datatrespass collectionDeliberate acts of information Blackmail or informationextortion disclosureDeliberate acts of theft Illegal confiscation of equipment or informationDeliberate acts of sabotage or Destruction of systems orvandalism information
  • Potential ThreatsCategories of Threat ExamplesDeliberate acts of software attacks Viruses, worms, macros, denial-of- serviceForces of nature Fire, flood, earthquake, lightningDeviations in quality of service ISP, power, WAN service issues from service providersTechnical hardware failures or errors Equipment failureTechnical software failures or errors Bugs, code problems, unknown loopholesTechnological obsolescence Antiquated or outdated technologies 24
  • Threat Assessment• Which threats present a danger to an organization’s assets?• Which threats represent the most danger?• How much would it cost to recover?• Which threat requires the greatest expenditure to prevent? 25
  • VulnerabilityIdentification• Identify each asset and each threat it faces• Create a list of vulnerabilities• Examine how each of the threats are likely to be perpetrated
  • Risk Assessment• Risk assessment evaluates the relative risk for each vulnerability• Assigns a risk rating or score to each information asset 27
  • Risk Assessment likelihood of occurrence * value of the information asset - percent mitigated + uncertainty
  • Probability Computation• Assign number between 0.1 – 1• Data is available for some factors – Likelihood of fire – Likelihood of receiving infected email – Number of network attacks 29
  • Valuation of InformationAssetsUsing info from asset identificationassign weighted score for the value. – 1 -100 – 100 – stop company operations – May use broad categories – NIST has some predefined 30
  • Risk Control Strategies• Apply safeguards that eliminate or reduce residual risks (avoidance)• Transfer the risk to other areas or outside entities (transference)• Reduce the impact should the vulnerability be exploited (mitigation)• Understand the consequences and accept the risk without control or mitigation (acceptance) 31
  • Mitigation• When a vulnerability can be exploited -- apply layered protections, architectural designs, and administrative controls• When attacker’s cost is less than potential gain -- apply protection to increase attackers costs• When potential loss is substantial -- redesign, new architecture, controls
  • Conclusion“The goal of information security is notto bring residual risk to zero; it is tobring residual risk into line with anorganization’s comfort zone or riskappetite” 33