4. Overview: Gain Security Awareness
When you hire ______ you do not get one person, but rather a team of highly trained and experienced IT professionals with experience in all areas of information security. ______ works with you to understand your business goals, concerns and your organization's vision, to create the optimal security solution customized for your individual organization.
Presented by Peleg Holzmann, CISSP
5. A few questions
1. What is your corporate vision for security?
2. Where are you today?
3. Where do you want to be?
4. How do we get there?
5. Did we get there?
6. How do we keep the momentum going?
6. One Answer
We can help you answer all these questions!
8. Risk
Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of the current knowledge of the vulnerability.
10. Layered Approach – Defense in Depth
[Diagram: defense-in-depth layers between the Internet and the information, spanning People, Networks, Systems and Technology. Labels: Policies and Laws; Education and Training; Security Planning (IR, DR, BC); Redundancy; Monitoring Systems; Patches & Updates; Authorized Personnel; Access Controls; Firewalls; Proxy Servers; Network IDS; Network IPS; Host IDS; Encryption; Backups.]
23. Step 1 – Example: HIPAA
Some areas which need to be addressed and documented would include:
- Physical Security: systems should be located in physically secure locations, whenever possible.
- Secure Locations: secure locations must have physical access controls (card key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security.
- Access Control Systems: access control systems must be maintained in good working order, and records of maintenance, modification and repair activities should be available.
- Media Destruction and Recycling
- Back-up Systems and Procedures
- Account Management and Access Review
- Emergency Access
- Disaster Recovery…
25. Step 2 – Project Plan
Utilizing Microsoft Project, we design and maintain a feasible and detailed project plan. Each project plan is followed and evaluated constantly to ensure that milestones, schedules and budgets are met.
32. Step 4 – Perform Risk Analysis
Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of the current knowledge of the vulnerability.
33. Risk assessment flow (diagram)
Step 1: System Characterization. Inputs: Hardware, Software, System Interfaces, Data & Information, People, System Mission. Outputs: System Boundary, System Functions, System & Data Criticality, System & Data Sensitivity.
Step 2: Threat Identification. Inputs: History of system attacks, Outside agency data. Output: Threat Statement.
Step 3: Vulnerability Identification. Inputs: Prior Risk Assessments, Prior Audits, Security Requirements, Security Test Results. Output: List of Potential Vulnerabilities.
Step 4: Control Analysis. Inputs: Current Controls, Planned Controls. Output: List of current & planned controls.
Step 5: Likelihood Determination. Inputs: Threat Source Motivation, Threat Capacity, Nature of Vulnerability, Current Controls.
Step 6: Impact Analysis (Loss of CIA). Inputs: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity. Output: Impact Rating.
Step 7: Risk Determination. Inputs: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned & implemented controls. Output: Risk & Associated Risk Levels.
34. Step 4 – Perform Risk Analysis (Quantitative)
Quantitative approach (more detailed and longer time frame):
- Single Loss Expectancy (SLE)
- Annualized Rate of Occurrence (ARO)
- Annualized Loss Expectancy (ALE): SLE x ARO = ALE
- Cost Basis Analysis (CBA)
- Annualized Cost of Safeguard (ACS)
- CBA = ALE (prior) – ALE (post) – ACS
35. Step 4 – Perform Risk Analysis (Qualitative)
Qualitative approach (faster and cheaper): Low, Medium, High, Very High. Assign a degree to the asset, then create a risk matrix chart similar to the sample shown.
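The quantitative and qualitative approaches from slides 32 to 35, carried through together as an added Python example that is not part of the presentation: it scores assets with the slide 8 risk formula, computes SLE/ARO/ALE and the CBA, and bands the scores into the Low/Medium/High/Very High scale. The band edges, the reading of the two percentages as shares of likelihood x value, and the sample assets are assumptions made for this example.

```python
"""Quantitative and qualitative risk analysis as outlined on slides 32-35.
Added example; not the presenter's tooling. Band edges and sample data are constructed."""
from dataclasses import dataclass

@dataclass
class Exposure:
    asset: str
    value: float        # information asset value (score on a 0-100 scale here)
    likelihood: float   # likelihood that the vulnerability is exploited, 0..1
    mitigated: float    # share of the risk already mitigated by current controls, 0..1
    uncertainty: float  # how unsure we are about our knowledge of the vulnerability, 0..1

def risk_rating(e: Exposure) -> float:
    """Slide 8/32 formula: likelihood x value, minus the mitigated share, plus the uncertainty share.
    Assumption: both percentages apply to the likelihood x value product."""
    base = e.likelihood * e.value
    return base - base * e.mitigated + base * e.uncertainty

def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """SLE = asset value x exposure factor (share of the asset lost per incident); ALE = SLE x ARO."""
    return asset_value * exposure_factor * aro

def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE (prior) - ALE (post) - ACS. Positive means the safeguard pays for itself."""
    return ale_prior - ale_post - acs

def qualitative_level(rating: float) -> str:
    """Map a numeric rating onto the deck's Low / Medium / High / Very High scale (constructed bands)."""
    for upper, label in ((25, "Low"), (50, "Medium"), (75, "High")):
        if rating < upper:
            return label
    return "Very High"

def risk_matrix(exposures):
    """Rows of (asset, quantitative rating, qualitative level), worst first."""
    rows = [(e.asset, round(risk_rating(e), 1), qualitative_level(risk_rating(e))) for e in exposures]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample assets for a small clinic-style environment.
SAMPLE = [
    Exposure("patient-db", 90, 0.5, 0.2, 0.1),
    Exposure("badge-system", 60, 0.3, 0.5, 0.2),
    Exposure("kiosk", 20, 0.8, 0.0, 0.1),
]

if __name__ == "__main__":
    for row in risk_matrix(SAMPLE):
        print(row)
```

For the CBA, `cost_benefit(annualized_loss_expectancy(250_000, 0.4, 2), annualized_loss_expectancy(250_000, 0.4, 0.25), 30_000)` compares a safeguard costing $30k a year against an asset whose incidents drop from two a year to one every four years.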
36. Step 4 – Perform Risk Analysis
At ______ we use both in combination, Quantitative and Qualitative, to produce the most accurate risk matrix.
37. Step 4 – Perform Risk Analysis
At ______ we use both in combination, Quantitative and Qualitative, to produce the most accurate risk matrix.
[Flowchart labels: Identify Information Assets; Vulnerability Worksheet; Measure Risk to Asset; Adequate Controls? (YES / NO); Adequate Risk? (YES / NO); Control Strategy and Plan; Access Control; Implement Control; Plan for Maintenance.]