Understanding an organization's risk environment involves taking a holistic approach to information security risk management. This includes identifying the organization's business processes, resources, threats, vulnerabilities and risks through techniques such as business impact analysis and risk evaluation. Risk evaluation aims to identify risk scenarios and their potential business impacts by collecting relevant data, analyzing risks while considering business impacts, and maintaining an up-to-date risk profile. Understanding an organization's business processes, dependencies, resources and the risks that could disrupt them is key to developing and implementing effective security and business continuity strategies.
IT Risk Management & Leadership, 30 March - 02 April 2014, Dubai, UAE (360 BSI)
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
Certified in Risk and Information Systems Control™ (CRISC™) is the most current and rigorous assessment presently available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institution.
CRISC helps enterprises to understand business risk and to have the technical knowledge to implement appropriate IS controls.
This CRISC Certification training course accredited by ISACA is ideal for IT professionals, risk professionals, control professionals, business analysts, project managers, compliance professionals and more.
To know more about CRISC Certification training worldwide,
please contact us at -
Email: support@invensislearning.com
Phone - US +1-910-726-3695,
Website: https://www.invensislearning.com
Is your organization ready to respond to an incident? More specifically, do you have the people, process, and technology in place that is required to cope with today's threats?
This webinar will provide practical steps on how to assess your organization's risks, threats, and current capabilities through a methodical and proven approach. From there, it will detail the people, process, and technology considerations when standing up or revitalizing an incident response (IR) program.
Specifically it will cover the four pillars of a modern IR function:
- Identify what must be protected
- Scope potential breach impact to the organization
- Define IR management capabilities
- Determine likely threats and their potential impact
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Richard White, Solutions Principal, HP
Does Anyone Remember Enterprise Security Architecture? (rbrockway)
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
Cyber Security presentation for the GS-GMIS in Columbia, SC on 7-19-2018, 125 people present, discussion at an Executive level to help Project Managers better understand Cyber Security and recent updates and guidance to help you plan for your company
Assignment You will conduct a systems analysis project by .docx (festockton)
Assignment:
You will conduct a systems analysis project by performing 3 phases of SDLC (planning, analysis and
design) for a small (real or imaginary) organization. The actual project implementation is not
required. You need to apply what you have learned in the class and to participate in the team
project work.
Deliverables
This project should follow the main steps of the first three phases of the SDLC (phase 1, 2 and 3).
Details description and diagrams should be included in each phase.
1- Planning:
Should cover the following:
• Project Initiation: How will it lower costs or increase revenues?
• Project management: the project manager creates a work plan, staffs the project, and puts
techniques in place to help the project team control and direct the project through the
entire SDLC.
2- Analysis
Should cover the following:
• Analysis strategy: This is developed to guide the project team’s efforts. This includes an
analysis of the current system.
• Requirements gathering: The analysis of this information leads to the development of a
concept for a new system. This concept is used to build a set of analysis models.
• System proposal: The proposal is presented to the project sponsor and other key
individuals who decide whether the project should continue to move forward.
3- Design
Should cover the following:
• Design Strategy: This clarifies whether the system will be developed by the company or
outside the company.
• Architecture Design: This describes the hardware, software, and network infrastructure that
will be used.
• Database and File Specifications: These documents define what and where the data will be
stored.
• Program Design: Defines what programs need to be written and what they will do.
The Course Presentations can be downloaded from here:
https://seu2020.com/wp-content/uploads/2019/09/Slides-IT243-Seu2020.com_.zip
In addition to the above please include
Points to be covered:
• Project Plan
• Staff Plan
• Cost
• Who will develop it? Self or vendor
• Project Methodology: need to consider the below factors when choosing a methodology
Clarity of User Requirements, Familiarity with Technology, System Complexity, System
Reliability, Short Time Schedules and Schedule Visibility
• Project timeline and timeframe.
• Risk Management
• Gantt Chart
• Project Requirements: Functional and Non-Functional
• Activity-Based Costing
• Outcome Analysis
• Technology Analysis
https://seu2020.com/wp-content/uploads/2019/09/Slides-IT243-Seu2020.com_.zip
• Include use cases
• Include Processing Model
• Data flow diagrams
• Relationship among Levels of DFDs
• Using the ERD to Show Business Rules
Please consider the slides as a reference of what topics to be covered for this assignment which falls
under the (planning, analysis and design) only.
Special Publication 800-86
Guide to Integrating Forensic
Techniques into Inciden ...
MCGlobalTech presentation to manufacturing sector executives on managing cybersecurity risks by implementing an enterprise information security management program.
2. Contextual security architecture: Understanding an Organization’s Risk Environment
Information security means protecting the confidentiality, integrity and availability of information and information systems from:
• Unauthorized access, use, disclosure (Confidentiality)
• Modification (Integrity)
• Disruption and destruction (Availability)
4. Risk Evaluation
Risk evaluation is the process of identifying risk scenarios and describing their potential business impact.
5. Risk Evaluation - Key Components
• Collect data: identify relevant data to enable effective IT-related risk identification, analysis and reporting
• Analyze risk: develop useful information to support risk decisions that take into account the business impact of risk factors
• Maintain risk profile: maintain an up-to-date and complete inventory of known risks and their attributes as understood in the context of IT controls and business processes
7. Business Impact Analysis (BIA)
Business Continuity Plan (BCP): provides procedures for sustaining mission/business operations while recovering from a significant disruption caused by a natural or human-induced disaster.
The purpose of the business impact analysis (BIA) is to identify which business units/departments and processes are essential to the survival of the business. The BIA will identify how quickly essential business units and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations.
8. Business Continuity Management
• The Business Continuity Plan (BCP) is developed to help assure the organization’s ability to maintain, resume, and recover the business. It is not just about recovering information technology capabilities.
• Planning focuses on the entire enterprise’s mission-critical infrastructure:
1. People
2. Processes
3. Technology
• Thorough business impact analysis (BIA) and risk assessment form the foundation of an effective Business Continuity Plan.
9. Business Continuity Management (BCM)
An important and big topic:
• How to maintain the continued operation of the business’ processes?
10. Business Continuity Management (BCM)
Prerequisite: good documented models of the business’ processes, broken down into a series of hierarchical layers of sub-processes, sub-sub-processes…
1. Business processes
2. Resources needed to run processes
3. Threats, vulnerabilities and risks
4. Business Impact Analysis (BIA)
5. Develop recovery strategies
6. Plan, design and implement recovery plans (including the disaster recovery plan)
7. Testing
– Maintenance (update), Awareness, Training (practice)
… Repeat
11. Each process can be decomposed into a further level of detailed sub-processes
• some run in parallel
• some in sequence…
Business Impact Analysis: meta-processes of large enterprises
There may be 5 or 10 high-level information processes (“meta-processes”) essential to the business, for example:
1. Develop product offerings
2. Bring product offerings to market
3. Acquire customer orders
4. Fulfill customer orders
5. Manage and administer the business
• For example has 6 sub-processes…
Sherwood, J., Clark, A. and Lynas D. (2005)
12. Business Continuity Management Process
Step 1
• Identify and map business processes
• Assess the business impact of loss of each business process
• Classify and rank the business processes into 3 or 4 groups:
1. Critical – Loss of this process will destroy the business
2. Severe – Loss will cause persistent, severe damage to the business
3. Significant (optional) – Loss will cause significant damage
4. Other – Damage caused by loss of this process can be absorbed
BIA – Business Impact Analysis
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
13. Business Continuity Management Process
Step 2
• Select each Critical and Severe process
• Analyze all sub-processes
• Go down to single functional steps to discover all the process and functional components needed to keep this high-level process in continuous operation
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
14. Work processes to support service requests and utility maintenance management work orders
• City’s Public Works Department
• 4 Divisions (230 employees):
• Operations
• Transportation
• Sewer
• Water
15. Service Request / Work Order
Computerized Maintenance Management System (CMMS)
25. Business Continuity Management Process
Step 3
• For each sub-process or function identified in Step 2:
– What resources are needed
– How much of each resource is needed
• People
• Information and communications technology
• Data
• Equipment
• Raw materials
• Accommodations
• Communications
• …
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
27. Business Continuity Management Process
Step 4
• For each information resource identified in Step 3, what high-level threat scenarios put that resource at risk?
• Focus on effects, not causes
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
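The four steps above, carried through end to end as an added worked example in Python. This is my code, not code from the deck or from the Sherwood, Clark and Lynas book. The impact classes are the deck's own; the process inventory is constructed to resemble the deck's public-works case, and the process names, resource quantities and the catalogue of threat effects (`THREAT_EFFECTS`) are assumptions for illustration.

```python
"""Business continuity analysis, Steps 1-4: rank processes, select the
Critical and Severe ones, total the resources their sub-processes need, and
list the threat effects that put each needed resource at risk."""
from dataclasses import dataclass, field
from typing import Dict, List

# Step 1 impact classes from the deck, ranked from most to least severe.
IMPACT_RANK = {"Critical": 0, "Severe": 1, "Significant": 2, "Other": 3}


@dataclass
class SubProcess:
    """A functional component found by decomposing a process (Step 2)."""
    name: str
    resources: Dict[str, int]  # resource category -> quantity needed (Step 3)


@dataclass
class BusinessProcess:
    """A high-level process with its Step 1 impact classification."""
    name: str
    impact_class: str
    sub_processes: List[SubProcess] = field(default_factory=list)


# Step 4: threat scenarios stated as effects on a resource category, not as
# causes. ASSUMPTION: hypothetical effect labels, not a catalogue from the deck.
THREAT_EFFECTS: Dict[str, List[str]] = {
    "People": ["staff unable to reach the workplace", "staff unavailable (illness)"],
    "ICT": ["system unavailable", "data inaccessible or corrupted"],
    "Equipment": ["equipment destroyed or inaccessible"],
    "Accommodations": ["facility inaccessible"],
    "Communications": ["radio/telephone service lost"],
}


def rank_processes(processes: List[BusinessProcess]) -> List[BusinessProcess]:
    """Step 1: order processes by impact class, most critical first."""
    return sorted(processes, key=lambda p: (IMPACT_RANK[p.impact_class], p.name))


def select_for_analysis(processes: List[BusinessProcess]) -> List[BusinessProcess]:
    """Step 2: only Critical and Severe processes are decomposed further."""
    return [p for p in processes if p.impact_class in ("Critical", "Severe")]


def aggregate_resources(processes: List[BusinessProcess]) -> Dict[str, int]:
    """Step 3: total quantity of each resource category the selected processes need."""
    totals: Dict[str, int] = {}
    for p in processes:
        for sp in p.sub_processes:
            for category, qty in sp.resources.items():
                totals[category] = totals.get(category, 0) + qty
    return totals


def threat_scenarios(resource_totals: Dict[str, int]) -> Dict[str, List[str]]:
    """Step 4: the high-level threat effects that put each needed resource at risk."""
    return {cat: THREAT_EFFECTS.get(cat, ["effect not catalogued"]) for cat in resource_totals}


# Constructed sample inventory modelled on the deck's public-works example.
SAMPLE_PROCESSES = [
    BusinessProcess("Respond to water main break", "Critical", [
        SubProcess("Dispatch repair crew", {"People": 6, "Communications": 1, "Equipment": 2}),
        SubProcess("Log service request in CMMS", {"People": 1, "ICT": 1}),
    ]),
    BusinessProcess("Issue utility maintenance work orders", "Severe", [
        SubProcess("Schedule crews", {"People": 2, "ICT": 1, "Accommodations": 1}),
    ]),
    BusinessProcess("Replace street signs", "Significant", [
        SubProcess("Field replacement", {"People": 2, "Equipment": 1}),
    ]),
    BusinessProcess("Produce annual report", "Other", [
        SubProcess("Compile statistics", {"People": 1, "ICT": 1}),
    ]),
]


def run_analysis(processes: List[BusinessProcess] = SAMPLE_PROCESSES) -> dict:
    """Run Steps 1-4 and return the intermediate results for review."""
    ranked = rank_processes(processes)
    selected = select_for_analysis(ranked)
    totals = aggregate_resources(selected)
    return {
        "ranked": [p.name for p in ranked],
        "selected": [p.name for p in selected],
        "resources": totals,
        "threats": threat_scenarios(totals),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_analysis(), indent=2))
```

Note that the Significant and Other processes drop out at Step 2, so their resources never enter the totals; the resource totals therefore describe the minimum the organization must be able to restore, not its whole footprint.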
28. Inventory of Work Processes and Staff needed from a Single Organizational Unit
30. Gaining an Understanding of Staff Needed to Support Mission Critical Work
DPW work is often supported by staff of a number of DPW Divisions, other City offices, and outside agencies.
32. Risk Evaluation - Key Components
• Collect data: identify relevant data to enable effective IT-related risk identification, analysis and reporting
• Analyze risk: develop useful information to support risk decisions that take into account the business impact of risk factors
• Maintain risk profile: maintain an up-to-date and complete inventory of known risks and their attributes as understood in the context of IT controls and business processes
39. Overview of a risk model
NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 21 and page 32
40. Risk assessment process
NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 32
…
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 95
41. Key concepts
• Threat: potential for the occurrence of a harmful event such as an attack
• Vulnerability: weakness that makes targets susceptible to an attack
• Risk: potential of loss from an attack
• Risk mitigation: strategy for dealing with risk
42. What is a threat?
Anything that has the potential to lead to:
• Unauthorized access, use, disclosure
• Modification
• Disruption or destruction
of an enterprise’s information
(Physical, Technical, Administrative)
43. What is a threat…
Threats to information and information systems include:
1. Purposeful attacks (“Human malicious”)
2. Human errors (“Human ignoramus”)
3. Structural failures
4. Environmental disruptions
44. Taxonomy of threat sources
NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
Cybersecurity Awareness for GIS Professionals
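An added example, not from the deck and not NIST's code, that applies the key concepts from slide 41 (threat, vulnerability, risk, risk mitigation) and the four threat-source categories from slide 43 to a qualitative risk assessment in Python. The likelihood-by-impact matrix is modelled on the qualitative combination table in SP 800-30r1 Appendix I, but the cell values written here are my assumption and should be checked against the publication before use; the threat events, vulnerabilities and ratings in `SAMPLE_EVENTS` are constructed.

```python
"""Qualitative risk register: rate threat events by likelihood and impact,
rank them, and show how a mitigation changes the residual risk."""
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scale used throughout SP 800-30r1, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Threat source categories from slide 43, using the SP 800-30 names.
THREAT_SOURCE_TYPES = ("Adversarial", "Accidental", "Structural", "Environmental")

# Likelihood (row) x impact (column, in LEVELS order) -> risk level.
# Modelled on the SP 800-30r1 Appendix I combination table.
# ASSUMPTION: verify these cell values against the publication.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class ThreatEvent:
    """One row of a risk register, using the slide 41 vocabulary."""
    event: str          # the harmful event (the threat)
    source_type: str    # one of THREAT_SOURCE_TYPES
    vulnerability: str  # weakness that makes the target susceptible
    likelihood: str     # overall likelihood the event occurs and causes impact
    impact: str         # level of adverse impact on the business process


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def assess(events: List[ThreatEvent]) -> List[Tuple[str, str]]:
    """Rate each event and return (event, risk level) pairs, highest risk first."""
    for e in events:
        if e.source_type not in THREAT_SOURCE_TYPES:
            raise ValueError(f"unknown threat source type: {e.source_type}")
    rated = [(e.event, risk_level(e.likelihood, e.impact)) for e in events]
    # sorted() is stable, so events with equal risk keep their register order.
    return sorted(rated, key=lambda r: -LEVELS.index(r[1]))


def residual_risk(event: ThreatEvent, likelihood_after: str, impact_after: str) -> Tuple[str, str]:
    """Risk mitigation: (risk before, risk after) once a control changes the ratings."""
    before = risk_level(event.likelihood, event.impact)
    after = risk_level(likelihood_after, impact_after)
    return before, after


# Constructed sample register, one event per threat source category.
SAMPLE_EVENTS = [
    ThreatEvent("Phishing e-mail installs malware on a dispatcher workstation",
                "Adversarial", "users can open executable e-mail attachments", "High", "High"),
    ThreatEvent("Operator deletes the work-order table by mistake",
                "Accidental", "maintenance staff hold database administrator rights", "Moderate", "High"),
    ThreatEvent("Storage controller fails",
                "Structural", "single controller, no redundancy", "Low", "Very High"),
    ThreatEvent("Flooding of the server room",
                "Environmental", "server room is below grade", "Very Low", "Very High"),
]


if __name__ == "__main__":
    for event, level in assess(SAMPLE_EVENTS):
        print(f"{level:9s} {event}")
    # Attachment sandboxing lowers the phishing likelihood; impact is unchanged.
    print("phishing before/after mitigation:", residual_risk(SAMPLE_EVENTS[0], "Low", "High"))
```

The register records the vulnerability alongside each event because the mitigation normally acts on it: in the sample, removing administrator rights from maintenance staff lowers the likelihood of the accidental deletion, while a second storage controller lowers the impact of the structural failure, and `residual_risk` shows the effect of either on the risk level.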
45. Adversarial/Purposeful threat sources (i.e. attackers)
Are often aggressive, disciplined, well-organized, well-funded and, in a growing number of documented cases, very sophisticated.
Successful attacks on private and public information systems can result in serious or grave damage to businesses, organizations, nations and their economic security…
The significance and growing danger of these threats make it imperative for leaders at all levels of an organization to understand their responsibilities for achieving adequate information security and for managing information system-related security risks.
47. Human malicious threat examples
• Accessing public material (80 percent unclassified and open to public)
• Black-hat hackers (lightweights to heavyweights)
• Bombing
• Career criminals
• Computer viruses (stealth, polymorphic, macro; over 6,500 different viruses identified)
• Corporate espionage (spies)
• Crackers/script kiddies (amateurs, novices; considerably less skilled than hackers)
• Cybercrime/fraud
• Data diddling
• Denial-of-service attacks
• Dumpster diving
• Employees, management (greed, vices, financial pressure, extravagant lifestyle, real or imagined grievances, workplace pressure/stress)
• High-energy radio frequency attacks (laser-like device aimed at buildings housing computers; high-frequency radio waves melt computer chips)
• Impersonation/spoofing (e-mail spoofs, anonymous eMailers, use of someone’s login and password)
• Intelligence agencies
• Looping Internet Protocol ISP address (always-on Internet connections vulnerable)
• Password crackers (such as Cracker and LoPht Crack software)
• Physical attacks
• Remote access control software (examples include PCAnywhere, Timbuktu, NetBus, BackOrifice)
• Sabotage
• Social engineering (attacks against persons; using fake badges, blackmail, threat, harassment, bribery and impersonation)
• Surveillance (shoulder surfing, high-powered photography)
• Terrorists
• Trojan horses
• Unshredder software
• Van Eck receptors
• Vendors/suppliers/customers
• Vulnerability scanning software (such as Nessus, CyberCop software)
• War dialing
• Web crawlers
48. Malicious threats
Howard’s process-based taxonomy, from Hansman, S. and Hunt, R., 2004, “A taxonomy of network and computer attacks”, Computers & Security, page 3, Elsevier Ltd. Cited from Howard, J.D., 1997, “An analysis of security incidents on the internet 1989-1995”, PhD thesis, Carnegie Mellon University.
49. Anatomy of an Attack (McAfee, 2011)
Threat landscape
50. Anatomy of an Attack (MANDIANT, 2015)
1. Attacker sends spear phishing e-mail
2. Victim opens attachment
• Custom malware is installed
3. Custom malware communicates to control web site
• Pulls down additional malware
4. Attacker establishes multiple backdoors
5. Attacker accesses system
• Dumps account names and passwords from domain controller
6. Attacker cracks passwords
• Has legitimate user accounts to continue attack undetected
7. Attacker reconnaissance
• Identifies and gathers data
8. Data collected on staging server
9. Data exfiltrated
10. Attacker covers tracks
• Deletes files
• Can return any time
Advanced threats usually maintain remote access to target environments for 6-18 months before being detected (i.e. they are persistent)
(Holcomb & Stapf, 2014)
54. The Non-Malicious insider threat
1. A current or former employee, contractor, or business partner
2. Has or had authorized access to an organization’s network, system, or data
3. Through action or inaction without malicious intent…
4. Causes harm or substantially increases the probability of future serious harm to… confidentiality, integrity, or availability of the organization’s information or information systems
Major characteristic is ‘failure in human performance’
Carnegie Mellon University’s Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) definition (2013)
55. How accidental human (non-malicious insider) threats can happen…
• Most people feel security is not part of their job
• People underestimate the value of information
• Security technologies give people a false sense of protection from attack
• We have a culture of trust that can be taken advantage of with dubious
intent
56. Characterizing insiders’ mistakes
• Ignorant
  – An unintentional accident
• Negligent
  – Willingly ignores policy to make things easier
• Well meaning
  – Prioritizes completing work; “getting ‘er done” takes over following policy
Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc.,
FISSA (Federal Information Systems Security Awareness) Working Group
http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
57. Examples of insiders’ accidents
• Accidental disclosure
  – Posting sensitive data on public website
  – Sending sensitive data to wrong email address
• Malicious code
  – Clicking on suspicious link in email
  – Using ‘found’ USB drive
• Physical data release
  – Losing paper records
• Portable equipment
  – Losing laptop, tablet
  – Losing portable storage device (USB drive, CD)
58. Example of an accident made by a well meaning employee…
“Terrific employee”:
• Account Manager handling Medicaid data for Utah
• Employee had trouble uploading a file requested by State Health Dept.
• Copied 6,000 medical records to USB drive
• Lost the USB drive
• CEO admits the employee probably didn’t even know she was breaking policy
  – this makes it accidental, i.e. “well meaning…”
59. Human non-malicious threat examples
• Computer operator errors
• Data entry (input) errors
• Inadequate access controls
• Inadequate training
• Inadequate human resource policies
• Inadequate program testing/controls incorporated into computer programs
• Inadequate risk analysis undertaken
• Inadequate supervision
• Lack of ethics
• Mislaid disk files
• Physical damage to disk
• Poor management philosophy/attitude
• Unlocked trash containers
• Update of wrong file
• Weak internal controls
64. Structural Threat Examples
• Air conditioning failure
• Building collapse
• Destruction of data, disks, documents, reports
• Destruction of water mains, sewer lines
• Failure of hardware
• Failure of fire alarms, smoke detectors
• Failure of computer programs
• Freak accidents
• Gas line explosions
• Power outages (brownouts, blackouts, transients, spikes, sags and power surges)
• Product failure
• Software failure (operating system, database software)
65. Taxonomy of threat sources
NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
68. What is a Vulnerability?
Any unaddressed susceptibility to a physical, technical or administrative information security threat
69. Vulnerabilities can be classified by asset class
• Physical examples
  – Buildings in environmental hazard zones (e.g. low floor in flood zone)
  – Unlocked and unprotected doors to data center
  – Unreliable power sources
• Technical examples
  – Hardware – susceptibility to humidity, dust, soiling, unprotected storage
  – Software – insufficient testing, lack of audit trail, poor or missing user authentication and access control
  – Data – unencrypted transfer or storage, lack of backup
  – Network – unprotected communication lines, insecure architecture
• Organizational examples
  – Inadequate screening and recruiting process, lack of security awareness and training
  – Lack of regular audits
  – Lack of security and IT related business continuity plans
http://www.infosightinc.com/collaterals/CVA-PT_March2016.pdf
70. What is a Risk?
A measure of threat: the potential loss resulting from unauthorized:
• Access, use, disclosure
• Modification
• Disruption or destruction
…of an enterprise’s information, whether the threat is physical, technical or administrative (organizational, governance)
Can be expressed in quantitative and qualitative terms
71. Information security risks
• Loss of Life
• Economic impact and financial loss
• Replacement costs (software, hardware, other)
• Backup restoration and recovery costs
• Reprocessing, reconstruction costs
• Bankruptcy
• Business interruption
• Crime (non-computer, computer)
• Losses due to fraud, theft, larceny, bribery
• Impact of
– lost competitive edge
– lost data
– lost time
– lost productivity
– lost business
• Frustration
• Ill will
• Injury
• Impacts of inaccurate data
72. Examples of types of information security risk
1. Safety
2. Compliance and regulatory
3. Financial
4. Legal
5. Reputational
6. Political
7. Strategic (competitive)
8. Program/acquisition (cost, schedule, performance)
9. Project
10. Operational (mission/business)
11. Supply chain
73. Steps in a risk assessment methodology
1. What are your business assets?
2. What possible threats put your business assets at risk?
3. Which vulnerabilities and weaknesses may allow a threat to exploit your assets?
4. For each threat, if it materialized, what would be the business impact on your assets?
76. FIPS 199: Risk assessment based on security objectives and impact ratings
77. Risk categorization is based on CIA security objectives and an ordinal impact measure…
Low: Limited adverse effect
Moderate: Serious adverse effect
High: Severe or catastrophic adverse effect
81. FIPS Pub 199 Standards for Security Categorization
Example with multiple information types:
Low: Limited adverse effect
Medium: Serious adverse effect
High: Severe or catastrophic adverse effect
[Table of information types with their per-objective impact ratings; the resulting ratings shown are MODERATE, LOW and MODERATE]
82. Qualitative to quantitative transformation of ordinal risk measures into “interval scale” risk measures
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99
Requires the risk analyst to contribute additional information to move ordinal onto interval scale…
83.
A single risk model cannot meet the diverse needs of the organizations in the private and public sectors. The expectation is for each organization to define a risk model appropriate to its view of risk with formulas reflecting:
• Which risk factors must be considered
• Which risk factors can be combined
• Which factors must be further decomposed
• How assessed values should be combined algorithmically
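One way to carry out the ordinal-to-interval transformation of slide 82 and the organization-defined combination rules of slide 83, as an added Python example that is not part of the original slides. The numeric weights are an assumption borrowed from the likelihood/impact risk-level matrix of the original NIST SP 800-30 (2002); the "lower of the two levels" rule for combining a decomposed likelihood and the sample scenarios are constructed.

```python
# Ordinal-to-interval risk transformation (added example, not from the slides).
# The weights are assumptions taken from the likelihood/impact risk-level
# matrix of the original NIST SP 800-30 (2002); each organization would choose
# its own weights and combination rules, which is the point of slide 83.
ORDINAL = ("low", "moderate", "high")

# Analyst-supplied weights: the extra information that moves ordinal labels
# onto an interval scale. Assumed values, not mandated by any standard.
LIKELIHOOD_WEIGHT = {"low": 0.1, "moderate": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "moderate": 50, "high": 100}


def combine_likelihood(initiation, impact_given_initiation):
    """Decomposed factor: a threat event must both occur and cause harm.
    Assumed combination rule: the lower of the two ordinal levels."""
    return min(initiation, impact_given_initiation, key=ORDINAL.index)


def risk_score(likelihood, impact):
    """Combine the two factors algorithmically: product on the interval scale."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score):
    """Map the interval score back to ordinal bands (assumed: >50 high, >10 moderate)."""
    if score > 50:
        return "high"
    return "moderate" if score > 10 else "low"


def rank_scenarios(scenarios):
    """Risk register ordered highest score first.
    Each scenario: (name, initiation, impact_given_initiation, impact)."""
    rows = []
    for name, init, harm, impact in scenarios:
        score = risk_score(combine_likelihood(init, harm), impact)
        rows.append((name, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register echoing threat examples used in these slides.
SAMPLE = [
    ("Spear-phishing delivers custom malware", "high", "high", "high"),
    ("Well-meaning employee loses USB with records", "moderate", "high", "high"),
    ("Air-conditioning failure in server room", "moderate", "low", "moderate"),
]

if __name__ == "__main__":
    for name, score, level in rank_scenarios(SAMPLE):
        print(f"{score:6.1f} {level:9} {name}")
```

Changing any weight or the band thresholds reorders the register, which is exactly why the analyst's contributed information has to be documented alongside the ordinal ratings.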
86. 2 Broad types of Information and Information Systems
1. Mission-based Information and Information Systems
2. Management and Support Information and Information Systems
  A. Services Delivery Support Functions and Information Types
  B. Government Resource Management Functions and Information Types
87. Mission-based Information and Information Systems
1. Defense and National Security
2. Homeland Security
3. Intelligence Operations
4. Disaster Management
5. International Affairs and Commerce
6. Natural Resources
7. Energy
8. Environmental Management
9. Economic Development
10. Community and Social Services
11. Transportation
12. Education
13. Workforce Management
14. Health
15. Income Security
16. Law Enforcement
17. Litigation and Judicial Activities
18. Federal Correctional Activities
19. General Sciences and Innovation
20. Knowledge Creation and Management
21. Regulatory Compliance and Enforcement
22. Public Goods Creation and Management
23. Federal Financial Assistance
24. Credit and Insurance
25. Transfers to State/Local Governments
26. Direct Services for Citizens
89. Services Delivery Support Functions and Information Types
1. Controls and Oversight
2. Regulatory Development
3. Planning and Budgeting
4. Internal Risk Management and Mitigation
5. Revenue Collection
6. Public Affairs
7. Legislative Relations
8. General Government
91. Government Resource Management Functions and Information Types
1. Administrative Management
2. Financial Management
3. Human Resources Management
4. Supply Chain Management
5. Information and Technology Management
100. Assignment deliverable for Week 5, to be started in class 4:
Select an information system to assess from either:
• Mission area (bold heading in Table 4 from NIST 800-60 Volume I Revision 1)
• Management support function (Table 5) or
• Government resource support function (Table 6)
which will include the associated information types under that heading.
Draw a conceptual diagram and annotate it with text descriptions that answer the following:
1. What are the impact ratings of each information type in the information system you chose?
2. What is the single overall impact rating for each information type?
3. What is the system security rating for each of the CIA dimensions of the system?
4. What is the overall system security rating for the system?
You can use Visio, PowerPoint or any drawing software tool.
Save your annotated diagram as a PDF file in your MIS5214 Google Drive folder, and name it with the following naming convention: “yourfirstname”-”lastname”_MIS5214-Week5.pdf
For example: dave-lanter_MIS5214-week5.pdf
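The FIPS 199 "high water mark" computation behind the multiple-information-type example of slide 81 and the four questions of the Week 5 assignment, as an added Python example that is not part of the original slides. The information types and their ratings are constructed; in a real assessment the provisional ratings come from NIST SP 800-60 Volume II and are then adjusted.

```python
# FIPS 199 security categorization with the "high water mark" (added example,
# not from the slides). Information types and their provisional ratings are
# constructed. "n/a" is allowed only for the confidentiality of an information
# type (public information); a system never rates below "low" on any objective.
LEVELS = ("n/a", "low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels):
    """Highest ordinal level among those given (the FIPS 199 high water mark)."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """info_types: {name: {objective: level}}. Returns the four answers the
    assignment asks for: per-type, per-type overall, per-objective, overall."""
    for name, ratings in info_types.items():
        missing = set(OBJECTIVES) - set(ratings)
        if missing:
            raise ValueError(f"{name}: no rating for {sorted(missing)}")
        for objective, level in ratings.items():
            if level == "n/a" and objective != "confidentiality":
                raise ValueError(f"{name}: 'n/a' is only valid for confidentiality")
    per_type_overall = {n: high_water_mark(r.values()) for n, r in info_types.items()}
    per_objective = {  # system floor is "low", so "n/a" never propagates upward
        o: high_water_mark(["low"] + [r[o] for r in info_types.values()])
        for o in OBJECTIVES
    }
    return {
        "per_type": info_types,
        "per_type_overall": per_type_overall,
        "per_objective": per_objective,
        "overall": high_water_mark(per_objective.values()),
    }


def fips199_label(per_objective):
    """Render in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    inner = ", ".join(f"({o}, {lvl.upper()})" for o, lvl in per_objective.items())
    return "SC = {" + inner + "}"


# Constructed sample: a health-services system with three information types.
SAMPLE_SYSTEM = {
    "patient records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public health notices": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
    "lab result reporting": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    result = categorize_system(SAMPLE_SYSTEM)
    print(result["per_type_overall"], fips199_label(result["per_objective"]), result["overall"])
```

Note how one "high" integrity rating on a single information type pulls the whole system to HIGH, which is the aggregation effect the assignment's questions 3 and 4 are meant to expose.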