Contextual Security
Architecture
Contextual security architecture:
Understanding an Organization’s Risk Environment
Information security means protecting the confidentiality, integrity and availability of information and information systems from:
• Unauthorized access, use and disclosure (Confidentiality)
• Modification (Integrity)
• Disruption and destruction (Availability)
Holistic Approach to Information Security Risk Management
• ISACA Risk IT
• NIST Risk Management Framework
Risk Evaluation
Risk evaluation is the process of identifying risk scenarios and describing their potential business impact.
Risk Evaluation - Key Components
• Collect Data: Identify relevant data to enable effective IT-related risk identification, analysis and reporting
• Analyze Risk: Develop useful information to support risk decisions that take into account the business impact of risk factors
• Maintain Risk Profile: Maintain an up-to-date and complete inventory of known risks and their attributes, as understood in the context of IT controls and business processes
Collect Data
Business Impact Analysis (BIA)
Business Continuity Plan (BCP): Provides procedures for sustaining mission/business operations while recovering from a significant disruption caused by a natural or human-induced disaster.
The purpose of the business impact analysis (BIA) is to identify which business units/departments and processes are essential to the survival of the business. The BIA will identify how quickly essential business units and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations.
Business Continuity Management
• The Business Continuity Plan (BCP) is developed to help assure the organization's ability to maintain, resume, and recover the business. It is not just about recovering information technology capabilities.
• Planning focuses on the entire enterprise's mission-critical infrastructure:
1. People
2. Processes
3. Technology
• A thorough business impact analysis (BIA) and risk assessment form the foundation of an effective Business Continuity Plan.
Business Continuity Management (BCM)
An important and big topic:
• How to maintain the continued operation of the business’
processes?
Business Continuity Management (BCM)
Prerequisite: Good documented models of the business’
processes, broken down into a series of hierarchical layers of
sub-processes, sub-sub processes…
1. Business processes
2. Resources needed to run processes
3. Threats, vulnerabilities and risks
4. Business Impact Analysis (BIA)
5. Develop recovery strategies
6. Plan, design and implement recovery plans
7. Testing
– Maintenance (update), Awareness, Training (practice)
… Repeat
Including disaster recovery plan
Each process can be decomposed into a
further level of detailed sub-processes
• some run in parallel
• some in sequence…
Business Impact Analysis: Meta processes of large
enterprises
There may be 5 or 10 high-level information processes (“meta-processes”) essential
to the business, for example:
1. Develop product offerings
2. Bring product offerings to market
3. Acquire customer orders
4. Fulfill customer orders
5. Manage and administer the business
• For example, one of these meta-processes has 6 sub-processes…
Sherwood, J., Clark, A. and Lynas D. (2005)
Business Continuity Management Process
Step 1
• Identify and map business processes
• Assess the business impact of loss of each business
process
• Classify and rank the business processes into 3 or 4
groups
1. Critical – Loss of this process will destroy the business
2. Severe – Loss will cause persistent, severe damage to the
business
3. Significant (optional) – Loss will cause significant
damage
4. Other – Damage caused by loss of this process can be
absorbed
BIA – Business Impact Analysis
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Business Continuity Management Process
Step 2
• Select each Critical and Severe process
• Analyze all sub-processes
• Down to single functional steps to discover all the
process and functional components needed to keep
this high-level process in continuous operation
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Example: work processes supporting service requests and utility maintenance management work orders
• City's Public Works Department (DPW): 4 Divisions (230 employees): Operations, Transportation, Sewer, Water
• Service requests and work orders are tracked in a Computerized Maintenance Management System (CMMS)
• A collection of swim lane models documents the business processes of each DPW Division (sewer, water, transportation and operations work processes; diagrams in the original slides)
Business Continuity Management Process
Step 3
• For each sub-process or function
identified in Step 2:
– What resources are needed
– How much of each resource is needed
• People
• Information and communications technology
• Data
• Equipment
• Raw materials
• Accommodations
• Communications
• …
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Business Continuity Management Process
Step 4
• For each information resource identified in Step 3, what high-level threat scenarios put that resource at risk?
• Focus on effects, not causes
Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
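The four BCM steps above, worked through in code. This is an added example and is not code from Sherwood, Clark and Lynas or from the original slides: the process names are the meta-processes listed earlier on the page, while the sub-processes, resource quantities, the resource classes and the effect-based scenario table are constructed for illustration. It ranks processes (Step 1), keeps only Critical and Severe ones (Step 2), totals the resources they need (Step 3), flags resources that sit on the critical path of more than one process, and lists effect-based threat scenarios per resource (Step 4).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from enum import IntEnum


class Criticality(IntEnum):
    """Step 1 ranking: loss of a CRITICAL process destroys the business, SEVERE causes
    persistent severe damage, SIGNIFICANT is the optional group, OTHER can be absorbed."""
    OTHER = 0
    SIGNIFICANT = 1
    SEVERE = 2
    CRITICAL = 3


@dataclass
class SubProcess:
    name: str
    # Step 3: resource name -> how much of it this functional step needs to keep running
    resources: dict[str, int] = field(default_factory=dict)


@dataclass
class Process:
    name: str
    criticality: Criticality
    sub_processes: list[SubProcess] = field(default_factory=list)


# Step 4 asks for effects rather than causes, so a scenario is "loss of a security
# property of a resource class". Both tables are assumptions made for this example.
RESOURCE_CLASS = {
    "order clerks": "people",
    "warehouse staff": "people",
    "order management system": "ict",
    "ERP system": "ict",
    "customer database": "data",
    "warehouse building": "accommodation",
}
EFFECT_SCENARIOS = {
    "people": ["staff unavailable (illness, industrial action, site closed)"],
    "ict": ["loss of availability (outage)", "loss of integrity (system corrupted)"],
    "data": ["loss of availability (no usable backup)", "loss of integrity", "loss of confidentiality"],
    "accommodation": ["loss of availability (site inaccessible)"],
}


def in_scope(processes: list[Process]) -> list[Process]:
    """Step 2: only Critical and Severe processes are decomposed any further."""
    return [p for p in processes if p.criticality >= Criticality.SEVERE]


def resource_demand(processes: list[Process]) -> dict[str, int]:
    """Step 3: total quantity of each resource needed by all in-scope processes."""
    demand: dict[str, int] = defaultdict(int)
    for p in in_scope(processes):
        for step in p.sub_processes:
            for res, qty in step.resources.items():
                demand[res] += qty
    return dict(demand)


def shared_resources(processes: list[Process]) -> dict[str, list[str]]:
    """Resources on the critical path of more than one in-scope process: the
    cross-process dependencies (and single points of failure) the slides ask for."""
    users: dict[str, set[str]] = defaultdict(set)
    for p in in_scope(processes):
        for step in p.sub_processes:
            for res in step.resources:
                users[res].add(p.name)
    return {res: sorted(names) for res, names in users.items() if len(names) > 1}


def threat_scenarios(processes: list[Process]) -> dict[str, list[str]]:
    """Step 4: effect-based threat scenarios for every in-scope resource."""
    return {res: EFFECT_SCENARIOS[RESOURCE_CLASS[res]] for res in resource_demand(processes)}


# Constructed example data using the meta-processes named in the slides.
PROCESSES = [
    Process("Acquire customer orders", Criticality.CRITICAL, [
        SubProcess("Take order", {"order clerks": 4, "order management system": 1, "customer database": 1}),
        SubProcess("Credit check", {"ERP system": 1, "customer database": 1}),
    ]),
    Process("Fulfill customer orders", Criticality.SEVERE, [
        SubProcess("Pick and pack", {"warehouse staff": 6, "warehouse building": 1, "ERP system": 1}),
        SubProcess("Ship", {"warehouse staff": 2, "ERP system": 1}),
    ]),
    Process("Develop product offerings", Criticality.SIGNIFICANT, [
        SubProcess("Market research", {"customer database": 1}),  # dropped by Step 2
    ]),
]

if __name__ == "__main__":
    shared = shared_resources(PROCESSES)
    for res, qty in sorted(resource_demand(PROCESSES).items()):
        print(f"{res}: {qty} needed; shared by {shared.get(res, ['a single process'])}")
        for scenario in threat_scenarios(PROCESSES)[res]:
            print(f"    scenario: {scenario}")
```

The customer database is used twice within one process, so it is not reported as shared; the ERP system is, because both in-scope processes stop without it. The SIGNIFICANT process contributes nothing to the totals, which is exactly the Step 2 cut the slides describe.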
Inventory of work processes and staff needed from a single organizational unit
Understanding cross-organizational workflows: identifying dependencies on critical paths for completing prioritized work processes
Gaining an understanding of staff needed to support mission-critical work: DPW work is often supported by staff of a number of DPW Divisions, other City offices, and outside agencies
Business process analysis results in an integrated overview of how DPW work is coordinated
Analyze Risk
Maintain Risk Profile
Overview of a risk model
NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 21 and page 32
Risk assessment process
NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 32
…
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”,
page 95
Key concepts
• Threat: Potential for the occurrence of a harmful event such as an attack
• Vulnerability: Weakness that makes targets susceptible to an attack
• Risk: Potential of loss from an attack
• Risk Mitigation: Strategy for dealing with risk
What is a threat?
Anything that has the potential to lead to:
• Unauthorized access, use, disclosure
• Modification
• Disruption or destruction
of an enterprise's information, whether by physical, technical or administrative means
What is a threat…
Threats to information and information systems include:
1. Purposeful attacks ("Human malicious")
2. Human errors ("Human non-malicious")
3. Structural failures
4. Environmental disruptions
Taxonomy of threat sources
NIST SP 800-30r1 "Guide for Conducting Risk Assessments", page 66
Cybersecurity Awareness for GIS Professionals
Adversarial/purposeful threat sources (i.e. attackers)
Are often aggressive, disciplined, well-organized, well-funded and, in a growing number of documented cases, very sophisticated.
Successful attacks on private and public information systems can result in serious or grave damage to businesses, organizations, nations and their economic security…
The significance and growing danger of these threats make it imperative for leaders at all levels of an organization to understand their responsibilities for achieving adequate information security and for managing information system-related security risks.
Adversarial (i.e. purposeful) threat sources
NIST SP 800-30r1 "Guide for Conducting Risk Assessments", page 66
Human malicious threat examples
• Accessing public material (80 percent unclassified and open to the public)
• Black-hat hackers (lightweights to heavyweights)
• Bombing
• Career criminals
• Computer viruses (stealth, polymorphic, macro; over 6,500 different viruses identified)
• Corporate espionage (spies)
• Crackers/script kiddies (amateurs, novices; considerably less skilled than hackers)
• Cybercrime/fraud
• Data diddling
• Denial-of-service attacks
• Dumpster diving
• Employees, management (greed, vices, financial pressure, extravagant lifestyle, real or imagined grievances, workplace pressure/stress)
• High-energy radio frequency attacks (directional device aimed at buildings housing computers; high-power radio waves damage computer chips)
• Impersonation/spoofing (e-mail spoofs, anonymous e-mailers, use of someone's login and password)
• Intelligence agencies
• Looping Internet Protocol (IP) addresses (always-on Internet connections are vulnerable)
• Password crackers (such as Crack and L0phtCrack software)
• Physical attacks
• Remote access control software (examples include pcAnywhere, Timbuktu, NetBus, Back Orifice)
• Sabotage
• Social engineering (attacks against persons; using fake badges, blackmail, threats, harassment, bribery and impersonation)
• Surveillance (shoulder surfing, high-powered photography)
• Terrorists
• Trojan horses
• Unshredder software
• Van Eck receivers (eavesdropping on electromagnetic emanations from equipment)
• Vendors/suppliers/customers
• Vulnerability scanning software (such as Nessus, CyberCop software)
• War dialing
• Web crawlers
Malicious threats
Howard's process-based taxonomy, from Hansman, S. and Hunt, R. (2004), "A taxonomy of network and computer attacks", Computers & Security, page 3, Elsevier Ltd.; cited from Howard, J.D. (1997), "An analysis of security incidents on the Internet 1989-1995", PhD thesis, Carnegie Mellon University.
Threat landscape
Anatomy of an Attack (McAfee, 2011)
Anatomy of an Attack (MANDIANT, 2015)
1. Attacker sends spear phishing e-mail
2. Victim opens attachment
• Custom malware is installed
3. Custom malware communicates with a command-and-control web site
• Pulls down additional malware
4. Attacker establishes multiple backdoors
5. Attacker accesses system
• Dumps account names and password hashes from the domain controller
6. Attacker cracks passwords
• Has legitimate user accounts to continue the attack undetected
7. Attacker reconnaissance
• Identifies and gathers data
8. Data collected on a staging server
9. Data exfiltrated
10. Attacker covers tracks
• Deletes files
• Can return at any time
Advanced threats usually maintain remote access to target environments for 6-18 months before being detected (i.e. they are persistent) (Holcomb & Stapf, 2014)
Accidental threat sources
NIST SP 800-30r1 "Guide for Conducting Risk Assessments", page 66
The non-malicious insider threat
1. A current or former employee, contractor, or business partner
2. Has or had authorized access to an organization's network, system, or data
3. Through action or inaction without malicious intent…
4. Causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems
Major characteristic is 'failure in human performance'
Carnegie Mellon University Software Engineering Institute (SEI) CERT definition (2013)
How accidental human (non-malicious insider) threats can happen…
• Most people feel security is not part of their job
• People underestimate the value of information
• Security technologies give people a false sense of protection from attack
• We have a culture of trust that can be taken advantage of with dubious
intent
Characterizing insiders' mistakes
• Ignorant: an unintentional accident
• Negligent: willingly ignores policy to make things easier
• Well meaning: prioritizes completing work ("getting 'er done") over following policy
Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc.,
FISSA (Federal Information Systems Security Awareness) Working Group
http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
Examples of insiders’ accidents
• Accidental Disclosure
• Posting sensitive data on public website
• Sending sensitive data to wrong email address
• Malicious Code
• Clicking on suspicious link in email
• Using ‘found’ USB drive
• Physical data release
• Losing paper records
• Portable equipment
• Losing laptop, tablet
• Losing portable storage device (USB drive, CD)
Willis-Ford, C.D. (2015)
Example of an accident made by a well meaning employee…
"Terrific employee":
• Account Manager handling Medicaid data for Utah
• Employee had trouble uploading a file requested by the State Health Dept.
• Copied 6,000 medical records to a USB drive
• Lost the USB drive
• CEO admits the employee probably didn't even know she was breaking policy, which makes it accidental, i.e. "well meaning…"
Human non-malicious threat examples
• Computer operator errors
• Data entry (input) errors
• Inadequate access controls
• Inadequate training
• Inadequate human resource policies
• Inadequate program testing/controls incorporated into computer programs
• Inadequate risk analysis undertaken
• Inadequate supervision
• Lack of ethics
• Mislaid disk files
• Physical damage to disk
• Poor management philosophy/attitude
• Unlocked trash containers
• Update of wrong file
• Weak internal controls
Sources of harm by intent and origin
Malicious attacks
• Outsiders: hackers, crackers, social engineers, ...
• Insiders (intentional rule breaking): disgruntled employees, IP theft, IT sabotage, fraud, espionage, ...
Non-malicious mistakes
• Insiders (employee mistakes): ignorance, ...
The threat landscape… What is the role of humans in a breach of information security…?
Structural threat sources
NIST SP 800-30r1 "Guide for Conducting Risk Assessments", page 66
Structural Threat Examples
• Air conditioning failure
• Building collapse
• Destruction of data, disks, documents, reports
• Destruction of water mains, sewer lines
• Failure of hardware
• Failure of fire alarms, smoke detectors
• Failure of computer programs
• Freak accidents
• Gas line explosions
• Power outages (brownouts, blackouts, transients, spikes, sags and power
surges)
• Product failure
• Software failure (operating system, database software)
Environmental threat sources
NIST SP 800-30r1 "Guide for Conducting Risk Assessments", page 66
What is a Vulnerability?
Any unaddressed susceptibility to a physical, technical or administrative information security threat
Vulnerabilities can be classified by asset class
• Physical examples
• Buildings in environmental hazard zones (e.g. low floor in flood zone)
• Unlocked and unprotected doors to data center
• Unreliable power sources
• Technical examples
• Hardware – susceptibility to humidity, dust, soiling, unprotected storage
• Software – insufficient testing, lack of audit trail, poor or missing user
authentication and access control
• Data – unencrypted transfer or storage, lack of backup
• Network – Unprotected communication lines, insecure architecture
• Organizational examples
• Inadequate screening and recruiting process, lack of security awareness and
training
• Lack of regular audits
• Lack of security and IT related business continuity plans
http://www.infosightinc.com/collaterals/CVA-PT_March2016.pdf
What is a Risk?
A measure of the potential loss resulting from unauthorized:
• Access, use, disclosure
• Modification
• Disruption or destruction
…of an enterprise's information, whether the exposure is physical, technical or administrative (organizational, governance)
Can be expressed in quantitative and qualitative terms
Information security risks
• Loss of Life
• Economic impact and financial loss
• Replacement costs (software, hardware, other)
• Backup restoration and recovery costs
• Reprocessing, reconstruction costs
• Bankruptcy
• Business interruption
• Crime (non-computer, computer)
• Losses due to fraud, theft, larceny, bribery
• Impact of
– lost competitive edge
– lost data
– lost time
– lost productivity
– lost business
• Frustration
• Ill will
• Injury
• Impacts of inaccurate data
Examples of types of information security risk
1. Safety
2. Compliance and regulatory
3. Financial
4. Legal
5. Reputational
6. Political
7. Strategic (competitive)
8. Program/acquisition (cost, schedule, performance)
9. Project
10. Operational (mission/business)
11. Supply chain
Steps in a risk assessment methodology
1. What are your business assets ?
2. What possible threats put your business assets at risk ?
3. Which vulnerabilities and weaknesses may allow a threat to exploit
your assets ?
4. For each threat, if it materialized, what would be the business
impact on your assets ?
Assessing risk – quantitative method
Assessing risk – qualitative method
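The four questions of the risk assessment methodology, together with the quantitative and qualitative methods named in the two slide titles above, as an added example that is not from the original slides. The qualitative method reads a risk level off a likelihood x impact matrix; the three-level matrix here is an assumption for this example (NIST SP 800-30r1 works with five levels and its own tables). The quantitative method is the classic single loss expectancy / annualized loss expectancy calculation, which the slides name but do not spell out. The register entries and all values are constructed.

```python
from dataclasses import dataclass

# Ordinal scale shared by likelihood and impact (the three FIPS 199-style levels
# used elsewhere on this page).
LEVELS = ("Low", "Moderate", "High")

# Assumed qualitative risk matrix, likelihood (row) by impact (column). A common
# 3x3 simplification adopted for this example, not a table copied from NIST.
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


@dataclass(frozen=True)
class RiskScenario:
    asset: str              # 1. the business asset
    threat: str             # 2. the threat that puts it at risk
    vulnerability: str      # 3. the weakness that lets the threat act on the asset
    likelihood: str         # qualitative likelihood that the threat materializes
    impact: str             # 4. qualitative business impact if it does
    asset_value: float      # quantitative inputs: value of the asset (currency units)
    exposure_factor: float  # fraction of asset value lost per occurrence, 0..1
    annual_rate: float      # annualized rate of occurrence (ARO)

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"likelihood and impact must be one of {LEVELS}")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")


def qualitative_risk(s: RiskScenario) -> str:
    """Qualitative method: risk level read off the likelihood x impact matrix."""
    return RISK_MATRIX[s.likelihood][s.impact]


def single_loss_expectancy(s: RiskScenario) -> float:
    """Quantitative method: SLE = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: RiskScenario) -> float:
    """ALE = SLE x ARO, the expected yearly loss from this scenario."""
    return single_loss_expectancy(s) * s.annual_rate


def ranked(register: list) -> list:
    """Order scenarios for treatment: qualitative level first, ALE as the tiebreaker."""
    return sorted(register,
                  key=lambda s: (LEVELS.index(qualitative_risk(s)), annualized_loss_expectancy(s)),
                  reverse=True)


def control_is_justified(s: RiskScenario, annual_control_cost: float, residual_rate: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its annual cost;
    residual_rate is the ARO expected once the control is in place."""
    residual_ale = single_loss_expectancy(s) * residual_rate
    return annualized_loss_expectancy(s) - residual_ale > annual_control_cost


# Constructed register; the figures are illustrative, not from any real assessment.
REGISTER = [
    RiskScenario("customer database", "external attacker", "unpatched web application",
                 "High", "High", asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.5),
    RiskScenario("warehouse building", "flood", "ground floor in a flood zone",
                 "Low", "High", asset_value=5_000_000, exposure_factor=0.5, annual_rate=0.05),
    RiskScenario("staff laptop", "loss or theft", "unencrypted disk",
                 "Moderate", "Moderate", asset_value=3_000, exposure_factor=1.0, annual_rate=2),
]

if __name__ == "__main__":
    for s in ranked(REGISTER):
        print(f"{qualitative_risk(s):8} ALE={annualized_loss_expectancy(s):>12,.0f}  "
              f"{s.asset}: {s.threat} via {s.vulnerability}")
```

The two methods can disagree: the flood scenario is only Moderate on the matrix because it is unlikely, yet its ALE is twenty times the laptop's. Ranking on the qualitative level first and the ALE second keeps the ordering explainable to the business while still using the numbers where the levels tie.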
FIPS 199: Risk assessment based on security objectives and impact ratings
Risk categorization is based on CIA security objectives and an ordinal impact measure:
Low: Limited adverse effect
Moderate: Serious adverse effect
High: Severe or catastrophic adverse effect
FIPS Pub 199 Standards for Security Categorization
Example with multiple information types (table in the original slide): each information type is rated Low, Moderate or High for each security objective, and the system rating for each objective is the highest rating found among its information types (the "high-water mark"). The slide's three column results are MODERATE, LOW and MODERATE.
Qualitative to quantitative transformation of ordinal risk measures into "interval scale" risk measures
NIST SP 800-100 "Information Security Handbook: A Guide for Managers", page 99
Requires the risk analyst to contribute additional information to move ordinal onto interval scale…
A single risk model cannot meet the diverse needs of the organizations in the private and
public sectors. The expectation is for each organization to define a risk model appropriate
to its view of risk with formulas reflecting:
• Which risk factors must be considered
• Which risk factors can be combined
• Which factors must be further decomposed
• How assessed values should be combined algorithmically
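The FIPS 199 categorization and the ordinal-to-interval transformation described above, worked through in code for a system with several information types (this is also the procedure the Week 5 assignment later on this page asks for). Added example, not code from the slides or from NIST: the information types and their impact levels are constructed, and the interval values 1/5/10 are an assumption standing in for whatever the organization's own risk model justifies.

```python
from dataclasses import dataclass

IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 ordinal scale
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Assumed interval values for the ordinal levels. FIPS 199 defines no numbers; the
# analyst supplies them, and a different choice changes any arithmetic done on them.
INTERVAL_VALUE = {"LOW": 1, "MODERATE": 5, "HIGH": 10}


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            if getattr(self, objective) not in IMPACT_LEVELS:
                raise ValueError(f"{self.name}: {objective} must be one of {IMPACT_LEVELS}")


def high_water_mark(levels) -> str:
    """FIPS 199 aggregation rule: the result is the highest level among the inputs."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=IMPACT_LEVELS.index)


def type_overall_rating(info_type: InformationType) -> str:
    """Single overall impact rating for one information type (assignment question 2)."""
    return high_water_mark(getattr(info_type, o) for o in OBJECTIVES)


def system_category(info_types) -> dict:
    """Per-objective system rating: high-water mark across all information types (question 3)."""
    return {o: high_water_mark(getattr(t, o) for t in info_types) for o in OBJECTIVES}


def system_overall_rating(info_types) -> str:
    """Overall system rating: high-water mark across the three objectives (question 4)."""
    return high_water_mark(system_category(info_types).values())


def fips199_notation(system_name: str, info_types) -> str:
    """The categorization written the way FIPS 199 expresses it."""
    sc = system_category(info_types)
    return (f"SC {system_name} = {{(confidentiality, {sc['confidentiality']}), "
            f"(integrity, {sc['integrity']}), (availability, {sc['availability']})}}")


def interval_scores(info_types) -> dict:
    """Ordinal-to-interval transformation of the system rating, using the assumed values."""
    return {o: INTERVAL_VALUE[lvl] for o, lvl in system_category(info_types).items()}


# Constructed example: information types in a financial management system. The levels
# are made up for illustration; SP 800-60 Volume 2 gives provisional levels per type.
FINANCIAL_SYSTEM = [
    InformationType("Accounting", "LOW", "MODERATE", "LOW"),
    InformationType("Payments", "MODERATE", "HIGH", "MODERATE"),
    InformationType("Budget formulation", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    for t in FINANCIAL_SYSTEM:
        print(f"{t.name}: overall {type_overall_rating(t)}")
    print(fips199_notation("financial management system", FINANCIAL_SYSTEM))
    print("overall system rating:", system_overall_rating(FINANCIAL_SYSTEM))
    print("interval scores:", interval_scores(FINANCIAL_SYSTEM))
```

Note that the high-water mark never averages: one HIGH integrity rating on the payments type makes the whole system HIGH for integrity, and therefore HIGH overall, however many LOW types sit beside it. Summing or weighting only becomes possible after the interval transformation, which is why the slides insist the analyst must add that information explicitly.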
NIST SP 800-60 volumes 1 and 2
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
Two broad types of information and information systems:
1. Mission-based information and information systems
2. Management and support information and information systems
A. Services delivery support functions and information types
B. Government resource management functions and information types
Mission-based Information and Information Systems
1. Defense and National Security
2. Homeland Security
3. Intelligence Operations
4. Disaster Management
5. International Affairs and Commerce
6. Natural Resources
7. Energy
8. Environmental Management
9. Economic Development
10. Community and Social Services
11. Transportation
12. Education
13. Workforce Management
14. Health
15. Income Security
16. Law Enforcement
17. Litigation and Judicial Activities
18. Federal Correctional Activities
19. General Sciences and Innovation
20. Knowledge Creation and Management
21. Regulatory Compliance and Enforcement
22. Public Goods Creation and Management
23. Federal Financial Assistance
24. Credit and Insurance
25. Transfers to State/Local Governments
26. Direct Services for Citizens
Management and Support Information and Information Systems
Services Delivery Support Functions and Information Types
1. Controls and Oversight
2. Regulatory Development
3. Planning and Budgeting
4. Internal Risk Management and Mitigation
5. Revenue Collection
6. Public Affairs
7. Legislative Relations
8. General Government
Government Resource Management Functions and Information Types
1. Administrative Management
2. Financial Management
3. Human Resources Management
4. Supply Chain Management
5. Information and Technology Management
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
Assignment: Determine the security categorization of an information system
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf
1. Each group should pick an information system to focus on
2. Identify the information types in your selected information system (e.g. a financial management information system…)
3. Select the impact level for each information type in the system…
4. Assign the system security category for the information system…
Assignment deliverable for Week 5, to be started in class 4:
Select an information system to assess from either:
• a mission area (bold heading in Table 4 of NIST SP 800-60 Volume I Revision 1),
• a management support function (Table 5), or
• a government resource support function (Table 6),
which will include the associated information types listed under that heading.
Draw a conceptual diagram and annotate it with text descriptions that answer the following:
1. What are the impact ratings of each information type in the information system you chose?
2. What is the single overall impact rating for each information type?
3. What is the system security rating for each of the CIA dimensions of the system?
4. What is the overall system security rating for the system?
You can use Visio, PowerPoint or any drawing software tool.
Save your annotated diagram as a PDF file in your MIS5214 Google Drive folder, named with the following convention: "yourfirstname"-"lastname"_MIS5214-Week5.pdf
For example: dave-lanter_MIS5214-week5.pdf
a0966109726
 
Sustainable farming practices in India .pptx
Sustainable farming  practices in India .pptxSustainable farming  practices in India .pptx
Sustainable farming practices in India .pptx
chaitaliambole
 
AGRICULTURE Hydrophonic FERTILISER PPT.pptx
AGRICULTURE Hydrophonic FERTILISER PPT.pptxAGRICULTURE Hydrophonic FERTILISER PPT.pptx
AGRICULTURE Hydrophonic FERTILISER PPT.pptx
BanitaDsouza
 
Q&A with the Experts: The Food Service Playbook
Q&A with the Experts: The Food Service PlaybookQ&A with the Experts: The Food Service Playbook
Q&A with the Experts: The Food Service Playbook
World Resources Institute (WRI)
 
Summary of the Climate and Energy Policy of Australia
Summary of the Climate and Energy Policy of AustraliaSummary of the Climate and Energy Policy of Australia
Summary of the Climate and Energy Policy of Australia
yasmindemoraes1
 
growbilliontrees.com-Trees for Granddaughter (1).pdf
growbilliontrees.com-Trees for Granddaughter (1).pdfgrowbilliontrees.com-Trees for Granddaughter (1).pdf
growbilliontrees.com-Trees for Granddaughter (1).pdf
yadavakashagra
 
"Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for...
"Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for..."Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for...
"Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for...
MMariSelvam4
 
UNDERSTANDING WHAT GREEN WASHING IS!.pdf
UNDERSTANDING WHAT GREEN WASHING IS!.pdfUNDERSTANDING WHAT GREEN WASHING IS!.pdf
UNDERSTANDING WHAT GREEN WASHING IS!.pdf
JulietMogola
 
Characterization and the Kinetics of drying at the drying oven and with micro...
Characterization and the Kinetics of drying at the drying oven and with micro...Characterization and the Kinetics of drying at the drying oven and with micro...
Characterization and the Kinetics of drying at the drying oven and with micro...
Open Access Research Paper
 
Artificial Reefs by Kuddle Life Foundation - May 2024
Artificial Reefs by Kuddle Life Foundation - May 2024Artificial Reefs by Kuddle Life Foundation - May 2024
Artificial Reefs by Kuddle Life Foundation - May 2024
punit537210
 
Climate Change All over the World .pptx
Climate Change All over the World  .pptxClimate Change All over the World  .pptx
Climate Change All over the World .pptx
sairaanwer024
 
Navigating the complex landscape of AI governance
Navigating the complex landscape of AI governanceNavigating the complex landscape of AI governance
Navigating the complex landscape of AI governance
Piermenotti Mauro
 
How about Huawei mobile phone-www.cfye-commerce.shop
How about Huawei mobile phone-www.cfye-commerce.shopHow about Huawei mobile phone-www.cfye-commerce.shop
How about Huawei mobile phone-www.cfye-commerce.shop
laozhuseo02
 
Alert-driven Community-based Forest monitoring: A case of the Peruvian Amazon
Alert-driven Community-based Forest monitoring: A case of the Peruvian AmazonAlert-driven Community-based Forest monitoring: A case of the Peruvian Amazon
Alert-driven Community-based Forest monitoring: A case of the Peruvian Amazon
CIFOR-ICRAF
 
一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理
一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理
一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理
zm9ajxup
 
Celebrating World-environment-day-2024.pdf
Celebrating  World-environment-day-2024.pdfCelebrating  World-environment-day-2024.pdf
Celebrating World-environment-day-2024.pdf
rohankumarsinghrore1
 

Recently uploaded (20)

Epcon is One of the World's leading Manufacturing Companies.
Epcon is One of the World's leading Manufacturing Companies.Epcon is One of the World's leading Manufacturing Companies.
Epcon is One of the World's leading Manufacturing Companies.
 
Drip Irrigation technology with solar power
Drip Irrigation technology with solar powerDrip Irrigation technology with solar power
Drip Irrigation technology with solar power
 
Willie Nelson Net Worth: A Journey Through Music, Movies, and Business Ventures
Willie Nelson Net Worth: A Journey Through Music, Movies, and Business VenturesWillie Nelson Net Worth: A Journey Through Music, Movies, and Business Ventures
Willie Nelson Net Worth: A Journey Through Music, Movies, and Business Ventures
 
International+e-Commerce+Platform-www.cfye-commerce.shop
International+e-Commerce+Platform-www.cfye-commerce.shopInternational+e-Commerce+Platform-www.cfye-commerce.shop
International+e-Commerce+Platform-www.cfye-commerce.shop
 
Daan Park Hydrangea flower season I like it
Daan Park Hydrangea flower season I like itDaan Park Hydrangea flower season I like it
Daan Park Hydrangea flower season I like it
 
Sustainable farming practices in India .pptx
Sustainable farming  practices in India .pptxSustainable farming  practices in India .pptx
Sustainable farming practices in India .pptx
 
AGRICULTURE Hydrophonic FERTILISER PPT.pptx
AGRICULTURE Hydrophonic FERTILISER PPT.pptxAGRICULTURE Hydrophonic FERTILISER PPT.pptx
AGRICULTURE Hydrophonic FERTILISER PPT.pptx
 
Q&A with the Experts: The Food Service Playbook
Q&A with the Experts: The Food Service PlaybookQ&A with the Experts: The Food Service Playbook
Q&A with the Experts: The Food Service Playbook
 
Summary of the Climate and Energy Policy of Australia
Summary of the Climate and Energy Policy of AustraliaSummary of the Climate and Energy Policy of Australia
Summary of the Climate and Energy Policy of Australia
 
growbilliontrees.com-Trees for Granddaughter (1).pdf
growbilliontrees.com-Trees for Granddaughter (1).pdfgrowbilliontrees.com-Trees for Granddaughter (1).pdf
growbilliontrees.com-Trees for Granddaughter (1).pdf
 
"Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for...
"Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for..."Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for...
"Understanding the Carbon Cycle: Processes, Human Impacts, and Strategies for...
 
UNDERSTANDING WHAT GREEN WASHING IS!.pdf
UNDERSTANDING WHAT GREEN WASHING IS!.pdfUNDERSTANDING WHAT GREEN WASHING IS!.pdf
UNDERSTANDING WHAT GREEN WASHING IS!.pdf
 
Characterization and the Kinetics of drying at the drying oven and with micro...
Characterization and the Kinetics of drying at the drying oven and with micro...Characterization and the Kinetics of drying at the drying oven and with micro...
Characterization and the Kinetics of drying at the drying oven and with micro...
 
Artificial Reefs by Kuddle Life Foundation - May 2024
Artificial Reefs by Kuddle Life Foundation - May 2024Artificial Reefs by Kuddle Life Foundation - May 2024
Artificial Reefs by Kuddle Life Foundation - May 2024
 
Climate Change All over the World .pptx
Climate Change All over the World  .pptxClimate Change All over the World  .pptx
Climate Change All over the World .pptx
 
Navigating the complex landscape of AI governance
Navigating the complex landscape of AI governanceNavigating the complex landscape of AI governance
Navigating the complex landscape of AI governance
 
How about Huawei mobile phone-www.cfye-commerce.shop
How about Huawei mobile phone-www.cfye-commerce.shopHow about Huawei mobile phone-www.cfye-commerce.shop
How about Huawei mobile phone-www.cfye-commerce.shop
 
Alert-driven Community-based Forest monitoring: A case of the Peruvian Amazon
Alert-driven Community-based Forest monitoring: A case of the Peruvian AmazonAlert-driven Community-based Forest monitoring: A case of the Peruvian Amazon
Alert-driven Community-based Forest monitoring: A case of the Peruvian Amazon
 
一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理
一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理
一比一原版(UMTC毕业证书)明尼苏达大学双城分校毕业证如何办理
 
Celebrating World-environment-day-2024.pdf
Celebrating  World-environment-day-2024.pdfCelebrating  World-environment-day-2024.pdf
Celebrating World-environment-day-2024.pdf
 

CONTEXTUAL ARCHITECTURE.pptx

  • 2. Contextual security architecture: Understanding an Organization’s Risk Environment
    Information security means protecting the confidentiality, integrity and availability of information and information systems from:
    • Unauthorized access, use, disclosure (Confidentiality)
    • Modification (Integrity)
    • Disruption and destruction (Availability)
  • 3. Holistic Approach to Information Security Risk Management: ISACA RiskIT and the NIST Risk Management Framework
  • 4. Risk Evaluation
    Risk evaluation is the process of identifying risk scenarios and describing their potential business impact.
  • 5. Risk Evaluation - Key Components
    • Collect Data: identify relevant data to enable effective IT-related risk identification, analysis and reporting
    • Analyze Risk: develop useful information to support risk decisions that take into account the business impact of risk factors
    • Maintain Risk Profile: maintain an up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
  • 7. Business Impact Analysis (BIA) and Business Continuity Plan (BCP)
    • The BCP provides procedures for sustaining mission/business operations while recovering from a significant disruption caused by a natural or human-induced disaster.
    • The purpose of the business impact analysis (BIA) is to identify which business units/departments and processes are essential to the survival of the business. The BIA will identify how quickly essential business units and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations.
  • 8. Business Continuity Management
    • The Business Continuity Plan (BCP) is developed to help assure the organization’s ability to maintain, resume, and recover the business. It is not just about recovering information technology capabilities.
    • Planning focuses on the entire enterprise’s mission critical infrastructure: 1. People 2. Processes 3. Technology
    • Thorough business impact analysis (BIA) and risk assessment form the foundation of an effective Business Continuity Plan.
  • 9. Business Continuity Management (BCM)
    An important and big topic: how to maintain the continued operation of the business’ processes?
  • 10. Business Continuity Management (BCM)
    Prerequisite: good documented models of the business’ processes, broken down into a series of hierarchical layers of sub-processes, sub-sub-processes…
    1. Business processes
    2. Resources needed to run processes
    3. Threats, vulnerabilities and risks
    4. Business Impact Analysis (BIA)
    5. Develop recovery strategies
    6. Plan, design and implement recovery plans
    7. Testing – maintenance (update), awareness, training (practice) … repeat
    (Including the disaster recovery plan)
  • 11. Business Impact Analysis: Meta-processes of large enterprises
    There may be 5 or 10 high-level information processes (“meta-processes”) essential to the business, for example:
    1. Develop product offerings
    2. Bring product offerings to market
    3. Acquire customer orders
    4. Fulfill customer orders
    5. Manage and administer the business
    Each process can be decomposed into a further level of detailed sub-processes (for example, one process has 6 sub-processes…):
    • some run in parallel
    • some in sequence…
    Sherwood, J., Clark, A. and Lynas, D. (2005)
  • 12. Business Continuity Management Process Step 1: BIA – Business Impact Analysis
    • Identify and map business processes
    • Assess the business impact of loss of each business process
    • Classify and rank the business processes into 3 or 4 groups:
      1. Critical – loss of this process will destroy the business
      2. Severe – loss will cause persistent, severe damage to the business
      3. Significant (optional) – loss will cause significant damage
      4. Other – damage caused by loss of this process can be absorbed
    Sherwood, J., Clark, A. and Lynas, D. (2005), Enterprise Security Architecture, CRC Press
  • 13. Business Continuity Management Process Step 2
    • Select each Critical and Severe process
    • Analyze all sub-processes, down to single functional steps, to discover all the process and functional components needed to keep this high-level process in continuous operation
    Sherwood, J., Clark, A. and Lynas, D. (2005), Enterprise Security Architecture, CRC Press
  • 14. Work processes to support service requests and utility maintenance management work orders
    • City’s Public Works Department
    • 4 Divisions (230 employees): Operations, Transportation, Sewer, Water
  • 15. Service Request / Work Order Computerized Maintenance Management System (CMMS)
  • 21. Business Processes
    A collection of swim lane models documents the work processes of each DPW Division (shown: Sewer work processes)
  • 25. Business Continuity Management Process Step 3
    • For each sub-process or function identified in Step 2:
      – What resources are needed
      – How much of each resource is needed
    • People
    • Information and communications technology
    • Data
    • Equipment
    • Raw materials
    • Accommodations
    • Communications
    • …
    Sherwood, J., Clark, A. and Lynas, D. (2005), Enterprise Security Architecture, CRC Press
  • 27. Business Continuity Management Process Step 4
    • For each information resource identified in Step 3, what high-level threat scenarios put that resource at risk?
    • Focus on effects, not cause
    Sherwood, J., Clark, A. and Lynas, D. (2005), Enterprise Security Architecture, CRC Press
  • 28. Inventory of Work Processes and Staff needed from a Single Organizational Unit
  • 29. Understanding cross-organizational workflows… Identifying dependencies on critical paths for completing prioritized work processes
  • 30. Gaining an Understanding of Staff Needed to Support Mission Critical Work
    DPW work is often supported by staff of a number of DPW Divisions, other City offices, and outside agencies
  • 31. Business Process Analysis Results in an Integrated Overview of how DPW Work is Coordinated
  • 32. Risk Evaluation - Key Components
    • Collect Data: identify relevant data to enable effective IT-related risk identification, analysis and reporting
    • Analyze Risk: develop useful information to support risk decisions that take into account the business impact of risk factors
    • Maintain Risk Profile: maintain an up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
  • 39. Overview of a risk model
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 21 and page 32
  • 40. Risk assessment process
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 32 … NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 95
  • 41. Key concepts
    • Threat: potential for the occurrence of a harmful event such as an attack
    • Vulnerability: weakness that makes targets susceptible to an attack
    • Risk: potential of loss from an attack
    • Risk Mitigation: strategy for dealing with risk
  • 42. What is a threat? Anything (physical, technical or administrative) that has the potential to lead to:
    • Unauthorized access, use, disclosure
    • Modification
    • Disruption or destruction
    …of an enterprise’s information
  • 43. What is a threat… Threats to information and information systems include:
    1. Purposeful attacks (“Human malicious”)
    2. Human errors (“Human ignoramus”)
    3. Structural failures
    4. Environmental disruptions
  • 44. Taxonomy of threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
    Cybersecurity Awareness for GIS Professionals
  • 45. Adversarial/Purposeful threat sources (i.e. attackers)
    • Are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated
    • Successful attacks on private and public information systems can result in serious or grave damage to businesses, organizations, nations and their economic security…
    • The significance and growing danger of these threats make it imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks
  • 46. Adversarial (i.e. purposeful) threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 47. Human malicious threat examples
    • Accessing public material (80 percent unclassified and open to public)
    • Black-hat hackers (lightweights to heavyweights)
    • Bombing
    • Career criminals
    • Computer viruses (stealth, polymorphic, macro; over 6,500 different viruses identified)
    • Corporate espionage (spies)
    • Crackers/script kiddies (amateurs, novices; considerably less skilled than hackers)
    • Cybercrime/fraud
    • Data diddling
    • Denial-of-service attacks
    • Dumpster diving
    • Employees, management (greed, vices, financial pressure, extravagant lifestyle, real or imagined grievances, workplace pressure/stress)
    • High-energy radio frequency attacks (laser-like device aimed at buildings housing computers; high-frequency radio waves melt computer chips)
    • Impersonation/spoofing (e-mail spoofs, anonymous e-mailers, use of someone’s login and password)
    • Intelligence agencies
    • Looping Internet Protocol ISP address (always-on Internet connections vulnerable)
    • Password crackers (such as Cracker and LoPht Crack software)
    • Physical attacks
    • Remote access control software (examples include PCAnywhere, Timbuktu, NetBus, BackOrifice)
    • Sabotage
    • Social engineering (attacks against persons; using fake badges, blackmail, threat, harassment, bribery and impersonation)
    • Surveillance (shoulder surfing, high-powered photography)
    • Terrorists
    • Trojan horses
    • Unshredder software
    • Van Eck receptors
    • Vendors/suppliers/customers
    • Vulnerability scanning software (such as Nessus, CyberCop software)
    • War dialing
    • Web crawlers
  • 48. Malicious threats
    Howard’s process-based taxonomy, from Hansman, S. and Hunt, R., 2004, “A taxonomy of network and computer attacks”, Computers & Security, page 3, Elsevier Ltd. Cited from Howard, J.D., 1997, “An analysis of security incidents on the internet 1989-1995”, PhD thesis, Carnegie Mellon University.
  • 49. Anatomy of an Attack (McAfee, 2011) – Threat landscape
  • 50. Anatomy of an Attack (MANDIANT, 2015) – Threat landscape
    1. Attacker sends spear phishing e-mail
    2. Victim opens attachment
      • Custom malware is installed
    3. Custom malware communicates to control web site
      • Pulls down additional malware
    4. Attacker establishes multiple backdoors
    5. Attacker accesses system
      • Dumps account names and passwords from domain controller
    6. Attacker cracks passwords
      • Has legitimate user accounts to continue attack undetected
    7. Attacker reconnaissance
      • Identifies and gathers data
    8. Data collected on staging server
    9. Data exfiltrated
    10. Attacker covers tracks
      • Deletes files
      • Can return any time
    Advanced threats usually maintain remote access to target environments for 6-18 months before being detected (i.e. they are persistent) (Holcomb & Stapf, 2014)
  • 52. Taxonomy of threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 53. Accidental threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 54. The Non-Malicious insider threat
    1. A current or former employee, contractor, or business partner
    2. Has or had authorized access to an organization’s network, system, or data
    3. Through action or inaction without malicious intent…
    4. Causes harm or substantially increases the probability of future serious harm to… confidentiality, integrity, or availability of the organization’s information or information systems
    Major characteristic is ‘failure in human performance’
    Carnegie Mellon University Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) definition (2013)
  • 55. How accidental human (non-malicious insider) threats can happen…
    • Most people feel security is not part of their job
    • People underestimate the value of information
    • Security technologies give people a false sense of protection from attack
    • We have a culture of trust that can be taken advantage of with dubious intent
  • 56. Characterizing insiders’ mistakes
    • Ignorant – an unintentional accident
    • Negligent – willingly ignores policy to make things easier
    • Well meaning – prioritizes completing work; “getting ‘er done” takes over following policy
    Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group, http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
  • 57. Examples of insiders’ accidents
    • Accidental disclosure
      • Posting sensitive data on public website
      • Sending sensitive data to wrong email address
    • Malicious code
      • Clicking on suspicious link in email
      • Using ‘found’ USB drive
    • Physical data release
      • Losing paper records
    • Portable equipment
      • Losing laptop, tablet
      • Losing portable storage device (USB drive, CD)
    Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group, http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
  • 58. Example of an accident made by a well meaning employee… “Terrific employee”:
    • Account Manager handling Medicaid data for Utah
    • Employee had trouble uploading a file requested by State Health Dept.
    • Copied 6,000 medical records to USB drive
    • Lost the USB drive
    • CEO admits the employee probably didn’t even know she was breaking policy; this makes it accidental, i.e. “well meaning…”
  • 59. Human non-malicious threat examples
    • Computer operator errors
    • Data entry (input) errors
    • Inadequate access controls
    • Inadequate training
    • Inadequate human resource policies
    • Inadequate program testing/controls incorporated into computer programs
    • Inadequate risk analysis undertaken
    • Inadequate supervision
    • Lack of ethics
    • Mislaid disk files
    • Physical damage to disk
    • Poor management philosophy/attitude
    • Unlocked trash containers
    • Update of wrong file
    • Weak internal controls
  • 60. The threat landscape… Information Security Threats: What is the role of humans in a breach of information security…?
    • Humans
      • Malicious attacks
        • Outsiders: hackers, crackers, social engineers, …
        • Insiders: disgruntled employees, … (IP theft, IT sabotage, fraud, espionage)
      • Non-malicious mistakes
        • Employee mistakes: ignorance, …
        • Intentional rule breaking
  • 61. The threat landscape… What is the role of humans in a breach of information security…?
  • 62. Taxonomy of threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 63. Structural threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 64. Structural Threat Examples
    • Air conditioning failure
    • Building collapse
    • Destruction of data, disks, documents, reports
    • Destruction of water mains, sewer lines
    • Failure of hardware
    • Failure of fire alarms, smoke detectors
    • Failure of computer programs
    • Freak accidents
    • Gas line explosions
    • Power outages (brownouts, blackouts, transients, spikes, sags and power surges)
    • Product failure
    • Software failure (operating system, database software)
  • 65. Taxonomy of threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 66. Environmental threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 67. Taxonomy of threat sources
    NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 68. What is a Vulnerability? Any unaddressed susceptibility to a physical, technical or administrative information security threat
  • 69. Vulnerabilities can be classified by asset class
    • Physical examples
      • Buildings in environmental hazard zones (e.g. low floor in flood zone)
      • Unlocked and unprotected doors to data center
      • Unreliable power sources
    • Technical examples
      • Hardware – susceptibility to humidity, dust, soiling, unprotected storage
      • Software – insufficient testing, lack of audit trail, poor or missing user authentication and access control
      • Data – unencrypted transfer or storage, lack of backup
      • Network – unprotected communication lines, insecure architecture
    • Organizational examples
      • Inadequate screening and recruiting process, lack of security awareness and training
      • Lack of regular audits
      • Lack of security and IT related business continuity plans
    http://www.infosightinc.com/collaterals/CVA-PT_March2016.pdf
  • 70. What is a Risk? A measure of threat: the potential loss resulting from unauthorized
    • Access, use, disclosure
    • Modification
    • Disruption or destruction
    …of an enterprise’s information, whether by physical, technical or administrative (organizational, governance) means. Risk can be expressed in quantitative and qualitative terms.
  • 71. Information security risks
    • Loss of life
    • Economic impact and financial loss
    • Replacement costs (software, hardware, other)
    • Backup restoration and recovery costs
    • Reprocessing, reconstruction costs
    • Bankruptcy
    • Business interruption
    • Crime (non-computer, computer)
    • Losses due to fraud, theft, larceny, bribery
    • Impact of
      – lost competitive edge
      – lost data
      – lost time
      – lost productivity
      – lost business
    • Frustration
    • Ill will
    • Injury
    • Impacts of inaccurate data
  • 72. Examples of types of information security risk
    1. Safety
    2. Compliance and regulatory
    3. Financial
    4. Legal
    5. Reputational
    6. Political
    7. Strategic (competitive)
    8. Program/acquisition (cost, schedule, performance)
    9. Project
    10. Operational (mission/business)
    11. Supply chain
  • 73. Steps in a risk assessment methodology
    1. What are your business assets?
    2. What possible threats put your business assets at risk?
    3. Which vulnerabilities and weaknesses may allow a threat to exploit your assets?
    4. For each threat, if it materialized, what would be the business impact on your assets?
  • 74. Assessing risk – quantitative method
  • 75. Assessing risk – qualitative method
  • 76. FIPS 199: Risk assessment based on security objectives and impact ratings
  • 77. Risk categorization is based on CIA security objectives and an ordinal impact measure …
    • Low: limited adverse effect
    • Moderate: serious adverse effect
    • High: severe or catastrophic adverse effect
  • 81. FIPS Pub 199 Standards for Security Categorization – example with multiple information types
    • Low: limited adverse effect
    • Medium: serious adverse effect
    • High: severe or catastrophic adverse effect
    Ratings shown in the example: = MODERATE rating, = LOW rating, = MODERATE rating
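The high-water mark rule that slides 76–81 apply, worked in code as an added example (not part of the deck): from per-objective impact ratings of several information types it derives each type's single rating, the system's rating per CIA objective and the overall system rating, the four questions the Week 5 assignment asks. Information-type names come from the deck's NIST SP 800-60 lists; their ratings are constructed for illustration, not SP 800-60 provisional values.

```python
"""FIPS 199 security categorization by the high-water mark (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# FIPS 199 ordinal impact levels: Low < Moderate < High.
LEVELS: Dict[str, int] = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
# The deck writes "Medium" for Moderate on some slides; FIPS 199 allows
# "not applicable" only for the confidentiality of an information type.
ALIASES: Dict[str, Optional[str]] = {"MEDIUM": "MODERATE", "NA": None, "N/A": None}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def normalize(level: Optional[str]) -> Optional[str]:
    """Map a rating string to its canonical level name, or None for N/A."""
    if level is None:
        return None
    key = level.strip().upper()
    if key in ALIASES:
        return ALIASES[key]
    if key not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return key


def high_water_mark(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest level present; None when every input is N/A."""
    present = [lv for lv in (normalize(raw) for raw in levels) if lv is not None]
    if not present:
        return None
    return max(present, key=LEVELS.__getitem__)


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: Optional[str]  # may be "N/A", e.g. for public information
    integrity: str
    availability: str

    def ratings(self) -> Dict[str, Optional[str]]:
        return {
            "confidentiality": normalize(self.confidentiality),
            "integrity": normalize(self.integrity),
            "availability": normalize(self.availability),
        }


def info_type_rating(itype: InformationType) -> str:
    """Single overall impact rating of one information type (assignment question 2)."""
    return high_water_mark(itype.ratings().values())


def system_security_category(types: List[InformationType]) -> Dict[str, str]:
    """Per-objective rating of the whole system (assignment question 3): the
    high-water mark across all information types. FIPS 199 does not allow N/A
    at system level, so an objective that is N/A for every type gets LOW."""
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        mark = high_water_mark(t.ratings()[objective] for t in types)
        category[objective] = mark if mark is not None else "LOW"
    return category


def overall_system_rating(category: Dict[str, str]) -> str:
    """Overall system rating (assignment question 4): high-water mark of the three objectives."""
    return high_water_mark(category.values())


def format_security_category(system_name: str, category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation SC system = {(objective, impact), ...}."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample: a disaster-management system holding three information
# types named in the deck; the ratings are illustrative, not SP 800-60 values.
SAMPLE_TYPES = [
    InformationType("Disaster Management", "Low", "High", "High"),
    InformationType("Public Affairs", "N/A", "Low", "Low"),
    InformationType("Human Resources Management", "Medium", "Moderate", "Low"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:  # question 1: per-objective ratings; question 2: single rating
        print(f"{t.name}: {t.ratings()} -> {info_type_rating(t)}")
    sc = system_security_category(SAMPLE_TYPES)
    print(format_security_category("disaster management system", sc))
    print("overall system rating:", overall_system_rating(sc))
```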
  • 82. Qualitative to quantitative transformation of ordinal risk measures into “interval scale” risk measures
    NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99
    Requires the risk analyst to contribute additional information to move ordinal onto interval scale…
  • 83. A single risk model cannot meet the diverse needs of the organizations in the private and public sectors. The expectation is for each organization to define a risk model appropriate to its view of risk with formulas reflecting:
    • Which risk factors must be considered
    • Which risk factors can be combined
    • Which factors must be further decomposed
    • How assessed values should be combined algorithmically
  • 84. NIST SP 800-60 volumes 1 and 2
  • 86. 2 broad types of Information and Information Systems
    1. Mission-based Information and Information Systems
    2. Management and Support Information and Information Systems
      A. Services Delivery Support Functions and Information Types
      B. Government Resource Management Functions and Information Types
  • 87. Mission-based Information and Information Systems
    1. Defense and National Security
    2. Homeland Security
    3. Intelligence Operations
    4. Disaster Management
    5. International Affairs and Commerce
    6. Natural Resources
    7. Energy
    8. Environmental Management
    9. Economic Development
    10. Community and Social Services
    11. Transportation
    12. Education
    13. Workforce Management
    14. Health
    15. Income Security
    16. Law Enforcement
    17. Litigation and Judicial Activities
    18. Federal Correctional Activities
    19. General Sciences and Innovation
    20. Knowledge Creation and Management
    21. Regulatory Compliance and Enforcement
    22. Public Goods Creation and Management
    23. Federal Financial Assistance
    24. Credit and Insurance
    25. Transfers to State/Local Governments
    26. Direct Services for Citizens
  • 89. Services Delivery Support Functions and Information Types
    1. Controls and Oversight
    2. Regulatory Development
    3. Planning and Budgeting
    4. Internal Risk Management and Mitigation
    5. Revenue Collection
    6. Public Affairs
    7. Legislative Relations
    8. General Government
  • 90. Management and Support Information and Information Systems
  • 91. Government Resource Management Functions and Information Types
    1. Administrative Management
    2. Financial Management
    3. Human Resources Management
    4. Supply Chain Management
    5. Information and Technology Management
  • 92. Management and Support Information and Information Systems
  • 95. 2. Identify information types in your selected information system
  • 99. 4. Assign System Security Category for the information system…
  • 100. Assignment deliverable for Week 5, to be started in class 4
    Select an information system to assess from either:
    • Mission area (bold heading in Table 4 from NIST 800-60 Volume I Revision 1)
    • Management support function (Table 5) or
    • Government resource support function (Table 6)
    which will include the associated information types under that heading.
    Draw a conceptual diagram and annotate it with text descriptions that answer the following:
    1. What are the impact ratings of each information type in the information system you chose?
    2. What is the single overall impact rating for each information type?
    3. What is the system security rating for each of the CIA dimensions of the system?
    4. What is the overall system security rating for the system?
    You can use Visio, PowerPoint or any drawing software tool. Save your annotated diagram as a PDF file in your MIS5214 Google Drive folder, named with the following naming convention: “yourfirstname”-“lastname”_MIS5214-Week5.pdf. For example: dave-lanter_MIS5214-week5.pdf