@mang.roisz
Information Security Management (Bel G. Raggad, 2010)
Chapter 3: The Information Life Cycle
CRC Press, Taylor & Francis Group
Information Security Life Cycle
1. Security planning
2. Security analysis
3. Security design
4. Security implementation
5. Security review
6. Continual security
Risk (centre of the cycle diagram)
Security Planning
Asset definition
Security policy
Security objectives
Security scope
Asset definition
• The identification and definition of assets is the first step in any security analysis. It is needed to identify the information asset for which an approved budget is made available for its protection.
• Two approaches are used in the initial identification of the information assets that are candidates for a security project: the problem-based approach and the objective-based approach.
Security Policy
• Security policy of an information asset is its acceptable computing behavior
• Security policy should define the acceptable asset interaction with the rest of the components in
the computing environment
Security Policy
“Any violation of the acceptable computing behavior of an information asset can therefore only be achieved with strict enforcement of its security policy”
Security Objective
“It is important that these security objectives be closely linked to the business mission of the information asset and that they be well defined. Any incompleteness or ambiguity in their definition will translate into deficient security requirements that will lead to inadequate security for the target information asset”
Security Scope
• Not all security requirements can be met, but enough should be satisfied to reach the acceptable security risk level established by the asset security policy.
• The scope defines the depth of the security design and the breadth of the security requirements that must be addressed to achieve the security objectives set for the information asset.
• Security must respect budget constraints and any feasibility conditions established by the project feasibility study.
Security Analysis
Asset analysis
Impact analysis
Threat analysis
Exposure analysis
Vulnerability analysis
Analysis of effectiveness of existing security controls
Risk analysis
Security Requirements
• The objective of security analysis in a security life cycle is to define the security requirements needed to adequately protect the target information asset. The security requirements should reflect the results of risk assessment in terms of risks to the confidentiality, integrity, and availability of the system and its information.
• Security analysis is an investment for the organization. It includes assessing the threats and risks, managing the risks, and revising or establishing a security policy for the information asset. There is, however, no doubt that the outcomes of these activities should always be in accordance with the existing organizational security policy, which regulates how the organization manages, protects, and distributes resources to achieve the organization’s security objectives (defined earlier).
Any security analysis methodology adopted by an organization should include at least the following activities:
1. Asset analysis: The asset has to be studied in terms of its acquisition cost, operating cost, maintenance cost, its benefits, and its contribution in generating the business value of the enterprise.
2. Impact analysis: Estimating potential harm that might be inflicted on the asset as well as resulting impacts for the organization.
3. Threat analysis: Identifying and defining threats to the target information asset, and estimating their likelihood of occurrence.
4. Exposure analysis: Independently of its vulnerabilities, the asset may be exposed in such a way that if the threat materializes the worst of the possible impact levels may be realized.
5. Vulnerability analysis: Analyzing asset vulnerabilities and estimating asset exposure levels.
6. Analysis of current security controls: Estimating the effectiveness of the current security controls.
7. Risk analysis: Measuring the risks using exposure rating, asset vulnerabilities, and the effectiveness of current security controls.
8. Security requirements: Defining the security requirements to use in designing the security of the information asset.
Asset analysis
• We first need to identify all components constituting the information asset and assign a value to them.
• The criticality of the information asset consists of two components: sensitivity and availability.
• The criticality of an information asset should be defined in terms of the criticality values of all of its components.
• The criticality concept is closely related to business value. If an information asset has no business value, its criticality will be nil. Often, the higher the business value, the higher the criticality of the asset. Criticality can, however, alternatively be defined in terms of the potential losses that may take place if the security of the information asset is compromised.
Asset analysis
• That is, the value of the asset can also alternatively be represented in terms of potential losses. These losses may be presented in terms of the replacement value, the immediate impact of the loss, or any other consequences to the organization.
• An easy way to value the asset may be to represent the losses using linguistic terms or a qualitative ranking of low, medium, or high losses.
Impact Analysis
• The impact of the target information asset may be estimated by measuring the business value of the organization when all assets work as expected, and then measuring the new business value after the asset fails.
• The occurrence of a threat can, in fact, produce, through information leakage, information corruption, and denial of service, multiple impacts (presented earlier) such as unauthorized disclosure of information, unauthorized modification to data, disruption of functions/unavailability, and deceptive actions.
• Once the impacts are known for the target asset, the impact levels have to be estimated for each impact.
Kinds of impact
1. Unauthorized access: An unauthorized agent (human or process) gains access to the information asset in an unauthorized manner. Even though this situation does not always cause actual harm to the asset, it may lead to other effects such as the ones listed here.
2. Unauthorized disclosure of information: An agent (authorized or not; human or process) divulges information processed at the information asset in an unauthorized manner (intentionally or unintentionally).
3. Unauthorized modification to data: An agent (authorized or not; human or process) modifies data/information processed at the information asset in an unauthorized manner (intentionally or unintentionally).
4. Unavailability: This consists of disruption of asset services and functions. The threat temporarily or permanently disrupts services provided by the information asset so that it is not fully available as configured according to its security policy. The disruption of asset services and functions includes the denial of services provided by the information asset, including unavailability of data or services.
5. Deceptive actions: This occurs when the agent (human or process) that disrupts the security of the information asset cannot be detected, identified, or caught.
Threat analysis
• Threats are usually organized into two main categories: natural and man-made.
• The latter category, man-made threats, may be accidental or intentional.
• Knowing the distribution of threats originating at the same source is sometimes very useful because the countermeasures and responses are independent.
Threat table: root threat category, effect of the threat on the asset (secondary threat), and threat impact and consequences.

Natural threats
Root threat: Earthquake, fires, flooding, thunderstorms
  Secondary threat: Power outage, fires
  Impact and consequences: Loss or degradation of communications, destruction of equipment
Root threat: Biological incidents
  Secondary threat: Diseases, death of security experts
  Impact and consequences: Disruption of functions/denial of service

Accidental threats
Root threat: User error
  Secondary threat: File/data deletion, mishandling of equipment, invalid input
  Impact and consequences: Disruption of functions, unauthorized modification to data
Root threat: Administrator error
  Secondary threat: Misconfiguration of information asset
  Impact and consequences: Unauthorized access to the information asset, which may lead to unauthorized disclosure of information, modification of data, disruption of asset services, deceptive actions
Root threat: Hardware/software failure
  Secondary threat: Failure of servers, loss of Internet connections, failure of communication devices
  Impact and consequences: Disruption of functions/services, destruction of equipment, unauthorized modification of data

Intentional threats
Root threat: Hackers
  Secondary threat: Password cracking, eavesdropping, spoofing, trojan horse, virus, masquerading
  Impact and consequences: Unauthorized disclosure of information; and unauthorized access to the information asset, which may lead to unauthorized disclosure of information, modification of data, disruption of asset services, deceptive actions
Exposure analysis
• We should all know by now how to estimate impact levels and likelihood of occurrence.
• We will now see how to measure exposure levels to threats for the information asset. Exposure rating is a measure the organization may use to determine which threat scenario it is most exposed to. It is important to note that because the exposure rate is not related to asset vulnerabilities or current security controls, the exposure rate we describe here is not a risk level.
Vulnerability analysis
• The adequate identification of existing vulnerabilities and existing security controls is essential to correctly assess the level of risk associated with each scenario. Now that we know the exposure ratings, we can identify the vulnerabilities of the asset that the identified threats can exploit to harm the asset. We should also identify existing security controls to determine if the current level of protection is appropriate, considering the asset's level of exposure and its vulnerabilities.
• An information asset vulnerability describes a characteristic of, or weakness in, an asset or one of its components that tends to support the occurrence of a threat. All known vulnerabilities associated with the asset, technical or nontechnical, should be listed.
Analysis of effectiveness of existing security controls
• Evaluating the current security controls will help in determining whether or not adequate protection against specific threats is in place.
• Existing security controls should also be studied to determine if they are currently providing the prescribed protection.
• If a control is not providing adequate protection, it can be considered a vulnerability.
• Existing security controls should be identified for each (asset, threat, impact) scenario.
• A security control is retained in the security program if it consists of measures that will prevent or reduce the likelihood of threats that attempt to exploit asset vulnerabilities. Those security controls normally provide functionality in at least one of the following areas: confidentiality, integrity, availability, and physical security.
• Once appropriate asset vulnerabilities and security controls are identified, the effectiveness of the existing security controls needs to be assessed in order to get an estimate of the risk level associated with each (asset, threat, impact, exposure, vulnerabilities, existing security controls) scenario.
Risk analysis
• The definition of cost-effective security solutions that are capable of reducing the risk associated
with an information asset to an acceptable level specified in the asset security policy is not an
activity that can be performed without the adoption of an effective risk analysis methodology
• Such a methodology has to be simple to understand, communicate, and use, but it also has to be
complete, effective, and efficient in producing the feasible security controls that work
• The risk can be defined as a measure indicating the likelihood and consequences of threat events
or undesired events that could compromise the security of the information asset, considering its
vulnerabilities and given the effectiveness of existing security controls
• The outcome of this process should indicate to the organization the degree of risk associated
with the target information asset.
• This outcome is important because it is the basis for making security control selection, as
needed, and risk mitigation decisions
Risk Analysis
• The following is an example of the exposure level:
1. Very low exposure
2. Low exposure
3. Moderate exposure
4. High exposure
5. Very high exposure
• The following is an example of the vulnerability level:
1. Low vulnerability level
2. Moderate vulnerability level
3. High vulnerability level
• The effectiveness of the existing relevant security controls should be estimated. The effectiveness of a security control is a measure of the effect that a security control has on the probability of a threat exploiting asset vulnerabilities and on the resulting impacts should the threat materialize.
• We can express the effectiveness rates for a security control as follows:
1. Low: Minimal reduction of the probability that asset vulnerabilities would be exploited when the security control is implemented.
2. Moderate: Moderate reduction of the probability that asset vulnerabilities would be exploited when the security control is implemented.
3. High: High reduction of the probability that asset vulnerabilities would be exploited when the security control is implemented.
• The security analysis team now has at hand all the information needed to estimate risks.
Security Requirements
• So far, we have completed the following steps:
1. We defined the target information asset of the security project.
2. We identified existing threats and estimated their likelihood.
3. We estimated impacts and impact levels for the information asset.
4. We estimated asset exposures based on threat likelihood and impact levels.
5. We estimated asset vulnerabilities.
6. We estimated levels of effectiveness for the existing security controls.
7. We estimated risk levels based on threat likelihood, threat vulnerabilities, and asset exposure levels.
Security Requirements
• We can now define the security requirements for our information asset, but first we need to answer the following three questions:
1. How much confidentiality do we need to provide to protect our information asset?
2. How much data integrity do we need to provide to protect our information asset?
3. How much availability do we need to provide to protect the information asset?
Security Design
Risk Mitigation
Design of SecurityTraining Programs
Design of Security Planning Programs
Design of the Risk-Driven Security Programs
• The security design activity aims at devising security to meet the security objectives defined for the
target information asset
• The security design activity will therefore consist of five security design tasks:
1. Security design for confidentiality
2. Security design for integrity
3. Security design for availability
4. Security design for authentication
5. Security design for non-repudiation
• We now have at hand the following information:
1. Information about the information asset
2. Information about current threats
3. Information about impacts and impact levels
4. Information about asset security exposure levels
5. Information about asset vulnerabilities
6. Information about the effectiveness of existing security controls
7. Information about security risk levels
• refers to the security activity comprising security design and discussion of the security design objectives listed earlier. There are, however, three possible solutions:
1. design our own security controls for each of the five security objectives set for the target information asset;
2. hire security experts who can recommend the appropriate security controls that correspond to the security objectives on hand; and
3. select security controls from prescribed security control catalogs.
Risk Mitigation
• The risk mitigation process aims at reducing the security of the asset to its acceptable risk level as specified in its security policy.
• Before determining the candidate security controls to be selected for risk mitigation, we have to compute the current risk position of the information asset.
• The basic risk of the asset is the current risk of the asset before any new security controls for risk mitigation have been implemented.
• In addition to the effectiveness of the security controls and their cost, the process of selecting security controls takes into account many other factors, such as the corporate security policy, the asset security policy, legislation and regulation, safety and reliability requirements, technical requirements, etc.
• Once the security program is devised for the purpose of mitigating the asset risk below the acceptable risk level of the asset, it is still not final unless it gets approved by management, including the appropriate authorizing officials.
• Usually, however, the security control selection process is iterative and, often, final decisions are not immediately obtained.
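To make the risk analysis and risk mitigation steps above concrete, the following Python script, added here and not taken from the book or the slides, rates one (asset, threat, impact, exposure, vulnerability, existing controls) scenario on the page's ordinal scales, computes its basic risk, selects candidate controls until the acceptable level is met, and re-rates it when a control's effectiveness later degrades (the continual-security check). The numeric combination rule, the control names, costs and the scenario values are all constructed assumptions; the book's own risk matrix is not reproduced.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum
from fractions import Fraction
from math import ceil


class Exposure(IntEnum):        # five exposure levels listed on the page
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


class Vulnerability(IntEnum):   # three vulnerability levels listed on the page
    LOW = 1
    MODERATE = 2
    HIGH = 3


class Effectiveness(IntEnum):   # three control effectiveness rates listed on the page
    LOW = 1
    MODERATE = 2
    HIGH = 3


# ASSUMED rule (not the book's): share of the remaining exploit probability one control removes.
REDUCTION = {Effectiveness.LOW: Fraction(1, 4),
             Effectiveness.MODERATE: Fraction(1, 2),
             Effectiveness.HIGH: Fraction(3, 4)}
RISK_LEVELS = ("very low", "low", "moderate", "high", "very high")


@dataclass
class Control:
    name: str
    effectiveness: Effectiveness
    cost: int = 0               # constructed relative cost, used only to order candidates


@dataclass
class Scenario:
    """One (asset, threat, impact, exposure, vulnerability, existing controls) tuple."""
    asset: str
    threat: str
    impact: str
    exposure: Exposure
    vulnerability: Vulnerability
    controls: list[Control] = field(default_factory=list)


def raw_risk(s: Scenario) -> Fraction:
    """ASSUMED rule: exposure (1-5) times vulnerability (1-3), i.e. 1..15 before any control."""
    return Fraction(int(s.exposure) * int(s.vulnerability))


def residual_risk(s: Scenario) -> Fraction:
    """ASSUMED rule: each control independently removes its REDUCTION share of what remains."""
    score = raw_risk(s)
    for c in s.controls:
        score *= 1 - REDUCTION[c.effectiveness]
    return score


def risk_level(score: Fraction) -> str:
    """Map the 0..15 score onto the five labels in bands of three."""
    return RISK_LEVELS[min(4, max(0, ceil(score / 3) - 1))]


def basic_risk(s: Scenario) -> tuple[Fraction, str]:
    """Basic risk: the current risk with only the existing controls in place."""
    score = residual_risk(s)
    return score, risk_level(score)


def apply_controls(s: Scenario, added: list[Control]) -> Scenario:
    return Scenario(s.asset, s.threat, s.impact, s.exposure, s.vulnerability, s.controls + added)


def mitigate(s: Scenario, candidates: list[Control], acceptable: str) -> tuple[list[Control], bool]:
    """Greedy heuristic (assumed): add the cheapest candidate until the level is acceptable."""
    target = RISK_LEVELS.index(acceptable)
    chosen: list[Control] = []
    for c in sorted(candidates, key=lambda c: c.cost):
        if RISK_LEVELS.index(risk_level(residual_risk(apply_controls(s, chosen)))) <= target:
            break
        chosen.append(c)
    met = RISK_LEVELS.index(risk_level(residual_risk(apply_controls(s, chosen)))) <= target
    return chosen, met


def review_drift(s: Scenario, acceptable: str, observed: dict[str, Effectiveness]) -> list[str]:
    """Continual security: re-rate with the observed effectiveness of each control; flag violations."""
    current = [Control(c.name, observed.get(c.name, c.effectiveness), c.cost) for c in s.controls]
    level = risk_level(residual_risk(apply_controls(Scenario(s.asset, s.threat, s.impact,
                                                             s.exposure, s.vulnerability), current)))
    if RISK_LEVELS.index(level) > RISK_LEVELS.index(acceptable):
        return [f"{s.asset} / {s.threat}: risk is {level}, above accepted {acceptable}; plan corrective action"]
    return []


# Constructed scenario and candidate controls (threat and impact names come from the page's table).
DB = Scenario("customer database", "administrator error", "unauthorized disclosure of information",
              Exposure.HIGH, Vulnerability.MODERATE, [Control("change review", Effectiveness.LOW)])
CANDIDATES = [Control("configuration baseline checks", Effectiveness.HIGH, 50),
              Control("privileged access review", Effectiveness.MODERATE, 20),
              Control("administrator training", Effectiveness.LOW, 10)]

if __name__ == "__main__":
    print("basic risk:", basic_risk(DB))
    chosen, met = mitigate(DB, CANDIDATES, "very low")
    print("selected:", [c.name for c in chosen], "target met:", met)
    print(review_drift(apply_controls(DB, chosen), "very low",
                       {"privileged access review": Effectiveness.LOW}))
```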
Design of Security Training Programs
• The security maintenance team is in charge of the continual security of the information asset that is the target of our security life cycle.
• Most members of this team have at least professional-level skills in the following areas:
1. Access control systems and methodology
2. Telecommunications and network security
3. Security management practices
4. Security architecture and models
5. Cryptography
6. Physical security
7. Operations security
8. Applications and systems development
9. Business continuity planning
10. Law, investigation, and ethics
“In addition to the specialized security training program reserved for the security maintenance team, there is a need to design a security awareness program for users and other individuals who interact in some way with the information asset. Even the janitor who cleans the computer rooms at night has to be trained in physical security matters related to the operations of the information asset.”
Design of Security Planning Programs
• Security planning consists of mainly two aspects:
1. the design of a security plan that defines security requirements of information for the next 3 years,
and
2. the design of a business continuity plan that defines the actions to be taken to continue business
operations when a disaster takes place
Design of the Risk-Driven Security Programs
Security Implementation
• The implementation step must ensure both usability and sustainability of the security program
• The security implementation staff should develop their own testing procedures, which should
simulate real-world intrusion attempts to break or circumvent certain security aspects
embedded in the target security design
• Even though security design is the territory of capable security specialists, because users of the
final system where those security mechanisms are embedded are not security professionals,
there are many social factors that will contribute, as much as security, to the performance of the
designed security features
• In fact, both usability and sustainability are two goals to be incorporated in any security design.
While the security implementation team will make any possible effort to hide any added
complexity due to embedded security controls, it is imperative that all configurations applied on
the target information asset yield to adequate security implementation as specified in the asset
security policy
Security Review
• The review phase consists of two main steps:
1. Security review for authorization
2. Security auditing
• The purpose of this phase is to ensure that the authorizing official and the asset owner agree on
the proposed security program, including the asset’s documented security requirements, before
the certification agent begins the assessment of the security controls in the information asset
Continual Security
• Continual security consists of continuous monitoring activities intended to ensure that security risks stay at accepted levels and that, if the effectiveness of current security controls diminishes and causes the accepted risk levels to be violated, corrective actions are planned to bring the risk levels back to their accepted levels.
• The following steps are usually planned to achieve continual security:
1. Configuration management and control
2. Monitoring of security controls
3. Monitoring of the computing environment for any changes
4. Reporting of changes and documentation
• The continual security phase may include the following activities:
1. Periodic assessments of risk, including the magnitude of harm that could result from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information and
information systems that support the operations and assets of the agency
2. Periodic review of policies and procedures that are based on risk assessments, cost-effectively reduce
information security risks to an acceptable level, and ensure that information security is addressed
throughout the security life cycle of the information asset
3. Security awareness training to inform personnel of the information security risks associated with
their activities and their responsibilities in complying with organization’s policies and procedures
designed to reduce these risks
4. Periodic testing and evaluation of the effectiveness of information security policies, procedures,
practices, and security controls to be periodically performed
5. A process for planning, implementing, evaluating, and documenting remedial actions to address any
deficiencies in the information security policies, procedures, and practices of the agency
6. Procedures for detecting, reporting, and responding to security incidents
Summary
• This chapter presented the security life cycle of an information asset. The security life cycle consists of six phases: planning the security life cycle, security analysis, security design, security implementation, security review, and continual security. The chapter also discussed all the phases of the security life cycle. In particular, we explained how to estimate impacts and impact levels for a target information asset. We also explained how an asset’s security exposures are estimated.
• The chapter also discussed how to assess security risks and how to mitigate security risks in the context of a holistic risk-driven security program for the target information asset.
2. Defence Systems
 
gkkSecurity essentials domain 1
gkkSecurity essentials   domain 1gkkSecurity essentials   domain 1
gkkSecurity essentials domain 1
 
)k
)k)k
)k
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
 
Information security background
Information security backgroundInformation security background
Information security background
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 
PACE-IT, Security+3.7: Overview of Security Assessment Tools
PACE-IT, Security+3.7: Overview of Security Assessment ToolsPACE-IT, Security+3.7: Overview of Security Assessment Tools
PACE-IT, Security+3.7: Overview of Security Assessment Tools
 
Management Information Systems
Management Information SystemsManagement Information Systems
Management Information Systems
 
IT Security & Risk
IT Security & Risk IT Security & Risk
IT Security & Risk
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
 

Recently uploaded

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
Federico Razzoli
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 

Recently uploaded (20)

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 

Information security management (bel g. ragad)

  • 1. @mang.roisz Information Security Management (Bel G. Ragad.) 2010, Chapter 3: The Information Life Cycle. CRC Press, Taylor & Francis Group
  • 2. @mang.roisz Information Security Life Cycle (risk sits at the centre of the cycle):
    1. Security planning
    2. Security analysis
    3. Security design
    4. Security implementation
    5. Security review
    6. Continual security
  • 3. @mang.roisz Security Planning: asset definition, security policy, security objectives, security scope
  • 4. @mang.roisz Asset definition • The identification and definition of assets is the first step in any security analysis. It is needed to identify the information asset for which an approved budget is made available for its protection. • Two approaches are used in the initial identification of the information assets that are candidates for a security project: the problem-based approach and the objective-based approach.
  • 5. @mang.roisz Security Policy • Security policy of an information asset is its acceptable computing behavior • Security policy should define the acceptable asset interaction with the rest of the components in the computing environment
  • 6. @mang.roisz Security Policy “Any violation of the acceptable computing behavior of an information asset can therefore only be achieved with strict enforcement of its security policy”
  • 7. @mang.roisz Security Objective “it is important that these security objectives be closely linked to the business mission of the information asset and that they be well defined. Any incompleteness or ambiguity in their definition will translate into deficient security requirement that will lead to inadequate security for the target information asset”
  • 8. @mang.roisz Security Scope • Not all security requirements can be met, but enough should be satisfied to reach the acceptable security risk level established by the asset security policy • The scope defines the depth of the security design and the breadth of the security requirements that must be addressed to achieve the security objectives set for the information asset • Security must respect budget constraints and any feasibility conditions established by the project feasibility study
  • 10. @mang.roisz Security Analysis: asset analysis, impact analysis, threat analysis, exposure analysis, vulnerability analysis, analysis of effectiveness of existing security controls, risk analysis, security requirements
  • 11. @mang.roisz • The objective of security analysis in a security life cycle is to define the security requirements needed to adequately protect the target information asset. The security requirements should reflect the results of risk assessment in terms of risks to the confidentiality, integrity, and availability of the system and its information • Security analysis is an investment for the organization. It includes assessing the threats and risks, managing the risks, and revising or establishing a security policy for the information asset. There is, however, no doubt that the outcomes of these activities should always be in accordance with the existing organizational security policy, which regulates how the organization manages, protects, and distributes resources to achieve the organization’s security objectives (defined earlier)
  • 13. @mang.roisz Any security analysis methodology adopted by an organization should include at least the following activities:
  • 14. @mang.roisz
    1. Asset analysis: The asset has to be studied in terms of its acquisition cost, operating cost, maintenance cost, its benefits, and its contribution in generating the business value of the enterprise.
    2. Impact analysis: Estimating potential harm that might be inflicted on the asset as well as resulting impacts for the organization.
    3. Threat analysis: Identifying and defining threats to the target information asset, and estimating their likelihood of occurrence.
    4. Exposure analysis: Independently of its vulnerabilities, the asset may be exposed in such a way that if the threat materializes the worst of the possible impact levels may be realized.
    5. Vulnerability analysis: Analyzing asset vulnerabilities and estimating asset exposure levels.
    6. Analysis of current security controls: Estimating the effectiveness of the current security controls.
    7. Risk analysis: Measuring the risks using exposure rating, asset vulnerabilities, and the effectiveness of current security controls.
    8. Security requirements: Defining the security requirements to use in designing the security of the information asset.
  • 15. @mang.roisz Asset analysis • We first need to identify all components constituting the information asset and assign value to them • The criticality of the information asset consists of two components: sensitivity and availability • The criticality of an information asset should be defined in terms of the criticality values of all of its components • The criticality concept is closely related to business value. If an information asset has no business value, its criticality will be nil. Often, the higher the business value, the higher the criticality of the asset. Criticality can, however, be alternatively defined in terms of potential losses that may take place if the security of the information asset is compromised.
  • 16. @mang.roisz Asset analysis • That is, the value of the asset can also alternatively be represented in terms of potential losses. These losses may be presented in terms of the replacement value, the immediate impact of the loss, or any other consequences to the organization. • An easy way to value the asset may be to represent the losses using linguistic terms or a qualitative ranking of low, medium, or high losses
  • 17. @mang.roisz Impact Analysis • The impact of the target information asset may be estimated by measuring the business value of the organization when all assets work as expected, and then measuring the new business value after the asset fails • The occurrence of a threat can, in fact, produce, through information leakage, information corruption, and denial of service, multiple impacts (presented earlier) such as unauthorized disclosure of information, unauthorized modification to data, disruption of functions/unavailability, and deceptive actions • Once the impacts are known for the target asset, the impact levels have to be estimated for each impact
  • 18. @mang.roisz Some kinds of impact
    1. Unauthorized access: An unauthorized agent (human or process) gains access to the information asset in an unauthorized manner. Even though this situation does not always cause actual harm to the asset, it may lead to other effects such as the ones listed here.
    2. Unauthorized disclosure of information: An agent (authorized or not; human or process) divulges information processed at the information asset in an unauthorized manner (intentionally or unintentionally).
    3. Unauthorized modification to data: An agent (authorized or not; human or process) modifies data/information processed at the information asset in an unauthorized manner (intentionally or unintentionally).
    4. Unavailability: This consists of disruption of asset services and functions. The threat temporarily or permanently disrupts services provided by the information asset so that it is not fully available as configured according to its security policy. The disruption of asset services and functions includes the denial of services provided by the information asset, including unavailability of data or services.
    5. Deceptive actions: This occurs when the agent (human or process) that disrupts the security of the information asset cannot be detected, identified, or caught.
  • 21. @mang.roisz Threat analysis • Threats are usually organized into two main categories: natural and man-made • The latter category of man-made threats may be accidental or intentional • Knowing the distribution of threats originating at the same source is sometimes very useful because the countermeasures and responses are independent
  • 23. @mang.roisz Threat table:
    Root threat | Category | Effect of threat to asset (secondary threat) | Threat impact and consequences
    Natural threats | Earthquake, fires, flooding, thunderstorms | Power outage, fires | Loss or degradation of communications, destruction of equipment
    Natural threats | Biological incidents | Diseases, death of security experts | Disruption of functions / denial of service
    Accidental threats | User error | File/data deletion, mishandling of equipment, invalid input | Disruption of functions, unauthorized modification to data
    Accidental threats | Administrator error | Misconfiguration of information asset | Unauthorized access to the information asset, which may lead to unauthorized disclosure of information, modification of data, disruption of asset services, deceptive actions
    Accidental threats | Hardware/software failure | Failure of servers, loss of Internet connections, failure of communication devices | Disruption of functions/services, destruction of equipment, unauthorized modification of data
    Intentional threats | Hackers | Password cracking, eavesdropping, spoofing, trojan horse, virus, masquerading | Unauthorized disclosure of information; unauthorized access to the information asset, which may lead to unauthorized disclosure of information, modification of data, disruption of asset services, deceptive actions
  • 24. @mang.roisz Exposure analysis • We should all know how to estimate impact levels and likelihoods of occurrence • We will now see how to measure exposure levels to threats for the information asset. The exposure rating is a measure the organization may use to determine which threat scenario it is most exposed to. It is important to note that because the exposure rating is not related to asset vulnerabilities or current security controls, the exposure rating we describe here is not a risk level
  • 25. @mang.roisz Vulnerability analysis • The adequate identification of existing vulnerabilities and existing security controls is essential to correctly assess the level of risk associated with each scenario. Now that we know the exposure ratings, we can identify the vulnerabilities of the asset that the identified threats can exploit to harm the asset. We should also identify existing security controls to determine if the current level of protection is appropriate, considering the asset's level of exposure and its vulnerabilities. • An information asset vulnerability describes a characteristic of, or weakness in, an asset or one of its components that tends to support the occurrence of a threat. All known vulnerabilities associated with the asset, technical or nontechnical, should be listed
  • 26. @mang.roisz Analysis of effectiveness of existing security controls • Evaluating the current security controls will help in determining whether or not adequate protection against specific threats is in place • Existing security controls should also be studied to determine if they are currently providing the prescribed protection • If a control is not providing adequate protection, it can be considered a vulnerability • Existing security controls should be identified for each (asset, threat, impact) scenario. • A security control is retained in the security program if it consists of measures that will prevent or reduce the likelihood of threats that attempt to exploit asset vulnerabilities. Those security controls normally provide functionality in at least one of the following areas: confidentiality, integrity, availability, and physical security • Once appropriate asset vulnerabilities and security controls are identified, the effectiveness of the existing security controls needs to be assessed in order to get an estimate of the risk level associated with each (asset, threat, impact, exposure, vulnerabilities, existing security controls) scenario
  • 27. @mang.roisz Risk analysis • The definition of cost-effective security solutions that are capable of reducing the risk associated with an information asset to an acceptable level specified in the asset security policy is not an activity that can be performed without the adoption of an effective risk analysis methodology • Such a methodology has to be simple to understand, communicate, and use, but it also has to be complete, effective, and efficient in producing the feasible security controls that work • The risk can be defined as a measure indicating the likelihood and consequences of threat events or undesired events that could compromise the security of the information asset, considering its vulnerabilities and given the effectiveness of existing security controls • The outcome of this process should indicate to the organization the degree of risk associated with the target information asset. • This outcome is important because it is the basis for making security control selection, as needed, and risk mitigation decisions
  • 28. @mang.roisz Risk Analysis • The following is an example of the exposure level scale:
    1. Very low exposure
    2. Low exposure
    3. Moderate exposure
    4. High exposure
    5. Very high exposure
    • The following is an example of the vulnerability level scale:
    1. Low vulnerability level
    2. Moderate vulnerability level
    3. High vulnerability level
  • 29. @mang.roisz • The effectiveness of the existing relevant security controls should be estimated. The effectiveness of a security control is a measure of the effect that a security control has on the probability of a threat exploiting asset vulnerabilities and on the resulting impacts should the threat materialize • We can express the effectiveness rates for a security control as follows:
    1. Low: Minimal reduction of the probability that asset vulnerabilities would be exploited when the security control is implemented.
    2. Moderate: Moderate reduction of the probability that asset vulnerabilities would be exploited when the security control is implemented.
    3. High: High reduction of the probability that asset vulnerabilities would be exploited when the security control is implemented.
    • The security analysis team now has at hand all the information needed to estimate risks
  • 31. @mang.roisz Security Requirements • So far, we have completed the following steps:
    1. We defined the target information asset of the security project.
    2. We identified existing threats and estimated their likelihood.
    3. We estimated impacts and impact levels for the information asset.
    4. We estimated asset exposures based on threat likelihood and impact levels.
    5. We estimated asset vulnerabilities.
    6. We estimated levels of effectiveness for the existing security controls.
    7. We estimated risk levels based on threat likelihood, threat vulnerabilities, and asset exposure levels.
  • 32. @mang.roisz Security Requirements • We can now define the security requirements for our information asset, but we need to answer the following three questions:
    1. How much confidentiality do we need to provide to protect our information asset?
    2. How much data integrity do we need to provide to protect our information asset?
    3. How much availability do we need to provide to protect the information asset?
  • 33. @mang.roisz Security Design: risk mitigation, design of security training programs, design of security planning programs, design of the risk-driven security programs
  • 34. @mang.roisz • The security design activity aims at devising security to meet the security objectives defined for the target information asset • The security design activity will therefore consist of five security design tasks:
    1. Security design for confidentiality
    2. Security design for integrity
    3. Security design for availability
    4. Security design for authentication
    5. Security design for non-repudiation
    • We now have at hand the following information:
    1. Information about the information asset
    2. Information about current threats
    3. Information about impacts and impact levels
    4. Information about asset security exposure levels
    5. Information about asset vulnerabilities
    6. Information about the effectiveness of existing security controls
    7. Information about security risk levels
  • 35. @mang.roisz • refers to the security activity comprising security design and discussion of the security design objectives listed earlier. There are, however, three possible solutions:
    1. design our own security controls for each of the five security objectives set for the target information asset;
    2. hire security experts who can recommend the appropriate security controls that correspond to the security objectives on hand; and
    3. select security controls from prescribed security control catalogs
  • 36. @mang.roisz Risk Mitigation • The risk mitigation process aims at reducing the risk of the asset to its acceptable risk level as specified in its security policy • Before determining the candidate security controls to be selected for risk mitigation, we have to compute the current risk position of the information asset. • The basic risk of the asset is the current risk of the asset before any new security controls for risk mitigation have been implemented • In addition to the effectiveness of the security controls and their cost, the process of selecting security controls takes into account many other factors, such as the corporate security policy, the asset security policy, legislation and regulation, safety and reliability requirements, technical requirements, etc. • Once the security program is devised for the purpose of mitigating the asset risk below the acceptable risk level of the asset, it is still not final unless it gets approved by management, including the appropriate authorizing officials • Usually, however, the security control selection process is iterative and, often, final decisions are not immediately obtained
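As an added example (not code from the book or from the slides), the following Python scores the (asset, threat, impact, exposure, vulnerability, existing controls) scenarios of slides 27 to 29 on the ordinal scales given there, and then applies the risk mitigation step of slide 36: it computes the basic risk of the asset before any new control, compares each scenario against the acceptable risk level taken from the asset security policy, and checks whether a candidate control brings a scenario back under that level. The combination rule (exposure rank times vulnerability rank, discounted by a control-effectiveness factor and bucketed into five levels), the discount factors, the bucket thresholds, the "none" effectiveness value and the sample scenarios are all assumptions made for this example; the book's own rule may differ.

```python
"""Qualitative risk scoring and mitigation check over
(asset, threat, impact, exposure, vulnerability, existing controls) scenarios.

Added example, not code from the book or the slides. The combination rule,
the effectiveness factors, the level thresholds and the sample scenarios are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace

# Ordinal scales as listed on the slides (rank order only).
EXPOSURE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
VULNERABILITY = {"low": 1, "moderate": 2, "high": 3}
# Effectiveness of existing controls (low/moderate/high on the slides).
# ASSUMPTION: modelled as a multiplicative discount on the chance that the
# vulnerability is exploited; "none" means no relevant control is in place.
EFFECTIVENESS = {"none": 1.0, "low": 0.9, "moderate": 0.6, "high": 0.3}
RISK_LEVELS = ["very low", "low", "moderate", "high", "very high"]
# ASSUMPTION: exclusive upper bounds of the discounted score for each level.
LEVEL_BOUNDS = [2.0, 4.0, 7.0, 11.0]


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    impact: str
    exposure: str               # key of EXPOSURE
    vulnerability: str          # key of VULNERABILITY
    control_effectiveness: str  # key of EFFECTIVENESS


def risk_score(s: Scenario) -> float:
    """Exposure rank x vulnerability rank (1..15), discounted by existing controls."""
    raw = EXPOSURE[s.exposure] * VULNERABILITY[s.vulnerability]
    return raw * EFFECTIVENESS[s.control_effectiveness]


def risk_level(s: Scenario) -> str:
    """Bucket the discounted score into the same five-level scale the slides use for exposure."""
    score = risk_score(s)
    for level, bound in zip(RISK_LEVELS, LEVEL_BOUNDS):
        if score < bound:
            return level
    return RISK_LEVELS[-1]


def basic_risk(scenarios) -> str:
    """Basic risk: the asset's current risk before any new control is added.
    ASSUMPTION: taken as the worst scenario level rather than an average."""
    return max((risk_level(s) for s in scenarios), key=RISK_LEVELS.index)


def scenarios_needing_mitigation(scenarios, acceptable: str):
    """Scenarios whose level exceeds the acceptable risk level of the asset security policy."""
    limit = RISK_LEVELS.index(acceptable)
    return [s for s in scenarios if RISK_LEVELS.index(risk_level(s)) > limit]


def with_control(s: Scenario, effectiveness: str) -> Scenario:
    """Candidate control for risk mitigation: re-score the scenario with the
    candidate control's effectiveness in place of the existing one."""
    return replace(s, control_effectiveness=effectiveness)


# Constructed sample scenarios for one asset (not taken from the book).
SCENARIOS = [
    Scenario("customer database", "administrator error", "unauthorized access",
             "high", "moderate", "low"),
    Scenario("customer database", "hacker: password cracking", "unauthorized disclosure",
             "very high", "high", "moderate"),
    Scenario("customer database", "flooding", "unavailability",
             "low", "moderate", "high"),
    Scenario("customer database", "user error", "unauthorized modification",
             "moderate", "low", "none"),
]

if __name__ == "__main__":
    acceptable = "moderate"  # acceptable risk level from the asset policy (constructed)
    for s in SCENARIOS:
        print(f"{s.threat:28s} {s.impact:26s} score={risk_score(s):4.1f} level={risk_level(s)}")
    print("basic risk:", basic_risk(SCENARIOS))
    for s in scenarios_needing_mitigation(SCENARIOS, acceptable):
        mitigated = with_control(s, "high")
        print(f"mitigate '{s.threat}': high-effectiveness control -> {risk_level(mitigated)}")
```

With the constructed scenarios the basic risk comes out as "high", the administrator-error and password-cracking scenarios exceed a "moderate" acceptable level, and a candidate control of high effectiveness brings the password-cracking scenario down to "moderate". The point of keeping exposure, vulnerability and control effectiveness as separate inputs is the one slide 24 makes: an exposure rating on its own is not a risk level, and only the full scenario tuple yields one.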
  • 39. @mang.roisz Design of Security Training Programs • The security maintenance team is in charge of the continual security of the information asset that is the target of our security life cycle. • Most members of this team have at least professional-level skills in the following areas:
    1. Access control systems and methodology
    2. Telecommunications and network security
    3. Security management practices
    4. Security architecture and models
    5. Cryptography
    6. Physical security
    7. Operations security
    8. Applications and systems development
    9. Business continuity planning
    10. Law, investigation, and ethics
    “In addition to the specialized security training program reserved for the security maintenance team, there is a need to design a security awareness program for users and other individuals who interact in some way with the information asset. Even the janitor who cleans the computer rooms at night has to be trained in physical security matters related to the operations of the information asset.”
  • 40. @mang.roisz Design of Security Planning Programs • Security planning consists of mainly two aspects:
    1. the design of a security plan that defines the security requirements of information for the next 3 years, and
    2. the design of a business continuity plan that defines the actions to be taken to continue business operations when a disaster takes place
Design of the Risk-Driven Security Programs
Security Implementation
• The implementation step must ensure both the usability and the sustainability of the security program.
• The security implementation staff should develop their own testing procedures, which should simulate real-world intrusion attempts to break or circumvent specific security aspects embedded in the target security design.
• Even though security design is the territory of capable security specialists, the users of the final system in which those security mechanisms are embedded are not security professionals, so many social factors will contribute, as much as the security mechanisms themselves, to how well the designed security features perform.
• Usability and sustainability are therefore both goals to be incorporated in any security design. While the security implementation team will make every possible effort to hide any added complexity due to the embedded security controls, it is imperative that all configurations applied to the target information asset yield the adequate security implementation specified in the asset security policy.
Security Review
• The review phase consists of two main steps:
1. Security review for authorization
2. Security auditing
• The purpose of this phase is to ensure that the authorizing official and the asset owner agree on the proposed security program, including the asset's documented security requirements, before the certification agent begins the assessment of the security controls in the information asset.
Continual Security
• Continual security consists of continuous monitoring activities intended to ensure that security risks stay at accepted levels and that, if the effectiveness of the current security controls diminishes and the accepted risk levels are violated, corrective actions are planned to bring the risk levels back to their accepted levels.
• The following steps are usually planned to achieve continual security:
1. Configuration management and control
2. Monitoring of security controls
3. Monitoring of the computing environment for any changes
4. Reporting of changes and documentation
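The four steps above amount to a recurring comparison of the asset's current state against its approved baseline, plus a report when something drifted or a control no longer meets its required setting. The script below, added here as an example and not the book's own material, does exactly that on constructed data: it fingerprints an approved configuration baseline, compares it with a current snapshot, checks each security control against an expected value, and flags whether corrective action is needed. The file contents, the control names and the required values are all made up for the illustration; a real collector would read them from the monitored system.

```python
"""Continual-security monitoring: configuration drift against an approved
baseline plus per-control checks.  Added example, not from the book; all
inputs below are constructed for illustration."""
import hashlib


def fingerprint(files):
    """Map path -> SHA-256 of content (content is supplied inline here; a real
    collector would read the files from the monitored asset)."""
    return {path: hashlib.sha256(content.encode()).hexdigest()
            for path, content in files.items()}


def config_drift(baseline, current):
    """Steps 1 and 3: compare two path->hash maps and report what changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _satisfied(op, required, value):
    if value is None:          # control not observed at all counts as failed
        return False
    return {"eq": value == required,
            "ge": value >= required,
            "le": value <= required}[op]


def control_findings(expected, observed):
    """Step 2: each control has a required value; a control that no longer
    meets it (or is missing) is a finding that needs corrective action."""
    findings = []
    for name, (op, required) in expected.items():
        value = observed.get(name)
        if not _satisfied(op, required, value):
            findings.append({"control": name,
                             "required": f"{op} {required}",
                             "observed": value})
    return findings


def monitor(baseline_files, current_files, expected_controls, observed_controls):
    """Step 4: one report combining drift and control findings."""
    drift = config_drift(fingerprint(baseline_files), fingerprint(current_files))
    findings = control_findings(expected_controls, observed_controls)
    needs_action = bool(drift["added"] or drift["removed"] or drift["changed"]
                        or findings)
    return {"drift": drift, "findings": findings,
            "corrective_action_required": needs_action}


# Constructed baseline approved at authorization time.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
}
# Constructed current snapshot: sshd_config was edited, a cron file appeared.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication yes\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
    "/etc/cron.d/nightly-report": "0 2 * * * root /usr/local/bin/report\n",
}
# Constructed control expectations (operator, required value).
EXPECTED_CONTROLS = {
    "password_min_length": ("ge", 12),
    "ssh_permit_root_login": ("eq", "no"),
    "tls_min_version": ("ge", 1.2),
    "session_timeout_min": ("le", 15),
}
# Constructed observed values: password policy weakened, timeout not reported.
OBSERVED_CONTROLS = {
    "password_min_length": 8,
    "ssh_permit_root_login": "no",
    "tls_min_version": 1.2,
}


def run():
    return monitor(BASELINE_FILES, CURRENT_FILES, EXPECTED_CONTROLS, OBSERVED_CONTROLS)


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Run on the constructed data the report lists the edited sshd_config and the new cron file as drift, and the weakened password length and the unreported session timeout as control findings, so corrective action is required; an unchanged snapshot with all controls satisfied yields an empty report and no action.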
• The continual security phase may include the following activities (the wording follows the U.S. FISMA requirements for an agency-wide information security program, hence the references to "the agency"):
1. Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency
2. Periodic review of policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the security life cycle of the information asset
3. Security awareness training to inform personnel of the information security risks associated with their activities and of their responsibilities in complying with the organization's policies and procedures designed to reduce these risks
4. Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls
5. A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency
6. Procedures for detecting, reporting, and responding to security incidents
Summary
• This chapter presented the security life cycle of an information asset. The security life cycle consists of six phases: planning the security life cycle, security analysis, security design, security implementation, security review, and continual security. In particular, we explained how to estimate impacts and impact levels for a target information asset, and how an asset's security exposures are estimated.
• The chapter also discussed how to assess security risks and how to mitigate them in the context of a holistic risk-driven security program for the target information asset.