IT Risk Management for XXX
By
Etsegenet F. Gebreabe
University of Dallas
This paper is submitted in partial fulfillment of the requirements for
CYBS 7351, Strategic Cyber Security Management
Summer 2016
Presented to XXX
XXX July 5, 2016
Revision History
Revision Number: V1.0
Summary of Revision: Initial document
Revision Author: Etsegenet Gebreabe
Date: 07-05-2016
Accepted by:
Table of Contents
IT Risk Management Completion
IT Risk Management Acceptance
System Categorization and Risk Management
IT Risk Mitigation Strategy
General IT Risk Management Information
Acronym
Reference
IT Risk Management Completion
This document describes the initial IT Risk Management for XXX.
Submitted by (printed name): Etsegenet Gebreabe
Title:
Signature: Etsegenet F.
Date: June 05, 2016
Contracting Company:
Contract Number:
IT Risk Management Acceptance
Approval
Printed name:    Title:    Signature:    Date:
Approval
Printed name:    Title:    Signature:    Date:
Approval
Printed name:    Title:    Signature:    Date:
System Categorization and Risk Management
The following asset identification and categorization is based on the level of impact to the organization should a
breach of security (confidentiality, integrity or availability) occur, as defined in FIPS 199 and FIPS 200. The risk
analysis is qualitative. The potential impact values are low, moderate and high. Each asset is categorized according
to the potential impact value assigned to each of the three security objectives (confidentiality, integrity,
availability); the overall category is the highest of the three values, i.e., the high water mark (NIST, 2004). Five
assets are identified. Four of them are categorized High and one Moderate, which indicates that these assets are
very sensitive for the profitability of the organization.
System Name/ID: Application Development Systems
Description/purpose:
The application development systems perform software and website development. They hold information about
both the front-end and the back-end applications.
System Type: Major Application
System operation status: Operational
System Owner: Michael Cave, Department Manager for system development
Mark Clark, Chief Information Officer
Vulnerability: The system lacks a change control process that ensures alterations to the application are
implemented only through approved procedures. Consequently there is no mechanism to track who changed the code,
when, or why. This is a security hole an attacker can exploit, because an unauthorized modification is
indistinguishable from a legitimate one. It also makes troubleshooting difficult: issues may remain undiscovered
until a major failure occurs. An uncontrolled alteration can therefore disrupt normal operation of the application
and adversely impact the business, with outcomes ranging from poor customer service to disruption of service and
large financial loss.
Minimum Security controls: Develop, disseminate, and periodically review and update a documented policy and
procedure that defines the application change management process.
Impact Rating (the tables below use the FIPS 199 wording of the adverse effect to assign the level):
High (H): a critical concern (FIPS 199: a breach could be expected to have a severe or catastrophic adverse effect)
Moderate (M): an important concern, but not necessarily paramount in the organization's priorities (FIPS 199:
serious adverse effect)
Low (L): some minimal level of security is required, but not to the same degree as the previous two categories
(FIPS 199: limited adverse effect)
Confidentiality
  Need: Protect the data contained within the application development system from disclosure at all times; allow
  only authorized individuals access to data on an "as-needed" basis.
  Impact level: Low (limited adverse effect)
  Reason: Loss of confidentiality of this information could be expected to have a limited adverse effect on
  operations and assets. An attacker who obtained application development data would still need to be
  knowledgeable about the in-house system operation in order to exploit the system.
Integrity
  Need: Protect data contained within the application development system from unauthorized changes. The system
  must allow only authorized individuals the ability to alter records, and must track each change to system records
  to the specific individual who made and/or authorized it.
  Impact level: Moderate (serious adverse effect)
  Reason: The unauthorized modification or destruction of information could be expected to have a serious adverse
  effect on operations and assets.
Availability
  Need: The application development system is expected to be available during work hours.
  Impact level: Low (limited adverse effect)
  Reason: The disruption of access to or use of the application development information systems could be expected
  to have a limited adverse effect on operations, assets, or employees.
Overall System Categorization: MODERATE
Based on the high water mark of the protection requirements for confidentiality, integrity and availability, the
overall system sensitivity is MODERATE. The loss, misuse or unauthorized access to application development data
could have a serious adverse effect on operations and assets.
System Name/ID: Desktop Support System
Description/purpose
The Desktop Support System is an IT asset that includes Active Directory, the mail server and the DNS server. The
information residing in it is sensitive network information that an attacker can use to exploit the network.
System Type: General Support System
System Operation Status: operational
System Owner: Brendan Liddick, Department Manager for System Administration and desktop support
Mark Clark, Chief Information Officer
Vulnerability:
Weak access control: too many people have access to devices and data that they have no need to access. Disclosure
of desktop support information such as DNS records or directory data could lead to theft of the company's sensitive
information, which is expected to have a serious adverse effect on normal operations.
Minimum Security controls
Develop, disseminate, and periodically review and update a documented policy and procedure for implementing
robust IT access control, so that access to devices and data is granted only on a need-to-know basis.
Confidentiality
  Need: Protect the data contained within the desktop support system from disclosure at all times; allow only
  authorized individuals access to data on an "as-needed" basis.
  Impact level: Moderate (serious adverse effect)
  Reason: Loss of confidentiality of the desktop support system could be expected to have a serious adverse effect
  on operations, assets, or employees, as the information can be used to attack the company's other assets and so
  impact the profitability of the company. Security requirements for assuring information confidentiality are
  therefore an important concern.
Integrity
  Need: Protect data contained within the desktop support system from unauthorized changes. The system must allow
  only authorized individuals the ability to alter system parameters.
  Impact level: High (severe adverse effect)
  Reason: The unauthorized modification or destruction of information could be expected to have a severe adverse
  effect on operations, assets, or employees, and therefore on the profitability of the company. Security
  requirements for assuring information integrity are therefore an important concern.
Availability
  Need: The desktop support system is expected to be available during work hours.
  Impact level: High (severe adverse effect)
  Reason: The disruption of access to or use of the desktop support system could be expected to have a severe
  adverse effect on operations, assets, or employees, and therefore on the profitability of the company. Security
  requirements for assuring information availability are therefore an important concern.
Overall System Categorization: HIGH
Based on the high water mark of the protection requirements for confidentiality, integrity and availability, the
overall system sensitivity is HIGH. The loss, misuse or unauthorized access to desktop support data could have a
severe adverse effect on operations and assets.
System Name/ID: Network and Infrastructure
Description/purpose
Network and Infrastructure comprises the private and public networks, including servers, routers and firewalls. It
is designed to manage communication between systems and to manage bandwidth.
System Type: Major Application
System operation status: operational
System owner: Sean Laur, Department Manager for Network infrastructure and telecommunication
Mark Clark, Chief Information Officer
Herbig Chris, Server Manager
Vulnerability: XXX has a flat network, which is a major security weakness. A flat network has no internal
segmentation: every host shares one network, so there is no layer 3 routing boundary or firewall between hosts on
which an access policy could be enforced. Once an attacker compromises any single host, every other host, including
the most sensitive servers, is directly reachable.
Minimum Security controls: Revise the network topology to segment the network and provide multi-layer protection
(routing boundaries and firewalls between segments) for the more sensitive assets.
Confidentiality
  Need: Protect the data contained within the network and infrastructure from disclosure at all times; allow only
  authorized individuals access to data on an "as-needed" basis.
  Impact level: Moderate (serious adverse effect)
  Reason: Loss of confidentiality of network and infrastructure information could be expected to have a serious
  adverse effect on operations and assets. Security requirements for assuring information confidentiality are
  therefore an important concern.
Integrity
  Need: Protect data contained within the network and infrastructure from unauthorized changes. The system must
  allow only authorized individuals the ability to alter records, and must track each change to system records to
  the specific individual who made and/or authorized it.
  Impact level: Moderate (serious adverse effect)
  Reason: The unauthorized modification or destruction of network and infrastructure information could be expected
  to have a serious adverse effect on operations and assets. Assurance of information integrity is required to the
  extent that destruction of the information would require a major investment of time and effort to restore an
  operational state once it was determined that the integrity of the information was compromised.
Availability
  Need: The network and infrastructure system is expected to be available during work hours.
  Impact level: High (severe adverse effect)
  Reason: The disruption of access to or use of the network and infrastructure could be expected to have a severe
  adverse effect on operations, assets, or employees.
Overall System Categorization: HIGH
Based on the high water mark of the impact on confidentiality, integrity and availability, the overall system
sensitivity is HIGH. The loss, misuse or unauthorized access to network and infrastructure data could have a severe
adverse effect on operations and assets.
System Name/ID: Database System
Description/purpose
The database system is the centralized database system for XXX. It consists of storage servers and database
software, and the information it contains includes sensitive product design information and customers' health and
credit card information, all of which are very sensitive.
System Type: Major Application
System operation status: operational
System Owner: Ahmed Asrar, Department Manager for Data Administration
Mark Clark, Chief Information Officer
Vulnerability: The information stored in the XXX database is highly sensitive: product design information and
customers' health and payment information. XXX has weak protection on the database system. If the database system
is compromised, XXX faces serious legal consequences for violating compliance standards such as HIPAA and PCI DSS.
Minimum Security controls: Implement strong database encryption for all databases containing the company's design
information and customer payment and health information. Encryption protects the stored data against theft of the
storage media or backups; it must be combined with the access control and change tracking called for below, since an
attacker using valid database credentials reads the data in decrypted form.
Confidentiality
  Need: Protect the data contained within the database system from disclosure at all times; allow only authorized
  individuals access to data on an "as-needed" basis.
  Impact level: High (severe adverse effect)
  Reason: Loss of confidentiality of the company's product design information and of customer information such as
  health-related and payment card information could lead to severe legal consequences and to the loss of sensitive
  company information. Security requirements for assuring information confidentiality are therefore a very important
  concern.
Integrity
  Need: Protect data contained within the database system from unauthorized changes. The system must allow only
  authorized individuals the ability to alter records, and must track each change to system records to the specific
  individual who made and/or authorized it.
  Impact level: High (severe adverse effect)
  Reason: The unauthorized modification or destruction of sensitive customer information could be expected to have
  a severe adverse effect on operations and assets. Information integrity is required to the extent that
  destruction of the information would require a major investment of time and effort to restore an operational
  state once it was determined that the integrity of the information was compromised.
Availability
  Need: The database system is expected to be available during work hours.
  Impact level: High (severe adverse effect)
  Reason: The disruption of access to or use of the information or information systems could be expected to have a
  severe adverse effect on operations, assets, or employees.
Overall System Categorization: HIGH
Based on the high water mark of the impact on confidentiality, integrity and availability, the overall system
sensitivity is HIGH. The loss, misuse or unauthorized access to the database system could have a severe adverse
effect on operations and assets.
System Name/ID: Human Resource
Description/purpose
Human resources are one of the major assets of XXX. This asset includes employees and third parties (customers and
vendors).
System Type: Major Application
System operation status: operational
System Owner: Krabacher Jon, VP for Human Resource
Angelin Andreen, Department Manager for Training
Paul Lee, Department Manager for Personal Security and Safety
Vulnerability: Inadequate cyber security awareness among employees and third parties is a major weakness that
jeopardizes the security of XXX.
Minimum Security controls: Plan, develop and implement a security training and awareness program for employees and
third parties (customers and vendors).
Confidentiality
  Need: Protect the data handled by the Human Resource asset from disclosure at all times; allow only authorized
  individuals access to data on an "as-needed" basis.
  Impact level: High (severe adverse effect)
  Reason: Loss of confidentiality of the company's sales transaction and customer information, such as payment card
  information, could lead to severe legal consequences and to the loss of sensitive company information. Security
  requirements for assuring information confidentiality are therefore a very important concern.
Integrity
  Need: Protect data handled by the Human Resource asset from unauthorized changes. The system must allow only
  authorized individuals the ability to alter records, and must track each change to system records to the specific
  individual who made and/or authorized it.
  Impact level: High (severe adverse effect)
  Reason: The unauthorized modification or destruction of sensitive customer information could be expected to have
  a severe adverse effect on operations and assets. Information integrity is required to the extent that
  destruction of the information would require a major investment of time and effort to restore an operational
  state once it was determined that the integrity of the information was compromised.
Availability
  Need: The Human Resource asset is expected to be available during work hours.
  Impact level: High (severe adverse effect)
  Reason: The disruption of access to or use of the information or information systems could be expected to have a
  severe adverse effect on operations, assets, or employees.
Overall System Categorization: HIGH
Based on the high water mark of the impact on confidentiality, integrity and availability, the overall system
sensitivity is HIGH. The loss, misuse or unauthorized access to the Human Resource asset could have a severe adverse
effect on operations and assets.
Risk rating legend (used in the risk matrix below):
E = Extreme risk: immediate action required
H = High risk: senior management attention required
M = Moderate risk: management responsibility must be specified
L = Low risk: managed by routine procedures
IT Risk Mitigation Strategy
A risk mitigation strategy defines the overall approach used to reduce risk. The strategy for XXX is developed not
only from a system perspective but also from a business perspective, so that it prioritizes the risks that are major
from both the business and the technical point of view. An appropriate risk management methodology is selected so
that results are repeatable and comparable in future assessments. The NIST SP 800-39 risk management model is chosen
because it is flexible and integrates easily into the broader enterprise risk management process; the risk
assessment is therefore conducted according to its three-tier risk assessment hierarchy.
Risk matrix (rows: impact/consequence; columns: likelihood)

Impact \ Likelihood   Rare (1)   Unlikely (2)   Possible (3)   Likely (4)   Almost Certain (5)
High (3)              H          E              E              E            E
Moderate (2)          M          M              H              H            E
Low (1)               L          L              L              M            H
The Tier 1 risk assessment focuses on organizational operations, assets and individuals: it assesses whether threats
are directed at the corporate level in ways that may affect policy decisions. The Tier 2 assessment focuses on
mission/business processes and brings together the risks of the multiple information systems identified at the
lower-level assessment; it evaluates the varying criticality of the different information systems with respect to
the core organizational missions and business functions. The Tier 3 assessment is the system-level assessment
conducted in the initial phase using the Risk Management Framework; it evaluates the anticipated vulnerabilities
affecting the confidentiality, integrity and availability of each information system and selects corrective actions
to mitigate the risk. The results of a lower-tier assessment are inputs to the assessment at the next higher tier
(NIST, 2011).
Figure 1: NIST Risk Management Approach (NIST, 2011)
The three-tier risk assessment methodology is integrated with the system-level risk assessment methodology, the
Risk Management Framework referenced in NIST SP 800-39, so that risk assessment is performed throughout the SDLC
(NIST, 2011).
Figure 2: Risk Management Framework (NIST, 2011)
Five security controls have been proposed, one for each system-level problem identified in the initial risk
analysis. They are minimum security controls, and the risk mitigation presented here is not a comprehensive set.
Finally, risk is prioritized using the risk matrix: risks rated Extreme require immediate implementation of the
mitigating security control, followed by High, Moderate and Low-level risks.
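The categorization rule used above (the high water mark across confidentiality, integrity and availability) and the risk matrix, carried through in code for the five assets of this paper so that the overall category and the E/H/M/L rating are computed rather than read off by hand. This is an added example and not part of the original paper: the per-objective impact levels are those of the categorization tables, while the likelihood values, the Asset type and the function names are assumptions made here for illustration, since the paper assigns no likelihoods.

```python
"""
FIPS 199 high-water-mark categorization and risk-matrix prioritization
for the five XXX assets described above.

Added example, not part of the original paper. Per-objective impact
levels are taken from the categorization tables; the likelihood values
are ASSUMPTIONS for illustration, since the paper assigns none.
"""
from dataclasses import dataclass

# FIPS 199 potential-impact levels, ordered low to high.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}

# FIPS 199 wording of an adverse effect -> impact level.
WORDING = {"limited": "Low", "serious": "Moderate", "severe": "High"}

# The paper's risk matrix: row = impact, column index = likelihood 1..5
# (Rare, Unlikely, Possible, Likely, Almost Certain).
RISK_MATRIX = {
    "High":     ["H", "E", "E", "E", "E"],
    "Moderate": ["M", "M", "H", "H", "E"],
    "Low":      ["L", "L", "L", "M", "H"],
}
# Priority order from the legend: Extreme first, Low last.
RISK_ORDER = {"E": 0, "H": 1, "M": 2, "L": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str   # "Low" | "Moderate" | "High"
    integrity: str
    availability: str
    likelihood: int        # 1..5 (assumed values below)


def level_from_wording(text: str) -> str:
    """Map a FIPS 199 reason sentence ("...limited adverse effect...") to a level."""
    for word, level in WORDING.items():
        if word in text.lower():
            return level
    raise ValueError(f"no FIPS 199 impact wording found in: {text!r}")


def high_water_mark(c: str, i: str, a: str) -> str:
    """FIPS 199: the system category is the highest of the three objectives."""
    for level in (c, i, a):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {level!r}")
    return LEVEL_NAMES[max(LEVELS[c], LEVELS[i], LEVELS[a])]


def security_category(asset: Asset) -> str:
    """FIPS 199 notation, e.g. SC app = {(confidentiality, Low), ...}."""
    return (f"SC {asset.name} = {{(confidentiality, {asset.confidentiality}), "
            f"(integrity, {asset.integrity}), (availability, {asset.availability})}}")


def risk_rating(impact: str, likelihood: int) -> str:
    """Look up the E/H/M/L rating; a likelihood outside 1..5 is rejected, not clamped."""
    if impact not in RISK_MATRIX:
        raise ValueError(f"unknown impact level {impact!r}")
    if not 1 <= likelihood <= 5:
        raise ValueError(f"likelihood must be 1..5, got {likelihood}")
    return RISK_MATRIX[impact][likelihood - 1]


def prioritize(assets):
    """Return (name, overall category, likelihood, rating) tuples, most urgent first.

    Ties on rating are broken by higher impact, then by higher likelihood, so the
    ordering is deterministic and does not depend on input order.
    """
    rows = []
    for asset in assets:
        overall = high_water_mark(asset.confidentiality, asset.integrity, asset.availability)
        rows.append((asset.name, overall, asset.likelihood, risk_rating(overall, asset.likelihood)))
    return sorted(rows, key=lambda r: (RISK_ORDER[r[3]], -LEVELS[r[1]], -r[2]))


# Impact levels from the tables above; likelihoods are assumed for illustration.
ASSETS = [
    Asset("Application Development Systems", "Low", "Moderate", "Low", likelihood=3),
    Asset("Desktop Support System", "Moderate", "High", "High", likelihood=1),
    Asset("Network and Infrastructure", "Moderate", "Moderate", "High", likelihood=4),
    Asset("Database System", "High", "High", "High", likelihood=3),
    Asset("Human Resource", "High", "High", "High", likelihood=5),
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(security_category(asset))
    for name, overall, likelihood, rating in prioritize(ASSETS):
        print(f"{rating}  {overall:<8} likelihood={likelihood}  {name}")
```

With the assumed likelihoods, the three High assets rated Extreme come first, then the Desktop Support System and the Application Development Systems, both rated High but ordered by their overall impact; changing a likelihood moves an asset across the matrix without touching its FIPS 199 category, which is fixed by the impact levels alone.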
General IT Risk Management Information
Chief Information Officer (CIO) Name and Contact Information:
Name:
Title:
Telephone Number:
Email address:
Information Security Officer Name and Contact Information:
Name: Etsegenet Gebreabe
Title: CISO
Telephone Number: 4696840429
Email address: egebreabe@udallas.edu
IT Risk Management Approved by:
Name
Title
Telephone Number
Email address
Date: July 5, 2016
Acronym
CIO: Chief Information Officer
CISO: Chief Information Security Officer
FIPS: Federal Information Processing Standard
HIPAA: Health Insurance Portability and Accountability Act
NIST: National Institute of Standards and Technology
PCI DSS: Payment Card Industry Data Security Standard
SDLC: System Development Life Cycle
Reference
Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (pp. 313-341).
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. National
Institute of Standards and Technology, February 2004. Accessed July 4, 2016 at http://csrc.nist.gov
FIPS 200: Minimum Security Requirements for Federal Information and Information Systems. National Institute of
Standards and Technology, March 2006. Accessed July 4, 2016 at http://csrc.nist.gov
SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View. National
Institute of Standards and Technology, March 2011. Accessed July 5, 2016 at
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docxSecurity ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
 
IRJET- Data Leak Prevention System: A Survey
IRJET-  	  Data Leak Prevention System: A SurveyIRJET-  	  Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docxRunning head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
 
Risk Analysis Report review
Risk Analysis Report reviewRisk Analysis Report review
Risk Analysis Report review
 
In what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docxIn what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docx
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Cst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comCst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.com
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Information security risk

  • 1. IT Risk Management for XXX By Etsegenet F. Gebreabe University of Dallas This Paper Submitted in Partial Fulfillment of the Requirements for CYBS 7351 -, Strategic Cyber Security Management Summer 2016 Presented to XXX
  • 2. XXX July 5, 2016 Revision Number Summary of Revision Revision Author Date Accepted by V1.0 Initial document Etsegenet Gebreabe 07-05- 2016
  • 3. XXX July 5, 2016 Table of Contents IT RISK MANAGEMENT COMPLETION........................................................................................3 IT RISK MANAGEMENT ACCEPTANCE........................................................................................3 SYSTEM CATEGORIZATION AND RISK MANAGEMENT..........................................................4 IT RISK MITIGATION STRATEGY................................................................................................14 GENERAL IT RISK MANAGEMENT INFORMATION ................................................................16 ACRONYM .........................................................................................................................................17 REFERENCE......................................................................................................................................17
  • 4. XXX July 5, 2016 IT Risk Management Completion This document describes the initial IT Risk Management for XXX Submitted by Etsegenet Gebreabe Printed name Title Etsegenet F. June 05, 2016 Signature Date Contracting Company Contract Number IT Risk Management Acceptance Approval Printed name Title Signature Date Approval Printed name Title Signature Date Approval Printed name Title Signature Date
  • 5. XXX July 5, 2016 System Categorization and Risk Management The following assets identification and categorization is done based on the level of impact to the organization should there be a breach to security (confidentiality, Integrity and availability) as per FIPS 199 and FIPS 200 standards. The risk analysis is based on qualitative measurement. The impact level values are high, medium and critical. The categorization of these assets is according to the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) in which the resulting value is the highest values (i.e., high water mark). (NIST, 2004). Five assets are identified that have high impact value which indicates the assets are very sensitive for the profitability of the organization. System Name/ID: Application Development Systems Description/purpose: The application development systems perform software and website development. It consists of information related to front end and back end application. System Type: Major Application System operation status: Operational System Owner: Michael Cave, Department Manager for system development Mark Clark, Chief Information Officer Vulnerability: The System lacks change control process that ensures alteration to the application is implemented based on approved procedures. Hence, there is no control mechanism to track the change in the code. This can be a security hole that an attacker can exploit. In addition, it creates difficulty in troubleshooting. Issues on the system may kept undiscovered until a major failure happens on the application. Consequently, alteration of application will disrupt the normal operation of the application that will adversely impact the business. The outcome ranges from poor customer service to disruption of service and huge financial loss.
  • 6. XXX July 5, 2016 Minimum Security controls: Develops, disseminates, and reviews/updates documented policy and procedure that explains the process for application change management Impact Rating: High (H): a critical concern Medium (M): an important concern, but not necessarily paramount in the organization’s priorities Low (L): some minimal level or security is required, but not to the same degree as the previous two categories Category Need Impact Level Reason Confidentiality Protect the data contained within the application development from disclosure at all times; Allow only authorized individuals access to data on an “as-needed” basis. H M L Loss of confidentiality of information could be expected to have limited adverse effect on operations and assets. It requires that attackers be knowledgeable about the in-house system operation to exploit the system if they get hold of the application development data. Integrity Protect data contained within the Application Development system from unauthorized changes; The system must: - allow only authorized individuals the ability to alter records, and - track to the specific individual who made and/or authorized each change to system records. H M L The unauthorized modification or destruction of information could be expected to have serious adverse effect on operations and assets. Availability The Application Development system is expected to be available during work hours. H M L The disruption of access to or use of Application development information systems could be expected to have a limited adverse effect on operations, assets, or employees. Overall System Categorization:
  • 7. XXX July 5, 2016 Low Moderate High Based on water mark for the protection requirements of confidentiality, integrity and availability, the overall system sensitivity is MODERATE. The effect of the loss, misuse or unauthorized access to Application development data could have a serious adverse effect on operations and assets. System Name/ID: Desktop Support System Description/purpose Desktop Support system is IT asset which includes Active Directory, Mail Server and DNS Server. The information residing in desktop support system is sensitive network information an attacker can use to exploit the network. System Type: General Support System System Operation Status: operational System Owner: Brendan Liddick, Department Manager for System Administration and desktop support Mark Clark, Chief Information Officer Vulnerability: Risk associated with access control where too many people may have access to devices and data that they have no need to access. desktop support information such as DNS information could lead in theft of company’s sensitive information which is expected to have serious adverse effect on normal operations. Minimum Security controls Develops, disseminates, and reviews/updates documented policy and procedure for implementing a robust IT Access control. High (H): a critical concern Medium (M): an important concern, but not necessarily paramount in the organization’s priorities Low (L): some minimal level or security is required, but not to the same degree as the previous two categories Category Need Impact Level Reason
  • 8. XXX July 5, 2016 Confidentiality Protect the data contained within the desktop Support system from disclosure at all times; Allow only authorized individuals access to data on an “as- needed” basis. H M L Loss of confidentiality of desktop support system expected to have serious adverse effect on operations, assets, or employees, as they can be used to exploit the company’s asset therefore impact the profitability of the company. Security requirements for assuring information confidentiality are therefore an important concern. Integrity Protect data contained within the desktop support system from unauthorized changes; The system must: - allow only authorized individuals the ability to alter system parameters. H M L The unauthorized modification or destruction of information could be expected to have severe adverse effect on operations, assets, or employees, therefore impact the profitability of the company. Security requirements for assuring information integrity are therefore an important concern. Availability The desktop support system is expected to be available during work hours. H M L The disruption of access to or use of desktop support system could be expected to have severe adverse effect on operations, assets, or employees, therefore impact the profitability of the company. Security requirements for assuring information availability are therefore an important concern. Overall System Categorization Low Moderate High Based on water mark for the protection requirements of confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to desktop support data could have a sever adverse effect on operations and assets.
  • 9. XXX July 5, 2016 System Name/ID: Network and Infrastructure Description/purpose Network and Infrastructure includes Private and public network such as servers, routers and firewall. It’s designed to manage communication between systems and manage bandwidth. System Type: Major Application System operation status: operational System owner: Sean Laur, Department Manager for Network infrastructure and telecommunication Mark Clark, Chief Information Officer Herbig Chris, Server Manager Vulnerability: XXX have a flat network which a major security weakness. Flat network avoids the needs for layer 3 routing and firewalls, therefore lacks enough security. Minimum Security controls: Revision of network topology to segment networks and provide multi-layer protection for more sensitive assets. High (H): a critical concern Medium (M): an important concern, but not necessarily paramount in the organization’s priorities Low (L): some minimal level or security is required, but not to the same degree as the previous two categories Category Need Impact Level Reason Confidentiality Protect the data contained within the network and infrastructure from disclosure at all times; Allow only authorized individuals access to data on an “as-needed” basis. H M L Loss of confidentiality of network and infrastructure information can be expected to have a serious adverse effect on operations and assets. Security requirements for assuring information confidentiality are therefore an important concern.
  • 10. XXX July 5, 2016 Integrity Protect data contained within the network and infrastructure from unauthorized changes; The system must: - allow only authorized individuals the ability to alter records, and - track to the specific individual who made and/or authorized each change to system records. H M L The unauthorized modification or destruction of network and infrastructure information could be expected to have a serious adverse effect on operations and assets. Assurance of information integrity is required to the extent that destruction of information would require a major investment of time and effort to restore to an operational state once it was determined that the integrity of the information was compromised. Availability The network and infrastructure system is expected to be available during work hours. H M L The disruption of access to use of network and infrastructure could be expected to have severe effect on operations, assets, or employees. Overall System Categorization Low Moderate High Based on water mark for the impact on the confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to network and infrastructure data could have severe adverse effect on operations and assets. System Name/ID: Data Base System Description/purpose The data base system is a centralized data base system for XXX that consists of storage servers and database software, the information contained in database system includes sensitive product design information, customer’s health related and credit card information which are very sensitive. System Type: Major Application System operation status: operational
  • 11. XXX July 5, 2016 System Owner: Ahmed Asrar, Department Manager for Data Administration Mark Clark, Chief Information Officer Vulnerability: Information stored in XXX database are sensitive as it consists of product design Information, customer’s health and payment information. XXX has weak protection on the database system. If the database system is compromised, it can cause XXX to serious legal issues due to the violation of compliance standards such as HIPAA and PCI-DSS Minimum Security controls: Implement strong Database encryption to all database containing Company’s design information, customer payment and heath information. High (H): a critical concern Medium (M): an important concern, but not necessarily paramount in the organization’s priorities Low (L): some minimal level or security is required, but not to the same degree as the previous two categories Category Need Impact Level Reason Confidentiality Protect the data contained within the Database System from disclosure at all times; Allow only authorized individuals access to data on an “as-needed” basis. H M L Loss of confidentiality of company’s product design information and customer information such as health related and payment card information. Loss of confidentiality of these information could lead to severe legal consequence and loss of sensitivity company’s information Security requirements for assuring information confidentiality are therefore very important concern.
  • 12. XXX July 5, 2016 Integrity Protect data contained within the database system from unauthorized changes; The system must: - allow only authorized individuals the ability to alter records, and - track to the specific individual who made and/or authorized each change to system records. H M L The unauthorized modification or destruction of sensitive customer information could be expected to have a severe adverse effect on operations and assets. Information integrity is required to the extent that destruction of information would require a major investment of time and effort to restore to an operational state once it was determined that the integrity of the information was compromised. Availability The database system is expected to be available during work hours. H M L The disruption of access to or use of information or information systems could be expected to have severe effect on operations, assets, or employees. Overall System Categorization Low Moderate High Based on water mark for the impact on the confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to database system could have a severe adverse effect on operations and assets. System Name/ID: Human Resource Description/purpose Human resources are one of the major asset of XXX. The human resource includes employees and third party (customers and vendors) System Type: Major Application System operation status: operational
  • 13. XXX July 5, 2016 System Owner: Krabacher Jon, VP for Human Resource Angelin Andreen, Department Manager for Training Paul Lee, Department Manager for Personal Security and safety Vulnerability: Not having adequate awareness for cyber security is a major weakness that jeopardize the security of XXX. Minimum Security controls: Plan, Develop and implement employee and third party (customer and vendor) training and awareness program. High (H): a critical concern Medium (M): an important concern, but not necessarily paramount in the organization’s priorities Low (L): some minimal level or security is required, but not to the same degree as the previous two categories Category Need Impact Level Reason Confidentiality Protect the data contained within the Web Server from disclosure at all times; Allow only authorized individuals access to data on an “as-needed” basis. H M L Loss of confidentiality of company’s sales transaction and customer information such as payment card information could lead to severe legal consequence and loss of sensitive company’s information Security requirements for assuring information confidentiality are therefore very important concern.
  • 14. XXX July 5, 2016 Integrity Protect data contained within the Web Server from unauthorized changes; The system must: - allow only authorized individuals the ability to alter records, and - track to the specific individual who made and/or authorized each change to system records. H M L The unauthorized modification or destruction of sensitive customer information could be expected to have a severe adverse effect on operations and assets. Information integrity is required to the extent that destruction of information would require a major investment of time and effort to restore to an operational state once it was determined that the integrity of the information was compromised. Availability The Web Server is expected to be available during work hours. H M L The disruption of access to or use of information or information systems could be expected to have severe effect on operations, assets, or employees. Overall System Categorization Low Moderate High Based on water mark for the impact on the confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to Web Server could have a severe adverse effect on operations and assets.
  • 15. XXX July 5, 2016 E= Extreme Risk: immediate action required H=High Risk: Senior management attention required M=Moderate Risk Management responsibility must be specified L=Low Risk: management by routine procedure required IT Risk Mitigation Strategy Risk Mitigation strategy is needed to define the overall approach used for reducing risk. The risk mitigation strategy for XXX is done not only from system perspective but also from a business perspective. By doing so, the risk mitigation strategy aims to prioritize risk that are major from both business and technical perspective. An appropriate risk management methodology is selected to ensure results are repeatable and comparable for future use. The NIST 800-39- Risk Management Model is chosen as it is flexible and can easily be integrated into the broader risk management process. Therefore, the risk assessment will be conducted according to risk assessment hierarchy having three-tiered approach. Impact Consequence rare(1) Unlikely(2) Possiby (3) Likely(4) Almost Certain (5) High (3) H E E E E Moderate(2) M M H H E Low(1) L L L M H Likelihood
The risk assessment conducted at Tier 1 focuses on organizational operations, assets and individuals. It assesses whether threats are directed at the corporate level that may affect policy decisions. Tier 2 risk assessment focuses on mission/business processes, which include the multiple information system risks identified at the lower-level risk assessment. It evaluates the varying degree of criticality of the different information systems with regard to the core organizational mission/business functions. Tier 3 risk assessment is conducted in the initial phase by using the Risk Management Framework. It is a system-level assessment that evaluates the anticipated vulnerabilities affecting the confidentiality, integrity and availability of the information system and implements corrective action to mitigate risk. The results of the risk assessment at a lower level are an input for the risk assessment at a higher level (NIST 2011).

Figure 1: NIST Risk Management Approach (NIST, 2011)

The three-tier risk assessment methodology will be integrated with the system-level risk assessment methodology, namely the Risk Management Framework as defined in NIST SP 800-39. Therefore, risk assessment will be done throughout the SDLC (NIST 2011).
Figure 2: Risk Management Framework (NIST, 2011)

Five security controls have been proposed based on the system-level problems identified in an initial risk analysis. The security controls proposed for the identified risks are minimum security controls; the risk mitigation is not a comprehensive set. Finally, risks are prioritized based on the risk matrix: extreme-level risks need immediate implementation of security controls to mitigate them, followed by high-level, moderate-level and low-level risks.

General IT Risk Management Information

Chief Information Officer (CIO) Name and Contact Information:
Name:
Title:
Telephone Number:
Email address:
Information Security Officer Name and Contact Information:
Name: Etsegenet Gebreabe
Title: CISO
Telephone Number: 4696840429
Email address: egebreabe@udallas.edu

IT Risk Management Approved by:
Name
Title
Telephone Number
Email address
Date: July 5, 2016

Acronym

CIO: Chief Information Officer
HIPAA: Health Insurance Portability and Accountability Act
PCI: The Payment Card Industry Data Security Standard

Reference

Whitman & Mattord (2014). Management of Information Security (pp. 313-341).
"FIPS 199: Standards for Security Categorization of Federal Information and Information Systems." National Institute of Standards and Technology, February 2004. Accessed July 4, 2016 at http://csrc.nist.gov
"FIPS 200: Standards for Security Categorization of Federal Information and Information Systems." National Institute of Standards and Technology, March 2006. Accessed July 4, 2016 at http://csrc.nist.gov
"SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View." National Institute of Standards and Technology, March 2011. Accessed July 5, 2016 at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf