Lecture 3 slides for the Information Systems 365/765 class I teach at UW-Madison. If you ever had the urge to perform a 5 step quantitative IT Security Risk Analysis, then this is for you!
3. Lecture Topics
Security management responsibilities
Difference between Administrative, Technical and Physical Controls
The three main security principles
Risk management
How to perform a risk analysis
09/10/14 UNIVERSITY OF WISCONSIN 3
4. Defining Security Management
Risk management method (see next slide)
Information Security Policies
Procedures
Standards
Guidelines
Baselines
Information Classification
Security Organization
Security Education
5. Process of Security Management
Determination of needs
Assessment of risks
Monitoring and evaluation of existing systems and practices
Promote awareness of existing issues
Implementation of policies and controls to address needs
Use a “Top Down” approach, not a “Bottom Up” approach
6. Three Types of Security Controls
Administrative
Technical
Physical
7. Administrative Controls
These include the developing and publishing of policies, standards, procedures and guidelines for risk management, the screening of personnel, conducting security awareness training, and implementing change control procedures
8. Technical Controls (Also Called Logical Controls)
These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices and the configuration of the infrastructure
Opinion note from the lecturer
9. Physical Controls
These entail controlling individual access into the facilities, locking systems, removing unnecessary access points to systems such as CD drives and USB ports, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls
11. Three Core Goals of Information Security
Confidentiality
Integrity
Availability
12. Availability
The systems and networks should provide adequate capacity to perform in a predictable manner, with an acceptable level of performance
They should be able to quickly recover from disruption
Single points of failure should be avoided
Backup measures should be taken
13. Integrity
Is defined as maintaining the accuracy and reliability of information systems, preventing any unauthorized modification
Integrity means that attacks or mistakes by users do not compromise the data
Viruses, Logic Bombs, or back doors can all compromise the integrity of an information system
14. Confidentiality
Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
This level of confidentiality should prevail while data resides on systems within the network, as it is transmitted and once it reaches its destination.
16. Vulnerability
Software, hardware, physical or procedural weakness which may provide an attacker an open door into your information systems environment
17. Threat
A potential danger to an information system. The threat is that someone or something will identify and take advantage of a vulnerability.
The entity which takes advantage of a vulnerability is called a threat entity
18. Risk
A risk is the likelihood of a threat agent taking advantage of a vulnerability
19. Exposure
Exposure is a single instance of the damages caused by a vulnerability being exploited by a threat agent
Way too many terms here for a normal human to remember!!!
23. Strategic: Long and Broad Horizon
Make sure that risks are properly understood
Ensure compliance with laws and regulations
Integrate security responsibilities throughout the organization
Create a maturity model to allow for continual improvement
Use security as a business achievement to attract more customers
24. Tactical: Initiatives Supporting Strategy
Initiatives and planning put in place to support the larger strategic plan
Putting together teams to address specific issues
Hiring new employees to be responsible for specific areas such as HIPAA or PCI compliance
25. Operational
Perform security risk assessment
Do not allow security changes to decrease productivity
Maintain and implement controls
Continually scan for vulnerabilities and roll out patches
Track compliance with policies
26. Judge Against Standards: ISO 17799
If you know this, you will be golden in the job interview!
ISO is a British organization, recognized around the world for standards
High level recommendations of enterprise IT security
27. Information Security Policy For the Organization
Map of objectives to security management’s support, security goals and responsibilities
28. Creation of an Information Security Infrastructure
Create and maintain an organizational security structure through the use of a security forum, a security officer, defining responsibilities, a method for authorizing projects, outsourcing and independent audits and reviews
29. Asset Classification and Control
Develop a security infrastructure to protect organizational assets through accountability, established by inventory, classification, and handling procedures
30. Personnel Security
Reduce the risks which are inherent in human action by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations
31. Physical and Environmental Security
Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, physical access control, and protecting equipment
32. Communications and Operations Management
Carry out operations through documented procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling
33. Access Control
Control electronic access based upon business requirements, user management, authentication methods and monitoring
34. System Development and Maintenance
Make security an integral part of every life-cycle phase of system development and management
36. Compliance
Comply with regulatory, contractual and statutory requirements by using technical controls, systems audits and continuous legal and regulatory awareness
Cost effective, relevant, timely, and responsive
38. Risk Analysis Has Four Main Goals
Identify assets and their values
Identify vulnerabilities and threats
Quantify the probability and business impact of these potential threats
Provide an economic balance between the impact of the threat and the cost of the countermeasure
39. Risk Analysis - Step One: Assign a Value to the Asset
What is the value of this asset to the company?
How much does it cost to maintain?
How much does it make in profits for the company?
How much would it be worth to the competition?
How much would it cost to re-create or recover?
40. Risk Analysis - Step One: Assign a Value to the Asset
How much did it cost to acquire or develop this asset?
How much liability do you face if the asset is compromised?
41. Risk Analysis – Step 2: Estimate Potential Loss Per Threat
What physical damage could the threat cause and how much would that cost?
How much loss of productivity could the threat cause and how much would that cost?
What is the value lost if the confidential information is disclosed?
What is the cost of recovering from this threat?
What is the value of the loss if critical devices were to fail?
What is the Single Loss Expectancy (SLE) for each asset and each threat?
42. Risk Analysis – Step Three: Perform a Threat Analysis
Gather information about the likelihood of each threat taking place, from people in each department. Examine past records which provide this type of data
Calculate the Annualized Rate of Occurrence (ARO), which is the number of times the threat can take place in a twelve month period
43. Risk Analysis – Step Four: Derive the Overall Annual Loss Per Threat
Combine potential loss and probability
Calculate the Annualized Loss Expectancy (ALE) per threat, by using the information calculated in the first three steps
Choose remedial measures to counteract each threat
Carry out cost-benefit analysis on the identified countermeasures
44. Risk Analysis – Step 5: Reduce, Transfer, Avoid or Accept the Risk
Install security controls
Improve procedures
Alter the environment
Provide early detection methods to catch the threat as it is happening and reduce possible damage it can cause
Produce a contingency plan of how a business can continue if a specific threat takes place, reducing further damages
45. Risk Analysis – Step 5: Reduce, Transfer, Avoid or Accept the Risk
Put up barriers to the threat
Carry out security awareness training
Perform risk transfer (buy insurance and make it someone else’s problem)
Risk acceptance (live with the risks and spend no more money for protection)
Risk avoidance (discontinue the activity that is causing the risk)
46. Results of the Risk Analysis
1. Monetary values are assigned to assets
2. You have a comprehensive list of all possible and significant threats
3. You have a probability of the occurrence rate of each threat
4. You have the loss potential which the company can endure per threat, annually.
5. A list of recommended safeguards, countermeasures and actions
47. Countermeasure Selection
Product costs
Design and planning costs
Implementation costs
Environment modifications
Compatibility with other countermeasures
Maintenance requirements
Testing requirements
48. Countermeasure Selection
Repair, replacement or update costs
Operating and support costs
Effects on productivity
Subscription costs
Extra person hours
Tolerance for headaches caused by new countermeasure
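As an added worked example (not part of the lecture slides), the five risk-analysis steps (asset value, Single Loss Expectancy, Annualized Rate of Occurrence, Annualized Loss Expectancy, and the cost-benefit check that drives the reduce/transfer/avoid/accept decision) together with the cost factors from the two Countermeasure Selection slides, carried through in Python. The file server value, the two threats, their exposure factors and occurrence rates, and every cost figure are constructed sample numbers. The "exposure factor" (fraction of the asset value lost in one occurrence) and the net-value formula (ALE before the control, minus ALE after it, minus the control's annual cost) are the standard textbook formulation of SLE and cost-benefit analysis and are assumed here; the slides name SLE, ARO and ALE but do not spell out those formulas.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Threat:
    name: str
    exposure_factor: float  # assumed term: fraction of asset value lost per occurrence (0.0..1.0)
    aro: float              # Annualized Rate of Occurrence: expected occurrences per twelve months


@dataclass
class Countermeasure:
    name: str
    threat: str                     # name of the Threat this control addresses
    exposure_factor_after: float    # residual exposure factor once the control is in place
    aro_after: float                # residual ARO once the control is in place
    annual_costs: Dict[str, float]  # cost factors from the Countermeasure Selection slides, per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 2: SLE = asset value x exposure factor, the loss from one occurrence."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 4: ALE = SLE x ARO, the expected loss per year from this threat."""
    return sle * aro


def annual_countermeasure_cost(cm: Countermeasure) -> float:
    """Sum every annualized cost factor (product, implementation, maintenance, training, ...)."""
    return sum(cm.annual_costs.values())


def countermeasure_net_value(asset_value: float, threat: Threat, cm: Countermeasure) -> float:
    """Cost-benefit: (ALE before control) - (ALE after control) - (annual cost of control).
    A positive result means the control saves more per year than it costs."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, threat.exposure_factor), threat.aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, cm.exposure_factor_after), cm.aro_after)
    return ale_before - ale_after - annual_countermeasure_cost(cm)


def treatment_decision(net_value: float) -> str:
    """Step 5: reduce the risk when the control pays for itself; otherwise keep the money
    and transfer (insure), avoid (stop the activity) or accept the risk instead."""
    if net_value > 0:
        return "reduce: implement the countermeasure"
    return "do not implement: transfer, avoid or accept the risk"


def risk_register(asset_value: float, threats: List[Threat],
                  countermeasures: List[Countermeasure]) -> List[dict]:
    """Run steps 2 to 5 for every threat and return one row per threat (slide 46 results)."""
    by_threat = {cm.threat: cm for cm in countermeasures}
    rows = []
    for t in threats:
        sle = single_loss_expectancy(asset_value, t.exposure_factor)
        ale = annualized_loss_expectancy(sle, t.aro)
        cm = by_threat[t.name]
        net = countermeasure_net_value(asset_value, t, cm)
        rows.append({"threat": t.name, "sle": sle, "ale": ale, "countermeasure": cm.name,
                     "annual_cost": annual_countermeasure_cost(cm), "net_value": net,
                     "decision": treatment_decision(net)})
    return rows


# Constructed sample data: one file server asset (step 1 value), two threats, one candidate control each.
FILE_SERVER_VALUE = 500_000.0
SAMPLE_THREATS = [
    Threat("ransomware", exposure_factor=0.4, aro=0.5),   # expect one incident every two years
    Threat("flood", exposure_factor=0.8, aro=0.02),        # expect one incident every fifty years
]
SAMPLE_CONTROLS = [
    Countermeasure("offline backups plus endpoint detection", "ransomware", 0.1, 0.5,
                   {"product": 20_000, "implementation (amortized)": 5_000,
                    "maintenance": 10_000, "awareness training": 5_000}),
    Countermeasure("relocate server room above flood line", "flood", 0.8, 0.002,
                   {"facility modification (amortized)": 45_000, "operating": 5_000}),
]

if __name__ == "__main__":
    for row in risk_register(FILE_SERVER_VALUE, SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(row)
```

With these sample numbers the ransomware control nets 35,000 per year and is worth installing, while the flood relocation nets minus 42,800 per year: its ALE of 8,000 is far below the control's 50,000 annual cost, so the analysis points to insurance (transfer) or acceptance rather than the expensive control.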
49. Next Time
Security policies
Information classification
Security awareness training