Information systems 365 lecture three - Performing an IT Security Risk Analysis

Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 2, Course Introduction

09/10/14 UNIVERSITY OF WISCONSIN 2

LLeeccttuurree TTooppiiccss
Security management responsibilities
Difference between Administrative,
Technical and Physical Controls
The three main security principles
Risk management
How to perform a risk analysis

DDeeffiinniinngg SSeeccuurriittyy
MMaannaaggeemmeenntt
Risk management method (see next slide)
Information Security Policies
Procedures
Standards
Guidelines
Baselines
Information Classification
Security Organization
Security Education

PPrroocceessss ooff SSeeccuurriittyy
Determination of needs
Assessment of risks
Monitoring and evaluation of existing
systems and practices
Promote awareness of existing issues
Implementation of policies and controls
to address needs
Use a “Top Down” approach, not a
“Bottom Up” approach

TThhrreeee TTyyppeess ooff SSeeccuurriittyy
CCoonnttrroollss
Administrative
Technical
Physical

AAddmmiinniissttrraattiivvee
CCoonnttrroollss
These include the developing and
publishing of policies, standards,
procedures and guidelines for risk
management, the screening of
personnel, conducting security
awareness training, and implementing
change control procedures

TTeecchhnniiccaall CCoonnttrroollss
((AAllssoo CCaalllleedd LLooggiiccaall CCoonnttrroollss))
These consist of implementing and
maintaining access control mechanisms,
password and resource management,
identification and authentication
methods, security devices and the
configuration of the infrastructure
Opinion note from the lecturer

PPhhyyssiiccaall CCoonnttrroollss
These entail controlling individual
access into the facilities, locking
systems, removing un-necessary access
points to systems such as CD drives and
USB ports, protecting the perimeter of
the facility, monitoring for intrusion,
and environmental controls

AAllll TThhrreeee CCoonnttrroollss
MMuusstt WWoorrkk TTooggeetthheerr

TThhrreeee CCoorree GGooaallss
ooff IInnffoorrmmaattiioonn SSeeccuurriittyy
Confidentiality
Integrity
Availability

AAvvaaiillaabbiilliittyy
The systems and networks should
provide adequate capacity to perform in
a predictable manner, with an
acceptable level of performance
They should be able to quickly recover
from disruption
Single points of failure should be
avoided
Backup measures should be taken

IInntteeggrriittyy
Is defined as maintaining the accuracy
and reliability of information systems,
preventing any unauthorized
modification
Attacks or mistakes by users do not
compromise the integrity of the data
Viruses, Logic Bombs, or back doors can
all compromise the integrity of an
information system

CCoonnffiiddeennttiiaalliittyy
Ensures that the necessary level of
secrecy is enforced at each junction of
data processing and prevents
unauthorized disclosure.
This level of confidentiality should
prevail while data resides on systems
within the network, as it is transmitted
and once it reaches its destination.

MMoorree TTeerrmmiinnoollooggyy
Vulnerability
Threat
Risk
Exposure

VVuullnneerraabbiilliittyy
Software, hardware, physical or
procedural weakness which may provide
an attacker an open door into your
information systems environment

TThhrreeaatt
A potential danger to an information
system. The treat is that someone or
something will identify and take
advantage of a vulnerability.
The entity which takes advantage of a
vulnerability is called a threat entity

RRiisskk
A risk is the likelihood of a of a threat
agent taking advantage of a vulnerability

EExxppoossuurree
Exposure is a single instance of the
damages caused by a vulnerability being
exploited by threat agent
Way too many terms here for a normal
human to remember!!! 

CCoouunntteerrmmeeaassuurree
A safeguard put into place to mitigate a
potential risk

SSeeccuurriittyy TThhrroouugghh OObbssccuurriittyy
Trying to keep things safe by keeping
them hidden
Bad idea – not a true security control

SSeeccuurriittyy PPllaannnniinngg
AArreeaass
Strategic
Tactical
Operational

SSttrraatteeggiicc
LLoonngg aanndd BBrrooaadd HHoorriizzoonn
Make sure that risks are properly
understood
Ensure compliance with laws and
regulations
Integrate security responsibilities
throughout the organization
Create a maturity model to allow for
continual improvement
Use security as a business achievement
to attract more customers

TTaaccttiiccaall
IInniittiiaattiivveess SSuuppppoorrttiinngg SSttrraatteeggyy
Initiatives and planning put in place to
support the larger strategic plan
Putting together teams to address
specific issues
Hiring new employees to be responsible
for specific areas such as HIPAA or PCI
compliance

OOppeerraattiioonnaall
Perform security risk assessment
Do not allow security changes to
decrease productivity
Maintain and implement controls
Continually scan for vulnerabilities and
roll out patches
Track compliance with policies

JJuuddggee AAggaaiinnsstt SSttaannddaarrddss
IISSOO 1177779999
If you know this, you will be golden in
the job interview!
ISO is a British organization, recognized
around the world for standards
High level recommendations of
enterprise IT security

IInnffoorrmmaattiioonn SSeeccuurriittyy
PPoolliiccyy FFoorr tthhee OOrrggaanniizzaattiioonn
Map of objectives to security
management’s support, security goals
and responsibilities

CCrreeaattiioonn ooff aann IInnffoorrmmaattiioonn
SSeeccuurriittyy IInnffrraassttrruuccttuurree
Create and maintain an organizational
security structure through the use of a
security forum, a security officer,
defining responsibilities, a method for
authorizing projects, outsourcing and
independent audits and reviews

AAsssseett CCllaassssiiffiiccaattiioonn
aanndd CCoonnttrrooll
Develop a security infrastructure to
protect organizational assets through
accountability through inventory,
classification, and handling procedures

PPeerrssoonnnneell SSeeccuurriittyy
Reduce the risks which are inherent in
human action by screening employees,
defining roles and responsibilities,
training employees properly and
documenting the ramifications of not
meeting expectations

PPhhyyssiiccaall aanndd EEnnvviirroonnmmeennttaall
SSeeccuurriittyy
Protect the organization’s assets by
properly choosing a facility location,
erecting and maintaining a security
perimeter, physical access control, and
protecting equipment

CCoommmmuunniiccaattiioonnss aanndd
OOppeerraattiioonnss MMaannaaggeemmeenntt
Carry out operations through
documented procedures, proper change
control, incident handling, separation of
duties, capacity planning, network
management and media handling

AAcccceessss CCoonnttrrooll
Control electronic access based upon
business requirements, user
management, authentication methods
and monitoring

SSyysstteemm DDeevveellooppmmeenntt
aanndd MMaaiinntteennaannccee
Make security an integral part of all life
phases of system development and
management

BBuussiinneessss CCoonnttiinnuuiittyy
Counter disruptions of normal
operations by using continuity planning
and testing

CCoommpplliiaannccee
Comply with regulatory, contractual and
statutory requirements by using
technical controls, systems audits and
continuous legal and regulatory
awareness
Cost effective, relevant, timely, and
responsive

RRiisskk AAnnaallyyssiiss
A method for identifying risks and
threats

RRiisskk AAnnaallyyssiiss
HHaass FFoouurr MMaaiinn GGooaallss
Identify assets and their values
Identify vulnerabilities and threats
Quantify the probability and business
impact of these potential threats
Provide an economic balance between
the impact of the threat and the cost of
the countermeasure

RRiisskk AAnnaallyyssiiss -- SStteepp OOnnee
AAssssiiggnn aa VVaalluuee ttoo tthhee AAsssseett
What is the value of this asset to the
company?
How much does it cost to maintain?
How much does it make in profits for
the company?
How much would it be worth to the
competition?
How much would it cost to re-create or
recover?

RRiisskk AAnnaallyyssiiss -- SStteepp OOnnee
AAssssiiggnn aa VVaalluuee ttoo tthhee AAsssseett
How much did it cost to acquire or
develop this asset?
How much liability do you face if the
asset is compromised?

RRiisskk AAnnaallyyssiiss –– SStteepp 22
EEssttiimmaattee PPootteennttiiaall LLoossss PPeerr TThhrreeaatt
What physical damage could the threat cause
and how much would that cost?
How much loss of productivity could the threat
cause and how much would that cost?
What is the value lost if the confidential
information is disclosed?
What is the cost of recovering from this threat?
What is the value of the loss if critical devices
were to fail?
What is the Single Loss Expectancy (SLE) for
each asset and each threat?

RRiisskk AAnnaallyyssiiss –– SStteepp TThhrreeee
PPeerrffoorrmm aa TThhrreeaatt AAnnaallyyssiiss
Gather information about the likelihood
of each threat taking place, from people
in each department. Examine past
records which provide this type of data
Calculate the Annualized Rate of
Occurrence (ARO), which is the number
of times the threat can take place in a
twelve month period

RRiisskk AAnnaallyyssiiss –– SStteepp FFoouurr
DDeerriivvee tthhee OOvveerraallll AAnnnnuuaall LLoossss
PPeerr TThhrreeaatt
Combine potential loss and probability
Calculate the Annualized Loss
Expectancy (ALE) per threat, by using
the information calculated in the first
three steps
Choose remedial measures to counteract
each threat
Carry out cost-benefit analysis on the
identified countermeasures

RReedduuccee,, TTrraannssffeerr,, AAvvooiidd oorr AAcccceepptt
tthhee RRiisskk
Install security controls
Improve procedures
Alter the environment
Provide early detection methods to catch
the threat as it is happening and reduce
possible damage it can cause
Produce a contingency plan of how a
business can continue if a specific threat
takes place, reducing further damages

RReedduuccee,, TTrraannssffeerr,, AAvvooiidd oorr AAcccceepptt
tthhee RRiisskk
Put up barriers to the threat
Carry out security awareness training
Perform risk transfer (buy insurance
and make it someone else’s problem)
Risk acceptance (live with the risks and
spend no more money for protection)
Risk avoidance (discontinue the activity
that is causing the risk)

RReessuullttss ooff tthhee RRiisskk AAnnaallyyssiiss
1. Monetary values are assigned to assets
2. You have a comprehensive list of all
possible and significant threats
3. You have a probability of the occurrence
rate of each threat
4. You have the loss potential which the
company can endure per threat,
annually.
5. A list of recommended safeguards,
countermeasures and actions

CCoouunntteerrmmeeaassuurree SSeelleeccttiioonn
Product costs
Design and planning costs
Implementation costs
Environment modifications
Compatibility with other
countermeasures
Maintenance requirements
Testing requirements

CCoouunntteerrmmeeaassuurree SSeelleeccttiioonn
Repair, replacement or update costs
Operating and support costs
Effects on productivity
Subscription costs
Extra person hours
Tolerance for headaches caused by new
countermeasure

NNeexxtt TTiimmee
Security policies
Information classification
Security awareness training

Information systems 365 lecture three - Performing an IT Security Risk Analysis

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (18)

Similar to Information systems 365 lecture three - Performing an IT Security Risk Analysis

Similar to Information systems 365 lecture three - Performing an IT Security Risk Analysis (20)

More from Nicholas Davis

More from Nicholas Davis (20)

Information systems 365 lecture three - Performing an IT Security Risk Analysis