1. Information Security Governance & Risk Management.ppt
Transcript of 1. Information Security Governance & Risk Management.ppt
1. Information Security Governance and Risk Management
Objective
• Information Security Management
• The Big Three - CIA
• Security Governance
  − Policies, Procedures, Standards & Guidelines
  − Organizational Structures
  − Roles and Responsibilities
• Information Classification
• Risk Management
• Security Awareness Training
Information Security Management
• To protect an organization’s valuable resources, such as information, hardware, and software
• Identification of an organization’s information assets
• The development, documentation, and implementation of policies, standards, procedures, and guidelines
• Ensure Availability, Integrity and Confidentiality
CIA - Confidentiality
Confidentiality: Protection of information within systems so that unauthorized people, resources, and processes cannot access that information
The Threat
• Hackers, Masqueraders, Unauthorized user activity
• Unprotected downloaded files, networks, and unauthorized programs (e.g., Trojan horses and viruses)
• Social Engineering
The Action
• Granting access on a need-to-know (least privilege) basis
• Well-Formed Transaction
• Awareness
CIA - Integrity
Integrity: Protection of Information Systems or Processes from intentional or accidental unauthorized changes
The Threat
• Hackers, Masqueraders, Unauthorized user activity
• Unprotected downloaded files, networks, and unauthorized programs (e.g., Trojan horses and viruses)
• Authorized users can corrupt data and programs accidentally or intentionally
The Action
• Granting access on a need-to-know (least privilege) basis
• Separation of duties
• Rotation of duties
CIA – Integrity Cont…
The Action
• Granting access on a need-to-know (least privilege) basis
• Separation of duties
• Rotation of duties
Separation of Duties
• No single employee has control of a transaction from beginning to end
Rotation of Duties
• Change job assignments periodically
• Works well when used in conjunction with a separation of duties
• Helps the organization when losing a key employee
“The security program must employ a careful balance between ideal security and practical productivity”
CIA - Availability
Availability is the assurance that a computer system is accessible by authorized users whenever needed.
The Threat
• Denial of Service & Distributed Denial of Service
• Natural disasters (e.g., fires, floods, storms, or earthquakes)
• Human actions (e.g., bombs or strikes)
The Action
• Contingency planning — which may involve business resumption planning, alternative-site processing, or simply disaster recovery planning — provides an alternative means of processing, thereby ensuring availability.
• Physical, Technical, and Administrative controls are important aspects of security initiatives
CIA – Availability Cont…
The Physical controls
• Restrict unauthorized persons from coming into contact with computing resources and facilities
The Technical controls
• Fault-tolerance mechanisms (e.g., hardware redundancy, disk mirroring, and application checkpoint restart)
• Electronic vaulting (i.e., automatic backup to a secure, off-site location)
• Access control software to prevent unauthorized users
The Administrative controls
• Access control policies, operating procedures, contingency planning, and user training
Ensuring CIA
• Think in terms of the core information security principles
• How does this threat impact the CIA?
• What controls can be used to reduce the risk to CIA?
• If we increase confidentiality, will we decrease availability? And vice versa
Security Governance
• Security Governance is the organizational processes and relationships for managing risk
  − Policies, Procedures, Standards, Guidelines, Baselines
  − Organizational Structures
  − Roles and Responsibilities
Security Governance - Reference
• Policy - An information security policy contains senior management’s directives to create an information security program, establish its goals, measures, and targets, and assign responsibilities
• Standards - Standards are mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective
• Procedures - Procedures spell out the step-by-step specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment
Security Governance - Reference Cont…
• Guidelines - Guidelines are more general statements designed to achieve the policy’s objectives by providing a framework within which to implement controls not covered by procedures
• Baselines - Baselines are similar to standards but account for differences in technologies and versions from different vendors
Security Governance - Reference
Organizational Structure
• Audit should be separate from implementation and operations
• Responsibilities for security should be defined in job descriptions
• Senior management has ultimate responsibility for security
• Security officers/managers have functional responsibility
Organizational Structure (organization chart; boxes shown in the figure: President, Directors, CIO, IT Security, Compliance, Auditor, Analyst, Architect)
Roles & Responsibilities
• Information owner - A business executive or business manager who is responsible for a company’s business information asset
• Information custodian - The information custodian, usually an information technology or operations person, is the system administrator or operator for the Information Owner, with primary responsibilities dealing with running the program for the owner and backup and recovery of the business information
• Application owner - Manager of the business unit who is fully accountable for the performance of the business function served by the application
• User manager - The immediate manager or supervisor of an employee
Roles & Responsibilities Cont…
• Security administrator - Any company employee who owns an “administrative” user ID that has been assigned attributes or privileges that are associated with any type of access control system
• Security analyst - Person responsible for determining the data security directions (strategies, procedures, guidelines) to ensure information is controlled and secured based on its value, risk of loss or compromise, and ease of recoverability
• Change control analyst - Person responsible for analyzing requested changes to the Information Technology infrastructure and determining the impact on applications
• Data analyst - This person analyzes the business requirements to design the data structures and recommends data definition standards and physical platforms
Roles & Responsibilities Cont…
• Solution provider - Person who participates in the solution (application) development and delivery processes in deploying business solutions
• End user - Any employee, contractor, or vendor of the company who uses information systems resources as part of their job
• Process owner - This person is responsible for the management, implementation, and continuous improvement of a process that has been defined to meet a business need
• Product line manager - Person responsible for understanding business requirements and translating them into product requirements, working with the vendor/user area
Information Classification - Information Protection Requirements
• Data confidentiality, integrity, and availability are improved because appropriate controls are used for all data across the enterprise
• The organization gets the most for its information protection dollar because protection mechanisms are designed and implemented where they are needed most, and less costly controls can be put in place for non-critical information
• The quality of decisions is improved because the data upon which the decisions are made can be trusted
• The company is provided with a process to review all business functions and informational requirements on a periodic basis to determine appropriate data classifications
Information Classification - Getting started: questions to ask
• Is there an executive sponsor for this project?
• What are you trying to protect, and from what?
• Are there any regulatory requirements to consider?
• Has the business accepted ownership responsibilities for the data?
Policy
• An essential tool in establishing a data classification scheme
• Define information as an asset of the business unit
• Declare local business managers as the owners of information
• Establish IT as the custodians of corporate information
• Clearly define roles and responsibilities of those involved in the ownership and classification of information
• Define the classifications and criteria that must be met for each
• Determine the minimum range of controls to be established for each classification
Data Classification
• Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
• DoD multi-level security policy has 4 classifications: Top Secret, Secret, Confidential, Unclassified
• Other levels in use are: Eyes only, Officers only, Company confidential, Public
Data Classification
• Criteria
  − Value
  − Age
  − Useful Life
  − Personal Association
• Government classifications
  − Top Secret
  − Secret
  − Confidential
  − Sensitive but Unclassified
  − Unclassified
• Private Sector classifications
  − Confidential
  − Private
  − Sensitive
  − Public
Data Classification
• Top Secret - Applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers
• Secret - Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers
• Confidential - Applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
• Unclassified - Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company
Risk Management
The processes of identifying, analyzing and assessing, mitigating, or transferring risk are generally characterized as Risk Management
Risk Management Process
• What could happen (threat event)?
• If it happened, how bad could it be (threat impact)?
• How often could it happen (threat frequency, annualized)?
• How certain are the answers to the first three questions (recognition of uncertainty)?
• What can be done (risk mitigation)?
• How much will it cost (annualized)?
• Is it cost-effective (cost/benefit analysis)?
Risk Management - Risk Analysis
• This term represents the process of analyzing a target environment and the relationships of its risk-related attributes
Qualitative / Quantitative
• Quantitative risk analysis attempts to assign independently objective numeric values (i.e., monetary values) to all elements of the risk analysis
• Qualitative risk analysis, on the other hand, does not attempt to assign numeric values at all, but rather is scenario oriented
Risk Management - Risk Assessment
• This term represents the assignment of value to assets, threat frequency (annualized), consequence (i.e., exposure factors), and other elements of chance
Information Asset
• Information is regarded as an intangible asset separate from the media on which it resides
• Simple cost of replacing the information
• The cost of replacing supporting software
• Costs associated with loss of the information’s confidentiality, availability, and integrity
• Supporting hardware and network
Risk Management - Exposure Factor (EF)
• A measure of the magnitude of loss or impact on the value of an asset
• A percent, ranging from 0 to 100%, of asset value loss arising from a threat event
Single Loss Expectancy (SLE)
• Single Loss Expectancy = Asset Value X Exposure Factor
Annualized Rate of Occurrence (ARO)
• The frequency with which a threat is expected to occur
• For example, a threat occurring once in ten years has an ARO of 1/10 or 0.1
Annualized Loss Expectancy (ALE)
• Annualized Loss Expectancy = Single Loss Expectancy X Annualized Rate of Occurrence
Risk Management - Probability
• The chance or likelihood that an event will occur
• For example, the probability of getting a 6 on a single roll of a die is 1/6, or 0.16667
• Probability ranges from 0 to 1
Risk Analysis and Assessment Cont…
Safeguard
• …occurrence of a specified threat or category of threats
Safeguard Effectiveness
• The degree, expressed as a percent, from 0 to 100%, to which a safeguard can be characterized as effectively mitigating a vulnerability and reducing associated loss risks
Uncertainty
• The degree, expressed as a percent, from 0.0% to 100%, to which there is less than complete confidence in the value of any element of the risk assessment
Risk Management - Establish Information Risk Management Policy
• IRM policy should begin with a high-level policy statement and supporting objectives, scope, constraints, responsibilities, and approach
• Communicate and Enforce
Establish an IRM Team
• A Top Down Approach will work well
Establish IRM Methodology and Tools
• Determine current status of Information Security Plan
• Strategic risk assessment
Identify and Measure Risk
• Perform Risk Assessment based on the IRM policy and IRM methodology & tools
Risk Management
• Asset Identification and Valuation
• Threat Analysis
• Vulnerability Analysis
• Risk Evaluation
• Interim Reports and Recommendations
• Cost/Benefit Analysis
• Establish Risk Acceptance Criteria
  − Example: do not accept more than a 1 in 100 chance of losing $1,000,000
• Risk Treatment (Mitigate Risk / Transfer the Risk)
• Safeguard Selection and Risk Mitigation Analysis
• Final Report
• Monitor Information Risk Management Performance
Risk Management - Qualitative versus Quantitative Approach
• The Qualitative Approach is a much more subjective approach to the valuation of information assets and the scaling of risk
• In general the risks are described as “low,” “medium,” or “high”
• The Quantitative Approach works with real numbers and uses formulas: ALE = ARO X (Asset Value X Exposure Factor = SLE)
• Assume the asset value is $1M, the exposure factor is 50%, and the annualized rate of occurrence is 1/10 (once in ten years)
• ($1M X 50% = $500K) X 1/10 = $50K
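The quantitative calculation above, carried through in code as an added example that is not part of the original deck: SLE and ALE as defined on the slides, plus a safeguard cost/benefit check built on the Safeguard Effectiveness figure and the risk-acceptance criterion from the IRM process slide. The Scenario type, the function names, and the assumption that safeguard effectiveness scales the exposure factor are mine.

```python
# Added worked example for the quantitative formulas on these slides
# (SLE = Asset Value x EF, ALE = SLE x ARO), extended with a safeguard
# cost/benefit check and the deck's risk-acceptance criterion. This is
# illustrative code, not material from the original presentation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF as a fraction 0.0..1.0 of AV lost per event
    aro: float              # annualized rate of occurrence (events per year)

def single_loss_expectancy(s: Scenario) -> float:
    """SLE = Asset Value x Exposure Factor (loss from one threat event)."""
    return s.asset_value * s.exposure_factor

def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO (expected loss per year)."""
    return single_loss_expectancy(s) * s.aro

def residual_ale(s: Scenario, effectiveness: float) -> float:
    """ALE after a safeguard whose effectiveness (0.0..1.0) is the fraction
    of the loss it mitigates. Assumption made here: effectiveness reduces
    the exposure factor, i.e. the event still happens but costs less."""
    reduced = Scenario(s.asset_value, s.exposure_factor * (1.0 - effectiveness), s.aro)
    return annualized_loss_expectancy(reduced)

def safeguard_net_benefit(s: Scenario, effectiveness: float, annual_cost: float) -> float:
    """Cost/benefit: (ALE before - ALE after) - annual cost of the safeguard.
    A positive result means the safeguard is cost-effective."""
    return annualized_loss_expectancy(s) - residual_ale(s, effectiveness) - annual_cost

def violates_acceptance_criterion(s: Scenario, max_probability: float, loss_threshold: float) -> bool:
    """The deck's criterion: 'do not accept more than a 1 in 100 chance of
    losing $1,000,000'. ARO is read as the annual probability of the event
    (reasonable while ARO < 1) and SLE as the loss incurred when it occurs."""
    return single_loss_expectancy(s) >= loss_threshold and s.aro > max_probability

if __name__ == "__main__":
    # The slide's own numbers: AV $1M, EF 50%, ARO 1/10 -> SLE $500K, ALE $50K
    fire = Scenario(asset_value=1_000_000, exposure_factor=0.5, aro=0.1)
    print(f"SLE=${single_loss_expectancy(fire):,.0f} ALE=${annualized_loss_expectancy(fire):,.0f}")
    print("net benefit of an 80%-effective safeguard costing $15K/yr:",
          f"${safeguard_net_benefit(fire, 0.8, 15_000):,.0f}")
    print("violates 1-in-100 / $1M criterion:", violates_acceptance_criterion(fire, 0.01, 1_000_000))
```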
Risk Management - Qualitative Approach
Pros
• Calculations, if any, are simple
• Usually not necessary to determine the monetary value of Information (CIA)
• Not necessary to determine quantitative threat frequency and impact data
• Not necessary to estimate the cost of recommended risk mitigation measures and calculate cost/benefit because the process is not quantitative
• A general indication of significant areas of risk
Cons
• The risk assessment and results are essentially subjective in both process and metrics
• The perception of value may not realistically reflect actual value at risk
• Only subjective indication of a problem
• It is not possible to track risk management performance objectively when all measures are subjective
Risk Management - Quantitative Approach
Pros
• Meaningful statistical analysis is supported
• The value of information (CIA), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood
• Information security budget decision making is supported
• Risk management performance can be tracked and evaluated
• Risk assessment results are derived and expressed in management’s language, monetary value, percentages, and probability annualized. Thus, risk is better understood
Cons
• Calculations are complex
• Not practical to execute a quantitative risk assessment without using a recognized automated tool and associated knowledge bases
• A substantial amount of information gathering is required
• Standard, independent threat population and threat frequency knowledgebase not yet developed and maintained, so vendor dependent
Awareness Training
• Security policies, standards, procedures, baselines, and guidelines
• Threats to physical assets and stored information
• Threats to open network environments
• Laws and regulations they are required to follow
• Specific organization or department policies they are required to follow
• How to identify and protect sensitive (or classified) information
• How to store, label, and transport information
• Who they should report security incidents to, regardless of whether it is just a suspected or an actual incident
• Email/Internet policies and procedures
• Social engineering
Implementation (Delivery) Options
• Posters
• Posting motivational and catchy slogans
• Videotapes
• Classroom instruction
• Computer-based delivery, such as CD-ROM, DVD, intranet access, Web-based access, etc.
• Brochures/flyers
• Pens/pencils/key-chains (any type of trinket) with motivational slogans
• Post-it notes with a message on protecting the Information Technology system
• Stickers for doors and bulletin boards
Implementation (Delivery) Options Cont…
• Cartoons/articles published monthly or quarterly in an in-house newsletter or specific department notices
• Special topical bulletins (security alerts in this instance)
• Monthly email notices related to security issues or email broadcasts of security advisories
• Security banners or pre-logon messages that appear on the computer monitor
• Distribution of items as an incentive
Questions & Feedback
???