Assessment Presentation Philip Robbins - July 14, 2012 University of Phoenix Hawaii Campus...
[Slide 1]
Assessment Presentation
Philip Robbins - July 14, 2012
University of Phoenix Hawaii Campus
Fundamentals of Information Systems Security
[Slide 2]
Scope & Applicability
UOPX Courses
- CIS 207 Information Systems Fundamentals
- CMGT 244 Intro to IT Security
- CMGT 245 IS Security Concepts
- CMGT 400 Intro to Information Assurance & Security
- CMGT 440 Intro to Information Systems Security
- CMGT 441 Intro to Information Systems Security Management
- CMGT 430 Enterprise Security
- CMGT 442 Information Systems Risk Management
[Slide 3]
Objectives
• Review of Concepts. What is (are):
- Information Systems?
- Information Security?
- Information Systems Security?
- Information Assurance?
- Cyber Security?
- Defense in Depth?
• Significance / Importance of Concepts
• Advanced Topics in Security Risk Analysis
• Present & Future Challenges
• Q&A
[Slide 4]
Who am I?
• Information Systems Authorizing Official Representative
- United States Pacific Command (USPACOM)
- Risk Management Field
- Assessments to USPACOM Authorizing Official / CIO
• Former Electronics Engineer
• Bachelor of Science in Electrical Engineering
• Master of Science in Information Systems
• Ph.D. Student in Communication & Information Sciences
• Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP)
[Slide 5]
Review of Concepts
• What are Information Systems?
- Systems that store, transmit, and process information.
• What is Information Security?
- The protection of information.
• What is Information Systems Security?
- The protection of systems that store, transmit, and process information.
[Slide 6]
Review of Concepts
• What is Information Assurance?
- Emphasis on Information Sharing
- Establishing and controlling trust
- Authorization and Authentication (A&A)
• What is Cyber Security?
- Protection of information and systems within networks that are connected to the Internet.
[Slide 7]
Review of Concepts
• Progression of Terminology
- Computer Security (COMPUSEC): Legacy term (no longer used).
- Information Security (INFOSEC): Legacy term (still used).
- Information Assurance (IA): Term widely accepted today, with focus on Information Sharing.
- Cyber Security: Broad term quickly being adopted.
[Slide 8]
Review of Concepts
• What is the Defense in Depth Strategy?
- Using layers of defense as protection.
• People, Technology, and Operations.
Onion Model (layers, innermost to outermost): DATA, APPLICATION, HOST, INTERNAL NETWORK, PERIMETER, PHYSICAL, POLICIES & PROCEDURES
[Slide 9]
Review of Concepts
Defense in Depth Primary Elements (diagram; labels recovered from the figure):
- DiD PDR Paradigm: PROTECT, DETECT, REACT
- Primary elements: PEOPLE, TECHNOLOGY, OPERATIONS
- INFORMATION SECURITY / Information Security Services (ISS): Confidentiality ISS, Integrity ISS, Availability ISS
- INFORMATION ASSURANCE / Information Assurance Services (IAS): Continuity IAS, Physical IAS, Cyber IAS, Configuration IAS, Training IAS, Identity A&A IAS, Content IAS
[Slide 10]
ISS Management
• What is a Backup Plan (BP) vs Disaster Recovery Plan (DRP) vs Emergency Response Plan (ERP) vs Business Recovery Plan (BRP) vs Business Impact Analysis (BIA) vs Incident Response Plan (IRP) vs Continuity of Operations Plan (COOP) vs Contingency Plan?
• Policy & Planning
• Test, Audit, Update
• Configuration Control
• Protection, Detection, Reaction (Assessment, CND, Incident Response)
[Slide 11]
Why is this important?
• Information is valuable.
therefore,
• Information Systems are valuable.
etc…
• Compromise of Information Security Services (C-I-A) has real consequences (loss)
- Confidentiality: death, proprietary info, privacy, theft
- Integrity: theft, disruption
- Availability: productivity lost, C2, defense, emergency services
[Slide 12]
Why is this important?
• Fixed Resources
• Sustainable strategies reduce costs
(Chart: Cost vs Time / Incidents; PROTECT, DETECT and REACT cost curves "Without DiD" and "With DiD", plotted against a "Cost Prohibitive / Threshold" line.)
[Slide 13]
Advanced Topics: Measuring Risk
• What is Risk?
thus
• Qualitative vs. Quantitative Methods
• Risk Assessments vs. Risk Analysis
• Security Risk Analysis (SRA)
• Units for measurement?
[Slide 14]
Advanced Topics: Measuring Risk
• Risk is conditional, NOT independent.
[Slide 15]
Advanced Topics: Measuring Risk
• Quantitative, time-dependent (continuous) Risk Distribution Function:
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems (Master's Thesis). Hawaii Pacific University, Honolulu, HI.
[Slide 16]
Advanced Topics: Measuring Risk
• Expected Value of Risk = Product of Risks
• Risk is never zero
• Risk Dimension (units): confidence in ISS, C-I-A
[Slide 17]
Advanced Topics: Measuring Risk
• Expected Value and Risk Loss Confidence vs Cumulative Risk Product
[Slide 18]
Advanced Topics: Measuring Risk
• Quantitative Risk Determination Expression
• Risk Rate & Risk Variability
• Adjudication of Risk
[Slide 19]
Advanced Topics: Measuring Risk
• Determining Risk Tolerance / Threshold Levels
[Slide 20]
Advanced Topics: Measuring Risk
• Risk Areas as a function of Probability and Impact
[Slide 21]
Present Challenges
• Rapid growth of Advanced Persistent Threats (APTs)
• Half million cases of cyber related incidents in 2012.
• Is this a problem?
• What about vulnerabilities associated with interconnections?
Source: US-CERT
[Slide 22]
Future Challenges
• Cyberspace: Are we at war?
• Cyber Crime vs Cyber Warfare vs Cyber Conflict
(Diagram: CYBER CRIME, CYBER WARFARE and CYBER CONFLICT placed along a spectrum of ESPIONAGE (spying / theft of information), SABOTAGE (disruption) and ATTACK (destruction).)
[Slide 23]
Closing Thoughts
• Information Systems Security (Cyber Security) is an explosive field.
- Spanning Commercial, Private and Government Sectors
- Demand >> Capacity: Strategies, solutions, workforce
- $
- Evolving field (not fully matured)
• Security will change our communications landscape
- Efficiencies (centralization of services, technology)
- Intelligent design of network interconnections and interdependencies
- Regulations
[Slide 24]
Thank you!
Got Questions?