Protecting Information Assets - Temple MIS · 2017. 9. 30. · MIS 5206 Protecting Information...
MIS 5206 Protecting Information Assets
Protecting Information Assets - Week 5 -
Risk Evaluation
MIS5206 Week 5
• Brief intro to Team Project
• In the News
• Week 3 & 4 Material Highlights
• Risk Evaluation
• Test Taking Tip
• Quiz
Weeks 3&4: Data Classification Process and Models
Why is data classification important?
• Focuses attention on the identification and valuation of information assets
• Is the basis for access control policy and processes
Weeks 3&4: Data classification process and models
Risk Evaluation
Risk evaluation is the process of identifying risk scenarios and describing their potential business impact.
Risk Evaluation - Key Components
Collect Data
Identify relevant data to enable effective IT-related risk identification, analysis and reporting
Analyze Risk
Develop useful information to support risk decisions that take into account the business impact of risk factors
Maintain Risk Profile
Maintain an up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
Risk Evaluation - Collect Data (RE-1)
• Goal: Ensure IT-related risks and opportunities are identified, analyzed and presented in business terms
• Metric: Cumulative business impact from IT-related incidents and events not identified by risk evaluation processes
Risk Evaluation - Collect Data (RE-1)
• Process Goal: Identify relevant data to enable effective IT-related risk identification, analysis and reporting
• Process Metrics:
  – # of loss events with key characteristics not captured or measured
  – Degree to which collected data support
    • Analyzing scenarios and reporting trends
    • Visibility and understanding of the control state
    • Visibility and understanding of the threat landscape
Risk Evaluation - Collect Data (RE1)
• Activity Goals:
  – Establish and maintain a risk data collection model
  – Identify risk factors
  – Collect data on operating environment
  – Collect data on risk events
• Process Metrics:
  – Existence of a documented risk data collection model
  – # of data sources
  – # of data items with identified risk factors
  – Completeness of
    • Risk event data
      – Affected assets
      – Impact data
      – Threats
      – Controls
      – Measures of the effectiveness of controls
    • Historical data on risk factors
RE1: Collect Data summary of goals and metrics
RE-1: Collect Data – Key Activities
RE1.1 Establish and maintain a model for data collection
RE1.2 Collect data on the operating environment
RE1.3 Collect data on risk events
RE1.4 Identify risk factors
Risk Evaluation - Collect Data: Roles
• Board of directors
• Chief Executive Officer (CEO)
• Chief Financial Officer (CFO)
• Chief Risk Officer (CRO)
• Enterprise Risk Committee
• Business Management
• Business Process Owner
• Risk Control Functions
• Human Resources
• Compliance and Audit
Risk Evaluation - Analyze Risk (RE2)
Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)
FIPS 199: Risk event impact ratings
FIPS 199: Composite IS risk event impact ratings
Example with multiple information types:
Security Categorization of Different Types of Information and Information Systems
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
How to prioritize an enterprise’s data for protection?
Analyzing risk to prioritize protection
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99
Transforming ordinal risk rankings to interval risk measures
Analyzing risk example
Analyze Risk
Maintain Risk Profile
…Projected Growth of Data
What is a zettabyte?
A zettabyte is a quantity of information or information storage capacity equal to 10^21 bytes.
Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.
Data Retention
Why have a formal data retention policy?
a) Applicable Laws and Regulations
b) Resource Limits
c) Privacy
d) Access
e) Security
f) Plagiarism and Copyright
g) Enforcement
Why companies need to have a formal data retention policy…
• Practical Concerns
• Regulatory Concerns
• Privacy Concerns
Data Retention
Establishing a Data Retention Policy
• Establish data classes
• Classify data
• Establish retention periods
• Select archive methods
  – Paper-based
  – Electronic forms
• Create end-of-life processes
• Create policies for destruction of media
• Identify roles and responsibilities
  – Owner
    • Manages the business function that generates and/or uses the data
    • Has business and/or regulatory responsibility for data quality and management
  – Steward
    • Focuses on managing data content and the business logic behind all data transformations
  – Custodian
    • Oversees the safe transport and storage of data
    • Focuses on the underlying infrastructure and activities required to keep the data intact
• Create enforcement mechanisms
Data Retention
Handling Customer Data
• Conduct an enterprise application compliance review
• Implement Payment Application Data Security Standard (PA-DSS)
• Pilot data tokenization solutions
• Implement end-to-end encryption
• Restrict internal access to customer data
Test Taking Tip
Focus on the “highest likelihood” answers for test taking efficiency
- Eliminate any “probably wrong” answers first -
Here’s why:
• Some of the answers use unfamiliar terms and stand out as unlikely and can therefore be discarded immediately
• Some answers are clearly wrong and you can recognize them based on your familiarity with the subject
• The correct answer may require a careful reading of the wording of the question, and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice
Example:
The promotion manager of Northeast Electronics has been made the owner of the department’s printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control?
A. Mandatory
B. Role-Based
C. Discretionary
D. Distributed
Answer: C
• Nothing seems mandatory about this scenario
• Maybe ….
• Nothing about roles other than manager in the question
• Distributed is not relevant to the information in the question
Quiz