-
Components of risk identification
People, Procedures, Data, Software, Hardware
-
three general categories of controls:
Policies, Programs, Technologies
-
five risk control strategies
Defend, Transfer, Mitigate, Accept, Terminate
-
Three common methods of risk avoidance:
- Application of policy,
- Training and education,
- Applying technology
-
Cost Benefit Analysis (CBA) Formula
CBA = ALE(prior) – ALE(post) – ACS
-
Information Security Governance Five Goals
- Strategic alignment,
- Risk management,
- Resource management,
- Performance measures,
- Value delivery
-
Components of Issue-Specific Security Policy (ISSP)
- Statement of Policy,
- Authorized Access and Usage of Equipment,
- Prohibited Use of Equipment,
- Systems Management,
- Violations of Policy,
- Policy Review and Modification,
- Limitations of Liability
-
Stages of Business Impact Analysis (BIA)
- Threat attack identification and prioritization,
- Business unit analysis,
- Attack success scenario development,
- Potential damage assessment,
- Subordinate plan classification
-
Six steps in contingency planning process
- Identifying mission- or business-critical functions
- Identifying resources that support critical functions
- Anticipating potential contingencies or disasters
- Selecting contingency planning strategies
- Implementing contingency strategies
- Testing and revising strategy
-
Law enforcement agencies disadvantages:
- Once a law enforcement agency takes over a case, the organization cannot control the chain of events
- Organization may not hear about the case for weeks or months
- Equipment vital to the organization’s business may be tagged as evidence
- If the organization detects a criminal act, it is legally obligated to involve appropriate law enforcement officials
-
Law enforcement agencies advantages:
- Agencies may be better equipped at processing evidence
- Organization may be less effective in convicting suspects
- Law enforcement agencies are prepared to handle any necessary warrants and subpoenas
- Law enforcement is skilled at obtaining witness statements and other information collection
-
Three components of Contingency planning (CP)
- incident response planning (IRP),
- disaster recovery planning (DRP),
- and business continuity planning (BCP)
-
Enterprise Information Security Policy (EISP) addresses compliance in two areas:
- Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components
- Use of specified penalties and disciplinary action
-
Three approaches when creating and managing ISSPs
- Create a number of independent ISSP documents
- Create a single comprehensive ISSP document
- Create a modular ISSP document
-
Systems-specific policies fall into two groups:
- Managerial guidance
- Technical specifications
-
ISO 27000 Series
- One of the most widely referenced and often discussed security models
- Framework for information security that states organizational security policy is needed to provide management direction and support
- Purpose is to give recommendations for information security management
- Provides a common basis for developing organizational security
-
Design of Security Architecture: levels of controls
- Management controls
- Operational controls
- Technical controls
-
NIST Special Publication 800-14
Generally Accepted Principles and Practices for Securing IT Systems
- Security supports the mission of the organization; is an integral element of sound management
- Security should be cost effective; owners have security responsibilities outside their own organizations
- Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach
- Security should be periodically reassessed; security is constrained by societal factors
-
Spheres of security:
foundation of the security framework
-
Defense in depth
- Implementation of security in layers
- Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
-
Security perimeter
- Point at which an organization’s security protection ends and outside world begins
- Does not apply to internal attacks from employee threats or on-site physical threats
-
Firewall:
device that selectively discriminates against information flowing in or out of organization
-
DMZs:
no-man’s land between inside and outside networks where some place Web servers
-
Intrusion detection systems (IDSs):
in an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement an IDS
-
Security Education, Training, and Awareness Program (SETA)
- SETA is a control measure designed to reduce accidental security breaches
- Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely
-
Incident response plans (IRPs), disaster recovery plans (DRPs), and business continuity plans (BCPs): primary functions
- IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP
- DRP typically focuses on restoring systems after disasters occur; as such, it is closely associated with BCP
- BCP occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources
-
Business Impact Analysis (BIA)
- Investigation and assessment of the impact that various attacks can have on the organization
- Assumes security controls have been bypassed, have failed, or have proven ineffective, and the attack has succeeded
-
Attacks classified as incidents if they:
- Are directed against information assets
- Have a realistic chance of success
- Could threaten confidentiality, integrity, or availability of information resources
-
Model for a Consolidated Contingency Plan
- Single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR and DR plans
- Model is based on analyses of disaster recovery and incident response plans of dozens of organizations
-
Information Security Governance
- Set of responsibilities and practices exercised by the board and executive management
- Goal is to provide strategic direction, ensuring that objectives are achieved
- Ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly
-
Enterprise Information Security Policy (EISP)
- Sets strategic direction, scope, and tone for all security efforts within the organization
- Executive-level document, usually drafted by or with the CIO of the organization
- EISP elements
-
EISP Elements
- An overview of the corporate philosophy on security
- Information on the structure of the information security organization and individuals who fulfill the information security role
- Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated responsibilities for security that are unique to each role within the organization
-
Issue-Specific Security Policy (ISSP)
- Addresses specific areas of technology
- Requires frequent updates
- Contains a statement on the organization’s position on a specific issue
-
Systems-Specific Policy (SysSP)
frequently function as standards and procedures used when configuring or maintaining systems
-
Hot sites
fully operational sites
-
Warm sites
fully operational hardware, but software may not be present
-
Cold sites
rudimentary services and facilities
-
Crisis management team is responsible for managing event from an enterprise perspective and covers:
- Supporting personnel and families during the crisis
- Determining impact on normal business operations and, if necessary, making a disaster declaration
- Keeping the public informed
- Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
-
Risk management
process of identifying and controlling risks facing an organization
-
Risk identification
process of examining an organization’s current information technology security situation
-
Risk control
applying controls to reduce risks to an organization’s data and information systems
-
Communities of interest are responsible for:
- Evaluating the risk controls
- Determining which control options are cost effective for the organization
- Acquiring or installing the needed controls
- Ensuring that the controls remain effective