Unit Outline: Qualitative Risk Analysis
• Module 1: Qualitative Risk Analysis
• Module 2: Determine Assets and Vulnerabilities
• Module 3: Determine Threats and Controls
• Module 4: Matrix Based Approach
• Module 5: Case Study
• Module 6: Summary
Determine Threats and Controls: Learning Objectives
• Students should be able to:
  • Identify threats
  • Understand different types of controls
  • Recognize the different functions of controls

Determine Threats and Controls: Identification of Threats
• Threat: potential cause of an unwanted event that may result in harm to the agency and its assets. A threat is a manifestation of vulnerabilities.
• Malicious
  • Malicious software (viruses, worms, trojan horses, time bomb, logic bomb, rabbit, bacterium)
  • Spoofing or masquerading
  • Sequential or dictionary scanning
  • Snooping (electronic monitoring or “shoulder surfing”)
  • Scavenging (“dumpster diving” or automated scanning of data)
  • Spamming
  • Tunneling
• Unintentional
  • Equipment or software malfunction
  • Human error (back door or user error)
• Physical
  • Power loss, vandalism, fire/flood/lightning damage, destruction
Source: http://www.caci.com/business/ia/threats.html

Determine Threats and Controls: Functions of Controls
• Security controls: implementations to reduce overall risk and vulnerability
• Deter
  • Avoid or prevent the occurrence of an undesirable event
• Protect
  • Safeguard the information assets from adverse events
• Detect
  • Identify the occurrence of an undesirable event
• Respond
  • React to or counter an adverse effect
• Recover
  • Restore integrity, availability and confidentiality of information assets
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls
Determine Threats and Controls: Controls
• Organizational & Management Controls
  • Information security policy, information security infrastructure, third party access, outsourcing, mobile computing, telecommuting, asset classification and control, personnel practices, job descriptions, segregation of duties, recruitment, terms and conditions of employment, employee monitoring, job terminations and changes, security awareness and training, compliance with legal and regulatory requirements, compliance with security policies and standards, incident handling, disciplinary process, business continuity management, system audits
• Physical & Environmental Controls
  • Secure areas, equipment security, clear desk and screen policy, removal of property
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Threats and Controls: Operational Controls
• Operational Controls
  • Documentation, configuration and change management, incident management, software development and test environment, outsourced facilities, systems planning, systems and acceptance testing, protection against malicious code, data backup, logging, software and information exchange, security of media in transit, electronic commerce security, electronic data interchange, internet commerce, email security, electronic services, electronic publishing, media
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Threats and Controls: Technical Controls
• Technical Controls
  • Identification and authentication, passwords, tokens, biometric devices, logical access control, review of access rights, unattended user hardware, network management, operational procedures, predefined user access paths, dial-in access controls, network planning, network configuration, segregation of networks, firewalls, monitoring of network, intrusion detection, internet connection policies, operating system access control, identification of terminals and workstations, secure logon practices, system utilities, duress alarm, time restriction, application access control and restriction, isolation of sensitive applications, audit trails and logs
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Threats and Controls: Summary
• Threats exploit vulnerabilities to harm assets.
• Controls are used to diminish or prevent the impact of threats.
• Controls come in three types:
  • Organizational and Management Controls
  • Physical and Environmental Controls
  • Operational Controls