Personnel good practice l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 33

Personnel good practice PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Personnel good practice. Job description; roles and responsibilities Least privilege/Need to know Compliance with need to share Separation of duties / responsibilities Job rotation Mandatory vacations. Security Awareness. Awareness training Remind employees of security responsibility

Download Presentation

Personnel good practice

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Personnel good practice l.jpg

Personnel good practice

Job description; roles and responsibilities

Least privilege/Need to know

Compliance with need to share

Separation of duties / responsibilities

Job rotation

Mandatory vacations

Summer 2008

Security awareness l.jpg

Security Awareness

Awareness training

Remind employees of security responsibility

Motivate personnel to comply with them





Summer 2008

Training and education l.jpg

Training and Education

Job training

Provide skills to perform security functions.

Focus on security-related job skills

Address security requirements of the organization, etc.

Professional Education

Provide decision-making and security management skills important for success of security program.

Summer 2008

Good training practice l.jpg

Good training practice

Address all the audience


Data Owner and custodian

Operations personnel


Support personnel

Summer 2008

Risk in nist sp 800 30 l.jpg

Risk in NIST SP 800-30

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization

Summer 2008

Risk related definitions l.jpg

Risk related Definitions

Vulnerability: A Flaw or weakness in system procedures, design, implementation or internal controls that could be used breach or violate the system

Likelihood: probability that a vulnerability may be used in the threat environment.

Threat: the Potential for a mal-actor to exercise a vulnerability.

Countermeasure: risk reduction method (technical, operational, manageriaal, or combination)

Summer 2008

Risk management concept flow l.jpg

Risk Management concept flow

Summer 2008

Risk management definitions l.jpg

Risk Management Definitions

Asset:something valued (to accomplish goals and objectives)

Threat Agent:anything that can pose or cause a threat.

Exposure: situation when a threat can cause loss.

Vulnerability: weakness that could be exploited.

Attack:Intentional action attempting to cause harm.

Risk:probability that some event can occur

Residual Risk:risk remaining after countermeasures and safeguards have been applied

Summer 2008

Risk management l.jpg

Risk Management

To identify possible problems before they occur so that risk-handling activities may be planned and invoked as needed during the life of the product or project

Summer 2008

The risk equation l.jpg

The Risk Equation

Summer 2008

Risk management11 l.jpg

Risk Management

Identify and reduce risks

Mitigating controls [Safeguards & Countermeasures]

Residual Risk when countermeasures exist but are not sufficient  should be at acceptable level

Summer 2008

Purpose of risk analysis l.jpg

Purpose of Risk Analysis

Identify and justify risk mitigation

Assess threats to business processes and IS

Justify use of countermeasures

Describe security based on risk to the organization

Summer 2008

Benefits of risk analysis l.jpg

Benefits of Risk Analysis

Focus on policy and resources

Identify areas with specific risk

good IT Governance, supporting

Business continuity

Insurance and liability decisions

Legitimize security awareness program

Summer 2008

Emerging threats l.jpg

Emerging threats

Risk Assessment must address new threats

New technology

Change in culture of the organization

Unauthorized use of technology.

May be discovered by periodic risk assessment

Summer 2008

Sources of identity threats l.jpg

Sources of identity threats


System administrators

Security officers



Facility records

Community and government records

Vendor/security provider alerts

Other threats:

Natural disasters – flood, tornado, etc.

Environment -- overcrowding or poor morale

Facility -- physical security or location of building

Summer 2008

Risk analysis key factors l.jpg

Risk analysis key factors

Obtain senior management support

Establish risk assessment team

Define and approve purpose and scope

Select team members

State their authority and responsibility

Have management review findings and recommendations

Risk team members to include: IS System Security, IT & Operations Management, Internal Audit, Physical security, etc

Summer 2008

Use of automated tools for risk management l.jpg

Use of automated tools for risk management

Objective: to minimize manual effort

May be time consuming in setup

Perform calculations quickly

Estimate future expected loss

Determine benefit of security measures

Summer 2008

Preliminary security evaluation l.jpg

Preliminary security evaluation

Identify vulnerabilities

Review existing security measures

Document findings

Obtain management review and approval

Summer 2008

Risk analysis types l.jpg

Risk analysis types

Two types



Both provide valuable metrics

Both required for a full picture

Summer 2008

Quantitative risk analysis l.jpg

Quantitative risk analysis

Determine monetary value

Fully quantitative if all elements are quantified, but this is difficult to achieve. Requires much time and personnel effort

Summer 2008

Determining asset value l.jpg

Determining Asset Value

Cost to acquire, develop, and maintain

Value to owners, custodians, or users

Liability for protection

Recognize real world cost and value

Price others are willing to pay for it

Value of intellectual property


Summer 2008

Quantitative analysis steps l.jpg

Quantitative analysis steps

Estimate potential single loss expectancy

SLE = Asset Value ($) * Exposure Factor

Exposure Factor=% of asset loss when threat succeeds

Types of loss

Physical destruction, theft, Loss of data, etc

Conduct threat analysis

ARO-Annual Rate of Occurrence

Expected number of exposures/incidents per year

Likelihood of unwanted event happening

Determine Annual Loss Expectancy (ALE)

Magnitude of risk = Annual Loss Expectancy

Purpose  to justify security countermeasures


Summer 2008

Qualitative risk analysis l.jpg

Qualitative Risk analysis

Scenario oriented

Does not assign numeric values to risk components

Qualitative risk analysis is possible

Qualitative risk analysis factors

Rank seriousness of threats and sensitivity of assets

Perform a reasoned risk assessment

Summer 2008

Other risk analysis methods l.jpg

Other risk analysis methods

Failure modes and effects analysis

Potential failures of each part or module

Examine effects of failure at three levels

Immediate (part or module)

Intermediate (process or package)


Fault tree or spanning tree analysis

Create a “tree” of all possible threats and faults

“Branches” are general categories [network threats, physical threats, component failures, etc.]

Prune “branches” that do not apply

Concentrate on remaining threats.

Summer 2008

Risk mitigation options l.jpg

Risk mitigation options

Risk Acceptance

Risk Reduction

Risk Transference

Risk Avoidance

Summer 2008

The right amount of security l.jpg

The right amount of security

Cost/Benefit analysis- balance cost of protection versus asset value

Need to assess:

Threats, Adversary, means , motives, and opportunity.

Vulnerabilities and Resulting risk

Risk tolerance

Summer 2008

Countermeasures selection principles l.jpg

Countermeasures Selection Principles

Based on cost/benefit analysis, cost of safeguard

Selection and acquisition

Construction and placement

Environment modification

Nontrivial operating cost

Maintenance, testing

Potential side effects

Cost justified by potential loss


At least one person for each safeguard

Associate directly with performance review

Absence of design secrecy

Summer 2008

Countermeasures selection principles cont l.jpg

Countermeasures Selection Principles (Cont.)

Audit capability

Must be testable

Include auditors in design and implementation

Vendor Trustworthiness

Review past performance

Independence of control and subject

Safeguards control/constrain subjects

Controllers administer safeguards

Controllers and subject have different populations

Universal application

Impose safeguards uniformly

Minimize exceptions

Summer 2008

Countermeasures selection principles cont29 l.jpg

Countermeasures Selection Principles (Cont.)

Compartmentalization and defense in depth

Role of Safeguards

to improve security through layers

Isolation, economy, and least common mechanism

Isolate from other safeguards

Simple design is cost effective and reliable, etc

Acceptance and tolerance by personnel

Care taken to avoid implementing controls that pose unreasonable constraints

Less intrusive controls more acceptable

Minimize human intervention

Reduce possibility of errors and “exceptions” by reducing reliance on administrative staff to maintain control

Summer 2008


Countermeasures selection principles cont30 l.jpg

Countermeasures Selection Principles (Cont.)


Reaction and recovery

Countermeasures, when activated, should:

Avoids asset destruction and stop further damage

Prevent disclosure of sensitive information through a covert channel

Maintain confidence in system security

Capture information related to the attack and attacker

Override and fail-safe defaults

Residual and reset

Summer 2008

Basis and origin of ethics l.jpg

Basis and Origin of Ethics

Religion, law, tradition, culture

National interest

Individual rights

Enlightened self interest

Common good/interest

Professional ethics/practices

Standards of good practice

Summer 2008

Ethics l.jpg


Formal ethical theories

Teleology: Ethics in terms of goals, purposes, or ends

Deontology: Ethical behavior is duty

Common ethical fallacies

Computers are a game

Law-abiding citizen, Gentlemanly conduct, Free information




Difficult to define

Start with senior management

Summer 2008

Professional codes of ethics l.jpg

Professional Codes of ethics

Internet Activities Board (IAB)

Any activity is unethical & unacceptable that purposely:

Seeks to gain unauthorized access to the internet resources

Disrupts the intended use of the internet

Wastes resources through such actions

Destroys the integrity of computer-based information

Compromises the privacy of users

Involves negligence in the conduct of internet-wide experiments

ACM and IEEE (look them up)


Protect society, the commonwealth, and the infrastructure

Provide diligent and competent services to principals, etc


Professional codes may have legal importance

Summer 2008

  • Login