
Dr. Faisal Abdullah CISSP, CISA, ACE. Associate Professor of Management Information Systems

Dr. Faisal Abdullah CISSP, CISA, ACE. Associate Professor of Management Information Systems. Dr. Faisal Abdullah. Director of the Master of Science in Information Security Program (MSIS) Associate Professor of MIS Research and Teaching Interests include: Information Security Risk Analysis


Presentation Transcript


  1. Dr. Faisal Abdullah CISSP, CISA, ACE. Associate Professor of Management Information Systems

  2. Dr. Faisal Abdullah • Director of the Master of Science in Information Security Program (MSIS) • Associate Professor of MIS • Research and Teaching Interests include: • Information Security Risk Analysis • Computer Forensics • Management of Information Security

  3. Lewis University • Founded in 1932 on a 376-acre campus in Romeoville, IL • Offers 80 undergraduate and 25 graduate programs to approximately 6,500 students • Guided by its Catholic and Lasallian heritage • Nationally recognized by • Lewis is playing the University of Southern California in the NCAA National Collegiate Men’s Volleyball Championship at 8pm PST this evening

  4. MSIS • MSIS Program • This online degree program explores the theory and practice of IT security on a global scale, the latest advances in all of the involved technologies, as well as the legal and ethical issues facing IT security professionals. • Outcomes map to eleven certifications including CISSP, CISM, CEH, CRISC • 2 concentrations: Managerial and Technical • To learn more, visit online.lewisu.edu or call 1-866-967-7046

  5. Technology and Non-Profit Organization • Connectivity and Internet presence is vital to any organization • Non-profit organizations use information technology to • disseminate information • raise funds • manage resources.

  6. Information Security and Non-profits • Most non-profits mainly focus their strategies on • fundraising • operations • not on information security and data protection.

  7. Information Security and Non-profits • Non-profit organizations face the same information security threats as any other organization • But do not have the same resources available to for-profit companies • According to the FBI, non-profit organizations are most susceptible to security incidents

  8. Data Assets of a Non-profit organization • Donor records • personal information • Addresses • phone numbers • Donor credit card details • Donor bank information • Organizational data

  9. Data Assets of a Healthcare Non-profit organization • confidential patient information • Patient names, • Patient addresses, • Medical history • Family information

  10. Risks of losses to Non-profit organizations • Financial Loss • Loss of Reputation • Damaged Employee Morale and Defections • Donor Disenchantment and Loss • Litigation

  11. How to protect your organization? • Information security is a technical business discipline. • Protect your organization by mitigating Risks • Use qualitative and quantitative techniques for risk assessment

  12. What is Risk Management? • Process of identifying and controlling risks facing an organization • Involves identifying organization’s assets and identifying threats/vulnerabilities • Know yourself and know the enemy • Management buy-in crucial for Risk Management. Top-down approach

  13. Risk Management • Step 1 Identify Assets • Step 2 Identify Value of Assets • Step 3 Identify Vulnerabilities of Assets • Step 4 Threat Identification • Step 5 Assess the exposure of the asset to a particular Threat

  14. Risk Management • Step 6 Calculate the loss from a single incident • Step 7 Assess the likelihood of occurrence for each Threat • Step 8 Calculate the losses per year from each threat • Step 9 Identify Controls • Step 10 Constant evaluation and maintenance

  15. Risk Management Step 1 – Identify Assets • Inventory of all Data and Information Assets • IT Department may have a list of all IT Assets

  16. Risk Management Step 1 – Identify Assets • Determine location of the Data Assets • Donor information • Credit card and financial information • Campaign plans • Employee data • Healthcare data • Anything valuable to the organization

  17. Risk Management: Step 2 Value of Tangible Assets • Calculate the Asset value (AV) – Tangible and Intangible • For Tangible Assets consider • Purchase cost • Installation cost • Troubleshooting cost • Contingencies • Loss of business services to outside customers • Loss of business services to internal employees Ding Tan, 2002.

  18. Risk Management: Step 2 Value of Intangible Assets • For Intangible Assets – goodwill, reputation • Income Approach • Economic Benefit of an Asset • Consider Cost of Litigation Ding Tan, 2002.

  19. Risk Management Step 3 Identify Vulnerabilities of Assets • Identify Logical and Physical vulnerabilities • Conduct a vulnerability assessment and a penetration test • For an independent evaluation • Hire an independent firm or outside consultant

  20. Risk Management Step 4 Threat Identification • Realistic threats • Identify threats based on Vulnerabilities identified in Step 3

  21. Risk Management Step 4 Threat Identification • Sources of internal data • IT Help Desk • Users • Managers and Supervisors • Human Resources Department

  22. Risk Management Step 4 Threat Identification • Sources of external data • Threat advisories • Industry and peer reports • Insurance reports • Government reports • National Weather Bureau

  23. Risk Management Step 5 Exposure of an Asset • Evaluate robustness of existing controls – Exposure Factor (EF) Ding Tan, 2002.

  24. Risk Management Step 5 Exposure of an Asset. Start with 100% for the starting exposure factor and answer each of the following questions:
  • Does the system under attack have any redundancies / backups / copies? Subtract 30% if the answer is YES.
  • Is the system under attack behind a firewall? Subtract 10% if the answer is YES.
  • Is the attack from outside? Subtract 20% if the answer is YES.
  • What is the potential rate of attack? (10% damage / hour vs. 10% damage / min)
    • Subtract 20% if the answer is less than 20% damage/hr
    • Subtract 40% if the answer is less than 2% damage/hr
  • What is the likelihood that the attack will go undetected in time for a full recovery?
    • Subtract 10% if the probability of being undetected is less than 20%
    • Subtract 30% if the probability of being undetected is less than 10%
  • How soon can countermeasures be implemented in time, if at all?
    • Subtract 30% if the countermeasure can be implemented within ½ hour
    • Subtract 20% if the countermeasure can be implemented within 1 hour
    • Subtract 10% if the countermeasure can be implemented within 2 hours

  25. Risk Assessment Step 6 Loss from an incident • Calculate the loss from a one time occurrence of a threat • Single Loss Expectancy (SLE) = Asset Value (AV) X Exposure Factor (EF) Ding Tan, 2002.

  26. Risk Assessment: Step 7 Likelihood of Occurrence • Assess the likelihood of occurrence for each threat during a period of one year. • Annual Rate of occurrence (ARO)

  27. Risk Assessment: Step 7 Likelihood of Occurrence • Assess ARO from internal resources • IT Help Desk • Users • Managers and Supervisors • Human Resources Department

  28. Risk Assessment: Step 7 Likelihood of Occurrence • Assess ARO from External resources • Threat advisories • Industry and peer reports • Insurance reports • Government reports • National Weather Bureau data

  29. Risk Management – Step 8 Loss per year • Calculate the Annual Loss Expectancy (ALE) • Losses per year from each threat • Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO) Ding Tan, 2002.

  30. Risk Assessment Example Ding Tan, 2002.

  31. Risk Management Step 9 Identify Controls • Identify Controls based on the Risk from each threat • Mitigate risks to an acceptable level by applying controls

  32. Risk Management Step 9 Identify Controls • Controls can be • Good Policies • Security Awareness • Employee and user training • Software Controls • Hardware Controls • Personnel Controls

  33. Risk Management Step 9 Identify Controls • Cost-Benefit Analysis • Cost of implementing a control • Benefit – reduction in losses from a threat
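As an added worked example (not part of the presentation), Steps 5 through 8 and the Step 9 cost-benefit test coded in Python: the slide 24 exposure-factor questionnaire, SLE = AV x EF, ALE = SLE x ARO, and the net yearly benefit of one control. The slide's overlapping rate and detection brackets are read as tiers where only the larger deduction applies, EF is floored at 0%, and the donor-database figures, answers and control cost are constructed.

```python
# Added example, not from the deck: slide 24's Exposure Factor questionnaire in
# whole percentage points, then SLE/ALE (slides 25, 29) and Step 9 cost-benefit.
# Assumed: overlapping brackets are tiers (only the larger discount applies),
# EF floors at 0%, and every dollar figure and answer below is constructed.

def exposure_factor_pct(has_backups, behind_firewall, external_attack,
                        damage_pct_per_hour, p_undetected, countermeasure_hours):
    ef = 100                              # slide 24: start at 100%
    if has_backups:                       # redundancies / backups / copies
        ef -= 30
    if behind_firewall:
        ef -= 10
    if external_attack:
        ef -= 20
    if damage_pct_per_hour < 2:           # potential rate of attack
        ef -= 40
    elif damage_pct_per_hour < 20:
        ef -= 20
    if p_undetected < 0.10:               # chance the attack stays undetected
        ef -= 30
    elif p_undetected < 0.20:
        ef -= 10
    if countermeasure_hours is not None:  # None = no countermeasure possible
        if countermeasure_hours <= 0.5:
            ef -= 30
        elif countermeasure_hours <= 1:
            ef -= 20
        elif countermeasure_hours <= 2:
            ef -= 10
    return max(ef, 0)

def single_loss_expectancy(asset_value, ef_pct):
    return asset_value * ef_pct / 100     # SLE = AV x EF (slide 25)

def annual_loss_expectancy(asset_value, ef_pct, aro):
    return single_loss_expectancy(asset_value, ef_pct) * aro   # ALE = SLE x ARO

def control_net_benefit(ale_before, ale_after, annual_control_cost):
    return (ale_before - ale_after) - annual_control_cost      # Step 9: benefit - cost

if __name__ == "__main__":
    # Constructed scenario: $250,000 donor database, external attacker, firewall in
    # place, ~10% damage/hour, 50% chance undetected, 2 h response, ARO 0.5.
    AV, ARO = 250_000, 0.5
    ef_now = exposure_factor_pct(False, True, True, 10, 0.5, 2)     # no backups: 40%
    ef_backup = exposure_factor_pct(True, True, True, 10, 0.5, 2)   # offline backups: 10%
    ale_now = annual_loss_expectancy(AV, ef_now, ARO)               # 50,000.0
    ale_backup = annual_loss_expectancy(AV, ef_backup, ARO)         # 12,500.0
    print("net yearly benefit of backups:", control_net_benefit(ale_now, ale_backup, 8_000))
```

Because the deductions are applied at the questionnaire stage, a single control such as the backup copy lowers EF, SLE and ALE together, which is what makes the benefit side of the Step 9 comparison directly comparable to the control's yearly cost.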

  34. Risk Management Step 10 constant evaluation of controls • Test and implement controls • Periodic evaluation to assess efficacy of controls
