1 / 41

INFORMATION SECURITY MANAGEMENT

INFORMATION SECURITY MANAGEMENT. Lecture 7: Risk Management Identifying and Assessing Risk. You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra. Discretionary Access Control (DAC) Security Model.

clarkrebecca
Download Presentation

INFORMATION SECURITY MANAGEMENT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INFORMATION SECURITY MANAGEMENT Lecture 7: Risk Management Identifying and Assessing Risk You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. Discretionary Access Control (DAC) Security Model • The owner of an object controls who and what may access it. • Access is at the owner’s discretion. • Most personal computer operating systems are designed based on the DAC model

  3. Mandatory Access Control (MAC) Security Model • Data classification scheme/model • Data owners classify the information assets • Reviews periodically • Security clearance structure • Subjects labeled by level of security clearance (privilege) • Objects labeled by level of classification/sensitivity

  4. Role-based Access Control (RBAC) Security Model • Nondiscretionary Controls • An improvement over the mandatory access control (MAC) security model • Role-based controls • Task-based controls • Users are given roles with this role determining access

  5. Introduction • Information security departments are created primarily to manage IT risk • In any well-developed risk management program, two formal processes are at work • Risk identification and assessment • Risk control

  6. Risk Management “The process of determining the maximumacceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

  7. Knowing Yourself & The Enemy • Identifying, examining and understanding the information and how it is processed, stored, and transmitted • Identifying, examining, and understanding the threats facing the organization’s information assets

  8. Communities of Interest:All Play a role • Information Security • Information Technology • Management and Users

  9. Risk Terminology • Asset & Asset valuation • Threat • Vulnerability • Exposure • Risk

  10. Risk Terminology

  11. Risk Identification Figure 8-1 Risk identification process Source: Course Technology/Cengage Learning

  12. Asset Identification Identify organization’s information assets • Inventory: software/hardware, and networking elements • More easily tracked (automated inventory system) • People, procedures, data and info • May take more time / ongoing

  13. Creating an Inventory of Information Assets • Determine which attributes of each information asset should be tracked • Potential asset attributes • Name, IP address • MAC address, asset type • Physical location, logical location • Controlling entity

  14. Creating an Inventory of Information Assets (cont’d.) • Identifying people, procedures and data assets • Sample attributes • People - Position name/number/ID • Procedures – Description/Intended purpose • Data – Classification & Owner/creator/manager

  15. Asset: Classifying and Categorizing • Determine whether the asset categories are meaningful • Inventory should also reflect each asset’s sensitivity and security priority • Classification categories must be comprehensive and mutually exclusive • Not one schema for all assets

  16. Asset Valuation • Assign a relative value: • As each information asset is identified, categorized, and classified Goal: assign value to encompass both tangible and intangible costs

  17. Importance of Assets • List the assets in order of importance • Achieved by using a weighted factor analysis worksheet

  18. Risk Terminology

  19. Threat Identification • Any organization typically faces a wide variety of threats

  20. Threat Assessment • Each threat presents a unique challenge to information security • Each must be further examined to determine its potential to affect the targeted information asset

  21. Threat Identification (cont’d.) Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission Weighted ranks of threats to information security

  22. Vulnerability Assessment • Vulnerability Assessment • Review every information asset for each threat • Leads to the creation of a list of vulnerabilities that remain potential risks to the organization • Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

  23. Vulnerability Assessment Table 8-4 Vulnerability assessment of a DMZ router Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

  24. The TVA Worksheet • At the end of the risk identification process, a list of assets and their vulnerabilities has been developed • List serves as the starting point for the next step in the risk management process - risk assessment • Another list prioritizes threats facing the organization based on the weighted table discussed earlier

  25. The TVA Worksheet (cont’d.) Table 8-5 Sample TVA spreadsheet Source: Course Technology/Cengage Learning

  26. Introduction to Risk Assessment • The goal is to create a method to evaluate the relative risk of each listed vulnerability Figure 8-3 Risk identification estimate factors Source: Course Technology/Cengage Learning

  27. Likelihood • The overall rating of the probability that a specific vulnerability will be exploited • Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset

  28. Percentage of Risk Mitigated by Current Controls • If a vulnerability is fully managed by an existing control, it can be set aside • If it is partially controlled, estimate what percentage of the vulnerability has been controlled

  29. Uncertainty • It is not possible to know everything about every vulnerability • The degree to which a current control can reduce risk is also subject to estimation error • Uncertainty is an estimate made by the manager using judgment and experience

  30. Risk Determination – Example 1 Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate Risk: [Asset Value(AV) x Likelihood(L)] – Controls(AV*L) + Uncertainty (AV*L) Risk = [50 x 1.0] – 0.0(50*1.0) + 0.1(50*1.0) = 55

  31. Risk Determination – Example 2 Asset B has a value of 100 and has two vulnerabilities: • vulnerability #1 has a likelihood of 0.5 with a current control that addresses 50% of its risk • vulnerability # 2 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate Risk: [Asset Value(AV) x Likelihood(L)] – Controls(AV*L) + Uncertainty (AV*L) Risk1 = [100 x 0.5] – 0.5(100*0.5) + 0.2(100*0.5) = 35 Risk2 = [100 x 0.1] – 0.0(100*0.1) + 0.2(100*0.1) = 12

  32. Qualitative Risk Analysis • Evaluate opinions, feelings, ideas • Scenarios • Brainstorming • Delphi technique • Storyboarding • Focus groups • Surveys, questionnaires, checklists • One-on-one meetings, interviews

  33. Qualitative Risk Assessment • For a given scope of assets, identify: • Vulnerabilities • Threats • Threat probability (Low / medium / high) • Impact (Low / medium / high) • Countermeasures

  34. Example of Qualitative Risk Assessment

  35. Quantitative Risk Assessment • Extension of a qualitative risk assessment. Metrics for each risk are: • Asset value: replacement cost and/or income derived through the use of an asset • Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) • Single Loss Expectancy (SLE) = Asset ($) x EF (%)

  36. Quantitative Risk Assessment • Metrics (cont.) • Annualized Rate of Occurrence (ARO) • Probability of loss in a year, % • Annual Loss Expectancy (ALE) = SLE x ARO

  37. Example of Quantitative Risk Assesment • Theft of a laptop computer, with the data encrypted • Asset value: $4,000 Exposure factor ? 100% SLE, ARO, ALE ? • SLE = 4000 * 100% = 4,000 • ARO = 10% chance of theft / year • ALE = 10% * 4000 = 400

  38. Example of Quantitative Risk Assesment • Dropping a laptop computer and breaking the screen • Asset value: $4,000 Exposure factor ? 50% SLE, ARO, ALE ? • SLE = $4,000 x 50% = $2,000 • ARO = 25% chance of damaging / year • ALE = 25% x $2,000 = $500

  39. Qualitative vs. Quantitative

  40. Documenting the Results of Risk Assessment • Goals of the risk management process • To identify information assets and their vulnerabilities • To rank them according to the need for protection • In preparing this list, a wealth of factual information about the assets and the threats they face is collected • The final summarized document is the ranked vulnerability risk worksheet

  41. Table 8-9 Ranked vulnerability risk worksheet Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

More Related