SECURITY AND RISK MANAGEMENT
• The Security and Risk Management domain deals with many of the foundational elements of security solutions and focuses on risk
analysis and mitigation.
• These include elements essential to the design, implementation, and administration of security mechanisms.
• This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every
section throughout this course.
• In addition to CIA, the principles of least privilege and need to know are presented.
• Lastly, concepts related to information security governance, such as privacy, due care, due diligence, certification, and
accreditation, are also a focus of this chapter.
• Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to
mitigate those risks.
• How much security is enough?...Just enough.
Confidentiality, Integrity, and Availability
• Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a
security infrastructure.
• Commonly referenced by the term CIA Triad.
• The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain
intelligence agency), but that is not important; what is critical is understanding each concept.
• These three principles are considered the most important within the realm of security.
• However, how important each specific principle is to a specific organization depends on the organization’s
security goals and requirements and on the extent to which the organization’s security might be threatened.
• An object is the passive element in a security relationship, such as files, computers, network connections,
and applications.
• A subject is the active element in a security relationship, such as users, programs, and computers.
Confidentiality
• Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects,
or resources. In other words, it seeks to prevent unauthorized disclosure of information.
• The goal of confidentiality protection is to prevent or minimize unauthorized access to data.
• Confidentiality protection provides a means for authorized users to access and interact with resources, but
it actively prevents unauthorized users from doing so.
• For confidentiality to be maintained on a network, data must be protected from unauthorized access, use,
or disclosure while in storage, in process, and in transit.
• Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning,
shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.
• Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication
procedures, data classification, and extensive personnel training
Integrity
• Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to
prevent unauthorized write access to data.
• It ensures that data remains correct, unaltered, and preserved.
• Properly implemented integrity protection provides a means for authorized changes while protecting
against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes
made by authorized users (such as mistakes or oversights).
• There are two kinds: data integrity and system integrity. Data integrity seeks to protect information from unauthorized
modification, while system integrity seeks to protect a system from unauthorized modification.
• Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious
modification, intentional replacement, and system back doors.
• Countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems,
object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive
personnel training.
Availability
• Availability ensures that information is available when needed.
• Authorized subjects are granted timely and uninterrupted access to objects.
• Availability also implies that the supporting infrastructure—including network services, communications,
and access control mechanisms—is functional and allows authorized users to gain authorized access.
• Attacks - DoS attacks, object destruction, and communication interruptions.
• Countermeasures - designing intermediary delivery systems properly, using access controls effectively,
monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks,
implementing redundancy for critical systems, and maintaining and testing backup systems.
Disclosure, alteration, and destruction
• Disclosure is the unauthorized release of information.
• Alteration is the unauthorized modification of data.
• Destruction is making systems or data unavailable.
CIA Priority
• Every organization has unique security requirements, and knowing which tenet or asset is more important
than another guides the creation of a security stance and ultimately the deployment of a security solution.
• Example - in many cases military and government organizations tend to prioritize confidentiality above
integrity and availability, whereas private companies tend to prioritize availability above confidentiality and
integrity.
• Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the
second or third prioritized items are ignored or improperly addressed.
Other Security Concepts
• Identification: Claiming to be an identity when attempting to access a secured area or system
• Authentication: Proving that you are that identity, e.g., with passwords.
• Authorization: describes the actions you can perform on a system once you have been identified and
authenticated. Actions may include reading, writing, or executing files or programs.
• Auditing: Recording a log of the events and activities related to the system and subjects
• Accounting (aka accountability): Accountability holds users accountable for their actions. This is typically
done by logging and analysing audit data.
• Nonrepudiation: Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It
combines authentication and integrity.
Protection Mechanisms
• Protection mechanisms are common characteristics of security controls.
• Layering: also known as defence in depth, is simply the use of multiple controls in a series.
• Data Hiding: preventing data from being discovered or accessed by a subject by positioning the data in a
logical storage compartment that is not accessible or seen by the subject.
• Security through obscurity: the attempt to keep something important safe simply by keeping knowledge of
it secret and hoping it is not discovered; on its own it offers no security and should not be used.
• Encryption: art and science of hiding the meaning or intent of communication from unintended recipients.
• Least Privilege and Need to Know: Least privilege means users should be granted the minimum amount of
access (authorization) required to do their jobs.
• Need to know is more granular than least privilege; the user must need to know that specific piece of
information before accessing it.
Organizational Processes
Change Control/Management
• The goal of change management is to ensure that any change does not lead to reduced or compromised
security. Change management is also responsible for making it possible to roll back any change to a
previous secured state.
• Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that
can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically
manage change.
Data Classification
• Data classification, or categorization, is the primary means by which data is protected based on its need for
secrecy, sensitivity, or confidentiality.
• Declassification is required once an asset no longer warrants or needs the protection of its currently
assigned classification or sensitivity level.
• Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
• Commercial Business: Confidential, Private, Sensitive, Public
Organizational Roles and Responsibilities
• Senior Manager: The organizational owner (senior manager) role is assigned to the person who is
ultimately responsible for the security maintained by an organization and who should be most concerned
about the protection of its assets.
• Security Professional: The security professional, information security (InfoSec) officer, or computer incident
response team (CIRT) role is assigned to a trained and experienced network, systems, and security
engineer who is responsible for following the directives mandated by senior management.
• Data Owner: The data owner role is assigned to the person who is responsible for classifying information
for placement and protection within the security solution.
• Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of
implementing the prescribed protection defined by the security policy and senior management.
• Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly
implemented and the derived security solutions are adequate.
• User: The user (end user or operator) role is assigned to any person who has access to the secured
system.
Security Governance Principles
• Security governance is the set of responsibilities and practices exercised by executive management with
the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are
managed appropriately, and verifying that the enterprise’s resources are used responsibly.
• Security governance bridges your business priorities with technical implementation like architecture,
standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security
posture over time. These teams also report compliance as required by regulating bodies.
• Some aspects of governance are imposed on organizations due to legislative and regulatory compliance
needs, whereas others are imposed by industry guidelines or license requirements.
• All forms of governance, including security governance, must be assessed and verified from time to time.
• Security governance directly oversees and gets involved in all levels of security and is commonly managed
by a governance committee or at least a board of directors (Top Down approach).
• Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects
every aspect of an organization. It is no longer just something the IT staff can handle on their own.
• Frameworks: NIST 800-53 or 800-100.
• The information security (InfoSec) team should be led by a designated chief information security officer
(CISO) who must report directly to senior management. In some organisations, the title chief security officer
(CSO) or information security officer (ISO) is used as an alternative to CISO.
• Note: The best security plan is useless without one key factor: approval by senior management. Without
senior management’s approval of and commitment to the security policy, the policy will not succeed.
• Developing and implementing a security policy is evidence of due care and due diligence on the part of
senior management.
• If a company does not practice due care and due diligence, managers can be held liable for negligence and
held accountable for both asset and financial losses.
• Strategic Plan vs Tactical Plan vs Operational Plan:
    A strategic plan is a long-term plan and defines the organization’s security purpose.
    A tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the
    strategic plan.
    An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans.
• Security is a continuous process. Thus, the activity of security management planning may have a definitive
initiation point, but its tasks and work are never fully accomplished or complete.
Policy, Procedures, Standards and Baselines
• A security policy is a document that defines the scope of security needed by the organization and
discusses the assets that require protection and the extent to which security solutions should go to provide
the necessary protection.
• Policies are high-level management directives and are mandatory.
• It is a strategic plan for implementing security.
• The security policy is used to assign responsibilities, define roles, specify audit requirements, outline
enforcement processes, indicate compliance requirements, and define acceptable risk levels, and it is used as
proof that senior management has exercised due care in protecting the organization against intrusion, attack, and
disaster.
• Examples: organizational security policy, issue-specific security policy, system-specific security policy,
regulatory, advisory, and informative policy.
• A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like
policies, procedures are mandatory.
• Standards are tactical documents that define steps or methods to accomplish the goals and overall
direction defined by security policies. Standards are mandatory.
• A baseline defines a minimum level of security that every system throughout the organization must meet.
Baselines are mandatory.
• Guideline offers recommendations on how standards and baselines are implemented and serves as an
operational guide for both security professionals and users.
Compliance Requirement
• Complying with laws and regulations is a priority for top information security management.
• The world of compliance is a legal and regulatory jungle for information technology (IT) and cybersecurity
professionals. Things become even more complicated for multinational companies, which must navigate the
variations between international law as well.
Categories of Laws
• Criminal Law: Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties
for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties
in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
• Civil Law: designed to provide for an orderly society and govern matters that are not crimes but that require an
impartial arbiter to settle between individuals and organizations. Examples of the types of matters that may be judged
under civil law include contract disputes, real estate transactions, employment matters, and estate/probate
procedures.
• Administrative Law: Administrative law or regulatory law is law enacted by government agencies. The executive
branch of government charges numerous agencies with wide-ranging responsibilities to ensure that government
functions effectively.
Due Care and Due Diligence
• Due care is doing what a reasonable person would do in a given situation. Due diligence is the management of due
care.
• Gross negligence is the opposite of due care.
Laws
• Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act (CFAA) was the first major piece of
cybercrime-specific legislation in the United States.
• National Information Infrastructure Protection Act of 1996
• Federal Information Security Management Act (FISMA)
• Federal Cybersecurity Laws of 2014
• Copyright and the Digital Millennium Copyright Act
• U.S. Privacy Law
• Health Insurance Portability and Accountability Act of 1996
• Health Information Technology for Economic and Clinical Health Act of 2009
• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. This
standard is required for use in federal computing systems and is also commonly used as an industry
cybersecurity benchmark.
• NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and
Organizations. Compliance with this standard’s security controls (which are quite similar to those found in
NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors
must often comply with NIST SP 800-171.
• The NIST Cybersecurity Framework (CSF) is a set of standards designed to serve as a voluntary risk-
based framework for securing information and systems.
Compliance
• Organizations find themselves subject to a wide variety of laws and regulations imposed by regulatory
agencies or contractual obligations and may be subject to compliance audits, either by their standard
internal and external auditors or by regulators or their agents.
• For example, an organization’s financial auditors may conduct an IT controls audit designed to ensure that
the information security controls for an organization’s financial systems are sufficient to ensure compliance
with the Sarbanes-Oxley Act (SOX). Some regulations, such as PCI DSS, may require the organization to
retain approved independent auditors to verify controls and provide a report directly to regulators.
• The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance
requirement that is not dictated by law but by contractual obligation. PCI DSS governs the security of credit
card information and is enforced through the terms of a merchant agreement between a business that
accepts credit cards and the bank that processes the business’s transactions.
• In addition to formal audits, organizations often must report regulatory compliance to a number of internal
and external stakeholders. For example, an organization’s Board of Directors (or, more commonly, that
board’s Audit Committee) may require periodic reporting on compliance obligations and status. Similarly,
PCI DSS requires organizations that are not compelled to conduct a formal third-party audit to complete
and submit a self-assessment report outlining their compliance status.
Understand and Apply Threat Modeling Concepts and Methodologies
• Threat modeling is the security process where potential threats are identified, categorized, and analyzed.
• Threat modeling can be performed as a proactive measure during design and development or as a reactive
measure once a product has been deployed.
• A proactive approach to threat modeling takes place during the early stages of systems development,
specifically during initial design and specifications establishment. This type of threat modeling is also
known as a defensive approach.
• This method is based on predicting threats and designing in specific defences during the coding and
crafting process, rather than relying on post-deployment updates and patches.
• A reactive approach to threat modeling takes place after a product has been created and deployed. This
deployment could be in a test or laboratory environment or to the general marketplace. This type of threat
modeling is also known as the adversarial approach.
• This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source
code review, and fuzz testing.
• Microsoft developed a threat categorization scheme known as the STRIDE threat model.
STRIDE
• Spoofing: An attack with the goal of gaining access to a target system through the use of a falsified identity.
• Tampering: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in
storage.
• Repudiation: The ability of a user or attacker to deny having performed an action or activity.
• Information disclosure: The revelation or distribution of private, confidential, or controlled information to
external or unauthorized entities.
• Denial of service (DoS): An attack that attempts to prevent authorized use of a resource.
• Elevation of privilege: An attack where a limited user account is transformed into an account with greater
privileges, powers, and access.
Process for Attack Simulation and Threat Analysis (PASTA)
Visual, Agile, and Simple Threat (VAST)
• Generally, the purpose of STRIDE and other threat modeling methodologies is to consider the range of
compromise concerns and to focus on the goal or end results of an attack.
Understand and Apply Risk Management Concepts
• The possibility that something could happen to damage, destroy, or disclose data or other resources is
known as risk.
• Risk management is a detailed process of identifying factors that could damage or disclose data,
evaluating those factors in light of data value and countermeasure cost, and implementing cost effective
solutions for mitigating or reducing risk.
• Risk management concepts are essential to the establishment of a sufficient security stance, proper
security governance, and legal proof of due care and due diligence.
• The overall process of risk management is used to develop and implement information security strategies.
The goal of these strategies is to reduce risk and to support the mission of the organization.
• It is impossible to design and deploy a totally risk-free environment; however, significant risk reduction is
possible, often with little effort.
• The primary goal of risk management is to reduce risk to an acceptable level by finding cost-effective
solutions, depending on the value of the organization’s assets, the size of its budget, and many other factors.
• The process by which the goals of risk management are achieved is known as risk analysis.
• It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring
and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for
each risk, and creating a cost/benefit report for safeguards to present to upper management.
Risk Terminology
• Asset: Anything of value to the company
• Asset Valuation: Dollar value assigned to an asset
• Vulnerability: A weakness; the absence of a safeguard
• Threat: Something that could pose loss to all or part of an asset
• Threat Agent: What carries out the attack
• Exposure: Being susceptible to asset loss because of a threat
• Exploit: An instance of compromise
• Risk: The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
• Safeguards: A safeguard, security control, or countermeasure is anything that removes or reduces a
vulnerability or protects against one or more specific threats.
• Attack: The exploitation of a vulnerability by a threat agent.
• Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
When a breach is combined with an attack, a penetration, or intrusion, can result.
• Controls: Physical, Administrative, and Technical Protections (also called safeguards or countermeasures)
Risk Management
• Risk Assessment
    Identify and valuate assets
    Identify threats and vulnerabilities
• Risk Analysis
    Qualitative: assigns subjective and intangible values to the loss of an asset
    Quantitative: assigns real dollar figures to the loss of an asset
• Risk Mitigation/Response
    Reduce/Avoid
    Transfer
    Accept/Reject
• Ongoing Risk Monitoring
• Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate
and support risk analysis and assessment by defining the scope and purpose of the endeavour.
• The actual processes of performing risk analysis are often delegated to security professionals or an
evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and
approved by upper management as an element in providing prudent due care.
Identification and Valuation of Assets is the first step in risk assessment.
• What are we protecting, and what is it worth?
• Is it valuable to me? To my competitors?
• What damage will be caused if it is compromised?
• How much time was spent in development?
• Are there compliance/legal issues?
RISK ANALYSIS
• Determining a value for a risk: qualitative vs. quantitative
• Qualitative Analysis (subjective, judgment-based)
    Probability and Impact Matrix: uses words like “high”, “medium”, and “low” to describe the likelihood and
    severity (or probability and impact) of a threat exposing a vulnerability.
    Risk Value = Probability * Impact
    Probability: How likely is the threat to materialize?
    Impact: How much damage will there be if it does?
    These can also be referred to as likelihood and severity.
    The Delphi technique is often used to solicit objective opinions - an anonymous feedback-and-response process.
• Quantitative Analysis (objective, numbers driven)
Quantitative Risk Analysis
• The quantitative method results in concrete probability percentages. That means the end result is a report
that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.
• The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you
estimate the potential and frequency of each risk. This information is then used to calculate various cost
functions that are used to evaluate safeguards.
• AV (Asset Value)
• EF (Exposure Factor): percentage of loss that an organization would experience if a specific asset were
violated by a realized risk.
• ARO (Annual Rate of Occurrence): expected frequency with which a specific threat or risk will occur (that
is, become realized) within a single year.
• SLE (Single Loss Expectancy)=AV * EF: cost associated with a single realized risk against a specific asset.
• ALE (Annual Loss Expectancy) = SLE * ARO: possible yearly cost of all instances of a specific realized threat
against a specific asset.
• Cost of control should be the same or less than the potential for loss
• Example: if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is
.5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user
account) is 15, then the ALE would be $1,350,000.
• In addition to determining the annual cost of the safeguard, you must calculate the ALE for the asset if the
safeguard is implemented.
• The EF of an asset remains the same even with an applied safeguard, but the safeguard changes the ARO. In fact,
the whole point of a safeguard is to reduce the ARO.
• With the new ARO, a new ALE with the application of a safeguard is computed.
• If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then
you should accept the risk.
• With the pre-safeguard ALE and the post-safeguard ALE calculated, there is yet one more value needed to
perform a cost/benefit analysis. This additional value is the annual cost of the safeguard.
• Once you know the potential cost of a safeguard, it is then possible to evaluate the benefit of that
safeguard if applied to an infrastructure. As mentioned earlier, the annual costs of safeguards should not
exceed the expected annual cost of asset loss.
• (ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard, ACS) = value of
the safeguard to the company
• If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then
that value is the annual savings your organization may reap by deploying the safeguard because the rate of
occurrence is not a guarantee of occurrence.
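The SLE, ALE and safeguard-value formulas above, carried through as an added Python example (not part of the original slides): the asset value of $300,000 and exposure factor of 30% are constructed to reproduce the slide’s $90,000 SLE, and the safeguards, their annual costs and their post-deployment AROs are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure (constructed values for this example)."""
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard
    aro_after: float     # ARO expected once the safeguard is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV * EF, with EF as a fraction 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss_expectancy: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO.

    ARO may exceed 1 (several occurrences per year) or be a fraction
    (one occurrence every few years, e.g. 0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(single_loss_expectancy * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of the safeguard = ALE(before) - ALE(after) - ACS.

    Positive means annual savings; negative means not financially justified."""
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate_safeguard(asset_value: float, exposure_factor: float,
                       aro_before: float, safeguard: Safeguard) -> dict:
    """Run the cost/benefit analysis described on the slides.

    The safeguard is assumed to leave EF unchanged and only lower the ARO,
    so SLE is the same before and after. Two rejection rules are applied:
    the safeguard must not cost more than the asset is worth, and the
    computed value must be positive.
    """
    loss = sle(asset_value, exposure_factor)
    before = ale(loss, aro_before)
    after = ale(loss, safeguard.aro_after)
    value = safeguard_value(before, after, safeguard.annual_cost)
    if safeguard.annual_cost > asset_value:
        decision = "reject: safeguard costs more than the asset is worth"
    elif value > 0:
        decision = "deploy: positive annual value"
    else:
        decision = "reject: negative annual value, accept or transfer the risk"
    return {
        "safeguard": safeguard.name,
        "sle": loss,
        "ale_before": before,
        "ale_after": after,
        "annual_cost": safeguard.annual_cost,
        "value": value,
        "decision": decision,
    }


# Constructed figures: AV = $300,000 and EF = 30% reproduce the slide's
# SLE of $90,000; the safeguards and their ARO reductions are hypothetical.
ASSET_VALUE = 300_000.0
EXPOSURE_FACTOR = 0.30

SCENARIOS = [
    # (threat, ARO before safeguard, candidate safeguard)
    ("total power loss", 0.5,
     Safeguard("UPS and generator", annual_cost=20_000.0, aro_after=0.1)),
    ("total power loss", 0.5,
     Safeguard("second utility feed", annual_cost=60_000.0, aro_after=0.25)),
    ("compromised user account", 15.0,
     Safeguard("multifactor authentication", annual_cost=50_000.0, aro_after=3.0)),
]


def run_scenarios() -> list:
    """Evaluate every scenario; returns the list of result dicts."""
    return [evaluate_safeguard(ASSET_VALUE, EXPOSURE_FACTOR, aro, sg)
            for _, aro, sg in SCENARIOS]


if __name__ == "__main__":
    for (threat, _, _), result in zip(SCENARIOS, run_scenarios()):
        print(f"{threat} / {result['safeguard']}: ALE before ${result['ale_before']:,.0f}, "
              f"after ${result['ale_after']:,.0f}, value ${result['value']:,.0f} "
              f"-> {result['decision']}")
```

The first and third scenarios come out positive (deploy), while the second shows a safeguard that lowers the ARO but costs more per year than it saves.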
Risk Mitigation/Responses
• Reduce or mitigate: implementation of safeguards and countermeasures to eliminate vulnerabilities or
block threats.
• Assign or transfer: placement of the cost of loss a risk represents onto another entity or organization.
Example: insurance and outsourcing.
• Accept: management has agreed to accept the consequences and the loss if the risk is realized.
• Deter: implementing deterrents to would-be violators of security and policy. Examples: implementation of
auditing, security cameras, security guards etc.
• Avoid: selecting alternate options or activities that have less associated risk than the default, common,
expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of
risk avoidance.
• Reject or ignore: an unacceptable possible response to risk is to reject risk or ignore risk. Denying that a
risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
• Once countermeasures are implemented, the risk that remains is known as residual risk. It is the risk that
management has chosen to accept rather than mitigate.
threats * vulnerabilities * asset value = total risk
total risk – controls gap = residual risk
Countermeasure Selection and Implementation
• The cost of the countermeasure should be less than the value of the asset.
• The cost of the countermeasure should be less than the benefit of the countermeasure.
• The countermeasure should provide a solution to a real and identified problem. (Don’t install
countermeasures just because they are available, are advertised, or sound cool.)
• The countermeasure should provide consistent and uniform protection across all users, systems, protocols,
and so on.
• The countermeasure should have few or no dependencies to reduce cascade failures.
• The countermeasure should require minimal human intervention after initial deployment and configuration.
• The countermeasure should provide fail-safe and/or fail-secure options.
Keep in mind that security should be designed to support and enable business tasks and functions. Thus,
countermeasures and safeguards need to be evaluated in the context of a business task.
Business Continuity
Business continuity planning (BCP)
• Focuses on sustaining operations and protecting the viability of the business following a disaster, until
normal business conditions can be restored. BCP is an “umbrella” term that includes many other plans,
including the DRP. Long-term focused.
Disaster Recovery Planning
• The goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources,
personnel and business processes are able to resume operations in a timely manner. Deals with the
immediate aftermath of the disaster and is often IT focused. Short-term focused.
The perspective difference is that business continuity activities are typically strategically focused at a high level
and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical
in nature and describe technical activities such as recovery sites, backups, and fault tolerance.
The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to
enhance a company’s ability to recover from a disruptive event promptly.
The BCP process has four main steps.
• Project scope and planning
• Business impact assessment
• Continuity planning
• Approval and implementation
The top priority of BCP and DRP is always people.
BCP relationship with Risk Management
Business Continuity Process
Project Scope and Planning
• Structured analysis of the business’s organization from a crisis planning point of view - to identify all
departments and individuals who have a stake in the BCP process.
• The creation of a BCP team with the approval of senior management - strike a balance between
representing different points of view and creating a team with explosive personality differences. Your goal
should be to create a group that is as diverse as possible and still operates in harmony.
• An assessment of the resources available to participate in business continuity activities
• An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic
event
Business Impact Assessment
• Identifies and prioritizes all business processes based on criticality
• Addresses the impact on the organization in the event of loss of a specific services or process
    Quantitative: loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.
    Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.
• Establishes key metrics for use in determining appropriate counter-measures and recovery strategy (RPO,
RTO etc).
• IMPORTANCE (relevance) vs. CRITICALITY (downtime)
• The Auditing Department is certainly important, though not usually critical. THE BIA FOCUSES ON
CRITICALITY
Business Continuity Process
Key Metrics to Establish
• Service Level Objectives: reliability targets for technology products and services.
• RPO (Recovery Point Objective): amount of data loss or system inaccessibility (measured in time) that an
organization can withstand.
• MTD (Maximum Tolerable Downtime): total time a system can be inoperable before an organization is
severely impacted. Made up of:
  RTO (Recovery Time Objective): maximum time allowed to recover business or IT systems.
  WRT (Work Recovery Time): time required to configure a recovered system.
• MTBF (Mean Time Between Failures): how long a new or repaired system will run before failing.
• MTTR (Mean Time To Repair): how long it will take to recover a specific failed system.
• MOR (Minimum Operating Requirements): minimum environmental and connectivity requirements in order
to operate computer equipment.
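A small checker for the metrics above, added here as an example and not part of the original slides: it takes constructed process data and flags recovery strategies whose RTO + WRT exceeds the MTD, whose backup cadence exceeds the RPO, or whose MTTR already outlasts the MTD, and ranks processes by criticality (downtime tolerance) rather than importance. The MTTR-versus-MTD comparison goes slightly beyond the slide; the process names and figures are assumed sample values.

```python
"""Added example: BIA recovery-metric checker (not from the slides).

Each process carries the metrics the BIA established (MTD, RPO) and the
planned recovery strategy (RTO, WRT, backup cadence, MTTR). The checker
flags strategies that cannot meet the BIA metrics and ranks processes by
criticality (downtime tolerance), not importance. All names and numbers
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class BiaProcess:
    name: str
    mtd: timedelta              # Maximum Tolerable Downtime (from the BIA)
    rpo: timedelta              # Recovery Point Objective: tolerable data loss, in time
    rto: timedelta              # planned Recovery Time Objective at the alternate site
    wrt: timedelta              # planned Work Recovery Time to configure/verify the system
    backup_interval: timedelta  # cadence of vaulting/journaling to the offsite location
    mttr: timedelta             # Mean Time To Repair observed for the failed system


def planned_downtime(p: BiaProcess) -> timedelta:
    """MTD is made up of RTO plus WRT; this is the downtime the plan commits to."""
    return p.rto + p.wrt


def hours(td: timedelta) -> float:
    """Express a timedelta in hours for reporting."""
    return td.total_seconds() / 3600


def check_process(p: BiaProcess) -> list[str]:
    """Return the findings for one process; an empty list means the plan fits the BIA."""
    findings = []
    if planned_downtime(p) > p.mtd:
        findings.append(
            f"RTO + WRT = {hours(planned_downtime(p)):g}h exceeds MTD of {hours(p.mtd):g}h"
        )
    if p.backup_interval > p.rpo:
        # Worst-case loss is one full backup interval of transactions.
        findings.append(
            f"backup interval {hours(p.backup_interval):g}h exceeds RPO of {hours(p.rpo):g}h"
        )
    if p.mttr > p.mtd:
        # A typical repair already outlasts the tolerable downtime: repairing in
        # place is not a viable strategy, failover to an alternate site is needed.
        findings.append(f"MTTR {hours(p.mttr):g}h exceeds MTD of {hours(p.mtd):g}h")
    return findings


def rank_by_criticality(processes: list[BiaProcess]) -> list[str]:
    """Criticality is downtime tolerance: the shorter the MTD, the more critical."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd)]


def bia_report(processes: list[BiaProcess]) -> dict[str, list[str]]:
    """Map each process name to its list of findings."""
    return {p.name: check_process(p) for p in processes}


# Constructed sample processes (hypothetical, not real data).
SAMPLE_PROCESSES = [
    BiaProcess("order processing", mtd=timedelta(hours=4), rpo=timedelta(minutes=15),
               rto=timedelta(hours=2), wrt=timedelta(hours=1),
               backup_interval=timedelta(minutes=5), mttr=timedelta(hours=6)),
    BiaProcess("customer portal", mtd=timedelta(hours=8), rpo=timedelta(hours=1),
               rto=timedelta(hours=6), wrt=timedelta(hours=3),
               backup_interval=timedelta(minutes=30), mttr=timedelta(hours=3)),
    BiaProcess("payroll", mtd=timedelta(hours=48), rpo=timedelta(hours=4),
               rto=timedelta(hours=12), wrt=timedelta(hours=4),
               backup_interval=timedelta(hours=24), mttr=timedelta(hours=10)),
    BiaProcess("internal audit reporting", mtd=timedelta(days=5), rpo=timedelta(hours=24),
               rto=timedelta(hours=48), wrt=timedelta(hours=8),
               backup_interval=timedelta(hours=24), mttr=timedelta(hours=16)),
]

if __name__ == "__main__":
    print("criticality order:", rank_by_criticality(SAMPLE_PROCESSES))
    for name, findings in bia_report(SAMPLE_PROCESSES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```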
Business Continuity Process
Results of the Business Impact Analysis contain
• ALL identified business processes and assets, not just those considered critical
• The impact the company can handle for each risk
• Outage times that would be critical versus those that would not be critical
• Preventive controls
• Documentation presented to management for approval
• Results are used to create the recovery plans
Recovery Strategies:
When preventive controls don't work, recovery strategies are necessary:
• Facility recovery
• Hardware and software recovery
• Personnel recovery
• Data recovery
Business Continuity Process
Recovery Strategies
Facility Recovery
• Subscription services: hot, warm, and cold sites
• Reciprocal agreements
• Others: redundant/mirrored site (partial or full), outsourcing, rolling hot site, prefabricated building
Offsite facilities should be no less than 15 miles away for low to medium environments. Critical operations
should have an offsite facility 50-200 miles away.
Data Recovery
• Electronic vaulting: a copy of the modified file is sent to a remote location where an original backup is
stored.
• Remote journaling: moves the journal or transaction log to a remote location, not the actual files.
BCP Plan
Three Phases Following a Disruption
• Notification/Activation
  Notifying recovery personnel
  Performing a damage assessment
• Recovery Phase (Failover)
  Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using
  contingency capabilities; performed by the recovery team
• Reconstitution (Failback)
  Actions taken to return the system to normal operating conditions; performed by the salvage team
Types of Tests
• Checklist Test: copies of the plan are distributed to different departments, and functional managers review them.
• Structured Walk-Through (Table Top) Test: representatives from each department go over the plan.
• Simulation Test: going through a disaster scenario; continues up to the actual relocation to an offsite
facility.
• Parallel Test: systems are moved to the alternate site, and processing takes place there.
• Full-Interruption Test: the original site is shut down and all processing is moved to the offsite facility.
BCP/DRP Frameworks
• NIST SP 800-34, ISO/IEC 27031, and BCI.
Security Awareness Education
• The successful implementation of a security solution requires changes in user behavior.
• To develop and manage security education, training, and awareness, all relevant items of knowledge
transference must be clearly identified and programs of presentation, exposure, synergy, and
implementation crafted.
• The goal of creating awareness is to bring security to the forefront and make it a recognized entity for
users.
• Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen
savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies,
and memos, as well as traditional instructor-led training courses.
• The awareness program in an organization should be tied in with its security policy, incident-handling plan,
business continuity, and disaster recovery procedures.
• Training is typically hosted by an organization and is targeted to groups of employees with similar job
functions.
• An assessment of the appropriate levels of awareness, training, and education required within the
organization should be revised on a regular basis using periodic content reviews.
Security & Risk Mgmt_WK1.pptx

  • 1. SECURITY AND RISK MANAGEMENT • The Security and Risk Management deals with many of the foundational elements of security solutions and focuses on risk analysis and mitigation. • These include elements essential to the design, implementation, and administration of security mechanisms. • This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every section throughout of this course. • In addition to CIA, principle of least privilege and need to know are presented. • Lastly concepts related to information security governance such as privacy, due care, due diligence, certification, and accreditation are also a focus of this chapter. • Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. • How much security is enough?...Just enough.
  • 2. Confidentiality, Integrity, and Availability • Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a security infrastructure. • Commonly referenced by the term CIA Triad. • The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain intelligence agency), but that is not important; what is critical is understanding each concept. • These three principles are considered the most important within the realm of security. • However important each specific principle is to a specific organization depends on the organization’s security goals and requirements and on the extent to which the organization’s security might be threatened. • An object is the passive element in a security relationship, such as files, computers, network connections, and applications. • A subject is the active element in a security relationship, such as users, programs, and computers.
  • 3. Confidentiality • Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. In other words, unauthorized disclosure of information; • The goal of confidentiality protection is to prevent or minimize unauthorized access to data. • Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. • For confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. • Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.  Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training
  • 4. Integrity • Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. • It ensures that data remains correct, unaltered, and preserved. • Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes or oversights). • data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect a system. from unauthorized modification. • Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors. • countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.
  • 5. Availability • Availability ensures that information is available when needed. • Aauthorized subjects are granted timely and uninterrupted access to objects. • Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access. • Attacks - DoS attacks, object destruction, and communication interruptions. • Countermeasures - designing intermediary delivery systems, properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Disclosure, alteration, and destruction • Disclosure is the unauthorized release of information. • Alteration is the unauthorized modification of data. • Destruction is making systems or data unavailable.
  • 6. CIA Priority • Every organization has unique security requirements and Knowing which tenet or asset is more important than another guides the creation of a security stance and ultimately the deployment of a security solution. • Example - in many cases military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability above confidentiality and integrity. • Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the second or third prioritized items are ignored or improperly addressed. Other Security Concepts • Identification: Claiming to be an identity when attempting to access a secured area or system • Authentication: Proving that you are that identity. eg passwords. • Authorization: describes the actions you can perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs. • Auditing: Recording a log of the events and activities related to the system and subjects • Accounting (aka accountability): Accountability holds users accountable for their actions. This is typically done by logging and analysing audit data. • Nonrepudiation: Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity.
  • 7. Protection Mechanisms • Protection mechanisms are common characteristics of security controls. • Layering: also known as defence in depth, is simply the use of multiple controls in a series. • Data Hiding: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. • Security through obscurity: attempt to hope something important is not discovered by keeping knowledge of it a secret hence offers no security and should not be used. • Encryption: art and science of hiding the meaning or intent of communication from unintended recipients. • Least Privilege and Need to Know: Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs. • Need to know is more granular than least privilege; the user must need to know that specific piece of information before accessing it.
  • 8. Organizational Processes Change Control/Management • The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. • Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Data Classification • Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. • Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. • Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified • Commercial Business: Confidential, Private, Sensitive, Public
  • 9. Organizational Roles and Responsibilities • Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. • Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. • Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. • Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. • Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. • User: The user (end user or operator) role is assigned to any person who has access to the secured system.
  • 10. Security Governance Principles • Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. • Security governance bridges your business priorities with technical implementation like architecture, standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security posture over time. These teams also report compliance as required by regulating bodies. • Some aspects of governance are imposed on organizations due to legislative and regulatory compliance needs, whereas others are imposed by industry guidelines or license requirements. • All forms of governance, including security governance, must be assessed and verified from time to time. • Security governance directly oversees and gets involved in all levels of security and is commonly managed by a governance committee or at least a board of directors (Top Down approach). • Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. • Frameworks: NIST 800-53 or 800-100.
11. Security Governance Principles
• The information security (InfoSec) team should be led by a designated chief information security officer (CISO) who reports directly to senior management. Some organizations use the title chief security officer (CSO) or information security officer (ISO) instead of CISO.
• Note: the best security plan is useless without one key factor: approval by senior management. Without senior management's approval of and commitment to the security policy, the policy will not succeed.
• Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management.
• If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for both asset and financial losses.
• Strategic plan vs. tactical plan vs. operational plan:
  - A strategic plan is a long-term plan that defines the organization's security purpose.
  - A tactical plan is a midterm plan developed to provide more detail on accomplishing the goals set forth in the strategic plan.
  - An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans.
• Security is a continuous process. Security management planning may have a definite starting point, but its tasks and work are never fully accomplished or complete.
12. Policy, Procedures, Standards and Baselines
• A security policy is a document that defines the scope of security needed by the organization, discusses the assets that require protection, and states the extent to which security solutions should go to provide that protection.
• Policies are high-level management directives and are mandatory. A policy is the strategic plan for implementing security.
• The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels. It also serves as proof that senior management has exercised due care in protecting the organization against intrusion, attack, and disaster.
• Examples: organizational security policy, issue-specific security policy, system-specific security policy, and regulatory, advisory, and informative policies.
• A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory.
• Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Mandatory.
• A baseline defines a minimum level of security that every system throughout the organization must meet. Mandatory.
• A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Unlike the documents above, guidelines are recommendations and are not mandatory.
13. Compliance Requirements
• Complying with laws and regulations is a priority for top information security management.
• The world of compliance is a legal and regulatory jungle for information technology (IT) and cybersecurity professionals. Things become even more complicated for multinational companies, which must also navigate the variations between the laws of the countries they operate in.
Categories of Laws
• Criminal Law: contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating criminal statutes range from mandatory hours of community service and monetary fines (small and large) to deprivation of civil liberties in the form of prison sentences.
• Civil Law: designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle disputes between individuals and organizations. Examples of matters judged under civil law include contract disputes, real estate transactions, employment matters, and estate/probate procedures.
• Administrative Law: administrative or regulatory law is law enacted by government agencies. The executive branch of government charges numerous agencies with wide-ranging responsibilities to ensure that government functions effectively.
Due Care and Due Diligence
• Due care is doing what a reasonable person would do in a given situation. Due diligence is the management of due care.
• Gross negligence is the opposite of due care.
14. Laws
• Computer Fraud and Abuse Act (CFAA): the first major piece of cybercrime-specific legislation in the United States.
• National Information Infrastructure Protection Act of 1996
• Federal Information Security Management Act (FISMA)
• Federal Cybersecurity Laws of 2014
• Copyright and the Digital Millennium Copyright Act (DMCA)
• U.S. privacy law
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
• NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations: required for use in federal computing systems and also commonly used as an industry cybersecurity benchmark.
• NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations: compliance with this standard's security controls (which are quite similar to those in NIST SP 800-53) is often included as a contractual requirement by government agencies, so federal contractors must often comply with it.
• The NIST Cybersecurity Framework (CSF) is a set of standards designed to serve as a voluntary, risk-based framework for securing information and systems.
15. Compliance
• Organizations are subject to a wide variety of laws and regulations imposed by regulatory agencies or by contractual obligations, and may be subject to compliance audits, either by their standard internal and external auditors or by regulators or their agents.
• For example, an organization's financial auditors may conduct an IT controls audit designed to ensure that the information security controls for the organization's financial systems are sufficient to ensure compliance with the Sarbanes-Oxley Act (SOX). Some requirements, such as PCI DSS, oblige the organization to retain approved independent assessors to verify controls and deliver a report to the body that enforces the requirement (for PCI DSS, the acquiring bank rather than a government regulator).
• The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement dictated not by law but by contractual obligation. PCI DSS governs the security of credit card information and is enforced through the terms of the merchant agreement between a business that accepts credit cards and the bank that processes the business's transactions.
• In addition to formal audits, organizations often must report regulatory compliance to a number of internal and external stakeholders. For example, an organization's Board of Directors (or, more commonly, the board's Audit Committee) may require periodic reporting on compliance obligations and status. Similarly, PCI DSS requires organizations that are not compelled to conduct a formal third-party audit to complete and submit a self-assessment questionnaire (SAQ) outlining their compliance status.
16. Understand and Apply Threat Modeling Concepts and Methodologies
• Threat modeling is the security process in which potential threats are identified, categorized, and analyzed.
• Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.
• A proactive approach takes place during the early stages of systems development, specifically during initial design and specification. This is also known as the defensive approach: it predicts threats and designs specific defences in during the coding and crafting process, rather than relying on post-deployment updates and patches.
• A reactive approach takes place after a product has been created and deployed, whether to a test or laboratory environment or to the general marketplace. This is also known as the adversarial approach, and it is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.
• Microsoft developed a threat categorization scheme known as the STRIDE threat model.
17. STRIDE
• Spoofing: an attack with the goal of gaining access to a target system through the use of a falsified identity.
• Tampering: any action resulting in unauthorized changes to or manipulation of data, whether in transit or in storage.
• Repudiation: the ability of a user or attacker to deny having performed an action or activity.
• Information disclosure: the revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
• Denial of service (DoS): an attack that attempts to prevent authorized use of a resource.
• Elevation of privilege: an attack in which a limited user account is transformed into an account with greater privileges, powers, and access.
Other threat modeling methodologies: Process for Attack Simulation and Threat Analysis (PASTA) and Visual, Agile, and Simple Threat (VAST).
• Generally, the purpose of STRIDE and the other threat modeling methodologies is to consider the range of compromise concerns and to focus on the goal or end result of an attack.
18. Understand and Apply Risk Management Concepts
• The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk.
• Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
• Risk management concepts are essential to establishing a sufficient security stance, proper security governance, and legal proof of due care and due diligence.
• The overall process of risk management is used to develop and implement information security strategies whose goal is to reduce risk and to support the mission of the organization.
• It is impossible to design and deploy a totally risk-free environment; however, significant risk reduction is possible, often with little effort.
• The primary goal of risk management is to reduce risk to an acceptable level by finding cost-effective solutions, taking into account the value of the organization's assets, the size of its budget, and many other factors.
• The process by which the goals of risk management are achieved is known as risk analysis. It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.
19. Risk Terminology
• Asset: anything of value to the company.
• Asset valuation: the dollar value assigned to an asset.
• Vulnerability: a weakness; the absence of a safeguard.
• Threat: something that could cause loss of all or part of an asset.
• Threat agent: the entity that carries out the attack.
• Exposure: being susceptible to asset loss because of a threat.
• Exploit: an instance of compromise.
• Risk: the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
• Safeguards: a safeguard, security control, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats.
• Attack: the exploitation of a vulnerability by a threat agent.
• Breach: the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result.
• Controls: physical, administrative, and technical; also referred to as protections, safeguards, or countermeasures.
20. Risk Management
The risk management process:
• Risk assessment
  - Identify and valuate assets
  - Identify threats and vulnerabilities
• Risk analysis
  - Qualitative: assigns subjective and intangible values to the loss of an asset
  - Quantitative: assigns real dollar figures to the loss of an asset
• Risk mitigation/response: reduce/avoid, transfer, accept/reject
• Ongoing risk monitoring
• Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavour.
• The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care.
21. Risk Management
Identification and valuation of assets is the first step in risk assessment. What are we protecting and what is it worth?
• Is it valuable to me? To my competitors?
• What damage will be caused if it is compromised?
• How much time was spent in development?
• Are there compliance/legal issues?
Risk analysis: determining a value for a risk, either qualitatively or quantitatively.
Qualitative analysis (subjective, judgment-based)
• Probability and impact matrix: uses words like "high", "medium", and "low" to describe the likelihood and severity (or probability and impact) of a threat exposing a vulnerability. Risk value is Probability × Impact.
• Probability: how likely is the threat to materialize? Impact: how much damage will there be if it does? These may also be referred to as likelihood and severity.
• The Delphi technique, an anonymous feedback-and-response process, is often used to solicit expert opinions free of group pressure and bring them to a consensus.
Quantitative analysis (objective, numbers-driven)
22. Risk Management: Quantitative Risk Analysis
• The quantitative method results in concrete probability percentages and dollar figures: the end result is a report with dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.
• The process starts with asset valuation and threat identification. Next, estimate the potential (exposure) and frequency of each risk. This information is then used to calculate the cost functions used to evaluate safeguards.
• AV (Asset Value): the dollar value assigned to the asset.
• EF (Exposure Factor): the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
• ARO (Annualized Rate of Occurrence): the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.
• SLE (Single Loss Expectancy) = AV × EF: the cost associated with a single realized risk against a specific asset.
• ALE (Annualized Loss Expectancy) = SLE × ARO: the possible yearly cost of all instances of a specific realized threat against a specific asset.
• The cost of a control should be the same as or less than the potential loss it prevents.
• Example: if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is 0.5, then the ALE is $45,000. If instead the ARO for a different threat (such as a compromised user account) is 15, the ALE is $1,350,000.
23. Risk Management: Cost/Benefit of Safeguards
• In addition to determining the annual cost of the safeguard, you must calculate the ALE for the asset if the safeguard is implemented.
• The EF of an asset remains the same even with an applied safeguard, but the safeguard changes the ARO. In fact, the whole point of a safeguard is to reduce the ARO.
• With the new ARO, compute a new ALE for the asset with the safeguard applied.
• With the pre-safeguard ALE and the post-safeguard ALE calculated, one more value is needed to perform a cost/benefit analysis: the annual cost of the safeguard (ACS), which should cover purchase, deployment, and ongoing operation and maintenance, averaged per year.
• Once you know the cost of a safeguard, you can evaluate its benefit when applied to the infrastructure. As mentioned earlier, the annual cost of a safeguard should not exceed the expected annual cost of asset loss (the ALE); if a countermeasure costs more than the loss it prevents, or more than the asset itself is worth, accepting the risk is the financially sound choice.
• ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company.
• If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, that value is the annual savings the organization may reap by deploying the safeguard ("may", because the rate of occurrence is an expectation, not a guarantee of occurrence).
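As an added worked example (not code from the slides), the SLE/ALE arithmetic of the previous two slides carried through to the safeguard-value formula, in Python. The $90,000 SLE and the AROs of 0.5 and 15 are the slides' own figures; the split of that SLE into an asset value of $360,000 and an EF of 0.25, and the safeguard names, annual costs and post-safeguard AROs, are constructed assumptions for illustration. The example also adds the input validation and the "costs more than the asset" shortcut a practitioner would want before trusting the numbers.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example for this deck, not code from the slides. The $90,000 SLE
and the AROs 0.5 and 15 are the slides' figures; the asset value, exposure
factor, safeguard costs and post-safeguard AROs are constructed assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, with the deck's AV / EF / ARO inputs."""
    threat: str
    asset_value: float       # AV: dollar value assigned to the asset
    exposure_factor: float   # EF: fraction of AV lost per realized event (0.0 to 1.0)
    aro: float               # ARO: expected number of occurrences per year

    def __post_init__(self) -> None:
        # Garbage inputs silently produce plausible-looking dollar figures, so reject them.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one realized event (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly cost (SLE * ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure. Per the slide it changes only the ARO; AV and EF stay fixed."""
    name: str
    annual_cost: float   # ACS: purchase, deployment and operation, averaged per year
    new_aro: float       # ARO expected once the safeguard is in place


def safeguard_value(risk: RiskScenario, sg: Safeguard) -> float:
    """ALE(before) - ALE(after) - ACS. Positive means expected annual savings."""
    after = replace(risk, aro=sg.new_aro)
    return risk.ale() - after.ale() - sg.annual_cost


def recommend(risk: RiskScenario, sg: Safeguard) -> str:
    """'deploy' if the safeguard is financially responsible, otherwise 'accept risk'.

    A safeguard that costs more per year than the asset is worth can never pay
    off, so that case is decided before the ALE arithmetic.
    """
    if sg.annual_cost > risk.asset_value:
        return "accept risk"
    return "deploy" if safeguard_value(risk, sg) > 0 else "accept risk"


# Constructed scenarios: AV $360,000 and EF 0.25 reproduce the slide's $90,000 SLE.
POWER_LOSS = RiskScenario("total power loss", 360_000, 0.25, aro=0.5)
ACCOUNT_COMPROMISE = RiskScenario("compromised user account", 360_000, 0.25, aro=15)

# Constructed safeguards (hypothetical names and costs).
GENERATOR = Safeguard("UPS + generator", annual_cost=20_000, new_aro=0.1)
GOLD_PLATED_POWER = Safeguard("redundant utility feed", annual_cost=60_000, new_aro=0.1)
MFA = Safeguard("phishing-resistant MFA", annual_cost=50_000, new_aro=1)


if __name__ == "__main__":
    for risk in (POWER_LOSS, ACCOUNT_COMPROMISE):
        print(f"{risk.threat}: SLE ${risk.sle():,.0f}  ALE ${risk.ale():,.0f}")
    for risk, sg in ((POWER_LOSS, GENERATOR), (POWER_LOSS, GOLD_PLATED_POWER),
                     (ACCOUNT_COMPROMISE, MFA)):
        print(f"  {sg.name}: value ${safeguard_value(risk, sg):,.0f} -> {recommend(risk, sg)}")
```

Running it reproduces the slide's $45,000 and $1,350,000 ALEs, and shows the sign test in action: the generator returns a positive value ($16,000) and is deployed, while the redundant utility feed prevents the same loss but costs more than it saves (−$24,000) and is rejected in favour of accepting the risk.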
24. Risk Mitigation/Responses
• Reduce or mitigate: implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.
• Assign or transfer: placement of the cost of the loss a risk represents onto another entity or organization. Examples: insurance and outsourcing.
• Accept: management has agreed to accept the consequences and the loss if the risk is realized.
• Deter: implementing deterrents to would-be violators of security and policy. Examples: auditing, security cameras, security guards, etc.
• Avoid: selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance.
• Reject or ignore: an unacceptable response to risk is to reject or ignore it. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
• Once countermeasures are implemented, the risk that remains is known as residual risk. It is the risk that management has chosen to accept rather than mitigate.
threats × vulnerabilities × asset value = total risk
total risk – controls gap = residual risk
25. Countermeasure Selection and Implementation
• The cost of the countermeasure should be less than the value of the asset.
• The cost of the countermeasure should be less than the benefit of the countermeasure.
• The countermeasure should provide a solution to a real and identified problem. (Don't install countermeasures just because they are available, are advertised, or sound cool.)
• The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
• The countermeasure should have few or no dependencies, to reduce cascade failures.
• The countermeasure should require minimal human intervention after initial deployment and configuration.
• The countermeasure should provide fail-safe and/or fail-secure options.
Keep in mind that security should be designed to support and enable business tasks and functions. Thus, countermeasures and safeguards need to be evaluated in the context of a business task.
26. Business Continuity
Business continuity planning (BCP)
• Focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. BCP is an "umbrella" term that includes many other plans, including the DRP. Long-term focused.
Disaster recovery planning (DRP)
• The goal is to minimize the effects of a disaster and to take the necessary steps to ensure that resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster and is often IT focused. Short-term focused.
• The difference in perspective is that business continuity activities are typically strategically focused at a high level and center on business processes and operations, whereas disaster recovery plans tend to be more tactical in nature and describe technical activities such as recovery sites, backups, and fault tolerance.
• The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to enhance a company's ability to recover from a disruptive event promptly.
• The BCP process has four main steps:
  - Project scope and planning
  - Business impact assessment
  - Continuity planning
  - Approval and implementation
• The top priority of BCP and DRP is always people.
  • 27. BCP relationship with Risk Management
28. Business Continuity Process: Project Scope and Planning
• A structured analysis of the business's organization from a crisis planning point of view, to identify all departments and individuals who have a stake in the BCP process.
• The creation of a BCP team with the approval of senior management. Strike a balance between representing different points of view and creating a team with explosive personality differences: the goal is a group that is as diverse as possible and still operates in harmony.
• An assessment of the resources available to participate in business continuity activities.
• An analysis of the legal and regulatory landscape that governs an organization's response to a catastrophic event.
29. Business Continuity Process: Business Impact Assessment
• Identifies and prioritizes all business processes based on criticality.
• Addresses the impact on the organization in the event of loss of a specific service or process:
  - Quantitative: loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.
  - Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.
• Establishes key metrics (RPO, RTO, etc.) for use in determining appropriate countermeasures and a recovery strategy.
• Importance (relevance) vs. criticality (downtime): the auditing department is certainly important, though not usually critical. The BIA focuses on criticality.
30. Business Continuity Process: Key Metrics to Establish
• Service Level Objectives (SLOs): reliability targets for technology products and services.
• RPO (Recovery Point Objective): the amount of data loss or system inaccessibility (measured in time) that an organization can withstand.
• MTD (Maximum Tolerable Downtime): the total time a system can be inoperable before the organization is severely impacted. MTD is comprised of RTO + WRT, so a recovery strategy whose RTO plus WRT exceeds the MTD does not meet the BIA's requirement:
  - RTO (Recovery Time Objective): the maximum time allowed to recover business or IT systems.
  - WRT (Work Recovery Time): the time required to configure and verify a recovered system.
• MTBF (Mean Time Between Failures): how long a new or repaired system will run before failing.
• MTTR (Mean Time To Repair): how long it will take to recover a specific failed system.
• MOR (Minimum Operating Requirements): the minimum environmental and connectivity requirements needed to operate computer equipment.
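The metrics above as an added example (not code from the slides): a Python check that a proposed recovery strategy fits inside the BIA's MTD (RTO + WRT) and RPO (the backup interval can never deliver a smaller loss window than itself), plus MTBF and MTTR derived from an outage history, which is how those two figures are actually obtained rather than guessed. The system names, metric values and the 30-day outage log are constructed for illustration.

```python
"""Check recovery strategies against BIA metrics and derive MTBF/MTTR.

Added example for this deck, not code from the slides. The systems, their
MTD/RTO/WRT/RPO figures and the outage log are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryPlan:
    system: str
    mtd_hours: float              # Maximum Tolerable Downtime, set by the BIA
    rto_hours: float              # Recovery Time Objective of the chosen recovery strategy
    wrt_hours: float              # Work Recovery Time: configure/verify the recovered system
    rpo_hours: float              # Recovery Point Objective: tolerable data-loss window
    backup_interval_hours: float  # how often backups / replication actually capture data

    def recovery_time(self) -> float:
        """MTD is comprised of RTO + WRT, so this is what the plan really needs."""
        return self.rto_hours + self.wrt_hours

    def gaps(self) -> list[str]:
        """Violations of the BIA targets; an empty list means the plan is adequate."""
        problems = []
        if self.recovery_time() > self.mtd_hours:
            problems.append(
                f"RTO {self.rto_hours}h + WRT {self.wrt_hours}h = "
                f"{self.recovery_time()}h exceeds MTD {self.mtd_hours}h")
        if self.backup_interval_hours > self.rpo_hours:
            problems.append(
                f"backup interval {self.backup_interval_hours}h exceeds RPO "
                f"{self.rpo_hours}h: worst-case data loss is the interval, not the RPO")
        return problems


def mtbf_mttr(outages: list[tuple[datetime, datetime]],
              period_start: datetime, period_end: datetime) -> tuple[float, float]:
    """MTBF and MTTR in hours from (start, end) outage intervals inside a period.

    MTBF = operating time / failures; MTTR = total repair time / failures.
    Raises ValueError on an empty or malformed outage list rather than
    dividing by zero or reporting a misleading infinite MTBF.
    """
    if not outages:
        raise ValueError("no failures recorded; MTBF is undefined for this period")
    repair = timedelta()
    for start, end in outages:
        if not (period_start <= start <= end <= period_end):
            raise ValueError(f"outage {start}..{end} is not inside the period")
        repair += end - start
    failures = len(outages)
    operating = (period_end - period_start) - repair

    def hours(td: timedelta) -> float:
        return td.total_seconds() / 3600

    return hours(operating) / failures, hours(repair) / failures


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability = MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


# Constructed plans: one fits its BIA targets, one does not.
ORDER_PROCESSING = RecoveryPlan("order processing", mtd_hours=24, rto_hours=12,
                                wrt_hours=8, rpo_hours=4, backup_interval_hours=1)
PAYROLL = RecoveryPlan("payroll", mtd_hours=8, rto_hours=6, wrt_hours=4,
                       rpo_hours=1, backup_interval_hours=24)

# Constructed 30-day outage log (start, end) for the order-processing system.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = PERIOD_START + timedelta(days=30)
OUTAGES = [
    (datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 4, 0)),      # 2 h
    (datetime(2024, 1, 14, 9, 0), datetime(2024, 1, 14, 13, 0)),   # 4 h
    (datetime(2024, 1, 25, 22, 0), datetime(2024, 1, 26, 4, 0)),   # 6 h
]

if __name__ == "__main__":
    for plan in (ORDER_PROCESSING, PAYROLL):
        print(plan.system, "->", plan.gaps() or "meets MTD and RPO")
    mtbf, mttr = mtbf_mttr(OUTAGES, PERIOD_START, PERIOD_END)
    print(f"MTBF {mtbf:.1f} h, MTTR {mttr:.1f} h, availability {availability(mtbf, mttr):.4%}")
```

The payroll plan illustrates the two failure modes the metrics are meant to catch: a warm site with a 6-hour RTO looks fine on its own, but once the 4 hours of work recovery are added the 8-hour MTD is blown, and a daily backup can never satisfy a 1-hour RPO no matter how fast restoration is. The outage log yields an MTBF of 236 h and an MTTR of 4 h over the 720-hour period, so the measured availability is about 98.3%.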
31. Business Continuity Process: Results of the Business Impact Analysis
The BIA results contain:
• All identified business processes and assets, not just those considered critical.
• The impact the company can handle when dealing with each risk.
• The outage times that would be critical vs. those that would not be.
• Preventive controls.
• Documented and presented to management for approval; the results are used to create the recovery plans.
Recovery strategies: when preventive controls don't work, recovery strategies are necessary:
• Facility recovery
• Hardware and software recovery
• Personnel recovery
• Data recovery
32. Recovery Strategies
Facility recovery
• Subscription services: hot, warm, and cold sites.
• Reciprocal agreements.
• Others: redundant/mirrored site (partial or full), outsourcing, rolling hot site, prefabricated building.
• Offsite facilities should be no less than 15 miles away for low- to medium-criticality environments; critical operations should have an offsite facility 50-200 miles away.
Data recovery
• Electronic vaulting: a copy of each modified file is sent to a remote location where an original backup is stored.
• Remote journaling: moves the journal or transaction log to a remote location, not the actual files.
33. BCP Plan: Three Phases Following a Disruption
• Notification/Activation: notifying recovery personnel and performing a damage assessment.
• Recovery (failover): actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities; performed by the recovery team.
• Reconstitution (failback): outlines the actions taken to return the system to normal operating conditions; performed by the salvage team.
34. Types of Tests
• Checklist test: copies of the plan are distributed to different departments; functional managers review them.
• Structured walk-through (tabletop) test: representatives from each department go over the plan together.
• Simulation test: walking through a disaster scenario; continues up to the point of actual relocation to an offsite facility, which is not performed.
• Parallel test: systems are moved to the alternate site and processing takes place there, while the original site continues to operate.
• Full-interruption test: the original site is shut down and all processing is moved to the offsite facility.
BCP/DRP frameworks: NIST SP 800-34, ISO/IEC 27031, and the Business Continuity Institute (BCI) Good Practice Guidelines.
35. Security Awareness Education
• The successful implementation of a security solution requires changes in user behavior.
• To develop and manage security education, training, and awareness, all relevant items of knowledge to be transferred must be clearly identified, and programs of presentation, exposure, synergy, and implementation crafted.
• The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users.
• Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos, as well as traditional instructor-led training courses.
• The awareness program in an organization should be tied in with its security policy, incident-handling plan, business continuity, and disaster recovery procedures.
• Training is typically hosted by the organization and is targeted at groups of employees with similar job functions.
• The assessment of the levels of awareness, training, and education required within the organization should be revised on a regular basis using periodic content reviews.