SlideShare ist ein Scribd-Unternehmen logo

MIS: Information Security Management

Als PPTX, PDF herunterladen
Jonathan Coleman
Jonathan Coleman
TechnologieBusiness
1 von 33
IS Security Management 4/18/2013
The Elephant in the Server Room • Absolute security is a myth. • IS managers take the blame.
Risk Management • Risk management: process of identifying and controlling risks facing an organization • Risk identification: process of examining an organization’s current information technology security situation • Risk control: applying controls to reduce risks to an organizations data and information systems 3
Components of Risk Management Risk Management Risk Identification Risk Control Risk Assessment is the documented result of the risk identification process Selecting Strategy Inventorying Assets Justifying Controls Classifying Assets Identifying Threats & Vulnerabilities
An Overview of Risk Management • Know yourself – Understand the technology and systems in your organization • Know the enemy – Identify, examine, understand threats • Role of Communities of Interest – Information Security – Management and Users – Information Technology 5
Risk Identification • Assets are targets of various threats and threat agents • Risk management involves identifying organization’s assets and identifying threats/vulnerabilities • Risk identification begins with identifying organization’s assets and assessing their value 6
7
Asset Identification and Valuation • List all elements of an organization’s system. • Classify and categorize assets. 8
Table 4-1 - Categorizing Components & Valuation Asset Identification Traditional System SecSDLC and risk management system components Components People Employee Trusted employees Other staff Non-employees People at trusted organizations / Strangers Procedures Procedures IT & business standards procedures IT & business standards procedures Data Information Transmission, Processing, Storage Software Software Applications, Operating systems, Security components Hardware System devices and Systems and peripherals peripherals Security devices Networking components Intranet components Internet or DMZ components
Data / People / Procedural Assets • Human resources, documentation, and data information assets are more difficult to identify • People with knowledge, experience, and good judgment should be assigned this task • These assets should be recorded using reliable data-handling process 10
Hardware / Software / Network Assets • Name (device or program name) • IP address • Media access control (MAC) address • Element type – server, desktop, etc. Device Class, Device OS, Device Capacity 11
Hardware / Software / Network Assets • serial number • manufacturer name; model/part number • software versions • physical or logical location • Software version, update revision
Information Asset Classification • Many organizations have data classification schemes (e.g., confidential, internal, public data) • Classification must be specific enough to allow determination of priority • Comprehensive – all info fits in list somewhere • Mutually exclusive – fits in one place 13
Information Asset Valuation • What is most critical to organization’s success? • What generates the most revenue? • What generates the most profit? • What would be most expensive to replace?
Information Asset Valuation (continued) • What would be most expensive to protect? • What would be most embarrassing or cause the greatest liability is revealed?
Figure 4-3 – Example Worksheet 16
Listing Assets in Order of Importance • Weighted factor analysis • Each info asset assigned score for each critical factor (0.1 to 1.0) • Each critical factor is assigned a weight (1- 100) • Multiply and add
Table 4-2 – Example Weighted Factor Analysis CPSC375@UTC/CS 18
Data Classification and Management • Information owners responsible for classifying their information assets • Information classifications must be reviewed periodically • Most organizations do not need detailed level of classification used by military or federal agencies.
Data Classification and Management • Organizations may need to classify data to provide protection – Public – For official use only – Sensitive – classified CPSC375@UTC/CS 20
Data Classification and Management • Assign classification to all data • Grant access to data based on classification and need • Devise some method of managing data relative to classification CPSC375@UTC/CS 21
Security Clearances • Security clearance structure: each data user assigned a single level of authorization indicating classification level • Before accessing specific set of data, employee must meet need-to-know requirement • Extra level of protection ensures information confidentiality is maintained
Potential Threats Threat Example Acts of human error or failure Accidents, employee mistakes Compromises to intellectual Piracy, copyright infringement property Deliberate acts of espionage or Unauthorized access and/or data trespass collection Deliberate acts of information Blackmail or information extortion disclosure Deliberate acts of theft Illegal confiscation of equipment or information Deliberate acts of sabotage or Destruction of systems or vandalism information
Potential Threats Categories of Threat Examples Deliberate acts of software attacks Viruses, worms, macros, denial-of- service Forces of nature Fire, flood, earthquake, lightning Deviations in quality of service ISP, power, WAN service issues from service providers Technical hardware failures or errors Equipment failure Technical software failures or errors Bugs, code problems, unknown loopholes Technological obsolescence Antiquated or outdated technologies 24
Threat Assessment • Which threats present a danger to an organization’s assets? • Which threats represent the most danger? • How much would it cost to recover? • Which threat requires the greatest expenditure to prevent? 25
Vulnerability Identification • Identify each asset and each threat it faces • Create a list of vulnerabilities • Examine how each of the threats are likely to be perpetrated
Risk Assessment • Risk assessment evaluates the relative risk for each vulnerability • Assigns a risk rating or score to each information asset 27
Risk Assessment likelihood of occurrence * value of the information asset - percent mitigated + uncertainty
Probability Computation • Assign number between 0.1 – 1 • Data is available for some factors – Likelihood of fire – Likelihood of receiving infected email – Number of network attacks 29
Valuation of Information Assets Using info from asset identification assign weighted score for the value. – 1 -100 – 100 – stop company operations – May use broad categories – NIST has some predefined 30
Risk Control Strategies • Apply safeguards that eliminate or reduce residual risks (avoidance) • Transfer the risk to other areas or outside entities (transference) • Reduce the impact should the vulnerability be exploited (mitigation) • Understand the consequences and accept the risk without control or mitigation (acceptance) 31
Mitigation • When a vulnerability can be exploited -- apply layered protections, architectural designs, and administrative controls • When attacker’s cost is less than potential gain -- apply protection to increase attackers costs • When potential loss is substantial -- redesign, new architecture, controls
Conclusion “The goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization’s comfort zone or risk appetite” 33

Empfohlen

Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
The need for security
The need for securityThe need for security
The need for security
Dhani Ahmad
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
Stephen Lahanas
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
Physical security
Physical securityPhysical security
Physical security
Dhani Ahmad
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Adri Jovin
 

Empfohlen

Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
The need for security
The need for securityThe need for security
The need for security
Dhani Ahmad
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
Stephen Lahanas
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
Physical security
Physical securityPhysical security
Physical security
Dhani Ahmad
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Adri Jovin
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
MLG College of Learning, Inc
 
IT Risk Management - the right posture
IT Risk Management - the right postureIT Risk Management - the right posture
IT Risk Management - the right posture
Parag Deodhar
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
8 Access Control
8 Access Control8 Access Control
8 Access Control
Alfred Ouyang
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
Ahmed Moussa
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
Dhani Ahmad
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
idingolay
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
Computer Aid, Inc
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
Wajahat Rajab
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
ChandanChandu928137
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
Introduction to the management of information security
Introduction to the management of information security Introduction to the management of information security
Introduction to the management of information security
Sammer Qader
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
Ndheh
 
ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
RishabhAgrawal695188
 

Weitere ähnliche Inhalte

Was ist angesagt?

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
idingolay
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
Wajahat Rajab
 

Was ist angesagt? (20)

Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
 
IT Risk Management - the right posture
IT Risk Management - the right postureIT Risk Management - the right posture
IT Risk Management - the right posture
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
8 Access Control
8 Access Control8 Access Control
8 Access Control
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Information security
Information securityInformation security
Information security
 
Information security
Information securityInformation security
Information security
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Introduction to the management of information security
Introduction to the management of information security Introduction to the management of information security
Introduction to the management of information security
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 

Ähnlich wie MIS: Information Security Management

Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program
Tripwire
 

Ähnlich wie MIS: Information Security Management (20)

Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
 
ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
 
Ch 1 assets
Ch 1 assetsCh 1 assets
Ch 1 assets
 
Cyber Risk in e-Discovery: What You Need to Know
Cyber Risk in e-Discovery: What You Need to KnowCyber Risk in e-Discovery: What You Need to Know
Cyber Risk in e-Discovery: What You Need to Know
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
Intro.ppt
Intro.pptIntro.ppt
Intro.ppt
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdf
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
C4I cyber secuirty by Eric Eifert - Keynote 9.pptxC4I cyber secuirty by Eric Eifert - Keynote 9.pptx
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
internet securityand cyber law Unit3 1
internet securityand cyber law Unit3 1internet securityand cyber law Unit3 1
internet securityand cyber law Unit3 1
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptx
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program
 

Mehr von Jonathan Coleman

MIS: Business Intelligence
MIS: Business IntelligenceMIS: Business Intelligence
MIS: Business Intelligence
Jonathan Coleman
 
MIS: Information Systems Development
MIS: Information Systems DevelopmentMIS: Information Systems Development
MIS: Information Systems Development
Jonathan Coleman
 
MIS: Information Systems Management
MIS: Information Systems ManagementMIS: Information Systems Management
MIS: Information Systems Management
Jonathan Coleman
 
MIS: Project Management Systems
MIS: Project Management SystemsMIS: Project Management Systems
MIS: Project Management Systems
Jonathan Coleman
 
MIS: Business Process Modeling (BPMN)
MIS: Business Process Modeling (BPMN)MIS: Business Process Modeling (BPMN)
MIS: Business Process Modeling (BPMN)
Jonathan Coleman
 
Global Information Systems
Global Information SystemsGlobal Information Systems
Global Information Systems
Jonathan Coleman
 

Mehr von Jonathan Coleman (15)

MIS: Business Intelligence
MIS: Business IntelligenceMIS: Business Intelligence
MIS: Business Intelligence
 
MIS: Information Systems Development
MIS: Information Systems DevelopmentMIS: Information Systems Development
MIS: Information Systems Development
 
MIS: Information Systems Management
MIS: Information Systems ManagementMIS: Information Systems Management
MIS: Information Systems Management
 
MIS: Project Management Systems
MIS: Project Management SystemsMIS: Project Management Systems
MIS: Project Management Systems
 
MIS: Business Process Modeling (BPMN)
MIS: Business Process Modeling (BPMN)MIS: Business Process Modeling (BPMN)
MIS: Business Process Modeling (BPMN)
 
Online Branding
Online BrandingOnline Branding
Online Branding
 
Networks
NetworksNetworks
Networks
 
Business Internet
Business InternetBusiness Internet
Business Internet
 
Global Information Systems
Global Information SystemsGlobal Information Systems
Global Information Systems
 
Organizational Strategy
Organizational StrategyOrganizational Strategy
Organizational Strategy
 
Mis And You
Mis And YouMis And You
Mis And You
 
Database Management
Database ManagementDatabase Management
Database Management
 
Business processes
Business processesBusiness processes
Business processes
 
Hardware Systems
Hardware SystemsHardware Systems
Hardware Systems
 
Careers in MIS
Careers in MISCareers in MIS
Careers in MIS
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

MIS: Information Security Management

  • 2. The Elephant in the Server Room • Absolute security is a myth. • IS managers take the blame.
  • 3. Risk Management • Risk management: process of identifying and controlling risks facing an organization • Risk identification: process of examining an organization’s current information technology security situation • Risk control: applying controls to reduce risks to an organizations data and information systems 3
  • 4. Components of Risk Management Risk Management Risk Identification Risk Control Risk Assessment is the documented result of the risk identification process Selecting Strategy Inventorying Assets Justifying Controls Classifying Assets Identifying Threats & Vulnerabilities
  • 5. An Overview of Risk Management • Know yourself – Understand the technology and systems in your organization • Know the enemy – Identify, examine, understand threats • Role of Communities of Interest – Information Security – Management and Users – Information Technology 5
  • 6. Risk Identification • Assets are targets of various threats and threat agents • Risk management involves identifying organization’s assets and identifying threats/vulnerabilities • Risk identification begins with identifying organization’s assets and assessing their value 6
  • 7. 7
  • 8. Asset Identification and Valuation • List all elements of an organization’s system. • Classify and categorize assets. 8
  • 9. Table 4-1 - Categorizing Components & Valuation Asset Identification Traditional System SecSDLC and risk management system components Components People Employee Trusted employees Other staff Non-employees People at trusted organizations / Strangers Procedures Procedures IT & business standards procedures IT & business standards procedures Data Information Transmission, Processing, Storage Software Software Applications, Operating systems, Security components Hardware System devices and Systems and peripherals peripherals Security devices Networking components Intranet components Internet or DMZ components
  • 10. Data / People / Procedural Assets • Human resources, documentation, and data information assets are more difficult to identify • People with knowledge, experience, and good judgment should be assigned this task • These assets should be recorded using reliable data-handling process 10
  • 11. Hardware / Software / Network Assets • Name (device or program name) • IP address • Media access control (MAC) address • Element type – server, desktop, etc. Device Class, Device OS, Device Capacity 11
  • 12. Hardware / Software / Network Assets • serial number • manufacturer name; model/part number • software versions • physical or logical location • Software version, update revision
  • 13. Information Asset Classification • Many organizations have data classification schemes (e.g., confidential, internal, public data) • Classification must be specific enough to allow determination of priority • Comprehensive – all info fits in list somewhere • Mutually exclusive – fits in one place 13
  • 14. Information Asset Valuation • What is most critical to organization’s success? • What generates the most revenue? • What generates the most profit? • What would be most expensive to replace?
  • 15. Information Asset Valuation (continued) • What would be most expensive to protect? • What would be most embarrassing or cause the greatest liability is revealed?
  • 16. Figure 4-3 – Example Worksheet 16
  • 17. Listing Assets in Order of Importance • Weighted factor analysis • Each info asset assigned score for each critical factor (0.1 to 1.0) • Each critical factor is assigned a weight (1- 100) • Multiply and add
  • 18. Table 4-2 – Example Weighted Factor Analysis CPSC375@UTC/CS 18
  • 19. Data Classification and Management • Information owners responsible for classifying their information assets • Information classifications must be reviewed periodically • Most organizations do not need detailed level of classification used by military or federal agencies.
  • 20. Data Classification and Management • Organizations may need to classify data to provide protection – Public – For official use only – Sensitive – classified CPSC375@UTC/CS 20
  • 21. Data Classification and Management • Assign classification to all data • Grant access to data based on classification and need • Devise some method of managing data relative to classification CPSC375@UTC/CS 21
  • 22. Security Clearances • Security clearance structure: each data user assigned a single level of authorization indicating classification level • Before accessing specific set of data, employee must meet need-to-know requirement • Extra level of protection ensures information confidentiality is maintained
  • 23. Potential Threats Threat Example Acts of human error or failure Accidents, employee mistakes Compromises to intellectual Piracy, copyright infringement property Deliberate acts of espionage or Unauthorized access and/or data trespass collection Deliberate acts of information Blackmail or information extortion disclosure Deliberate acts of theft Illegal confiscation of equipment or information Deliberate acts of sabotage or Destruction of systems or vandalism information
  • 24. Potential Threats Categories of Threat Examples Deliberate acts of software attacks Viruses, worms, macros, denial-of- service Forces of nature Fire, flood, earthquake, lightning Deviations in quality of service ISP, power, WAN service issues from service providers Technical hardware failures or errors Equipment failure Technical software failures or errors Bugs, code problems, unknown loopholes Technological obsolescence Antiquated or outdated technologies 24
  • 25. Threat Assessment • Which threats present a danger to an organization’s assets? • Which threats represent the most danger? • How much would it cost to recover? • Which threat requires the greatest expenditure to prevent? 25
  • 26. Vulnerability Identification • Identify each asset and each threat it faces • Create a list of vulnerabilities • Examine how each of the threats are likely to be perpetrated
  • 27. Risk Assessment • Risk assessment evaluates the relative risk for each vulnerability • Assigns a risk rating or score to each information asset 27
  • 28. Risk Assessment likelihood of occurrence * value of the information asset - percent mitigated + uncertainty
  • 29. Probability Computation • Assign number between 0.1 – 1 • Data is available for some factors – Likelihood of fire – Likelihood of receiving infected email – Number of network attacks 29
  • 30. Valuation of Information Assets Using info from asset identification assign weighted score for the value. – 1 -100 – 100 – stop company operations – May use broad categories – NIST has some predefined 30
  • 31. Risk Control Strategies • Apply safeguards that eliminate or reduce residual risks (avoidance) • Transfer the risk to other areas or outside entities (transference) • Reduce the impact should the vulnerability be exploited (mitigation) • Understand the consequences and accept the risk without control or mitigation (acceptance) 31
  • 32. Mitigation • When a vulnerability can be exploited -- apply layered protections, architectural designs, and administrative controls • When attacker’s cost is less than potential gain -- apply protection to increase attackers costs • When potential loss is substantial -- redesign, new architecture, controls
  • 33. Conclusion “The goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization’s comfort zone or risk appetite” 33