SlideShare ist ein Scribd-Unternehmen logo

ISAA PPt

Als PPTX, PDF herunterladen
R
RishabhAgrawal695188

PPT on information security management

Ingenieurwesen
1 von 29
Module-3 Information Security Management
Module-3: Information Security Management Monitor systems and apply controls Security assessment using automated tools Backups of security devices Performance Analysis, Root cause analysis and Resolution, Information Security Policies, Procedures, Standards and Guidelines
1. What is security assessment? 2. What are the non-intrusive types? 3. How do you choose between these types? 4. What are the intrusive types? 5. What are the types of risk reduction? 6. What is effective security? 7. What are the limitations to security assessment? Security Assessment Outline
1. Definition – Security assessment • identifies existing IT vulnerabilities (weakness) and • recommends countermeasures for mitigating potential risks. • Goal – Make the infrastructure more secure – Identify risks and reduce them • Consequences of Failure – Loss of services – Financial loss – Loss of reputation – Legal consequences Security Assessment Overview
• Non-Intrusive 1. Security Audit 2. Risk Assessment 3. Risk Analysis • Intrusive 1. Vulnerability Scan 2. Penetration Testing / Ethical Hacking • All have the goal of identifying vulnerabilities and improving security. – (what is allowed, legal liability, purpose of analysis, etc.). Security Assessment 2. Types
Independent review and examination of system records &  Activities to determine capability of system controls  Ensure compliance of security policy & Operational procedures, Detect cracks in security, and Recommend changes in these processes. Security Assessment: Non-Intrusive Types 1. Security Audit
• Features –Formal Process –Paper Oriented • Review Policies for Compliance and Best Practices –Review System Configurations • Questionnaire • Automated Scanning –Checklists Security Assessment: Non-Intrusive Types 1. Security Audit
• Risk Assessment (Vulnerability Assessment) is: –determination of state of risk associated with a system based upon thorough analysis –includes recommendations to support subsequent security controls/decisions. –takes into account business, as well as legal constraints. Security Assessment: Non-Intrusive Types 2. Risk Assessment
• Involves more testing than traditional paper audit • Primarily required to identify weaknesses in the information system • Steps –Identify security holes in the infrastructure –Look but not intrude into the systems –Focus on best practices (company policy is secondary) Security Assessment: Non-Intrusive Types 2. Risk Assessment
• Risk Analysis is the identification or study of: –an organization’s assets –threats to these assets –system’s vulnerability to the threats • Risk Analysis is done in order to determine exposure and potential loss. Security Assessment: Non-Intrusive Types 3. Risk Analysis
• Computationally intensive and requires data to –Compute probabilities of attack –Valuation of assets –Efficacy of the controls • usually requires an analytically trained person Security Assessment: Non-Intrusive Types 3. Risk Analysis
Security Assessment Assessment vs. Analysis vs. Audit Assessment Analysis Audit Objective Baseline Determine Exposure and Potential Loss Measure against a Standard Method Various (including use of tools) Various (including tools) Audit Program/ Checklist Deliverables Gaps and Recommendations Identification of Assets, Threats & Vulnerabilities Audit Report Performed by: Internal or External Internal or External Auditors Value Focused Improvement Preparation for Assessment Compliance
• Definition – Scan the network using automated tools to identify security holes in the network • Usually a highly automated process – Fast and cheap • Limitations – False findings – System disruptions (due to improperly run tools) • Differences in regular scans can often identify new vulnerabilities Security Assessment: Intrusive Types 1. Vulnerability Scan
• Definition (Ethical Hacking) – Simulated attacks on computer networks to identify weaknesses in the network. • Steps – Find a vulnerability – Exploit the vulnerability to get deeper access – Explore the potential damage that the hacker can cause • Example – Scan web server: Exploit buffer overflow to get an account – Scan database (from web server) – Find weakness in database: Retrieve password – Use password to compromise firewall Security Assessment: Intrusive Types 2. Penetration Testing
There are three strategies for risk reduction: • Avoiding the risk – by changing requirements for security or other system characteristics • Transferring the risk – by allocating the risk to other systems, people, organizations assets or by buying insurance • Assuming the risk – by accepting it, controlling it with available resources Security Assessment Risk Reduction
• Effective security relies on several factors – Security Assessments – Policies & Procedures – Education (of IT staff, users, & managers) – Configuration Standards/Guidelines • OS Hardening • Network Design • Firewall Configuration • Router Configuration • Web Server Configuration – Security Coding Practices Security Assessment Effective Security
Risk Analysis Concept Map • Threats exploit system vulnerabilities which expose system assets. • Security controls protect against threats by meeting security requirements.
• Assets- • Vulnerability- • Threat- • Security Risk- • Security Controls- Risk Analysis Basic Definitions
• Assets: Something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business. • Data – Breach of confidentiality – Loss of data integrity – Denial of service – Corruption of Applications – Disclosure of Data Risk Analysis Assets • Organization – Loss of trust – Embarrassment – Management failure • Personnel – Injury and death – Sickness – Loss of morale
• Infrastructure – Electrical grid failure – Loss of power – Chemical leaks – Facilities & equipment – Communications Risk Analysis Assets Cont’d • Legal – Use or acceptance of unlicensed software – Disclosure of Client Secrets • Operational – Interruption of services – Loss/Delay in Orders – Delay in Shipments
• Vulnerabilities are flaws within an asset, such as an operating system, router, network, or application, which allows the asset to be exploited by a threat. Risk Analysis Vulnerabilities
• Examples – Software design flaws – Software implementation errors – System misconfiguration (e.g. misconfigured firewalls) – Inadequate security policies – Poor system management – Lack of physical protections – Lack of employee training (e.g. passwords on post-it notes in drawers or under keyboards) Risk Analysis Vulnerabilities
• Threats are potential causes of events which have a negative impact. – Threats exploit vulnerabilities causing impact to assets • Examples – Denial of Service (DOS) Attacks – Spoofing and Masquerading – Malicious Code – Human Error – Insider Attacks – Intrusion Risk Analysis Threats
Risk Analysis Sources of Threats Source Examples of Reasons External Hackers with Malicious Intent • Espionage • Intent to cause damage • Terrorism External Hackers Seeking Thrill • Popularity Insiders with Malicious Intent • Anger at company • Competition with co-worker(s) Accidental Deletion of Files and Data • User errors Environmental Damage • Floods • Earthquakes • Fires Equipment and Hardware Failure • Hard disk crashes
• Risk is the probability that a specific threat will successfully exploit a vulnerability causing a loss. • Risks of an organization are evaluated by three distinguishing characteristics: – loss associated with an event, e.g., disclosure of confidential data, lost time, and lost revenues. – likelihood that event will occur, i.e. probability of event occurrence – Degree that risk outcome can be influenced, i.e. controls that will influence the event Risk Analysis Security Risk
• Physical Asset Risks –Relating to items with physical and tangible items that have an associated financial value Risk Analysis Physical Asset Risks
• Mission Risks –Relating to functions, jobs or tasks that need to be performed Risk Analysis Mission Risks
• Security Risks –Integrates with both asset and mission risks Risk Analysis Security Risks
• ISO 17799 – Title: Information technology -- Code of practice for information security management – Starting point for developing policies – http://www.iso.ch/iso/en/prods- services/popstds/.../en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441 &ICS1=35 • ISO 13335 – Title: Information technology -- Guidelines for the management of IT Security -- Part 1: Concepts and models for IT Security – Assists with developing baseline security. – http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=217 33&ICS1=35 • NIST SP 800-xx – Different standards for various applications – http://csrc.nist.gov/publications/nistpubs/ • Center for Internet Security – Configuration Standards (benchmarks) – http://www.cisecurity.org/ Risk Analysis: Define Objectives Standards

Empfohlen

Intro.ppt
Intro.pptIntro.ppt
Intro.pptRamaNingaiah
 
Ch 1 assets
Ch 1 assetsCh 1 assets
Ch 1 assetsDheeraj Sadawarte
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Security.ppt
Security.pptSecurity.ppt
Security.pptssuser50c54b
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdfNdheh
 
INFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTSINFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTShenlydailymotion
 
ch01.ppt
ch01.pptch01.ppt
ch01.pptsamsam693199
 

Empfohlen

Intro.ppt
Intro.pptIntro.ppt
Intro.pptRamaNingaiah
 
Ch 1 assets
Ch 1 assetsCh 1 assets
Ch 1 assetsDheeraj Sadawarte
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Security.ppt
Security.pptSecurity.ppt
Security.pptssuser50c54b
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdfNdheh
 
INFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTSINFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTShenlydailymotion
 
ch01.ppt
ch01.pptch01.ppt
ch01.pptsamsam693199
 
information security presentation topics
information security presentation topicsinformation security presentation topics
information security presentation topicsOlajide Kuku
 
educational content, educational contented educational content
educational content, educational contented educational contenteducational content, educational contented educational content
educational content, educational contented educational contentOlajide Kuku
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Knoldus Inc.
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptxcejobelle
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxAbraraw Zerfu
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3 Kabul Education University
 
Administering security
Administering securityAdministering security
Administering securityG Prachi
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyKomal Zahra
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01Wiliam Ferraciolli
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
ch14.ppt
ch14.pptch14.ppt
ch14.pptFizZaShYkh
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Network Security Topic 1 intro
Network Security Topic 1 introNetwork Security Topic 1 intro
Network Security Topic 1 introKhawar Nehal khawar.nehal@atrc.net.pk
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaSee You Rise Holdings
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfBabyBoy55
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber securityInderjeet Singh
 
insider threat research
insider threat researchinsider threat research
insider threat researchAsma Al-maskaria
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxSCMS School of Architecture
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdfKamal Acharya
 

Weitere ähnliche Inhalte

Ähnlich wie ISAA PPt

information security presentation topics
information security presentation topicsinformation security presentation topics
information security presentation topicsOlajide Kuku
 
educational content, educational contented educational content
educational content, educational contented educational contenteducational content, educational contented educational content
educational content, educational contented educational contentOlajide Kuku
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Knoldus Inc.
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptxcejobelle
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxAbraraw Zerfu
 
Administering security
Administering securityAdministering security
Administering securityG Prachi
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyKomal Zahra
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaSee You Rise Holdings
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfBabyBoy55
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber securityInderjeet Singh
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 

Ähnlich wie ISAA PPt (20)

information security presentation topics
information security presentation topicsinformation security presentation topics
information security presentation topics
 
educational content, educational contented educational content
educational content, educational contented educational contenteducational content, educational contented educational content
educational content, educational contented educational content
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
Administering security
Administering securityAdministering security
Administering security
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Network Security Topic 1 intro
Network Security Topic 1 introNetwork Security Topic 1 intro
Network Security Topic 1 intro
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber security
 
insider threat research
insider threat researchinsider threat research
insider threat research
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 

Kürzlich hochgeladen

S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxSCMS School of Architecture
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdfKamal Acharya
 
Wadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptxWadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptxNadaHaitham1
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsvanyagupta248
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityMorshed Ahmed Rahath
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxSCMS School of Architecture
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARKOUSTAV SARKAR
 
kiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadkiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadhamedmustafa094
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxmaisarahman1
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesRAJNEESHKUMAR341697
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdfKamal Acharya
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesChandrakantDivate1
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxchumtiyababu
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 

Kürzlich hochgeladen (20)

S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Wadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptxWadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptx
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
kiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadkiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal load
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planes
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 

ISAA PPt

  • 2. Module-3: Information Security Management Monitor systems and apply controls Security assessment using automated tools Backups of security devices Performance Analysis, Root cause analysis and Resolution, Information Security Policies, Procedures, Standards and Guidelines
  • 3. 1. What is security assessment? 2. What are the non-intrusive types? 3. How do you choose between these types? 4. What are the intrusive types? 5. What are the types of risk reduction? 6. What is effective security? 7. What are the limitations to security assessment? Security Assessment Outline
  • 4. 1. Definition – Security assessment • identifies existing IT vulnerabilities (weakness) and • recommends countermeasures for mitigating potential risks. • Goal – Make the infrastructure more secure – Identify risks and reduce them • Consequences of Failure – Loss of services – Financial loss – Loss of reputation – Legal consequences Security Assessment Overview
  • 5. • Non-Intrusive 1. Security Audit 2. Risk Assessment 3. Risk Analysis • Intrusive 1. Vulnerability Scan 2. Penetration Testing / Ethical Hacking • All have the goal of identifying vulnerabilities and improving security. – (what is allowed, legal liability, purpose of analysis, etc.). Security Assessment 2. Types
  • 6. Independent review and examination of system records &  Activities to determine capability of system controls  Ensure compliance of security policy & Operational procedures, Detect cracks in security, and Recommend changes in these processes. Security Assessment: Non-Intrusive Types 1. Security Audit
  • 7. • Features –Formal Process –Paper Oriented • Review Policies for Compliance and Best Practices –Review System Configurations • Questionnaire • Automated Scanning –Checklists Security Assessment: Non-Intrusive Types 1. Security Audit
  • 8. • Risk Assessment (Vulnerability Assessment) is: –determination of state of risk associated with a system based upon thorough analysis –includes recommendations to support subsequent security controls/decisions. –takes into account business, as well as legal constraints. Security Assessment: Non-Intrusive Types 2. Risk Assessment
  • 9. • Involves more testing than traditional paper audit • Primarily required to identify weaknesses in the information system • Steps –Identify security holes in the infrastructure –Look but not intrude into the systems –Focus on best practices (company policy is secondary) Security Assessment: Non-Intrusive Types 2. Risk Assessment
  • 10. • Risk Analysis is the identification or study of: –an organization’s assets –threats to these assets –system’s vulnerability to the threats • Risk Analysis is done in order to determine exposure and potential loss. Security Assessment: Non-Intrusive Types 3. Risk Analysis
  • 11. • Computationally intensive and requires data to –Compute probabilities of attack –Valuation of assets –Efficacy of the controls • usually requires an analytically trained person Security Assessment: Non-Intrusive Types 3. Risk Analysis
  • 12. Security Assessment Assessment vs. Analysis vs. Audit Assessment Analysis Audit Objective Baseline Determine Exposure and Potential Loss Measure against a Standard Method Various (including use of tools) Various (including tools) Audit Program/ Checklist Deliverables Gaps and Recommendations Identification of Assets, Threats & Vulnerabilities Audit Report Performed by: Internal or External Internal or External Auditors Value Focused Improvement Preparation for Assessment Compliance
  • 13. • Definition – Scan the network using automated tools to identify security holes in the network • Usually a highly automated process – Fast and cheap • Limitations – False findings – System disruptions (due to improperly run tools) • Differences in regular scans can often identify new vulnerabilities Security Assessment: Intrusive Types 1. Vulnerability Scan
  • 14. • Definition (Ethical Hacking) – Simulated attacks on computer networks to identify weaknesses in the network. • Steps – Find a vulnerability – Exploit the vulnerability to get deeper access – Explore the potential damage that the hacker can cause • Example – Scan web server: Exploit buffer overflow to get an account – Scan database (from web server) – Find weakness in database: Retrieve password – Use password to compromise firewall Security Assessment: Intrusive Types 2. Penetration Testing
  • 15. There are three strategies for risk reduction: • Avoiding the risk – by changing requirements for security or other system characteristics • Transferring the risk – by allocating the risk to other systems, people, organizations assets or by buying insurance • Assuming the risk – by accepting it, controlling it with available resources Security Assessment Risk Reduction
  • 16. • Effective security relies on several factors – Security Assessments – Policies & Procedures – Education (of IT staff, users, & managers) – Configuration Standards/Guidelines • OS Hardening • Network Design • Firewall Configuration • Router Configuration • Web Server Configuration – Security Coding Practices Security Assessment Effective Security
  • 17. Risk Analysis Concept Map • Threats exploit system vulnerabilities which expose system assets. • Security controls protect against threats by meeting security requirements.
  • 18. • Assets- • Vulnerability- • Threat- • Security Risk- • Security Controls- Risk Analysis Basic Definitions
  • 19. • Assets: Something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business. • Data – Breach of confidentiality – Loss of data integrity – Denial of service – Corruption of Applications – Disclosure of Data Risk Analysis Assets • Organization – Loss of trust – Embarrassment – Management failure • Personnel – Injury and death – Sickness – Loss of morale
  • 20. • Infrastructure – Electrical grid failure – Loss of power – Chemical leaks – Facilities & equipment – Communications Risk Analysis Assets Cont’d • Legal – Use or acceptance of unlicensed software – Disclosure of Client Secrets • Operational – Interruption of services – Loss/Delay in Orders – Delay in Shipments
  • 21. • Vulnerabilities are flaws within an asset, such as an operating system, router, network, or application, which allows the asset to be exploited by a threat. Risk Analysis Vulnerabilities
  • 22. • Examples – Software design flaws – Software implementation errors – System misconfiguration (e.g. misconfigured firewalls) – Inadequate security policies – Poor system management – Lack of physical protections – Lack of employee training (e.g. passwords on post-it notes in drawers or under keyboards) Risk Analysis Vulnerabilities
  • 23. • Threats are potential causes of events which have a negative impact. – Threats exploit vulnerabilities causing impact to assets • Examples – Denial of Service (DOS) Attacks – Spoofing and Masquerading – Malicious Code – Human Error – Insider Attacks – Intrusion Risk Analysis Threats
  • 24. Risk Analysis Sources of Threats Source Examples of Reasons External Hackers with Malicious Intent • Espionage • Intent to cause damage • Terrorism External Hackers Seeking Thrill • Popularity Insiders with Malicious Intent • Anger at company • Competition with co-worker(s) Accidental Deletion of Files and Data • User errors Environmental Damage • Floods • Earthquakes • Fires Equipment and Hardware Failure • Hard disk crashes
  • 25. • Risk is the probability that a specific threat will successfully exploit a vulnerability causing a loss. • Risks of an organization are evaluated by three distinguishing characteristics: – loss associated with an event, e.g., disclosure of confidential data, lost time, and lost revenues. – likelihood that event will occur, i.e. probability of event occurrence – Degree that risk outcome can be influenced, i.e. controls that will influence the event Risk Analysis Security Risk
  • 26. • Physical Asset Risks –Relating to items with physical and tangible items that have an associated financial value Risk Analysis Physical Asset Risks
  • 27. • Mission Risks –Relating to functions, jobs or tasks that need to be performed Risk Analysis Mission Risks
  • 28. • Security Risks –Integrates with both asset and mission risks Risk Analysis Security Risks
  • 29. • ISO 17799 – Title: Information technology -- Code of practice for information security management – Starting point for developing policies – http://www.iso.ch/iso/en/prods- services/popstds/.../en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441 &ICS1=35 • ISO 13335 – Title: Information technology -- Guidelines for the management of IT Security -- Part 1: Concepts and models for IT Security – Assists with developing baseline security. – http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=217 33&ICS1=35 • NIST SP 800-xx – Different standards for various applications – http://csrc.nist.gov/publications/nistpubs/ • Center for Internet Security – Configuration Standards (benchmarks) – http://www.cisecurity.org/ Risk Analysis: Define Objectives Standards

Hinweis der Redaktion

  1. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  2. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  3. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  4. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  5. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  6. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  7. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  8. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”
  9. “The terms Risk Analysis, Risk Assessment, and Risk Management are used interchangeably by some individuals and, in the field of Program Management, are construed to represent similar concepts but the order of precedence is inverse to that for Automation or Computer Security.” Definition: “Risk Analysis is the identification of a specific installation’s assets, the threats to them, the system’s vulnerability to those threats, and the presumed loss in consideration of existing and projected safeguards. To accomplish either qualitative or quantitative analysis of the system’s risk posture, presumptions should be made that the threats actually occur periodically, if unpredictably, and result in significant damage to system assets that constitute some discernable value to the organization; further, safeguards under review should be considered to be properly conceived and to work correctly in order to make reasonable comparisons. Although approximations and simplifications may be made for the sake of expediency to accomplish a risk analysis, objectivity can prevail when reasonable compromises are made. The most realistic portrayal of actual situations can be made when figures used in computations closely represent the documented local conditions as contrasted with generic, averaged conditions. A concurrent or subsequent security test and evaluation of those very safeguards should be made to establish whether, in fact, the presumptions are correct and, if not, what improvement should be effected.” Definition: “Risk Assessment is a comprehensive determination of the state of risk associated with a system based upon a thorough analysis of the foregoing considerations; by definition, the assessment should include recommendations to support subsequent management decision for (elimination of unnecessarily onerous restrictions and/or) adoption of specific additional safeguards that would reduce the level of system risk to an acceptable level within the constraints imposed by mission, budgetary, political, societal, and other relevant factors.”