ISA 562 Summer 2008 (lecture slides, transcript)
Personnel good practice
• Job description; roles and responsibilities
• Least privilege / need to know
• Compliance with need to share
• Separation of duties / responsibilities
• Job rotation
• Mandatory vacations
Security Awareness
• Awareness training
  – Remind employees of their security responsibilities
  – Motivate personnel to comply with them
• Delivery: videos, newsletters, posters, key-chains
Training and Education
• Job training
  – Provide the skills needed to perform security functions
  – Focus on security-related job skills
  – Address the security requirements of the organization, etc.
• Professional education
  – Provide the decision-making and security management skills important for the success of the security program
Good training practice
• Address every audience:
  – Management
  – Data owner and custodian
  – Operations personnel
  – Users
  – Support personnel
Risk in NIST SP 800-30
Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization.
Risk-related definitions
• Vulnerability: a flaw or weakness in system procedures, design, implementation, or internal controls that could be exercised to breach or violate the system.
• Likelihood: the probability that a vulnerability will be exercised in the given threat environment.
• Threat: the potential for a threat-source (a mal-actor, but also an accidental or environmental source such as the natural disasters listed later) to exercise a vulnerability.
• Countermeasure: a risk-reduction method (technical, operational, managerial, or a combination).
Risk Management concept flow
(diagram slide; content not reproduced in the transcript)
Risk Management definitions
• Asset: something of value (needed to accomplish goals and objectives)
• Threat agent: anything that can pose or cause a threat
• Exposure: a situation in which a threat can cause loss
• Vulnerability: a weakness that could be exploited
• Attack: an intentional action attempting to cause harm
• Risk: the probability that an adverse event will occur, taken together with its impact (as in the NIST SP 800-30 definition above)
• Residual risk: the risk remaining after countermeasures and safeguards have been applied
Risk Management
Identify possible problems before they occur, so that risk-handling activities may be planned and invoked as needed during the life of the product or project.
The Risk Equation
(equation slide; content not reproduced in the transcript)
Risk Management
• Identify and reduce risks
  – Mitigating controls (safeguards and countermeasures)
  – Residual risk, which remains when countermeasures exist but are not sufficient, must be brought to an acceptable level
Purpose of Risk Analysis
• Identify and justify risk mitigation
  – Assess threats to business processes and information systems
  – Justify the use of countermeasures
• Describe security in terms of risk to the organization
Benefits of Risk Analysis
• Focus policy and resources
• Identify areas with specific risk
• Support good IT governance, including:
  – Business continuity
  – Insurance and liability decisions
  – Legitimizing the security awareness program
Emerging threats
• Risk assessment must address new threats arising from:
  – New technology
  – Change in the culture of the organization
  – Unauthorized use of technology
• Such threats may be discovered by periodic risk assessment
Sources for identifying threats
• Users
  – System administrators
  – Security officers
  – Auditors
• Operations
  – Facility records
  – Community and government records
• Vendor / security provider alerts
• Other threats:
  – Natural disasters: flood, tornado, etc.
  – Environment: overcrowding or poor morale
  – Facility: physical security or location of the building
Risk analysis key factors
• Obtain senior management support
• Establish the risk assessment team
  – Define and approve its purpose and scope
  – Select team members
  – State their authority and responsibility
• Have management review the findings and recommendations
• Risk team members should include: information systems security, IT and operations management, internal audit, physical security, etc.
Use of automated tools for risk management
• Objective: minimize manual effort
• May be time-consuming to set up
• Perform calculations quickly
  – Estimate future expected loss
  – Determine the benefit of security measures
Preliminary security evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval
Risk analysis types
• Two types: quantitative and qualitative
• Both provide valuable metrics
• Both are required for a full picture
Quantitative risk analysis
• Determine monetary values for assets, losses, and countermeasures
• An analysis is fully quantitative only if every element is quantified; this is difficult to achieve and requires much time and personnel effort
Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize real-world cost and value:
  – Price others are willing to pay for it
  – Value of intellectual property
  – Convertibility / negotiability
Quantitative analysis steps
1. Estimate the potential single loss expectancy (SLE)
   SLE = Asset Value ($) × Exposure Factor (EF)
   EF = the fraction (%) of the asset lost when the threat succeeds
   Types of loss: physical destruction, theft, loss of data, etc.
2. Conduct threat analysis: Annualized Rate of Occurrence (ARO)
   ARO = the expected number of exposures/incidents per year, i.e. the likelihood of the unwanted event happening
3. Determine the Annual Loss Expectancy (ALE)
   ALE = SLE × ARO
   The ALE is the magnitude of the risk; its purpose is to justify security countermeasures
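The three steps above carried through in code, as an added example that is not part of the ISA 562 slides. It applies the slide formulas SLE = AV × EF and ALE = SLE × ARO to several threats, ranks them by ALE, and then goes one step further than the slide with the standard safeguard cost/benefit rule (annual value = ALE before − ALE after − annual cost of the safeguard), which is the rule the later "Countermeasure selection principles" slides rely on when they say a cost must be justified by the potential loss. The `Threat` and `Safeguard` classes, the helper functions, and every dollar figure, exposure factor and rate are constructed for the illustration.

```python
"""Quantitative risk analysis worked example (added illustration; not code
from the ISA 562 slides).

Slide formulas:
    SLE = Asset Value (AV) * Exposure Factor (EF)
    ALE = SLE * ARO
Cost/benefit rule for a safeguard (standard extension, assumed here):
    value = ALE_before - ALE_after - annual safeguard cost
All figures below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float              # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: the loss from one successful occurrence."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: the magnitude of the risk per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # acquisition (amortized) + operation + maintenance, per year
    new_ef: float       # EF once the safeguard is in place
    new_aro: float      # ARO once the safeguard is in place


def rank_by_ale(threats: list[Threat]) -> list[tuple[str, float]]:
    """Threats ordered by ALE, highest first: ALE, not SLE, sets priority."""
    return sorted(((t.name, t.ale()) for t in threats), key=lambda x: -x[1])


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """Annual value of a safeguard: ALE reduction minus what it costs to run."""
    after = replace(threat, exposure_factor=sg.new_ef, aro=sg.new_aro)
    return threat.ale() - after.ale() - sg.annual_cost


def choose_safeguard(threat: Threat, options: list[Safeguard]) -> Optional[Safeguard]:
    """Pick the option with the largest positive value; None if none pays off
    (then accept, transfer or avoid the risk rather than buy a control)."""
    best = max(options, key=lambda sg: safeguard_value(threat, sg), default=None)
    if best is None or safeguard_value(threat, best) <= 0:
        return None
    return best


# --- constructed sample data (hypothetical figures) -------------------------
FILE_SERVER_RANSOMWARE = Threat("ransomware on file server", 200_000, 0.25, 0.5)
LAPTOP_THEFT = Threat("laptop theft", 3_000, 1.0, 4.0)
DATACENTER_FLOOD = Threat("data center flood", 500_000, 0.40, 0.02)
THREATS = [FILE_SERVER_RANSOMWARE, LAPTOP_THEFT, DATACENTER_FLOOD]

OFFLINE_BACKUPS = Safeguard("offline backups + restore drills", 6_000, 0.05, 0.5)
PREMIUM_EDR = Safeguard("premium EDR + 24x7 SOC", 30_000, 0.01, 0.1)

if __name__ == "__main__":
    for name, ale in rank_by_ale(THREATS):
        print(f"{name:32s} ALE ${ale:>10,.0f}")
    for sg in (OFFLINE_BACKUPS, PREMIUM_EDR):
        v = safeguard_value(FILE_SERVER_RANSOMWARE, sg)
        print(f"{sg.name:32s} value ${v:>+10,.0f}/yr")
    chosen = choose_safeguard(FILE_SERVER_RANSOMWARE, [OFFLINE_BACKUPS, PREMIUM_EDR])
    print("chosen:", chosen.name if chosen else "none justified")
```

Two things the numbers show that the formulas alone do not: the flood has by far the largest SLE ($200,000) but the smallest ALE ($4,000) because its ARO is low, so ranking by single-incident loss would misdirect the budget; and the more effective of the two safeguards (premium EDR) is the wrong purchase for this asset, because its annual cost exceeds the ALE it removes, while the cheaper backup control returns $14,000 a year.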
Qualitative risk analysis
• Scenario oriented
• Does not assign numeric values to the risk components
• Possible where a quantitative analysis is not (no monetary figures required)
• Qualitative risk analysis factors:
  – Rank the seriousness of threats and the sensitivity of assets
  – Perform a reasoned risk assessment
Other risk analysis methods
• Failure modes and effects analysis (FMEA)
  – Consider the potential failures of each part or module
  – Examine the effects of each failure at three levels:
    • Immediate (part or module)
    • Intermediate (process or package)
    • System-wide
• Fault tree (or spanning tree) analysis
  – Create a "tree" of all possible threats and faults
  – "Branches" are general categories (network threats, physical threats, component failures, etc.)
  – Prune the branches that do not apply
  – Concentrate on the remaining threats
Risk mitigation options
• Risk acceptance
• Risk Reduction
• Risk Transference
• Risk Avoidance
The right amount of security
• Cost/benefit analysis: balance the cost of protection against the value of the asset
• Need to assess:
  – Threats: the adversary and its means, motives, and opportunity
  – Vulnerabilities and the resulting risk
  – Risk tolerance
Countermeasure selection principles
• Based on cost/benefit analysis; the cost of a safeguard includes:
  – Selection and acquisition
  – Construction and placement
  – Environment modification
  – Nontrivial operating cost
  – Maintenance and testing
  – Potential side effects
• The cost must be justified by the potential loss
• Accountability
  – At least one person responsible for each safeguard
  – Associate that responsibility directly with performance review
• Absence of design secrecy: the safeguard must not depend on its design staying secret
Countermeasure selection principles (cont.)
• Audit capability
  – Must be testable
  – Include auditors in design and implementation
• Vendor trustworthiness
  – Review past performance
• Independence of control and subject
  – Safeguards control or constrain subjects
  – Controllers administer the safeguards
  – Controllers and subjects are drawn from different populations
• Universal application
  – Impose safeguards uniformly
  – Minimize exceptions
Countermeasure selection principles (cont.)
• Compartmentalization and defense in depth
  – Role of safeguards: improve security through layers
• Isolation, economy, and least common mechanism
  – Isolate each safeguard from the others
  – A simple design is cost-effective and reliable, etc.
• Acceptance and tolerance by personnel
  – Take care to avoid implementing controls that impose unreasonable constraints
  – Less intrusive controls are more acceptable
• Minimize human intervention
  – Reduce the possibility of errors and "exceptions" by reducing reliance on administrative staff to maintain the control
Countermeasure selection principles (cont.)
• Sustainability
• Reaction and recovery: a countermeasure, when activated, should:
  – Avoid destruction of the asset and stop further damage
  – Prevent disclosure of sensitive information through a covert channel
  – Maintain confidence in system security
  – Capture information about the attack and the attacker
• Override and fail-safe defaults
• Residual and reset
Basis and Origin of Ethics
• Religion, law, tradition, culture
• National interest
• Individual rights
• Enlightened self-interest
• Common good / common interest
• Professional ethics and practices
• Standards of good practice
Ethics
• Formal ethical theories
  – Teleology: ethics in terms of goals, purposes, or ends
  – Deontology: ethical behavior is duty
• Common ethical fallacies
  – Computers are a game
  – Law-abiding citizen
  – Gentlemanly conduct
  – Free information
  – Shatterproof
  – Candy-from-a-baby
  – Hackers
• Ethics is difficult to define; start with senior management
Professional codes of ethics
• Internet Activities Board (IAB): any activity is unethical and unacceptable that purposely:
  – Seeks to gain unauthorized access to Internet resources
  – Disrupts the intended use of the Internet
  – Wastes resources through such actions
  – Destroys the integrity of computer-based information
  – Compromises the privacy of users
  – Involves negligence in the conduct of Internet-wide experiments
• ACM and IEEE codes (look them up)
• (ISC)² code
  – Protect society, the commonwealth, and the infrastructure
  – Provide diligent and competent service to principals, etc.
• Auditors' codes
• Professional codes may have legal importance