
Information Security Governance and Risk Management

- Confidentiality - prevent unauthorized disclosure of sensitive information (e.g. national defense)
- Integrity - prevent unauthorized modification of systems and information (e.g. banking)
- Availability - prevent disruption of service and productivity (e.g. e-commerce)

ISO/IEC 17799 and 27001 controls (exact copies)
- Security policy
- Organizing information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

Plan-Do-Check-Act (PDCA) model
- Security is an ongoing process and is never "achieved"
- Plan, implement, monitor and review, act

Due care and due diligence
- Due care - to do the right thing to protect assets (e.g. updating antivirus signatures); mnemonic: D C = do correct
- Due diligence - to investigate actual threats and risks (e.g. installing antivirus)

Approach to security management
- Top-down approach (the better approach) - security practices are directed and supported at the senior management level; advantage: budgets
- Bottom-up approach - the IT department tries to implement security

Planning horizon
- Operational goals - day-to-day goals that focus on productivity and task-oriented activities

- Tactical goals - mid-term goals that lay the necessary foundation to accomplish strategic goals
- Strategic goals - long-term goals supported by operational and tactical goals

Risk management process
- Risk identification
- Risk management
- Qualitative risk analysis
- Quantitative risk analysis

- Asset - any resource that is of value
- Vulnerability - a weakness in an asset
- Threat - potential danger to an asset, which would be carried out by a threat agent
- Loss - real or perceived devaluation of an asset
- Risk - likelihood of a threat agent exploiting a vulnerability
- Exposure - an instance of being exposed to compromise
- Event/exploit - an instance of loss experienced
- Control/measure - a safeguard put into place to mitigate potential losses

Purpose of risk assessment
- Identify what a company actually has and what its potential loss is for each and every threat recognized
- Ensure that a security program is cost-effective, relevant, and appropriate for the real risks it faces

Four main goals of a risk assessment
- Identify assets and their values
- Identify risks
- Quantify the impact of potential threats
- Provide an economic balance between the impact of the risk and the cost of the countermeasure

SP 800-30: Risk assessment activities (day 1, 1:21)
- Step 1 - System characterization. Input: hardware, software, system interfaces, data and information, people, system mission. Output: system boundary, system functions, system and data criticality, system and data sensitivity
- Step 2 - Threat identification. Input: history of system attacks, data from intelligence agencies. Output: threat statement
- Step 3 - Vulnerability identification. Input: reports from prior risk assessments, any audit comments, security requirements, security test results. Output: list of potential vulnerabilities

- Step 4 - Control analysis. Input: current controls
- Step 5 - Likelihood determination
- Step 6 - Impact analysis
- Step 7 - Risk determination
- Step 8 - Control recommendations
- Step 9 - Results documentation

Asset valuation
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to the owners
- Price others are willing to pay for the asset
- Liability if the asset is compromised
- Operational and productivity losses that will be suffered if the asset is unavailable
- Cost to replace the asset

Data classification process
- Value of data - identified during risk analysis; sensitivity and value of the information
- Organize according to sensitivity to loss or disclosure
- Decide on controls - data is segmented according to sensitivity level; each classification of data should have different security controls

Classification criteria
- Usefulness of data
- Value of data
- Age of data
- Level of damage that could be caused if the data were disclosed, modified, or corrupted
- Laws, regulations, or liability responsibility about protecting the data
- Effects the data has on national security
- Who should be accessing this data?
- Who should be maintaining this data?
- Who should be able to reproduce this data?
- What data would require labels and special marking?

Data classification procedure
- Identify the data owner (part of management)
- Identify the data custodian (technical person)
- Develop classification criteria based on CIA
- Define controls per classification
- Define and document exceptions
- Document how to transfer custody of the data

- Declassification procedures
- Security awareness program

Commercial classifications: Confidential, Private, Sensitive, Public
Military classifications: Top secret, Secret, Confidential, Sensitive but unclassified, Unclassified

Quantitative analysis
- Numeric and monetary value
- Management prefers quantitative

Qualitative analysis
- Subjective rating assigned; intuition
- Delphi method - allows you to assign ratings anonymously to prevent company culture from influencing them

Annualized loss expectancy (ALE)
- SLE = asset value (AV) x exposure factor (EF), e.g. building cost x amount of damage
- ALE = SLE x annualized rate of occurrence (ARO)

Qualitative risk analysis steps
- Develop risk scenarios
- Gather company subject matter experts
- Work through the scenario to determine the outcome
- Prioritize risks and threats to assets
- Build consensus for the best countermeasure

Types of risk: total risk vs residual risk
- Total risk - risk that exists before a countermeasure is put into place
- Residual risk - remaining risk after a countermeasure is put in place
- Residual risk calculation: threats + vulnerability = total risk; total risk - control gap = residual risk (the + sign simply means "in relation to")

Risk analysis team
- Representatives from each department should be on the team
- Identify company assets by interviewing individuals, reviewing documentation, and tours
- Identified assets must have values assigned to them
- Many things go into estimating the value of an asset, not just paper value
- ***Ensure business managers maintain accountability for their decisions***

Threat sources
- Easily identified: fires, hackers, intruders
- Not easily identified: software flaw (buffer overflow), employee fraud
- Potential loss; delayed loss

Possible threats
- Availability: disaster, failure of components, DoS attacks
- Integrity: changing accounting records or system logs, disabling the alert mechanism in an IDS, modifying config files
- Confidentiality: shoulder surfing, social engineering, interception of a message

Mitigation options
- Reduce - avoidance, limitation, research and acknowledgment
- Transfer
- Accept - when the cost to protect is more than the asset value
- Reject - ignorance or neglect

Cost-benefit analysis formula
- ALE (before countermeasure) - ALE (after countermeasure) - annual cost of countermeasure = value of the countermeasure to the company

Strategy
Control implementation
Control categories
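The SLE/ALE formulas and the cost-benefit formula above, carried through on constructed figures so the "accept" option can be seen falling out of the arithmetic. This is an added example, not part of the original notes; the asset value, exposure factor, rate of occurrence and the two candidate countermeasures are assumed values.

```python
"""ALE and cost-benefit calculation (added example; all figures are constructed)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset value lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of events per year (0.1 = once a decade)."""
    return sle * aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor once the control is in place (assumed)
    aro_after: float  # rate of occurrence once the control is in place (assumed)


def countermeasure_value(asset_value: float, ef: float, aro: float, cm: Countermeasure) -> float:
    """ALE(before) - ALE(after) - annual cost = value of the countermeasure to the company."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, cm.ef_after), cm.aro_after)
    return ale_before - ale_after - cm.annual_cost


def choose_option(asset_value: float, ef: float, aro: float, candidates: list) -> tuple:
    """Pick the highest-value countermeasure; if none pays for itself, the
    mitigation option is to accept the risk (cost to protect exceeds the benefit)."""
    best = ("accept", 0.0)
    for cm in candidates:
        value = countermeasure_value(asset_value, ef, aro, cm)
        if value > best[1]:
            best = (cm.name, value)
    return best


# Constructed scenario: a data centre valued at 500,000; a fire destroys 40% of it,
# expected once every ten years (ARO 0.1). SLE = 200,000, ALE = 20,000.
ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 500_000.0, 0.4, 0.1
CANDIDATES = [
    Countermeasure("sprinklers", annual_cost=5_000.0, ef_after=0.1, aro_after=0.1),
    Countermeasure("gas suppression", annual_cost=25_000.0, ef_after=0.02, aro_after=0.1),
]

if __name__ == "__main__":
    for cm in CANDIDATES:
        print(f"{cm.name}: value {countermeasure_value(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, cm):,.0f}")
    print("decision:", choose_option(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES))
```

With these figures the sprinklers are worth 10,000 a year to the company while the gas system costs 6,000 more than it saves, so on its own it would be rejected in favour of accepting the risk.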

Policies
- Standards - binding. Compulsory rules that dictate how hardware and software are to be used and the expected behavior of employees
- Baselines - binding. Minimum level of security that is required throughout the organization
- Procedures - binding. Detailed step-by-step actions to be taken to achieve a specific task
- Guidelines - non-binding. Recommended actions and operational guides for users and staff members where standards do not apply

Roles and responsibilities
- Executive management - assigned overall responsibility for the security of information
- Information systems security professionals - responsible for the design, implementation, management, and review of the organization's security policies
- Data owners - responsible for determining classification levels of the data as well as maintaining the accuracy and integrity of the data
- Process owners or system owners - responsible for ensuring that appropriate security, consistent with the organization's security policy, is embedded in their information systems
- Technology providers or third-party providers - responsible for assisting with the implementation of information security
- Users - responsible for following the procedures set out in the organization's security policy
- IT system auditor - providing independent assurance to management on the appropriateness of the security objectives; deciding whether the security policies are appropriate and comply with the organization's security objectives

Employee management policies
- Termination procedures: the first step is to inform all other departments that an employee is no longer to be trusted; the second step is to disable or delete accounts
