
Overview: Information held in IT systems is increasingly a critical resource in enabling organizations to achieve their goals. Those who depend on that information expect:
- privacy, and protection from harm
- that the systems will perform their functions efficiently whilst exercising proper control over the information

Management's concerns about IT security:
- Dependence on IT systems: information systems that provide accurate services when and where they are required are key to the survival of most modern businesses.
- Exposure of IT systems: IT systems need a stable environment, and organizations rely upon the accuracy of the information their systems provide.
- Investment in IT systems: information systems are costly both to develop and to maintain, so management should protect this investment like any other valuable asset.

Balance in protecting IT assets. Protection should be:
- appropriate to the organization's business needs, yet comprehensive in its coverage
- justified to the extent that it reduces perceived risks to the level that management is willing to accept
- effective against actual threats

Objectives of IT security:
- Confidentiality: information is accessible only to those authorized to have access.
- Integrity: safeguarding the accuracy and completeness of information and of processing methods.
- Availability: ensuring that authorized users have access to information and associated assets when required.

IT Security Standards & Frameworks: ISO/IEC 17799:2005, COBIT (Control Objectives for Information and Related Technology), etc.

ISO/IEC 17799:2005 (renumbered ISO/IEC 27002:2005 in 2007, now part of the ISO/IEC 27000 family) covers:
1. Risk assessment and treatment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

COBIT (Control Objectives for Information and Related Technology). Newest at the time of these notes: COBIT 5 (since superseded by COBIT 2019); widely used: COBIT 4.1. Its components, as organized in COBIT 4.1:
- Framework
- Control Objectives
- Management Guidelines
- Maturity Models

IT Risk Analysis
Objective: identify the various ways in which the data, the information system, and the network that supports it are exposed to risk. It involves assessing the possibility that each of a wide range of threats will materialize. The end result is a security requirement for each type of threat that could affect the system.

Risk

Risk in IT is the combination of threat, vulnerability, and impact:
- Threat: an unwanted event that could remove, disable, damage, or destroy an IT asset.
- Vulnerability: a weakness that could be exploited by a threat.
- Impact: the consequences of a vulnerability in a system being exploited by a threat.

Risk Analysis & Risk Management

Risk analysis principles:
- Business modeling: determine which information systems support which business functions.
- Impact analysis: determine the sensitivity of key business functions to a breach of confidentiality, integrity or availability.
- Dependency analysis: determine the points of access to information systems, and the assets that must be in place, to deliver a service to a business function.
- Threat and vulnerability analysis: determine the points of weakness in the system configuration and the likelihood of events.

Components of IT Risk

Reviewing IT risks: IT risk analysis involves identifying the IT assets that are at risk and asking, for each of them:
- What types of threat do they face?
- What are the likely causes and the probable impact(s)?
- What is the likelihood of the threat succeeding?
- How would we know if the threat did succeed?
- What can we do to prevent the impact?
- What can we do to recover if the threat does succeed?

Risk Management
Involves the identification, selection, and implementation of countermeasures designed to reduce the identified levels of risk to acceptable levels. It is impossible to reduce all risks to zero; cost-effective risk management aims to bring residual risk down to a level that management is willing to accept, not to eliminate it.

Types of countermeasures:
- Reduce the threat
- Reduce the vulnerability
- Reduce the impact
- Detect an incident
- Recover from the impact

Risk Management Process (the seven-step risk mitigation sequence of NIST SP 800-30, 2002 edition):
1. Prioritize actions. Based on the risk levels presented in the risk assessment report, the implementation actions are prioritized.
2. Evaluate recommended control options. The technical feasibility and effectiveness of all identified controls should be evaluated so that the most appropriate control is chosen.
3. Conduct cost-benefit analysis. To allocate resources and implement cost-effective solutions, organizations should conduct a cost-benefit analysis for each proposed control.
4. Select control. On the basis of the results of the cost-benefit analysis, management selects the most cost-effective controls for reducing risk.
5. Assign responsibility. Responsibility should be assigned to in-house experts or an outside agency that has the appropriate skill set and expertise to implement the selected control.
6. Develop a safeguard implementation plan. The plan prioritizes the implementation actions and projects the start dates and the target completion dates.
7. Implement selected controls. The selected controls should be implemented so that the risks are brought down to within the acceptable levels.
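The risk components (threat, vulnerability, impact) and the prioritize / cost-benefit / select steps of the process, worked as a small risk register. This is an added example written for these notes, not code from the slides or from any standard: the 1-5 likelihood and impact scales, the high/medium/low banding, the register entries, the candidate controls, their assumed effect on likelihood and impact, and their costs are all constructed for illustration.

```python
"""Toy risk register for the risk-analysis and risk-management steps above.

Added example, not taken from the slides or any standard. The 1-5
likelihood/impact scales, the banding thresholds, the register entries,
the candidate controls and their costs are all constructed assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed banding of the 1..25 product; "low" is what management accepts here.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


@dataclass(frozen=True)
class Control:
    name: str
    kind: str          # one of the countermeasure types listed above
    addresses: str     # the threat this control applies to
    likelihood_cut: int
    impact_cut: int
    annual_cost: int


ACCEPTABLE = "low"


def residual(risk: Risk, control: Control) -> Risk:
    """Risk left once the control is in place (scales never drop below 1)."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - control.likelihood_cut),
                   impact=max(1, risk.impact - control.impact_cut))


def prioritize(register):
    """Step 1: highest scored risk first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def reduction(register, control) -> int:
    """Score removed from every not-yet-acceptable risk the control addresses."""
    return sum(r.score - residual(r, control).score
               for r in register
               if r.threat == control.addresses and r.level != ACCEPTABLE)


def cost_benefit(register, controls):
    """Step 3: rank controls by risk score removed per unit of annual cost."""
    rows = []
    for c in controls:
        gain = reduction(register, c)
        rows.append((c, gain, gain / c.annual_cost))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def select_controls(register, controls, budget):
    """Step 4: greedy selection by benefit/cost within budget.
    Returns (chosen control names, residual register, unspent budget,
    threats still above the acceptable level)."""
    current = list(register)
    chosen, remaining = [], budget
    for control, _, _ in cost_benefit(register, controls):
        if control.annual_cost > remaining or reduction(current, control) == 0:
            continue  # unaffordable, or its risks were already brought down
        chosen.append(control.name)
        remaining -= control.annual_cost
        current = [residual(r, control) if r.threat == control.addresses else r
                   for r in current]
    untreated = [r.threat for r in current if r.level != ACCEPTABLE]
    return chosen, current, remaining, untreated


# Constructed sample register and candidate controls.
REGISTER = [
    Risk("customer database", "data corruption in transmission",
         "no integrity check on batch transfers", likelihood=4, impact=4),
    Risk("order processing", "loss of ISDN line",
         "single telephone carrier", likelihood=3, impact=5),
    Risk("file server", "unauthorized access",
         "shared administrator password", likelihood=2, impact=4),
    Risk("laptops", "theft", "no disk encryption", likelihood=2, impact=2),
]

CONTROLS = [
    Control("integrity check on transfers", "reduce the vulnerability",
            "data corruption in transmission", likelihood_cut=3, impact_cut=0, annual_cost=2000),
    Control("second carrier", "reduce the impact",
            "loss of ISDN line", likelihood_cut=0, impact_cut=3, annual_cost=12000),
    Control("per-admin accounts with MFA", "reduce the vulnerability",
            "unauthorized access", likelihood_cut=1, impact_cut=2, annual_cost=3000),
    Control("network intrusion detection", "detect an incident",
            "unauthorized access", likelihood_cut=0, impact_cut=1, annual_cost=9000),
    Control("full-disk encryption", "reduce the impact",
            "theft", likelihood_cut=0, impact_cut=1, annual_cost=1500),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(r.score, r.level, r.asset, "-", r.threat)
    chosen, current, left, untreated = select_controls(REGISTER, CONTROLS, budget=10_000)
    print("chosen:", chosen, "| unspent:", left)
    print("still above acceptable (accept, or escalate for budget):", untreated)
```

With the constructed numbers and a budget of 10,000, the two controls that buy the most risk reduction per unit of cost are chosen, the laptop risk is left alone because it is already at the accepted level, and the ISDN-line risk stays high because the second carrier does not fit the budget: that is the point at which management either formally accepts the residual risk or funds the control, which is what "impossible to reduce all risks to zero" means in practice.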

Organization of Information Security: information security structure, security of third-party access, outsourcing.

1. Information Security Structure
The objective is to manage information security within the organization. A management framework should be established to initiate and control the implementation of information security within the organization. (Refer to the IS Management course.)

2. Security of Third-Party Access
The objective is to maintain the security of organizational information processing facilities accessed by third parties. Access to the organization's information processing facilities by third parties should be controlled.

3. Outsourcing
The objective is to maintain the security of information when responsibility for its processing is outsourced.

Types of Information Systems Assets:
- Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information
- Software assets: application software, system software, development tools and utilities
- Physical assets: computer equipment (processors, monitors, laptops, modems), communication equipment (routers, PABX, fax machines), magnetic media (tapes and disks)
- Services: computing and communication services, general utilities, e.g. heating, lighting, power, air-conditioning

Networking & Communication: New Threats and Risks

- Data loss: data may be deleted or lost in transmission.
- Data corruption: data errors can occur during transmission.
- System unavailability: network links may be easily damaged; the loss of a single hub can affect the processing ability of many users; communication lines often extend beyond the boundaries of the client's control, e.g. the client may rely on the local telephone company for ISDN lines.
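The data-loss and data-corruption threats above are detected at the receiving end with an integrity check over each transmitted record. The following is an added example, not code from the slides: it frames a record as a length prefix, the payload and an HMAC-SHA256 tag, and shows that a flipped bit in the payload or the tag, a truncated frame, and a tag computed under a different key are all rejected while an intact frame is accepted. The wire format, the key and the sample record are constructed for the demonstration. A keyed tag is used rather than a plain checksum because it also catches deliberate alteration by anyone who does not hold the key, which a CRC does not; detection alone gives no recovery, which needs retransmission.

```python
"""Detecting data loss and data corruption in transmission with a keyed
integrity tag. Added example, not from the slides. The wire format
(4-byte big-endian length, payload, 32-byte HMAC-SHA256 tag) and the key
are assumptions made for the demonstration."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
KEY = b"shared-link-key-for-demo-only"  # constructed; real keys come from key management


def frame(payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: length prefix + payload, followed by a tag over both."""
    header = struct.pack(">I", len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unframe(wire: bytes, key: bytes = KEY):
    """Receiver side. Returns (status, payload); payload is None unless status is 'ok'.
    'truncated' = fewer bytes arrived than announced (data loss),
    'corrupted' = bytes arrived but do not verify (data error or tampering)."""
    if len(wire) < 4 + TAG_LEN:
        return "truncated", None
    (length,) = struct.unpack(">I", wire[:4])
    if len(wire) < 4 + length + TAG_LEN:
        return "truncated", None  # bytes were lost after the header
    if len(wire) > 4 + length + TAG_LEN:
        return "corrupted", None  # extra bytes: stream and length field disagree
    body, tag = wire[:4 + length], wire[4 + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "corrupted", None
    return "ok", body[4:]


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a transmission error: invert one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo():
    """Run the receiver against an intact frame and several damaged copies."""
    record = b"TRANSFER 1500.00 FROM 1234 TO 9876"  # constructed sample record
    wire = frame(record)
    return {
        "intact": unframe(wire)[0],
        "bit flipped in payload": unframe(flip_bit(wire, 10))[0],
        "bit flipped in tag": unframe(flip_bit(wire, len(wire) - 5))[0],
        "wrong key": unframe(wire, key=b"not-the-shared-key")[0],
        "last 5 bytes lost": unframe(wire[:-5])[0],
        "header only": unframe(wire[:4])[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Note the one case the receiver cannot classify precisely: if the error hits the length field itself, the receiver only sees that the announced and actual lengths disagree, so it reports either truncation or corruption depending on which way the field changed. Both outcomes still reject the frame, which is what matters for integrity.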
