
6/03/2014

1
Introduction to
SIT763 IT Security
Management
Welcome
Welcome to the SIT763 - IT Security Management
One of the units in the MIT for students who want to specialise in the
computer security stream.
Addresses the broader challenge of information security management in
an organisation.
Covers most components of the body of knowledge for IT Security
certifications;
This is not a unit specifically about security technology and you will
not, for instance, learn how to configure a firewall as part of the core
teaching.
You will carry out some independent research into an issue in
information security management, analysing and evaluating the
results of your research for presentation in report and class.
I hope that you enjoy studying this unit.
Information Security Careers
IT Security is one of the most well paid careers in the market. Some of
IT Security careers are:
1. Computer Crime Investigator
2. Malware Analyst
3. Information Security Analyst
4. Forensic Analyst
5. Network Security Engineer
6. Incident Responder
7. Chief Information Security Officer
8. IT Security Architect
9. IT Forensics Expert
10. System, Network and Web Penetration Tester
Many organisations seek professional certification so that they can
more easily identify the proficiency of job applicants. Examples:
CISSP, SSCP, GIAC, SCP, Security+, CISM
Learning Objectives
Analyse information security management issues using critical thinking
and problem solving techniques;
Apply organisational planning and project management principles to IT
security program design and development;
Analyse requirements and design of contingency plans and IT security
policies;
Identify, select and implement appropriate information security controls;
Perform risk assessment and management using various strategies;
Identify and apply ethics, legal and regulatory requirements to IT
security management.
UNIT LEARNING RESOURCES
Textbook
Management of Information Security, by Whitman,
Michael E., Mattord, Herbert J., Publisher: Course
Technology, ISBN: 1423901304
Please refer to the table in the Teaching Roadmap
section in the unit guide for the instructing schedule.
You should read the relevant chapters before the lecture
in which it is covered.
Teaching Team Details
My role Unit Chair and Lecturer
About me
Full Professor;
Developed the unit & have been teaching it for years;
Serve as the IT Security Stream Director
Active researcher in the field. For more about me, visit my home
page: http://www.deakin.edu.au/~jemal
Contact Details & Consultation Times
Monday: 11:00PM - 12:00PM
Phone: 03 522 71376 (Geelong campus)
Email: jemal@deakin.edu.au (most preferred)
Students will on average spend 150 hours over the trimester
undertaking the teaching, learning and assessment activities
for this unit.
This will include 3 face-to-face contact hours per week (1 x 1-
hour lecture and 1 x 2-hour tutorial) and online problem-
based exercises.
All students are expected to do the weekly practicals.
For on-campus students, attendance at their allocated
sessions each week is considered part of the unit
requirements and is therefore compulsory.
Student Commitment
Assessment Submission
You must upload the correct file in the correct format through
CloudDeakin by the due date. It is recommended that you submit
your assignment well before the submission deadline.
Any submission beyond the deadline, be it one second, one minute,
one hour or one day, will receive the appropriate late penalty. The
time CloudDeakin records will be used as the exact time a file is
submitted.
An assignment is only considered submitted if it is in CloudDeakin
dropbox.
Resubmission after the assignment deadline will NOT be accepted.
Absolutely NO email submission will be accepted.
Assessment Submission
Failure to ensure the following will result in a zero
mark for that assessment piece. It is your responsibility
to:
ensure that the correct and final version of your assignment
has been submitted to CloudDeakin by the deadline.
verify that the correct file in the correct format was
successfully submitted to CloudDeakin on the due date.
check (using Turnitin) the originality of the content of your
submission.
Online Discussion Forum
I will moderate the discussion forum to ensure that it is
appropriately used.
It is not a venue to post questions to the lecturer.
If you have any questions you expect the lecturer to
respond to, please do send me email or come and see
me during consultation times.
I do not endorse postings made by other students. Ensure
you check directly with me if you are unsure about any
aspect of the unit content.
Communication with Lecturer
Email Communication must adhere to the following:
I will respond to emails received on week days during working hours
within 48 hours.
Include the unit code in the subject line;
Include a meaningful subject description;
Include your full name and student number;
Provide sufficient details in the body of the message to allow
staff to respond in context;
Ensure your reply-to address is correct.
Plagiarism and Collusion Policies
The University's definitions of plagiarism and collusion are as follows:
Plagiarism occurs when a student passes off as the student's own work, or copies
without acknowledgment of its authorship, the work of any other person.
Collusion occurs when a student obtains the agreement of another person for a
fraudulent purpose with the intent of obtaining an advantage in submitting an
assignment or other work.
Penalties - you should note that the University views plagiarism/collusion very
seriously and may impose serious penalties that include a reprimand, a fine,
allocation of a zero mark, or suspension/exclusion of the student for a minimum of one
year.
If you have any doubt as to what constitutes authorised or unauthorized
collaboration, consult with your lecturer.
The University policy of plagiarism and collusion is available:
http://theguide.deakin.edu.au/
End of Lecture
Questions?
8/03/2014
1
Lecture 1:
IT Security
Fundamentals
Lecture Objectives
The topics covered in this lecture are found in chapter 1 and
chapter 2 of the textbook.
After completing this session, you should :
understand the need for information security management;
describe IT security management and its main objectives;
explain the critical characteristics of information security;
realise the different types of information security controls
and how they complement each other.
Background
Phenomenal advances in information and communication
technology (ICT):
Advances in hardware - Hardware continues to become smaller,
faster, cheaper, and more portable, with greater storage capacity.
Software state - Today's software is very large, complex,
interconnected and exposed as Web services.
Advances in networks - Wired and wireless technology have
simplified connectivity to computer systems.
Highly mobile and interconnected any-time, any-where systems.
IT Power and Ubiquity
Information technology is often a critical asset that supports the
mission of an organisation.
IT supports businesses (e.g. financial institutions, enterprises,
healthcare) and government mission.
Critical infrastructure systems (e.g., electricity) rely on IT
Individuals use it for communication, paying utility bills,
conducting banking, brokerage transactions, purchase or order
over the internet.
Information technology is also used by criminals for illicit
activities.
Malicious software - Malware continues to increase in volume
and frequency, as well as becoming more sophisticated in its
functionality.
Number of hackers rising - The computing skills necessary to be a hacker
are decreasing.
Cybercrime is professionalised - organised by very clever and
technical experts.
Cyber Security Rising
Storing sensitive information on an unprotected shared
drives.
Lax password security management practices
Inadequate, out-dated or non-existent countermeasures;
Updates to security software are not applied quickly enough
to protect networks.
Insufficient employee awareness, training, & education.
Poor Security Culture
Example of individual risky behaviours and activities that
put corporate and personal data at risk:
Transferring files between work and personal
computers when working from home.
Share passwords with co-workers.
Increased use of personal devices in workplaces.
Risky Behaviours and Activities
IT Governance Strategy Gaps
Misconception - Too much concentration on technology-oriented
security solutions (note that 80% of unplanned
downtime is due to people and processes).
Misalignment - Security measures not aligned with business
strategy;
Miscommunication - The existence of a communication gap
between senior management and IT security professionals.
Misunderstanding - Security as an enabler of business.
Information security is often a management problem, not a
technical one.
Management is the process of achieving objectives using a
given set of resources.
The information security manager is responsible for
establishing and maintaining a security program.
Each security program must be managed as a project even if
the program is perpetually on-going.
IT Security Management
IT Security Management
IT security management is defined as:
a process that examines and then mitigates the risks that arise from an
organisation's day-to-day activities, with the aims of maintaining a
competitive posture, safeguarding reputation, reducing the cost and
increasing the effectiveness of compliance by protecting the organisation
and its assets so that it meets its mission successfully.
The role of security is not only asset protection but also
strategic business enabler.
The information security profession is the intersection of people,
process, technology, and business.
Broad IT Security Areas
IT security management includes the broad areas of information
security:
Physical security
Operations security (e.g., Awareness and Training, Incident Response)
Network security
Communications security
Personnel security
A successful organisation should have multiple layers of security in place.
Give some examples of individual risky behaviours and
activities that put corporate and personal data at risk:
__________________________________
____________________________________
List and explain some of the security factors responsible for
security lapses:
__________________________________
____________________________________
Explain why the number of IT security incidents continues
to climb each year.
Questions
IT Security Key Concepts
Confidentiality
Integrity
Availability
Privacy
Identification
Authentication
Authorisation
Accountability
Login information is an example of authentication.
Password is an example of authorisation.
Confidentiality ensures that information will be used
only for the purpose stated by the data owner and
in the ways known to the person providing it.
Questions: True or False
Threat - an entity (internal or external) that represents a
constant danger to an asset.
Vulnerability - a flaw or weakness in the system defence.
Exploit - a technique used to compromise a system.
Attack - a deliberate act by threat agents to compromise
(damage, destroy, steal, etc.) an organisation's assets. An
attack can be technical or non-technical.
Control - countermeasures for handling vulnerabilities.
IT Security Key Concepts
Answer True or False
Malicious code (viruses, worms and Trojan horses) is an
example of vulnerability.
Insufficient employee training is an example of threat.
Firewall configuration errors are an example of vulnerability.
An attack can be technical (perpetrated by circumventing or
nullifying hardware and software protection mechanisms) or
non-technical (performed by means of deception).
Denial of service is an example of vulnerability.
Phishing is an example of attack.
IT Security Controls
Three classes of controls:
Managerial - focus on the management of the IT security program and the
management of risk within the organisation.
Operational - focus on security solutions that are mainly implemented and
executed by people.
Technical - focus on hardware/software security solutions that provide
automated protection from unauthorised access or misuse.
There are interrelationships among controls, and some controls cross
the boundaries between management, operational, and technical.
Controls are implemented in terms of technology, processes, and
people.
Describe the main objectives of information security
management.
Explain the characteristics that differentiate information
security management from the general management.
Discuss contributing factors for the exponential increase of
the breadth and sophistication of IT threat vectors.
Explain the critical characteristics of information security;
Discuss the different types of information security controls
and how they complement each other.
Homework Questions
The number and complexity of threats to organisations are
increasing constantly.
Information security management implements the right
security controls to eliminate or minimise the deliberate acts
by threat agents that exploit system vulnerabilities to
perpetrate an attack and compromise the confidentiality,
integrity and availability of an organisation's assets.
Lecture Summary
End of Lecture
Questions?
I hope that you enjoy studying this unit.
17/03/2014
1
Lecture 2: Planning for
Information Security
"All men can see these tactics whereby I
conquer, but what none can see is the
strategy out of which victory is evolved." --
Sun Tzu
Lecture Objectives
This lecture focuses on the role of planning as a function of
management.
The topics covered in this lecture are from Chapter 2 of the
textbook.
Upon completion of this session, you should be able to:
Recognise the importance of planning in information security
management
Describe the principal components of organizational planning.
Background
IT security is most effective and efficient if planned and
managed properly.
An effective information security professional should
understand the concept of organisational planning; and
know how the organisational planning process works
Knowing how the general organisational planning process
works helps in the information security planning process.
The importance of developing information security plans
cannot be overestimated.
Planning Fundamentals
Planning is the process that develops, creates, and
implements strategies for attaining business objectives of an
organisation.
Managers use planning to develop and implement strategic
action steps aimed at reaching an organisational goal.
Planning involves everyone in an organisation, albeit at different
levels and stages.
Writing IT Security Plan
Demonstrates due diligence!
Adapts to technology
Depends on our policy
Directives for staff action
Builds on the recent risk assessment
Will justify our security budget
Planning Types
Organisational planning - gives a panoramic view of the
organisation's mission, vision and values (this lecture focuses on
this type).
Contingency planning - getting an organisation that has
experienced a security incident back on its feet quickly with minimum
loss.
Risk management planning - allows organisations to assess
risks to their assets and select appropriate and cost-effective
safeguards.
Foundation of Organisational Planning
The three core elements of organisational planning are:
Mission - typically one sentence; describes why the
organization is in business and what it wants to accomplish.
Vision - typically one sentence; expresses ambitiously what
the organisation wants to become.
Values - typically one sentence; establishes organisational
principles and makes the organisation's conduct standards clear.
Organisations articulate their mission, vision and values by
way of formal statements.
Formal Statements
An example of a mission statement is:
We provide consistently reliable, banner-free and affordable web hosting
services to small businesses with technical support and automatic
measurable results.
An example of a vision statement is:
Our vision is to provide outstanding services and to become a market leader
as a one-stop total solution to small businesses worldwide.
An example of a value statement is:
Our value is to be a professional web service provider maintaining the
highest standards of professional integrity.
Analysis of Mission Statement
An example of a mission statement is:
We provide consistently reliable, banner-free and affordable web hosting
services to small businesses with technical support and automatic
measurable results.
Analysis of the mission statement
Focuses on both customer (i.e., small businesses) and service (i.e., web
hosting);
States why the service meets the customer needs (i.e., banner-free &
affordable);
States benefits to the customer (i.e., reliable, technical support and measurable
results in terms of sales and inquiries);
Differentiates the organisation from its competition in terms of innovations and
capabilities (automatic measurable results in terms of sales and inquiries).
Class Discussion
Analyse the following mission statement
ABC strives to provide the best and most comprehensive Internet
solution for your Internet and website needs.
Analysis of the mission statement
Who is the specific customer of ABC?: _______________________;
What is the product or service provided?: ________________________;
Why does the service meet the needs of the customer?: ________________;
What are the benefits to the customer?: _____________________.
Does it distinguish the organisation from competitors?: ____________.
Elements of Planning
To develop a strategic plan for IT security, you need to
understand the following critical concepts:
Goals
Objectives
Strategy
Tactics
Remember
Goals and objectives must work in tandem
Strategy and tactics help to efficiently achieve goals; they must
work in tandem as well.
Constraints
Metrics
Review & monitor
Goals
A goal is a desired future state that the organisation attempts to
realise. Examples:
To keep hackers out and monitor internal users.
To counter specified threats.
To satisfy specified organisational security policies or assumptions.
To raise employee awareness about phishing risks.
Goals have to be well-articulated, realistic and in line with the
mission of the organisation and the resources at your disposal.
Often, achieving a goal will require several specific objectives to
be met.
Objectives
Objectives - describe what needs to be done to achieve a defined goal.
Business objectives give the organisation a clearly defined target to
achieve (e.g., to increase the client base of the web hosting service by 3% yearly).
Security objectives - a key element of the information security function,
defined in terms of the business objectives (e.g., to save $80,000 in
security breach costs every year).
Objectives are more specific than goals and
should be very clear, measurable, attainable and realistic, and
have milestones (i.e., a defined completion date).
They should be aligned with the business objectives.
Example
Goal - to educate all employees to where they are fully versed in
phishing attacks.
Objectives - to develop and present an introduction-to-phishing-types
briefing every six months to the existing employees to increase
their knowledge of the attack.
Analysis
Very clear about: __________ Attainable :___________________
Measurable: ______________ Realistic:______________________
Time bound: _______________
Should be aligned with the business objectives:_______________
Strategy
Strategy is a specific approach to achieving the stated
objectives.
Strategy involves thinking and planning
Strategy lays out the goals that need to be
accomplished and the ideas for achieving those goals.
It is long term and may change infrequently.
Strategies must be revised periodically to accommodate
changes in the business direction and in the
constraining factors
Tactics
Tactics refer specifically to the actions for implementing the strategies.
Tactics have the following characteristics:
Short-term, flexible to specific conditions.
Actionable
Measurable
Aligned to business strategy
Example
Strategy - Improve market share of a firewall brand
through various brand building activities within this year.
Tactics
on-line advertising
Offer lower cost solutions than the competitors
______________________
______________________
Elements of Planning
Constraints - internal and external barriers that act as a hindrance;
Example: Political or economic situation
Metrics - a means to measure the success of the stated
objectives.
Example: 100% collection of all server logs at the end of the
year.
Review & monitor - To ensure implementation of the plan and
update it in response to changes that may occur.
Class Discussion
Goals are as concrete as objectives. (T/ F)
For each goal which you want to proceed with, you will need
to ask "What specific objectives must be undertaken to
achieve this goal?" (T/ F)
If you have strategy without tactics you have big thinkers and
no action. (T/ F)
Strategy, as opposed to a tactic, is a specific approach
without tangible results on its own (T/ F)
If you have tactics without strategy, you have disorder. (T/ F)
What is the difference between a strategy and a tactic?
Planning Level
Three levels of control: strategic (purpose), tactical
(mechanisms), and operational (operations support).
Strategic Planning -> Tactical Planning -> Operational Planning
Planning Levels
Strategic Planning
General in nature and established at the highest level;
Serves to focus the organisation's mission and sharpen operational
effectiveness;
Identifies the goals & objectives by which the organisation continually
assesses its performance to monitor its strategic progress and program
success;
Enables organisations to define their long-term direction and ensure that
various tactical and operational functions work consistently toward
harmonised goals;
Includes mission statement, vision statement, values statement &
strategy.
Tactical Planning
Developed by mid-level managers
Derived from the strategic plan and helps to meet the objectives articulated
in the strategic plan.
Designed with the tactics needed to achieve the goals defined in the strategic
plan.
Much more detailed than the strategic plan.
Breaks applicable strategic goals into a series of incremental objectives
with specific delivery date, budget, resource allocation and personnel.
Deals with short-term (about a year) activities to achieve the objectives of
strategic plan. For example, a tactical plan might include how the security
department will handle software patches for the immediate future
Operational Planning
The process of linking strategic goals and objectives to tactical
goals and objectives;
Developed by frontline, or lower-level, managers.
Lower level plan that specify action steps for achieving operational
goals.
A short-term, highly detailed plan derived from the tactical plan to achieve
tactical objectives.
Operational goals - Specific, measurable results expected from departments,
work groups, and individuals.
Used by managers and employees to organise the on-going, day-to-day
performance of tasks
Planning Structure
An organisation develops a general enterprise strategy (i.e., strategic
planning usually starts at the upper management level).
Specific strategic plans for major divisions (e.g., IT Division) are derived
from the general plan.
Each division translates those objectives into more specific objectives for
the level below (e.g., Information Security)
Information Security Governance
Information Security Governance (ISG) is a subset discipline of
Corporate Governance with specific attention to information security.
Governance is the set of responsibilities and practices exercised by the
board and executive management with the goal of:
Providing strategic direction
Establishing objectives
Measuring progress toward those objectives
Verifying that risk management practices are appropriate
Validating that the organization's assets are used properly
Inculcating a culture that recognizes the importance of information security
Information Security Governance
Governance is directly tied to the strategy and direction of the
business.
Answer True or False
Organisations should use technology in accordance with
the business's objectives.
Organisations should approach information security as a
business strategy.
IT security strategies that do not focus on and align with
organisational objectives are ineffective in the long run
Strategic planning is a never-ending process
Strategic plans serve as a framework for lower-level
planning.
Lecture Summary
1. Vision leads to
2. Mission, which enables us to create
3. Strategy, which provides guidelines for
4. Goals & tactics, to be implemented, and
5. Metrics, which measure efficiency.
Three main types of plans a manager uses in pursuit of
company goals: strategic, tactical, and operational.
IT security plan is designed to protect information and
critical resources from a wide range of threats.
Without an IT security plan:
The security function is always going to remain
something which lacks real substance in the eyes of
the other functions.
Reacting to every little thing that bumps in the night.
Lurching from challenge to challenge, from crisis to
crisis.
Homework Questions
Explain the importance of planning and describe the principal
components of organisational planning;
Describe basic elements and core principles of information
security strategic planning;
Describe the categories and types of information security
related plans and the steps involved in developing each.
Describe the process of establishing information security
governance.
What do we mean by vision?
What is the purpose of a vision statement?
What are the properties of a good vision statement?
End of Lecture
Questions?
18/03/2014
1
Lecture 3:
Information Security
Incident Response
Planning
"You got to be careful if you do not know
where you are going, because you might
not get there." --- Yogi Berra
Lecture Objectives
This lecture covers topics in Chapter 3 of the textbook.
Upon completion of this lecture, you should be able to:
Develop an understanding of the importance of proper IT security
incident handling.
Develop an understanding of a high-level overview of the key
issues and decisions that must be addressed in establishing an
incident response plan.
Understand the steps taken during an incident response plan.
Create a simple set of incident response plans.
Background
Many organisations face hundreds or thousands of attacks on
a daily basis and it's only a matter of time until an organisation
will suffer an IT security incident.
Many organisations learn how to respond to security incidents
only after suffering attacks (they are reactive). WHY?
For organisations that do have a response plan, the plan is often out
of date, inaccessible to key decision makers, generic, unhelpful
for guiding specific activities, or some combination of the
above.
Fire Incident Management Workflow
[Figure: fire incident management workflow, showing the fire brigade's response as an analogy]
IT Security Incident Types
Definition - An IT security incident is any adverse event whereby
some aspect of information security could be threatened.
An information security incident includes, but is not limited to:
attempts (either failed or successful) to gain unauthorised access to
a system or its data
unwanted disruption or denial of service
unauthorised use of a system for the processing or storage of data
changes to system hardware, firmware, or software characteristics
without the owner's knowledge, instruction, or consent
unauthorised disclosure of regulated or confidential information
Why Incident Response Plan?
Costs and overall time for remediation - organisations that
do not have an effective, up-to-date and periodically tested
incident response plan in place tend to:
react in a disorganised manner with little efficiency;
experience a higher cost per incident;
on average take longer to respond to security incidents.
Compliance laws and regulations requiring an IRP. For
example, the Payment Card Industry Data Security Standard
(PCI DSS) requires businesses that store or process credit
card information to have an IRP in place and test it annually.
Incident Response Plan Objectives
The goal of the incident response plan is to minimise
damage to the organisation and its customers through:
Quickly detect and confirm incidents.
Minimise the number & severity of security incidents.
Contain the damage and minimise risks.
Quickly restore the affected systems.
Ensure related evidence is preserved.
Ensure appropriate disciplinary or legal action is taken.
Developing Incident Response Plan
[Figure: the three building blocks of an incident response plan: IT Security Incidents, Incident Response Team, Drills]
Incident Response Team
The IRT is the focal point with authority for dealing with any IT
security incidents. Members must include representatives from
a variety of stakeholders:
Public Relations
Human Resources
IT Department
Purchase Department
Incident Response Plan
For each incident, you should prepare the steps to be
performed:
Before Incident
Procedures that must be performed in advance of the incident.
An example is "Do not download free games from the Internet".
After Incident
Procedures that must be performed immediately after the
incident has ceased.
An example is "Scan each PC thoroughly for any remaining
viruses".
During Incident
Procedures that must be performed during the incident.
Example: "Temporarily disconnect the server from the Internet".
Security Incident Reporting
All members of the organisation are responsible for promptly
reporting suspected or known IT security incidents.
Reports must be documented to
enable proper staff allocation,
improve/enable problem management,
empower management to create better decisions and
help build a useful knowledge database.
IID  Reporter  Description      Date and Time       Handler  Real  Status
1    Aaron     Malicious Code   7/03/2014 3:38PM    Smith    No    Done
n    John      Phishing attack  19/03/2014 3:38PM   Sara     Yes   Open
IT Security Incident Assessment
Take steps to determine whether you are dealing with an
actual incident or a false positive.
When a threat becomes a valid attack, it is classified as an
information security incident if:
It is directed against information asset
It has a realistic chance of success
It threatens the confidentiality, integrity or availability of
information asset.
Class Discussion
Incident response plan is a reactive measure, not a
preventative one (why?)
Example of Incidents
Integrity compromise - when a virus infects a program or
the discovery of a serious system vulnerability.
----------------------------------------------------------------------
---------------------------------------------------------------------
Why is incident categorisation important?
IT Security Incident Classification
Incidents are prioritised and categorised, to determine the
appropriate response, based on:
Incident severity
A subjective measure of IT security impacts.
It determines the priority for handling the incident, who manages
the incident, and the timing and extent of the response.
Attack vectors
The process of organising the incidents into classes or categories.
Provides the ability to track similar incidents
IT Security Incident Attack Vectors
Examples of incident categories are shown below. Note that several
categories may apply to a single incident.
Certain types of incident may require you to report to law enforcement, but
often when such an opportunity arises no-one knows exactly how to do it.
Category  Name            Description                                              Law
CAT1      Web             Incidents that exploit web vulnerabilities               YES
CAT2      Email           Incidents that exploit email vulnerabilities             NO
CAT3      Impersonation   Malicious software (e.g., virus, worm, Trojan horse, or  YES
                          other code-based malicious entity).
. . .
CATN      Improper Usage  A person violates acceptable computing use policies.     No
Incident Severity Level
Incidents should usually be grouped into a few
different severity levels, with broad sets of criteria
for each level. For example:
Priority 1 (Disaster)
Priority 2 (Total loss of critical services)
Priority 3 (Interruption of critical systems and
severe degradation)
Priority 4 (Interruption of non-critical systems)
Priority 5 (Localized incident with minimal impact)
Prioritising incidents
Three impact-based criteria are used to prioritise an incident:
Functional impact describes how the incident affects the business
functions that depend on the affected system; categorised as none, low,
medium or high.
Information impact describes the sensitivity of the information
exposed or altered during the incident; categorised as none,
confidentiality breach, privacy breach, proprietary breach or integrity
breach.
Recoverability impact describes the resources needed to recover
from the incident; categorised as regular, supplemented,
extended or not recoverable.
Incident Level of Priority
Incident priority can be read off an
Impact/Urgency matrix: each (impact, urgency)
cell holds a priority level.
Impact - how critical the downtime is for the
business.
Urgency - how quickly a resolution is required;
usually defined in the SLA for the specific IT
service. If more than one service is impacted,
the parameters of the service with the higher
urgency are used.
The necessary resources are assigned
to resolve the incident based on its
priority.
Figure: most commonly used priority
matrix
Figure: example resolution times by
incident priority
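Worked example (added here; not code from the lecture or the textbook) of the triage scheme above in Python: the Impact/Urgency matrix is encoded as a lookup, the "higher urgency wins when several services are affected" rule is applied, and the resolution target is checked against the clock. The matrix values, the resolution targets, the level names and the two sample incidents are assumptions.

```python
"""Incident priority from an Impact/Urgency matrix, with SLA deadline checks.
Added example for this lecture; the matrix values and resolution targets are
assumptions, not figures taken from the slide."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LEVELS = ("High", "Medium", "Low")          # index 0 is the most severe

# Assumed 3x3 matrix: key = (impact, urgency), value = priority (1 = handle first).
PRIORITY_MATRIX = {
    ("High", "High"): 1,   ("High", "Medium"): 2,   ("High", "Low"): 3,
    ("Medium", "High"): 2, ("Medium", "Medium"): 3, ("Medium", "Low"): 4,
    ("Low", "High"): 3,    ("Low", "Medium"): 4,    ("Low", "Low"): 5,
}

# Assumed resolution targets per priority, in hours (real values come from the SLA).
RESOLUTION_TARGET_HOURS = {1: 1, 2: 4, 3: 8, 4: 24, 5: 72}


@dataclass
class AffectedService:
    name: str
    urgency: str            # urgency level written into this service's SLA


@dataclass
class Incident:
    ident: str
    opened_at: datetime
    impact: str             # how critical the downtime is for the business
    services: list = field(default_factory=list)


def severity_rank(level):
    """Lower rank = more severe. Rejects levels outside the matrix."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def effective_urgency(incident):
    """If more than one service is impacted, the higher urgency is taken into account."""
    if not incident.services:
        raise ValueError(f"{incident.ident}: at least one affected service is required")
    return min((s.urgency for s in incident.services), key=severity_rank)


def priority(incident):
    severity_rank(incident.impact)                  # validate the impact level
    return PRIORITY_MATRIX[(incident.impact, effective_urgency(incident))]


def hours_remaining(incident, now):
    """Hours left until the resolution target is breached (negative once overdue)."""
    deadline = incident.opened_at + timedelta(hours=RESOLUTION_TARGET_HOURS[priority(incident)])
    return (deadline - now).total_seconds() / 3600.0


def triage_order(incidents):
    """Work queue: highest priority first, then the oldest incident first."""
    return sorted(incidents, key=lambda inc: (priority(inc), inc.opened_at))


# Constructed sample: two incidents opened on the morning of the lecture date.
SAMPLE_T0 = datetime(2014, 3, 18, 9, 0)


def at_hours(hours):
    """Clock time `hours` after SAMPLE_T0 (helper for the worked example)."""
    return SAMPLE_T0 + timedelta(hours=hours)


def sample_incidents():
    web_outage = Incident("INC-1", SAMPLE_T0, "Medium", [
        AffectedService("public web shop", "Low"),
        AffectedService("card payment gateway", "High"),   # drives the urgency
    ])
    wiki_slow = Incident("INC-2", at_hours(-1), "Low", [AffectedService("intranet wiki", "Low")])
    return [wiki_slow, web_outage]


if __name__ == "__main__":
    for inc in triage_order(sample_incidents()):
        print(inc.ident, "P%d" % priority(inc), "hours left:", hours_remaining(inc, at_hours(2)))
```

The web-shop incident is only Medium impact, but because one of the affected services (the payment gateway) carries High urgency in its SLA, it lands at priority 2 with a four-hour target; the wiki problem is priority 5 and sorts behind it even though it was opened earlier.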
Class Discussion
Suppose you have discovered that a hacker has compromised
one of your web servers. Would you contain the damage and
recover as quickly as possible, or watch the attacker and
learn?
If you decide to contain the damage and recover as quickly as
possible, discuss why.
If you decide to watch the attacker and learn, discuss why.
Class Discussion
Why should incidents usually be grouped into a few different
severity levels?
True or False
All staff members and to some degree, all members of an
organization should be instructed on how to report an incident
that has occurred.
Different criteria can be used to define different incident
severity levels.
Practice Makes Perfect
Periodic drills are used to check that the plan is valid and can
be executed satisfactorily.
Examples of exercise approaches
Tabletop - the IRP team and its executive/senior management meet
in a conference room to walk through several mock scenarios,
such as a malware infestation, and determine what knowledge and/or
process gaps exist in the plan and the IRP team.
Simulation - tests the team's ability to identify, respond to and
remediate an internal incident in an environment that mimics the
real production environment as closely as possible.
Incident Management Workflow
Feedback loop is
Homework
What are the goals of an incident response plan?
Discuss the importance of establishing well-defined policies and
procedures for incident management processes.
Explain incident management activities, including the types of
activities and interactions that an IRT may perform.
Explain the various processes involved in detecting, analysing and
responding to security incidents.
What are the key components needed for protecting and
sustaining IRT operations?
Explain how to evaluate the effectiveness of an existing IT security
incident response process.
Lecture Summary
An incident response plan is a crucial component of a
contingency plan.
Having specific controls in place and a plan of action for
responding to attacks or incidents can greatly reduce the
resultant costs to an organisation.
Implementing an incident response plan helps:
To streamline incident detection capabilities,
To contain the impact of incidents to minimise loss and
destruction,
To reduce the scope of weaknesses, and
To restore services within the parameters of the organisation.
End of Lecture
Questions?
27/03/2014
1
Lecture 4:
Information Security
Disaster Recovery Planning
Planning for the Inevitable
Lecture Objectives
This lecture covers topics in Chapter 3 of the textbook
Upon completion of this lecture, you should be able to:
Explain the potential impacts of disasters and the underlying
risks on businesses;
Develop understanding of the disaster planning and
recovery process; and
Create a simple set of disaster recovery plans
Background
A disaster is any adverse event that disrupts the IT
infrastructure for an unacceptable period of time (a day or
more), rendering the ordinary conduct of business difficult or
even impossible.
In the current digital climate, disaster is virtually unavoidable.
WHY?
_________________________________________________________
_______________________________________________________
With careful planning, the effects of a disaster can be
minimised.
Some Examples
The September 11th Effect
Financial loss (due to infrastructure damage)
in excess of $50 billion
Silver Top Taxi (Melbourne) Call
Centre Fire
Provided 50% of Melbourne's taxi services
Fire destroyed the administration and call centre
office
Thrown into chaos: commuters affected;
unable to use EFTPOS
*Source: AP or Reuters
Some Examples
On 26 September 2010, a hardware failure
brought down Virgin Blue's check-in,
boarding and online booking systems
for 11 days.
"Virgin Blue IT outage hit profit by up to
$20M"
Customers could not board their scheduled
flights.
The outage generated a lot of negative press,
as well as costing the company up to $20M
in profit.
Common Causes of Disasters
Source: Comdisco, 1999
Escalation of Incidents
An incident is considered a disaster
when:
the organisation is unable to contain or
control the impact of the incident,
or
the level of damage or destruction from the
incident is so severe that the organisation
is unable to recover quickly.
When a disaster threatens the
organisation at the primary site, DRP
becomes a business continuity issue.
Disaster Classes
Natural disaster - high-profile events, rare but lethal
Hurricane, fire, earthquake (usually rapid-onset disasters).
Man-made disaster - lower-profile events, but every bit as
consequential as natural events
Unintentional or intentional attack, including an act of terrorism
or similar catastrophe (attacks are usually slow-onset disasters),
software bugs and hardware failures.
Consequential disaster - an event that indirectly ends up being a
disaster for an organisation that was not directly affected by it.
Example: ____________________
Why Disaster Management?
To minimise the impacts of a disaster.
Statistics gathered by the London Chamber of Commerce
demonstrate that:
90% of businesses that lose data from a disaster are forced to close
within two years of the disaster;
80% of businesses without a well-structured recovery plan are forced
to close within 12 months of a flood or fire;
43% of companies experiencing disasters never recover; and
50% of companies experiencing a computer outage will be forced to
shut within five years.
DRP Regulatory Requirements
To comply with governance, privacy and other regulatory
requirements.
For example, the disaster recovery plan is a required
implementation specification, defined within the HIPAA Contingency Plan
standard in the Administrative Safeguards section of the
HIPAA Security Rule.
Failure to comply exposes the organisation to repercussions such
as fines or jail time.
True or False
Power failure is an example of natural disaster.
IT disasters can be damaging, disruptive and downright
dangerous.
When we fail to contain or control the impact of an incident,
we say the incident is a disaster.
It is virtually impossible to avoid disasters.
In some sectors, failure to adequately prepare to recover
from a disaster could lead to noncompliance.
Willful damage is an example of natural disaster.
Disaster Management
Figure: potential disaster -> develop DRP
Planning for disaster is risk reduction and
mitigation, and needs to be seen as such by top
management.
Components of Disaster Recovery Plan
Figure labels: DRP Development Phase, DRP Exercise Phase, DRP
Handling Phase; disaster recovery team, IT disaster, crisis
communication, drills, test, update.
Disaster Recovery Teams
The recovery process is handled by teams that work
together under a manager who acts as leader:
To oversee the whole recovery process
To function in an efficient manner
To allow independent tasks to proceed simultaneously
IT Disaster Recovery Plan (DRP)
The IT DRP is a crucial component of the contingency plan.
The IT DRP is a document that ensures an orderly recovery after a
disaster occurs. It specifies structured procedures and the
resources, personnel and data that are required to recover the IT
infrastructure (e.g., hardware, software, networks, processes,
data and people) to the usual level of operations at the normal
business site, quickly and efficiently, after a disaster occurs.
The IT DRP deals with technology recovery.
The IT DRP is a reactive strategy.
IT Disaster Recovery Plan Goals
To minimise the decision-making needed during a disaster.
To limit the extent of the damage and to prevent the escalation
of a disaster.
To prevent personal injury (to staff and the general public).
To prevent physical damage to company property.
To minimise a disaster's economic impact on the business.
To reduce or eliminate potential legal liabilities.
To reduce an unnecessarily stressful work environment, and
To comply with regulations where relevant.
DRP Testing and Updating
Having adequate and regular testing procedures in place is imperative to a
functioning DRP. Some of the ways testing can be performed:
Structured Walk-Through Testing - DR team members meet to verbally
walk through the specific steps of each component of the DR process as
documented in the DRP.
Simulation Testing - simulate the conditions of an actual disaster recovery
situation.
Full-Interruption Testing - real-time test on the actual systems, with possible
disruption of normal operations.
A DRP must be a living document. Since an obsolete DRP can be worse
than having no plan, it is important to review and update the plan
regularly.
Crisis Communications
The crisis management team plans a response that meets the law
and your obligations to your clients and business partners.
Crisis management is a set of focused steps, taken during and
after a disaster, that deal primarily with the people involved.
To achieve a smooth emergency response:
Establish a formal crisis communication program
Identify stakeholders for emergency communications
Identify key internal communication channels
Draft sample communications
Your communications plan could include a website or call centre
dedicated to the incident.
Lecture Summary
We must be prepared to avoid a disaster, and to recover
quickly when a disaster strikes.
A sound disaster recovery program is a collection of specific
action plans:
A disaster avoidance plan to reduce or limit risks.
An emergency response plan to ensure a quick response to
incidents.
A recovery plan to guide an organisation in resuming vital
business functions.
Homework
What is disaster management?
What are the various stages that disaster management
involves?
Discuss how a DRP minimises decision-making during a
disaster.
Discuss how a DRP minimises the risk of lost production and
services.
End of Lecture
Questions?
14/04/2014
1
Information Security Management
Lecture 5
Business Impact Analysis
Learning Objectives
After completing this session, you should be able to:
Complete a business impact analysis
Identify and categorise the critical business processes that
have high availability requirements
Formulate the cost of downtime
Establish RTO and RPO goals for these various business
processes.
Background
Organisations have hundreds of operations in their overall business.
Knowing which areas of the business need to get up and running
first after a system goes down can mean the difference between
survival and extinction.
The Business Impact Analysis (BIA) is the heart of
the contingency planning process.
It lays out which areas are most critical, either because they
directly generate revenue or because the company depends on them
for successful day-to-day operation.
Impacts of business interruption?
According to Gartner Inc. research:
Of organisations that suffer significant, sustained disasters,
20% are completely out of business within 24 months.
93% of organisations that have experienced a significant
data loss are out of business within five years.
80% of businesses affected by a major incident either never
reopen or close within 18 months.
Business Functions
A business function stops if one or more of its critical resources become
unavailable. These could be
People, Software (e.g., e-mail, database, etc.)
Hardware (e.g., server, printer, telephone, etc.)
Network LAN/WAN.
The fundamental issues are
which applications are required to run the business,
how much data can be lost, and
how long you can wait to restore functionality.
Business Impact Analysis
The BIA facilitates the identification of how quickly essential
business units and/or processes have to return to full operation
following a disaster situation.
It takes into consideration
essential business functions,
people and system resources,
government regulations, and
internal and external business dependencies.
Business Impact Analysis
The objectives of the BIA are as follows:
Identify the organisation's business unit processes and the
estimated recovery time frame for each major business unit.
Estimate the financial impacts for each major business unit,
assuming a worst-case scenario.
Estimate the intangible (operational) impacts for each major
business unit, assuming a worst-case scenario.
Define the estimated number of personnel required for recovery
operations.
Data gathering
The BIA is done using objective and subjective data gathered
from:
interviews with knowledgeable and experienced personnel,
reviews of business practice histories,
financial reports,
IT system logs,
...
Business Unit Analysis
The second major BIA task is the analysis and prioritisation
of business functions within the organisation.
Business functions are ranked based on the following
criteria:
1 Highly critical function; cannot operate without this process
for even a short period of time (hours).
2 Essential function; can work around the process for a short
period of time (less than a week).
3 Routine function; can work around or function without the
process for a week or more.
Interruption Tolerance Level
How long can an activity remain disrupted?
Figure: example event ranking
Critical Design Parameters
Assign maximum tolerable downtimes (MTDs)
Recovery time objective (RTO)
How fast must the company get its business running again after
a disaster?
Recovery point objective (RPO)
What amount of data can the organisation afford to
lose? The smaller the gap between the last backup and the
disaster, the less data is lost.
RPO and RTO help choose the optimal disaster recovery
technologies and procedures.
The closer these points are to the moment of disaster, the
greater the need for quick recovery (and the higher the cost).
Critical Design Parameters
Potential damage assessment
In this step, you quantify the losses due to a
business outage (financial, extra cost of
recovery, reputation):
Estimate the cost of the best, worst and most
likely outcomes
by preparing an attack scenario end case.
This allows identification of what must be done to
recover from each possible case.
Tangible Impacts
Business Function              Business Unit Name   RTO (hours)   Loss (daily)
Order Entry                    Customer Service     4             $500,000
Billing                        Customer Service     8             $25,000
New Account Credit Checking    Customer Service     16            $20,000
New Account Set Up             Customer Service     16            $20,000
Order Picking & Shipping       Distribution         4             $500,000
Product Receipt & Storage      Distribution         72            $100,000
Purchase Order Creation        Finance              120           $10,000
Accounts Receivable            Purchasing           72            $100,000
Intangible Impacts
Business Function                    Business Unit Name   RPO (hrs)   Impact
Product Recall                       Customer Service     8           High
Customer Follow Up Surveys           Customer Service     240         Low
Payroll                              Finance              4           High
Accounts Payable                     Finance              120         Low
General Ledger Creation/Maintenance  Finance              120         Low
Employee Performance Reviews         Human Resources      240         Low
Marketing Literature                 Marketing & Sales    72          Med
Example Impact Estimation
Prioritise Business Functions
In this step, you categorise the business
processes based on the severity of the impact
of IT-related outages.
Group all business processes/functions based
on their tolerance for loss of service.
Validate this with senior management for
approval; there will be differences of opinion.
Prioritise Business Functions
Loss of service/capability - sample classes of business function
Classes and loss-of-service tolerance (duration):
Critical (8 hours or less), Essential (24 hours), Necessary (24 hours),
Desirable (1 week or longer)
Business process / function and the class marks recorded for it:
A. Production: X
B. Inspection: X
C. Financial:
D. Executive Services: X X
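Worked example (added here; not code from the lecture or the textbook) that applies the BIA parameters above in Python: each business function is classified by its RTO into the loss-of-service classes, the tangible loss of an outage of a given length is estimated from the daily loss figure, the recovery order is derived, and a backup interval is checked against RPO. The sample functions are taken from the tangible impacts table; their RPO values and the 72-hour boundary between Necessary and Desirable are assumptions, since the slides do not state them.

```python
"""Business impact analysis helpers: classify functions by RTO, estimate the
tangible loss of an outage, order recovery, and check a backup schedule against
RPO. Added example, not from the lecture or textbook; the class boundaries and
the RPO figures are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    unit: str
    rto_hours: float      # recovery time objective agreed in the BIA interviews
    daily_loss: float     # tangible loss per day of outage (dollars)
    rpo_hours: float      # recovery point objective (tolerable data loss, in hours)


# Loss-of-service tolerance classes from the prioritisation slide. The source gives
# "8 hours or less" for Critical, 24 hours for Essential and "1 week or longer" for
# Desirable; the 72-hour Necessary boundary is assumed.
CLASS_LIMITS_HOURS = (("Critical", 8), ("Essential", 24), ("Necessary", 72))


def classify(fn):
    for label, limit in CLASS_LIMITS_HOURS:
        if fn.rto_hours <= limit:
            return label
    return "Desirable"


def outage_loss(fn, outage_hours):
    """Tangible loss for an outage of `outage_hours`, pro rata from the daily figure."""
    if outage_hours < 0:
        raise ValueError("outage length cannot be negative")
    return fn.daily_loss * outage_hours / 24.0


def recovery_order(functions):
    """Recover the smallest RTO first; break ties by the money at stake per day."""
    return sorted(functions, key=lambda f: (f.rto_hours, -f.daily_loss))


def rpo_satisfied(fn, backup_interval_hours):
    """With periodic backups the worst-case data loss is one full interval."""
    return backup_interval_hours <= fn.rpo_hours


def outage_report(functions, outage_hours):
    """Total tangible loss if every function is down for `outage_hours`, plus the
    names of the functions whose RTO that outage would exceed."""
    total = 0.0
    rto_missed = []
    for f in functions:
        total += outage_loss(f, outage_hours)
        if outage_hours > f.rto_hours:
            rto_missed.append(f.name)
    return total, rto_missed


# Sample data constructed from the lecture's tangible impact table (RTO and daily
# loss); the RPO column is assumed, as the slide lists RPO only for other functions.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Order Entry", "Customer Service", 4, 500_000, 4),
    BusinessFunction("Billing", "Customer Service", 8, 25_000, 8),
    BusinessFunction("Order Picking & Shipping", "Distribution", 4, 500_000, 4),
    BusinessFunction("Product Receipt & Storage", "Distribution", 72, 100_000, 24),
    BusinessFunction("Purchase Order Creation", "Finance", 120, 10_000, 120),
]


if __name__ == "__main__":
    for f in recovery_order(SAMPLE_FUNCTIONS):
        print(f"{f.name:28} {classify(f):10} RTO {f.rto_hours:>4}h  "
              f"nightly backup meets RPO: {rpo_satisfied(f, 24)}")
    print("24h outage:", outage_report(SAMPLE_FUNCTIONS, 24))
```

Running the report for a 24-hour outage shows the point of the prioritisation table: the two order-handling functions account for almost all of the tangible loss and both blow through their 4-hour RTO, while a nightly backup is good enough for purchase order creation but nowhere near the 4-hour RPO of order entry.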
Mission Critical Systems
Systems that need to be maintained during an
emergency.
Vital files, records and databases that need to be
maintained during an emergency.
Recovery Cost-Benefit Analysis
The longer the recovery time, the greater the potential
impact.
The shorter the recovery time, the greater the recovery cost.
What is the survival time of each entity?
BIA Report Contents
A BIA should be written out in clear language, stating, for example, that
"if a disruption lasts for x hours, this is what will happen". It should be
made clear to the recipient of a BIA report what the effects of disruptions
of various durations and data losses will be.
A BIA presents the requirements for disaster recovery plans.
The narrative outline for a BIA strategy should go as follows:
1) We rely on x [data centres, offices, people, network capacity, etc.] to do
business.
2) We only have y available to us.
3) We cannot obtain x minus y in a reasonable timeframe.
4) Therefore, we need to arrange for alternate data centres, working premises,
personnel, bandwidth, etc., in advance of a disruption.
Lecture Summary
The fundamental task in business impact analysis (BIA) is
understanding which processes in your business are vital to
your ongoing operations, and understanding the impact the
disruption of these processes would have on your business.
Devoting attention to RTO and RPO is essential if your organisation
is to keep operating in the event of a disaster.
A BIA does not consider what types of incident cause a disruption;
it identifies only the consequences.
End of Lecture
Questions?
IT Security Management
Lecture 6: Business
Continuity Planning
Lecture Objectives
After completing this session, students should be able to:
Understand the need for business continuity planning;
Know the major components of business continuity planning;
Evaluate the business continuity plan capability of an organisation to ensure
business continuity in the event of an IT disruption;
Evaluate the adequacy of the backup and restore provisions to ensure the
availability of information required to resume processing;
Evaluate the assessment of backup and recovery methods and the identification
of ways to improve performance.
Background
What capabilities are required to successfully implement business
continuity (BC) planning?
What are the top barriers to a business continuity (BC) plan?
How do you make sure the BC plan isn't overkill for the
organisation?
What are the key issues organisations should consider when developing a
continuity plan?
What factors should be considered when selecting a recovery solution?
Can you quantify the impact of data loss on a business?
Can you recover all your data? How long will it take to recover your data?
Will your data be all up to date when it is recovered? How will you validate that?
How can you sell BC planning to the executives?
What potential does virtualisation offer in the BC arena?
Background
In today's 24/7 business environment, fast and continuous
access to applications and data is essential for success.
However, business disruptions can occur at any moment for a variety
of reasons:
inclement weather (hurricane, flooding, snowstorms, etc.), power
outages, business partner problems;
software malfunctions caused by a computer virus;
illness or departure of key staff; and other events.
These disruptions can cause severe problems:
in customer service and employee productivity,
in business competitiveness and corporate image,
financial losses and possible litigation.
Can you quantify the impact of data loss
on a business?
The effect of lost data is detrimental to your business and your job
security.
For instance, what happens when data gets lost in the airline
industry?
Lost booking information
Lost critical flight safety information
Lost revenue
Impact on other dependent businesses (e.g., catering)
Question
Give an example of a business.
List and discuss the impact of data loss on that business.
Business Continuity (BC) Plan
A component of contingency planning and a crucial
component of today's network-based organisations.
It ensures smooth recovery and continuity of the critical
business functions to an acceptable level of working
conditions (often at an alternate site) in the face of a
major unplanned incident that may significantly disrupt
business operations.
Business Continuity (BC) Plan
Because BC is a management issue, it is owned by the CEO of
the organisation.
BC is PROACTIVE: it deals with how to avoid or mitigate the
impact of a risk.
BC team - the focal point for planning, and for coordinating the
organisation's response to, a major business disruption.
Why Business Continuity Planning?
Compliance - increasing emphasis by regulators and
governments on the need for organisations to have effective BC in
place.
Trading partners - large businesses are starting to insist on
suppliers having robust BC processes in place before they will
trade with them.
Business interruption insurance premiums - insurers have
started to take into account how fast an organisation is able to
resume business.
Why Business Continuity Planning?
Customer loyalty - business disruptions could lead to
customer dissatisfaction and subsequent lost revenue.
Minimise inherent risks - statistics gathered by the London
Chamber of Commerce demonstrate that:
(i) 90% of businesses that lose data from a disaster are forced to close
within two years of the disaster;
(ii) 80% of businesses without a well-structured recovery plan are forced to
close within 12 months of a flood or fire;
(iii) 43% of companies experiencing disasters never recover; and
(iv) 50% of companies experiencing a computer outage will be forced to
shut within five years.
Problem Statement
Given:
A list of prioritised mission-critical business functions (critical data and
applications) and people;
Recovery time objectives and recovery point objectives.
Problem:
Devise a cost-effective plan that provides reasonable assurance that the organisation
can promptly and seamlessly resume its mission-critical functions, in a practical
and affordable way, following a severe business disruption.
Objectives:
minimise the immediate adverse effects of a disruption (e.g., on the customer base,
the amount of loss and the downtime);
maximise the operation of critical resources (e.g., employees and supplier partners) in
a crisis;
ensure that major participants unaffected by the disaster can continue to operate with
minimal disruption.
Business Recovery Strategies
Two main decisions must be made to implement a business
continuity plan:
Alternative workspace facility - in an extreme disaster
where the primary site has been rendered unusable, an
alternate site must be chosen.
Resilience strategy - a broad range of technologies can
support an organisation's business continuity implementation.
Which one is best suited for the business?
What are the factors to consider when selecting
a recovery solution?
There are numerous advanced recovery solutions that an
organisation could select from.
The recovery option to select depends on the organisation's key
objectives for recovery, as identified in the BIA.
Because some of these solutions are more costly to implement than
others, balancing budget constraints against the impacts quantified in
the BIA often defines the selection process.
Other factors such as location may also play a role in an
organisation's selection of a particular solution. For example, some
locations are at higher risk of natural disasters, and you should take those
factors into consideration.
Figure: recovery time vs recovery cost
High Availability
Availability covers the techniques and technologies that help
to protect information and the resources used to process,
transmit and store it.
Availability is typically expressed as an annual system uptime
percentage, from 99.9% to 99.9999%.
Adding each nine to the availability figure increases costs by at
least a factor of 10 (rule of thumb).
The following table shows the relationship between
availability and downtime.
Figure: availability vs permitted downtime per year
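Worked example (added here, not part of the lecture) of the arithmetic behind the availability figures above, in Python: an availability fraction is turned into downtime per year, component availabilities are combined in series (a chain in which every element must be up) and in parallel (a hot standby, where any one path suffices), and the lecture's cost rule of thumb is written down. The component availabilities in the sample chain are assumed.

```python
"""Availability arithmetic for resilience design: downtime per year for a given
availability, and the availability of components in series (all must work) and in
parallel (any one suffices, e.g. a hot standby). Added example; the component
figures in the sample are assumed."""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60


def check_fraction(a):
    if not 0.0 <= a <= 1.0:
        raise ValueError(f"availability must be a fraction in [0, 1], got {a}")
    return a


def downtime_minutes_per_year(availability):
    """Annual downtime implied by an availability figure (0.999 -> about 526 min)."""
    return (1.0 - check_fraction(availability)) * MINUTES_PER_YEAR


def nines_to_availability(n):
    """'n nines' as a fraction: 3 -> 0.999, 5 -> 0.99999."""
    return 1.0 - 10.0 ** (-n)


def series_availability(components):
    """A chain fails if any element fails, so availabilities multiply."""
    return prod(check_fraction(a) for a in components)


def parallel_availability(components):
    """Independent redundant paths fail only when all fail at once.
    Assumes independence: a shared single point of failure (same power feed,
    same DNS, same misconfiguration pushed to both sites) breaks this formula."""
    return 1.0 - prod(1.0 - check_fraction(a) for a in components)


def cost_rule_of_thumb(from_nines, to_nines):
    """The lecture's rule of thumb: each extra nine costs at least 10x."""
    return 10 ** (to_nines - from_nines)


# Constructed sample: one serving chain and the same chain duplicated at a hot site.
SAMPLE_CHAIN = [0.9999, 0.999, 0.999]        # load balancer, app tier, database


def sample_design():
    single = series_availability(SAMPLE_CHAIN)
    with_hot_site = parallel_availability([single, single])
    return single, with_hot_site


if __name__ == "__main__":
    single, with_hot_site = sample_design()
    for label, a in (("single site", single), ("two sites", with_hot_site)):
        print(f"{label}: {a:.6f}, {downtime_minutes_per_year(a):.1f} min/year")
```

Two things the numbers make concrete: chaining three "three to four nines" components yields less than three nines overall (about 0.9979, or roughly 18 hours a year), and duplicating that chain at a hot site takes the design to about five nines, but only if the two sites really fail independently, which is exactly the assumption a common power feed, DNS or change process can violate.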
Alternative Workspace Facility
Cold site - empty facility; everything necessary
(computing equipment, connections, etc.) will be brought in
later.
Warm site - only some basic furniture (e.g., desks, chairs and
phones) is in place. The computing infrastructure (hardware, software
and data) necessary to do business will be brought in later.
Alternative Workspace Facility
Hot site - fully equipped with furniture, communications and the same
infrastructure (i.e., systems, applications and data) as the primary site;
ready for almost immediate use.
Stationary - off-site facilities equipped with the computing power
and backed-up data to keep systems and services online.
Mobile - trailers with servers and office equipment inside,
bringing the work area to the end user.
Outsourced - subscription-based commercial hot sites; vendors
provide the necessary infrastructure and platforms for the client's
applications.
Cold-site Recovery Facilities
Provides the most basic infrastructure at the recovery site, with no
actual systems. For example, the cold site may have air-conditioning,
computer cabling, a raised floor, etc., but there will be no systems
permanently available at that site.
When a disaster occurs, new systems need to be delivered to the site
and only then can recovery start.
Long recovery time (RTO) in the range of days or weeks,
depending on how long it takes for backup systems to be delivered to
the site.
The cheapest strategy.
It is seldom used and is not recommended.
Warm-site Recovery Facilities
Contains data centre facilities that include
backup power supply, cabling, air conditioning, etc.; and
permanently available IT infrastructure (servers, disk,
networking, etc.).
There may be some data mirroring or replication, although
mostly restores will be done from a backup.
Recovery time would generally be hours or days.
This is a common strategy.
Hot Site
A two-site solution based on
the concept of a
primary site and a
secondary (failover) site.
Backup hardware and software
are replicated at each site.
Recovery can be initiated using a
simple web browser from
anywhere in the world.
Hot-site Recovery Facilities
The site facility contains dedicated hardware that can be
ready to take over production system processing
immediately, within minutes or within a few hours at most.
Provides very low (or near-zero) RTO and RPO.
The data required to continue operations is generally
replicated to the recovery site and so is available virtually
immediately.
It is fairly expensive.
Resilience Strategies
The means for restoring business-critical functions after a
disruptive event in a cost-effective manner.
The focus of any recovery plan must be on keeping the business
running, not on keeping the computers running.
The strategy and technology used should be dictated by the
requirements that were established in the BIA, such as
maximum allowable downtime,
maximum allowable loss of data,
etc.
Resilience Strategies
A broad range of strategies and technologies are available for
implementation.
Some provide the benefit of enabling full and timely recovery.
These technologies can be used individually or in combination.
They vary in price and performance.
Strategies and technologies covered here:
Data shadowing (asynchronous replication)
Data mirroring (synchronous replication)
Data vaulting
Replication Techniques
Synchronous replication - guarantees that the primary and secondary sites are
kept in step with each other.
RPO tends to zero - each write request is duplicated and sent to both the
primary and the secondary data store, and is not acknowledged until both have it.
RTO may be of the order of a few hours - it may be necessary to manually
fail over a synchronous replication setup.
Asynchronous replication - maintains a replica of the data by continuously
capturing changes to a log and applying the changes in the log to the replicating
server.
It also drives RPO towards zero (but not to zero), because it does not wait for
every write to be acknowledged by both the local and the remote data store.
Good for applications that are not mission critical and can tolerate a slight lag
between writes to the primary and the secondary, for the sake of improved
bandwidth usage.
Mirroring (Synchronous Replication)
Both the primary and the secondary servers
are active and functioning at the same time;
Clients connect to both servers, and the
servers take care of maintaining consistency
with each other at all times.
When a server fails, the second server
seamlessly takes over the entire functionality
of the system without necessitating a manual
fail-over.
Generally speaking, the costliest form of
replication.
Provides an RPO of zero and an RTO close to zero.
Figure: failover to the secondary after loss of the primary
(with mirroring), followed by failback.
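Worked example (added here; a toy model, not code from the lecture or from any replication product) of the replication techniques and mirroring described above, in Python. A constructed stream of writes is replayed into a primary running in synchronous or asynchronous mode; the primary is then lost, and the acknowledged writes that never reached the secondary are counted, which is the RPO actually achieved. The write stream, the write interval and the lag figures are constructed.

```python
"""Synchronous vs asynchronous replication: what each does to the RPO when the
primary is lost. Added example (a toy model, not any vendor's product); the write
stream and the replication lag are constructed."""
from collections import deque


class Secondary:
    def __init__(self):
        self.applied = []

    def apply(self, record):
        self.applied.append(record)
        return "ACK"


class Primary:
    def __init__(self, mode, secondary, lag_writes=0):
        if mode not in ("sync", "async"):
            raise ValueError("mode must be 'sync' or 'async'")
        self.mode = mode
        self.secondary = secondary
        self.lag_writes = lag_writes        # async only: writes allowed to be in flight
        self.acknowledged = []              # writes the client has been told are durable
        self.log = deque()                  # async only: captured changes not yet shipped

    def write(self, record):
        if self.mode == "sync":
            # Duplicate the write to the secondary and wait for its ack before
            # acknowledging to the client: the two stores never diverge.
            if self.secondary.apply(record) != "ACK":
                raise RuntimeError("secondary did not acknowledge; write not committed")
            self.acknowledged.append(record)
        else:
            # Acknowledge immediately, capture the change in a log, ship later.
            self.acknowledged.append(record)
            self.log.append(record)
            self.ship_log()
        return "ACK"

    def ship_log(self):
        """Apply logged changes to the secondary, leaving up to lag_writes in flight
        (models network/bandwidth lag between the two sites)."""
        while len(self.log) > self.lag_writes:
            self.secondary.apply(self.log.popleft())


def lost_on_failover(primary):
    """Acknowledged writes the secondary never received: the RPO actually achieved."""
    received = set(primary.secondary.applied)
    return [w for w in primary.acknowledged if w not in received]


def run_failover(mode, lag_writes, records):
    """Replay `records` into a primary of the given mode, then lose the primary."""
    primary = Primary(mode, Secondary(), lag_writes)
    for r in records:
        primary.write(r)
    # Primary site lost here; anything still in its log dies with it.
    return lost_on_failover(primary)


# Constructed sample: ten transactions committed at the primary, one per second.
SAMPLE_WRITES = [f"txn-{i}" for i in range(10)]
WRITE_INTERVAL_SECONDS = 1


def achieved_rpo_seconds(mode, lag_writes):
    return len(run_failover(mode, lag_writes, SAMPLE_WRITES)) * WRITE_INTERVAL_SECONDS


if __name__ == "__main__":
    for mode, lag in (("sync", 3), ("async", 3), ("async", 0)):
        print(mode, "lag", lag, "lost:", run_failover(mode, lag, SAMPLE_WRITES))
```

With synchronous replication nothing the client was told is durable is lost, whatever the lag, because the acknowledgement waits for the secondary. With asynchronous replication and three writes in flight, the last three acknowledged transactions vanish with the primary: the RPO equals the lag, not zero, which is why the slide calls it suitable for functions that are not mission critical. The RTO side (manual failover on a synchronous setup) is not modelled here.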
Data Vaulting
An emerging technique for backing up data in which data is
transmitted over a data network to a storage system at a remote site.
Recovery times for vaulting solutions depend on the nature of the
product used and how it is set up.
If the previous night's backup tape must be loaded and then the
vault contents applied to it, the recovery time will be about the
same as for a tape backup with journaling.
However, some products allow a completely online and fully
automated recovery process that can significantly reduce recovery
times.
Virtualisation Technology
Conventional BC solutions have been based on redundant
hardware, geographically distributed or hosted in the same facility.
A virtual machine is independent of the hardware it is running on and
can be moved around the LAN or WAN to make best use of existing
resources.
Copies of these virtual machines can be saved off-site to protect against
the effects of a server failure.
From a BC perspective, the characteristics of virtual machines
(encapsulation and portability) make them simpler to back up, replicate
and restore.
Virtualisation Technology
Virtualisation offers a powerful and flexible new approach to BC.
It simplifies backup and recovery of data and systems.
The files that make up a virtual machine can be recovered to any compatible
virtualised server platform without requiring any changes. This lets tasks
such as server migration, backup and recovery, and replication be treated
as simple data migrations or file copy operations.
This enables the IT department to provision for levels of business continuity that
would have been unaffordable in a purely physical environment.
It reduces the cost and unpredictability of traditional disaster recovery solutions; for
example, it eliminates failures caused by hardware differences between the
primary and backup facilities.
Testing and Maintenance
Aim - to test the effectiveness of the plan and the preparedness of the
organisation, and to highlight areas where the plan requires further
development.
Types of exercise include:
tabletop exercises,
simulation exercises,
operational exercises,
mock disasters,
desktop exercises, and
full rehearsals.
Lecture Summary
BC ensures the continuation of core business activities in the
immediate aftermath of a crisis, and gradually ensures the continued
operation of all business activities in the event of sustained and
severe disruption.
A good business continuity plan is like an information insurance
policy for a small or large business.
The keys to creating a successful business continuity plan are:
define step-by-step procedures for response and recovery,
validate these activities through periodic exercising, and
keep the plan and its various components up to date.
End of Lecture
Questions?
2/05/2014
1
IT Security Management
Information
Security Policy
Learning Objectives
Upon completion of this material, you should be able to:
Explain information security policy and its central role in a successful
information security program
Know the three major types of information security policy often used and
what goes into each type
Develop, implement, and maintain various types of information security
policies
Develop policies, organizational standards, guidelines and best practices
Vet and communicate the policy throughout the organization
Determine policy effectiveness and develop reporting structures
Security Policy
A formal senior management statement that dictates what role IT security plays
in the organisation.
It consists of organisation-specific written rules by means of which the
organisation's information security objectives can be defined and attained.
It enables the staff to clearly understand what is and is not permitted in the
organisation regarding information assets and resources.
It provides a baseline from which detailed guidelines and procedures can be
established.
It can be used to demonstrate the minimum standard of due care for a legal
defence.
Security Policy
Policies specify WHY something should be done, not exactly WHAT or HOW.
Specific directives that are mandatory.
The least expensive form of security protection.
Policies are often the most difficult to implement/enforce. Why?
Should be developed using industry-accepted practices.
Foundational Key Policies
Policies always state required actions.
An organisation that has an internet presence will need to have most, if
not all, of the following:
Data Classification Policy
Acceptable Use Policy
Network Access Policy
Acceptable Encryption Policy
Application Service Provider Policy
Authentication Credentials Policy
Extranet Policy
Minimum Access Policy
Remote Access Policy
Web Server Security Policy
Email Security Policy
Many of these policies will also have an associated standard.
Policy Attributes
Require compliance (mandatory)
Special approval is required when someone wishes to take a course of action that is not
in compliance with policy.
Because compliance is required, policies use definitive words like "must not" or
"you must".
Failure to comply results in disciplinary action.
Focus on desired results, not on the means of implementation.
Must support the mission, vision, and strategic planning of the
organisation.
Must never conflict with law and must stand up in court.
Must be implementable (e.g., flexible enough that it can actually be complied with).
Must be clear, concise, understandable, and enforceable.
Policy Flexibility
If a security policy is too restrictive, people may not be able
to act legally, and could wind up not acting at all.
For example, emergency situations require trusting people
and process.
It is good policy to require approval under normal
circumstances, but the policies should address the fact that
needs are different during an emergency.
A security policy should provide mechanisms that allow
people to react quickly and appropriately in an emergency.
Information Policy Classification
Enterprise Information Security Policy: sets strategic direction, scope, and tone for the
organisation's security efforts.
Issue-Specific Policy: addresses a specific issue, such as a firewall
policy.
Systems-Specific Policy: controls the configuration and/or use of a
piece of equipment or technology. It is technical and/or managerial in nature.
Information Policy Classification
Example of an enterprise policy
Information must be protected in a manner commensurate
with its sensitivity, value, and criticality
Example of issue-specific policy
Incident response and management
password assessment policy
Use of company computers
Example of system-specific policy
Configuration of security systems such as firewalls, intrusion
detection systems, proxy servers
Policy Design Process
Policies need to be necessary, current, relevant and
useful, and must be developed and presented in a
uniform way.
The process for development and review of policy is a cycle
and generally involves the following steps:
Step 1 - Needs Analysis
Step 2 - Consultation and Drafting
Step 3 - Authorisation
Step 4 - Communication & Implementation
Step 5 - Maintenance
Step 6 - Review
Policy Template Example
Overview
Why are we implementing this policy?
What behaviors are we trying to govern?
What conflict or problem does the policy intend to resolve?
What is the overall benefit?
Scope
Who must observe the policy?
Who must understand the policy in order to perform their job?
What technologies or groups are included in the policy?
Are there any exceptions to the policy?
Policy Template Example (continued)
Policy Statements
What behaviors are we trying to govern?
What are the responsibilities that each individual must meet for compliance?
What are the general technical requirements for individuals or devices to be
in compliance with policy?
References
Corresponding standards documentation
Links to guidelines that relate to the policy statement
Enforcement
This section identifies the penalties for violating the policy.
Definition
Defines acronyms and technical terms that enable the reader to better
understand the policy
Revision History
Exercise
Explain why security policies MUST balance level of
control with level of productivity.
_________________________________
Offer your suggestions on how to achieve a good balance.
___________________________________
Why should policies at the highest level be short, concise,
and have a lengthy shelf life?
_________________________________
Policy Implementation
Policies are implemented using: Standards, Procedures, Practices, and
Guidelines
Standards
When developing an information security policy, it will be necessary
to establish a set of supporting standards.
Standards make a policy more meaningful and effective
Standards define and clarify what is acceptable and what is not
acceptable
What the organisation will do to stop unacceptable activities
These standards:
state what must be done to comply with policy, and
are mandatory requirements that support individual policies.
Password Complexity Standard
All passwords must:
be a minimum of eight characters in length;
contain a combination of the following character types:
lowercase (a-z),
uppercase (A-Z),
numbers (0-9),
punctuation and special characters;
have no more than 3 of these characters repeated in
the password.
Password Aging Standard
Password changing cycles:
changed on a quarterly basis for staff, other user, system
and administrator accounts;
at least every six months for student accounts.
Password cycle period: the same password cannot be
reused within a minimum of
5 password cycles for user accounts, and
50 password cycles for system and administrator
accounts.
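The two standards above are written as rules a system can enforce. The following Python module is an added example (not code from the lecture or the textbook) that turns them into an enforceable check: complexity violations are reported by name, previous passwords are kept as salted PBKDF2 hashes so reuse within the 5/50-cycle window can be detected without ever storing plaintext, and expiry follows the quarterly/six-monthly cycle. Two points the standard leaves open are assumptions here: "a combination of the following character types" is read as all four classes being required, and "no more than 3 of these characters can be repeated" as no single character appearing more than three times; the student reuse window and the PBKDF2 iteration count are placeholders.

```python
"""Enforcement of the password complexity and aging standards above.

Added example, not lecture or textbook code. Assumptions (the standard leaves
them open): all four character classes are required; "no more than 3
repeated" means no single character occurs more than three times; the
reuse window for student accounts is treated like a user account.
"""
import hashlib
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
MAX_OCCURRENCES = 3                       # assumption, see module docstring
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
# Password Aging Standard: reuse window in password cycles and maximum age in days.
REUSE_WINDOW = {"user": 5, "student": 5, "system": 50, "admin": 50}
MAX_AGE_DAYS = {"user": 91, "student": 182, "system": 91, "admin": 91}
PBKDF2_ITERATIONS = 100_000               # placeholder; tune for the platform


def complexity_violations(password: str) -> List[str]:
    """Return every rule of the complexity standard the password breaks (empty = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = set(password)
    missing = [name for name, cls in CHARACTER_CLASSES.items() if not present & cls]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    for ch in sorted(present):
        if password.count(ch) > MAX_OCCURRENCES:
            violations.append(f"character {ch!r} occurs more than {MAX_OCCURRENCES} times")
    return violations


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never holds a reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-account history: salted hashes of previous passwords plus the last change date."""

    def __init__(self, account_type: str):
        if account_type not in REUSE_WINDOW:
            raise ValueError(f"unknown account type {account_type!r}")
        self.account_type = account_type
        self.entries: List[Tuple[bytes, bytes]] = []   # (salt, hash), oldest first
        self.last_changed: Optional[date] = None

    def is_reuse(self, password: str) -> bool:
        """True if the candidate matches any password within the account's reuse window."""
        recent = self.entries[-REUSE_WINDOW[self.account_type]:]
        return any(_hash(password, salt) == digest for salt, digest in recent)

    def set_password(self, password: str, today: date) -> List[str]:
        """Apply both standards; record the password only when no rule is broken."""
        problems = complexity_violations(password)
        if self.is_reuse(password):
            problems.append(
                f"reused within the last {REUSE_WINDOW[self.account_type]} password cycles")
        if problems:
            return problems
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.last_changed = today
        return []

    def is_expired(self, today: date) -> bool:
        """True when the password is older than the aging standard allows (or never set)."""
        if self.last_changed is None:
            return True
        return today - self.last_changed > timedelta(days=MAX_AGE_DAYS[self.account_type])


if __name__ == "__main__":
    history = PasswordHistory("user")
    print(history.set_password("Tr0ub4dor&3", date(2014, 5, 2)))   # [] when accepted
    print(history.set_password("Tr0ub4dor&3", date(2014, 8, 1)))   # reuse is reported
    print(history.is_expired(date(2014, 8, 15)))                    # older than a quarter
```

The check is deliberately split into "what is wrong" and "record it", so the same functions can back both a self-service change page and an audit of existing accounts. Note that the aging standard reflects the lecture's 2014 position; NIST SP 800-63B has since dropped mandatory periodic expiry, so the constants above are the knobs to revisit.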
Procedures
A series of mandatory steps taken to successfully complete a
given task.
Procedures define "how" to protect resources and are the
mechanisms to enforce policy.
Procedures
provide a quick reference in times of crisis.
help eliminate the problem of a single point of failure (e.g., an
employee suddenly leaves or is unavailable in a time of crisis).
Procedures: Example
A password policy would outline:
password construction rules,
rules on how to protect your password, and
how often to change them.
A password procedure would outline the process to:
create new passwords,
distribute them, and
ensure the passwords have been changed on critical devices.
Guideline
Guidelines are generally discretionary best practice
recommendations.
May change frequently based on the environment and should
be reviewed more frequently than standards and policies.
For example, an organisation might
choose to publish a guideline on how to secure home networks
even though they are not supported by the corporation.
have a guideline that each new employee should have a
background check
Policy Management
An individual responsible for the creation, revision, distribution, and
storage of the policy.
A schedule of reviews to ensure currency and accuracy and to
demonstrate due diligence.
A mechanism by which individuals can make recommendations for
revision of the policy (possibly anonymously).
The policy must be properly disseminated, supported and administered, and
read, understood and agreed to be upheld by all members.
You must perform periodic reviews of the security policies, processes,
and procedures in use.
Measuring Policy Effectiveness
Effective policies ultimately result in the development and
implementation of a better computer security program and better
protection of systems and information.
Keep users current on their policy responsibilities. For example,
conduct training that describes how users should protect themselves and their
personal information at home, something that they care about. This is easy for
people to understand and grab on to.
Measure policy effectiveness. For example:
Did the end user know about the policy?
Did they decide not to follow it?
Did their management support them not following the policy?
Homework Questions
Explain Policy vs. Standard vs. Procedure
Do you think the security policies in the army, in a financial
institution, at a university, and in a big corporation are
significantly different? Why?
Why do policies require visibility to be effective?
Argue for or against the claim that security policy protects both
people and information.
Which of the following is correct? Explain your answer
Policies are not procedures.
Procedures are derived from policies.
Summary
Security policies:
provide a paper trail in cases of due diligence;
exemplify an organization's commitment to security;
form a benchmark for progress measurement;
help ensure consistency;
serve as a guide to information security;
give security staff the backing of management.
End of Lecture
Questions?
IT Security Management
Lecture 8: Risk Analysis Process
Professor J. H. Abawajy, Information Security Management
Once we know our weaknesses, they
cease to do us any harm.
GEORG CHRISTOPH
Learning Objectives
Upon completion of this session, you
should be able to:
Define risk management and its role in
the organisation
Describe the security risk analysis
process
Explain the risk determination process
Source: Principles of Information Security, Chapter 3.
Risk Management
"If you know the enemy and know yourself,
you need not fear the result of a hundred
battles.
If you know yourself but not the enemy, for
every victory gained you will also suffer a
defeat.
If you know neither the enemy nor yourself,
you will succumb in every battle." (Sun Tzu)
Background
In IT security management, risk assessment is
a fundamental step in determining
the most cost-effective mitigating controls to
implement.
Risk assessment involves the interaction of the
following elements:
assets, vulnerabilities, threats,
impacts, likelihoods and controls.
Risk analysis is a process that systematically identifies and
determines the levels of risk to an asset based on the
asset value, the levels of threats to and vulnerabilities of
the asset, the potential loss to the organisation due to those
threats, and how to respond to that potential loss.
IT Security Risks
A risk is a combination of an asset, a threat, and a
(potential) vulnerability.
Risk can be considered as the answer to the following
questions:
What threats can happen?
What is the probability / frequency that they happen?
What are the consequences if they happen?
In the lecture figure (not reproduced here), a threat is an attacker who uses a
vulnerability to compromise an asset (information):
[Figure: Threat (attacker) -> Vulnerability -> Information asset at risk]
Understanding Risk Analysis
Risk analysis starts with understanding:
What is at risk (national security, lives, property,
money, image)?
What is the threat and where does the threat come
from?
Who? (competitors, foreign agents, hackers)
Motivation (national security, money, fame, fun)
Target (see confidential data, change data, deface
website, etc.)
Capabilities (intellect, equipment, money)
What vulnerabilities can be exploited?
Technology, process, people
Risk Analysis Concept Map
[Figure: concept map not reproduced here]
Source: Australian Standard Handbook of Information Security Risk Management HB231-2000
Risk Analysis Process
The lecture diagram (not reproduced here) shows the four risk analysis steps.
The outcome of the risk analysis is used as a basis for
identifying appropriate and cost-effective risk control
mechanisms.
Risk Identification Process
The objective of the risk identification process is to identify,
categorise and value organisational assets, and to document
them.
The lecture diagram (not reproduced here) shows the main components of the
risk identification process.
Creating an Asset Inventory
All organisations contain assets that they wish to protect from harm.
Effective security begins with a solid understanding of the protected
assets, such as people (inside and outside), procedures, data and
information, software, hardware, and networking elements.
Classifying Assets
After the assets inventory is assembled, they should be classified based
on their sensitivity and security needs.
The categories must be comprehensive and mutually exclusive
Each category designates level of protection needed for a particular asset
Information Asset Classification
The aim of data classification is to aid in selecting
appropriate security controls for the protection of
data.
Many organisations already have a classification
scheme that classify data based on its level of
sensitivity, value and criticality to the organisations.
An example classification model is:
Restricted data (loss could cause a significant level of risk to the
organisation)
Private data (loss could cause a moderate level of risk to the
organisation)
Public data (loss could cause little or no risk to the organisation)
For each asset you also need to know its owner, creator and manager.
Sample Asset Classification Worksheet
[Worksheet not reproduced here]
Asset Valuation
As each information asset is identified, categorized, and
classified, assign a relative value
Relative values are comparative judgments made to
ensure that the most valuable information assets are given
the highest priority, for example:
Which information asset is the most critical to the success of
the organisation?
Which information asset generates the most revenue?
Which information asset generates the highest profitability?
Which information asset is the most expensive to replace?
Which information asset is the most expensive to protect?
Which information assets loss or compromise would be the
most embarrassing or cause the greatest liability?
Intangible Assets
Incorporating intangible assets within
Quantitative Risk Analysis is difficult as it is
hard to put a price on things such as trust,
reputation, or human life.
However, it is necessary to put in as accurate
a value as possible when factoring these
assets within risk analysis as they may be
even more important than tangible assets.
Information Asset Valuation
Create a weighting for each category based
on the answers to the previous questions
Which factor is the most important to the
organization?
Once each question has been weighted,
calculating the importance of each asset is
straightforward
List the assets in order of importance using a
weighted factor analysis worksheet
Asset Prioritisation
Risk Determination Process
For each identified threat/vulnerability pair:
Identify potential dangers to information and
systems (threats).
Identify the system weaknesses that could be
exploited (vulnerabilities) and associate them with threats to
generate threat/vulnerability pairs.
Identify existing controls that reduce the risk of the
threat exploiting the vulnerability.
Determine the likelihood of occurrence for a
threat exploiting a related vulnerability given the
existing controls.
Determine the severity of impact on the system
of an exploited vulnerability.
Determine the risk level for a threat/vulnerability
pair given the existing controls.
Risk determination worksheet (one row per threat/vulnerability pair):
Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level
Threats to Information Security
[Table not reproduced here]
Threat categories were rated on a scale of 1 to 5 by the top 1000 executives and are shown under the
heading Mean.
The executives also identified the top 5 threats from the categories to their organisation.
Responses were weighted and appear under the Weight heading.
Weighted Rank = Mean x Weight.
Weighted Ranking of Threat-Driven Expenditures
The executives also identified their top 5 threat-driven expenditures, which were used
to create the following rank order.
Top Threat-Driven Expenses: Rating
Deliberate software attacks: 12.7
Acts of human error or failure: 7.6
Technical software failures or errors: 7.0
Technical hardware failures or errors: 6.0
Quality-of-service deviations from service providers: 4.9
Deliberate acts of espionage or trespass: 4.7
Deliberate acts of theft: 4.1
Deliberate acts of sabotage or vandalism: 4.0
Technological obsolescence: 3.3
Forces of nature: 3.0
Compromises to intellectual property: 2.2
Deliberate acts of information extortion: 1.0
Vulnerability Assessment
Once you have identified the information assets of the
organization and documented some threat assessment
criteria, you can begin to review every information asset
for each threat.
This leads to the creation of a list of vulnerabilities that remain
potential risks to the organization.
Vulnerabilities are specific avenues that threat agents can
exploit to attack an information asset.
At the end of the risk identification process, a list of assets
and their vulnerabilities has been developed.
This list serves as the starting point for the next step in the risk
management process: risk assessment.
Analyse Existing Security Controls
Identify existing controls that reduce:
the likelihood or probability of a threat exploiting
an identified system vulnerability, and/or
the magnitude of impact of the exploited
vulnerability on the system.
Existing controls may be management,
operational and/or technical controls depending
on the identified threat/vulnerability pair and the
risk to the system.
Likelihood of Occurrence Levels
Determine the likelihood that a threat will exploit a
vulnerability.
Several approaches to computing the probability of an event:
classical, frequency and subjective.
Probabilities are hard to compute using classical methods.
Frequency can be computed by tracking failures that result in security
breaches or that create new vulnerabilities;
e.g. operating systems can track hardware failures, failed login attempts,
changes in the sizes of data files, etc.
If automatic tracking is not feasible, expert judgment is used
to determine frequency.
Approaches:
Delphi approach: probability in terms of integers (e.g. 1-10)
Normalized: probability between 0 (not possible) and 1 (certain)
Delphi Approach
A subjective probability technique originally devised to deal with public
policy decisions. It assumes experts can make informed decisions; the
results from several experts are analysed, and the estimates are revised
until consensus is reached among the experts.
Frequency Ratings
More than once a day 10
Once a day 9
Once every three days 8
Once a week 7
Once in two weeks 6
Once a month 5
Once every four months 4
Once a year 3
Once every three years 2
Less than once in three years 1
Likelihood of Occurrence Levels
Likelihood: Description
Negligible: Unlikely to occur.
Very Low: Likely to occur two/three times every five years.
Low: Likely to occur once every year or less.
Medium: Likely to occur once every six months or less.
High: Likely to occur once per month or less.
Very High: Likely to occur multiple times per month.
Extreme: Likely to occur multiple times per day.
Determine the Severity of Impact
Determine the magnitude or severity of impact on the
system's operational capabilities and data if the threat is
realized and exploits the associated vulnerability.
Determine the severity of impact for each threat /
vulnerability pair by evaluating the potential loss in each
security category (confidentiality, integrity and availability)
based on the system's information security level.
The impact can be measured by loss of system functionality,
degradation of system response time or inability to meet the business
mission, dollar losses, loss of public confidence, or unauthorized
disclosure of data.
Complete the column labelled Impact Severity using the
Impact Severity Levels table.
Impact Severity Level Table
Impact Severity: Description
Insignificant: Will have almost no impact if the threat is realized and exploits the vulnerability.
Minor: Will have some minor effect on the system. It will require minimal effort to
repair or reconfigure the system.
Significant: Will result in some tangible harm, albeit negligible and perhaps only noted by a few
individuals or agencies. May cause political embarrassment. Will require some
expenditure of resources to repair.
Damaging: May cause damage to the reputation of system management, and/or notable loss of
confidence in the system's resources or services. It will require expenditure of
significant resources to repair.
Serious: May cause considerable system outage, and/or loss of connected customers or
business confidence. May result in compromise of a large amount of Government
information or services.
Critical: May cause extended system outage or the system to be permanently closed, causing
operations to resume in a Hot Site environment. May result in complete
compromise of Government agencies' information or services.
Risk Level Determination
The risk can be expressed in terms of the
likelihood of the threat exploiting the vulnerability
and the impact severity of that exploitation on the
confidentiality, integrity and availability of the
system.
Table 4 (the Risk Level Determination Table below) shows the risk level resulting from the effect
of both parameters. The system
owner may raise the risk to a higher level
depending on the system's information security
level and the level of compromise if a threat is
realized.
Risk Level Determination Table
Rows: likelihood of occurrence; columns: impact severity.
Likelihood \ Impact | Insignificant | Minor | Significant | Damaging | Serious | Critical
Negligible | Low | Low | Low | Low | Low | Low
Very Low | Low | Low | Low | Low | Moderate | Moderate
Low | Low | Low | Moderate | Moderate | High | High
Medium | Low | Low | Moderate | High | High | High
High | Low | Moderate | High | High | High | High
Very High | Low | Moderate | High | High | High | High
Extreme | Low | Moderate | High | High | High | High
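The risk determination steps, the likelihood and impact scales and the matrix above are enough to make the worksheet reproducible rather than a matter of opinion per row. The following Python module is an added example (not lecture or textbook code) that does that for a register of threat/vulnerability pairs: it derives the likelihood level from an observed or estimated event rate, looks the pair up in the Risk Level Determination Table, applies the system owner's option to raise the result, and ranks the register so the worst pairs come first. The numeric boundaries between the likelihood bands (for example "once a year or less" as at most one event per year) and the sample register are assumptions of this example; the matrix rows are copied from the lecture.

```python
"""Risk level determination for a register of threat/vulnerability pairs.

Added example, not lecture code. The RISK_TABLE rows copy the Risk Level
Determination Table above. The event-rate boundaries of the likelihood bands
are an assumption that reads the Likelihood of Occurrence table as ascending
rates ("once a year or less" -> at most 1 per year, and so on).
"""
from dataclasses import dataclass
from typing import List

LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
IMPACT = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]
RISK_LEVELS = ["Low", "Moderate", "High"]

# One row per likelihood level, one column per impact level (same order as IMPACT).
RISK_TABLE = {
    "Negligible": ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Very Low":   ["Low", "Low", "Low", "Low", "Moderate", "Moderate"],
    "Low":        ["Low", "Low", "Moderate", "Moderate", "High", "High"],
    "Medium":     ["Low", "Low", "Moderate", "High", "High", "High"],
    "High":       ["Low", "Moderate", "High", "High", "High", "High"],
    "Very High":  ["Low", "Moderate", "High", "High", "High", "High"],
    "Extreme":    ["Low", "Moderate", "High", "High", "High", "High"],
}

# (band, upper bound in events per year); anything above the last bound is Extreme.
LIKELIHOOD_BANDS = [
    ("Very Low", 0.6),     # two or three times every five years
    ("Low", 1.0),          # once a year or less
    ("Medium", 2.0),       # once every six months or less
    ("High", 12.0),        # once a month or less
    ("Very High", 365.0),  # multiple times per month, up to daily
]


def likelihood_from_rate(events_per_year: float) -> str:
    """Map an observed or estimated event rate to the lecture's likelihood levels."""
    if events_per_year < 0:
        raise ValueError("event rate cannot be negative")
    if events_per_year < 0.4:          # fewer than two events in five years (assumption)
        return "Negligible"
    for band, upper in LIKELIHOOD_BANDS:
        if events_per_year <= upper:
            return band
    return "Extreme"


@dataclass
class RiskItem:
    """One row of the risk determination worksheet."""
    threat: str
    vulnerability: str
    events_per_year: float      # rate given the existing controls
    impact: str                 # one of IMPACT
    existing_controls: str = ""
    owner_uplift: int = 0       # levels by which the system owner raises the result

    @property
    def likelihood(self) -> str:
        return likelihood_from_rate(self.events_per_year)

    def risk_level(self) -> str:
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact severity {self.impact!r}")
        base = RISK_TABLE[self.likelihood][IMPACT.index(self.impact)]
        index = min(RISK_LEVELS.index(base) + self.owner_uplift, len(RISK_LEVELS) - 1)
        return RISK_LEVELS[index]


def rank_register(items: List[RiskItem]) -> List[RiskItem]:
    """Highest risk first; ties broken by impact, then by likelihood."""
    return sorted(
        items,
        key=lambda i: (RISK_LEVELS.index(i.risk_level()), IMPACT.index(i.impact),
                       LIKELIHOOD.index(i.likelihood)),
        reverse=True,
    )


if __name__ == "__main__":
    # Constructed sample register, not data from the lecture.
    register = [
        RiskItem("Deliberate software attack", "Unpatched public web server", 4, "Damaging", "IDS only"),
        RiskItem("Forces of nature", "Data centre in a flood zone", 0.2, "Critical", "Off-site backups"),
        RiskItem("Human error", "No change control on firewall rules", 1.5, "Minor"),
    ]
    for item in rank_register(register):
        print(f"{item.risk_level():8} {item.likelihood:10} {item.impact:13} "
              f"{item.threat} / {item.vulnerability}")
```

Keeping the band boundaries in one table means an auditor can see exactly why a pair landed where it did, and the `owner_uplift` field records the override the lecture allows instead of letting it be applied silently.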
Documenting Risk Analysis Results
The goal of this process has been to identify the
information assets of the organization that have
specific vulnerabilities and create a list of them,
ranked for focus on those most needing
protection first
In preparing this list we have collected and
preserved factual information about the assets,
the threats they face, and the vulnerabilities they
experience
We should also have collected some information
about the controls that are already in place
Risk Identification & Assessment Deliverables
[Figure not reproduced here]
End of Lecture
Questions?
IT Security Management
Lecture 9: Risk Management
J. H. Abawajy, Information Security Management
Learning Objectives
Upon completion of this session, you
should be able to:
Apply quantitative and qualitative security
risk analysis to appropriate situations
Compute Annual Loss Expectancy (ALE)
Use existing conceptual frameworks to
evaluate risk controls, and formulate a
cost benefit analysis
Risk Management
The objective of risk management is to deliver
optimal security at a reasonable cost.
Risk management is the process of identifying and
analysing risks, assessing the risk-reducing
safeguards that mitigate vulnerabilities, and
estimating the degree to which the selected safeguards can be
expected to reduce threat frequency or impact.
Qualitative vs Quantitative Risk
Analysis
Qualitative and Quantitative Risk Analysis are
two possible ways of determining risk.
The difference between Qualitative and
Quantitative Risk Analysis lies mainly in
asset valuation:
Qualitative Risk Analysis is more subjective and
relative;
Quantitative Risk Analysis is based on actual
numerical costs and impacts.
Qualitative Risk Analysis
Qualitative risk analysis is by far the most widely
used approach to risk analysis.
Probability data is not required; only the estimated
potential loss is used.
Most qualitative risk analysis methodologies make use
of a number of interrelated elements.
The defining characteristic of the qualitative model is the
use of subjective indexes (e.g., low/medium/high, vital/
critical/important, benchmark, etc.).
Qualitative Risk Analysis Matrix
In order to better understand the risk exposure, a matrix is
constructed that assigns risk levels (E = extreme, H = high, M = medium, L = low) to risks
by combining the likelihood scale (S, L, P, U and R) with the
consequence scale (1 to 5) of a risk on assets.
An example of the risk analysis matrix is shown below (rows: likelihood; columns: consequences).
Likelihood \ Consequences | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
S (almost certain) | M | H | H | E | E
L (likely) | M | M | H | H | E
P (possible) | L | M | M | H | E
U (unlikely) | L | M | M | M | H
R (rare) | L | L | M | M | M
Quantitative Risk Analysis
Quantitative risk analysis methods are based on
statistical data and compute numerical values of
risk based on the following two fundamental
components
the probability of an event occurring; and
the likely loss should it occur.
It is thus theoretically possible to rank risks and to
make decisions based upon this.
Risk Identification Estimate Factors
Risk = (P x V) - (P x V) x C + (P x V) x U
where
P = the likelihood of the occurrence of a vulnerability
(0 <= P <= 1.0),
V = the current value of the information asset,
C = the percentage of risk mitigated by current
controls, and
U = the uncertainty of current knowledge of the
vulnerability.
Risk Determination Example
Question 1: Asset A has a value of 50 and has
one vulnerability, which has a likelihood of 1.0
with no current controls. Your assumptions/data
are 90% accurate.
Answer
P = 1.0; V = 50; C = 0.0; and U = 10% (the uncertainty is one minus the accuracy).
Risk = (P x V) - (P x V) x C + (P x V) x U
Risk = (1.0 x 50) - (1.0 x 50) x 0.0 + (1.0 x 50) x 0.1
Risk = 50 - 0 + 5 = 55
Risk Determination Example
Question 2: Asset B has a value of 100 and has
a vulnerability that has a likelihood of 0.5 with a
current control that addresses 50% of its risk.
Your assumptions and data are 80% accurate.
Answer
P = 0.5; V = 100; C = 50%; and U = 20% (80% accuracy leaves 20% uncertainty).
Risk = (P x V) - (P x V) x C + (P x V) x U
Risk = (0.5 x 100) - (0.5 x 100) x 0.5 + (0.5 x 100) x 0.2
Risk = 50 - 25 + 10 = 35
Single Loss Expectancy
Single loss expectancy (SLE): calculation of
value associated with most likely loss from an
attack
Based on asset value and expected percentage of
loss that would occur from a particular attack:
SLE = asset value (AV) x exposure factor (EF)
EF = the percentage loss that would occur from a
given vulnerability being exploited.
This information is usually estimated.
Single Loss Expectancy Example
Let 80% of a library complex wing be destroyed by a fire.
Assume that the cost of the damage to the building is
$800. What is the total asset value of the complex? Justify
your answer.
The formula for computing Single Loss Expectancy
(SLE) is SLE = AV x EF, where
AV = Asset Value and EF = Exposure Factor.
The damage to the building (that is, the SLE) is $800 and
EF = 80%. Substituting the values into the above
equation gives:
$800 = AV x 0.8, so AV = $800 / 0.8 = $1000.
Annualised Loss Expectancy
Annualised Loss Expectancy (ALE) computes
risk using the probability of an event occurring
over one year.
Formulation:
ALE = SLE x ARO
ARO = Annualized Rate of Occurrence. It characterises, on
an annualised basis, the frequency with which a threat is
expected to occur.
SLE = Single Loss Expectancy
Annualized Loss Expectancy Example
Question 1: The chance of your hard drive failing is once
every three years. The cost of a new disk: $300. What is
the annual loss expectancy?
Answer:
Given
EF (Exposure Factor) = 1.0 (a replacement disk is needed)
Asset value = $300.00
ARO (Annualized Rate of Occurrence) = 1/3
Single Loss Expectancy
SLE = AV x EF = $300 x 1.0 = $300.00
Annual Loss Expectancy
ALE = SLE x ARO
= $300 x 1/3
ALE = $100
Balancing Control Cost/Benefits
Cost Benefit Analysis (CBA)
determines whether or not a
control alternative is worth its
associated cost.
Basically, cost/benefit analysis
ensures that the cost of a control
does not exceed the potential
loss. For example:
Let the yearly potential loss to an
organisation be estimated at
$15,000.
The control selected to
reduce the potential loss should not
cost more than $15,000 per year.
[Figure: a balance weighing the value of assets against the cost of protecting those assets]
Balancing Control Cost/Benefits
Some of the items that impact the cost of a
control include:
Cost of development or acquisition
Training fees
Cost of implementation
Service costs
Cost of maintenance
Balancing Control Cost & Benefits
Cost Benefit Analysis (CBA) determines whether or not
a control alternative is worth its associated cost.
CBA = ALE(prior) - ALE(post) - ACS
ALE(prior) = the annualized loss expectancy of the risk
before the implementation of the control
ALE(post) = the ALE examined after the control has
been in place for a period of time
ACS = the annual cost of the safeguard (please note
that this is not only the purchase cost; maintenance cost
is included).
Example
Question 1: On 28 July 2009, a fire destroyed 80% of the
two-storey Silver Top taxi (STT) building in Melbourne. The
damage to the building was $800. Fire statistics reveal that
STT has had a similar fire on average once every five
years. Should STT install a fire prevention system that
costs $1200 plus $100 per year for an extended warranty
maintenance contract for 15 years?
Answer: We need to answer the following three questions:
Question 1.1: What will be the total cost to Silver Top over 15
years if we do not install the fire prevention system?
Question 1.2: What will be the total cost to Silver Top over 15
years if we install the fire prevention system?
Question 1.3: What will you recommend?
Cost-Benefit Analysis
Question 1.1: What will be the total cost to Silver Top
over 15 years if we do not install the fire prevention
system?
Answer
Given
STT has had a similar fire on average once every five years.
In 15 years, Silver Top is expected to suffer 3 fires (15/5 = 3).
Each fire incident causes a loss of $800.
The total cost over 15 years to Silver Top is 3 x $800 = $2400.
Cost-Benefit Analysis
Question 1.2: What will be the total cost to Silver Top
over 15 years if we install the fire prevention system?
Given
The initial cost of the fire prevention system is $1200.
The $100 per year extended warranty adds up to $1500 over the 15 years.
The total cost to STT over 15 years will be: $1200 + $1500 = $2700.
Cost-Benefit Analysis
Question 1.3: What will you recommend?
Answer:
ALE(prior) = $2400; ALE(post) = $0; ACS = $2700
We use the following formula:
CBA = ALE(prior) - ALE(post) - ACS
CBA = $2400 - $0 - $2700
CBA = -$300
Installing the fire prevention system costs 12.5% more than not installing the fire prevention system.
Based on the cost-benefit analysis result, you should not recommend it.
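The CBA computation above, worked in Python as an added example that is not part of the lecture slides: it uses the annualized form of the formula (ALE = SLE x ARO, with the one-off cost spread over the planning horizon), reproduces the 15-year total of -$300, and then applies the same function to a second, constructed control option to show how alternatives are ranked. The Risk and Control classes, the recommend function and the "extinguishers" option are assumptions made for this example.

```python
"""Cost-benefit analysis of a security control: CBA = ALE(prior) - ALE(post) - ACS.

Added example, not part of the lecture slides. The Silver Top taxi (STT) figures
($800 loss per fire, one fire every five years, a $1200 system plus $100 per year
over 15 years) come from the slides; the class and function names and the second
control option are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """A risk quantified the way the lecture does: ALE = SLE x ARO."""
    name: str
    sle: float   # single loss expectancy: loss per incident, in dollars
    aro: float   # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: what it costs and how much risk it leaves behind."""
    name: str
    upfront_cost: float   # one-off acquisition/implementation cost, in dollars
    annual_cost: float    # recurring maintenance/service/training cost per year
    residual_aro: float   # incidents per year that still occur with the control

    def acs(self, horizon_years: int) -> float:
        """Annual cost of the safeguard: the one-off cost is spread evenly over
        the planning horizon and the recurring cost is added on top."""
        return self.upfront_cost / horizon_years + self.annual_cost


def cba(risk: Risk, control: Control, horizon_years: int) -> float:
    """Per-year CBA. Negative means the control costs more per year than the
    loss it prevents; multiply by the horizon to get the slide's total."""
    ale_prior = risk.ale
    ale_post = risk.sle * control.residual_aro
    return ale_prior - ale_post - control.acs(horizon_years)


def total_cost_without(risk: Risk, horizon_years: int) -> float:
    """Expected loss over the horizon if the risk is simply accepted."""
    return risk.ale * horizon_years


def total_cost_with(risk: Risk, control: Control, horizon_years: int) -> float:
    """Residual loss plus the full price of the control over the horizon."""
    residual_loss = risk.sle * control.residual_aro * horizon_years
    return residual_loss + control.upfront_cost + control.annual_cost * horizon_years


def recommend(risk: Risk, controls: list[Control],
              horizon_years: int) -> Optional[tuple[Control, float]]:
    """Pick the control with the highest positive CBA. Returns None when no
    option beats accepting the risk, which is the slide's recommendation."""
    best: Optional[tuple[Control, float]] = None
    for control in controls:
        value = cba(risk, control, horizon_years)
        if value > 0 and (best is None or value > best[1]):
            best = (control, value)
    return best


# Figures from the slides.
STT_FIRE = Risk("STT building fire", sle=800.0, aro=1 / 5)
FIRE_SYSTEM = Control("fire prevention system", upfront_cost=1200.0,
                      annual_cost=100.0, residual_aro=0.0)
# Constructed alternative for comparison, not from the slides: cheaper, but
# it only halves the fire rate instead of eliminating it.
EXTINGUISHERS = Control("extinguishers and fire drills", upfront_cost=300.0,
                        annual_cost=20.0, residual_aro=1 / 10)
HORIZON = 15


if __name__ == "__main__":
    print(f"ALE(prior) = ${STT_FIRE.ale:.2f}/year")
    for option in (FIRE_SYSTEM, EXTINGUISHERS):
        per_year = cba(STT_FIRE, option, HORIZON)
        print(f"{option.name}: ACS = ${option.acs(HORIZON):.2f}/year, "
              f"CBA = ${per_year:.2f}/year = ${per_year * HORIZON:.2f} "
              f"over {HORIZON} years")
    choice = recommend(STT_FIRE, [FIRE_SYSTEM, EXTINGUISHERS], HORIZON)
    print("recommend:", choice[0].name if choice else "accept the risk (no control)")
```

Run as a script it prints the per-year figures for both options; the fire prevention system comes out at -$20 per year, i.e. -$300 over 15 years, matching the slide.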
Handling Risks
Risk can be handled in the following ways:
Risk avoidance: preventing the threats or vulnerabilities that lead to the risk in the first place.
Risk reduction: reducing the risk to an acceptable level through implementation of the necessary countermeasures.
Risk transference: the risk is transferred to a third party (e.g., an insurance company).
Risk acceptance: do nothing to mitigate the risk and accept the consequences of the potential loss (no countermeasures).
Risk Handling
Approach   Home owner theft risk           IT example
Avoid      Security guard                  No internet/intranet connection
Reduce     Locks on doors, alarm systems   Strong security, e.g., firewalls, crypto, etc.
Transfer   Homeowners insurance            Insurance; Network Service Provider with security guarantees
Accept     Deductible on insurance         Minimal security (e.g., an informational web site accepting the risk of defacement)
Mitigation Measures
Risk vs. Mitigation
Accept is high risk
Avoid is low risk
Reduce is intermediate
[Figure: bar chart of risk (Low/Medium/High) against mitigation measure: Accept (high), Avoid (low), Reduce (intermediate)]
Mitigation Measures
Cost vs. Mitigation
Accept is cheapest
Avoid is expensive
Reduce no cost
[Figure: bar chart of cost (Low/Medium/High) against mitigation measure: Accept (cheapest), Avoid (expensive), Reduce]
End of Lecture
Questions?
J. H. Abawajy IT Security Management Slide#: 1
IT Security Management
Personnel Security
Awareness, Training
and Education
Learning Objectives
After completing this chapter, you should be able to
Explain standards for staffing the security function
Explain employment policies and practices
Explain the need for personnel security
Explain the principles of personnel security and identify
methods to implement personnel security
Explain the purpose of security awareness, training and
education and identify various possible delivery methods
for security awareness programs
Background
A company's existence could depend on the integrity of its employees.
Unauthorised release of sensitive information could destroy the corporation's reputation or damage it financially.
Without security processes in place, an organisation's reputation could be destroyed.
Partners and customers with system access are also a source of exposure.
Human-related IT security risks are a major source of enterprise security vulnerabilities.
The Human Factor
Humans are the strongest line of defence. However, they are also the weakest link: humans are the Achilles' heel of information security.
Why Is Personnel Security Important?
Insider threat is a prime information security concern.
FBI statistics indicate that 72% of all thefts, fraud, sabotage, and accidents are caused by a company's own employees.
Another 15 to 20% comes from contractors and consultants.
Only about 5% to 8% comes from external people.
It is one of the most significant and difficult-to-mitigate security vulnerabilities.
Why Is Personnel Security Important?
It is true that young workers deeply embrace technology. According to the study:
Seven out of ten young workers were aware of their employer's IT policies, but violated them regularly.
An alarming 80% of young workers indicated they violated IT policies either all or most of the time.
Over half, 52%, believed they had no responsibility for securing their work devices or data.
Insider Threat Types
Definition: an insider threat is a threat introduced by a trusted entity (e.g., a current or former employee, contractor, or business partner) who has or had authorised access to an organization's network, system, or data.
Generally it can be divided into:
Unintentional insider threat
Unintentional compromise of sensitive information either by mistake or through attacks such as social engineering.
Example: the recent breach at Target Corp. was a malware-laced email phishing attack sent to employees.
Malicious insider threat
Intentional compromise of sensitive information.
Example: the Edward Snowden saga.
Reducing Intentional Insider Threat
Involves both technical and non-technical
controls
Some of these control mechanisms are:
Separation of duties
Two-person control
Job rotation and task rotation
Mandatory vacation
Principle of least privilege
Periodic review of logs
Using honey tokens
Personnel Security Controls
Unintentional Insider Threat
Unintentional insider threat associated with personnel is due to:
Lack of organisational policy awareness or failure to adhere to it
The majority of attacks (e.g., viruses and social engineering) feed on employees' lack of knowledge about security
Advances in size and miniaturisation of IT
It can be handled by:
Security awareness, training and education
Security as part of performance evaluation
Reducing Unintentional Insider
Threat
Reducing accidental security breaches involves both
technical and non-technical controls
Security Education, Training, and Awareness (SETA) are examples of non-technical control measures:
Improving security awareness of the need to protect
system resources
Developing skills and knowledge (i.e., security training)
so computer users can perform their jobs more
securely
Building in-depth knowledge (i.e., security education)
to design, implement, or operate security programs for
organisations and systems.
Purposes of SETA
They are preventative measures
SETA is generally the responsibility of the CISO
Build intentions to adhere to enterprise
technology rules and best practices.
Builds an in-depth knowledge base to design,
implement, or operate security programs for
organizations and systems
Develops skills and knowledge so that users can
perform their jobs using IT systems more securely
Improves awareness of the need to protect system
resources
Information Security Awareness
IT Security Awareness Goal
Most basic level of SETA
Used for employees who are new or unskilled
Gets employees to focus on security
Least common, but extremely effective
Delivery methods
Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, bulletin boards, security alerts (email, social media, blogs, etc.), classes, seminars, screen lockers, emails, games, etc. to reach employees
Avoid boring staff; prevent them from tuning out
Refrain from overloading users and from using technical jargon; speak the language the users understand.
Information Security Training
IT Security Training Goal
Intermediate level of SETA
To provide detailed information and hands-on instruction that give users the skills to perform their duties securely
Management can develop customised in-house training or outsource the training program
Delivery Methods
One-on-one method, formal class, computer-based training, user support groups, on-the-job training, self-study, distance learning/web seminars
Keep in mind that
Staff should not all be treated as equal; take into account the level of technical expertise (novice, intermediate, and advanced) and functional background (general user, managerial user, and technical user).
Make it fun to maximise the success rate
Information Security Education
IT Security Education Goal
Highest level of SETA
Used for employees in highly technical or
skilled positions that demand greater
information security
Delivery Methods
When formal education for individuals in
security is needed, an employee can
identify curriculum available from local
institutions of higher learning or
continuing education
A number of universities have formal
coursework in information security
Comparative SETA Framework
Evaluation and Performance Criteria
There is a measured improvement in employee
awareness of system security principles and
performance of duties in a secure manner.
Examples include
decreases in failed access attempts,
password failures and
help desk password resets.
Personnel Security
Employment Policy and Hiring Practices and Staffing the Security Function
Security Risk Posed By Personnel
Personnel of an organisation may include regular (full-time or part-time) staff employees, contractors, consultants or temporary workers.
Current employees (full-time and part-time) pose perhaps the greatest risk in terms of access and potential damage to critical information systems.
Former employees often retain sufficient access to the organisation's information resources, directly (through "backdoors") or indirectly through former associates.
A departing employee who has just accepted a position with a major competitor may have access to trade secrets that are the foundation of the corporation's success.
A new employee's ethical outlook is unknown to the company.
Security Risk Posed By Personnel
Contractors, Partners, Consultants and Temporary Workers
Often have highly privileged access to extremely sensitive and confidential information.
They are often not subjected to
the same screening and background checks;
the contractual obligations or general policies that govern other employees.
This increases the risk of information security breaches.
A lesser degree of loyalty to the firm or agency would be anticipated.
Temporary workers face lower wages, fewer benefits, and less job security.
Staffing the Security Function
Goal
To improve the IT security staffing discipline
Mechanism - Learn more about position requirements
and qualifications for both IT security positions and
relevant IT positions
Information security professional credentials such as
CISSP
Grant the information security function (and CISO) an
appropriate level of influence and prestige
Develop an information security organisational staffing plan
When hiring information security professionals at all levels,
organisational, behavioral and information security
concepts and knowledge are desirable.
Staffing Process
Goal
To integrate information security into the hiring process
Mechanism
When advertising open positions, omit the elements of
the job description that describe access privileges
Monitoring and nondisclosure agreements must be made a part of the employment contracts; make employment contingent upon agreement where required
New employees should receive, as part of their
orientation, an extensive information security briefing
Vetting Personnel
Goal
To determine if a potential employee is trustworthy
Mechanism
Verify identity and personal information
Verify professional credentials, previous employment and
education
Verify character of individual; may include
Interview with individual - avoid candidates entering secure
and restricted sites and limit the information provided to the
candidates on the access rights of the position
Checking provided references - A background check (may
include criminal records) should be conducted before making
an offer to any candidate
Managing Temporary Employee Risks
Goal
Minimising IT security risk posed by temporary workers
Mechanism
Although they have access to company information,
they are not usually held accountable for their actions
Access to information should be limited to what is
necessary to perform their duties
They should be made to follow good security practices
An appropriate summary of the information security
policies must be formally delivered to, and accepted
by, all temporary staff, prior to their starting any work
for the organisation.
Managing Contractor Risks
Goal
Minimising IT security risk posed by Contractors
Mechanism
Professional contractors may require access to virtually
all areas of the organisation to do their jobs. However,
service contractors do not.
Thus, service contractors should be escorted into and
out of the secure facility;
Always require verification for services
Ensure there is advance notice for scheduling,
rescheduling or cancellation of maintenance visits.
Managing Risk Posed by Consultants
Goal
Minimising IT security risk posed by Consultants
Mechanism
Apply the principle of least privilege when
working with consultants.
Special requirements (e.g., information or
facility access requirements) should be
integrated into the contract
They must be prescreened, escorted, and
subjected to nondisclosure agreements.
Business Partners
Goal
Businesses sometimes engage in strategic alliances
with other organizations to exchange information,
integrate systems, or enjoy some other mutual
advantage
Mechanism
A prior business agreement must specify the levels
of exposure that both organizations are willing to
tolerate
Nondisclosure agreements are an important part of
any such collaborative effort
Termination Issues
Goal
When an employee leaves an organisation, the following tasks must be performed:
Mechanism
Two methods for handling employee out-processing, depending on the employee's reasons for leaving, are:
Hostile departures
Friendly departures
Access to the organisation's systems must be disabled and keycard access revoked;
Personal effects removed from the premises and the employee escorted from the premises;
All removable media must be collected and hard drives secured;
File cabinet locks and office door locks must be changed.
Homework Questions
What measures can organisations have in place to ensure employee mistakes don't become a larger problem?
Briefly discuss the fundamental technology controls to mitigate insider risks.
Briefly discuss best practices in identifying and responding to insider threats.
Briefly explain, from your perspective, what attention the Edward Snowden saga brought to the topic of insider threat.
What are the characteristics of the unintentional insider?
Why are security awareness, training and education so important?
End of Lecture
Questions?
IT Security Management
J. H. Abawajy IT Security Management Slide#: 1
Professional Ethics
and Standards
In law a man is guilty when he violates the rights of others.
In ethics he is guilty if he only thinks of doing so.
Immanuel Kant
Session Objectives
This session examines the legal and ethical issues
related to information security. Chapter 12 of the textbook
covers information security law and ethics.
Upon completion of this session, you should be able to:
Differentiate between law and ethics
Describe the ethical foundations and approaches that
underlie modern codes of ethics
Identify major national and international laws that relate to
the practice of information security
Describe the role of culture as it applies to ethics in
information security
A/Professor Jemal H. Abawajy IT Security Management Slide#: 2
Fundamentals of Laws and Ethics
Laws are rules adopted and enforced by governments to
codify expected behavior in modern society
As it is impossible to formulate laws to enforce all
sorts of acceptable behaviours, we also depend
on ethics to build awareness of socially accepted
conduct or practice (especially the standards of a
profession).
Question - As an information security professional, why should you care about knowing the law and ethics?
Answer
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
Characteristics of Laws
Written so that it is accessible to everyone;
Technically, it is equally applicable to every one with
similar characteristics facing the same set of
circumstances;
Carries the sanction of a governing authority;
Compliance with the law is not optional. You are
compelled to obey the law if you do not choose to do
so voluntarily.
Failure to comply with the applicable laws may expose the organisation and its management (i.e., managers, directors and officers) to serious penalties and in some cases imprisonment in addition to fines.
Due Care/Diligence
Standards of Due care
It is the care that a reasonable information security
professional would exercise under the circumstances; the
standard for determining legal duty.
Standards of Due diligence
It is the effort an information security professional makes to
demonstrate due care; and avoid neglect of due care.
The challenge is to understand what standard of due care
should be applied in a given circumstance and what
process of due diligence should be employed to validate
due care.
The best way to accomplish this is to ask your legal
staff for an opinion.
Due Care/Diligence
Organisations regularly collect personal information such as address, phone, purchases, bank account, credit card information, employment history, salary, etc.
Collecting personal information without proper authorisation
Sharing or disclosing personal information without proper permission (for example, what if an organisation has provided it to a foreign call centre without adequate security safeguards?)
Storing personal information without appropriate security measures
Each of the above acts could expose the organisation to
Criminal or civil class actions for non-compliance with applicable laws, or for loss of sensitive data.
Unwanted publicity that could cause a public relations disaster.
Managers' Role in Legal/Ethical Performance
Managers play a vital role in a company's legal and
ethical performance.
It is in part their responsibility to ensure that their
employees are abiding by Federal, State, and Local laws,
as well as any ethical codes established at the company.
But most importantly, the managers must provide a
positive example to their employees of proper behaviour
in light of laws and ethical codes.
Managers cannot simply limit their decisions to following
the law. They must also consider the ethics of their
employees and customers.
Information Security and Laws
Information Security Laws
A significant regulatory regime already exists for information security.
Aim
To provide protection against breach of ownership, confidentiality,
integrity, and availability of information as well as regulate the
behaviour of people who use information technology from
insidious misuse
Examples
Intellectual property law (Patents, copyrights, and trade secrets) to
protect the rights of developers and owners of the programs and
data.
Enforcement
Organisational security practices are constantly monitored and scrutinised by various law enforcement agencies (e.g., the Securities and Exchange Commission in the USA).
Types Of Law
Law - Explanation
Civil - pertains to relationships between and among individuals and organisations
Tort - subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury
Criminal - addresses violations harmful to society and actively enforced/prosecuted by the state
Private - includes family law, commercial law, and labor law; regulates relationships among individuals and among individuals and organizations
Public - includes criminal, administrative, and constitutional law; regulates structure and administration of government agencies and their relationships with citizens, employees, and other governments
Intellectual Property
Subject protected: Copyright - actual original works (music, photographs, books, songs, etc.); Patent - inventions (i.e., the intellectual method of creating a product); Trade secret - a secret competitive advantage.
Disclosure: Copyright - public record from the date created; Patent - public knowledge from the patent issue date; Trade secret - private.
Registration required?: Copyright - no; Patent - yes; Trade secret - no.
Protection effective: Copyright - immediately after the work is created; Patent - after the patent is issued; Trade secret - automatic.
Duration: Copyright - 70 years after the creator's death; Patent - 20 years; Trade secret - indefinite.
Infringement occurs: Copyright - if the work is copied wholly, or a derivative work is created, distributed, performed, or displayed; Patent - if making, using, or selling the patented invention; Trade secret - if confidential information is improperly obtained.
Questions for Discussion
Can software be copyrighted?
If I purchase software, does copyright prevent me from doing whatever I please with the software?
Which of the following items cannot be patented: artistic creations, mathematical models, plans, schemes?
Is independent invention a valid defence against claims of
patent infringement?
copyright infringement?
Does trade secret protection apply to computer software?
Questions for Discussion
After many years of extensive research, Alice invents a new technology and begins marketing it widely, completely unaware that Rosa had patented the same technology. Is Alice liable for patent infringement?
Alice produces code that is different from, but functionally equivalent to, Rosa's code. Alice is
liable for copyright infringement;
liable for patent infringement;
liable for copyright and patent infringement.
Australian Laws
In Australia, the legal system is based on English law and composed of two sources:
Statute law: the legislation enacted by parliaments
Common law: judge-made law derived from court judgements handed down through the history of the legal system
There are also two types of law: criminal law and civil law.
Australian federal and state laws exist for information security, including
The Cybercrime Act 2001
Telecommunications Legislation
Spam Legislation
Privacy Law
Cybercrime Act 2001 (Australia)
Goal - To address forms of cybercrime which impair the security,
integrity and reliability of computer data and electronic communications.
The act is an extension of the Criminal Code Act 1995 with computer
and communications offences.
It also increases investigation powers relating to search and seizure of
electronically stored data by amendments to the Crimes Act 1914 and
Customs Act 1901
Provisions: The Act creates three serious computer offences:
Unauthorised access, modification or impairment with intent to
commit a serious offence (a penalty of at least five years
imprisonment);
Unauthorised modification of data recklessly (maximum penalty of
10 years imprisonment); and
Unauthorised impairment of electronic communications (maximum
penalty of 10 years imprisonment).
The Privacy Amendment (Private
Sector) Act 2000 (Australia)
Since December 2001, privacy legislation has applied to
most private sector organisations with a turnover of over
A$3 million.
Most private sector organisations (except those with
exemptions) are now subject to privacy standards when
handling personal information.
Organisations must now seek to comply with the 10 National Privacy Principles (NPPs) that relate to:
collection, data quality, use and disclosure, data security, openness, access and correction, identifiers, anonymity, sensitive information, and transborder flow of data.
Example of International Acts
Statute - Type of law - Explanation
Digital Millennium Copyright Act (DMCA) - Federal law (USA) - U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures
Data Retention Directive - European Union - Retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks
E-Communications Directive - European Union - The processing of personal data and the protection of privacy in the electronic communications sector
EU Directive 95/46/EC - European Union - On the protection of individuals with regard to the processing of personal data, and on the free movement of such data. The UK has already implemented a version of this directive called the Database Right
Example of USA Acts
Statute - Type of law - Explanation
CFA - Federal - Deals with computer-related federal laws and enforcement efforts
CSA - Federal - Protects federal computer systems by establishing minimum acceptable security practices
Privacy Act of 1974 - Federal - Created to ensure that government agencies protect the privacy of individuals' and businesses' information, and hold them responsible if this information is released without permission
HIPAA - Federal - Designed to protect confidential healthcare information through improved security standards and federal privacy legislation
GLBA - Federal - Requires all financial institutions to disclose their privacy policies, describe how they share private personal information, and how customers can request that their information not be shared with third parties
SOA - Federal - Enforces accountability for financial record keeping and reporting at publicly traded corporations
Question for Discussion
Question
What are the Key differences between Policy and
Law?
Answer
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Discussion Question
Question
You are the security officer for a research network at Deakin University. You suspect that students are using P2P appliances to upload copyrighted music that they do not own. What law does this action violate? Justify your answer.
Answer
____________________________________________________
____________________________________________________
____________________________________________________
____________________________________________________
____________________________________________________
____________________________________________________
____________________________________________________
____________________________________________________
Ethics in Information Security
Ethical Concepts In Information
Security
An information security student is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework.
However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization.
They often must withstand a higher degree of scrutiny.
Characteristics of Ethics
Ethics involves learning what is right and
wrong, and then doing the right thing.
Most ethical decisions have
extended consequences.
multiple alternatives.
mixed outcomes.
uncertain consequences.
personal implications.
Differences in Ethical Concepts
Cultural issues in computer use ethics
Do you think individuals of different nationalities have different perspectives on the ethics of computer use?
What kinds of difficulties arise when one nationality's ethical behavior does not correspond to that of another national group?
Differences in computer use ethics are not exclusively cultural
They are found among individuals within the same country, same social class, same company
Key studies reveal that the overriding factor in leveling ethical perceptions within a small population is education
Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee
Ethical Concepts In Information
Security
Ethics, from an information security perspective, deals with responsible cyber social behaviour.
Today most organisations have written codes of ethics for their members to abide by.
Information security professionals are expected to be more articulate about ethics than others in the organisation.
Ethics are objective
Based on cultural mores: relatively fixed moral attitudes or customs of a societal group.
Unlike laws, they cannot be forced on individuals.
In fact, different individuals may have different ethical beliefs.
Deterring Unethical and Illegal
Behavior
Three general categories of unethical behavior that organizations and
society should seek to eliminate:
Ignorance
Accident
Intent
Deterrence is the best method for preventing an illegal or unethical activity. Controls or safeguards to deter unethical and illegal acts include:
Technology - many security professionals understand technological means of protection
Policy - many underestimate the value of policy
Education and training
It is generally agreed that laws, policies and their associated penalties only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
Organizational Liability and The
Need for Counsel
What if an organization does not support or even
encourage strong ethical conduct on the part of its
employees?
What if an organization does not behave ethically?
If an employee, acting with or without authorization,
performs an illegal or unethical act causing some degree of
harm, organization can be held financially liable
An organization increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions
Due diligence requires that an organization make a valid
and ongoing effort to protect others
Ethics and Education
Overriding factor in leveling ethical perceptions
within a small population is education
Employees must be trained in expected
behaviors of an ethical employee, especially in
areas of information security
Proper ethical training vital to creating
informed, well prepared, and low-risk system
user
Comparison of Law and Ethics
Law - Ethics
Described by formal, written documents - Described by unwritten principles
Interpreted by courts - Interpreted by each individual
Established by legislatures representing all people - Presented by philosophers, religions, professional groups
Applicable to everyone - Personal choice
Priority determined by courts if two laws conflict - Priority determined by an individual if two principles conflict
Court is final arbiter of right - No external arbiter
Enforceable by police and courts - Limited enforcement
Questions
Differentiate between law and ethics
Identify major national and international laws
that relate to the practice of information security
Understand the role of culture as it applies to
ethics in information security
Access current information on laws,
regulations, and relevant professional
organizations
What exactly is an information professionals
duty of care?
End of Lecture
Questions?