Fundamentals of Information Systems Security

Lesson 4: The Drivers of the Information Security Business

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective(s)
 Explain information systems security and its effect on people and businesses.

Key Concepts
 Risk management and approaches
 Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
 Impact of risks, threats, and vulnerabilities on the IT infrastructure
 Adhering to compliance laws and governance
 Managing and mitigating risk

Business Drivers
Elements in an organization that support business objectives:
 People
 Information
 Conditions

Defining Risk Management
 Process of identifying, assessing, prioritizing, and addressing risks
 Ensures you have planned for risks that may affect your organization

Risks, Threats, and Vulnerabilities

Defining Risk Management
 Risk methodology: a description of how you will manage risk
 Risk register: a list of identified risks, normally recording for each one its likelihood, its impact, and the treatment decided for it
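The register and the assess/prioritize/address steps above, as an added example in Python (not code from the textbook). The 1..5 likelihood and impact scales, the rating thresholds, and the four sample entries are assumptions made for illustration:

```python
"""Risk register with qualitative scoring and prioritization.

Added example (not from the textbook). The 1..5 likelihood and impact
scales, the rating thresholds and the sample entries are assumptions
made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: str                 # register identifier, e.g. "R1"
    asset: str               # what is exposed
    threat: str              # who or what can cause harm
    vulnerability: str       # the weakness the threat can exploit
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    controls: list[str] = field(default_factory=list)  # treatments already in place

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value!r}")

    @property
    def score(self) -> int:
        """Qualitative risk score: likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a score onto the register's three bands (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order risks for treatment: highest score first, impact breaks ties,
    then the register id so the order is stable and reproducible."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.rid))


def untreated(register: list[Risk]) -> list[Risk]:
    """Medium or high risks with no control recorded: each one still needs
    a treatment decision (mitigate, transfer, avoid or formally accept)."""
    return [r for r in register if rating(r.score) != "low" and not r.controls]


# Constructed sample register for a small company (illustrative only).
SAMPLE_REGISTER = [
    Risk("R1", "file server", "ransomware via phishing e-mail",
         "unpatched workstations", likelihood=4, impact=5,
         controls=["e-mail filtering", "offline backups"]),
    Risk("R2", "primary data center", "utility power loss",
         "single power feed", likelihood=2, impact=5,
         controls=["UPS", "generator"]),
    Risk("R3", "sales laptops", "theft or loss in transit",
         "no full disk encryption", likelihood=3, impact=3),
    Risk("R4", "marketing website", "defacement",
         "outdated CMS plug-in", likelihood=3, impact=2),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rid} {rating(r.score):6} score={r.score:2} {r.threat}")
    print("needs a treatment decision:", [r.rid for r in untreated(SAMPLE_REGISTER)])
```

The point of `untreated()` is that a register is only useful if every medium or high entry ends in an explicit decision; a risk with a high score and an empty control list is a gap in the plan, not just a line in a spreadsheet.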

Implementing a BIA, a BCP, and a DRP
Protecting an organization's IT resources and ensuring that events do not interrupt normal business functions:
 Business impact analysis (BIA)
 Business continuity plan (BCP)
 Disaster recovery plan (DRP)

Business Impact Analysis (BIA)
 An analysis of an organization's functions and activities that classifies them as critical or noncritical
 Identifies the impact to the business if one or more IT functions fails
 Identifies the priority of different critical systems

BIA Recovery Goals and Requirements
 Recovery point objective (RPO): the maximum amount of data loss, expressed as a span of time, that the business can tolerate for a function
 Recovery time objective (RTO): the maximum time a function may be unavailable before the impact becomes unacceptable
 Business recovery requirements
 Technical recovery requirements
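The RPO and RTO goals above only mean something once they are checked against what the technical recovery requirements actually deliver. The following is an added example (not from the textbook) that compares each system's backup cadence and rehearsed restore time with its BIA targets and derives the recovery order; the systems, targets and measured figures are constructed for illustration:

```python
"""Check BIA recovery goals (RPO and RTO) against the backup cadence and
rehearsed restore time of each system.

Added example (not from the textbook). The systems, their targets and
the measured figures are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class SystemProfile:
    name: str
    critical: bool               # BIA classification: critical or noncritical
    rpo: timedelta               # recovery point objective: tolerable data loss, as time
    rto: timedelta               # recovery time objective: tolerable downtime
    backup_interval: timedelta   # time between restorable copies (technical requirement)
    time_to_restore: timedelta   # measured in the last DR drill: declaration to service restored


def worst_case_data_loss(p: SystemProfile) -> timedelta:
    """A failure just before the next backup loses a whole interval of data."""
    return p.backup_interval


def meets_rpo(p: SystemProfile) -> bool:
    return worst_case_data_loss(p) <= p.rpo


def meets_rto(p: SystemProfile) -> bool:
    return p.time_to_restore <= p.rto


def recovery_order(profiles: list[SystemProfile]) -> list[str]:
    """Restore critical systems first, tightest RTO first within each class."""
    ordered = sorted(profiles, key=lambda p: (not p.critical, p.rto, p.name))
    return [p.name for p in ordered]


def evaluate(profiles: list[SystemProfile]) -> list[dict]:
    """Return one finding per unmet objective, critical systems first."""
    findings = []
    for p in sorted(profiles, key=lambda p: (not p.critical, p.name)):
        if not meets_rpo(p):
            findings.append({"system": p.name, "objective": "RPO",
                             "target": p.rpo, "actual": worst_case_data_loss(p),
                             "fix": "shorten the backup interval or replicate continuously"})
        if not meets_rto(p):
            findings.append({"system": p.name, "objective": "RTO",
                             "target": p.rto, "actual": p.time_to_restore,
                             "fix": "faster restore path (warm/hot standby) or automation"})
    return findings


H, M = timedelta(hours=1), timedelta(minutes=1)

# Constructed sample: four systems with BIA targets and drill measurements.
SAMPLE_SYSTEMS = [
    SystemProfile("order-processing", True, rpo=1 * H, rto=4 * H,
                  backup_interval=15 * M, time_to_restore=3 * H),
    SystemProfile("customer-db", True, rpo=1 * H, rto=2 * H,
                  backup_interval=24 * H, time_to_restore=90 * M),
    SystemProfile("intranet-wiki", False, rpo=24 * H, rto=72 * H,
                  backup_interval=24 * H, time_to_restore=8 * H),
    SystemProfile("payment-gateway", True, rpo=5 * M, rto=1 * H,
                  backup_interval=5 * M, time_to_restore=3 * H),
]

if __name__ == "__main__":
    print("recovery order:", recovery_order(SAMPLE_SYSTEMS))
    for f in evaluate(SAMPLE_SYSTEMS):
        print(f"{f['system']}: {f['objective']} target {f['target']} "
              f"but actual {f['actual']} -> {f['fix']}")
```

Note the two different failure modes in the sample: `customer-db` meets its RTO but a nightly backup cannot honour a one-hour RPO, while `payment-gateway` replicates often enough for its RPO but the rehearsed restore takes three times its RTO. A BIA target that is never compared with a drill result is a wish, not a requirement.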

Business Continuity Plan (BCP)
 A written plan for a structured response to any events that result in an interruption to critical business activities or functions
 Order of priorities:
1. Safety and well-being of people
2. Continuity of critical business functions and operations
3. Continuity of IT infrastructure components within the seven domains of an IT infrastructure

Elements of a Complete BCP
 Policy statement defining the policy, standards, procedures, and guidelines for deployment
 Project team members with defined roles, responsibilities, and accountabilities
 Emergency response procedures and protection of life, safety, and infrastructure
 Situation and damage assessment
 Resource salvage and recovery
 Alternate facilities or triage for short-term or long-term emergency mode of operations and business recovery

Disaster Recovery Plan (DRP)
 Disaster
• Is an event that affects multiple business processes for an extended period
• Causes substantial resource damage you must address before you can resolve the business process interruption
 DRP
• Includes specific steps and procedures to recover from a disaster
• Is part of a BCP
• Extends and supports the BCP

Disaster Recovery Plan (DRP)
 Threat analysis
 Impact scenarios
 Recovery requirement documentation
 Disaster recovery

Disaster Recovery Plan (DRP)
 Hot site
• Has environmental utilities, hardware, software, and data like the original data center
 Warm site
• Has environmental utilities and basic computer hardware
 Cold site
• Has basic environmental utilities but no infrastructure components
 Mobile site
• Trailer with the necessary environmental utilities; can operate as a warm or cold site

Assessing Risks, Threats, and Vulnerabilities
 Risk Management Guide for Information Technology Systems (NIST SP 800-30; Revision 1, published in 2012, carries the title Guide for Conducting Risk Assessments)
 CCTA Risk Analysis and Management Method (CRAMM)
 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
 ISO/IEC 27005, "Information Security Risk Management"

Closing the Information Security Gap
 Security gap: the difference between the security controls in place and the controls you need to address vulnerabilities
 Gap analysis: a comparison of the security controls in place with the controls you need to address all identified threats

Steps for Conducting a Gap Analysis
 Identify applicable elements of security policy and other standards
 Assemble policy, standard, procedure, and guideline documents
 Review and assess implementation of policies, standards, procedures, and guidelines
 Collect hardware and software inventory information
Steps for Conducting a Gap Analysis (cont.)
 Interview users to assess knowledge of and compliance with policies
 Compare current security environment with policies
 Prioritize identified gaps for resolution
 Document and implement remedies to conform to policies
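The "collect inventory", "compare with policies" and "prioritize gaps" steps of the procedure above, as an added example in Python (not code from the textbook). The policy clauses, control identifiers, document names and the sample inventory are all hypothetical; a real run would read the inventory from an asset database or endpoint management tool:

```python
"""Gap analysis: compare the collected hardware/software inventory against
the controls the security policy requires, and prioritize the gaps.

Added example (not from the textbook). The policy clauses, control ids,
document names and the sample inventory are all constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Host:
    name: str
    role: str                 # "workstation" or "server"
    criticality: int          # 1..3 from the BIA, 3 = most critical (assumed scale)
    disk_encrypted: bool
    edr_installed: bool
    days_since_patch: int
    admin_mfa: bool


@dataclass(frozen=True)
class Requirement:
    control_id: str
    source: str                              # policy/standard clause it comes from
    applies_to: Callable[[Host], bool]       # scope of the requirement
    satisfied_by: Callable[[Host], bool]     # what the inventory must show


# Hypothetical policy requirements (clause names are invented for the example).
POLICY = [
    Requirement("ENC-01", "Endpoint Standard 3.2",
                lambda h: h.role == "workstation", lambda h: h.disk_encrypted),
    Requirement("EDR-01", "Endpoint Standard 4.1",
                lambda h: True, lambda h: h.edr_installed),
    Requirement("PATCH-01", "Patch Procedure 2.0",
                lambda h: True, lambda h: h.days_since_patch <= 30),
    Requirement("IAM-02", "Access Control Policy 5.3",
                lambda h: h.role == "server", lambda h: h.admin_mfa),
]


def find_gaps(hosts: list[Host], policy: list[Requirement] = POLICY) -> list[dict]:
    """One gap per (host, unmet applicable requirement), most critical first."""
    gaps = []
    for h in hosts:
        for req in policy:
            if req.applies_to(h) and not req.satisfied_by(h):
                gaps.append({"host": h.name, "control": req.control_id,
                             "source": req.source, "criticality": h.criticality})
    return sorted(gaps, key=lambda g: (-g["criticality"], g["control"], g["host"]))


def coverage(hosts: list[Host], policy: list[Requirement] = POLICY) -> float:
    """Fraction of applicable requirement checks that pass (0.0..1.0)."""
    applicable = satisfied = 0
    for h in hosts:
        for req in policy:
            if req.applies_to(h):
                applicable += 1
                if req.satisfied_by(h):
                    satisfied += 1
    return satisfied / applicable if applicable else 1.0


# Constructed sample inventory (illustrative only).
SAMPLE_INVENTORY = [
    Host("erp-db-01", "server", 3, disk_encrypted=True, edr_installed=True,
         days_since_patch=45, admin_mfa=False),
    Host("web-01", "server", 2, disk_encrypted=True, edr_installed=True,
         days_since_patch=10, admin_mfa=True),
    Host("sales-lt-17", "workstation", 1, disk_encrypted=False, edr_installed=True,
         days_since_patch=5, admin_mfa=False),
    Host("hr-lt-03", "workstation", 2, disk_encrypted=True, edr_installed=False,
         days_since_patch=60, admin_mfa=False),
]

if __name__ == "__main__":
    print(f"policy coverage: {coverage(SAMPLE_INVENTORY):.0%}")
    for g in find_gaps(SAMPLE_INVENTORY):
        print(f"[crit {g['criticality']}] {g['host']}: missing {g['control']} ({g['source']})")
```

Scoping each requirement with `applies_to` matters: a server that is not required to have full disk encryption is not a gap for ENC-01, and counting it as one would inflate the findings and hide the real ones. Criticality from the BIA, not the control id, drives the order in which remedies are scheduled.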

Adhering to Compliance Laws
 Sarbanes-Oxley Act (SOX)
 Health Insurance Portability and Accountability Act (HIPAA)
 Gramm-Leach-Bliley Act (GLBA)
 Payment Card Industry Data Security Standard (PCI DSS), a contractual industry standard enforced by the card brands rather than a law
 Federal Information Security Modernization Act (FISMA)
 Government Information Security Reform Act (Security Reform Act) of 2000

Keeping Private Data Confidential
 Ensuring availability and integrity is important
 You cannot undo a confidentiality violation: lost availability can be restored and corrupted data can be repaired, but data that has been disclosed cannot be made secret again

The Three Tenets of Information Security

Keeping Private Data Confidential
Authentication controls:
 Passwords and PINs
 Smart cards/tokens
 Biometric devices
 Digital certificates
 Challenge-response handshakes
 Kerberos authentication
 One-time passwords
Authorization controls:
 Authentication server rules and permissions
 Access control lists
 Intrusion detection/prevention
 Physical access control
 Connection/access policy filters
 Network traffic filters

Mobile Workers and Use of Personally Owned Devices
 Mobility
• Allows remote workers and employees to be connected to the IT infrastructure in almost real time
 Bring Your Own Device (BYOD)
• Employees using their personally owned devices for business and personal use

BYOD Concerns/Policy Definition
 Data ownership
 Antivirus management
 Support ownership
 Privacy
 User acceptance
 Legal concerns

Endpoint and Device Security
 Full device encryption
 Remote wiping
 Global positioning system (GPS)
 Asset tracking
 Device access control
 Removable storage

Summary
 Risk management and approaches
 Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
 Impact of risks, threats, and vulnerabilities on the IT infrastructure
 Adhering to compliance laws and governance
 Managing and mitigating risk
