Professional Documents
Culture Documents
Governance & Risk Management
Fundamentals of Information Security
Information Security Management System (ISMS)
Life Cycle (SDLC) Management
• (Feasibility) – May not apply
• Project initiation – Senior Management Direction
• Functional Requirements – Business Unit Needs (assurance requirements)
• System Design – Architect a solution
• Develop/Acquire – SMEs, “Verification”
• Installation/Implementation – Testing, UAT, “Validation”, C&A
• Operation/Maintenance – Monitoring, Audits
• Retirement/Disposal – Data Retention / Leakage
ISC2 Code of Ethics
• Code of Ethics Preamble:
– Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
• Code of Ethics Canons:
– Protect society, the commonwealth, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
Ethics & The Internet
(RFC-1087)
• Characterized as unethical and unacceptable any activity which purposely:
– (a) seeks to gain unauthorized access to the resources of the Internet
– (b) disrupts the intended use of the Internet
– (c) wastes resources (people, capacity, computer) through such actions
– (d) destroys the integrity of computer-based information and/or
– (e) compromises the privacy of users
http://tools.ietf.org/html/rfc1087
Joe Lewis Fighting Systems
Code of Ethics
“To Advantage All
Without Disadvantaging Any”
Buckminster Fuller (1895-1983)
IT Governance Objectives
Gap Analysis
Types of Laws
• Civil law
– Tort
– Contract
– Property
• Criminal law
• Administrative (regulatory or business) law
Intellectual Property Laws
• Trade Secret
• Trademark
• Copyright
• Patent
WIPO
WTO
OECD
ISO/IEC 27001:2005 (updated 27001:2013)
http://en.wikipedia.org/wiki
Managing the Fourth Dimension
Process Management
http://www.m-w.com/dictionary/process
Quality Management
Models
W. Edwards Deming
The OODA Loop
• Originated by military strategist Col. John Boyd of the United States Air Force.
• Defines four overlapping and interacting processes
• Adopted by business and public for continuity planning.
Capability Maturity Model Integration®
• Carnegie-Mellon Software Engineering Institute (SEI)
• A process improvement maturity model for development of products and services
• Maturity Levels
– 0 - Incomplete
– 1 - Initial
– 2 - Repeatable
– 3 - Defined
– 4 - Quantitatively Managed
– 5 - Optimized
Plan Do Check Act
Governance “Steering”
Directive Documentation
• Generally What:
– Policies
• Goals
• Specifically How:
– Standards – Specifications for techniques and technologies “Shall”
– Procedures – Step by step instructions
– Baselines – Reference points of unacceptable risk
– Guidelines – Suggestions “Should”
Threats
• Malicious attacks
• Accidents
• Natural Disasters
• Fatigue
• Legal liabilities
• Cost to quality
Fundamental Security Goals
• Security Objectives:
– Availability
– Integrity
– Confidentiality
Roles and Responsibilities
• Senior Management
• Functional Management
• CIO
• CSSO
• Users
• Independent Auditors
– Internal
– External
RACI Charts
• Responsible
– "The Doer"
• Accountable
– "The Buck Stops Here"
• Consult
– "Prior to making a decision"
• Inform
– "After decision is made"
NIST SDLC
• Initiation
– Sensitivity assessment
• Development / acquisition
– Determine security requirements & risk assessment
– Incorporate requirements into specifications
– Obtain the system (build/buy) & related activities
• Implementation
– Install and turn on
– Testing / certification / accreditation
NIST SDLC
• Operation / maintenance
– Security operations & administration
– Operational assurance (monitor/audit)
– Change management
– Periodic re-accreditation
• Disposal
NIST SDLC (SP800-100)
Certification
• [15th century. From, ultimately, medieval Latin certificatum, from the past participle of late Latin certificare “to certify” (see certify). The underlying idea is of a document that makes something certain.]
• Microsoft® Encarta® Reference Library 2004. © 1993-2003 Microsoft Corporation. All rights reserved.
Accreditation
SP800-12 Accreditation
SP800-12 SDLC
ISO/IEC 27001 Section 4.2
Risk* Management
Preventing, Detecting & Responding to unforeseen dangers
*From the Greek “Rhiza” = cliffs under water.
Quantitative Analysis
• “You can only speak matter of factually about what you can measure” (Robert Anton Wilson)
• Objective numeric metrics:
– Real numbers
– Concrete percentages
– Monetary values
• Certification
• Insufficient data
Qualitative Analysis
• Subjective rankings
– Experience
– Intuition
– Feelings
• Accreditation
• Brainstorming
• The Delphi technique
Important Terminologies!!!
• Assets – Anything of Value
– Ownership, valuation, classification, entitlements
• Threats – Things that can cause Loss of Value
– Threat Agent – Source of a threat
• Vulnerability – Weakness/limitation of the asset
• Exposure – Vulnerability is accessible to threat source
Important Terminologies!!!
• Impact – Amount of loss
• Likelihood – Frequency of threat
• Exploit – An incident of an actual loss event
• Controls – Safeguards/Measures/Countermeasures
– Control Failure Policies
Value versus Cost
• Value – Assets
– Subjective
– Qualitative
• Cost – Controls
– Objective
– Quantitative (TCO)
• Cost Benefit Analysis
Asset Valuation Factors
Loss Criteria
• Life
• Branding / Reputation
• Initial loss versus delayed loss
• Aggregate Losses:
– Asset
– Productivity
– Opportunity (how to quantify?)
Threat Analysis
• Threat Taxonomy:
– Man made
• Accidental (most common!!!)
• Intentional
– Natural
– (Technical)
SP800-100 Risk Assessment
Control Analysis
Control Categories
• Preventive
• Detective
• Responsive
– Correct
– Recover
Control Gap
• A “gap” in coverage
• Percentage of asset not protected by control. For example, if insurance covers 80% of loss, then the Control Gap = 20%
Residual Risk (SP800-30)
Cost Benefit Analysis
Example
Over the last 10 years a company had 4 outages. The quantifiable impact for each event is the following:
Cost of recovery: $50,000
Loss of productivity: $30,000
TOTAL IMPACT: $80,000
• Avoid / Termination
• Reduce
– Planning
– Technologies
– Training
• Transfer
• Accept “risk appetite”
• Reject – Negligence!
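A worked calculation that carries the Example above through the Control Gap and Cost Benefit Analysis slides and ends at the treatment options; it is added here and is not part of the original deck. It assumes the standard quantitative formulas (SLE = impact per event, ARO = events per year, ALE = SLE × ARO) and two hypothetical controls whose coverage and annual cost are constructed figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    coverage: float      # fraction of the loss the control protects, 0..1
    annual_cost: float   # yearly cost of the control (its TCO spread per year)

def annualized_rate(events: int, years: int) -> float:
    """ARO (assumed formula): events per year; 4 outages in 10 years -> 0.4."""
    return events / years

def annualized_loss(sle: float, aro: float) -> float:
    """ALE (assumed formula) = SLE x ARO."""
    return sle * aro

def control_gap(coverage: float) -> float:
    """Slide rule: insurance covering 80% of the loss leaves a 20% control gap."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    return 1.0 - coverage

def residual_ale(ale: float, control: Control) -> float:
    """Residual risk: the share of the ALE that falls into the control gap."""
    return ale * control_gap(control.coverage)

def net_benefit(ale: float, control: Control) -> float:
    """Cost benefit: annual loss avoided by the control minus its annual cost."""
    return (ale - residual_ale(ale, control)) - control.annual_cost

def recommend(ale: float, control: Control) -> str:
    """Map the cost/benefit result onto the treatment options on the slide."""
    if net_benefit(ale, control) > 0:
        return "Reduce/Transfer"  # the control pays for itself
    return "Accept"               # carrying the risk is cheaper (if within appetite)

# The slide's figures: recovery + productivity loss per event, 4 events in 10 years.
SLE = 50_000 + 30_000
ARO = annualized_rate(events=4, years=10)
ALE = annualized_loss(SLE, ARO)  # 32,000 per year
# Constructed (hypothetical) controls; coverage and cost are not from the deck.
INSURANCE = Control("insurance covering 80% of loss", coverage=0.80, annual_cost=20_000)
FAILOVER = Control("redundant site", coverage=0.95, annual_cost=40_000)

if __name__ == "__main__":
    for c in (INSURANCE, FAILOVER):
        print(f"{c.name}: residual ALE {residual_ale(ALE, c):,.0f}, "
              f"net benefit {net_benefit(ALE, c):,.0f} -> {recommend(ALE, c)}")
```

With the slide's numbers the insurance option nets about $5,600 a year and is worth transferring to, while the more complete but costlier redundant site loses about $9,600 a year and the risk is better accepted.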
Accepted Risk Business Continuity
• Risk Appetite
– Qualitative risk culture of an organization
– How much is one willing to eat?
• Risk Tolerance
– Quantitative metrics to monitor compliance
– Allows organization to detect and respond appropriately to changes in risk
• Business Continuity Management
– Policies, plans and procedures to respond to accepted risk
SP800-100 Risk Mitigation
Plan Do Check Act
(SP800-50)
ISO/IEC 27001 Section 5
• Management responsibilities
– Commitment
– Provision of resources
• People
• Funding
• Time
• Location
Plan Do Check Act
ISO/IEC 27001 Section 6
• Management Review
• General
– Defining review policy
– Schedule
• At least once a year
• Inputs
– Audits
– Other stakeholder feedback
• Outputs
– Improvement plans
– Other remediation
Plan Do Check Act
• ISO/IEC 27001 Section 8
• Maintain & improve ISMS
• Make adjustments
• Promote change
• Publicize successes
Summary
• ISMS
• Security Mindset
• IT Governance
• Risk management
• Knowledge Transfer
• Continual improvement