Professional Documents
Culture Documents
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
06/14/23 1
Objectives
2
Management of Information Security, 3rd ed.
A true story
A local company suffered a catastrophic loss one night when its
office burned to the ground.
As the employees gathered around the charred remains the next
morning, the president asked the secretary if she had been
performing the daily computer backups. To the president’s relief
she replied that yes, each day before she went home she
backed up all the financial information regarding customers,
invoices, order and payments.
The president then asked the secretary to retrieve the backup so
they could begin to determine their current financial status.
“Well”, the secretary said, “I guess I cannot do that. You see, I put
those backups in the desk drawer next to the computer in the
office. ”
3
Risk Management
• Risk management: identification,
assessment, and prioritization of risks
• Managing risk is one of the key
responsibilities of every manager within
the organization
• In any well-developed risk management
program, two formal processes are at
work
– Risk identification and assessment
– Risk control
4
Risk Management
6
Management of Information Security, 3rd ed.
Knowing the Enemy
• Identifying, examining, and understanding
the threats facing the organization’s
information assets
– Must fully identify those threats that pose risks
to the organization and the security of its
information assets
• Risk management
– The process of assessing the risks to an
organization’s information and determining
how those risks can be controlled or mitigated
7
Management of Information Security, 3rd ed.
Risk management cycle
From http://technet.microsoft.com/en-us/library/cc750827.aspx
• Risk identification
– Identify
– Measure
– Prioritize
• Control measures
– Cost benefit analysis
8
Accountability for Risk Management
Communities of interest must work together
• Information Security – leadership role in
addressing risk
• Information Technology – role involves
building and maintaining secure systems
• Management – role involves resource allocation
and prioritization of security concerns
• Users – crucial role in (early) detection, and
proper response to threats
9
Management of Information Security, 3rd ed.
Steps in Risk Management
• Evaluating the risk controls
• Determining which control options are cost-
effective
• Acquiring or installing the appropriate controls
• Overseeing processes to ensure that the controls
remain effective
• Identifying risks
• Assessing risks
• Summarizing the findings
10
Management of Information Security, 3rd ed.
Risk Identification
12
Management of Information Security, 3rd ed.
Information Asset Inventory
creation
• Identify information assets
– Includes people, procedures, data and
information, software, hardware, and
networking elements
– This step should be done without pre-judging
the value of each asset
• Values will be assigned later in the process
• Determine which attributes of each
information asset should be tracked
13
Management of Information Security, 3rd ed.
Information Asset Inventory
creation (contd.)
14
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Information Asset Inventory
creation (contd.)
• Potential asset attributes
– Name
– Asset tag
– IP address
– MAC address
– asset type
– Serial number
– manufacturer name
– Manufacturer’s model or part number
– Software version, update revision, or FCO number
– Physical location, logical location
– Controlling entity 15
Management of Information Security, 3rd ed.
Example: Network Asset tracker
• http://www.misutilities.com/network-asset-tracker/howtouse.html
16
Information Asset Inventory
creation (contd.)
Identifying people, procedures and data assets.
Sample attributes for people, procedures, and
data assets
– People
• Position name/number/ID
• Supervisor name/number/ID
• Security clearance level
• Special skills
17
Management of Information Security, 3rd ed.
Information Asset Inventory
creation (contd.)
• Sample attributes for people, procedures, and
data assets (cont’d.)
– Procedures
• Description
• Intended purpose Software/hardware/networking
elements to which it is tied
• Location where it is stored for reference
• Location where it is stored for update purposes
18
Management of Information Security, 3rd ed.
Information Asset Inventory
creation (contd.)
• Sample attributes for people, procedures, and
data assets (cont’d.)
– Data
• Classification
• Owner/creator/manager
• Size of data structure
• Data structure used
• Online or offline
• Location
• Backup procedures
19
Management of Information Security, 3rd ed.
Next: Asset ranking
• Determine the values of assets
• Prioritize according to value
20
Classifying and Categorizing Assets
• Determine/refine an asset classification scheme
• A classification scheme categorizes information
assets based on their sensitivity, security needs
• Each category designates the level of protection
needed for a particular information asset
• Some asset types, such as personnel, may
require an alternative classification scheme
• Classification categories must be comprehensive
and mutually exclusive
21
Management of Information Security, 3rd ed.
Assessing Values for
Information Assets
• Assign a relative value: Comparative
judgments made to ensure that the most
valuable information assets are given the
highest priority
22
Management of Information Security, 3rd ed.
Assessing Values for
Information Assets - Questions
23
Management of Information Security, 3rd ed.
Figure 8-2 Sample asset classification worksheet
24
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Listing Assets in Order of
Importance
Final step: list the assets in order of importance
•achieved by using a weighted factor analysis worksheet
25
Management of Information Security, 3rd ed.
Next step: Threat Identification
• Typically: wide variety of threats; each threat
presents a unique challenge to information
security
Questions:
• Which threats present a danger to your
company’s information assets?
– reduce scope and cost of risk management
• Which threats present the gravest danger to
your company’s information assets?
– Rough assessment of severity of threat
26
Management of Information Security, 3rd ed.
Threat Identification (cont’d.)
27
Management of Information Security, 3rd ed. Source: ©2003 ACM, inc., included here by permission
Prioritizing threats
1000 top computing executives rated threats on a 5 point scale, from
not significant to very significant
29
Prioritizing threats (contd.)
• Probability of threat: negligible to
extreme
31
Management of Information Security, 3rd ed.
Vulnerability Assessment (contd.)
33
Likelihood and Consequences
(contd.)
• Consequences and likelihoods are combined
35
Management of Information Security, 3rd ed.
The TVA Worksheet (cont’d.)
37
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
More complex model
• Extended risk formula
R = Pa Ps V
• Where Pa = Probability of attack and
Ps = Probability that the attack
successfully exploits the vulnerability
V = value lost by successful
exploitation of vulnerability
38
Another formula
• Extended Whitman’s Risk Formula
R = P*V*(1 – CC + UK)
where P = probability that a vulnerability is
exploited,
V = value of asset,
CC = fraction of risk mitigated by current
control,
UK = fraction of risk not fully known
(uncertainty of knowledge)
39
In words…
40
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Risk Determination Example
– Asset A has a value of 50 and has one vulnerability, which has a
likelihood of 1.0 with no current controls. Your assumptions and
data are 90% accurate
– Asset B has a value of 100 and has two vulnerabilities:
vulnerability #2 has a likelihood of 0.5 with a current control that
addresses 50% of its risk; vulnerability # 3 has a likelihood of 0.1
with no current controls. Your assumptions and data are 80%
accurate
– The resulting ranked list of risk ratings for the three vulnerabilities
is as follows:
• Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
• Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% +
20%
• Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0 % + 20%
41
Management of Information Security, 3rd ed.
Documenting the Results
of Risk Assessment
• Goals of the risk management process
– To identify information assets and their vulnerabilities
– To rank them according to the need for protection
• In preparing this list, a wealth of factual
information about the assets and the threats they
face is collected
• Information about the controls that are already in
place is also collected
• The final summarized document is the ranked
vulnerability risk worksheet
42
Management of Information Security, 3rd ed.
Table 8-9 Ranked vulnerability risk worksheet
43
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Documenting the Results of Risk
Assessment (cont’d.)
44
Management of Information Security, 3rd ed.
Summary
• Introduction
• Risk management
• Risk identification
• Risk assessment
• Documenting the results of risk
assessment
45
Management of Information Security, 3rd ed.
Risk Control (Ch 9)
Identify Possible Controls
• For each threat and its associated
vulnerabilities that have residual risk,
create a preliminary list of control ideas
• Three general categories of controls exist:
– Policies
– Programs
– Technical controls
46
Management of Information Security, 3rd ed.
Objectives
• Upon completion of this chapter, you
should be able to:
– Recognize and select from the risk mitigation
strategy options to control risk
– Evaluate risk controls and formulate a cost-
benefit analysis using existing conceptual
frameworks
– Explain how to maintain and perpetuate risk
controls
– Describe the OCTAVE Method and other
approaches to managing risk
47
Management of Information Security, 3rd ed.
Introduction
• To keep up with the competition,
organizations must design and create a
safe environment in which business
processes and procedures can function
– This environment must maintain confidentiality
and privacy and assure the integrity and
availability of organizational data
– These objectives are met via the application of
the principles of risk management
48
Management of Information Security, 3rd ed.
Risk Control Strategies
• four basic strategies to control risks
– Avoidance
• Applying safeguards that eliminate or reduce the
remaining uncontrolled risks for the vulnerability
– Transference
• Shifting the risk to other areas or to outside entities
– Mitigation
• Reducing the impact if the vulnerability is exploited
– Acceptance
• Understanding the consequences and accepting the
risk without control or mitigation
49
Management of Information Security, 3rd ed.
Avoidance
• The risk control strategy that attempts to
prevent the exploitation of the vulnerability
• Avoidance is accomplished through:
– Application of policy
– Application of training and education
– Countering threats
– Implementation of technical security controls
and safeguards
50
Management of Information Security, 3rd ed.
Transference
• The control approach that attempts to shift
the risk to other assets, other processes, or
other organizations
• May be accomplished by rethinking how
services are offered
– Revising deployment models
– Outsourcing to other organizations
– Purchasing insurance
– Implementing service contracts with providers
51
Management of Information Security, 3rd ed.
Mitigation
• The control approach that attempts to
reduce the damage caused by the
exploitation of vulnerability
– Using planning and preparation
– Depends upon the ability to detect and respond
to an attack as quickly as possible
• Types of mitigation plans
– Disaster recovery plan (DRP)
– Incident response plan (IRP)
– Business continuity plan (BCP)
52
Management of Information Security, 3rd ed.
Mitigation (cont’d.)
53
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Acceptance
• do nothing to protect an information asset
– To accept the loss when it occurs
• assumes that it may be a prudent business
decision to examine the alternatives and
conclude that the cost of protecting an
asset does not justify the security
expenditure
54
Management of Information Security, 3rd ed.
Acceptance (contd.)
• the organization must:
– Determine the level of risk to the information asset
– Assess the probability of attack and the likelihood of a
successful exploitation of a vulnerability
– Approximate the ARO of the exploit
– Estimate the potential loss from attacks
– Perform a thorough cost benefit analysis
– Evaluate controls using each appropriate type of
feasibility
– Decide that the particular asset did not justify the cost
of protection
55
Management of Information Security, 3rd ed.
Managing Risk
• Risk appetite (also known as risk tolerance)
– The quantity and nature of risk that
organizations are willing to accept
• As they evaluate the trade-offs between perfect
security and unlimited accessibility
• The reasoned approach to risk is one that
balances the expense (in terms of finance
and the usability of information assets)
against the possible losses if exploited
56
Management of Information Security, 3rd ed.
Managing Risk (contd.)
• Residual risk
– When vulnerabilities have been controlled as much as
possible, there is often remaining risk that has not
been completely removed, shifted, or planned for
• Residual Risk is a combined function of:
– Threats, vulnerabilities and assets, less the effects of
the safeguards in place
• The goal of information security is not to bring
residual risk to zero, but to bring it in line with an
organization’s risk appetite
57
Management of Information Security, 3rd ed.
Managing Risk (contd.)
• If decision makers have been informed of
uncontrolled risks and the proper authority groups
within the communities of interest decide to leave
residual risk in place, then the information security
program has accomplished its primary goal
• Once a control strategy has been selected and
implemented:
– The effectiveness of controls should be monitored and
measured on an ongoing basis to determine its
effectiveness and the accuracy of the estimate of the
residual risk
58
Management of Information Security, 3rd ed.
Managing Risk (contd.)
59
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Managing Risk (cont’d.)
• Risk control involves selecting one of the
four risk control strategies
– For the vulnerabilities present
• If the loss is within the range of losses the
organization can absorb, or if the attacker’s
gain is less than expected costs of the
attack, the organization may choose to
accept the risk
– Otherwise, one of the other control strategies
will have to be selected
60
Management of Information Security, 3rd ed.
Risk handling action points
62
Management of Information Security, 3rd ed.
Risk control cycle
63
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Feasibility and Cost-Benefit Analysis
• Before deciding on the strategy for a specific
vulnerability
– All readily accessible information about the
consequences of the vulnerability must be explored
– Ask “what are the advantages of implementing a
control as opposed to the disadvantages of
implementing the control?”
• There are a number of ways to determine the
advantage or disadvantage of a specific control
• The primary means are based on the value of the
information assets that it is designed to protect
64
Management of Information Security, 3rd ed.
Cost-Benefit Analysis
• Economic feasibility
– The criterion most commonly used when
evaluating a project that implements
information security controls and safeguards
• It is difficult to determine the value of
information
– It is also difficult to determine the cost of
safeguarding it
65
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Factors that affect the cost of a safeguard
– Cost of development or acquisition of
hardware, software, and services
– Training fees
– Cost of implementation
– Service and maintenance costs
66
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Benefit
– The value to the organization of using controls
to prevent losses associated with a specific
vulnerability
– Usually determined by valuing the information
assets exposed by the vulnerability and then
determining how much of that value is at risk
and how much risk there is for the asset
– This is expressed as the annualized loss
expectancy (ALE)
67
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Asset valuation
– The process of assigning financial value or
worth to each information asset
– The value of information differs within and
between organizations
• Based on the characteristics of information and the
perceived value of that information
– Involves estimation of real and perceived costs
associated with the design, development,
installation, maintenance, protection, recovery,
and defense against loss and litigation
68
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Asset valuation components
– Value retained from the cost of creating the
information asset
– Value retained from past maintenance of the
information asset
– Value implied by the cost of replacing the
information
– Value from providing the information
– Value acquired from the cost of protecting the
information
69
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
70
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Potential loss is that which could occur
from the exploitation of vulnerability or a
threat occurrence
• Ask these questions:
– What loss could occur, and what financial
impact would it have?
– What would it cost to recover from the attack,
in addition to the financial impact of damage?
– What is the single loss expectancy for each
risk?
71
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• A single loss expectancy (SLE)
– The calculation of the value associated with
the most likely loss from an attack
– SLE is based on the value of the asset and the
expected percentage of loss that would occur
from a particular attack
– SLE = asset value (AV) x exposure factor (EF)
• Where EF is the percentage loss that would occur
from a given vulnerability being exploited
– This information is usually estimated
72
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
73
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• CBA determines whether or not a control
alternative is worth its associated cost
• CBAs may be calculated before a control or
safeguard is implemented
– To determine if the control is worth
implementing
• Or calculated after controls have been
implemented and have been functioning for
a time
74
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Cost-benefit analysis formula
CBA = ALE(prior) – ALE(post) – ACS
– ALE (prior to control) is the annualized loss
expectancy of the risk before the
implementation of the control
– ALE (post-control) is the ALE examined after
the control has been in place for a period of
time
– ACS is the annual cost of the safeguard
75
Management of Information Security, 3rd ed.