© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information Systems Security
Lesson 4: The Drivers of the Information Security Business
Learning Objective(s)
Explain information systems security and its effect on people and businesses.
Key Concepts
Risk management and approaches
Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
Impact of risks, threats, and vulnerabilities on the IT infrastructure
Adhering to compliance laws and governance
Managing and mitigating risk
Business Drivers
Elements in an organization that support business objectives:
People
Information
Conditions
Defining Risk Management
Process of identifying, assessing, prioritizing, and addressing risks
Ensures you have planned for risks that may affect your organization
Risks, Threats, and Vulnerabilities
Defining Risk Management
Risk methodology: a description of how you will manage risk
Risk register: a list of identified risks
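The two slides above describe risk management as identifying, assessing, prioritizing and addressing risks, and name the risk register as the list that holds them. The following Python script is an added example, not material from the Jones & Bartlett deck: it builds a small register, scores each entry and ranks it so the "prioritizing" step is visible in code. The 1-5 likelihood and impact scales, the exposure = likelihood × impact rule, the high/medium/low thresholds and the sample entries are all assumptions made for illustration, not a standard the slides prescribe.

```python
"""Added example (not from the slide deck): a minimal risk register.

Assumptions, labelled here: each risk is scored on a 1-5 likelihood and a
1-5 impact scale, exposure is likelihood * impact, and the thresholds that
rank a risk as high/medium/low are illustrative, not a published standard.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int            # 1 (negligible) .. 5 (severe), assumed scale
    owner: str
    treatment: str = "undecided"   # accept / mitigate / transfer / avoid

    def __post_init__(self):
        # Reject entries outside the scale so the register stays comparable.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def rating(exposure: int) -> str:
    # Illustrative thresholds (assumption), not a standard.
    if exposure >= 15:
        return "high"
    if exposure >= 8:
        return "medium"
    return "low"


def prioritize(register):
    """Highest exposure first; ties broken by impact, then by id."""
    return sorted(register, key=lambda r: (-r.exposure, -r.impact, r.rid))


def summarize(register):
    """One line per risk in priority order, ready to paste into a report."""
    return [
        f"{r.rid} {rating(r.exposure):6} exposure={r.exposure:2} "
        f"{r.asset}: {r.threat} via {r.vulnerability} [{r.treatment}, owner {r.owner}]"
        for r in prioritize(register)
    ]


# Constructed sample register (fictional assets and scores).
SAMPLE_REGISTER = [
    Risk("R-001", "customer database", "ransomware", "unpatched file server", 3, 5, "IT ops", "mitigate"),
    Risk("R-002", "payroll system", "insider misuse", "shared admin account", 2, 4, "HR", "mitigate"),
    Risk("R-003", "marketing site", "defacement", "outdated CMS plugin", 4, 2, "Web team", "accept"),
    Risk("R-004", "data center", "flood", "basement location", 1, 5, "Facilities", "transfer"),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_REGISTER):
        print(line)
```

Each register row records the asset, threat and vulnerability separately, which is what lets the later "Risks, Threats, and Vulnerabilities" and gap-analysis slides be traced back to a single entry; the treatment field records which of the four classic responses (accept, mitigate, transfer, avoid) the owner chose, so "addressing" the risk is also captured.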
Implementing a BIA, a BCP, and a DRP
Protecting an organization’s IT resources and ensuring that events do not interrupt normal business functions:
Business impact analysis (BIA)
Business continuity plan (BCP)
Disaster recovery plan (DRP)
Business Impact Analysis (BIA)
An analysis of an organization’s functions and activities that classifies them as critical or noncritical
Identifies the impact to the business if one or more IT functions fail
Identifies the priority of different critical systems
BIA Recovery Goals and Requirements
Recovery point objective (RPO)
Recovery time objective (RTO)
Business recovery requirements
Technical recovery requirements
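The slide names the two numeric goals a BIA produces, the recovery point objective (RPO, the maximum tolerable data loss, measured as time since the last usable copy) and the recovery time objective (RTO, the maximum tolerable time to restore the function). The following Python script is an added example, not part of the slide deck: it checks a backup schedule against an RPO and a recovery runbook against an RTO, which is the "technical recovery requirements" check in practice. The systems, backup times, step durations, objectives and the phase-based runbook model are constructed for illustration, not measurements from a real environment.

```python
"""Added example (not from the slide deck): checking a recovery plan against
the RPO and RTO set by the BIA. Systems, backup schedules, step durations and
objectives below are constructed sample data.
"""
from datetime import datetime, timedelta


def worst_case_data_loss(backup_times, incident_time):
    """Age of the newest completed backup taken before the incident, i.e. the
    data that would be lost if the incident struck at incident_time."""
    prior = [t for t in backup_times if t <= incident_time]
    if not prior:
        raise ValueError("no completed backup before the incident")
    return incident_time - max(prior)


def planned_recovery_time(steps):
    """Elapsed time of the recovery runbook. Each step carries a phase number;
    steps in the same phase run in parallel (only the longest counts) and
    phases run one after another (assumed model of the runbook)."""
    longest_per_phase = {}
    for _name, minutes, phase in steps:
        longest_per_phase[phase] = max(longest_per_phase.get(phase, 0), minutes)
    return timedelta(minutes=sum(longest_per_phase.values()))


def assess(system, rpo, rto, backup_times, incident_time, steps):
    """Compare worst-case loss with the RPO and planned recovery with the RTO."""
    loss = worst_case_data_loss(backup_times, incident_time)
    recovery = planned_recovery_time(steps)
    return {
        "system": system,
        "data_loss": loss, "rpo": rpo, "rpo_met": loss <= rpo,
        "recovery_time": recovery, "rto": rto, "rto_met": recovery <= rto,
    }


# Constructed sample data: a nightly and an hourly backup schedule, the same
# worst-case incident time (just before the next nightly run), one runbook.
INCIDENT = datetime(2024, 3, 3, 23, 30)
NIGHTLY = [datetime(2024, 3, 1, 2, 0) + timedelta(days=d) for d in range(3)]
HOURLY = [datetime(2024, 3, 3, h, 0) for h in range(24)]
RUNBOOK = [
    ("declare disaster, activate team", 30, 1),
    ("notify business owners", 15, 1),
    ("bring up hardware at warm site", 180, 2),
    ("restore latest backup", 120, 3),
    ("validate application and data", 60, 4),
    ("switch DNS to recovery site", 15, 5),
]


def sample_assessments():
    return [
        assess("order database (nightly backup)", timedelta(hours=4), timedelta(hours=8),
               NIGHTLY, INCIDENT, RUNBOOK),
        assess("order database (hourly backup)", timedelta(hours=1), timedelta(hours=8),
               HOURLY, INCIDENT, RUNBOOK),
    ]


if __name__ == "__main__":
    for r in sample_assessments():
        print(f"{r['system']}: data loss {r['data_loss']} vs RPO {r['rpo']} -> "
              f"{'OK' if r['rpo_met'] else 'GAP'}; recovery {r['recovery_time']} "
              f"vs RTO {r['rto']} -> {'OK' if r['rto_met'] else 'GAP'}")
```

Run as written, the nightly schedule fails a 4-hour RPO (an incident at 23:30 loses 21.5 hours of data) while the same runbook meets an 8-hour RTO in 6 hours 45 minutes; moving to hourly backups closes the RPO gap. Measuring against the worst-case incident time, not the average, is the point: the RPO is a ceiling, so the check must use the longest interval between copies.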
Business Continuity Plan (BCP)
A written plan for a structured response to any events that result in an interruption to critical business activities or functions
Order of priorities:
1. Safety and well-being of people
2. Continuity of critical business functions and operations
3. Continuity of IT infrastructure components within the seven domains of an IT infrastructure
Elements of a Complete BCP
Policy statement defining the policy, standards, procedures, and guidelines for deployment
Project team members with defined roles, responsibilities, and accountabilities
Emergency response procedures and protection of life, safety, and infrastructure
Situation and damage assessment
Resource salvage and recovery
Alternate facilities or triage for short-term or long-term emergency mode of operations and business recovery
Disaster Recovery Plan (DRP)
Disaster
• Is an event that affects multiple business processes for an extended period
• Causes substantial resource damage you must address before you can resolve business process interruption
DRP
• Includes specific steps and procedures to recover from a disaster
• Is part of a BCP
• Extends and supports the BCP
Disaster Recovery Plan (DRP)
Threat analysis
Impact scenarios
Recovery requirement documentation
Disaster recovery
Disaster Recovery Plan (DRP)
Hot site: has environmental utilities, hardware, software, and data like the original data center
Warm site: has environmental utilities and basic computer hardware
Cold site: has basic environmental utilities but no infrastructure components
Mobile site: a trailer with the necessary environmental utilities; can operate as a warm or cold site
Assessing Risks, Threats, and Vulnerabilities
Risk Management Guide for Information Technology Systems (NIST SP800-30)
CCTA Risk Analysis and Management Method (CRAMM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
ISO/IEC 27005 “Information Security Risk Management”
Closing the Information Security Gap
Security gap: the difference between the security controls in place and the controls you need to address vulnerabilities
Gap analysis: a comparison of the security controls in place and the controls you need to address all identified threats
Steps for Conducting a Gap Analysis
Identify applicable elements of security policy and other standards
Assemble policy, standard, procedure, and guideline documents
Review and assess implementation of policies, standards, procedures, and guidelines
Collect hardware and software inventory information
Steps for Conducting a Gap Analysis (cont.)
Interview users to assess knowledge of and compliance with policies
Compare current security environment with policies
Prioritize identified gaps for resolution
Document and implement remedies to conform to policies
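The two slides above lay out gap analysis as a procedure: gather the policy baseline, collect the hardware and software inventory, compare the environment with the policy, then prioritize and document the gaps. The following Python script is an added example, not part of the slide deck: it carries the "compare" and "prioritize" steps through in code, taking a policy baseline of required controls per asset class and an inventory of what is actually in place, and producing a ranked gap list plus a per-asset coverage figure. The policy, the control weights, the asset inventory and the rule that doubles the score of a gap on a BIA-critical asset are all constructed for illustration and are not a published standard.

```python
"""Added example (not from the slide deck): a small gap analysis that compares
the controls a policy baseline requires with the controls the inventory shows
in place and ranks the gaps. Policy, weights, inventory and the weighting rule
are constructed sample data.
"""

# Policy baseline: asset class -> {required control: weight}. The weight is an
# assumed measure of how much of the identified threat the control addresses
# (1 = minor, 3 = major).
POLICY = {
    "server": {"patching": 3, "disk_encryption": 2, "logging": 2, "mfa_admin": 3},
    "workstation": {"patching": 3, "disk_encryption": 3, "antivirus": 2, "screen_lock": 1},
}

# Inventory collected during the review, with the BIA's critical/noncritical
# classification attached to each asset (fictional hosts).
INVENTORY = [
    {"asset": "db01", "class": "server", "critical": True,
     "controls": {"patching", "logging"}},
    {"asset": "web01", "class": "server", "critical": True,
     "controls": {"patching", "logging", "mfa_admin", "disk_encryption"}},
    {"asset": "hr-pc", "class": "workstation", "critical": False,
     "controls": {"antivirus", "screen_lock"}},
]


def find_gaps(policy, inventory):
    """Required-but-missing controls, highest priority first. A gap on a
    critical asset counts double (assumed rule). An asset class with no
    baseline is itself a policy gap, so it is reported instead of skipped."""
    gaps = []
    for item in inventory:
        required = policy.get(item["class"])
        if required is None:
            raise KeyError(f"no policy baseline for asset class {item['class']!r}")
        for control, weight in required.items():
            if control not in item["controls"]:
                gaps.append({
                    "asset": item["asset"],
                    "control": control,
                    "score": weight * (2 if item["critical"] else 1),
                })
    return sorted(gaps, key=lambda g: (-g["score"], g["asset"], g["control"]))


def coverage(policy, inventory):
    """Per asset: share of the required control weight that is in place."""
    result = {}
    for item in inventory:
        required = policy[item["class"]]
        total = sum(required.values())
        present = sum(w for c, w in required.items() if c in item["controls"])
        result[item["asset"]] = present / total
    return result


def report(policy, inventory):
    """Plain-text lines for the 'document remedies' step."""
    lines = [f"{asset}: {share:.0%} of required control weight in place"
             for asset, share in coverage(policy, inventory).items()]
    for g in find_gaps(policy, inventory):
        lines.append(f"  GAP score={g['score']} {g['asset']} lacks {g['control']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(POLICY, INVENTORY)))
```

With the sample data the top-ranked gap is the missing administrator MFA on the critical database server, ahead of the two missing workstation controls even though their raw weights are equal, which is the effect of feeding the BIA's critical/noncritical classification into the prioritization step. Controls present in the inventory but absent from the policy are ignored here; in a real review they would be listed separately as candidates for the baseline.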
Adhering to Compliance Laws
Sarbanes-Oxley Act (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Modernization Act (FISMA)
Government Information Security Reform Act (Security Reform Act) of 2000
Keeping Private Data Confidential
Ensuring availability and integrity is important
You cannot undo a confidentiality violation
The Three Tenets of Information Security
Keeping Private Data Confidential
Authentication controls:
Passwords and PINs
Smart cards/tokens
Biometric devices
Digital certificates
Challenge-response handshakes
Kerberos authentication
One-time passwords
Authorization controls:
Authentication server rules and permissions
Access control lists
Intrusion detection/prevention
Physical access control
Connection/access policy filters
Network traffic filters
Mobile Workers and Use of Personally Owned Devices
Mobility
• Allows remote workers and employees to be connected to the IT infrastructure in almost real time
Bring Your Own Device (BYOD)
• Employees using their personally owned devices for business and personal use
BYOD Concerns/Policy Definition
Data ownership
Antivirus management
Support ownership
Privacy
User acceptance
Legal concerns
Endpoint and Device Security
Full device encryption
Remote wiping
Global positioning system (GPS)
Asset tracking
Device access control
Removable storage
Summary
Risk management and approaches
Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
Impact of risks, threats, and vulnerabilities on the IT infrastructure
Adhering to compliance laws and governance
Managing and mitigating risk