
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Fundamentals of Information Systems Security
Lesson 4: The Drivers of the Information Security Business


Learning Objective(s)
• Explain information systems security and its effect on people and businesses.


Key Concepts
• Risk management and approaches
• Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
• Impact of risks, threats, and vulnerabilities on the IT infrastructure
• Adhering to compliance laws and governance
• Managing and mitigating risk


Business Drivers
• Elements in an organization that support business objectives: people, information, and conditions


Defining Risk Management
• Process of identifying, assessing, prioritizing, and addressing risks
• Ensures you have planned for risks that may affect your organization


Risks, Threats, and Vulnerabilities


Defining Risk Management
• Risk methodology: a description of how you will manage risk
• Risk register: a list of identified risks


Implementing a BIA, a BCP, and a DRP
• Protecting an organization’s IT resources and ensuring that events do not interrupt normal business functions
• Business impact analysis (BIA)
• Business continuity plan (BCP)
• Disaster recovery plan (DRP)


Business Impact Analysis (BIA)
• An analysis of an organization’s functions and activities that classifies them as critical or noncritical
• Identifies the impact to the business if one or more IT functions fails
• Identifies the priority of different critical systems


BIA Recovery Goals and Requirements
• Recovery point objective (RPO)
• Recovery time objective (RTO)
• Business recovery requirements
• Technical recovery requirements
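As an added example that is not part of the course slides, the check below takes the outputs a BIA produces (critical/noncritical classification, priority, RPO and RTO per business function) and tests a disaster recovery plan's documented backup interval and restore time against them. The business functions, minute values and data class names are constructed assumptions.

```python
# Added example (not from the course slides): check a DR plan against the RPO/RTO
# a BIA assigns per business function. All names and values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class BiaEntry:
    function: str
    critical: bool       # BIA classifies each function as critical or noncritical
    priority: int        # 1 = recover first; only meaningful for critical functions
    rpo_minutes: int     # RPO: most data, measured in time, the business can lose
    rto_minutes: int     # RTO: longest outage the business can tolerate

@dataclass(frozen=True)
class RecoveryCapability:
    function: str
    backup_interval_minutes: int   # worst-case data loss is one full interval
    restore_minutes: int           # measured time to bring the function back

def rpo_rto_gaps(bia, capabilities):
    """Map each function whose plan misses its BIA goals to the list of misses."""
    by_name = {c.function: c for c in capabilities}
    gaps = {}
    for e in bia:
        c, problems = by_name.get(e.function), []
        if c is None:
            problems.append("no recovery capability documented")
        else:
            if c.backup_interval_minutes > e.rpo_minutes:
                problems.append(f"RPO missed: backups every {c.backup_interval_minutes} min, RPO is {e.rpo_minutes} min")
            if c.restore_minutes > e.rto_minutes:
                problems.append(f"RTO missed: restore takes {c.restore_minutes} min, RTO is {e.rto_minutes} min")
        if problems:
            gaps[e.function] = problems
    return gaps

def recovery_order(bia):
    """Critical functions first in BIA priority order, then the rest by shortest RTO."""
    critical = sorted((e for e in bia if e.critical), key=lambda e: e.priority)
    other = sorted((e for e in bia if not e.critical), key=lambda e: e.rto_minutes)
    return [e.function for e in critical + other]

BIA = [  # constructed sample BIA output
    BiaEntry("order-processing", critical=True, priority=1, rpo_minutes=15, rto_minutes=60),
    BiaEntry("payroll", critical=True, priority=2, rpo_minutes=1440, rto_minutes=2880),
    BiaEntry("intranet-wiki", critical=False, priority=0, rpo_minutes=1440, rto_minutes=4320),
]
CAPABILITIES = [  # what the DR plan currently documents; intranet-wiki has none
    RecoveryCapability("order-processing", backup_interval_minutes=60, restore_minutes=45),
    RecoveryCapability("payroll", backup_interval_minutes=1440, restore_minutes=240),
]
```

With the sample data, hourly backups cannot satisfy a 15-minute RPO for order processing even though its restore time is within the RTO, and the function the plan omits entirely is reported as a gap rather than silently passing.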


Business Continuity Plan (BCP)
• A written plan for a structured response to any events that result in an interruption to critical business activities or functions
• Order of priorities:
  1. Safety and well-being of people
  2. Continuity of critical business functions and operations
  3. Continuity of IT infrastructure components within the seven domains of an IT infrastructure


Elements of a Complete BCP
• Policy statement defining the policy, standards, procedures, and guidelines for deployment
• Project team members with defined roles, responsibilities, and accountabilities
• Emergency response procedures and protection of life, safety, and infrastructure
• Situation and damage assessment
• Resource salvage and recovery
• Alternate facilities or triage for short-term or long-term emergency mode of operations and business recovery


Disaster Recovery Plan (DRP)
Disaster
• Is an event that affects multiple business processes for an extended period
• Causes substantial resource damage you must address before you can resolve business process interruption
DRP
• Includes specific steps and procedures to recover from a disaster
• Is part of a BCP
• Extends and supports the BCP


Disaster Recovery Plan (DRP)
• Threat analysis
• Impact scenarios
• Recovery requirement documentation
• Disaster recovery


Disaster Recovery Plan (DRP)
• Hot site: has environmental utilities, hardware, software, and data like the original data center
• Warm site: has environmental utilities and basic computer hardware
• Cold site: has basic environmental utilities but no infrastructure components
• Mobile site: a trailer with the necessary environmental utilities; can operate as a warm or cold site


Assessing Risks, Threats, and Vulnerabilities
• Risk Management Guide for Information Technology Systems (NIST SP 800-30)
• CCTA Risk Analysis and Management Method (CRAMM)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
• ISO/IEC 27005 “Information Security Risk Management”


Closing the Information Security Gap
• Security gap: the difference between the security controls in place and the controls you need to address vulnerabilities
• Gap analysis: a comparison of the security controls in place and the controls you need to address all identified threats


Steps for Conducting a Gap Analysis
• Identify applicable elements of security policy and other standards
• Assemble policy, standard, procedure, and guideline documents
• Review and assess implementation of policies, standards, procedures, and guidelines
• Collect hardware and software inventory information


Steps for Conducting a Gap Analysis (cont.)
• Interview users to assess knowledge of and compliance with policies
• Compare current security environment with policies
• Prioritize identified gaps for resolution
• Document and implement remedies to conform to policies
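As an added example that is not part of the course slides, the script below carries the gap analysis steps above through on constructed data: the controls a policy requires per asset type (steps 1 and 2), the controls an implementation review and inventory found in place (steps 3 and 4), and then the comparison, prioritization and remediation list (steps 6 to 8). The user interviews of step 5 are not modeled; control names, asset ids and severity scores are assumptions.

```python
# Added example (not from the course slides): a gap analysis over constructed data,
# following the slide steps: required policy controls per asset type, an inventory
# of controls found in place, then gaps compared, prioritized and turned into a plan.
from collections import Counter

# Steps 1-2: applicable policy elements. Each required control names the asset
# types it applies to and a severity for the threat it addresses (1 low .. 3 high).
POLICY = {
    "full-disk-encryption": {"applies_to": {"laptop", "mobile"}, "severity": 3},
    "remote-wipe":          {"applies_to": {"mobile"},           "severity": 2},
    "antivirus":            {"applies_to": {"laptop", "server"}, "severity": 2},
    "centralized-logging":  {"applies_to": {"server"},           "severity": 3},
    "screen-lock":          {"applies_to": {"laptop", "mobile"}, "severity": 1},
}

# Steps 3-4: implementation review and inventory, as (asset id, type, controls found).
INVENTORY = [
    ("lt-001", "laptop", {"full-disk-encryption", "antivirus", "screen-lock"}),
    ("lt-002", "laptop", {"antivirus"}),
    ("mb-001", "mobile", {"screen-lock"}),
    ("sv-001", "server", {"antivirus"}),
]

def find_gaps(policy, inventory):
    """Step 6: every (asset, control) pair where a required control is not in place."""
    return [(asset, ctl)
            for asset, kind, present in inventory
            for ctl, rule in policy.items()
            if kind in rule["applies_to"] and ctl not in present]

def prioritize(policy, gaps):
    """Step 7: rank missing controls by severity, then by how many assets lack them."""
    missing = Counter(ctl for _, ctl in gaps)
    return sorted(missing, key=lambda c: (-policy[c]["severity"], -missing[c], c))

def remediation_plan(policy, inventory):
    """Step 8: ordered (control, affected assets) list to document and implement."""
    gaps = find_gaps(policy, inventory)
    return [(ctl, sorted(a for a, c in gaps if c == ctl))
            for ctl in prioritize(policy, gaps)]
```

The plan comes out with full-disk encryption first because it is both high severity and missing on the most assets, which is the ordering the "prioritize identified gaps" step asks for.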


Adhering to Compliance Laws
• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Federal Information Security Modernization Act (FISMA)
• Government Information Security Reform Act (Security Reform Act) of 2000


Keeping Private Data Confidential
• Ensuring availability and integrity is important
• You cannot undo a confidentiality violation


The Three Tenets of Information Security


Keeping Private Data Confidential
Authentication controls:
• Passwords and PINs
• Smart cards/tokens
• Biometric devices
• Digital certificates
• Challenge-response handshakes
• Kerberos authentication
• One-time passwords
Authorization controls:
• Authentication server rules and permissions
• Access control lists
• Intrusion detection/prevention
• Physical access control
• Connection/access policy filters
• Network traffic filters


Mobile Workers and Use of Personally Owned Devices
Mobility
• Allows remote workers and employees to be connected to the IT infrastructure in almost real time
Bring Your Own Device (BYOD)
• Employees using their personally owned devices for business and personal use


BYOD Concerns/Policy Definition
• Data ownership
• Antivirus management
• Support ownership
• Privacy
• User acceptance
• Legal concerns


Endpoint and Device Security
• Full device encryption
• Remote wiping
• Global positioning system (GPS)
• Asset tracking
• Device access control
• Removable storage


Summary
• Risk management and approaches
• Business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
• Impact of risks, threats, and vulnerabilities on the IT infrastructure
• Adhering to compliance laws and governance
• Managing and mitigating risk