Information Systems Security Information Security & Risk Management

Post on 19-Dec-2015


Page 1: Information Systems Security Information Security & Risk Management

Information Systems Security: Information Security & Risk Management

Page 2: Core Principles

Confidentiality – only authorized subjects (users, processes, systems) have access to information, on a need-to-know basis

Integrity – information is protected from intentional, unauthorized, or accidental change

Availability – information is accessible to authorized users when it is needed

Page 3: Security Concepts

– Privacy
– Authentication
– Authorization
– Auditing
– Non-repudiation

Page 4: Types of Policies

Regulatory
– Ensures the company is following the standards it is required to follow
– More detailed in nature
– Specific to the type of industry

Advisory
– Outlines the behaviors expected in a company and the ramifications of not following them

Page 5: Policies Cont'd

Informative
– A tool to teach employees about specific issues
– Not enforceable

Page 6: BS 7799 / ISO 17799

Addresses topics in terms of policies and best practices (BS 7799 Part 1 was adopted as ISO/IEC 17799, later renumbered ISO/IEC 27002):
– Organizational security policy
– Asset classification
– Personnel security
– Physical/environmental security
– Communications security
– Access control
– Business continuity planning (BCP)
– Compliance

Page 7: Components of a Security Policy

Component     Modality           Example (virus protection)
Policy        Must be            Virus protection is required
Guidelines    Should be          Recommend McAfee
Standards     Will be            Will be installed on all systems
Procedures    How to             Will be updated each week from the server
Control       Has it? Does it?   Check that it is installed and that it is actually updating

Page 8: Senior Management Role

– Defines the scope, objectives, priorities, and strategies of the security program
– Provides vision, funds, and enforcement
– Ultimately liable
– Without its support, efforts will be doomed from the start

Page 9: Security Roles

Data Owner
– Data classification
– Sets security requirements

System Owner
– Responsible for the computer system
– One system, one owner

Page 10: Security Roles Cont'd

Data Custodian
– Data maintenance tasks
– Implements and maintains the controls that provide the necessary protection

User
– Person who routinely uses company data

Page 11: Information Classification

Determine the value of the data
– Role of the data
– Liability if disclosed
– Cost to gather
– Value the opposition would pay for it

Classify the information
– Per data set, with respect to its availability, integrity, and confidentiality issues
– Assign a classification level

Page 12: Classification Cont'd

Decide on controls
– Controls are implemented to protect data at each classification level
– Each classification level has different handling procedures

Page 13: Classification Criteria

– Usefulness and value
– Level of damage possible
– Laws and regulations
– Who should access? Who should maintain?
– Who should monitor? Who should audit?
– How long will protection be required?

Page 14: Military Classification Levels

Top Secret
– Unauthorized disclosure could cause exceptionally grave damage to national security

Secret
– Unauthorized disclosure could cause serious damage to national security

Confidential
– Unauthorized disclosure could cause damage to national security

Sensitive but Unclassified
– Not classified; disclosure would not cause significant damage to national security, but the information is still sensitive and is handled with care

Unclassified

Page 15: Commercial Classifications

Confidential – extremely sensitive; for internal use only

Private – personal data; for internal use only

Sensitive – negative impact if disclosed

Public – no negative impact if disclosed

Page 16: How is Liability Determined?

Due Diligence – identifying threats and risks
– Uncover potential dangers
– Carry out assessments
– Perform analysis on the assessment data
– Implement risk management
– Research vulnerabilities and risks

Page 17: Liability Cont'd

Due Care – acting upon the findings to mitigate risks
– Doing the right thing
– Implementing solutions based on the analyses
– Properly protecting the company and its assets
– Acting responsibly

Prudent Person Rule
– Perform duties the way prudent and responsible people would in similar circumstances

Page 18: Risk Assessment

Identify vulnerabilities – a vulnerability is a flaw or weakness in system security procedures or controls that could be exploited and result in a breach

Identify threats – a threat is the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a particular vulnerability

Page 19: Risk Management

Reduce – implement safeguards

Assign – transfer the risk to another entity (e.g., insurance)

Accept – agree to accept the consequences (an informed decision)

Reject – ignore that the risk exists (see Liability of Actions, page 30)

Page 20: Risk Management is Hard

– Trying to predict the future
– Incredible number of variables
– Surmising all possible threats
– Gathering data from many sources
– Dealing with many unknowns
– Quantifying qualitative items

Page 21: Valuing an Asset

– Cost of acquisition
– Replacement cost
– Cost of development
– Role of the asset in the company
– Worth to the competition
– Cost of maintaining and protecting it
– Production losses while it is unavailable
– Liability

Page 22: Categorizing Risk Analysis

Immediate vs. delayed loss

Quantitative
– Numeric and monetary values available
– Management likes it better

Qualitative
– Opinion based
– Uses a rating system
– Scenario based

Page 23: Qualitative Analysis

– Gather company experts
– Present risk scenarios
– Rank the seriousness of threats
– Rank countermeasures

Delphi method (experts submit their ratings anonymously, in rounds, until a consensus emerges)
– Anonymous
– More honest
– No intimidation

Page 24: Quantitative Analysis

ALE (Annualized Loss Expectancy)
– Expected monetary loss for an asset due to a risk over a one-year period
– ALE = SLE × ARO

SLE (Single Loss Expectancy)
– SLE = Asset Value (AV) × Exposure Factor (EF)
– EF = the percentage of the asset's value that could be lost in a single occurrence

Page 25: Quantitative Cont'd

ARO (Annualized Rate of Occurrence)
– Expected number of occurrences of the risk in a year (a probability when the event happens less than once a year; it can exceed 1 for frequent events)

Example: a fire will reduce building usage by 3/4
– EF = 75%

A fire is expected once every 10 years
– ARO = 0.10

Page 26: Quantitative Cont'd

Building asset valued at $1M
– SLE = $1M × 0.75 = $750K
– ALE = $750K × 0.10 = $75K

Exercise: if a company's website is attacked, it will cause 40% damage. The threat is estimated to happen once a year. The website is valued at $300K. What is the cap to be spent on safeguards?
– SLE = $300K × 0.40 = $120K
– ALE = $120K × 1 = $120K per year, so safeguards for this risk should not cost more than about $120K per year

Page 27: Cost/Benefit of a Countermeasure

(ALE prior to countermeasure) − (ALE after countermeasure) − (annual cost of countermeasure) = value (cost/benefit) of the countermeasure

Example
– ALE of web disruption = $40K
– ALE after countermeasure = $24K
– Cost of countermeasure = $2K annually
– Value of the countermeasure = $40K − $24K − $2K = $14K per year

Page 28: Eliminate ALL Risks?

Total risk versus residual risk
– The amount of risk that exists before a safeguard is put into place is the total risk
– After the safeguard is installed, the remaining risk is the residual risk

Threat × Vulnerability × Asset Value = Total Risk (TR)
TR × Control Gap = Residual Risk (RR), where the control gap is the portion of the risk the controls do not cover
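The formulas on pages 24 through 28, as a small runnable calculator. This is an added example, not code from the original slides; the class and function names (Risk, Safeguard, safeguard_value, spending_cap, best_safeguard, total_risk, residual_risk) and the candidate safeguards for the website are this example's own assumptions. It carries the slides' figures through (fire: SLE $750K, ALE $75K; website: $120K cap; the page 27 figures of $40K, $24K and $2K give $14K) and goes one step further than the slides by ranking several candidate safeguards by net value, rejecting any whose annual cost exceeds the loss it prevents, and by refusing an EF entered as 75 instead of 0.75.

```python
"""Quantitative risk analysis with the slides' formulas (added example, not from the slides).

Names (Risk, Safeguard, safeguard_value, best_safeguard, total_risk, residual_risk)
are this example's own; the numbers in __main__ are the slides' worked figures.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair: AV, EF and ARO as defined on pages 24-25."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0..1.0)
    aro: float              # ARO, expected occurrences per year (may exceed 1)

    def __post_init__(self) -> None:
        # Catch the usual input mistakes: EF given as 75 instead of 0.75, negative values.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure with an annual cost that lowers EF and/or ARO (None = unchanged)."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None

    def apply(self, risk: Risk) -> Risk:
        """The same risk after this safeguard is in place."""
        ef = risk.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = risk.aro if self.new_aro is None else self.new_aro
        return replace(risk, exposure_factor=ef, aro=aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Page 27: (ALE before) - (ALE after) - (annual cost). Negative means it is not worth buying."""
    return ale_before - ale_after - annual_cost


def spending_cap(risk: Risk) -> float:
    """Page 26: never spend more per year on safeguards than the ALE they address."""
    return risk.ale()


def best_safeguard(risk: Risk, candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive value; None means accept the risk as is."""
    best: Optional[tuple[float, Safeguard]] = None
    for sg in candidates:
        value = safeguard_value(risk.ale(), sg.apply(risk).ale(), sg.annual_cost)
        if value > 0 and (best is None or value > best[0]):
            best = (value, sg)
    return None if best is None else best[1]


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """Page 28: Threat x Vulnerability x Asset Value (threat and vulnerability are relative ratings)."""
    return threat * vulnerability * asset_value


def residual_risk(total: float, control_gap: float) -> float:
    """Page 28: TR x Control Gap, where the gap is the fraction of risk the controls leave uncovered."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0 and 1")
    return total * control_gap


if __name__ == "__main__":
    fire = Risk("building fire", asset_value=1_000_000, exposure_factor=0.75, aro=0.10)
    print(f"fire: SLE=${fire.sle():,.0f} ALE=${fire.ale():,.0f}")

    web = Risk("website attack", asset_value=300_000, exposure_factor=0.40, aro=1.0)
    print(f"website: safeguard spending cap=${spending_cap(web):,.0f}/yr")
    print(f"page 27 countermeasure value=${safeguard_value(40_000, 24_000, 2_000):,.0f}/yr")

    # Hypothetical candidate controls for the website risk (constructed for this example).
    candidates = [
        Safeguard("WAF + patching", annual_cost=10_000, new_exposure_factor=0.10),
        Safeguard("DDoS scrubbing", annual_cost=15_000, new_aro=0.25),
        Safeguard("full rebuild", annual_cost=200_000, new_aro=0.0),  # costs more than it saves
    ]
    chosen = best_safeguard(web, candidates)
    print("choose:", chosen.name if chosen else "accept the risk")

    tr = total_risk(threat=3, vulnerability=4, asset_value=100)
    print(f"total risk={tr:.0f}, residual with a 25% control gap={residual_risk(tr, 0.25):.0f}")
```

A safeguard is modelled as a change to EF and/or ARO rather than as a direct "ALE after" figure, so the same Risk object can be evaluated against several candidates without recomputing anything by hand; the page 27 numbers are fed to safeguard_value directly because that slide gives the ALEs rather than the underlying EF and ARO.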

Page 29: Mitigate Risk

– The team presents the analysis results to management
– Management makes the decision about the next steps:
– Transfer the risk (insurance)
– Reduce the risk (controls)
– Accept the risk (informed decision)
– Reject the risk (no decision made)

Page 30: Liability of Actions

Accepting risks
– Carried out with due diligence
– An informed business decision was made
– Better chance of not being found negligent

Rejecting risks
– Did not practice due diligence
– Decision based on ignorance of the issue
– Most likely will be found negligent

Page 31: Employee Management

– The weakest link in security is people
– Proper management of employees is needed
– Communication structure in place
– Management structure in place
– Enforce the acceptable use policy
– Rotation of duties
– 20/80 rule

Page 32: Employee Security Management

– Separation of duties
– Job responsibilities
– Job rotation
– Background checks
– Employee agreements

Page 33: Firing Issues

– Complete an exit interview
– Remind the employee of any non-disclosure agreements
– Collect keys and escort the person out of the building
– Disable accounts immediately

Page 34: Ethics – (ISC)²

Four canons of the (ISC)² Code of Ethics
– Protect society, the common good, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession

Page 35: Ethics – CEI

Computer Ethics Institute
– Non-profit organization that stimulates awareness of the ethical issues of technology
– Tries to help balance civil liberties and government monitoring
– Provides advisory and consultative activities, research, education, and public outreach

Page 36: Ethics – IAB

Internet Architecture Board (called the Internet Activities Board when it issued its ethics statement, RFC 1087)
– Coordinating committee for Internet design
– Two task forces: the Internet Engineering Task Force (IETF) and the Internet Research Task Force (IRTF)
– Access to and use of the Internet is a privilege and should be treated as such

Page 37: IAB Standards

Unethical behavior, per RFC 1087 ("Ethics and the Internet"), includes any activity that purposely:
– Seeks to gain unauthorized access to the resources of the Internet
– Disrupts the normal, intended use of the Internet
– Wastes resources (people, capacity, computers) through such actions
– Destroys the integrity of computer-based information
– Compromises the privacy of users
– Involves negligence in the conduct of Internet-wide experiments