Risk Assessment

Upload: herbert-goodwin

Post on 12-Jan-2016


Page 1: Risk Assessment. InfoSec and Legal Aspects Risk assessment Laws governing InfoSec Privacy

Risk Assessment

Page 2

InfoSec and Legal Aspects

• Risk assessment

• Laws governing InfoSec

• Privacy

Page 3

Risk Assessment

• Assigns a risk rating for each asset

• Likelihood refers to the probability of a known vulnerability being attacked

– Likelihood of fire forecast from actuarial data

– Likelihood of virus estimated from volume of email handled and number of servers in use

– Likelihood of a network attack estimated from the number of network addresses in use

Page 4

Risk Assessment

• How to assign value to information assets?

– NIST SP 800-30 contains parameters to check

– Critical assets are assigned the value 100

– Non-critical but essential assets get the value 50

– Least critical assets get the value 1

• What factors to look for in valuation?

– Which threats present a danger?

– Which threats present a significant danger?

– Cost to recover from an attack

– Threats that require maximum cost to prevent

Page 5

Risk Assessment

• Risk determination: Risk = likelihood * value – risk percentage + uncertainty

Example:

Asset A has vulnerability score 50

Number of vulnerabilities 1

Likelihood value 1 with no controls

Data are 90% accurate

Hence, Risk = 1 * 50 – 0% + 10%

= 50 + 10% of (1 * 50) = 50 + 5 = 55

Page 6

Risk Assessment

Example: Asset B has vulnerability score 100

Number of vulnerabilities 2

Likelihood value 0.5 for 1st vulnerability which addresses 50% of risk

Data are 80% accurate

Hence, Risk = 0.5 * 100 – 50% + 20%

= 50 – (50% of 50) + (20% of 50)

= 50 – 25 + 10

= 35

Page 7

Risk Assessment

Example: Asset B has vulnerability score 100

Number of vulnerabilities 2

Likelihood value 0.1 for 2nd vulnerability with no controls

Data are 80% accurate

Hence, Risk = 0.1 * 100 – 0% + 20%

= 10 – 0 + (20% of 10)

= 10 + 2

= 12
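The risk-rating formula and the three worked examples on the preceding pages (pages 5 to 7), together with the 100/50/1 asset valuation tiers of page 4, carried through as an added Python illustration that is not part of the original slides. The `Vulnerability` record, the `ASSET_VALUE` tier table and the constructed `SLIDE_ASSETS` register are assumptions made here; the control and uncertainty percentages are applied to the base product likelihood * value, exactly as the slide arithmetic does.

```python
from dataclasses import dataclass

# Asset valuation tiers from the slides: critical 100, essential 50, least critical 1.
ASSET_VALUE = {"critical": 100, "essential": 50, "least": 1}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float      # probability the vulnerability is attacked, 0.0 to 1.0
    controlled_pct: float  # percentage of the risk that current controls already address
    accuracy_pct: float    # accuracy of the data; uncertainty is 100 minus this


def vulnerability_risk(asset_value: float, v: Vulnerability) -> float:
    """Risk = likelihood * value - controlled% of that product + uncertainty% of it."""
    if not 0.0 <= v.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range: {v.likelihood}")
    for pct in (v.controlled_pct, v.accuracy_pct):
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"percentage out of range: {pct}")
    base = v.likelihood * asset_value
    uncertainty_pct = 100.0 - v.accuracy_pct
    return base - base * v.controlled_pct / 100.0 + base * uncertainty_pct / 100.0


def ranked_risks(assets: dict) -> list:
    """Rate every asset/vulnerability pair and sort highest risk first.

    assets maps an asset name to (criticality tier, list of Vulnerability).
    """
    rows = []
    for asset, (tier, vulns) in assets.items():
        value = ASSET_VALUE[tier]
        for v in vulns:
            rows.append((asset, v.name, vulnerability_risk(value, v)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register reproducing the slide examples: Asset A (value 50, one
# vulnerability, no controls, 90% accurate data) and Asset B (value 100, two
# vulnerabilities, 80% accurate data, the first one 50% controlled).
SLIDE_ASSETS = {
    "Asset A": ("essential", [Vulnerability("V1", 1.0, 0.0, 90.0)]),
    "Asset B": ("critical", [Vulnerability("V1", 0.5, 50.0, 80.0),
                             Vulnerability("V2", 0.1, 0.0, 80.0)]),
}

if __name__ == "__main__":
    for asset, vuln, risk in ranked_risks(SLIDE_ASSETS):
        print(f"{asset} {vuln}: risk {risk:.0f}")
```

Running it lists Asset A V1 at 55, Asset B V1 at 35 and Asset B V2 at 12, the same figures as the slides, in the order a practitioner would triage them.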

Page 8

Risk Assessment

• The generic risks to the business are:

– Loss of key assets

• Information

• The network

• Skilled people

– Disruption of key processes

• Revenue

• Regulatory reporting

Page 9

Risk Factors

• Assess risk based on these factors:

– Impact Size

– Rate of Change

– Business Impact

– Complexity

– Recoverability

– Value

– Management Team Focus

Page 10

Definitions

• Civil law addresses violations of rules that result in monetary loss as well as other forms of damage caused to individuals or organizations

• Criminal law addresses violations that are harmful to society

• Tort law addresses violations by individuals that result in personal, physical, or financial injury to an individual

• Private law regulates relationships between an individual and an organization

• Public law regulates relationships between citizens

Page 11

Definitions

• Ethics is defined as socially acceptable behavior

• Code of conduct is a set of rules that an organization defines as acceptable

Page 12

Laws governing Information Security

• Computer Security Act

• Communications Assistance to Law Enforcement Act

• Computer Fraud and Abuse Act

• USA PATRIOT Act

Page 13

Computer Security Act

• Passed in 1987. Official designation PL100-235

• Law gave NIST the authority over unclassified non-military government computer systems

• NSA originally had this power

• Main goals:

– Develop policies for federal agencies concerning computer security

– Develop procedures to identify vulnerabilities in computer security

Page 14

Computer Security Act

• Provide mandatory security awareness training to all federal employees dealing with sensitive information

• Identify all computer systems that contain sensitive information

Page 15

CALEA

• Passed in 1994

• Works in conjunction with FCC regulations

• Telephone companies to include hardware in their switches that will facilitate tapping of conversations by law enforcement agencies

• Telcos are not responsible for decrypting any intercepted communication

• Telcos will be provided reasonable compensation for the addition of interception hardware to switches

Page 16

Computer Fraud and Abuse Act

• Originally passed in 1994 and amended in 1996

• PATRIOT Act amends this act further

• CFAA’s main provisions relate to the following:

– knowingly accessing a computer without authorization

– intentionally accessing a computer without authorization

– knowingly and with intent to defraud, accessing a protected computer without authorization

– Prison time of up to 10 years is possible for any violation

• If the damage caused is below $5,000, then only criminal penalties apply and no civil penalties apply

Page 17

USA PATRIOT Act

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

• Passed in October 2001

• Gives extensive powers to the federal government to suspend notification provisions of existing laws

• Provides authorization for information search without knowledge of the individual

• Law expires in December 2004, unless renewed by Congress

Page 18

Privacy and Ethics

• Information privacy

• Information privacy laws

– Federal Privacy Act of 1974

– Electronic Communications Privacy Act of 1986

– Communications Act of 1996

– HIPAA of 1996

– Computer Security Act of 1987

– USA PATRIOT Act of 2001

• Ethical aspects of information handling

Page 19

Information Privacy

• Privacy refers to personally identifiable information about an individual or an organization

• Privacy does not mean absolute freedom from observation

• Privacy means “state of being free from unsanctioned intrusion”

• Financial and medical institutions treat privacy as part of their compliance requirements

• Information is collected by cookies and points of sale

Page 20

Information Privacy

• Privacy is a risk management issue

• The ability to collect information from multiple sources and combine it in different ways has resulted in powerful databases that can shed more light than was previously possible

Page 21

Information Privacy Laws

• Federal Privacy Act of 1974

– Requires all government agencies to protect the privacy information of individuals and businesses

– Certain agencies have an exemption to release aggregate data

• Census Bureau

• National Archives

• Congress

• Comptroller General

• Credit agencies

Page 22

Information Privacy Laws

• Electronic Communications Privacy Act of 1986

– Regulates interception of wire, electronic, and oral communications

– Works in conjunction with the Fourth Amendment, providing protection against unlawful search and seizure

Page 23

Information Privacy Laws

• Communications Act of 1996

– Regulates interstate and international communications

– Communications decency was part of this Act

Page 24

Information Privacy Laws

• Health Insurance Portability and Accountability Act (HIPAA) of 1996

– Protects confidentiality and security of health care data

– Electronic signatures are allowed

– Patients have a right to know who has access to their information and who accessed it

Page 25

References

• NIST Risk Assessment Guide for Information Technology Systems, SP 800-30

• Mike Godwin, “When copying isn’t theft,” www.eff.org/IP/phrack_riggs_neidorf_godwin.article

• Michael Whitman, “Enemy at the Gates: Threats to Information Security,” Communications of ACM, 2003

Page 26

References

• Financial institutions: http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML

• Risk Assessment Process: http://www.mc2consulting.com/riskart1.htm

• ISACA: http://www.isaca.org/

• Risk Assessment Guidelines: http://www.gao.gov/special.pubs/ai99139.pdf

• Risk Assessment: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_security_%20risk_asst.htm