Chief Information Officers (CIO)
Information Security Module 9
![Page 3: Chief Information Officers (CIO). Information Security Module 9](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d8a5503460f94a702c7/html5/thumbnails/3.jpg)
Objectives of Module 9
To present and discuss the basic concepts and tools for security of information, data and IT infrastructure in the context of the E-Government Program of Iraq
Information Security Concept
Protecting Information Resources and Systems From
• Unauthorized Use and Access
• Unauthorized Disclosure and Modification
• Damage and Destruction
Sources of Likely Threat for Information Systems and Resources of the Government
• Insiders for fun or revenge
• Enemies of the Nation
• Faults and Malfunction
• Insiders and Outsiders for Profit
• Acts of God
Possible Impact
• System not available
• Privacy of data violated
• Information modified/misused, with consequential public and private loss
• Systems/information damaged and destroyed, with consequential private and public loss
ISO 27001 Code of Practice on Information Security Management
• Information Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Incident Management
• Business Continuity Management
• Compliance
Information Security Standards
• ISO 27001
• PCI DSS
• BS 25999 (Business Continuity Management System)
• Other Standards
OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluations)
Suite of tools, techniques, and methods for risk-based information security strategic assessment and planning
Identify Your Adversaries
• Internet Hacker
• Insider
• Thief
• Terrorist
• Industrial Spy
Which are likely targets?
• Information Systems
• Networks and IT Infrastructure
• Servers / Computers / Devices
• Databases and Information Repositories
• Information Applications
• Websites
Risk Assessment
• The “Risk Equation”
• Likelihood
• Impact
Addressing Risk
• Establish Policy
• Implement Countermeasures
• Maintain Vigilance
Vulnerability Driven Analysis
• Search for known vulnerabilities
• Tabulate and estimate severity
• Determine what assets are affected
• Assign impact value
• Consider adversaries and their motivations
• Assign likelihood
• Tabulate and report
Risk Assessment and Management
The Risk Equation: Impact × Likelihood = Risk
• Universal: Applies to all types of risk
• Uniform: Enables comparison
• Objective: Track over time
Measures the level of “pain” to the organization
Examples:
• Financial: Loss or cost to repair
• Operational: Lost time, production or delivery
• Reputation: Loss of customer or consumer confidence
• Competitive: Reduction of market advantage
• Regulatory: Legal liability
• Fiduciary: Fiduciary liability
Vulnerability Driven Analysis
1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are likely to be affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report
Network and System Vulnerabilities
Network:
• Unnecessary pathways
• Unsecured data-streams
System:
• Unhardened systems
• Unprotected administrator logon
• Exposed management interfaces
Asset Driven Analysis
1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report
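A worked risk register, added here as an example (it is not part of the module), that carries the vulnerability-driven and asset-driven procedures above through the risk equation: each finding gets an impact value and a likelihood, Risk = Impact × Likelihood is tabulated per finding and per asset, and the report ranks findings so the few that carry most of the total risk (the Pareto principle) come first. The ordinal scales, the portal assets and the finding values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ordinal scales are an assumption of this example: the module states only
# Risk = Impact x Likelihood and leaves the scales to the organization.
IMPACT = {"low": 1, "moderate": 2, "high": 3, "severe": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}

@dataclass(frozen=True)
class Finding:
    vulnerability: str  # known weakness found in step 1, severity judged in step 2
    asset: str          # asset affected (step 3 / asset inventory)
    impact: str         # impact value assigned in step 4
    adversary: str      # adversary and motivation considered in step 5
    likelihood: str     # likelihood assigned in step 6 given that adversary

    def risk(self) -> int:
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

def tabulate(findings):
    """Step 7: order the table by descending risk (ties by asset, then name)."""
    return sorted(findings, key=lambda f: (-f.risk(), f.asset, f.vulnerability))

def risk_by_asset(findings):
    """Aggregate risk per asset, highest first, for the asset-driven view."""
    totals = {}
    for f in findings:
        totals[f.asset] = totals.get(f.asset, 0) + f.risk()
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))

def pareto_priorities(findings, share=0.8):
    """Smallest top-ranked set of findings that carries `share` of total risk."""
    ranked = tabulate(findings)
    total = sum(f.risk() for f in ranked)
    chosen, running = [], 0
    for f in ranked:
        chosen.append(f)
        running += f.risk()
        if running >= share * total:
            break
    return chosen

# Constructed sample register for a hypothetical e-government portal (illustrative values only).
SAMPLE = [
    Finding("Exposed management interface", "Citizen portal web server", "severe", "Internet hacker", "almost certain"),
    Finding("Unprotected administrator logon", "Records database", "severe", "Insider", "likely"),
    Finding("Unsecured data stream", "Network backbone", "high", "Industrial spy", "unlikely"),
    Finding("Unhardened system", "File server", "moderate", "Internet hacker", "unlikely"),
    Finding("Unnecessary pathway", "Network backbone", "low", "Thief", "rare"),
    Finding("Unencrypted backup media", "Off-site storage", "moderate", "Thief", "rare"),
]

if __name__ == "__main__":
    for f in tabulate(SAMPLE):
        print(f"{f.risk():2d}  {f.asset:<26} {f.vulnerability}")
    print("Priorities:", [f.vulnerability for f in pareto_priorities(SAMPLE)])
```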
Information Security Roadmap
• Initiate Risk Assessment
• Prioritize Security Areas Needing Attention – Pareto Principle
• Seek Input in Developing and Implementing a Campus Unit Security Plan
• Implement Security Plan
• Annually Review Security Plan
• Keep Up to Date with Security News
Security Provisions for BFB IS-3
• Authentication & Authorization
• Background Checks
• Control Administrative Accounts
• Data Backup / Retention / Storage and Transit Encryption
• Disaster Recovery Plan
• Incident Response / Notification Plan
• Physical Security Controls & Media Controls
Policy Statements
Most corporate policies must be translated to concrete statements.
Major elements:
• Information Classification
• System Criticality
• Operational Context
Information Classification
• Information classification streamlines policy statement and enforcement.
• CAVEAT: Over-classification leads to excessive cost and added overhead.
• CAVEAT: Some collections of unclassified data become sensitive when aggregated.
Criticality
Criticality is a quality of operational systems. It depends upon the importance of a network system or application. Criticality motivates reliability measures.
Policy
• Policy defines classification and rules for access/exchange.
• Policy defines criticality.
• Policy hierarchy defines security services and quality of mechanisms.
Implement Countermeasures
Cost vs Risk
Level of Vigilance vs Frequency of Attacks
Balance Security Activities
Security Plan
Consider:
• Future business needs
• Changing threat-scape
• Tolerance to residual risk
• Establish policy
• Design security infrastructure
• Develop security procedures
Execute Plan
• Implement according to design
• Operate according to procedures
• Continually improve
Appraise
Appraise the plan:
• Does it meet the expected threats?
• Will it protect business interests?
• Are there flaws in the design?
• Is policy adequate or overly burdensome?
Appraise the execution:
• Is the design implemented correctly?
• Has the configuration changed?
• Do procedures cover all events?
• Are operators alert?
Disaster Management & Business Continuity
What is a Disaster?
Any unplanned event that requires immediate redeployment of limited resources.
Sample Disasters
Natural Forces
• Fire
• Environmental Hazards
• Flood / Water Damage
• Extreme Weather
Technical Failure
• Power Outage
• Equipment Failure
• Network Failure
• Software Failure
Human Interference
• Criminal Act
• Human Error
• Loss of Users
• Explosions
What is a Disaster Recovery Plan?
A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed-upon incidents.
Other names commonly used:
• Business Continuity Plan
• Contingency Plans
• Continuity Plans
• Emergency Response Plans
• Business Recovery Plans
• Recovery Plans
Disaster Recovery Response
When an incident occurs, the Disaster Recovery response activities are likely to be the following (at a high level):
[Flowchart: Disaster Recovery Response. Stages shown: Incident; Assess Damage; Confirm Response Strategy; Execute Required Functions; Transfer to Alternate Location; Prepare New Site; Transfer & Execute at New Site; Restore Primary Site; Transfer & Execute at Primary Site; Return to Normal Operations; Assess DRP Effectiveness; Generate Change Requests.]
What is the magnitude of an incident?
• Regional Area
• Local Area
• Within 3 Blocks
• To The Building
• Within 3 Floors
• On The Floor
• Within The Room
Depending upon the magnitude of an incident, possible alternative sites include:
• Within The Room
• Within the Building
• Within the Region
• Outside the Region
Types of Strategies
Avoidance Strategy
• Redundant configuration to avoid incidents
• Site harden facilities to resist incidents
• Redundant utilities and hardware
• Automated operation recovery plan
Mitigation Strategy
• Early warning detection
• Contractual agreements with vendors
• Mirrored data and documents
• Detailed migration recovery plan
Recovery Strategy
• High level recovery plan
• Off-site data storage
• Very responsive vendor relationships
• Very knowledgeable employees
Types of Strategy Options
• Hot site
• Cold site
• Self Backup
• Service Bureau
• Reciprocal Agreement
What is a Critical Business Function?
A specific entity management has decided is so significant to the business mission that, without it, the organization cannot successfully operate after an identified time period.
Types of Impact
Financial Loss
• Lost Revenue
• Lost Sales
• Lost Market Share
• Lost Opportunity
Extra Expense
• Labor Cost
  • Recreate Lost Business
  • Recreate Lost Data
  • Use Manual Process
• Equipment Cost
  • Hardware / software
  • Telephones
• Money Cost
  • Delayed Receivable
  • Delayed Orders
  • New Interest
  • New Investments
Human Interference
• Management Control
• Employee Relations
• Stockholder Relations
• Public Image
• Legal Exposure
• Contractual Liability
• Competitive Advantage
Criteria for a Critical Business Function
Timing Requirements
• Minutes
• Hours
• Days
• Weeks
• Quarters
• Special Situations
Interdependencies
• Inputs and Outputs
[Chart: Cost of Control vs. Impact; axes are Cost of Control $ and Cost of Impact $.]
Disaster Recovery Approach
[Diagram: phases shown are Scoping & Risk Assessment; Planning; Recovery Strategy Development; Disaster Recovery Plan Approval; Training & Testing; Implementation.]
Planning
The primary objective for the Planning Phase is to gain management consensus on the focus areas and scope of a Disaster Recovery Plan that will address major business risks.
Implementation
The primary objective for the Implementation Phase is to develop, test, and roll out a Disaster Recovery Plan. The implementation phase could be longer or shorter, depending upon the scope, approach, and staffing defined during the Scoping and Risk Assessment phase.
An Example of Disaster Recovery Team
[Org chart: DR Team Organization. Roles shown: Disaster Recovery Director; DRP Management Team; Disaster Recovery Coordinator; Site Restoration; Administrative Support; Customer Liaison; System Software and Database Administration; Computer Operation and Off-site Storage; Network Delivery; Application Support; Services Delivery; Production Application; Security.]
Example: Disaster Recovery Services
Education Classes
Creating a base of common knowledge for the business continuity / disaster recovery planning industry through education, assistance, and the promotion of international standards.
On-Site Recovery Facilities
Manage the mobilization of an on-call response team, prepare the pre-designated site, erect temporary pre-engineered structures, install mechanical and electrical systems and coordinate move-in activities.