Information Systems 365 Lecture Three - Performing an IT Security Risk Analysis
DESCRIPTION
Lecture 3 slides for the Information Systems 365/765 class I teach at UW-Madison. If you ever had the urge to perform a 5 step quantitative IT Security Risk Analysis, then this is for you!
TRANSCRIPT
Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 2, Course Introduction
04/13/23 UNIVERSITY OF WISCONSIN 2
Lecture Topics
- Security management responsibilities
- Difference between Administrative, Technical and Physical Controls
- The three main security principles
- Risk management
- How to perform a risk analysis
Defining Security Management
- Risk management method (see next slide)
- Information Security Policies
- Procedures
- Standards
- Guidelines
- Baselines
- Information Classification
- Security Organization
- Security Education
Process of Security Management
- Determination of needs
- Assessment of risks
- Monitoring and evaluation of existing systems and practices
- Promote awareness of existing issues
- Implementation of policies and controls to address needs
Use a “Top Down” approach, not a “Bottom Up” approach
Three Types of Security Controls
- Administrative
- Technical
- Physical
Administrative Controls
These include developing and publishing policies, standards, procedures and guidelines for risk management, screening personnel, conducting security awareness training, and implementing change control procedures
Technical Controls (Also Called Logical Controls)
These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices and the configuration of the infrastructure
Opinion note from the lecturer
Physical Controls
These entail controlling individual access into the facilities, locking systems, removing unnecessary access points to systems such as CD drives and USB ports, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls
All Three Controls Must Work Together
Three Core Goals of Information Security
- Confidentiality
- Integrity
- Availability
Availability
- The systems and networks should provide adequate capacity to perform in a predictable manner, with an acceptable level of performance
- They should be able to quickly recover from disruption
- Single points of failure should be avoided
- Backup measures should be taken
Integrity
- Integrity is defined as maintaining the accuracy and reliability of information systems, preventing any unauthorized modification
- Attacks or mistakes by users do not compromise the integrity of the data
- Viruses, Logic Bombs, or back doors can all compromise the integrity of an information system
Confidentiality
- Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
- This level of confidentiality should prevail while data resides on systems within the network, as it is transmitted and once it reaches its destination.
More Terminology
- Vulnerability
- Threat
- Risk
- Exposure
Vulnerability
Software, hardware, physical or procedural weakness which may provide an attacker an open door into your information systems environment
Threat
A potential danger to an information system. The threat is that someone or something will identify and take advantage of a vulnerability. The entity which takes advantage of a vulnerability is called a threat entity
Risk
A risk is the likelihood of a threat agent taking advantage of a vulnerability
Exposure
Exposure is a single instance of the damage caused by a vulnerability being exploited by a threat agent
Way too many terms here for a normal human to remember!!!
Countermeasure
A safeguard put into place to mitigate a potential risk
Security Through Obscurity
Trying to keep things safe by keeping them hidden
Bad idea – not a true security control
Security Planning Areas
- Strategic
- Tactical
- Operational
Strategic: Long and Broad Horizon
- Make sure that risks are properly understood
- Ensure compliance with laws and regulations
- Integrate security responsibilities throughout the organization
- Create a maturity model to allow for continual improvement
- Use security as a business achievement to attract more customers
Tactical: Initiatives Supporting Strategy
Initiatives and planning put in place to support the larger strategic plan
- Putting together teams to address specific issues
- Hiring new employees to be responsible for specific areas such as HIPAA or PCI compliance
Operational
- Perform security risk assessment
- Do not allow security changes to decrease productivity
- Maintain and implement controls
- Continually scan for vulnerabilities and roll out patches
- Track compliance with policies
Judge Against Standards: ISO 17799
- If you know this, you will be golden in the job interview!
- ISO is a British organization, recognized around the world for standards
- High level recommendations of enterprise IT security
Information Security Policy For the Organization
Map of objectives to security management’s support, security goals and responsibilities
Creation of an Information Security Infrastructure
Create and maintain an organizational security structure through the use of a security forum, a security officer, defining responsibilities, a method for authorizing projects, outsourcing and independent audits and reviews
Asset Classification and Control
Develop a security infrastructure to protect organizational assets through accountability: inventory, classification, and handling procedures
Personnel Security
Reduce the risks which are inherent in human action by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations
Physical and Environmental Security
Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, physical access control, and protecting equipment
Communications and Operations Management
Carry out operations through documented procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling
Access Control
Control electronic access based upon business requirements, user management, authentication methods and monitoring
System Development and Maintenance
Make security an integral part of all life phases of system development and management
Business Continuity Management
Counter disruptions of normal operations by using continuity planning and testing
Compliance
Comply with regulatory, contractual and statutory requirements by using technical controls, systems audits and continuous legal and regulatory awareness
Cost effective, relevant, timely, and responsive
Risk Analysis
A method for identifying risks and threats
Risk Analysis Has Four Main Goals
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk Analysis - Step One: Assign a Value to the Asset
- What is the value of this asset to the company?
- How much does it cost to maintain?
- How much does it make in profits for the company?
- How much would it be worth to the competition?
- How much would it cost to re-create or recover?
Risk Analysis - Step One: Assign a Value to the Asset (continued)
- How much did it cost to acquire or develop this asset?
- How much liability do you face if the asset is compromised?
Risk Analysis – Step 2: Estimate Potential Loss Per Threat
- What physical damage could the threat cause and how much would that cost?
- How much loss of productivity could the threat cause and how much would that cost?
- What is the value lost if the confidential information is disclosed?
- What is the cost of recovering from this threat?
- What is the value of the loss if critical devices were to fail?
- What is the Single Loss Expectancy (SLE) for each asset and each threat?
Risk Analysis – Step Three: Perform a Threat Analysis
- Gather information about the likelihood of each threat taking place, from people in each department. Examine past records which provide this type of data
- Calculate the Annualized Rate of Occurrence (ARO), which is the number of times the threat can take place in a twelve month period
Risk Analysis – Step Four: Derive the Overall Annual Loss Per Threat
- Combine potential loss and probability
- Calculate the Annualized Loss Expectancy (ALE) per threat, by using the information calculated in the first three steps
- Choose remedial measures to counteract each threat
- Carry out cost-benefit analysis on the identified countermeasures
Risk Analysis – Step 5: Reduce, Transfer, Avoid or Accept the Risk
- Install security controls
- Improve procedures
- Alter the environment
- Provide early detection methods to catch the threat as it is happening and reduce possible damage it can cause
- Produce a contingency plan of how a business can continue if a specific threat takes place, reducing further damages
Risk Analysis – Step 5: Reduce, Transfer, Avoid or Accept the Risk (continued)
- Put up barriers to the threat
- Carry out security awareness training
- Perform risk transfer (buy insurance and make it someone else’s problem)
- Risk acceptance (live with the risks and spend no more money for protection)
- Risk avoidance (discontinue the activity that is causing the risk)
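The five steps above carried through end to end, as an added Python example that is not part of the lecture. Every dollar figure, rate and countermeasure is constructed; the exposure factor used to derive SLE from asset value is an assumption the slides do not use (they ask for SLE directly), and the cost-benefit rule (ALE before, minus ALE after, minus annual cost of the control) is the standard one rather than a formula printed on the slides.

```python
from dataclasses import dataclass


# Step 1 supplies the asset value (AV); Step 2 wants the Single Loss Expectancy
# (SLE) per asset and threat. Deriving SLE as AV x exposure factor (EF, the
# fraction of AV lost in one occurrence) is an added assumption, not from the slides.
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Step 2: dollars lost per occurrence
    aro: float  # Step 3: Annualized Rate of Occurrence, events per twelve months

    def ale(self) -> float:
        # Step 4: Annualized Loss Expectancy combines potential loss and probability.
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # product, implementation, maintenance and support, per year
    residual_sle: float  # SLE expected once the control is in place
    residual_aro: float  # ARO expected once the control is in place

    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def countermeasure_value(threat: Threat, cm: Countermeasure) -> float:
    # Step 4 cost-benefit: annual loss avoided minus what the control costs per year.
    # A negative value means the control costs more than the risk it removes.
    return threat.ale() - cm.residual_ale() - cm.annual_cost


def decide(threat: Threat, options: list[Countermeasure]) -> tuple[str, float]:
    """Step 5: choose the option with the highest positive value. If no option
    pays for itself, this model's answer is risk acceptance (spend no more)."""
    best_name, best_value = "accept the risk", 0.0
    for cm in options:
        value = countermeasure_value(threat, cm)
        if value > best_value:
            best_name, best_value = cm.name, value
    return best_name, best_value


# Constructed scenario: a customer database valued at $500,000 (Step 1), with
# ransomware expected to wipe out 40% of that value about once every four years.
CUSTOMER_DB_VALUE = 500_000.0
RANSOMWARE = Threat("ransomware", sle=single_loss_expectancy(CUSTOMER_DB_VALUE, 0.4), aro=0.25)

OPTIONS = [
    # Reduce: offline backups shrink the per-incident loss to the restore cost.
    Countermeasure("offline backups", annual_cost=20_000.0, residual_sle=50_000.0, residual_aro=0.25),
    # Transfer: insurance leaves only the deductible as the company's loss.
    Countermeasure("cyber insurance", annual_cost=15_000.0, residual_sle=20_000.0, residual_aro=0.25),
    # A control priced above the risk it removes; it must never win.
    Countermeasure("premium managed SOC", annual_cost=60_000.0, residual_sle=5_000.0, residual_aro=0.25),
]

if __name__ == "__main__":
    print(f"ALE for {RANSOMWARE.name}: ${RANSOMWARE.ale():,.0f}")
    for cm in OPTIONS:
        print(f"  {cm.name}: annual value ${countermeasure_value(RANSOMWARE, cm):,.0f}")
    print("Decision:", decide(RANSOMWARE, OPTIONS))
```

With these inputs the threat's ALE is $50,000 and insurance wins with a net annual value of $30,000, while the managed SOC comes out negative and is rejected.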
Results of the Risk Analysis
1. Monetary values are assigned to assets
2. You have a comprehensive list of all possible and significant threats
3. You have a probability of the occurrence rate of each threat
4. You have the loss potential which the company can endure per threat, annually
5. A list of recommended safeguards, countermeasures and actions
Countermeasure Selection
- Product costs
- Design and planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
Countermeasure Selection (continued)
- Repair, replacement or update costs
- Operating and support costs
- Effects on productivity
- Subscription costs
- Extra person hours
- Tolerance for headaches caused by new countermeasure
Next Time
- Security policies
- Information classification
- Security awareness training