Chapter 2: Planning
Orientation
• The first chapter focused on threats
• The rest of the book focuses on defense
• In this chapter, we will see that defensive thinking is built around the plan-protect-respond cycle
• In this chapter, we will focus on planning
• Chapters 3 to 8 focus on protection (day-by-day defense)
• Chapter 9 focuses on response
Copyright Pearson Prentice-Hall 2010
But First: Mr. Swartz
Illegal?
• Illegal - 30
• Legal – 1ish
• Unethical - 16
JSTOR
• Early Journal Content
  ◦ Journal content in JSTOR published prior to 1923 in the United States and prior to 1870 elsewhere is freely available to anyone, anywhere in the world
• Register & Read
  ◦ Gives researchers read-only access to some journal articles, no payment required
  ◦ Users won't be able to download the articles
  ◦ Access only three at a time
  ◦ Minimum viewing time frame of 14 days per article
• “The Register & Read beta is an exciting next step that we are taking, working closely with our publisher partners who own this content.”
Computer Fraud and Abuse Act
• Pertains to financial and government computers
• Pertains to conduct affecting interstate commerce or communication
• Knowingly accessing a computer without authorization in order to obtain national security data
• Intentionally accessing a computer without authorization to obtain:
  ◦ Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer
  ◦ Information from any department or agency of the United States
  ◦ Information from any protected computer if the conduct involves an interstate or foreign communication
• Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer
• Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value
• Knowingly causing the transmission of a program, information, code, or command that causes damage, or intentionally accessing a computer without authorization and, as a result of such conduct, causing damage that results in:
  ◦ Loss to one or more persons during any one-year period aggregating at least $5,000 in value
  ◦ The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals
  ◦ Physical injury to any person
  ◦ A threat to public health or safety
  ◦ Damage affecting a government computer system
• Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization
2-9: Legal Driving Forces
• Privacy Protection Laws
  ◦ The European Union (E.U.) Data Protection Directive of 2002
  ◦ Many other nations have strong commercial data privacy laws
  ◦ The U.S. Gramm–Leach–Bliley Act (GLBA)
  ◦ The U.S. Health Information Portability and Accountability Act (HIPAA) for private data in health care organizations
2-9: Legal Driving Forces
• Data Breach Notification Laws
  ◦ California’s SB 1386
  ◦ Requires notification of any California citizen whose private information is exposed
  ◦ Companies cannot hide data breaches anymore
• Federal Trade Commission (FTC)
  ◦ Can punish companies that fail to protect private information
  ◦ Fines and required external auditing for several years
California Senate Bill 24
Since 2002, California law has required data holders to notify individuals if their data is lost or stolen.
The new law, however, requires each notice to contain, in "plain language":
  ◦ name and contact information of the data holder
  ◦ types of personal information compromised by the breach
  ◦ brief description of the incident
  ◦ contact information for the major credit reporting agencies
  ◦ whether the notification was delayed as a result of an investigation by law enforcement
2-9: Legal Driving Forces
• Industry Accreditation
  ◦ For hospitals, etc.
  ◦ Often includes security requirements
• PCI-DSS
  ◦ Payment Card Industry Data Security Standard
  ◦ Applies to all firms that accept credit cards
  ◦ Has 12 general requirements, each with specific subrequirements
2-9: Legal Driving Forces
• FISMA
  ◦ Federal Information Security Management Act of 2002
  ◦ Processes for all information systems used or operated by U.S. federal government agencies
  ◦ Also by any contractor or other organization acting on behalf of a U.S. government agency
  ◦ Certification, followed by accreditation
  ◦ Continuous monitoring
  ◦ Criticized for focusing on documentation instead of protection
2-9: Legal Driving Forces
• Compliance Laws and Regulations
  ◦ Compliance laws and regulations create requirements for corporate security
  ◦ Documentation requirements are strong
  ◦ Identity management requirements tend to be strong
  ◦ Compliance can be expensive
  ◦ There are many compliance laws and regulations, and the number is increasing rapidly
2-9: Legal Driving Forces
• Sarbanes–Oxley Act of 2002
  ◦ Massive corporate financial frauds in 2002
  ◦ Act requires firms to report material deficiencies in financial reporting processes
  ◦ Material deficiency: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected
2-9: Legal Driving Forces
• Sarbanes–Oxley Act of 2002
• Report material control deficiencies in the financial reporting process
Back to Planning
2-1: Management is the Hard Part
• Technology Is Concrete
  ◦ Can visualize devices and transmission lines
  ◦ Can understand device and software operation
  ◦ But we can’t just focus on the concrete vs. the abstract
• Management Is Abstract
• Management Is More Important
  ◦ Security is a process, not a product (Bruce Schneier)
What to Protect?
• Databases and Servers – easy to identify
• Organizational Processes – less so
  ◦ Financial reporting (should be easier for accountants)
  ◦ New product development (i.e., intellectual property)
2-4: Security Management Is a Disciplined Process
• Complex
  ◦ Cannot be managed informally
• Need Formal Processes
  ◦ Planned series of actions in security management
  ◦ Annual planning
  ◦ Processes for planning and developing individual countermeasures
• Must be Continuous
• Must meet legal and other compliance regulations
• Thus…
2-5: The Plan-Protect-Respond Cycle for Security Management
• Dominates security management thinking
2-7: Vision
• Security as an Enabler
  ◦ Security is often thought of as a preventer
  ◦ But security is also an enabler
  ◦ If a company has good security, it can do things otherwise impossible
  ◦ Engage in interorganizational systems with other firms (Dell, Wal-Mart)
  ◦ Can use SNMP SET commands to manage their systems remotely
  ◦ Must get in early on projects to reduce inconvenience
2-8: Strategic IT Security Planning
• Identify Current IT Security Gaps
• Identify Driving Forces
  ◦ The threat environment
  ◦ Compliance laws and regulations
  ◦ Corporate structure changes, such as mergers
• Identify Corporate Resources Needing Protection
  ◦ Enumerate all resources
  ◦ Rate each by sensitivity
2-8: Strategic IT Security Planning
• Develop Remediation Plans
  ◦ Develop a remediation plan for all security gaps
  ◦ Develop a remediation plan for every resource unless it is well protected
• Develop an Investment Portfolio
  ◦ You cannot close all gaps immediately
  ◦ Choose projects that will provide the largest returns
  ◦ Implement these
2-13: Risk Analysis
• Realities
  ◦ Can never eliminate risk
  ◦ “Information assurance” is impossible
• Risk Analysis
  ◦ Goal is reasonable risk
  ◦ Risk analysis weighs the probable cost of compromises against the costs of countermeasures
  ◦ Also, security has negative side effects that must be weighed
2-13: Risk Analysis
Single Loss Expectancy (SLE)
• Asset Value (AV)
• × Exposure Factor (EF)
  ◦ Percentage of asset value lost if a compromise occurs
• = Single Loss Expectancy (SLE)
  ◦ Expected loss in case of a compromise
Annualized Loss Expectancy (ALE)
• SLE
• × Annualized Rate of Occurrence (ARO)
  ◦ Annual probability of a compromise
• = Annualized Loss Expectancy (ALE)
  ◦ Expected loss per year from this type of compromise
2-14: Classic Risk Analysis Calculation
| | Base Case | Countermeasure A |
|---|---|---|
| Asset Value (AV) | $100,000 | $100,000 |
| Exposure Factor (EF) | 80% | 20% |
| Single Loss Expectancy (SLE) = AV × EF | $80,000 | $20,000 |
| Annualized Rate of Occurrence (ARO) | 50% | 50% |
| Annualized Loss Expectancy (ALE) = SLE × ARO | $40,000 | $10,000 |
| ALE Reduction for Countermeasure | NA | $30,000 |
| Annualized Countermeasure Cost | NA | $17,000 |
| Annualized Net Countermeasure Value | NA | $13,000 |

Countermeasure A should reduce the exposure factor by 75%.
2-14: Classic Risk Analysis Calculation
| | Base Case | Countermeasure B |
|---|---|---|
| Asset Value (AV) | $100,000 | $100,000 |
| Exposure Factor (EF) | 80% | 80% |
| Single Loss Expectancy (SLE) = AV × EF | $80,000 | $80,000 |
| Annualized Rate of Occurrence (ARO) | 50% | 25% |
| Annualized Loss Expectancy (ALE) = SLE × ARO | $40,000 | $20,000 |
| ALE Reduction for Countermeasure | NA | $20,000 |
| Annualized Countermeasure Cost | NA | $4,000 |
| Annualized Net Countermeasure Value | NA | $16,000 |

Countermeasure B should cut the frequency of compromises in half.
2-14: Classic Risk Analysis Calculation
| | Base Case | Countermeasure A | Countermeasure B |
|---|---|---|---|
| Asset Value (AV) | $100,000 | $100,000 | $100,000 |
| Exposure Factor (EF) | 80% | 20% | 80% |
| Single Loss Expectancy (SLE) = AV × EF | $80,000 | $20,000 | $80,000 |
| Annualized Rate of Occurrence (ARO) | 50% | 50% | 25% |
| Annualized Loss Expectancy (ALE) = SLE × ARO | $40,000 | $10,000 | $20,000 |
| ALE Reduction for Countermeasure | NA | $30,000 | $20,000 |
| Annualized Countermeasure Cost | NA | $17,000 | $4,000 |
| Annualized Net Countermeasure Value | NA | $13,000 | $16,000 |

Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive.
The annualized net countermeasure value for B is larger.
The company should select Countermeasure B.
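The classic SLE/ALE calculation from the three tables above, written out as code so the same arithmetic can be applied to any number of candidate countermeasures. This is an added example, not code from the textbook; the asset value, exposure factors, rates of occurrence and countermeasure costs are the slides' own Base Case / A / B figures, and the `Scenario` class and function names are this example's own.

```python
# Added example (not from the textbook): the classic SLE/ALE risk analysis
# from the slides, generalized to compare any number of countermeasures.
# The dollar figures are the slides' own Base Case / A / B numbers.
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One column of the classic risk analysis table."""
    name: str
    asset_value: float        # AV: value of the asset, in dollars
    exposure_factor: float    # EF: fraction of AV lost if a compromise occurs
    aro: float                # ARO: expected number of compromises per year
    annual_cost: float = 0.0  # annualized countermeasure cost (0 for the base case)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle * self.aro


def ale_reduction(base: Scenario, countermeasure: Scenario) -> float:
    """How much the countermeasure lowers the yearly expected loss."""
    return base.ale - countermeasure.ale


def net_value(base: Scenario, countermeasure: Scenario) -> float:
    """Annualized net countermeasure value = ALE reduction - annualized cost.
    A negative result means the countermeasure costs more than it saves."""
    return ale_reduction(base, countermeasure) - countermeasure.annual_cost


def best_countermeasure(base: Scenario, candidates: List[Scenario]) -> Optional[Scenario]:
    """Pick the candidate with the largest net value; None if none pays for itself."""
    worthwhile = [c for c in candidates if net_value(base, c) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda c: net_value(base, c))


def table(base: Scenario, candidates: List[Scenario]) -> str:
    """Render the slides' table for the base case and each candidate."""
    cols = [base, *candidates]
    rows = [
        ("Asset Value (AV)", [f"${c.asset_value:,.0f}" for c in cols]),
        ("Exposure Factor (EF)", [f"{c.exposure_factor:.0%}" for c in cols]),
        ("Single Loss Expectancy (SLE)", [f"${c.sle:,.0f}" for c in cols]),
        ("Annualized Rate of Occurrence (ARO)", [f"{c.aro:.0%}" for c in cols]),
        ("Annualized Loss Expectancy (ALE)", [f"${c.ale:,.0f}" for c in cols]),
        ("ALE Reduction", ["NA"] + [f"${ale_reduction(base, c):,.0f}" for c in candidates]),
        ("Annualized Countermeasure Cost", ["NA"] + [f"${c.annual_cost:,.0f}" for c in candidates]),
        ("Annualized Net Countermeasure Value", ["NA"] + [f"${net_value(base, c):,.0f}" for c in candidates]),
    ]
    header = f"{'':38}" + "".join(f"{c.name:>20}" for c in cols)
    body = [f"{label:38}" + "".join(f"{v:>20}" for v in vals) for label, vals in rows]
    return "\n".join([header, *body])


# Figures from the slides: A cuts EF from 80% to 20%, B halves the ARO.
BASE = Scenario("Base Case", 100_000, 0.80, 0.50)
CM_A = Scenario("Countermeasure A", 100_000, 0.20, 0.50, annual_cost=17_000)
CM_B = Scenario("Countermeasure B", 100_000, 0.80, 0.25, annual_cost=4_000)

if __name__ == "__main__":
    print(table(BASE, [CM_A, CM_B]))
    chosen = best_countermeasure(BASE, [CM_A, CM_B])
    print("Select:", chosen.name if chosen else "nothing (no candidate pays for itself)")
```

`best_countermeasure` returns `None` when every candidate has a negative net value, which is the case the slides' arithmetic silently allows: a control that reduces ALE but costs more than the reduction should not be bought on these numbers alone.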
2-15: Problems with Classic Risk Analysis Calculations
• Uneven Multiyear Cash Flows
  ◦ For both attack costs and defense costs
  ◦ Must compute the return on investment (ROI) using discounted cash flows
  ◦ Net present value (NPV) or internal rate of return (IRR)
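A worked version of the discounted-cash-flow point above, added here as an example that is not part of the textbook: a countermeasure with a purchase cost in year 0 and uneven operating costs and ALE reductions in later years is valued by NPV and IRR rather than by the one-year ALE arithmetic. The `npv`, `irr` and `countermeasure_cash_flows` functions and all dollar figures are constructed for this illustration.

```python
# Added example (not from the textbook): valuing a countermeasure whose attack
# and defense costs are spread unevenly over several years, using discounted
# cash flows (NPV and IRR) instead of the single-year ALE arithmetic.
# The cash-flow figures below are constructed for illustration.
from typing import List


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value. cash_flows[t] is the net cash flow at the end of
    year t; year 0 is today and is not discounted."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0) -> float:
    """Internal rate of return: the discount rate at which NPV is zero,
    found by bisection. Requires NPV to change sign between lo and hi."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; no single IRR")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_lo * f_mid <= 0:      # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                      # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def countermeasure_cash_flows(upfront_cost: float,
                              annual_costs: List[float],
                              annual_ale_reductions: List[float]) -> List[float]:
    """Year 0 is the purchase; each later year nets that year's ALE reduction
    against that year's operating cost. The lists may be uneven (for example
    a costly upgrade year), which is exactly when plain ALE arithmetic misleads."""
    if len(annual_costs) != len(annual_ale_reductions):
        raise ValueError("need one cost and one ALE reduction per year")
    return [-upfront_cost] + [r - c for c, r in zip(annual_costs, annual_ale_reductions)]


def worthwhile(rate: float, cash_flows: List[float]) -> bool:
    """Invest only if the discounted value of the savings exceeds the costs."""
    return npv(rate, cash_flows) > 0


# Constructed figures: $30,000 to deploy, three years of operation with a
# $12,000 upgrade in year 2 and a larger ALE reduction in year 3.
FLOWS = countermeasure_cash_flows(
    upfront_cost=30_000,
    annual_costs=[5_000, 12_000, 5_000],
    annual_ale_reductions=[20_000, 20_000, 25_000],
)

if __name__ == "__main__":
    print("undiscounted total:", sum(FLOWS))          # 13,000: overstates the benefit
    print("NPV at 10%:", round(npv(0.10, FLOWS), 2))  # about 5,274
    print("IRR:", round(irr(FLOWS), 4))               # about 0.19
    print("worth doing at 10%?", worthwhile(0.10, FLOWS))
```

The undiscounted sum (13,000) is what a naive multi-year extension of the ALE table would report; discounting at the firm's cost of capital gives a materially smaller NPV, and the IRR is the highest cost of capital at which the project still breaks even.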
2-15: Problems with Classic Risk Analysis Calculations
• Total Cost of Incident (TCI)
  ◦ Exposure factor in classic risk analysis assumes that a percentage of the asset is lost
  ◦ In most cases, damage does not come from asset loss
  ◦ For instance, if personally identifiable information is stolen, the cost is enormous but the asset remains
  ◦ Must compute the total cost of incident (TCI)
  ◦ Include the cost of repairs, lawsuits, and many other factors
2-15: Problems with Classic Risk Analysis Calculations
• Many-to-Many Relationships between Countermeasures and Resources
  ◦ Classic risk analysis assumes that one countermeasure protects one resource
  ◦ Single countermeasures, such as a firewall, often protect many resources
  ◦ Single resources, such as data on a server, are often protected by multiple countermeasures
  ◦ Extending classic risk analysis is difficult
2-15: Problems with Classic Risk Analysis Calculations
• Impossibility of Knowing the Annualized Rate of Occurrence
  ◦ There simply is no way to estimate this
  ◦ This is the worst problem with classic risk analysis
  ◦ As a consequence, firms often merely rate their resources by risk level
2-15: Problems with Classic Risk Analysis Calculations
• Problems with “Hard-Headed Thinking”
  ◦ Security benefits are difficult to quantify
  ◦ If management only supports “hard numbers,” it may underinvest in security
2-15: Problems with Classic Risk Analysis Calculations
• Perspective
  ◦ Impossible to do perfectly
  ◦ Must be done as well as possible
  ◦ Identifies key considerations
  ◦ Works if countermeasure value is very large or very negative
  ◦ But never take classic risk analysis seriously
Risk Management
OCTAVE Allegro
OCTAVE
• Operationally Critical Threat, Asset, and Vulnerability Evaluation
Risk
• The combination of a threat (a condition) and the resulting impact of the threat if acted upon (a consequence).
OCTAVE
• Methodology for identifying and evaluating security risks:
  ◦ develop qualitative risk evaluation criteria that describe the organization’s operational risk tolerances
  ◦ identify assets that are important to the mission of the organization
  ◦ identify vulnerabilities and threats to those assets
  ◦ determine and evaluate the potential consequences to the organization if threats are realized
OCTAVE Methodologies
• OCTAVE
• OCTAVE-S
• OCTAVE-Allegro
OCTAVE
• For large organizations (>300 employees) that:
  ◦ have a multi-layered hierarchy
  ◦ maintain their own computing infrastructure
  ◦ have the ability to run vulnerability evaluation tools
  ◦ have the ability to interpret the results of vulnerability evaluations
• Performed in a series of workshops conducted and facilitated by an interdisciplinary analysis team drawn from business units throughout the organization (e.g. senior management, operational area managers, and staff) and members of the IT department [Alberts 2002].
• Phase I: Organizational View
  ◦ Identify important information assets
• Phase II: Technological View
  ◦ Supplement threat analysis
• Phase III: Strategy and Plan
  ◦ Risk identification
  ◦ Risk mitigation
OCTAVE-S
• For Small Manufacturing Companies
• performed by an analysis team that has extensive knowledge of the organization
• designed to include a limited examination of infrastructure risks
  ◦ No (or limited) vulnerability testing
OCTAVE Allegro
• Broad Assessment of Operational Risk Environment
• Focus on Information Assets
  ◦ How they are used
  ◦ Where they are used
  ◦ Where they are stored, transported, and processed
  ◦ How they are exposed to threats, vulnerabilities, and disruptions
8 Steps / 4 Phases
Step 1: Establish Risk Measurement Criteria
Step 2: Develop Information Asset Profile
Step 3: Identify Information Asset Containers
Step 4: Identify Areas of Concern
Step 5: Identify Threat Scenarios
Step 6: Identify Risks
Step 7: Analyze Risks
Step 8: Select Mitigation Approach
Phases: Establish Drivers (Step 1) → Profile Assets (Steps 2–3) → Identify Threats (Steps 4–5) → Identify and Mitigate Risks (Steps 6–8)
The outputs of each step are recorded in a worksheet and become inputs for the next step
Step 1 Establish Risk Measurement Criteria
• Risk Measurement Criteria Determined:
  ◦ Qualitative measure
  ◦ Used to evaluate the effect of a risk
  ◦ Forms the basis of the information asset risk assessment
• Rank Significance of Impact Areas
  ◦ E.g. Customers vs. Compliance
The most important category should receive the highest score and the least important the lowest.
Step 2: Develop Information Asset Profile
• Information Asset
  ◦ Information or data that is of value to the organization
  ◦ Can exist in physical form (on paper, CDs, or other media), or
  ◦ Electronically (stored in databases, in files, on personal computers)
• Describe Assets:
  ◦ Unique features, qualities, characteristics, and value
  ◦ Unambiguous definition of the asset’s boundaries
  ◦ Security requirements for the asset are adequately defined
  ◦ Confidentiality, Integrity, Availability
Step 2: Select Critical Information Assets
• Focus on “critical few”
• Which would have the largest impact on your organization, based on the Risk Measurement Criteria, if:
  ◦ The asset or assets were disclosed to unauthorized people
  ◦ The asset or assets were modified without authorization
  ◦ The asset or assets were lost or destroyed
  ◦ Access to the asset or assets was interrupted
Step 3: Identify Information Asset Containers
• Places where Information Assets are:
  ◦ Stored
  ◦ Processed
  ◦ Transported
• Three Types of Containers
  ◦ Technical: hardware, software, application systems, servers, and networks
  ◦ Physical: file folders (where information is stored in written form)
  ◦ People (who may carry around important information such as intellectual property)
• Containers are both internal to the organization and external
  ◦ An organization must identify all of the locations where its information assets are stored, transported, or processed, whether or not they are within the organization’s direct control
• Container risks are inherited by the Information Assets within them
Step 3: Security of Information Asset Containers
• Controls are at the Container level
• Security depends on how well the control reflects the container's security requirements
• Any vulnerabilities or threats to a Container are inherited by the Information Assets inside it
Step 4: Identify Areas of Concern
• Identify conditions that can threaten information assets
• Not intended to be an exhaustive list of all threats
• Rather, a list of the threats that come to mind immediately
Step 5: Identify Threat Scenarios
• Areas of Concern are expanded into Threat Scenarios
  • Actor involved
  • Means
  • Motive
  • Outcome
  • Security requirements
• From Threat Scenario Questionnaires: Probability of Occurrence
  • High, Medium, Low
For any Yes from the questionnaire, create an Information Asset Risk Worksheet
Step 6: Identify Risks
• Determine the consequences if the threat occurs
• More than one consequence is possible
  • Reputation consequence
  • Financial consequence
• Threat (condition) + Impact (consequence) = Risk
• [Steps 4 and 5] + [Step 6] = Risk
Step 7: Analyze Risk
• Compute a quantitative measure of risk using:
  • Consequence and relative importance of each impact area
  • High = 3, Medium = 2, or Low = 1
  • Probability (if used)
The scores generated in this activity are only meant to be used as a prioritization tool. Differences between risk scores are not considered to be relevant. In other words, a score of 48 means that the risk is relatively more important to the organization than a score of 25, but there is no importance to the difference of 13 points.
Step 8: Select Mitigation Approach
• First, prioritize risks based on their Risk Score (from Step 7)
• Mitigation strategies are developed that consider:
  • The value of the asset
  • The asset’s security requirements
  • The containers in which it lives
  • The organization’s unique operating environment
Types of Mitigation
• Accept: take no action; the risk has low or zero impact
• Mitigate: develop controls to counter the risk
• Defer: gather more information and re-analyze in the future
Risk Matrix
Take the Relative Risk Score range and divide it into 4 even pools. Then use the pools to determine the Mitigate, Defer, or Accept decision. If probabilities are used, then create a matrix (Probability of Occurrence × Risk Score).
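The Step 7 scoring and the Risk Matrix decision, carried through in code. This is an added example, not material from the textbook or the slides: the consequence values High = 3 / Medium = 2 / Low = 1, the four even pools and the optional Probability × Risk Score matrix come from the slides, while the impact areas and their importance ranks, the pool-to-decision mapping, the probability matrix and the sample hospital risks are all constructed here as assumptions an organization would replace with its own.

```python
"""Relative risk score, pool assignment and mitigation decision.
Added illustration of Step 7 and the Risk Matrix slide; not from the book."""
from dataclasses import dataclass
from typing import Optional

# Consequence values as given on the Step 7 slide.
CONSEQUENCE_VALUE = {"high": 3, "medium": 2, "low": 1}

# CONSTRUCTED impact areas and relative-importance ranks (higher = more important).
IMPACT_AREA_RANK = {
    "reputation": 5,
    "financial": 4,
    "productivity": 3,
    "safety_and_health": 2,
    "fines_and_legal": 1,
}

# ASSUMED decision per pool when probability is not used (pool 1 = top scores).
POOL_DECISION = {1: "Mitigate", 2: "Mitigate", 3: "Defer", 4: "Accept"}

# ASSUMED Probability of Occurrence x Risk Score pool matrix when probability is used.
PROBABILITY_MATRIX = {
    "high":   {1: "Mitigate", 2: "Mitigate", 3: "Mitigate", 4: "Defer"},
    "medium": {1: "Mitigate", 2: "Mitigate", 3: "Defer",    4: "Accept"},
    "low":    {1: "Mitigate", 2: "Defer",    3: "Accept",   4: "Accept"},
}


@dataclass
class Risk:
    name: str
    consequences: dict                  # impact area -> "high" | "medium" | "low"
    probability: Optional[str] = None   # "high" | "medium" | "low" when probability is used


def relative_risk_score(risk: Risk) -> int:
    """Sum over impact areas of (area rank x consequence value).
    An area not rated on the worksheet is treated as a low consequence."""
    return sum(rank * CONSEQUENCE_VALUE[risk.consequences.get(area, "low")]
               for area, rank in IMPACT_AREA_RANK.items())


def score_range():
    """Lowest and highest score the scheme can produce (all-low, all-high)."""
    total_rank = sum(IMPACT_AREA_RANK.values())
    return total_rank * CONSEQUENCE_VALUE["low"], total_rank * CONSEQUENCE_VALUE["high"]


def pool_for(score: int) -> int:
    """Divide [lowest, highest] into 4 even pools; pool 1 holds the highest scores."""
    lo, hi = score_range()
    width = (hi - lo) / 4
    return min(int((hi - score) / width) + 1, 4)


def decide(risk: Risk) -> str:
    """Mitigate / Defer / Accept from the pool alone, or from the matrix if probability is used."""
    pool = pool_for(relative_risk_score(risk))
    if risk.probability is None:
        return POOL_DECISION[pool]
    return PROBABILITY_MATRIX[risk.probability][pool]


def prioritize(risks):
    """Order risks by score, highest first. Only the order carries meaning:
    the slide stresses that the size of the gap between two scores does not."""
    return sorted(risks, key=relative_risk_score, reverse=True)


# CONSTRUCTED sample risks for the hospital patient information database example.
SAMPLE_RISKS = [
    Risk("Patient records disclosed", {"reputation": "high", "financial": "high",
         "productivity": "medium", "safety_and_health": "low", "fines_and_legal": "high"}),
    Risk("Database outage during rounds", {"reputation": "medium", "financial": "medium",
         "productivity": "high", "safety_and_health": "low", "fines_and_legal": "low"}),
    Risk("Backup tape misfiled on site", {"reputation": "low", "financial": "medium",
         "productivity": "medium", "safety_and_health": "low", "fines_and_legal": "low"}),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        s = relative_risk_score(r)
        print(f"{r.name:32} score={s:2d} pool={pool_for(s)} decision={decide(r)}")
```

With these constructed ranks the scores run from 15 to 45, so the pools are 7.5 points wide; `decide` shows how the same score can move from Defer to Mitigate or Accept once a probability rating is added to the matrix.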
2-16: Responding to Risk
• Risk Reduction / Mitigation
  • The approach most people consider
  • Install countermeasures / controls to reduce harm
  • Makes sense only if risk analysis justifies the countermeasure / control
• Risk Acceptance
  • If protecting against a loss would be too expensive, accept losses when they occur
  • Good for small, unlikely losses
  • Good for large but rare losses
2-16: Responding to Risk
• Risk Transference
  • Buy insurance against security-related losses
  • Especially good for rare but extremely damaging attacks
  • Does not mean a company can avoid working on IT security
    • Security in place = lower premiums
    • Bad or little security = not insurable
• Risk Avoidance
  • Do not take a risky action
  • Lose the benefits of the action
  • May cause anger against IT security
Example
• Hospital Patient Information Database
2-10: Organizational Issues
• Chief Security Officer (CSO)
  • Also called chief information security officer (CISO)
• Where to Locate IT Security?
  • Within IT
    • Compatible technical skills
    • CIO will be responsible for security
  • Outside of IT
    • Gives independence
    • Hard to blow the whistle on IT and the CIO
    • This is the most commonly advised choice
  • Hybrid
    • Place planning, policy making, and auditing outside of IT
    • Place operational aspects such as firewall operation within IT
2-10: Organizational Issues
• Relationships with Other Departments
  • Special relationships
    • Auditing departments
      • IT auditing, internal auditing, financial auditing
      • Might place security auditing under one of these
      • This would give independence from the security function
    • Facilities (buildings) management
    • Uniformed security
2-10: Organizational Issues
• Relationships with Other Departments
  • All corporate departments
    • Cannot merely toss policies over the wall
  • Business partners
    • Must link IT corporate systems together
    • Before doing so, must exercise due diligence in assessing their security
2-10: Organizational Issues
• Outsourcing IT Security
  • Only e-mail or web service (Figure 2-11)
  • Managed Security Service Providers (MSSPs) (Figure 2-12)
    • Outsource most IT security functions to the MSSP
    • But usually not policy
  • Example of MSSP companies (from RSA)
2-11: E-Mail Outsourcing
2-12: Managed Security Service Provider (MSSP)
2-17: Corporate Technical Security Architecture
• Technical Security Architectures
  • Definition
    • All of the company’s technical countermeasures
    • And how these countermeasures are organized into a complete system of protection
  • Architectural decisions
    • Based on the big picture
    • Must be well planned to provide strong security with few weaknesses
2-2: The Need for Comprehensive Security
Aka the Defender’s Dilemma
2-3: Weakest Link Failure
A failure in any component will lead to failure of the entire system. Keep in mind this is a single countermeasure (a firewall).
2-17: Corporate Technical Security Architecture
• Principles
  • Defense in depth
    • The resource is guarded by several countermeasures in series
    • The attacker must breach them all, in series, to succeed
    • If one countermeasure fails, the resource remains safe
2-17: Corporate Technical Security Architecture
• Principles
  • Defense in depth versus weakest links
    • Defense in depth: multiple independent countermeasures that must be defeated in series
    • Weakest link: a single countermeasure with multiple interdependent components that must all succeed for the countermeasure to succeed
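The contrast between defense in depth and weakest-link failure, expressed as a small probability model. This is an added example and not from the textbook: it assumes the components of a countermeasure and the layers of an architecture hold or fail independently, and every reliability figure (the firewall's rule set, patching and alerting, the two extra layers) is constructed for illustration.

```python
"""Defense in depth versus weakest-link failure as a probability model.
Added example; independence of components and layers is a simplifying assumption."""
from math import prod

# CONSTRUCTED probabilities that each part of one countermeasure (a firewall)
# does its job during an attack. A real assessment would estimate these from
# configuration review, testing and operational history.
FIREWALL_COMPONENTS = {
    "rule set is correct": 0.95,
    "firmware is patched": 0.90,
    "logging and alerting work": 0.80,
}


def countermeasure_reliability(components: dict) -> float:
    """Weakest-link structure (Figure 2-3): every interdependent component must
    work for the countermeasure to work, so reliability is the PRODUCT of the
    component reliabilities and can never exceed the weakest one."""
    return prod(components.values())


def weakest_link(components: dict):
    """The component that caps the whole countermeasure; fixing it helps most."""
    return min(components.items(), key=lambda item: item[1])


def breach_probability(layer_reliabilities) -> float:
    """Defense in depth: independent countermeasures in series. The attacker
    must defeat every layer, so P(breach) is the product of (1 - reliability);
    one failed layer leaves the resource protected by the others."""
    return prod(1.0 - r for r in layer_reliabilities)


def compare_architectures():
    """Breach probability of the firewall alone versus the firewall plus two
    further independent layers (CONSTRUCTED: host hardening 0.90, encryption 0.70)."""
    firewall = countermeasure_reliability(FIREWALL_COMPONENTS)
    single_layer = breach_probability([firewall])
    three_layers = breach_probability([firewall, 0.90, 0.70])
    return single_layer, three_layers


if __name__ == "__main__":
    name, value = weakest_link(FIREWALL_COMPONENTS)
    print(f"firewall holds with p={countermeasure_reliability(FIREWALL_COMPONENTS):.3f}; "
          f"weakest link: {name} ({value})")
    single, layered = compare_architectures()
    print(f"breach: firewall only {single:.4f}, three layers {layered:.5f}")
```

Two things the numbers make concrete: adding one more interdependent component to a single countermeasure always lowers its reliability (more links in the chain), while adding one more independent layer in series always lowers the attacker's chance of reaching the resource.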
2-17: Corporate Technical Security Architecture
• Principles
  • Avoiding single points of vulnerability
    • Failure at a single point can have drastic consequences
    • DNS servers, central security management servers, etc.
2-17: Corporate Technical Security Architecture
• Principles
  • Minimizing security burdens
  • Realistic goals
    • Cannot change a company’s protection level overnight
    • Mature as quickly as possible
2-17: Corporate Technical Security Architecture
• Elements of a Technical Security Architecture
  • Border management
  • Internal site management
  • Management of remote connections
  • Interorganizational systems with other firms
  • Centralized security management
    • Increases the speed of actions
    • Reduces the cost of actions
2-18: Policies
• Policies
  • Statements of what is to be done
  • Provide clarity and direction
  • Do not specify in detail how the policy is to be implemented in specific circumstances
    • This allows the best possible implementation at any time
  • Vary widely in length
2-18: Policies
• Tiers of Security Policies
  • Brief corporate security policy to drive everything
  • Major policies
    • Hiring and firing
    • Personally identifiable information
    • …
2-18: Policies
• Tiers of Security Policies
  • Acceptable use policy
    • Summarizes key points of special importance for users
    • Typically, must be signed by users
  • Policies for specific countermeasures
    • Again, separates security goals from implementation
Policy vs. Laws
• Ignorance of policy is a valid defense
• Criteria for an enforceable policy
  • Dissemination: the policy is readily available to employees
  • Review: the policy is intelligible, including across different languages and disabilities
  • Comprehension: the employee understood the policy (quizzes, etc.)
  • Compliance: the employee agrees to comply with the policy (written or “click”)
  • Uniform enforcement: regardless of employee status or position
2-18: Policies
• Writing Policies
  • For important policies, IT security cannot act alone
  • There should be policy-writing teams for each policy
  • For broad policies, teams must include IT security, management in affected departments, the legal department, and so forth
  • The team approach gives authority to policies
  • It also prevents mistakes because of IT security’s limited viewpoint
2-19: Policies, Implementation, and Oversight
2-20: Implementation Guidance
• Types of Implementation Guidance
  • Procedures: detailed specifications for how something should be done
    • Can be either standards or guidelines
  • Segregation of duties: two people are required to complete sensitive tasks
    • In movie theaters, one sells tickets and the other takes tickets
    • No individual can do damage, although
2-20: Implementation Guidance
• Types of Implementation Guidance
  • Request/authorization control
    • Limit the number of people who may make requests on sensitive matters
    • Allow even fewer to be able to authorize requests
    • The authorizer must never be the requester
  • Mandatory vacations to uncover schemes that require constant maintenance
  • Job rotation to uncover schemes that require constant maintenance
2-20: Implementation Guidance
• Types of Implementation Guidance
  • Procedures: detailed descriptions of what should be done
  • Processes: less detailed specifications of what actions should be taken
    • Necessary in managerial and professional business functions
  • Baselines: checklists of what should be done, but not the process or procedures for doing them
2-20: Implementation Guidance
• Types of Implementation Guidance
  • Best practices: the most appropriate actions in other companies
  • Recommended practices: normative guidance
  • Accountability
    • The owner of the resource is accountable
    • Implementing the policy can be delegated to a trustee, but accountability cannot be delegated
  • Codes of ethics
2-21: Ethics
• Ethics
  • A person’s system of values
  • Needed in complex situations
  • Different people may make different decisions in the same situation
  • Companies create codes of ethics to give guidance in ethical decisions
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)
  • Importance of good ethics to have a good workplace and to avoid damaging a firm’s reputation
  • The code of ethics applies to everybody
    • Senior managers usually have additional requirements
  • Improper ethics can result in sanctions, up to termination
  • An employee must report observed unethical behavior
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)
  • An employee must avoid conflicts of interest
    • Never exploit one’s position for personal gain
    • No preferential treatment of relatives
    • No investing in competitors
    • No competing with the company while still employed by the firm
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)
  • No bribes or kickbacks
    • Bribes are given by outside parties to get preferential treatment
    • Kickbacks are given by sellers when they place an order to secure this or future orders
  • Employees must use business assets for business uses only, not personal use
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)
  • An employee may never divulge
    • Confidential information
    • Private information
    • Trade secrets
2-22: Exception Handling
• Exceptions Are Always Required
  • But they must be managed
• Limiting Exceptions
  • Only some people should be allowed to request exceptions
  • Fewer people should be allowed to authorize exceptions
  • The person who requests an exception must never be the authorizer
2-22: Exception Handling
• Exceptions Must Be Carefully Documented
  • Specifically what was done and who did each action
• Special Attention Should Be Given to Exceptions in Periodic Auditing
• Exceptions Above a Particular Danger Level
  • Should be brought to the attention of the IT security department and the authorizer’s direct manager
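The request/authorization control from the Implementation Guidance slides and the exception-handling rules on the two slides above, combined into one workflow. This is an added example and not the textbook's own material: the role tables (who may request, the smaller set who may authorize, each authorizer's manager), the 1 to 5 danger scale and its escalation threshold are constructed assumptions; a real deployment would take them from the directory and from policy.

```python
"""Policy-exception workflow enforcing request/authorization control.
Added example, not from the book: few requesters, fewer authorizers, the
requester is never the authorizer, every action is documented, and exceptions
above a danger level are escalated to IT security and the authorizer's manager."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# CONSTRUCTED role tables; in practice these come from the directory/IAM system.
ALLOWED_REQUESTERS = {"alice", "bob", "carol"}   # limited set may request
ALLOWED_AUTHORIZERS = {"carol", "dave"}          # even fewer may authorize
DIRECT_MANAGER = {"carol": "erin", "dave": "frank"}

# ASSUMED danger scale 1..5; exceptions at or above this level are escalated.
ESCALATION_LEVEL = 3


class ExceptionPolicyViolation(Exception):
    """Raised when a request or authorization breaks the control rules."""


@dataclass
class PolicyException:
    exception_id: str
    requester: str
    description: str
    danger_level: int
    authorizer: Optional[str] = None
    escalated_to: List[str] = field(default_factory=list)
    # Documentation trail: (UTC timestamp, actor, action) for each step taken.
    actions: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, actor: str, action: str) -> None:
        self.actions.append((datetime.now(timezone.utc).isoformat(), actor, action))


def request_exception(exception_id: str, requester: str, description: str,
                      danger_level: int) -> PolicyException:
    """Only the limited set of requesters may open an exception."""
    if requester not in ALLOWED_REQUESTERS:
        raise ExceptionPolicyViolation(f"{requester} is not permitted to request exceptions")
    exc = PolicyException(exception_id, requester, description, danger_level)
    exc.record(requester, "requested")
    return exc


def authorize_exception(exc: PolicyException, authorizer: str) -> PolicyException:
    """Fewer people may authorize, and the requester must never be the authorizer."""
    if authorizer not in ALLOWED_AUTHORIZERS:
        raise ExceptionPolicyViolation(f"{authorizer} is not permitted to authorize exceptions")
    if authorizer == exc.requester:
        raise ExceptionPolicyViolation("the requester must never be the authorizer")
    if exc.authorizer is not None:
        raise ExceptionPolicyViolation(f"{exc.exception_id} is already authorized")
    exc.authorizer = authorizer
    exc.record(authorizer, "authorized")
    if exc.danger_level >= ESCALATION_LEVEL:
        # Above the danger threshold: IT security and the authorizer's direct manager are told.
        exc.escalated_to = ["it-security", DIRECT_MANAGER[authorizer]]
        exc.record("system", "escalated to " + ", ".join(exc.escalated_to))
    return exc


def is_rejected(action, *args) -> bool:
    """True if the control refuses the action (used for self-checks below)."""
    try:
        action(*args)
    except ExceptionPolicyViolation:
        return True
    return False


def audit_report(exceptions) -> list:
    """Flatten each exception and its full action trail for periodic auditing."""
    return [{"id": e.exception_id, "requester": e.requester, "authorizer": e.authorizer,
             "danger_level": e.danger_level, "escalated_to": list(e.escalated_to),
             "actions": [(actor, action) for _, actor, action in e.actions]}
            for e in exceptions]


if __name__ == "__main__":
    # CONSTRUCTED walk-through.
    high = authorize_exception(request_exception("EX-1", "alice", "temporary vendor access", 4), "carol")
    low = authorize_exception(request_exception("EX-2", "carol", "legacy protocol on one host", 1), "dave")
    print(is_rejected(authorize_exception, low, "carol"))  # requester == authorizer
    for row in audit_report([high, low]):
        print(row)
```

The audit report is what the periodic audit reviews; the escalation list on each record makes the "above a particular danger level" exceptions easy to pull out of it.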
2-23: Oversight
• Oversight
  • Oversight is a term for a group of tools for policy enforcement
  • Policy drives oversight, just as it drives implementation
• Promulgation
  • Communicate vision
  • Training
  • Stinging employees?
2-23: Oversight
• Electronic Monitoring
  • Electronically collected information on behavior
  • Widely done in firms and used to terminate employees
  • Warn subjects and explain the reasons for monitoring
2-23: Oversight
• Security Metrics
  • Indicators of compliance that are measured periodically
  • Percentage of passwords on a server that are crackable, etc.
  • Periodic measurement indicates progress in implementing a policy
2-23: Oversight
• Auditing
  • Samples information to develop an opinion about the adequacy of controls
  • Database information in log files and prose documentation
  • Extensive recording is required in most performance regimes
  • Avoidance of compliance is a particularly important finding
2-23: Oversight
• Auditing
  • Internal and external auditing may be done
  • Periodic auditing gives trends
  • Unscheduled audits trip up people who plan their actions around periodic audits
2-23: Oversight
• Anonymous Protected Hotline
  • Often, employees are the first to detect a serious problem
  • A hotline allows them to call it in
  • Must be anonymous and guarantee protection against reprisals
  • Offer incentives for heavily damaging activities such as fraud?
2-23: Oversight
• Behavioral Awareness
  • Misbehavior often occurs before serious security breaches
  • The fraud triangle indicates motive (see Figure 2-24)
2-23: Oversight
• Vulnerability Tests
  • Attack your own systems to find vulnerabilities
  • Free and commercial software
  • Never test without a contract specifying the exact tests, signed by your superior
  • The contract should hold you blameless in case of damage
2-23: Oversight
• Vulnerability Tests
  • External vulnerability testing firms have expertise and experience
  • They should have insurance against accidental harm and employee misbehavior
  • They should not hire hackers or former hackers
  • Should end with a list of recommended fixes
  • Follow-up should be done on whether these fixes occurred
2-25: Governance Frameworks
2-26: COSO
• Origins
• Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org)
• Ad hoc group to provide guidance on financial controls
• Focus
• Corporate operations, financial controls, and compliance
• Effectively required for Sarbanes–Oxley compliance
• Goal is reasonable assurance that goals will be met
2-26: COSO
• Components
• Control Environment
• General security culture
• Includes “tone at the top”
• If strong, weak specific controls may be effective
• If weak, strong controls may fail
• Major insight of COSO
2-26: COSO
• Components
• Risk assessment
• Ongoing preoccupation
• Control activities
• General policy plus specific procedures
2-26: COSO
• Components
• Monitoring
• Both human vigilance and technology
• Information and communication
• Must ensure that the company has the right information for controls
• Must ensure communication across all levels in the corporation
2-27: CobiT
• CobiT
• Control Objectives for Information and Related Technologies
• CIO-level guidance on IT governance
• Offers many documents that help organizations understand how to implement the framework
2-27: CobiT
• The CobiT Framework
• Four major domains (Figure 2-26)
2-27: CobiT
• The CobiT Framework
• Four major domains (Figure 2-26)
• 34 high-level control objectives
• Planning and organization (11)
• Acquisition and implementation (60)
• Delivery and support (13)
• Monitoring (4)
• More than 300 detailed control objectives
2-27: CobiT
• Dominance in the United States
• Created by the IT Governance Institute
• Which is part of the Information Systems Audit and Control Association (ISACA)
• ISACA is the main professional accrediting body of IT auditing
• Certified Information Systems Auditor (CISA) certification
2-29: The ISO/IEC 27000 Family of Security Standards
• ISO/IEC 27000
• Family of IT security standards with several individual standards
• From the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
• ISO/IEC 27002
• Originally called ISO/IEC 17799
• Recommendations in 11 broad areas of security management
2-29: The ISO/IEC 27000 Family of Security Standards
• ISO/IEC 27002: Eleven Broad Areas
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
2-29: The ISO/IEC 27000 Family of Security Standards
• ISO/IEC 27001
• Created in 2005, long after ISO/IEC 27002
• Specifies certification by a third party
• COSO and CobiT permit only self-certification
• Business partners prefer third-party certification
• Other 27000 Standards
• Many more 27000 standards documents are under preparation
The End
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall