Dr. Faisal Abdullah, CISSP, CISA, ACE
Associate Professor of Management Information Systems

Dr. Faisal Abdullah
• Director of the Master of Science in Information Security Program (MSIS)
• Associate Professor of MIS
• Research and teaching interests include:
  – Information Security Risk Analysis
  – Computer Forensics
  – Management of Information Security

Lewis University
• Founded in 1932 on a 376-acre campus in Romeoville, IL
• Offers 80 undergraduate and 25 graduate programs to approximately 6,500 students
• Guided by its Catholic and Lasallian heritage
• Nationally recognized by
• Lewis is playing the University of Southern California in the NCAA National Collegiate Men's Volleyball Championship at 8pm PST this evening

MSIS
• MSIS Program
  – This online degree program explores the theory and practice of IT security on a global scale, the latest advances in all of the involved technologies, and the legal and ethical issues facing IT security professionals.
  – Outcomes map to eleven certifications including CISSP, CISM, CEH, CRISC
  – 2 concentrations: Managerial and Technical
  – To learn more, visit online.lewisu.edu or call 1-866-967-7046

Technology and Non-Profit Organizations
• Connectivity and an Internet presence are vital to any organization
• Non-profit organizations use information technology to
  – disseminate information
  – raise funds
  – manage resources

Information Security and Non-profits
• Most non-profits focus their strategies mainly on
  – fundraising
  – operations
• Not on information security and data protection
Information Security and Non-profits
• Non-profit organizations face the same information security threats as any other organization
• But they do not have the same resources available to for-profit companies
• According to the FBI, non-profit organizations are most susceptible to security incidents

Data Assets of a Non-profit Organization
• Donor records
  – personal information
  – addresses
  – phone numbers
• Donor credit card details
• Donor bank information
• Organizational data

Data Assets of a Healthcare Non-profit Organization
• Confidential patient information
  – patient names
  – patient addresses
  – medical history
  – family information

Risks of Losses to Non-profit Organizations
• Financial loss
• Loss of reputation
• Damaged employee morale and defections
• Donor disenchantment and loss
• Litigation

How to Protect Your Organization?
• Information security is a technical business discipline
• Protect your organization by mitigating risks
• Use qualitative and quantitative techniques for risk assessment

What is Risk Management?
• The process of identifying and controlling the risks facing an organization
• Involves identifying the organization's assets and identifying threats and vulnerabilities to them
• Know yourself and know the enemy
• Management buy-in is crucial for risk management
Top-down Approach

Risk Management
• Step 1: Identify assets
• Step 2: Identify the value of assets
• Step 3: Identify vulnerabilities of assets
• Step 4: Threat identification
• Step 5: Assess the exposure of the asset to a particular threat

Risk Management
• Step 6: Calculate the loss from a single incident
• Step 7: Assess the likelihood of occurrence for each threat
• Step 8: Calculate the losses per year from each threat
• Step 9: Identify controls
• Step 10: Constant evaluation and maintenance

Risk Management Step 1 – Identify Assets
• Inventory all data and information assets
• The IT department may already have a list of all IT assets

Risk Management Step 1 – Identify Assets
• Determine the location of the data assets
  – Donor information
  – Credit card and financial information
  – Campaign plans
  – Employee data
  – Healthcare data
  – Anything valuable to the organization

Risk Management Step 2: Value of Tangible Assets
• Calculate the Asset Value (AV)
  – Tangible and intangible
• For tangible assets consider
  – Purchase cost
  – Installation cost
  – Troubleshooting cost
  – Contingencies
  – Loss of business services to outside customers
  – Loss of business services to internal employees
(Ding Tan, 2002)

Risk Management Step 2: Value of Intangible Assets
• For intangible assets (goodwill, reputation)
  – Income approach: the economic benefit of the asset
  – Consider the cost of litigation
(Ding Tan, 2002)
Risk Management Step 3: Identify Vulnerabilities of Assets
• Identify logical and physical vulnerabilities
• Conduct a vulnerability assessment and a penetration test
• For an independent evaluation, hire an independent firm or outside consultant

Risk Management Step 4: Threat Identification
• Realistic threats
• Identify threats based on the vulnerabilities identified in Step 3

Risk Management Step 4: Threat Identification
• Sources of internal data
  – IT help desk
  – Users
  – Managers and supervisors
  – Human Resources department

Risk Management Step 4: Threat Identification
• Sources of external data
  – Threat advisories
  – Industry and peer reports
  – Insurance reports
  – Government reports
  – National Weather Bureau

Risk Management Step 5: Exposure of an Asset
• Evaluate the robustness of existing controls
  – Exposure Factor (EF)
(Ding Tan, 2002)

Risk Management Step 5: Exposure of an Asset
Start with 100% as the starting exposure factor and answer each of the following questions:
1. Does the system under attack have any redundancies / backups / copies?
   Subtract 30% if the answer is YES.
2. Is the system under attack behind a firewall?
   Subtract 10% if the answer is YES.
3. Is the attack from outside?
   Subtract 20% if the answer is YES.
4. What is the potential rate of attack? (e.g. 10% damage / hour vs. 10% damage / minute)
   Subtract 20% if the rate is less than 20% damage/hour.
   Subtract 40% if the rate is less than 2% damage/hour.
5. What is the likelihood that the attack will go undetected in time for a full recovery?
   Subtract 10% if the probability of being undetected is less than 20%.
   Subtract 30% if the probability of being undetected is less than 10%.
6. How soon can countermeasures be implemented, if at all?
   Subtract 30% if the countermeasure can be implemented within ½ hour.
   Subtract 20% if the countermeasure can be implemented within 1 hour.
   Subtract 10% if the countermeasure can be implemented within 2 hours.

Risk Assessment Step 6: Loss from an Incident
• Calculate the loss from a one-time occurrence of a threat
• Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
(Ding Tan, 2002)

Risk Assessment Step 7: Likelihood of Occurrence
• Assess the likelihood of occurrence for each threat during a period of one year
  – Annual Rate of Occurrence (ARO)

Risk Assessment Step 7: Likelihood of Occurrence
• Assess ARO from internal resources
  – IT help desk
  – Users
  – Managers and supervisors
  – Human Resources department

Risk Assessment Step 7: Likelihood of Occurrence
• Assess ARO from external resources
  – Threat advisories
  – Industry and peer reports
  – Insurance reports
  – Government reports
  – National Weather Bureau data

Risk Management Step 8: Loss per Year
• Calculate the Annual Loss Expectancy (ALE)
  – Losses per year from each threat
• Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)
(Ding Tan, 2002)

Risk Assessment Example (Ding Tan, 2002)
Vulnerability: Unsecured data server
Threat: Loss of proprietary software – outsider attack

EF calculation (start at 100%):
  Backup copies: NO                                        less 0%
  System behind firewall: NO                               less 0%
  Attack from outside: YES                                 less 20%
  Potential rate of attack: less than 20% damage/hour      less 20%
  Likelihood attack will be undetected: less than 20%      less 10%
  Countermeasures: implemented within 2 hours              less 10%
  EF                                                       40%

  Asset Value (value of the proprietary software)          100,000
  SLE = Asset Value x EF                                   40,000
  ARO                                                      2
  ALE = SLE x ARO                                          80,000

Risk Management Step 9: Identify Controls
• Identify controls based on the risk from each threat
• Mitigate risks to an acceptable level by applying controls

Risk Management Step 9: Identify Controls
• Controls can be
  – Good policies
  – Security awareness
  – Employee and user training
  – Software controls
  – Hardware controls
  – Personnel controls

Risk Management Step 9: Identify Controls
• Cost-benefit analysis
  – Cost of implementing a control
  – Benefit: reduction in losses from a threat

Risk Management Step 10: Constant Evaluation of Controls
• Test and implement controls
• Periodic evaluation to assess the efficacy of the controls
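The following is an added worked example, not code from the slides or from Ding Tan. It encodes the Step 5 exposure-factor worksheet, the Step 6 and Step 8 formulas (SLE = AV x EF, ALE = SLE x ARO), reproduces the slides' example (EF 40%, SLE 40,000, ALE 80,000), and then carries the result into the Step 9 cost-benefit question for one candidate control. The field names, the treatment of the tiered questions as exclusive tiers, the clamping of EF at 0%, the "add backups" control and its $15,000 annual cost, and the net-benefit formula (ALE reduction minus control cost) are all assumptions introduced here; the slides name the cost and benefit terms but do not give that formula.

```python
"""Quantitative risk assessment worksheet: EF -> SLE -> ALE -> control cost-benefit.

Added example, not from the slides.  Field names, tier handling, the
control and its cost are assumptions noted in the comments.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class ExposureAnswers:
    """Answers to the six Step 5 worksheet questions (field names are ours)."""
    has_backups: bool            # Q1: redundancies / backups / copies exist
    behind_firewall: bool        # Q2: system is behind a firewall
    attack_from_outside: bool    # Q3: attack originates outside
    damage_rate_per_hour: float  # Q4: fraction of the asset destroyed per hour (0.10 = 10%/hour)
    p_undetected: float          # Q5: probability the attack is not detected in time for full recovery
    countermeasure_hours: Optional[float]  # Q6: hours until a countermeasure is in place; None = never


def exposure_factor_percent(a: ExposureAnswers) -> int:
    """Start at 100% and subtract per the worksheet; the result is clamped at 0%.

    Assumption: within Q4, Q5 and Q6 the tiers are exclusive, so a 1%/hour
    attack earns the 40% deduction only, not 40% + 20%.
    """
    ef = 100
    if a.has_backups:
        ef -= 30
    if a.behind_firewall:
        ef -= 10
    if a.attack_from_outside:
        ef -= 20
    if a.damage_rate_per_hour < 0.02:
        ef -= 40
    elif a.damage_rate_per_hour < 0.20:
        ef -= 20
    if a.p_undetected < 0.10:
        ef -= 30
    elif a.p_undetected < 0.20:
        ef -= 10
    if a.countermeasure_hours is not None:
        if a.countermeasure_hours <= 0.5:
            ef -= 30
        elif a.countermeasure_hours <= 1:
            ef -= 20
        elif a.countermeasure_hours <= 2:
            ef -= 10
    # The deductions add up to more than 100%, so a well-defended asset can go
    # negative on paper; an exposure factor below 0% is meaningless, so clamp.
    return max(ef, 0)


def single_loss_expectancy(asset_value: float, ef_percent: int) -> float:
    """Step 6: SLE = AV x EF (EF kept as an integer percent to avoid float drift)."""
    return asset_value * ef_percent / 100


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step 8: ALE = SLE x ARO, with ARO (Step 7) in occurrences per year."""
    return sle * aro


def assess(asset_value: float, answers: ExposureAnswers, aro: float) -> dict:
    """Run Steps 5, 6 and 8 for one asset/threat pair."""
    ef = exposure_factor_percent(answers)
    sle = single_loss_expectancy(asset_value, ef)
    return {"ef_percent": ef, "sle": sle, "ale": annual_loss_expectancy(sle, aro)}


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Step 9 cost-benefit (assumed form): reduction in ALE minus the yearly cost
    of the control.  Positive means the control pays for itself."""
    return (ale_before - ale_after) - annual_control_cost


# The slides' own example: unsecured data server, loss of proprietary software to an outsider.
SLIDE_EXAMPLE = ExposureAnswers(
    has_backups=False, behind_firewall=False, attack_from_outside=True,
    damage_rate_per_hour=0.10, p_undetected=0.15, countermeasure_hours=2.0,
)
# Hypothetical control: add backups, so only Q1 changes; assumed to cost $15,000 per year.
WITH_BACKUPS = replace(SLIDE_EXAMPLE, has_backups=True)
BACKUP_ANNUAL_COST = 15_000


def backup_decision(asset_value: float = 100_000, aro: float = 2) -> dict:
    """Compare ALE before and after the hypothetical backup control."""
    before = assess(asset_value, SLIDE_EXAMPLE, aro)
    after = assess(asset_value, WITH_BACKUPS, aro)
    return {
        "ale_before": before["ale"],
        "ale_after": after["ale"],
        "net_benefit": control_net_benefit(before["ale"], after["ale"], BACKUP_ANNUAL_COST),
    }


if __name__ == "__main__":
    print(assess(100_000, SLIDE_EXAMPLE, aro=2))  # EF 40%, SLE 40000, ALE 80000 as on the slide
    print(backup_decision())                      # ALE drops to 20000; net benefit 45000 per year
```

Running the block reproduces the slide's figures and then shows why the worksheet is useful for Step 9: adding backups alone cuts EF from 40% to 10%, so ALE falls from 80,000 to 20,000, and a control costing 15,000 a year is clearly worth buying. The clamp matters in practice: the six deductions can exceed 100%, and without it a heavily defended asset would report a negative loss.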