
Risk Management Lecture 1 - Spring 2023

CSCI-618: Information Security Risk Management and Legal Issues
Introduction
Maryam Hamidirad
• Course instructor
• Head of Risk & Compliance
• Email address: mhamidir@nyit.edu
Text Books
Chapter 1: Why Study Information Security
Objectives
■ Recognize the growing importance of information security specialists
■ Develop a strategy for pursuit of a career in information security
■ Comprehend information security in the context of the mission of a business
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
Information is gold and it can be robbed and stolen
Introduction
■ To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists
■ An information security specialist is more than a technician who prevents hackers from attacking a web site
Introduction (cont.)
■ You might ask yourself: Why study information security?
■ In this class, we’ll examine both the practical and theoretical skills security specialists use to protect information systems
The Growing Importance of IT Security and New Career Opportunities
■ Increased services to both vendors and employees create worlds of possibilities in satisfying customer needs, but …
■ They also create risks to the confidentiality, integrity, and availability of confidential or sensitive data
“It is not a matter of if you will be compromised, it is when.”
“There are only two types of companies: those that know they’ve been compromised and those that do not know.”
Recent cyber attacks
Information security resource shortage
• Global IT security skills shortages have now surpassed four million, according to (ISC)2.
• (ISC)2 claimed the global security workforce needs to increase by 145% to cope with a surge in hiring demand
• The future is digital and the demand is going to increase even more
Becoming an Information Security Specialist
• Getting a degree in information security will involve taking classes in security architecture, laws and ethics, access control, disaster recovery and planning
• Get the right certification
  • Certified Information Systems Security Professional (CISSP)
  • System Security Certified Practitioner (SSCP)
  • Global Information Assurance Certification (GIAC): www.giac.org
• Consider earning a graduate degree in INFOSEC
• Increase your disaster recovery and risk management skills (DRI or CBCI)
• Build a home laboratory
Becoming an Information Security Specialist (cont.)
• Give something back to the INFOSEC community
• Get on a project working with strategic partners
• Consider an internship in IS
• Take a second look at government jobs
Multidisciplinary Approach
• Security professionals must think like business leaders
• Exposure to nontechnical areas gives INFOSEC professionals a greater ability to address and resolve complex problems
  • Including probability and statistics, psychology, English, foreign languages, philosophy, ethics, history, and so on
• A wide range of educational experiences is a good foundation for an INFOSEC career
Cyber security is not an IT issue, it is a business issue
Contextualizing Information Security
Information security draws upon the best practices and experiences from multiple domains, including:
• Compliance, policies, and standards
• Administration, auditing, access controls, and permission controls
• Intrusion detection and prevention and incident response
• Software development security
• Physical security
• Operations control
• Public key infrastructure and key management
• Disaster recovery
• Security testing
• Antivirus solutions
• Training and awareness
Information Security Careers Meet the Needs of Business
To support business operations, a number of common positions and career opportunities are needed:
• Security administrators
• Access coordinators
• Security architects and network engineers
• Security consultants
Information Security Careers Meet the Needs of Business (cont.)
• Security testers
• Policymakers and standards developers
• Compliance officers
• Incident response team members
• Governance and vendor managers
Summary
• Networked systems remain vulnerable to attacks from within and outside an organization
• The explosive growth of e-commerce and the pervasive personal and business uses of the Internet have created a growing demand for information security professionals
• The principles, approaches, and concepts in INFOSEC should work together to provide the harmonious mix of risk and reward that modern business demands
Chapter 1: “Risk Management Fundamentals”
Key Concepts
▪ Defining risk
▪ Balancing risk
▪ Seven domains of a typical IT infrastructure
▪ Addressing confidentiality, integrity, and availability
▪ Compliance laws and regulations
▪ Standards and guidelines used for compliance
Managing Risk in Information Systems, © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved.
What Is Risk?
▪ Risk: The likelihood that a loss will occur. Losses occur when a threat
exposes a vulnerability.
▪ Threat: Any activity that represents a possible danger.
▪ Vulnerability: A weakness.
▪ Loss: A loss results in a compromise to business functions or assets.
▪ Tangible
▪ Intangible
Example
Risk-Related Concerns for Business
▪ Compromise of business functions
▪ Compromise of business assets
▪ Driver of business costs
▪ Profitability versus survivability
Seven Domains of a Typical IT Infrastructure
Addressing CIA
▪ Confidentiality
▪ Integrity
▪ Availability
Why does CIA matter?
Crown jewel assets are the assets critical to an organization achieving its mission, strategy and objectives. Each crown jewel has been classified by its confidentiality (C), integrity (I) and availability (A) requirements, to understand which security controls are most important to ensure the asset is protected.

Crown Jewel            | Category | Description
ERP management system  | System   | Solution used for customer order processing and supply chain
Customer information   | Data     | Customer information, order history and inventory prices
Employee information   | Data     | Employee information stored for payroll and other HR-related purposes

Each crown jewel is rated High, Medium or Low in the C, I and A columns (the per-asset ratings appear only in the original slide figure).
Risk Management
▪ Risk: probability of loss
▪ Threat: potential harm
▪ Vulnerability: system weakness
Risk Management Elements/Process (a continuous cycle)
▪ Identify risks to manage
▪ Assess risks
▪ Select controls
▪ Implement and test controls
▪ Evaluate controls
Survivability, and Balancing Risk and Cost
▪ Consider the cost to implement a control and the cost of not implementing the control
▪ Spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business’s survivability
▪ The cost to manage a risk must be balanced against the impact value
Survivability, and Balancing Risk and Cost (Continued)
Role-based Perceptions of Risk
▪ Management
▪ System administrator
▪ Tier 1 administrator
▪ Developer
▪ End user
Risk Identification Process
▪ Identify threats
▪ Identify vulnerabilities
▪ Estimate the likelihood of a threat exploiting a vulnerability
Risk Identification Elements
Component: Threats. Type or source:
▪ External or internal
▪ Natural or man-made
▪ Intentional or accidental
Component: Vulnerabilities. Type or source:
▪ Audit
▪ Certification/accreditation records
▪ System logs
▪ Prior event
▪ Trouble reports
▪ Incident response teams
Techniques of Risk Management
Various techniques of risk management:
▪ Avoidance
▪ Transfer
▪ Mitigation
▪ Acceptance
Related concepts: cost-benefit analysis and residual risk
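An added example (not code from the lecture or either textbook) that applies the four techniques above with the cost-benefit test from the survivability slide and reports residual risk. The expected-loss model (likelihood x impact), the activity_value and transfer_premium parameters, and every asset, threat, control and cost figure are constructed assumptions.

```python
# Added example (not the lecture's or either textbook's code): a toy risk register that
# applies the slide's cost-benefit test to pick a treatment and report residual risk.
# The expected-loss model (likelihood x impact) and every figure below are constructed.
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of the threat likelihood removed, 0..1

@dataclass
class Risk:
    asset: str           # crown jewel the risk applies to
    threat: str          # potential harm
    vulnerability: str   # system weakness
    likelihood: float    # estimated chance per year the threat exploits the vulnerability
    impact: float        # loss if it does
    options: list = field(default_factory=list)  # candidate mitigating controls

    def expected_loss(self, likelihood=None):
        return (self.likelihood if likelihood is None else likelihood) * self.impact

def treat(risk, activity_value, transfer_premium=None):
    """Return (technique, residual expected loss), choosing the option with the lowest
    cost + residual. Transfer assumes the insurer carries the whole loss for the premium."""
    base = risk.expected_loss()
    candidates = [("accept", 0.0, base)]  # (technique, annual cost, residual loss)
    for c in risk.options:
        residual = risk.expected_loss(risk.likelihood * (1 - c.likelihood_reduction))
        candidates.append(("mitigate:" + c.name, c.annual_cost, residual))
    if transfer_premium is not None:
        candidates.append(("transfer", transfer_premium, 0.0))
    technique, cost, residual = min(candidates, key=lambda t: t[1] + t[2])
    if cost + residual >= activity_value:  # even the best option costs more than the activity earns
        return "avoid", 0.0
    return technique, residual

def prioritize(risks):  # evaluate step: order the register by expected loss, largest first
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)

# Constructed register around two crown jewels named on the slide
RISKS = [
    Risk("ERP management system", "ransomware", "unpatched application server", 0.20, 500_000,
         [Control("patch management", 40_000, 0.75), Control("offline backups", 25_000, 0.50)]),
    Risk("Customer information", "data theft", "excessive database privileges", 0.10, 300_000,
         [Control("least-privilege review", 10_000, 0.60)]),
]
```

Lowering activity_value below the cheapest treatment's cost plus residual flips the decision to avoidance, which is how the slide's profitability-versus-survivability trade-off shows up in the numbers.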
Next Lecture
TEXT 1: Chapter 2 Information Security Principles of Success
TEXT 2: Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits
Quiz #1