CSCI-618: Information Security Risk Management and Legal Issues

Introduction
Maryam Hamidirad
• Course instructor
• Head of Risk & Compliance
• Email address: mhamidir@nyit.edu

Text Books
• Information Security: Principles and Practices, 2nd Edition (Pearson Education, 2014)
• Managing Risk in Information Systems (Jones and Bartlett Learning, 2015)

Chapter 1: Why Study Information Security

Objectives
■ Recognize the growing importance of information security specialists
■ Develop a strategy for pursuit of a career in information security
■ Comprehend information security in the context of the mission of a business
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

Information is gold and it can be robbed and stolen

Introduction
■ To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists
■ An information security specialist is more than a technician who prevents hackers from attacking a web site

Introduction (cont.)
■ You might ask yourself: Why study information security?
■ In this class, we’ll examine both practical and theoretical skills security specialists use to protect information systems

The Growing Importance of IT Security and New Career Opportunities
■ Increased services to both vendors and employees create worlds of possibilities in satisfying customer needs, but …
■ They also create risks to the confidentiality, integrity, and availability of confidential or sensitive data

“It is not a matter of if you will be compromised, it is when.”
“There are only two types of companies: those that know they’ve been compromised and those that do not know.”

Recent cyber attacks

Information security resource shortage
• Global IT security skills shortages have now surpassed four million, according to (ISC)2.
• (ISC)2 claimed the global security workforce needs to increase by 145% to cope with a surge in hiring demand
• The future is digital and the demand is going to increase even more

Becoming an Information Security Specialist
• Getting a degree in information security will involve taking classes in security architecture, laws and ethics, access control, disaster recovery and planning
• Get the right certification
  • Certified Information Systems Security Professional (CISSP)
  • System Security Certified Practitioner (SSCP)
  • Global Information Assurance Certification (GIAC): www.giac.org
• Consider earning a graduate degree in INFOSEC
• Increase your disaster recovery and risk management skills (DRI or CBCI)
• Build a home laboratory

Becoming an Information Security Specialist (cont.)
• Give something back to the INFOSEC community
• Get on a project working with strategic partners
• Consider an internship in IS
• Take a second look at government jobs

Multidisciplinary Approach
• Security professionals must think like business leaders
• Exposure to nontechnical areas gives INFOSEC professionals a greater ability to address and resolve complex problems
• Including probability and statistics, psychology, English, foreign languages, philosophy, ethics, history, and so on
• A wide range of educational experiences is a good foundation for an INFOSEC career

Cyber security is not an IT issue, it is a business issue

Contextualizing Information Security
Information security draws upon the best practices and experiences from multiple domains, including:
• Compliance, policies, and standards
• Administration, auditing, access controls, and permission controls
• Intrusion detection and prevention, and incident response
• Software development security
• Physical security
• Operations control
• Public key infrastructure and key management
• Disaster recovery
• Security testing
• Antivirus solutions
• Training and awareness

Information Security Careers Meet the Needs of Business
To support business operations, a number of common positions and career opportunities are needed:
• Security administrators
• Access coordinators
• Security architects and network engineers
• Security consultants
• Security testers
• Policymakers and standards developers
• Compliance officers
• Incident response team members
• Governance and vendor managers

Summary
• Networked systems remain vulnerable to attacks from within and outside an organization
• The explosive growth of e-commerce and the pervasive personal and business uses of the Internet have created a growing demand for information security professionals
• The principles, approaches, and concepts in INFOSEC should work together to provide the harmonious mix of risk and reward that modern business demands

Chapter 1: “Risk Management Fundamentals”

Key Concepts
▪ Defining risk
▪ Balancing risk
▪ Seven domains of a typical IT infrastructure
▪ Addressing confidentiality, integrity, and availability
▪ Compliance laws and regulations
▪ Standards and guidelines used for compliance
Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

What Is Risk?
▪ Risk: The likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability.
▪ Threat: Any activity that represents a possible danger.
▪ Vulnerability: A weakness.
▪ Loss: A loss results in a compromise to business functions or assets.
  ▪ Tangible
  ▪ Intangible

Example Risk-Related Concerns for Business
▪ Compromise of business functions
▪ Compromise of business assets
▪ Driver of business costs
▪ Profitability versus survivability

Seven Domains of a Typical IT Infrastructure

Addressing CIA
▪ Confidentiality
▪ Integrity
▪ Availability

Why does CIA matter?
Crown jewel assets are the critical assets an organization needs in order to achieve its mission, strategy and objectives. Each crown jewel has been classified based on its confidentiality (C), integrity (I) and availability (A) requirements, to understand which security controls would be most important to ensure the asset is protected.

Crown Jewel            | Category | Description
ERP management system  | System   | Solution used for customer order processing and supply chain
Customer information   | Data     | Customer information, order history and inventory prices
Employee information   | Data     | Employee information stored for payroll and other HR-related purposes

Each crown jewel is then rated High, Medium or Low against each of C, I and A.

Risk Management
▪ Risk: probability of loss
▪ Threat: potential harm
▪ Vulnerability: system weakness

Risk Management Elements/Process
Identify risks to manage → Assess risks → Select controls → Implement and test controls → Evaluate controls

Survivability, and Balancing Risk and Cost
▪ Consider the cost to implement a control and the cost of not implementing the control
▪ Spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business’s survivability
▪ Cost to manage a risk must be balanced against the impact value

Role-based Perceptions of Risk
▪ Management
▪ System administrator
▪ Tier 1 administrator
▪ Developer
▪ End user

Risk Identification Process
Identify threats → Identify vulnerabilities → Estimate likelihood of a threat exploiting a vulnerability

Risk Identification Elements
Threats (type or source):
▪ External or internal
▪ Natural or man-made
▪ Intentional or accidental
Vulnerabilities (sources of information):
▪ Audit
▪ Certification/accreditation records
▪ System logs
▪ Prior event
▪ Trouble reports
▪ Incident response teams

Techniques of Risk Management
▪ Avoidance
▪ Transfer
▪ Mitigation
▪ Acceptance
Supporting concepts: cost-benefit analysis, residual risk
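An added example (not from either textbook or the course slides) that ties the risk-management concepts above together in Python: a register of crown jewels with C/I/A ratings, each risk recorded as a threat exposing a vulnerability with a likelihood and an impact value, and a cost-benefit choice among the treatment techniques that also reports the inherent risk. The High/Medium/Low-to-probability mapping, the priority ranking and every figure in the register are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed probability of loss and rank per rating; the course defines the levels, not these numbers.
PROBABILITY = {"Low": 0.1, "Medium": 0.4, "High": 0.8}
RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Treatment:
    technique: str            # Avoidance, Transfer, Mitigation or Acceptance
    annual_cost: float        # cost of applying the technique
    residual_likelihood: str  # likelihood left after the technique is applied

@dataclass
class Risk:
    asset: str           # crown jewel from the CIA classification slide
    cia: dict            # e.g. {"C": "High", "I": "High", "A": "Medium"}
    threat: str          # activity that represents a possible danger
    vulnerability: str   # weakness the threat could expose
    likelihood: str      # likelihood the threat exploits the vulnerability
    impact_value: float  # estimated loss if the risk is realised (constructed)
    treatments: list = field(default_factory=list)

def expected_loss(likelihood, impact_value):
    """Risk as the slides define it: likelihood of a loss, weighted by its size."""
    return PROBABILITY[likelihood] * impact_value

def crown_jewel_priority(risk):
    """Highest C/I/A requirement decides which assets get controls first."""
    return max(RANK[level] for level in risk.cia.values())

def choose_treatment(risk):
    """Cost-benefit analysis: lowest annual cost plus residual expected loss wins."""
    # Acceptance (keep the inherent risk, spend nothing) is always an option.
    options = risk.treatments + [Treatment("Acceptance", 0.0, risk.likelihood)]
    scored = [(t.annual_cost + expected_loss(t.residual_likelihood, risk.impact_value),
               t.technique) for t in options]
    total, technique = min(scored)
    return {"asset": risk.asset, "technique": technique, "total_cost": total,
            "inherent": expected_loss(risk.likelihood, risk.impact_value)}

# Constructed register; the figures are illustrative, not from the course.
REGISTER = [
    Risk("Employee information", {"C": "Medium", "I": "Medium", "A": "Low"},
         "Accidental disclosure", "Shared payroll spreadsheet", "Medium", 40_000.0,
         [Treatment("Mitigation", 25_000.0, "Low")]),
    Risk("Customer information", {"C": "High", "I": "High", "A": "Medium"},
         "External attacker", "Unpatched web front end", "High", 500_000.0,
         [Treatment("Mitigation", 60_000.0, "Low"), Treatment("Transfer", 90_000.0, "Medium")]),
]
```

For the employee-data risk the only control costs more than the risk it removes, so the cheapest outcome is to accept it; for customer data the mitigation pays for itself and is chosen.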
Next Lecture
• TEXT 1: Chapter 2, Information Security Principles of Success
• TEXT 2: Chapter 2, Managing Risk: Threats, Vulnerabilities, and Exploits
• Quiz #1