Jing_Zhang

Topic: Information Security Risk Management Framework:
China Aerospace Systems Engineering Corporation (Case Study)
Supervisor: Dr. Raymond Choo
Student: Jing Zhang
Presentation outline
Background
Research question
Literature finding
Case study
• Threat landscape
• Risk framework (Case study company)
• Comparison and improvement
Conclusion
Background
Cybercrime impact faced by companies
75 billion USD in financial losses each year in the United States
Target: e-commerce, sensitive information
Attack type: e-mail spoofing, phishing, malware installation, etc.
Reason: counterfeit software, low employee security awareness, etc.
Research questions
What are the (cyber) threat landscape and the emerging trends and
challenges that would have an impact on the China Aerospace
Systems Engineering Corporation (Case Study Company)?
What are the limitations of existing information security risk
management frameworks and/or how can existing frameworks be
adapted in the Case Study Company?
Literature finding
Three international risk management frameworks:
NIST SP 800-30 (National Institute of Standards and Technology), USA
ISO 31000 (International Organization for Standardization), Australia
ENISA (European Network and Information Security Agency), European countries
Literature finding (Cont’d)
Terminology and risk management phases
First phase
  NIST SP 800-30: (none listed)
  ISO 31000: Mandate and commitment; Design of framework for managing risk
  ENISA: Corporate risk management strategy
Second phase
  NIST SP 800-30: Risk assessment; Risk mitigation
  ISO 31000: Implementing risk management
  ENISA: Risk assessment; Risk treatment; Risk acceptance (optional)
Third phase
  NIST SP 800-30: Evaluation and assessment
  ISO 31000: Monitoring and review of the framework; Continual improvement of the framework
  ENISA: Monitoring and review
Literature finding (Cont’d)
NIST sp800-30
Literature finding (Cont’d)
ISO 31000
Literature finding (Cont’d)
ENISA
Case study
Threat landscape
• Phishing: online shopping, ticket selling, travel agencies, Internet banking
• Mobile device attacks: stealing e-mail accounts and mobile banking information,
unauthorised charges (premium SMS)
• Advanced Persistent Threat (APT): enterprise-level attacks with more specific
targets, aimed at sensitive information
Case study (Cont’d)
Risk framework (Case study company)
Risk management process: risk identification, risk analysis, risk treatment,
control implementation, risk monitoring and control improvement,
communication
• Risk identification:
Information assets (system, software, hardware, employees and archived data)
Threats (non-human, human)
Vulnerabilities (technical, operational, management)
• Risk analysis:
Likelihood (attractiveness of each information asset) and consequence
(financial: both information value and recovery cost)
Case study (Cont’d)
Risk framework (Case study company)
• Risk treatment:
Control method: Risk avoidance, Risk transformation, Risk minimisation,
Risk acceptance
Control category: Technical control, Operation control, Management control
Cost benefit analysis: Purchase cost, Continuing cost, Employee training
cost
• Control implementation:
Implementation report: timeline, responsibility
• Risk monitoring and control improvement:
New risk treatment plan after review and monitoring
• Communication
Case study (Cont’d)
Risk framework (Case study company)
Implementation plan: Planning and preparation, Deployment and
implementation, Monitoring and improvement
• Planning and preparation:
Secure support from the senior management team and related departments
(human, physical, financial and timing support)
Main actors and responsibilities: information security team, IT group,
Human Resources, Financial department
Security control selection and implementation: economic factor, timing
factor, technical factor, control implementation plan
Case study (Cont’d)
Risk framework (Case study company)
• Deployment and implementation
Security training: User training, Manager training, Security staff training
• Monitoring and improvement
Mitigation plan: internal and external network data exchange policy,
security auditing, access control, etc.
Case study (Cont’d)
Comparison and improvement:
Features missing from the company framework:
• Context establishment (ISO 31000 and ENISA), system characterisation
(NIST), risk criteria (ISO)
• Motivation analysis (NIST); organisational processes, stakeholder concerns
and expertise-based decisions, organisational risk attitude and tolerance (ISO
31000, ENISA)
• Cost-benefit analysis (NIST): effect of implementing, effect of not implementing,
implementation cost
• Positive risk (ENISA)
• Risk assessment and mitigation activities (NIST)
• Residual risk (all three frameworks)
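The risk management process on the earlier case-study slides (identification, analysis as likelihood and consequence, treatment options and cost-benefit analysis) and the three gaps listed just above (risk criteria, cost-benefit with implementing versus not implementing, residual risk) can be exercised together in a small risk register. The following is an added example written for this page, not code from the presentation or from the case-study company; the 1-to-5 scales, the treatment thresholds, the control effects and every asset, threat and cost value are constructed assumptions, and the rule that expected loss scales with the risk score is a deliberate simplification.

```python
"""Toy risk register: identify -> analyse -> treat -> track residual risk.

Added example with constructed data and assumed risk criteria; it is not the
case-study company's framework or any standard's reference implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Qualitative 1..5 scales (assumed; the slides name the two factors, not a scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def treatment_for(score: int) -> str:
    """Risk criteria: map a likelihood x consequence score to a default treatment.
    Thresholds are assumptions for this example."""
    if score >= 20:
        return "avoid"
    if score >= 12:
        return "minimise"
    if score >= 6:
        return "transfer"
    return "accept"


@dataclass
class Control:
    name: str
    category: str                   # technical / operational / management
    purchase_cost: float            # one-off
    continuing_cost: float          # per year
    training_cost: float            # one-off
    likelihood_reduction: int = 0   # steps down the likelihood scale
    consequence_reduction: int = 0  # steps down the consequence scale

    def annual_cost(self, years: int) -> float:
        """One-off costs spread over the planning horizon plus the running cost."""
        return (self.purchase_cost + self.training_cost) / years + self.continuing_cost


@dataclass
class Risk:
    asset: str
    threat: str             # human or non-human
    vulnerability: str      # technical, operational or management
    likelihood: str
    consequence: str
    annual_loss: float      # expected yearly loss if untreated (information value + recovery)
    control: Optional[Control] = None

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_score(self) -> int:
        """Score remaining after the selected control; each axis floors at 1."""
        if self.control is None:
            return self.inherent_score()
        like = max(1, LIKELIHOOD[self.likelihood] - self.control.likelihood_reduction)
        cons = max(1, CONSEQUENCE[self.consequence] - self.control.consequence_reduction)
        return like * cons

    def residual_loss(self) -> float:
        # Simplifying assumption: expected loss scales with the risk score.
        return self.annual_loss * self.residual_score() / self.inherent_score()

    def net_benefit(self, years: int = 3) -> float:
        """Cost-benefit: loss avoided by implementing minus annualised control cost.
        Negative means not implementing is cheaper than the control."""
        if self.control is None:
            return 0.0
        return (self.annual_loss - self.residual_loss()) - self.control.annual_cost(years)


def build_register() -> list:
    """Constructed sample register; values are illustrative, not company data."""
    awareness = Control("security awareness training", "management", 0, 5_000, 15_000,
                        likelihood_reduction=2)
    mdm = Control("mobile device management", "technical", 9_000, 3_000, 1_500,
                  likelihood_reduction=2)
    segmentation = Control("network segmentation and access control", "technical",
                           120_000, 20_000, 10_000, likelihood_reduction=1, consequence_reduction=2)
    return [
        Risk("employee e-mail accounts", "phishing (human)", "low security awareness (operational)",
             "likely", "moderate", 60_000, awareness),
        Risk("staff mobile devices", "premium SMS malware (human)", "unmanaged devices (technical)",
             "possible", "minor", 12_000, mdm),
        Risk("archived design data", "APT (human)", "flat internal network (technical)",
             "possible", "severe", 500_000, segmentation),
        Risk("public website", "hosting outage (non-human)", "single provider (management)",
             "unlikely", "minor", 4_000),  # no control selected: candidate for acceptance
    ]


def summarise(register: list) -> list:
    """One row per risk: inherent score, treatment by criteria, residual score,
    and whether the chosen control pays for itself over the horizon."""
    return [{
        "asset": r.asset,
        "inherent": r.inherent_score(),
        "treatment": treatment_for(r.inherent_score()),
        "residual": r.residual_score(),
        "net_benefit": round(r.net_benefit(), 2),
        "worth_implementing": r.control is not None and r.net_benefit() > 0,
    } for r in register]


if __name__ == "__main__":
    for row in summarise(build_register()):
        print(row)
```

The register makes the three missing features concrete: `treatment_for` is the explicit risk criterion the comparison says the company lacks, `net_benefit` sets the implementing effect against the not-implementing effect and the implementation cost, and `residual_score` records what remains after treatment so that "accept" is a decision about a known residual rather than the absence of one.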
Conclusion
• The frameworks take different perspectives in some areas
• The company framework could still be improved
• Risk management is vital to organisational activity
References
E. G. Amoroso, "Cyber attacks: awareness," Network Security, vol. 2011, pp. 10-16, 2011.
E. E. Anderson and J. Choobineh, "Enterprise information security strategies," Computers & Security, vol. 27, pp. 22-29, 2008.
K. K. R. Choo, "Cyber threat landscape faced by financial and insurance industry," Trends and Issues in Crime and Criminal Justice, no. 408, pp. 1-6, 2011.
B. Kakoli, P. Peter, and K. M. Mykytyn, "A framework for integrated risk management in information technology," Management Decision, vol. 37, no. 5, pp. 437-445, 1999.
M. Burdon, B. Lane, and P. von Nessen, "The mandatory notification of data breaches: Issues arising for Australian and EU legal developments," Computer Law & Security Review, vol. 26, pp. 115-129, 2010.
K. K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers & Security, vol. 30, pp. 719-731, 2011.
G. Locke and P. D. Gallagher, "Guide for applying the risk management framework to federal information systems: a security life cycle approach," NIST Special Publication 800-37, 2010.
Standards Australia and Standards New Zealand, "Risk management," AS/NZS 4360:2004, 2004.
European Network and Information Security Agency (ENISA), "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools," 2006.
G. Stoneburner, A. Goguen, et al., "Risk management guide for information technology systems," NIST Special Publication 800-30, 2002.
Question?