1 / 50

Information Security Governance & Risk Management Best Practices

Learn about roles, responsibilities, ethics, and best practices for managing information security risks & governance effectively.

Download Presentation

Information Security Governance & Risk Management Best Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Dr. Bhavani ThuraisinghamThe University of Texas at Dallas (UTD)June 2013 Information Security Governance and Risk Management

  2. Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

  3. C. I.A. • Confidentiality: Preventing from unauthorized disclosure • Integrity: Preventing from unauthorized modification • Availability: Preventing denial of service

  4. Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

  5. Security Best Practices • Job Rotation • Separation of Duty • Security Awareness training • Information Classification • Risk Analysis • Ethics Education

  6. Roles and Responsibilities • Specific • General • Communicated at hiring • Verified capabilities and limitations • 3rd party considerations • Good practices • Reinforced via training

  7. Internal Roles • Executive Management • Information Systems Security Professionals • Owners • Custodians • Operations Staff • Security Staff • Data and System Owners • Users

  8. External Roles • Vendors/Suppliers • Contractors • Temporary Employees • Customers • Business Partners • Outsourced Relationships • Outsourced Security

  9. Human Resources and Related Issues • Human Resources • Employee development • Employee management • Hiring and Termination • Consult the Human Resources Department • Low-level checks • Termination Procedures • Hiring New Staff • Background checks/security clearances • Verify references and educational records • Signed Employment Agreements • Acceptable use • Non-disclosure • Non-compete • Ethics

  10. Personnel andSecurity AwraenessTraining / Good Pratices • Personnel • Job descriptions / Defined roles and responsibilities • Least privilege • Need to know • Separation of duties • Job rotation • Mandatory vacations • Security Awareness training • Job training • Professional education • Good Practices • Be relevant • Scope properly • Address the audience

  11. Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

  12. Security Blueprints and Single Point of Failure • Documnted Security Program • Focus on the mission • Organizations are different • Cost-effective • Blueprints • Identify and design security requirements • Infrastructure security blueprints • Holistic • Single Point of Failure • Identify processes • Identify risks to the plan • Be prepared

  13. ISO/IEC 27000 Series = ISMS Blueprints • 27000 – Glossary of terms • 27001:2005 - Attainment certification • 27002:2005/Cor1:2007 – Code of practice • 27003 – ISMS Implementation guidance under development as of Sept 08 • 27004 – Information security measurement • 27005-2008 – Information security – Risk management • 27006:2007 – Certification vendor process • 27799:2008 – Information Security for Health Care Organizations

  14. Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

  15. Security Management, Administration and Governance • Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks. • The risks to these assets can be calculated by analysis of the following issues: • Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets • Vulnerabilities. How susceptible your assets are to attack • Impact. The magnitude of the potential loss or the seriousness of the event.

  16. Security Management, Administration and Governance • Standards that are available to assist organizations implement the appropriate programs and controls to mitigate these risks are for example BS7799/ISO 17799, Information Technology Infrastructure Library and COBIT. • Information Security Governance, Information Security Governance or ISG, is a subset discipline of Corporate Governance focused on information Security systems and their performance and risk management. • Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations

  17. Security Management, Administration and Governance • Develop the information security strategy in support of business strategy and direction. • Obtain senior management commitment and support • Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities. • Establish reporting and communication channels that support information security governance activities. • Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise. • Establish and maintain information security policies that support business goals and objectives. • Ensure the development of procedures and guidelines that support information security policies. • Develop business case for information security program investments.

  18. Management’s Security Policy • Management’s goals and objectives in writing • Documents compliance • Creates security culture

  19. Define the following Area IV Buddy System Policy THIS AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMBERS WILL USE THE “BUDDY SYSTEM” AT ALL TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION. ALL PERSONNEL WILL CARRY S.O.F.A. AND AN EMERGENCY TELEPHONE NUMBER CARD AST ALL TIMES. LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES. BY ORDER OF THE AREA IV COMMANDER

  20. Policies, Standards, Guidelines and Procedures • Policies are the top tier of formalized security documents. These high-level documents offer a general statement about the organization’s assets and what level of protection they should have. • Well-written policies should spell out who’s responsible for security, what needs to be protected, and what is an acceptable level of risk.. • Standards are much more specific than policies. Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement. As an example, a standard might set a mandatory requirement that all email communication be encrypted. So although it does specify a certain standard, it doesn’t spell out how it is to be done. That is left for the procedure.

  21. Policies, Standards, Guidelines and Procedures • A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually mapped to industry standards. As an example, an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard. • A guideline points to a statement in a policy or procedure by which to determine a course of action. It’s a recommendation or suggestion of how things should be done. It is meant to be flexible so it can be customized for individual situations. • A procedure is the most specific of security documents. A procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done. • A security model is a scheme for specifying and enforcing security policies. Examples include: Bell and LaPadula, Biba, Access control lists

  22. Information Classification • It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security. • A system of classification should ideally be: • simple to understand and to administer • effective in order to determine the level of protection the information is given. • applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed).

  23. Information Classification • With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. • Violations of the Information Classification Policy should result in disciplinary proceedings against the individual. • Number of information classification levels in an organization should be a manageable number as having too many makes maintenance and compliance difficult.

  24. Information Classification • Top Secret: Highly sensitive internal documents and data. For example, impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible. • Highly Confidential: Information which is considered critical to the organization’s ongoing operations and could seriously impede or disrupt them if made shared internally or made public. Such information includes accounting information, business plans, sensitive information of customers of banks (etc), patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.

  25. Information Classification • Proprietary: Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high. • Internal Use Only: Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include: internal memos, internal project reports, minutes of meetings. Security at this level is controlled but normal. • Public Documents: Information in the public domain: press statements, annual reports, etc. which have been approved for public use or distribution. Security at this level is minimal.

  26. Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

  27. Roles and Responsibilities • Internal Roles • Executive Management; Information System Security Professionals; Owners: Data and System Owners; Custodians • Operational Staff; Users; Legal, Compliance and Privacy Officers; Internal Auditors; Physical Security Officers • External Roles • Vendors and Supplies; Contractors; Temporary Employees; Customers; Business Partners; Outsourced Relationships; Outsourced Security • Human Resources • Employee development and management; Hiring and termination; Signed employee agreements; Education

  28. Risk Management and Analysis • Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm. • The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

  29. Risk Managementg and Analysis • A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. • The assessment may use a subjective qualitative analysis based on informed opinion (scenarios), or where reliable dollar figures and historical information is available, the analysis may use quantitative analysis • For any given risk, Executive Management can choose to accept the risk based upon the relative low value of the asset, the relative low frequency of occurrence, and the relative low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or out-sourcing to another business.

  30. Risk Management and Analysis • Identification of assets and estimating their value. Include: people, buildings, hardware, software, data supplies. • Conduct a threat assessment. Include: Acts of nature, accidents, malicious acts originating from inside or outside the organization. • Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, - - - • Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis. • Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset. • Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.

  31. Risk Management and Analysis • Step 1: Estimate Potential Loss • SLE = AV ($) x EF (%) • SLE: Single Loss Expectancy, AV: Asset Value. EF: Exposure Factor (percentage of asset value) • Step 2: Conduct Threat Likelihood Analysis • ARO Annual Rate of Occurrence • Number of times per year that an incident is likely to occur • Step 3: Calculate ALE • ALE: Annual Loss Expectancy • ALE = SLE x ARO

  32. Risk Management • Identifying and reducing total risks • Choosing mitigation strategies • Setting residual risk at an acceptable level • Integrating risk management processes into the organization

  33. Risk Management • The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets. • Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability, and the resulting impact of that adverse event on the organization.

  34. Risk Management Benefits • Focuses policy and resources • Identifies areas with specific risk requirements • Directs budget • Supports • Business continuity process • Insurance and liability decisions • Legitimizes security awareness programs

  35. Risk Management Definitions • Assets • Threat-source/agent • Threat • Exposure • Vulnerability • Likelihood • Attack • Controls • Countermeasures • Safeguards • Total risk • Residual risk

  36. Risk Assessment / Analysis Steps: SP 800-30 • System Characterization • Threat Identification • Vulnerability Identification • Control Analysis • Likelihood Determination • Impact Analysis • Risk Determination • Control Recommendations • Results Documentation

  37. Information Valuation Considerations • Exclusive possession • Utility • Cost to acquire or create • Liability • Convertibility • Operational impact • Timing • Methods • Modified – Delphi • Facilitated sessions • Survey • Interview • Checklist

  38. Quantitative Risk Analysis • Assign monetary values • Labor and time intensive • Difficult to achieve • Steps • Estimate potential losses • Conduct a threat likelihood analysis • Calculate annual loss expectancy

  39. Step One: Estimate Potential Losses SINGLE LOSS EXPECTANCY SLE = AV ($) x EF (%) AV (Asset Value) EF (Exposure Factor)

  40. Step Two: Conduct ThreatLikelihood Analysis ARO - Annual Rate of Occurrence • Number of exposures or incidents that can be expected in a given year • Likelihood of an unwanted event occurring

  41. Step Three: Calculate ALE ALE –Annual Loss Expectancy ALE = SLE x ARO • Magnitude of risk = ALE • Purpose: Justify security countermeasures

  42. Qualitative and Hybrid Risk Analysis • Qualitative • Scenario-oriented • No $ values • Rank seriousness of threats and sensitivity of assets • Perform a carefully reasoned risk assessment • Hybrid • Quantitative • Qualitative • FMEA (Failure Modes and Effect Analysis) • FTA (Fault Tree Analysis)

  43. Risk Mitigation and Assurance • Risk Mitigation • Acceptance = Absorb the effect of an incident • Reduction = Implement controls • Transference = Insurance • Avoidance = Stop it • Risk Assurance • Cyclical nature • Liability

  44. Countermeasure Selection Principles • Cost/benefit analysis • Accountability • Absence of design secrecy • Audit capability • Vendor trustworthiness • Independence of control and subject • Universal application • Compartmentalization • Defense in depth • Isolation, economy and least common mechanism • Acceptance and tolerance by personnel • Minimum human intervention • Sustainability • Reaction and recovery • Override and fail-safe defaults • Residuals and reset

  45. Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

  46. Ethical Environments and Reponsibilities • Ethics are difficult to define • Begin with senior management • “Set the example” • Encourage adoption of ethical guidelines and standards • Inform users about ethical responsibilities through security awareness training • Responsibilities • Global responsibility • National • Organizational • Personal

  47. Basis and Origin of Ethics • Religion • Law • National interest • Individual rights • Common good/interest • Enlightened self-interest • Professional ethics/practices • Standards of good practice • Tradition/culture • Formal Ethical Theories • Teleology • Ethics in terms of goals, purposes or ends • Deontology • Ethical behavior is a duty

  48. Relevant Professional Codes of Ethics • (ISC)2 • RFC 1087 • Access and use of the Internet is a PRIVILEGE and should be treated as such by all users • RFC 1087 refers to “Negligence in the conduct of Internet-wide experiments” as “irresponsible and unacceptable”, but does not specifically label such conduct as “unethical”. • Internet Architecture Board • ISC2 Code of Ethics and Cannons • “Safety of the commonwealth, duty to our principals and to each other requires that we adhere and be seen to adhere, to the highest ethical standards of behavior” • “Therefore, strict adherence to this code is a condition of certification”. • “Protect society, the commonwealth and the infrastructure” • “Act honorably, honestly, justly, responsibly and legally” • “Provide diligent and competent service to principals” • “Advance and protect the profession”

  49. Internet Architecture Board (IAB) Any activity is unethical and unacceptable that purposely: • Seeks to gain unauthorized access to Internet resources • Disrupts the intended use of the Internet • Waste resources (people, capacity, computer) through such actions • Destroys the integrity of computer-based information • Compromises the privacy of users • Involves negligence in the conduct of Internet-wide experiments

  50. Domain Summary • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics

More Related