Dr. Faisal Abdullah CISSP, CISA, ACE. Associate Professor of Management Information Systems
Dr. Faisal Abdullah • Director of the Master of Science in Information Security Program (MSIS) • Associate Professor of MIS • Research and Teaching Interests include: • Information Security Risk Analysis • Computer Forensics • Management of Information Security
Lewis University • Founded in 1932 on a 376-acre campus in Romeoville, IL • Offers 80 undergraduate and 25 graduate programs to approximately 6,500 students • Guided by its Catholic and Lasallian heritage • Nationally recognized by • Lewis is playing the University of Southern California in the NCAA National Collegiate Men’s Volleyball Championship at 8pm PST this evening
MSIS • MSIS Program • This online degree program explores the theory and practice of IT security on a global scale, the latest advances in all of the involved technologies, and the legal and ethical issues facing IT security professionals. • Outcomes map to eleven certifications, including CISSP, CISM, CEH and CRISC • 2 concentrations: Managerial and Technical • To learn more, visit online.lewisu.edu or call 1-866-967-7046
Technology and Non-Profit Organizations • Connectivity and an Internet presence are vital to any organization • Non-profit organizations use information technology to • disseminate information • raise funds • manage resources
Information Security and Non-profits • Most non-profits focus their strategies mainly on • fundraising • operations • and not on information security and data protection
Information Security and Non-profits • Non-profit organizations face the same information security threats as any other organization • But they do not have the same resources available to for-profit companies • According to the FBI, non-profit organizations are most susceptible to security incidents
Data Assets of a Non-profit Organization • Donor records • Personal information • Addresses • Phone numbers • Donor credit card details • Donor bank information • Organizational data
Data Assets of a Healthcare Non-profit Organization • Confidential patient information • Patient names • Patient addresses • Medical history • Family information
Risks of losses to Non-profit organizations • Financial Loss • Loss of Reputation • Damaged Employee Morale and Defections • Donor Disenchantment and Loss • Litigation
How to protect your organization? • Information security is a technical business discipline • Protect your organization by mitigating risks • Use qualitative and quantitative techniques for risk assessment
What is Risk Management? • Process of identifying and controlling risks facing an organization • Involves identifying organization’s assets and identifying threats/vulnerabilities • Know yourself and know the enemy • Management buy-in crucial for Risk Management. Top-down approach
Risk Management • Step 1 Identify Assets • Step 2 Identify Value of Assets • Step 3 Identify Vulnerabilities of Assets • Step 4 Threat Identification • Step 5 Assess the exposure of the asset to a particular Threat
Risk Management • Step 6 Calculate the loss from a single incident • Step 7 Assess the likelihood of occurrence for each Threat • Step 8 Calculate the losses per year from each threat • Step 9 Identify Controls • Step 10 Constant evaluation and maintenance
Risk Management Step 1 – Identify Assets • Inventory of all Data and Information Assets • IT Department may have a list of all IT Assets
Risk Management Step 1 – Identify Assets • Determine location of the Data Assets • Donor information • Credit card and financial information • Campaign plans • Employee data • Healthcare data • Anything valuable to the organization
Risk Management: Step 2 Value of Tangible Assets • Calculate the Asset value (AV) – Tangible and Intangible • For Tangible Assets consider • Purchase cost • Installation cost • Troubleshooting cost • Contingencies • Loss of business services to outside customers • Loss of business services to internal employees Ding Tan, 2002.
Risk Management: Step 2 Value of Intangible Assets • For Intangible Assets – goodwill, reputation • Income Approach • Economic Benefit of an Asset • Consider Cost of Litigation Ding Tan, 2002.
Risk Management Step 3 Identify Vulnerabilities of Assets • Identify Logical and Physical vulnerabilities • Conduct a vulnerability assessment and a penetration test • For an independent evaluation • Hire an independent firm or outside consultant
Risk Management Step 4 Threat Identification • Identify realistic threats • Identify threats based on the vulnerabilities identified in Step 3
Risk Management Step 4 Threat Identification • Sources of internal data • IT Help Desk • Users • Managers and Supervisors • Human Resources Department
Risk Management Step 4 Threat Identification • Sources of external data • Threat advisories • Industry and peer reports • Insurance reports • Government reports • National Weather Bureau
Risk Management Step 5 Exposure of an Asset • Evaluate robustness of existing controls – Exposure Factor (EF) Ding Tan, 2002.
Risk Management Step 5 Exposure of an Asset • Start with 100% as the initial exposure factor and answer each of the following questions:
• Does the system under attack have any redundancies / backups / copies? Subtract 30% if the answer is YES.
• Is the system under attack behind a firewall? Subtract 10% if the answer is YES.
• Is the attack from outside? Subtract 20% if the answer is YES.
• What is the potential rate of attack? (10% damage / hour vs. 10% damage / minute) Subtract 20% if the answer is less than 20% damage/hr; subtract 40% if the answer is less than 2% damage/hr.
• What is the likelihood that the attack will go undetected in time for a full recovery? Subtract 10% if the probability of being undetected is less than 20%; subtract 30% if the probability of being undetected is less than 10%.
• How soon can countermeasures be implemented, if at all? Subtract 30% if the countermeasure can be implemented within ½ hour; subtract 20% if it can be implemented within 1 hour; subtract 10% if it can be implemented within 2 hours.
Risk Assessment Step 6 Loss from an Incident • Calculate the loss from a one-time occurrence of a threat • Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF) Ding Tan, 2002.
Risk Assessment: Step 7 Likelihood of Occurrence • Assess the likelihood of occurrence for each threat during a period of one year • Annual Rate of Occurrence (ARO)
Risk Assessment: Step 7 Likelihood of Occurrence • Assess ARO from internal resources • IT Help Desk • Users • Managers and Supervisors • Human Resources Department
Risk Assessment: Step 7 Likelihood of Occurrence • Assess ARO from External resources • Threat advisories • Industry and peer reports • Insurance reports • Government reports • National Weather Bureau data
Risk Management – Step 8 Loss per Year • Calculate the Annual Loss Expectancy (ALE) • Losses per year from each threat • Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO) Ding Tan, 2002.
Risk Assessment Example Ding Tan, 2002.
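Worked example for Steps 5, 6 and 8, added here and not part of the original slides or of Ding Tan's paper: the exposure-factor questionnaire, SLE = AV × EF and ALE = SLE × ARO in Python. The donor-database asset value, the questionnaire answers and the ARO are constructed sample figures. Two reading choices are assumptions rather than something the slide states: where the questionnaire's thresholds overlap (an attack slower than 2%/hr is also slower than 20%/hr), only the single largest deduction is taken, and an exposure factor driven below 0% is clamped at 0%.

```python
"""Quantitative risk assessment following the Ding Tan (2002) steps quoted in
the slides: Exposure Factor (EF) questionnaire, SLE = AV x EF, ALE = SLE x ARO.
Added example; all asset values and scenario answers below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scenario:
    """Answers to the Step 5 questionnaire for one asset/threat pair."""
    has_backups: bool                      # redundancies / backups / copies exist
    behind_firewall: bool
    attack_from_outside: bool
    damage_pct_per_hour: float             # potential rate of attack, 10.0 = 10% damage per hour
    prob_undetected: float                 # probability the attack goes undetected in time (0..1)
    countermeasure_hours: Optional[float]  # time to implement countermeasures; None = not at all


def exposure_factor(s: Scenario) -> float:
    """Start at 100% and subtract per the questionnaire; returns EF as a fraction 0.0..1.0.

    Assumption (not stated on the slide): the overlapping thresholds for rate of
    attack, detection and countermeasure time are treated as exclusive, so only
    the single largest applicable deduction is taken, and the result is clamped at 0%.
    """
    ef = 100.0
    if s.has_backups:
        ef -= 30
    if s.behind_firewall:
        ef -= 10
    if s.attack_from_outside:
        ef -= 20
    if s.damage_pct_per_hour < 2:
        ef -= 40
    elif s.damage_pct_per_hour < 20:
        ef -= 20
    if s.prob_undetected < 0.10:
        ef -= 30
    elif s.prob_undetected < 0.20:
        ef -= 10
    if s.countermeasure_hours is not None:
        if s.countermeasure_hours <= 0.5:
            ef -= 30
        elif s.countermeasure_hours <= 1:
            ef -= 20
        elif s.countermeasure_hours <= 2:
            ef -= 10
    return max(ef, 0.0) / 100.0


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """Step 6: SLE = AV x EF (loss from one occurrence of the threat)."""
    return asset_value * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step 8: ALE = SLE x ARO (expected loss per year from the threat)."""
    return sle * aro


def assess(asset_value: float, scenario: Scenario, aro: float) -> dict:
    """Run Steps 5, 6 and 8 for one asset/threat pair and return the intermediate figures."""
    ef = exposure_factor(scenario)
    sle = single_loss_expectancy(asset_value, ef)
    ale = annual_loss_expectancy(sle, aro)
    return {"ef": ef, "sle": sle, "ale": ale}


if __name__ == "__main__":
    # Constructed sample: a donor database valued (Step 2) at $250,000, threatened by
    # an external compromise estimated to recur once every five years (ARO 0.2).
    donor_db = Scenario(
        has_backups=False,
        behind_firewall=True,
        attack_from_outside=True,
        damage_pct_per_hour=5.0,
        prob_undetected=0.25,
        countermeasure_hours=4.0,
    )
    result = assess(250_000, donor_db, aro=0.2)
    for name, value in result.items():
        print(f"{name.upper():>4}: {value:,.2f}")
```

With the constructed answers the questionnaire lands at EF 50% (firewall, external attack and a sub-20%/hr damage rate each subtract from 100%), so SLE is $125,000 and ALE is $25,000 per year; the ALE figure is what Step 9's cost-benefit comparison is measured against.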
Risk Management Step 9 Identify Controls • Identify controls based on the risk from each threat • Mitigate risks to an acceptable level by applying controls
Risk Management Step 9 Identify Controls • Controls can be • Good Policies • Security Awareness • Employee and user training • Software Controls • Hardware Controls • Personnel Controls
Risk Management Step 9 Identify Controls • Cost-Benefit Analysis • Cost of implementing a control • Benefit – reduction in losses from a threat
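Worked example for the Step 9 cost-benefit analysis, added here and not part of the original slides or of Ding Tan's paper: each candidate control is scored as the reduction in ALE it produces (ALE being AV × EF × ARO from Steps 5 to 8) minus its annual cost, and the candidates are ranked. The asset figures, the three controls, their assumed effect on EF or ARO and their costs are all constructed; the "net benefit" formula is the standard safeguard-value calculation and is my wording of the slide's "benefit – reduction in losses from a threat".

```python
"""Step 9 cost-benefit analysis for candidate controls, building on the
ALE = AV x EF x ARO figure from Steps 5-8. Added example; the asset, the
candidate controls, their effect on EF/ARO and their costs are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Control:
    name: str
    annual_cost: float   # cost of implementing and running the control, per year
    ef_after: float      # exposure factor once the control is in place (0..1)
    aro_after: float     # annual rate of occurrence once the control is in place


def annual_loss_expectancy(asset_value: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO, with SLE = AV x EF."""
    return asset_value * ef * aro


def net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Benefit of a control = reduction in ALE minus its annual cost.
    Positive means the control costs less per year than the losses it prevents."""
    return (ale_before - ale_after) - annual_cost


def rank_controls(asset_value: float, ef: float, aro: float, controls: List[Control]) -> List[dict]:
    """Evaluate each candidate against the uncontrolled ALE and sort best-first."""
    ale_before = annual_loss_expectancy(asset_value, ef, aro)
    rows = []
    for c in controls:
        ale_after = annual_loss_expectancy(asset_value, c.ef_after, c.aro_after)
        rows.append({
            "control": c.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "annual_cost": c.annual_cost,
            "net_benefit": net_benefit(ale_before, ale_after, c.annual_cost),
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    # Constructed sample: donor database, AV $250,000, EF 50%, ARO 0.2 -> ALE $25,000/yr.
    candidates = [
        # Nightly off-site backups: the Step 5 questionnaire subtracts 30% for backups.
        Control("Off-site backups", annual_cost=4_000, ef_after=0.20, aro_after=0.2),
        # Awareness training: fewer successful phishing attempts, so ARO is assumed to halve.
        Control("Security awareness training", annual_cost=3_000, ef_after=0.50, aro_after=0.1),
        # An expensive product whose modest EF reduction does not pay for itself.
        Control("Enterprise DLP suite", annual_cost=20_000, ef_after=0.40, aro_after=0.2),
    ]
    for row in rank_controls(250_000, 0.5, 0.2, candidates):
        verdict = "adopt" if row["net_benefit"] > 0 else "reject"
        print(f"{row['control']:<28} ALE {row['ale_before']:>9,.0f} -> {row['ale_after']:>9,.0f} "
              f"cost {row['annual_cost']:>7,.0f} net {row['net_benefit']:>+9,.0f}  {verdict}")
```

A control with a negative net benefit costs more each year than the losses it avoids, which is the "acceptable level" test from the previous slide expressed in dollars; a real assessment would also add any non-financial benefits (regulatory or donor-trust reasons) before deciding.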
Risk Management Step 10 Constant Evaluation of Controls • Test and implement controls • Periodic evaluation to assess the efficacy of controls