1 / 24

Assessment Presentation

Assessment Presentation. Fundamentals of Information Systems Security. Philip Robbins - July 14, 2012 University of Phoenix Hawaii Campus. Scope & Applicability. UOPX Courses CIS 207 Information Systems Fundamentals CMGT 244 Intro to IT Security CMGT 245 IS Security Concepts

lars
Télécharger la présentation

Assessment Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Assessment Presentation Fundamentals of Information Systems Security Philip Robbins - July 14, 2012 University of Phoenix Hawaii Campus

  2. Scope & Applicability • UOPX Courses • CIS 207Information Systems Fundamentals • CMGT 244Intro to IT Security • CMGT 245IS Security Concepts • CMGT 400Intro to Information Assurance & Security • CMGT 440Intro to Information Systems Security • CMGT 441 Intro to Information Systems Security Management • CMGT 430Enterprise Security • CMGT 442Information Systems Risk Management

  3. Objectives • Review of Concepts. What is (are): • Information Systems? • Information Security? • Information Systems Security? • Information Assurance? • Cyber Security? • Defense in Depth? • Significance / Importance of Concepts • Advanced Topics in Security Risk Analysis • Present & Future Challenges • Q&A

  4. Who am I? • Information Systems Authorizing Official Representative • United States Pacific Command (USPACOM) • Risk Management Field • Assessments to USPACOM Authorizing Official / CIO • Former Electronics Engineer • Bachelor of Science in Electrical Engineering • Master of Science in Information Systems • Ph.D. Student in Communication & Information Sciences • Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP)

  5. Review of Concepts • What are Information Systems? • Systems that store, transmit, and process information. + • What is Information Security? • The protection of information. ------------------------------------------------------------------------------- • What is Information Systems Security? • The protection of systems that store, transmit, and process information.

  6. Review of Concepts • What is Information Assurance? • Emphasis on Information Sharing • Establishing and controlling trust • Authorization and Authentication (A&A) • What is Cyber Security? • Protection of information and systems within networks that are connected to the Internet.

  7. Review of Concepts • Progression of Terminology • Computer Security • (COMPUSEC) • Legacy Term (no longer used). • Information Security • (INFOSEC) • Legacy Term (still used). • Information Assurance • (IA) • Term widely accepted today with focus on Information Sharing. • Cyber Security • Broad Term quickly being adopted.

  8. Review of Concepts • What is the Defense in Depth Strategy? • Using layers of defense as protection. • People, Technology, and Operations. • Onion Model

  9. Review of Concepts

  10. ISS Management • What is a Backup Plan (BP) vsDisaster Recovery Plan (DRP) vsEmergency Response Plan (ERP) vsBusiness Recovery Plan (BRP)vsBusiness Impact Analysis (BIA) vsIncident Response Plan (IRP) vsContinuity of Operations Plan (COOP) vsContingency Plan? • Policy & Planning • Test, Audit, Update • Configuration Control • Protection, Detection, Reaction • (Assessment, CND, Incident Response)

  11. Why is this important? • Information is valuable. therefore, • Information Systems are valuable. • etc… • Compromise of Information Security Services (C-I-A) have real consequences (loss) • Confidentiality: death, proprietary info, privacy, theft • Integrity: theft, disruption • Availability: productivity lost, C2, defense, emergency services

  12. Why is this important? • Fixed Resources • Sustainable strategies reduce costs

  13. Advanced Topics: Measuring Risk • What is Risk? • thus • Qualitative v.s. Quantitative Methods • Risk Assessments v.s. Risk Analysis • Security Risk Analysis (SRA) • Units for measurement?

  14. Advanced Topics: Measuring Risk • Risk is conditional, NOT independent.

  15. Advanced Topics: Measuring Risk • Quantitative, time-dependent (continuous), • Risk Distribution Function: Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems (Master's Thesis). Hawaii Pacific University, Honolulu, HI.

  16. Advanced Topics: Measuring Risk • Expected Value of Risk = Product of Risks • Risk is never zero • Risk Dimension (units): confidence in ISS, C-I-A

  17. Advanced Topics: Measuring Risk • Expected Value and Risk Loss Confidence vs Cumulative Risk Product

  18. Advanced Topics: Measuring Risk • Quantitative Risk Determination Expression • Risk Rate & Risk Variability • Adjudication of Risk

  19. Advanced Topics: Measuring Risk • Determining Risk Tolerance / Threshold Levels

  20. Advanced Topics: Measuring Risk • Risk Areas as a function of Probability and Impact

  21. Present Challenges • Rapid growth of Advanced Persistent Threats (APTs) • Half million cases of cyber related incidents in 2012. • Is this a problem? • What about vulnerabilities • associated with • interconnections? Source: US-CERT

  22. Future Challenges • Cyberspace: Are we at war? • Cyber Crime vs Cyber Warfare vs Cyber Conflict

  23. Closing Thoughts • Information Systems Security (Cyber Security) is an explosive field. - Spanning Commercial, Private and Government Sectors - Demand >> Capacity: Strategies, solutions, workforce - $ - Evolving field (not fully matured) • Security will change our communications landscape - Efficiencies (centralization of services, technology) - Intelligent design of network interconnections and interdependencies - Regulations

  24. Thank you! Got Questions?

More Related