CMGT 442 Information Systems Risk Management Philip Robbins – November 14, 2012 (Week 1) University of Phoenix Mililani Campus
Agenda: Week 1 • Introductions • Enterprise Information Systems Risk Management • Review of Information Systems Security Fundamental Concepts • Cover Objectives • Readings • Review Textbook Chapters • Discuss Articles • Learning Team Activities • Quiz #1 • Assignments
Review of Concepts • Information Systems • Systems that store, transmit, and process information. • Information Security • The protection of information. • Information Systems + Information Security = Information Systems Security • Information Systems Security • The protection of systems that store, transmit, and process information.
Review of Fundamental Concepts • Progression of Terminology • Computer Security • (COMPUSEC) • Legacy Term (no longer used). • Information Security • (INFOSEC) • Legacy Term (still used). • Information Assurance • (IA) • Term widely accepted today with focus on Information Sharing. • Cyber Security • Broad Term quickly being adopted.
Review of Fundamental Concepts • What is the Defense in Depth Strategy? • Using layers of defense as protection. • People, Technology, and Operations. • Onion Model
Defense-in-Depth Links in the Security Chain: Management, Operational, and Technical Controls • Risk assessment • Security planning, policies, procedures • Configuration management and control • Contingency planning • Incident response planning • Security awareness and training • Security in acquisitions • Physical security • Personnel security • Security assessments and authorization • Continuous monitoring • Access control mechanisms • Identification & authentication mechanisms (Biometrics, tokens, passwords) • Audit mechanisms • Encryption mechanisms • Boundary and network protection devices (Firewalls, guards, routers, gateways) • Intrusion protection/detection systems • Security configuration settings • Anti-viral, anti-spyware, anti-spam software • Smart cards Adversaries attack the weakest link…where is yours?
Review of Fundamental Concepts • A single point of failure (SPOF) • Failure of a single component results in the failure of the entire system
Review of Fundamental Concepts • What is Cyberspace? • Term adopted by the USG • The virtual environment of information and interactions between people. • Telecommunication Network infrastructures • Information Systems • The Internet
Review of Fundamental Concepts • What is Information Assurance (IA)? • Our assurance (confidence) in the protection of our information / Information Security Services. • What are Information Security Services (ISS)? • Confidentiality: Making sure our information is protected from unauthorized disclosure. • Integrity: Making sure the information we process, transmit, and store has not been corrupted or adversely manipulated. • Availability: Making sure that the information is there when we need it and gets to those who need it.
Review of Fundamental Concepts Information Assurance Services (IAS) [Slide table: a checkmark matrix mapping Information Assurance Services; the matrix itself is not recoverable from the slide text.] Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.
Why is this important? • Information is valuable; therefore, • Information Systems are valuable. • etc… • Compromise of Information Security Services (C-I-A) has real consequences (loss) • Confidentiality: death, proprietary info, privacy, theft • Integrity: theft, loss of confidence, validity • Availability: lost productivity, disruption of C2, defense, emergency services
Why is this important? • Fixed Resources • Sustainable strategies reduce costs
Privacy • Defined: the protection and proper handling of sensitive personal information - Requires proper technology for protection - Requires processes and controls for appropriate handling
Personally Identifiable Information (PII) • Name • SSN • Phone number • Driver's license number • Credit card numbers • etc…
Governance • Defined: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
Governance (cont.) • The process and action that supports executive oversight • Steering committee oversight • Resource allocation and prioritization • Status reporting • Strategic decisions
Policies • Policies • Constraints of behavior on systems and people • Specifies activities that are required, limited, and forbidden • Example • Information systems should be configured to require good security practices in the selection and use of passwords
Requirements • Requirements • Required characteristics of a system or process. • Often the same as or similar to the policy • Specifies what should be done, not how to do it. • Example • Information systems must enforce password quality standards.
Guidelines • Defines how to support a policy • Example: ‘As a guideline’ passwords should not be dictionary words, passwords should not be written down, etc…
Standards and Procedures • What products, technical standards, and methods will be used to support policy • Examples • All fiber optic cables must be ACME brand • Passwords must be at least 8 characters, contain 2 upper and lower case chars… • Procedures: step by step instructions
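The slides distinguish a standard (measurable, enforced by the system) from a guideline (advice on how to support the policy). The following is an added example, not from the course slides: a small technical control that enforces the example password standard above and reports the dictionary-word guideline as advice rather than rejecting the password. It assumes that "2 upper and lower case chars" means at least two uppercase and at least two lowercase letters, and it uses a constructed five-word dictionary in place of a real word list.

```python
"""Added example (not from the slides): enforcing the example password
standard as a technical control, while the related guideline is reported
as advice rather than enforced.

Assumptions not stated on the slides:
  - "2 upper and lower case chars" is read as at least two uppercase AND
    at least two lowercase letters.
  - DICTIONARY_WORDS is a small constructed list; a real control would
    load a full dictionary.
"""
from dataclasses import dataclass, field

# Constructed sample dictionary for the guideline check.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}

MIN_LENGTH = 8   # standard: at least 8 characters
MIN_UPPER = 2    # standard: at least 2 uppercase letters (assumed reading)
MIN_LOWER = 2    # standard: at least 2 lowercase letters (assumed reading)


@dataclass
class PasswordCheck:
    """Outcome of evaluating one candidate password."""
    compliant: bool                                   # every standard rule passed
    violations: list = field(default_factory=list)    # failed standard rules (enforced)
    advisories: list = field(default_factory=list)    # failed guidelines (reported only)


def check_password(candidate: str) -> PasswordCheck:
    violations = []
    advisories = []

    # --- Standard: measurable rules the system enforces ---
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in candidate) < MIN_UPPER:
        violations.append(f"fewer than {MIN_UPPER} uppercase letters")
    if sum(c.islower() for c in candidate) < MIN_LOWER:
        violations.append(f"fewer than {MIN_LOWER} lowercase letters")

    # --- Guideline: 'passwords should not be dictionary words' ---
    # Strip digits and punctuation so "DrAgon123!" is still recognised as "dragon".
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in DICTIONARY_WORDS:
        advisories.append("based on a dictionary word")

    return PasswordCheck(compliant=not violations,
                         violations=violations,
                         advisories=advisories)


if __name__ == "__main__":
    for pw in ["short", "CorrectHorseBattery", "DrAgon123!", "welcome"]:
        result = check_password(pw)
        print(f"{pw!r}: compliant={result.compliant} "
              f"violations={result.violations} advisories={result.advisories}")
```

The distinction matters in practice: only the standard's rules can be checked mechanically and produce a definite reject, so they are what the system enforces; the guideline produces an advisory, which is why a password like "DrAgon123!" passes the standard yet still draws a warning.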
Develop Learning Teams • Create Learning Teams A, B, C, D • 4 students each • Create Team Name • Assignment: Learning Team Charter • Post to OLS (due Week 2) • Learning Team Activity: Review of Concepts 1, 2, 3 • Information Security & Information Assurance • Physical and Logical Information Systems Security • Risk
Concept 1: Info Security & Assurance • You leave your job at ACME, Inc. to become the new Information Systems Security Manager (ISSM) for University of University College (UUC). • The Chief Information Officer (CIO) of UUC drops by your office to let you know that they have no ISS program at UUC! • A meeting with the Board of Directors is scheduled and you are asked by the CIO to attend. • The Board wants to hear your considerations on how to start the new ISS program spanning all national and international networks.
Concept 1: Info Security & Assurance • - What would you tell the Board? • - As an ISSM, what would you consider first? • - What types of questions would you ask the Board and/or to the CIO?
Concept 2: Physical & Logical ISS • First day on the job and you find yourself already meeting with the local Physical Security and IT Services Managers at UUC. • You introduce yourself as the new ISSM and both managers eagerly ask you “what can we do to help?”
Concept 2: Physical & Logical ISS • - What do you tell these Managers? • - What types of questions would you ask the Managers? • - As an ISSM, what are some IT, computer, and network security issues you consider important to a new ISS program at UUC? • - What about your meeting with the Board of Directors earlier? How does it apply here?
Concept 3: Risk • After a month on the job, as an ISSM, you decide to update the CIO on the progress of the UUC ISS program via email when all of a sudden the entire internal network goes down! • Your Computer Network Defense Team is able to trace the source of the disruption to a previously unknown vulnerability that was exploited on a generic perimeter router. • The CIO calls you into his office and indicates to you that he is “concerned about the Risk to the networks at UUC” and ‘wants a risk assessment conducted’ ASAP.
Concept 3: Risk • - What does the CIO mean by “Risk to the networks at UUC”? • - As an ISSM, how would you conduct a risk assessment for the CIO? • - What are some of the elements of risk? • - How is risk measured and why is it important?
Break? • Are you falling asleep? This is probably time for a break…
Security Management Attempts to manage security. • Includes Risk Management, IS Policies, Procedures, Standards, Guidelines, Baselines, Information Classification, Security Organization. • These build a security program – Purpose… protect the company's assets • A security program requires balanced application of Technical and non-technical methods!* • Process is circular: assess risks, determine needs, monitor, evaluate… start all over.
Security Management • Management is ULTIMATELY responsible for security… NOT admins, not security workers.. MANAGEMENT… let me repeat… MANAGEMENT. • Management must lead and direct all security programs. They must provide the vision AND support.
Security Management • Any good security program should be “top down” with an ultimate goal. • In this approach management creates the vision and lays out the framework. It does not make sense just to run about locking down machines without a vision. Though this is often how things are actually done.* - Why would a bottom up approach fail? (can you build a house by just starting to build?)
IMPORTANT REMINDER • Reminder: MANAGEMENT should direct security. • A security officer or group ensures that management's directives are fulfilled - they do NOT create security policy.
Functional vs. Assurance • All solutions must be evaluated by their functional and assurance requirements • Functional: “Does the solution carry out the required tasks?” • Assurance: “How sure are we of the level of protection this solution provides?”
Vulnerability • A software, hardware, or procedural weakness that may provide an attacker the opportunity to obtain unauthorized access. • Could be an unpatched application • Zero Days • “Lax” physical security • Weak protocols
Threat • A natural or man-made event that could have some type of negative impact on the organization.
Threat Agent • An actual person that takes advantage of a vulnerability
Risk • The likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact - Risk ties the vulnerability, threat and likelihood of exploitation together.
Exposure • An instance of being exposed to losses from a threat agent. • Example: A public web server that has a known vulnerability (that is not patched) is exposed.
Countermeasure / Safeguard • Some safeguard or countermeasure put into place to mitigate the potential risk. • A countermeasure reduces the possibility that a threat agent will be able to exploit a vulnerability.
Security Controls The following “controls” should be utilized to achieve security management directives: • Administrative – policies, standards, procedures, guidelines, personnel screening, training • Technical Controls (logical controls)* - authentication, firewalls, biometrics etc. • Physical Controls – locks, monitoring, mantraps, environmental controls.
Organizational Security Models • Each organization creates its own security model, which will have many entities, protection mechanisms, logical, administrative and physical components, procedures, business processes and configurations that all support the end goal. • A model is a framework made up of many entities, protection mechanisms, processes, and procedures that all work together and rely on each other to protect the company.
Security Program Development • A program is more than just a policy! It’s everything that protects data. • Security Program development is a LIFECYCLE!!! • Plan and Organize • Implement • Operate and Maintain • Monitor and Evaluate • Then start all over again!
Private vs. Military Requirements • Which security model an organization uses depends on its goals and objectives. • Military is generally concerned with CONFIDENTIALITY • Private businesses are generally concerned with AVAILABILITY (ex. Netflix, eBay etc) OR INTEGRITY (ex. Banks). • Some private sector companies are concerned with CONFIDENTIALITY (ex. hospitals). • Which ISS do you believe is most important?
Information Risk Management • Information Systems Risk Management is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level. - Why is this important? • There is no such thing as 100% security. - Can risk ever be eliminated?
Risks • Risks MUST be identified, classified and analyzed to assess potential damage (loss) to the company. • Risk is difficult to measure and quantify; however, we must prioritize the risks and attempt to address them!
Information Systems Risk Management • Did I mention that IRM is ULTIMATELY the responsibility of MANAGEMENT? • Should support the organization's mission. • Should have an IRM policy. • Should have an IRM team. • IRM should be a subset of the company's total Risk Management Policy.
Information Systems Risk Management • Goal of IRM is to ensure the company is protected in the most COST EFFECTIVE manner! (it doesn’t make sense to spend more to protect something than the “something” is worth)
Risk Analysis IRM team will need to analyze risk, what is risk analysis? • A tool for risk management, which identifies assets, vulnerabilities and threats (What are these again?) • Assess possible damage and determine where to implement safeguards.
Risk Analysis Goals • Identify assets and their values • Identify Vulnerabilities and threats • Quantify the probability of damage and cost of damage • Implement cost effective countermeasures! • ULTIMATE GOAL is to be cost effective. That is: ensure that your assets are safe, at the same time don’t spend more to protect something than it is worth*
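The four goals above can be carried through numerically. The following is an added example, not from the course slides, that values a few assets, pairs each with a threat, quantifies probability and cost of damage, ranks the risks, and keeps only the countermeasures whose yearly savings exceed their yearly cost. The arithmetic is the standard single-loss / annualized-loss method, which the slides do not introduce: SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence, and a countermeasure's value = ALE before − ALE after − annual cost. Every asset value, rate and cost is a constructed sample figure.

```python
"""Added example (not from the slides): a small quantitative risk analysis
that follows the four risk-analysis goals and the 'don't spend more than
it is worth' rule.

Method (standard annualized-loss arithmetic, not introduced on the slides):
    SLE = asset_value * exposure_factor      # cost of one incident
    ALE = SLE * ARO                          # expected loss per year
    countermeasure value = ALE_before - ALE_after - annual_cost
All figures below are constructed sample numbers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str              # vulnerability / threat pair being analyzed
    asset_value: float       # goal 1: value of the asset (sample figure)
    exposure_factor: float   # fraction of value lost in one incident (0..1)
    aro: float               # goal 3: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_aro: float                               # ARO once the safeguard is in place (assumed)
    new_exposure_factor: Optional[float] = None  # set if the safeguard limits damage instead


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """Expected yearly loss that remains after applying the countermeasure."""
    ef = risk.exposure_factor if cm.new_exposure_factor is None else cm.new_exposure_factor
    return risk.asset_value * ef * cm.new_aro


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Positive means the safeguard saves more per year than it costs."""
    return risk.ale() - residual_ale(risk, cm) - cm.annual_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Prioritize: highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def choose_countermeasures(risk: Risk,
                           candidates: List[Countermeasure]) -> List[Tuple[Countermeasure, float]]:
    """Keep only safeguards worth more than they cost, best value first."""
    scored = [(cm, countermeasure_value(risk, cm)) for cm in candidates]
    return sorted([p for p in scored if p[1] > 0], key=lambda p: p[1], reverse=True)


# Constructed sample data: three assets, one threat each.
SAMPLE_RISKS = [
    Risk("perimeter router", "unpatched vulnerability exploited", 50_000, 0.8, 0.5),
    Risk("student records DB", "unauthorized disclosure", 400_000, 0.25, 0.1),
    Risk("public web server", "denial of service outage", 20_000, 1.0, 2.0),
]

# Constructed candidate safeguards for the router risk.
ROUTER_COUNTERMEASURES = [
    Countermeasure("patch management process", annual_cost=5_000, new_aro=0.1),
    Countermeasure("replace with hardened appliance", annual_cost=25_000, new_aro=0.05),
    Countermeasure("network IDS (faster containment)", annual_cost=8_000,
                   new_aro=0.5, new_exposure_factor=0.3),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.asset:20} {r.threat:34} ALE = ${r.ale():>10,.0f}")
    router = SAMPLE_RISKS[0]
    for cm, value in choose_countermeasures(router, ROUTER_COUNTERMEASURES):
        print(f"worthwhile: {cm.name:34} net yearly value = ${value:>8,.0f}")
```

With the sample figures the web server outage ranks first even though it is the least valuable asset, because it is expected to happen twice a year; and the expensive router replacement is dropped because its annual cost exceeds the loss it would prevent, which is exactly the slide's "don't spend more to protect something than it is worth" rule.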