ISA 562 Summer 2008
Personnel good practice
• Job description; roles and responsibilities
• Least privilege/Need to know
• Compliance with need to share
• Separation of duties / responsibilities
• Job rotation
• Mandatory vacations
Security Awareness
• Awareness training
– Remind employees of security responsibility
– Motivate personnel to comply with them
– Videos
– Newsletters
– Posters
– Key-chains
Training and Education
• Job training
– Provide skills to perform security functions.
• Focus on security-related job skills
• Address security requirements of the organization, etc.
• Professional Education
– Provide decision-making and security management skills important for success of security program.
Good training practice
• Address all the audience
– Management
– Data Owner and custodian
– Operations personnel
– User
– Support personnel
Risk in NIST SP 800-30
Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization.
Risk related Definitions
• Vulnerability: a flaw or weakness in system procedures, design, implementation or internal controls that could be used to breach or violate the system
• Likelihood: probability that a vulnerability may be used in the threat environment
• Threat: the potential for a mal-actor to exercise a vulnerability
• Countermeasure: risk reduction method (technical, operational, managerial, or a combination)
• Threat Agent: anything that can pose or cause a threat
• Exposure: situation when a threat can cause loss
• Vulnerability: weakness that could be exploited
• Attack: intentional action attempting to cause harm
• Risk: probability that some event can occur
• Residual Risk: risk remaining after countermeasures and safeguards have been applied
Risk Management
To identify possible problems before they occur so that risk-handling activities may be planned and invoked as needed during the life of the product or project.
The Risk Equation
Risk Management
• Identify and reduce risks
• Determine monetary value
• Fully quantitative if all elements are quantified, but this is difficult to achieve. Requires much time and personnel effort.
Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize real world cost and value
– Price others are willing to pay for it
– Value of intellectual property
– Convertibility/negotiability
Quantitative analysis steps
1. Estimate potential single loss expectancy
SLE = Asset Value ($) * Exposure Factor
Exposure Factor = % of asset loss when threat succeeds
Types of loss
– Physical destruction, theft, loss of data, etc.
2. Conduct threat analysis
ARO - Annual Rate of Occurrence
Expected number of exposures/incidents per year
Likelihood of unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
Magnitude of risk = Annual Loss Expectancy
Purpose: to justify security countermeasures
ALE = SLE * ARO
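The three steps above carried through on constructed figures, as an added example that is not part of the course slides: SLE = AV * EF for each asset/threat pair, ALE = SLE * ARO, a ranking by ALE so the largest magnitude of risk is considered first, and a cost/benefit check for one proposed safeguard. The asset values, exposure factors and rates of occurrence are invented for illustration, and the net-value formula (ALE before minus ALE after minus annual safeguard cost) is the usual way of making "cost justified by potential loss" numeric, which is an assumption of this example rather than a formula the slide gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing with the inputs the three steps need.
    All values in SCENARIOS below are constructed for illustration."""
    asset: str
    threat: str
    asset_value: float      # AV in dollars (step 1 input)
    exposure_factor: float  # EF: fraction of AV lost when the threat succeeds (step 1 input)
    aro: float              # ARO: expected incidents per year (step 2 input)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 1: SLE = AV * EF. EF is a fraction, so a 30% loss is 0.30, not 30."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step 3: ALE = SLE * ARO. An ARO below 1 (0.2 = about once in five years) is valid."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    """Magnitude of risk for one scenario, combining steps 1 and 3."""
    return annual_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def rank_by_ale(scenarios):
    """Highest ALE first: the order in which to consider countermeasures."""
    return sorted(scenarios, key=scenario_ale, reverse=True)


def evaluate_safeguard(s: Scenario, new_exposure_factor: float, new_aro: float,
                       annual_safeguard_cost: float) -> dict:
    """Cost/benefit check for a proposed countermeasure (assumed formula, see lead-in):
    net value = ALE before - ALE after - annual cost of the safeguard.
    A positive net value means the potential loss justifies the cost."""
    ale_before = scenario_ale(s)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(s.asset_value, new_exposure_factor), new_aro)
    net_value = ale_before - ale_after - annual_safeguard_cost
    return {"ale_before": ale_before, "ale_after": ale_after,
            "net_value": net_value, "justified": net_value > 0}


# Constructed sample data, not figures from the course.
SCENARIOS = [
    Scenario("customer database", "theft of data", 500_000, 0.30, 0.2),
    Scenario("web server", "defacement", 80_000, 0.10, 2.0),
    Scenario("office laptops", "physical theft", 120_000, 0.05, 4.0),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        print(f"{s.asset:18} {s.threat:16} SLE=${sle:>10,.0f}  "
              f"ARO={s.aro:<4} ALE=${scenario_ale(s):>9,.0f}")
    # Constructed safeguard: encrypting database backups leaves EF at 0.30 but
    # cuts the ARO of data theft from 0.2 to 0.05, at $8,000 per year.
    result = evaluate_safeguard(SCENARIOS[0], 0.30, 0.05, 8_000)
    print(f"safeguard net value: ${result['net_value']:,.0f}  "
          f"justified={result['justified']}")
```

With these inputs the database scenario has SLE 150,000 and ALE 30,000, the laptops ALE 24,000 and the web server ALE 16,000, so the ranking differs from a ranking by asset value alone; the sample safeguard brings the database ALE down to 7,500 and nets 14,500 per year after its own cost.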
Qualitative Risk analysis
• Scenario oriented
• Does not assign numeric values to risk components
• Qualitative risk analysis is possible
• Qualitative risk analysis factors
– Rank seriousness of threats and sensitivity of assets
– Perform a reasoned risk assessment
Other risk analysis methods
• Failure modes and effects analysis
– Potential failures of each part or module
– Examine effects of failure at three levels
• Immediate (part or module)
• Intermediate (process or package)
• System-wide
• Fault tree or spanning tree analysis
– Create a "tree" of all possible threats and faults
• "Branches" are general categories [network threats, physical threats, component failures, etc.]
• Prune "branches" that do not apply
• Concentrate on remaining threats.
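The fault-tree procedure from the slide, as an added example that is not from the course: a small tree whose branches are the general categories named above (network threats, physical threats, component failures), each branch carrying an applicability test against a profile of the system being assessed, a prune step that drops branches that do not apply, and a list of the threats that remain to concentrate on. The example goes one step beyond the slide by also propagating constructed leaf likelihoods up through OR and AND gates (standard fault-tree arithmetic, assuming independent events); the tree, the profile keys and every probability are invented for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Node:
    """A node in the threat/fault tree. Leaves carry a constructed annual
    likelihood; internal nodes combine their children through a gate."""
    name: str
    gate: str = "OR"                      # "OR": any child event suffices; "AND": all are needed
    probability: Optional[float] = None   # leaves only
    applies: Callable[[dict], bool] = lambda profile: True
    children: list = field(default_factory=list)


def prune(node: Node, profile: dict) -> Optional[Node]:
    """Copy of the tree with branches whose applicability test fails removed.
    Returns None when this node is pruned or when all of its branches were."""
    if not node.applies(profile):
        return None
    kept = [c for c in (prune(child, profile) for child in node.children) if c is not None]
    if node.children and not kept:
        return None
    return Node(node.name, node.gate, node.probability, node.applies, kept)


def top_event_probability(node: Node) -> float:
    """Propagate leaf likelihoods upward, assuming independent events:
    OR gate -> 1 - prod(1 - p_i); AND gate -> prod(p_i)."""
    if not node.children:
        return node.probability
    child_ps = [top_event_probability(c) for c in node.children]
    if node.gate == "AND":
        all_occur = 1.0
        for p in child_ps:
            all_occur *= p
        return all_occur
    none_occur = 1.0
    for p in child_ps:
        none_occur *= 1.0 - p
    return 1.0 - none_occur


def remaining_threats(node: Node) -> list:
    """Leaf names left after pruning: the threats to concentrate on."""
    if not node.children:
        return [node.name]
    return [name for c in node.children for name in remaining_threats(c)]


def leaf(name: str, p: float, applies=lambda profile: True) -> Node:
    return Node(name, probability=p, applies=applies)


# Constructed tree for a top event "service outage"; likelihoods are invented.
SERVICE_OUTAGE = Node("Service outage", children=[
    Node("Network threats", applies=lambda pr: pr["internet_facing"], children=[
        leaf("Volumetric DDoS", 0.30),
        leaf("Router misconfiguration", 0.10),
    ]),
    Node("Physical threats", children=[
        leaf("Flooding of server room", 0.05, applies=lambda pr: pr["floodplain"]),
        # Both must happen for the power branch to cause the outage: AND gate.
        Node("Loss of power", gate="AND", children=[
            leaf("Grid power failure", 0.40),
            leaf("UPS failure during outage", 0.20),
        ]),
    ]),
    Node("Component failures", children=[
        leaf("Disk failure", 0.25),
    ]),
])


def assess(profile: dict):
    """Prune the tree for one system profile, then return the threats to
    concentrate on and the resulting top-event likelihood."""
    tree = prune(SERVICE_OUTAGE, profile)
    return remaining_threats(tree), top_event_probability(tree)


if __name__ == "__main__":
    for profile in ({"internet_facing": True, "floodplain": False},
                    {"internet_facing": False, "floodplain": True}):
        threats, p = assess(profile)
        print(f"{profile}: P(outage)={p:.4f}; concentrate on {threats}")
```

For an internet-facing system outside a floodplain the flood branch is pruned, the power branch contributes 0.40 * 0.20 = 0.08 through its AND gate, and the top event works out to 1 - 0.63 * 0.92 * 0.75 = 0.5653; for a system that is not internet-facing the whole network branch disappears from the list of threats to concentrate on.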
• Based on cost/benefit analysis, cost of safeguard
• Selection and acquisition
• Construction and placement
• Environment modification
• Nontrivial operating cost
• Maintenance, testing
• Potential side effects
• Cost justified by potential loss
• Accountability
– At least one person for each safeguard
– Associate directly with performance review
• Audit capability
– Must be testable
– Include auditors in design and implementation
• Vendor Trustworthiness
– Review past performance
• Independence of control and subject
– Safeguards control/constrain subjects
– Controllers administer safeguards
– Controllers and subjects have different populations
Countermeasures, when activated, should:
• Avoid asset destruction and stop further damage
• Prevent disclosure of sensitive information through a covert channel
• Maintain confidence in system security
• Capture information related to the attack and attacker
• Override and fail-safe defaults
• Residual and reset
Basis and Origin of Ethics
• Religion, law, tradition, culture
• National interest
• Individual rights
• Enlightened self interest
• Common good/interest
• Professional ethics/practices
• Standards of good practice
Ethics
• Formal ethical theories
– Teleology: ethics in terms of goals, purposes, or ends
– Deontology: ethical behavior is duty
• Common ethical fallacies
– Computers are a game
– Law-abiding citizen, Gentlemanly conduct, Free
• Difficult to define
– Start with senior management
Professional Codes of ethics
• Internet Activities Board (IAB)
– Any activity is unethical & unacceptable that purposely:
• Seeks to gain unauthorized access to the internet resources
• Disrupts the intended use of the internet
• Wastes resources through such actions
• Destroys the integrity of computer-based information
• Compromises the privacy of users
• Involves negligence in the conduct of internet-wide experiments
• ACM and IEEE (look them up)
• (ISC)2
– Protect society, the commonwealth, and the infrastructure
– Provide diligent and competent services to principals, etc.