ISA 562 Summer 2008
Posted Dec 26, 2015 by Arthur Day

Transcript

Page 1: Personnel good practice
• Job description; roles and responsibilities
• Least privilege / need to know
• Compliance with need to share
• Separation of duties / responsibilities
• Job rotation
• Mandatory vacations

Page 2: Security Awareness
• Awareness training
  – Remind employees of their security responsibilities
  – Motivate personnel to comply with them
  – Delivery: videos, newsletters, posters, key-chains

Page 3: Training and Education
• Job training
  – Provide skills to perform security functions
    • Focus on security-related job skills
    • Address security requirements of the organization, etc.
• Professional education
  – Provide decision-making and security management skills important for the success of the security program

Page 4: Good training practice
• Address all the audience
  – Management
  – Data owner and custodian
  – Operations personnel
  – User
  – Support personnel

Page 5: Risk in NIST SP 800-30
Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization.

Page 6: Risk related definitions
• Vulnerability: a flaw or weakness in system procedures, design, implementation or internal controls that could be used to breach or violate the system
• Likelihood: probability that a vulnerability may be used in the threat environment
• Threat: the potential for a mal-actor to exercise a vulnerability
• Countermeasure: risk reduction method (technical, operational, managerial, or a combination)

Page 7: Risk Management concept flow
(diagram; no text captured in the transcript)

Page 8: Risk Management definitions
• Asset: something valued (to accomplish goals and objectives)
• Threat agent: anything that can pose or cause a threat
• Exposure: situation when a threat can cause loss
• Vulnerability: weakness that could be exploited
• Attack: intentional action attempting to cause harm
• Risk: probability that some event can occur
• Residual risk: risk remaining after countermeasures and safeguards have been applied

Page 9: Risk Management
To identify possible problems before they occur so that risk-handling activities may be planned and invoked as needed during the life of the product or project.

Page 10: The Risk Equation
(equation not captured in the transcript)

Page 11: Risk Management
• Identify and reduce risks
  – Mitigating controls [safeguards & countermeasures]
  – Residual risk, when countermeasures exist but are not sufficient, should be at an acceptable level

Page 12: Purpose of Risk Analysis
• Identify and justify risk mitigation
  – Assess threats to business processes and IS
  – Justify use of countermeasures
• Describe security based on risk to the organization

Page 13: Benefits of Risk Analysis
• Focus on policy and resources
• Identify areas with specific risk
  – Good IT governance, supporting:
    • Business continuity
    • Insurance and liability decisions
    • Legitimizing the security awareness program

Page 14: Emerging threats
• Risk assessment must address new threats
  – New technology
  – Change in culture of the organization
  – Unauthorized use of technology
• May be discovered by periodic risk assessment

Page 15: Sources for identifying threats
• Users
  – System administrators
  – Security officers
  – Auditors
• Operations
  – Facility records
  – Community and government records
• Vendor/security provider alerts
• Other threats:
  – Natural disasters: flood, tornado, etc.
  – Environment: overcrowding or poor morale
  – Facility: physical security or location of building

Page 16: Risk analysis key factors
• Obtain senior management support
• Establish risk assessment team
• Define and approve purpose and scope
• Select team members
• State their authority and responsibility
• Have management review findings and recommendations
• Risk team members to include: IS system security, IT & operations management, internal audit, physical security, etc.

Page 17: Use of automated tools for risk management
• Objective: to minimize manual effort
• May be time consuming in setup
• Perform calculations quickly
  – Estimate future expected loss
  – Determine benefit of security measures

Page 18: Preliminary security evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval

Page 19: Risk analysis types
• Two types
  – Quantitative
  – Qualitative
• Both provide valuable metrics
• Both required for a full picture

Page 20: Quantitative risk analysis
• Determine monetary value
• Fully quantitative if all elements are quantified, but this is difficult to achieve and requires much time and personnel effort

Page 21: Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize real-world cost and value
  – Price others are willing to pay for it
  – Value of intellectual property
  – Convertibility/negotiability

Page 22: Quantitative analysis steps
1. Estimate potential single loss expectancy
   SLE = Asset Value ($) * Exposure Factor
   Exposure Factor = % of the asset lost when the threat succeeds
   Types of loss
   – Physical destruction, theft, loss of data, etc.
2. Conduct threat analysis
   ARO = Annual Rate of Occurrence
   Expected number of exposures/incidents per year
   Likelihood of the unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
   Magnitude of risk = Annual Loss Expectancy
   Purpose: to justify security countermeasures
   ALE = SLE * ARO
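A worked run of the three steps above (added example code, not from the ISA 562 slides): a constructed register of asset/threat pairs carries the asset value, exposure factor and ARO, from which SLE and ALE are computed and the exposures are ranked by ALE. The dollar figures and rates are constructed sample values.

```python
"""Quantitative risk analysis: SLE, ARO and ALE over a constructed asset register.

Added example, not part of the ISA 562 slides.  All asset values, exposure
factors and annual rates below are constructed sample figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pairing with the inputs of the three slide steps."""
    asset: str
    threat: str              # type of loss: physical destruction, theft, loss of data, ...
    asset_value: float       # step 1 input: asset value in dollars
    exposure_factor: float   # step 1 input: fraction of the asset lost when the threat succeeds (0..1)
    aro: float               # step 2: annual rate of occurrence (expected incidents per year)

    def sle(self) -> float:
        """Step 1: single loss expectancy = asset value * exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 3: annual loss expectancy = SLE * ARO, the magnitude of the risk."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


# Constructed sample register (not from the slides).
REGISTER = [
    Exposure("customer database", "loss of data (breach)",      2_000_000, 0.30, 0.10),
    Exposure("web storefront",    "physical destruction (fire)",  500_000, 1.00, 0.02),
    Exposure("field laptops",     "theft",                         50_000, 0.25, 2.00),
]


def rank_by_ale(register):
    """Return (asset, threat, SLE, ALE) tuples, largest ALE first."""
    rows = [(e.asset, e.threat, e.sle(), e.ale()) for e in register]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def total_ale(register) -> float:
    """Sum of ALE across the register: the annualised loss the program must be justified against."""
    return sum(e.ale() for e in register)


if __name__ == "__main__":
    for asset, threat, sle, ale in rank_by_ale(REGISTER):
        print(f"{asset:18} {threat:28} SLE=${sle:>12,.0f}  ALE=${ale:>10,.0f}")
    print(f"total ALE: ${total_ale(REGISTER):,.0f}")
```

Ranking by ALE rather than SLE is the point of step 3: in the sample register the laptops have the smallest SLE, but with two thefts expected a year their ALE is larger than the storefront fire scenario's.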

Page 23: Qualitative risk analysis
• Scenario oriented
• Does not assign numeric values to risk components
• Qualitative risk analysis is possible
• Qualitative risk analysis factors
  – Rank seriousness of threats and sensitivity of assets
  – Perform a reasoned risk assessment
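The same ranking done qualitatively (added example, not from the slides): each scenario is rated on ordinal likelihood and impact scales, the two are combined through a three-level matrix in the NIST SP 800-30 sense of risk as a function of likelihood and impact, and the scenario is re-rated after its countermeasure to show whether the residual risk is within the stated tolerance. The scenarios, the matrix and the control effects are constructed.

```python
"""Qualitative (scenario-oriented) risk analysis with ordinal ratings.

Added example, not from the ISA 562 slides.  The scenarios, ratings and the
three-level matrix are constructed; a real program calibrates its own scale.
"""
LEVELS = ("low", "medium", "high")

# Risk as a function of likelihood and impact, expressed ordinally.
# Outer key: likelihood, inner key: impact.
MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def rate(likelihood: str, impact: str) -> str:
    """Combine two ordinal ratings into a risk level; reject values outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return MATRIX[likelihood][impact]


def lower(level: str, steps: int) -> str:
    """Reduce an ordinal rating by `steps` levels, never below 'low'."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def assess(scenarios, controls, tolerance="medium"):
    """Rank scenarios by inherent risk, apply controls, flag residual risk above tolerance.

    scenarios: name -> (likelihood, impact)
    controls:  name -> (likelihood_steps, impact_steps) reduction the countermeasure gives
    Returns a list of dicts, highest inherent risk first (ties keep input order).
    """
    order = {lvl: i for i, lvl in enumerate(LEVELS)}
    rows = []
    for name, (lik, imp) in scenarios.items():
        inherent = rate(lik, imp)
        dl, di = controls.get(name, (0, 0))
        residual = rate(lower(lik, dl), lower(imp, di))
        rows.append({
            "scenario": name,
            "inherent": inherent,
            "residual": residual,
            "acceptable": order[residual] <= order[tolerance],
        })
    return sorted(rows, key=lambda r: order[r["inherent"]], reverse=True)


# Constructed scenarios and control effects (not from the slides).
SCENARIOS = {
    "phishing leads to credential theft": ("high", "high"),
    "backup tapes lost in transit":       ("medium", "high"),
    "office flooding":                    ("low", "medium"),
}
CONTROLS = {
    "phishing leads to credential theft": (1, 0),  # awareness training lowers likelihood only
    "backup tapes lost in transit":       (0, 2),  # encrypting the tapes removes most of the impact
}

if __name__ == "__main__":
    for row in assess(SCENARIOS, CONTROLS):
        flag = "" if row["acceptable"] else "  <-- above tolerance, needs further treatment"
        print(f"{row['scenario']:36} inherent={row['inherent']:6} residual={row['residual']:6}{flag}")
```

The phishing scenario is the one to watch: awareness training alone moves likelihood down one step, but the matrix still rates medium likelihood with high impact as high, so the residual stays above a medium tolerance and the slide's rule that residual risk must reach an acceptable level is not met.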

Page 24: Other risk analysis methods
• Failure modes and effects analysis
  – Potential failures of each part or module
  – Examine effects of failure at three levels
    • Immediate (part or module)
    • Intermediate (process or package)
    • System-wide
• Fault tree or spanning tree analysis
  – Create a "tree" of all possible threats and faults
    • "Branches" are general categories [network threats, physical threats, component failures, etc.]
    • Prune "branches" that do not apply
    • Concentrate on remaining threats
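A small fault-tree style enumeration of the kind the slide describes (added example, not from the slides): branches are general categories with an applicability condition, leaves are specific threats or faults, and pruning removes the branches that do not apply to a constructed environment profile, leaving the threats to concentrate on. The tree, the profile keys (internet_facing, owns_server_room, flood_zone) and the threat names are constructed.

```python
"""Threat tree with pruning of branches that do not apply.

Added example, not from the ISA 562 slides.  The category tree and the
environment profile are constructed; a real assessment builds the tree from
the organisation's own threat sources.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Env = Dict[str, bool]  # constructed environment profile, e.g. {"internet_facing": True}


@dataclass
class Node:
    name: str
    # A branch applies when its condition holds for the environment; None means always.
    condition: Optional[Callable[[Env], bool]] = None
    children: List["Node"] = field(default_factory=list)

    def applies(self, env: Env) -> bool:
        return self.condition is None or self.condition(env)


def prune(node: Node, env: Env) -> Optional[Node]:
    """Copy the tree without non-applicable branches; None if this node is pruned.

    A category that applies but has no surviving children is dropped as well,
    so it cannot masquerade as a threat of its own.
    """
    if not node.applies(env):
        return None
    if not node.children:
        return Node(node.name, node.condition, [])
    kept = [c for c in (prune(child, env) for child in node.children) if c is not None]
    if not kept:
        return None
    return Node(node.name, node.condition, kept)


def remaining_threats(node: Optional[Node]) -> List[str]:
    """Leaves of the pruned tree: the threats that remain to be analysed."""
    if node is None:
        return []
    if not node.children:
        return [node.name]
    return [leaf for child in node.children for leaf in remaining_threats(child)]


# Constructed tree: branches are general categories, leaves are specific threats/faults.
TREE = Node("all threats", children=[
    Node("network threats", lambda e: e.get("internet_facing", False), [
        Node("denial of service"),
        Node("compromise of exposed services"),
    ]),
    Node("physical threats", lambda e: e.get("owns_server_room", False), [
        Node("fire"),
        Node("flood", lambda e: e.get("flood_zone", False)),
        Node("unauthorised entry"),
    ]),
    Node("component failures", children=[
        Node("disk failure"),
        Node("power supply failure"),
    ]),
])

if __name__ == "__main__":
    # Constructed profile: cloud-hosted service, no server room of its own.
    profile = {"internet_facing": True, "owns_server_room": False, "flood_zone": True}
    for threat in remaining_threats(prune(TREE, profile)):
        print(threat)
```

The flood leaf shows why the condition sits on the branch as well as the leaf: for a tenant without a server room the whole physical branch is pruned, so the flood-zone flag never has to be evaluated.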

Page 25: Risk mitigation options
• Risk acceptance
• Risk reduction
• Risk transference
• Risk avoidance

Page 26: The right amount of security
• Cost/benefit analysis: balance the cost of protection against the asset value
• Need to assess:
  – Threats, adversary, means, motives, and opportunity
  – Vulnerabilities and resulting risk
  – Risk tolerance

Page 27: Countermeasures Selection Principles
• Based on cost/benefit analysis; cost of a safeguard includes:
  – Selection and acquisition
  – Construction and placement
  – Environment modification
  – Nontrivial operating cost
  – Maintenance, testing
  – Potential side effects
• Cost justified by potential loss
• Accountability
  – At least one person for each safeguard
  – Associate directly with performance review
• Absence of design secrecy
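Cost/benefit screening of candidate safeguards against the ALE of one threat, as the cost/benefit and accountability principles above describe (added example, not from the slides): each candidate carries its one-time and operating costs and an accountable owner, and its net value is the ALE before the safeguard minus the ALE after it minus the safeguard's annualised cost. The asset figures, safeguards, costs and owner names are constructed.

```python
"""Cost/benefit screening of safeguards against annual loss expectancy.

Added example, not from the ISA 562 slides.  The threat figures, safeguard
costs, effects and owners are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    owner: str               # accountability: at least one named person per safeguard
    acquisition: float       # one-time cost: selection/acquisition, construction and placement ($)
    years: int               # years over which the one-time cost is spread
    annual_operating: float  # operating cost, maintenance and testing ($/year)
    aro_after: float         # expected incidents per year with the safeguard in place
    ef_after: float          # exposure factor with the safeguard in place

    def __post_init__(self):
        if not self.owner.strip():
            raise ValueError(f"{self.name}: every safeguard needs an accountable owner")
        if self.years < 1:
            raise ValueError(f"{self.name}: years must be at least 1")

    def annual_cost(self) -> float:
        """Total annualised cost of the safeguard."""
        return self.acquisition / self.years + self.annual_operating


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual loss expectancy = (asset value * exposure factor) * ARO."""
    return asset_value * exposure_factor * aro


def net_benefit(asset_value: float, ef_before: float, aro_before: float, sg: Safeguard) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard."""
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, sg.ef_after, sg.aro_after)
    return before - after - sg.annual_cost()


def select(asset_value: float, ef_before: float, aro_before: float, candidates):
    """(name, net benefit) per candidate, best first; negative means it costs more than it saves."""
    scored = [(sg.name, net_benefit(asset_value, ef_before, aro_before, sg)) for sg in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed threat: breach of a customer database (ALE before = $60,000).
ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 2_000_000, 0.30, 0.10

# Constructed candidate safeguards.
CANDIDATES = [
    Safeguard("database encryption at rest", "DBA lead",          40_000, 4,  5_000, 0.10, 0.10),
    Safeguard("managed 24x7 monitoring",     "security manager",       0, 1, 70_000, 0.05, 0.30),
    Safeguard("quarterly access review",     "IAM analyst",            0, 1,  8_000, 0.08, 0.30),
]

if __name__ == "__main__":
    print(f"ALE before any safeguard: ${ale(ASSET_VALUE, EF_BEFORE, ARO_BEFORE):,.0f}")
    for name, value in select(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        print(f"{name:28} net annual benefit ${value:>10,.0f}")
```

Monitoring halves the ARO, but at $70,000 a year it removes only $30,000 of ALE, so its net value is negative and the slide's "cost justified by potential loss" test fails; encryption, which leaves the ARO alone and shrinks the exposure factor instead, comes out best.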

Page 28: Countermeasures Selection Principles (cont.)
• Audit capability
  – Must be testable
  – Include auditors in design and implementation
• Vendor trustworthiness
  – Review past performance
• Independence of control and subject
  – Safeguards control/constrain subjects
  – Controllers administer safeguards
  – Controllers and subjects have different populations
• Universal application
  – Impose safeguards uniformly
  – Minimize exceptions
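A check for the independence principle above (added example, not from the slides): for each safeguard, the population that administers it must not overlap the population it constrains, and every safeguard must have someone administering it. The safeguard and role names are constructed.

```python
"""Independence of control and subject: controllers and subjects must be different populations.

Added example, not from the ISA 562 slides.  The safeguards and role names
below are constructed.
"""
from typing import Dict, List, Set, Tuple

Assignment = Tuple[Set[str], Set[str]]  # (controllers who administer it, subjects it constrains)

# Constructed role assignments; two of them deliberately break the principle.
ASSIGNMENTS: Dict[str, Assignment] = {
    "payment approval limit":     ({"finance controller"},        {"ap clerk", "purchasing"}),
    "firewall change control":    ({"netops lead", "ap clerk"},   {"ap clerk", "devops"}),     # overlap
    "badge access to server room": (set(),                         {"devops", "netops lead"}),  # no controller
}


def independence_violations(assignments: Dict[str, Assignment]) -> List[str]:
    """One finding per safeguard that lacks a controller or whose controllers are also its subjects."""
    findings = []
    for safeguard, (controllers, subjects) in assignments.items():
        if not controllers:
            findings.append(f"{safeguard}: no controller administers this safeguard")
        overlap = controllers & subjects
        if overlap:
            findings.append(f"{safeguard}: controller(s) also subject to it: {sorted(overlap)}")
    return findings


if __name__ == "__main__":
    for finding in independence_violations(ASSIGNMENTS) or ["no violations"]:
        print(finding)
```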

Page 29: Countermeasures Selection Principles (cont.)
• Compartmentalization and defense in depth
  – Role of safeguards: to improve security through layers
• Isolation, economy, and least common mechanism
  – Isolate from other safeguards
  – Simple design is cost effective and reliable, etc.
• Acceptance and tolerance by personnel
  – Take care to avoid implementing controls that pose unreasonable constraints
  – Less intrusive controls are more acceptable
• Minimize human intervention
  – Reduce the possibility of errors and "exceptions" by reducing reliance on administrative staff to maintain control

Page 30: Countermeasures Selection Principles (cont.)
• Sustainability
• Reaction and recovery
  – Countermeasures, when activated, should:
    • Avoid asset destruction and stop further damage
    • Prevent disclosure of sensitive information through a covert channel
    • Maintain confidence in system security
    • Capture information related to the attack and attacker
• Override and fail-safe defaults
• Residual and reset

Page 31: Basis and Origin of Ethics
• Religion, law, tradition, culture
• National interest
• Individual rights
• Enlightened self-interest
• Common good/interest
• Professional ethics/practices
• Standards of good practice

Page 32: Ethics
• Formal ethical theories
  – Teleology: ethics in terms of goals, purposes, or ends
  – Deontology: ethical behavior is duty
• Common ethical fallacies
  – Computers are a game
  – Law-abiding citizen, gentlemanly conduct, free information
  – Shatterproof
  – Candy-from-a-baby
  – Hackers
• Difficult to define
  – Start with senior management

Page 33: Professional Codes of Ethics
• Internet Activities Board (IAB)
  – Any activity is unethical & unacceptable that purposely:
    • Seeks to gain unauthorized access to internet resources
    • Disrupts the intended use of the internet
    • Wastes resources through such actions
    • Destroys the integrity of computer-based information
    • Compromises the privacy of users
    • Involves negligence in the conduct of internet-wide experiments
• ACM and IEEE (look them up)
• (ISC)2
  – Protect society, the commonwealth, and the infrastructure
  – Provide diligent and competent services to principals, etc.
• Auditors
• Professional codes may have legal importance