
ITC596 IT Risk Management

Li-minn Ang (Kenneth)

Please check that you can hear me and see the slides on your computer.
If you need to communicate, please use the chat box.

For Today's Class
* Subject Information
* Topic 1: Information Security Basics
* Assessment Item 1

Cengage Learning 2014

Subject Overview

Online meeting every week: Thur. 7 to 8pm (most popular from 34 responses). Meetings will be recorded and available online.

IT Security
* Information security basics
* Security planning and rules
* Policy and program
* Management models and practices

Risk Management
* Foundations of risk management 1: Identifying risks
* Foundations of risk management 2: Controlling risks
* Quantitative risk assessment
* Qualitative risk assessment

Related Topics
* Cyberinsurance
* Risk perception and communication
* Security metrics


Textbook

Comprehensive and systematic text on information security


Is IT security a problem?


To Get Started

Watch the video in Topic 5 on IT risk management


Assessment Information

Please note that we do not have a final exam for this subject.
Learning strategy: the text and readings are a resource for you to do your assessment items.


About Me

Li-minn Ang (Kenneth)
Preferred communication is email.
Email: lang@csu.edu.au
Phone: (02) 6933 2591
Campus: 01/216

If you need to, we can set up individual meeting times to go through specific needs/problems (e.g. setting up software). I can discuss anything with you except for anything directly related to your assessment items.

Background:
* Academic experience at UK (Nottingham) & Australian (Monash, Edith Cowan) universities
* Currently senior lecturer in computing (Wagga campus)
* Research in security, sensor/communication networks, signal/image processing
* Implemented encryption algorithms (Advanced Encryption Standard) on sensor nodes
* Some background as an analyst/programmer (COBOL)
* https://www.csu.edu.au/faculty/business/scm/staff/profiles/senior-lecturers/li-minn-ang


Information Security Basics

* Key characteristics of information security
* Differentiate information security management from general business management


Introduction

Security funding and planning decisions should involve three distinct groups of decision makers, or communities of interest:
* Information security community - protects the information assets of an organization
* Information technology community - supports the business objectives by supplying and supporting IT that is appropriate to the organization's needs
* General business community - articulates and communicates organizational policy and objectives and allocates resources to the other groups

Information security is about identifying, measuring, and mitigating the risk associated with operating information assets.

About 1 in 12 IT jobs will be in security.


Think about potential vulnerabilities (hasn't happened yet, what if?) and shut the door; cf. typical business activity, where a customer tells you of an actual need and you resolve it.

Another CSU subject: ITC593 Network Security


What is Security? Part 1

Security: the quality or state of being secure, that is, free from danger.

To be secure is to be protected from the risk of loss, damage, unwanted modification, or other hazards.

Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another.

Management's role is to ensure that each strategy is properly planned, organized, staffed, directed, and controlled.


What is Security? Part 2

Specialized areas of security include:
* Physical security - protecting people, physical assets, and the workplace from various threats (fire, unauthorized access, and natural disasters)
* Operations security - protecting the organization's ability to carry out operational activities without interruption or compromise
* Communications security - protecting communications media, technology, and content
* Network security - protecting data networking devices, connections, and contents. Example: a denial-of-service (DoS) attack, the transmission of a large number of connection/information requests to a target, blocking other legitimate traffic


Threats to Information Security

What threats do we need to think about? The scope is broad and varied (from technical attacks to human errors).

Threat - Description/Example
* Compromises to intellectual property - Software piracy or other copyright infringement
* Deviations in quality of service from service providers - Fluctuations in power, data, and other services
* Espionage or trespass - Unauthorized access and/or data collection
* Forces of nature - Fire, flood, earthquake, lightning, etc.
* Human error or failure - Accidents, employee mistakes, failure to follow policy
* Information extortion - Blackmail threat of information disclosure
* Sabotage or vandalism - Damage to or destruction of systems or information
* Software attacks - Malware: viruses, worms, macros, denial of service, or script injections
* Technical hardware failures or errors - Hardware equipment failure
* Technical software failures or errors - Bugs, code problems, loopholes, back doors
* Technological obsolescence - Antiquated or outdated technologies
* Theft - Illegal confiscation of equipment or information

What is Security? Part 3

Information security (InfoSec): the protection of information and its critical elements (confidentiality, integrity and availability), including the systems and hardware that use, store, and transmit that information.

CNSS Security Model
* Also known as the McCumber Cube
* Serves as the standard for understanding aspects of InfoSec
* Main goal is to identify gaps in the coverage of an InfoSec program
* The model covers the three dimensions central to InfoSec: information characteristics, information location, and security control categories

CNSS: Committee on National Security Systems (chaired by the US Secretary of Defense). National Training Standard for Information Systems Security (InfoSec) Professionals.

CNSS security model
* The model is represented as a 3x3x3 cube with 27 cells
* Each cell represents an area of intersection among the three dimensions
* When using this model to design or review any InfoSec program, you must make sure each of the 27 cells is properly addressed
* The cell for (Technology, Integrity, Storage) addresses the use of technology to protect the integrity of information while in storage (e.g. an intrusion detection system alerts security administrators when a critical file is modified/deleted)
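As an added example (not from the slides or the textbook), the gap-finding review the cube is meant to support, in Python: all 27 (control category, characteristic, location) cells are enumerated and compared against a constructed control inventory. The slide names only Technology, Integrity and Storage; the other axis labels used here are the standard McCumber labels and are an assumption of this example.

```python
from itertools import product

# McCumber Cube axes. Only "technology", "integrity" and "storage" appear on
# the slide; the other labels are the model's standard ones (assumed here).
CHARACTERISTICS = ("confidentiality", "integrity", "availability")
LOCATIONS = ("storage", "processing", "transmission")
CONTROL_CATEGORIES = ("policy", "education", "technology")

# 3 x 3 x 3 = 27 cells, each a (category, characteristic, location) triple.
ALL_CELLS = frozenset(product(CONTROL_CATEGORIES, CHARACTERISTICS, LOCATIONS))

# Constructed control inventory for a fictional InfoSec program. Each control
# lists the cube cells it addresses.
PROGRAM = {
    "IDS alert when a critical file is modified/deleted":
        [("technology", "integrity", "storage")],
    "Disk and backup encryption":
        [("technology", "confidentiality", "storage")],
    "TLS on all external services":
        [("technology", "confidentiality", "transmission"),
         ("technology", "integrity", "transmission")],
    "Acceptable-use and data-handling policy":
        [("policy", c, loc) for c in CHARACTERISTICS for loc in LOCATIONS],
    "Annual SETA course on phishing and data handling":
        [("education", "confidentiality", "processing"),
         ("education", "confidentiality", "transmission")],
}


def coverage_gaps(program):
    """Return the sorted cube cells that no control in `program` addresses."""
    covered = set()
    for cells in program.values():
        for cell in cells:
            if cell not in ALL_CELLS:
                raise ValueError(f"not a McCumber Cube cell: {cell}")
            covered.add(cell)
    return sorted(ALL_CELLS - covered)


def controls_for(program, cell):
    """Names of the controls that claim a given cell, for a per-cell review."""
    return sorted(name for name, cells in program.items() if cell in cells)


if __name__ == "__main__":
    gaps = coverage_gaps(PROGRAM)
    print(f"{len(ALL_CELLS) - len(gaps)} of {len(ALL_CELLS)} cells covered")
    for cat, char, loc in gaps:
        print(f"  gap: ({cat}, {char}, {loc})")
```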

Key Concepts of Information Security Part 1
* C.I.A. triangle: industry standard for computer security since the development of the mainframe
* Confidentiality, integrity, and availability are the characteristics of the original C.I.A. triangle
* Due to today's constantly changing IT environment, the C.I.A. triangle has been expanded to include privacy, identification, authentication, authorization, and accountability


Key Concepts of Information Security Part 2

Confidentiality: only those with sufficient privileges and a demonstrated need may access the information. Closely related to privacy: only allow authorised users to view information (e.g. different levels of access).

Measures used to protect the confidentiality of information:
* Information classification
* Secure document (and data) storage (destroy vs discard)
* Application of general security policies
* Education of information custodians and end users
* Cryptography (encryption)

Key Concepts of Information Security Part 3

Integrity: the quality or state of being whole, complete, and uncorrupted.
* Information's integrity is threatened when exposed to corruption, damage, destruction, or other disruption of its authentic state
* Error-control techniques: use of redundancy bits and check bits
* A computer virus can be designed to corrupt data by changing certain bits in a file

Availability: authorized users have access to information in a usable format, without interference or obstruction.
* CSU library: once logged in, you expect to be able to locate and access resources
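An added example (not from the slides) in Python showing the two integrity mechanisms this slide names, run on a constructed record: per-byte check bits catch the single-bit change a data-corrupting virus might make, while a stored SHA-256 digest also catches a two-bit change in one byte, which even parity misses.

```python
import hashlib

# Constructed sample record, standing in for a file whose integrity matters.
ORIGINAL = b"Account: 1042\nBalance: 500.00\nStatus: ACTIVE\n"


def parity_bits(data):
    """One even-parity check bit per byte (1 if the byte has an odd number of
    set bits). This redundancy lets any single-bit error in a byte be caught."""
    return bytes(bin(b).count("1") & 1 for b in data)


def parity_errors(data, check_bits):
    """Indices of bytes whose recomputed parity disagrees with the stored check bits."""
    return [i for i, (p, c) in enumerate(zip(parity_bits(data), check_bits)) if p != c]


def digest(data):
    """Whole-file fingerprint, recorded while the data is known to be good."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data, baseline):
    """True if the data still matches the recorded fingerprint."""
    return digest(data) == baseline


def flip_bit(data, index, bit):
    """Return a copy of `data` with one bit flipped, the kind of targeted change a
    data-corrupting virus makes. Flipping bit 0 of the '5' at index 23 turns the
    balance 500.00 into 400.00."""
    corrupted = bytearray(data)
    corrupted[index] ^= 1 << bit
    return bytes(corrupted)


# Values an integrity control stores alongside the trusted data.
CHECK_BITS = parity_bits(ORIGINAL)
BASELINE = digest(ORIGINAL)

if __name__ == "__main__":
    single = flip_bit(ORIGINAL, 23, 0)   # one bit changed in one byte
    double = flip_bit(single, 23, 1)     # two bits changed in the same byte
    for name, data in (("single flip", single), ("double flip", double)):
        print(name, "parity errors:", parity_errors(data, CHECK_BITS),
              "hash ok:", integrity_ok(data, BASELINE))
```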

Key Concepts of Information Security Part 4

Privacy: information will be used only in ways approved by the person who provided it.
* Many organizations collect, swap, and sell personal information
* In information security, privacy does not mean freedom from observation. Rather, it means that information will be used only in ways approved by the person

Identification: when an information system is able to recognize individual users.
* First step in gaining access to secured material; serves as the foundation for subsequent authentication and authorization
* Typically performed by means of a user name or ID


Key Concepts of Information Security Part 5

Authentication: the process by which a control establishes whether a user (or system) has the identity it claims to have. Example: use of cryptographic certificates, passwords.

Authorization: a process that defines what an authenticated user has been specifically authorized by the proper authority to do. Example: access, modify, or delete information.

Accountability: occurs when a control provides assurance that every activity undertaken can be attributed to a named person or automated process, e.g. audit logs.


Principles of Information Security Management

The extended characteristics of information security are known as the six Ps:
* Planning
* Policy
* Programs
* Protection
* People
* Projects

The IT management team ensures effective and efficient processing of information; the InfoSec management team ensures confidentiality, integrity and availability of information. Security will slow down the information flow, as information needs to be validated, verified and assessed against security criteria (possibly conflicting goals).


Planning

The planning model includes activities necessary to support the design, creation, and implementation of InfoSec strategies.

Types of InfoSec plans:
* Incident response planning
* Business continuity planning
* Disaster recovery planning
* Policy planning and personnel planning
* Technology rollout planning
* Risk management planning and security program planning

Next class will discuss planning for security and contingencies.


Policy

Policy: the set of organizational guidelines that dictates certain behavior within the organization.

Three general policy categories:
* Enterprise information security policy (EISP) - sets the tone for the InfoSec department (e.g. bank encryption systems must use industry-specific systems for key management)
* Issue-specific security policy (ISSP) - sets of rules that define acceptable behavior within a specific technology (e.g. acceptable email/Internet usage)
* System-specific policies (SysSPs) - control the configuration and/or use of a piece of equipment or technology (e.g. access control list)


Programs

Programs: InfoSec operations that are specifically managed as separate entities. Example: a security education, training and awareness (SETA) program.

Other types of programs:
* Physical security program, complete with fire protection, physical access, gates, guards, etc.
* Programs dedicated to client/customer privacy and awareness


Protection

Executed through risk management activities, including:
* Risk assessment and control
* Protection mechanisms
* Technologies
* Tools

(Discussed in the second section, on risk management.)

Each of these mechanisms represents some aspect of the management of specific controls in the overall InfoSec plan.


People and Projects

People are the most critical link in the InfoSec program; this encompasses security personnel.

Each process undertaken by the InfoSec group should be managed as a project (project management). Example: implementing a new firewall. This means identifying and controlling the resources applied to the project as well as measuring progress and adjusting the process as progress is made.


Assessment Item 1


What Do I Need to Work On

Forum post 1: read widely and/or use personal experience encountered in the workplace (three to four paragraphs).
* How has the IT landscape changed?
* What are the new risks/threats? (e.g. confidentiality, integrity, availability; think back on the CNSS model)
* How severe are the risks?
* What can we do to mitigate/reduce the risks?

Contributed to every forum discussion in a meaningful way. Posts demonstrate a deep understanding of the content, well supported by evidence. Posts are clear and well written, leading discussions.
