Advanced IT Risk, Security management and Cybercrime Prevention

Transcription

1 Advanced IT Risk, Security management and Cybercrime Prevention Course Goal and Objectives Information technology has created a new category of criminality, as cybercrime offers hackers and other tech-savvy miscreants opportunities for online fraud, identity theft and other cyber-attacks. Denial of service (DDOS), botnets and malware are just a few of the techniques being used to target critical corporate data and business IT users. You will be introduced to a full range of cyber-security risks facing corporate business and other large organisations. Using practical examples you will see how cyber-crime is committed and the impact it can have. Importantly you will gain a practical understanding of the role you can play in identifying key vulnerability and gaps in business processes, and specifying the most appropriate control frameworks to reduce exposure. Course Outline: The course is divided thematically into five parts, covering: Risk Analysis the Basis for Appropriate and Economical Asset Characterization and Identification Estimating Probability Developing Effective Security Policies Countermeasure Selection and Budgeting Tools Date: Outline /Topics to be covered Day 1 & 2 Risk Analysis the Basis for Appropriate and Economical. Countermeasures Critical Thinking Qualitative versus Quantitative Analysis Theory, Practice, and Tools Organization Risk Analysis Approved Risk Analysis Methods Risk Analysis for Facilities and Structures Many Interested Stakeholders and Agendas Commercially Available Software Tools Risk Analysis Basics Risk Assessment Steps Which Methodology to Use? Risk Analysis Skills and Tools Skill #1: Gathering Data Skill #2: Research and Evidence Gathering Skill #3: Critical Thinking in the Risk Analysis Process

2 Skill #4: Quantitative Analysis Skill #5: Qualitative Analysis Skill #6: Countermeasure Selection Skill #7: Report Writing Commercially Available Software Tools Lesser Software Tools Affordable Tool Examples Critical Thinking and the Risk Analysis Process Overview of Critical Thinking The Importance of Critical Thinking Analysis Requires Critical Thinking The Eight Elements That Make Up the Thinking Process The Concepts, Goals, Principles, and Elements of Critical Thinking Theory Practice Asset Characterization and Identification Tools Asset List Asset Categorization Interviews Facility and Asset Lists Research Surveys Criticality and Consequence Analysis Twofold Approach Criticality Consequence Analysis Building Your Own Criticality / Consequences Matrix Criticality / Consequence Matrix Instructions Threat Analysis Theory Threats versus Hazards All Hazards Risk Analysis Design Basis Threat Practice Day 3 & 4 Estimating Probability Tools Adversary / Means Matrix Assessing Vulnerability Review of Vulnerability Assessment Model Define Scenarios and Evaluate Specific Consequences Asset / Attack Matrix Threat / Target Nexus Matrix Weapons / Target Nexus Matrix Adversary Sequence Diagram Path Analysis Surveillance Opportunities Matrix Evaluate Vulnerability Survey Points Quantitative Analysis Matrices Determine Accessibility Identify Intrinsic Vulnerabilities Natural Countermeasures Evaluate Effectiveness of Existing Security Measures

3 The Vulnerability Calculation Spread sheet Qualitative Analysis Section Vulnerability Detail Spread sheet Vulnerability Detail Matrix Introduction Basic Risk Formula Likelihood Terrorism Probability Estimates and Surrogates Resources for Likelihood Viewing the Range of Possible Threat Actors Criminal versus Terrorism Likelihood Resources General Comparison for Resources Terrorism Asset Target Value Estimates Criminal Incident Likelihood Estimates Criminal Statistics Economic Crime Asset Target Value Estimate Non-terrorism Violent Crime Asset Target Value Estimate Petty Crimes Asset Target Value Estimate The Risk Analysis Process Objective The Complete Risk Analysis Process The Risk Analysis Process Diagram Analysis Asset Target Value Matrices Probability Summary Matrix Vulnerability Components Prioritizing Risk Prioritization Criteria Natural Prioritization (Prioritizing by Formula) Prioritization of Risk Communicating Priorities Effectively Best Practices Ranking Risk Results Security Policy Introduction The Hierarchy of Security Program Development What Are Policies, Standards, Guidelines, and Procedures? Security Policy Introduction The Hierarchy of Security Program Development What Are Policies, Standards, Guidelines, and Procedures? Day 5 & 6 Developing Effective Security Policies Other Key Documents The Key Role in Policies in the Overall Security Program Benefits to Having Proper Policies Security Policy and Countermeasure Goals Theory The Role of Policies in the Security Program

4 The Role of Countermeasures in the Security Program Why Should Policies Precede Countermeasures? Security Policy Goals Security Countermeasure Goals Policy Support for Countermeasures Key Policies Process for Developing and Introducing Security Policies Triggers for Policy Changes Policy Request Review Policy Impact Statement Subject Matter Expert and Management Review Process Policy Requirements Basic Security Policies Security Policy Implementation Guidelines Regulatory-Driven Policies Non-regulatory-Driven Policies Countermeasure Selection and Budgeting Tools Countermeasure Goals and Strategies Countermeasure Objectives, Goals, and Strategies Access Control Deterrence Detection Assessment Response (Including Delay) Evidence Gathering Comply with the Business Culture of the Organization Minimize Impediments to Normal Business Operations Safe and Secure Environments Design Programs to Mitigate Possible Harm from Hazards and Threat Actors Types of Countermeasures Baseline Security Program Specific Countermeasures Countermeasure Selection Basics o Hi-Tech Elements o Lo-Tech Elements o No-Tech Elements The Challenge Countermeasure Effectiveness Functions of Countermeasures o Examples o Attack Objective Parameters o Criminal Violent Offender Types o Economic Criminal Types o Economic Criminal Objectives o Criminal Offender Countermeasures Countermeasure Effectiveness Metrics o Functional Effectiveness Helping Decision Makers Reach a Consensus on Countermeasure Alternatives Day 7 & 8 Security Effectiveness Metrics Theory Sandia Model A Useful Commercial Model What Kind of Information Do We Need to Evaluate to Determine Security

5 Program Effectiveness? What Kind of Metrics Can Help Us Analyse Security Program Effectiveness? Adversary Sequence Diagrams Vulnerability / Countermeasure Matrix Security Event Logs Patrol Logs (Vulnerabilities Spotting / Violations Spotting) Annual Risk Analysis Cost-Effectiveness Metrics What Are the Limitations of Cost-Effectiveness Metrics? What Metrics Can Be Used to Determine Cost-Effectiveness? Communicating Priorities Effectively Basis of Argument Complete Cost-Effectiveness Matrix Complete Cost-Effectiveness Matrix Elements o Security Program Recommendations Summary Board o Vertical and Horizontal Elements o Vertical Elements o Horizontal Elements o Risk Descriptions o Countermeasure Options and Cost Elements o Countermeasure Mitigation Values o Risk Rankings and Budgets o Phase Recommendations and Phasing Budgets o Budget Breakdowns by Phases and Risks Day 9 & 10 Writing Effective Reports Introduction o Presentation o Graphics o Preparation for a Successful Presentation The Comprehensive Risk Analysis Report o Executive Summary o Introduction o Assessment Process o Facility Characterization o Threat Assessment o Vulnerability Assessment Asset / Attack Matrix Threat / Target Nexus Matrix Weapon / Target Nexus Matrix Surveillance Opportunities Risk Calculation Countermeasures Baseline Security Program Identifying Key Assets for Special Consideration Develop Countermeasure Budgets Countermeasure Implementation Recommendations Report Supplements Risk Register Footnotes Tables Index and Glossary Attachments Countermeasure Budget Presentation A Microsoft PowerPoint Presentation

6 Hand-outs for the Presentation