LECTURE NOTES: CONTROL TYPES AND RISK CALCULATION


Revision Date: 7/31/2014
Time: 1 hour

OBJECTIVES
The following objectives are covered in this Lecture Note. These objectives are from the CompTIA Objectives posted at the beginning of the course in the Course Start section. Some objectives will be covered in more detail in the Lecture or Reading Assignments.

2.1 Risk Related Concepts
- Control types
- Policies in reducing risk
- Risk calculation
- Vulnerabilities
- Threat vectors
- Quantitative vs. qualitative
- Risk-avoidance, transference, acceptance, mitigation, deterrence

2.7 Compare And Contrast Physical Security And Environmental Controls
- Environmental controls
- Control types
- Physical security: mantraps, proximity readers, access list, proper lighting, signs, guards, barricades, biometrics

RISK RELATED CONCEPTS
Risk is the possibility that something could happen to damage, destroy, or disclose data or other resources. Security controls are safeguards or countermeasures to avoid, counteract or minimize data loss. Security management procedures use risk assessment and risk analysis to identify threats, categorize assets, and rate system vulnerabilities so that they can implement effective controls. These control types are categorized by the nature of the control.

CONTROL GROUPS

PREVENTIVE
Preventive controls are intended to prevent an incident from occurring. Preventive controls include:
- Security Awareness Training
- Firewalls/Anti-viruses/Malware
- Security Guards
- Locks on Doors

Cyanna Education Services, 2014

DETECTIVE
Detective controls monitor activity to identify instances where practices or procedures were not followed. They let you know when a problem has occurred. These include:
- System Monitoring
- Documentation and Testing
- Motion Detectors

CORRECTIVE
Corrective controls are put in place to help investigate and correct a problem that has occurred. They can restore the system or process to the state prior to a harmful event, and are put in place to minimize the impact of the loss by restoring the system to the point before the event. These include:
- Upgrades to systems
- Backup and Data Recovery
- Error statistics
- Audit trails

DETERRENT
Deterrent controls are put in place to warn others not to do something.

COMPENSATING
Compensating controls are alternate controls designed to be used when the other controls cannot be used due to limitations of the environment. This control uses a combination of controls to increase the risk protection. These include:
- Backup Generator (if power goes out)
- Server Isolation
- Alarm system (will activate if preventive locked doors or barriers are breached)

CONTROL TYPES
There are three control types that can be applied to mitigate risk. By using all three (layering them) you are using the defense in depth strategy to protect and secure data. These control types are Technical, Administrative/Managerial and Operational.

TECHNICAL
Technical Controls are logical controls that use software and data to secure resources and include:
- User authentication (login) access
- Antivirus software
- Firewalls
- Access control lists
- Data encryption

ADMINISTRATIVE/MANAGERIAL
Administrative Controls are procedural controls that are written and implemented by people and include:
- Policies
- Procedures
- Standards
- Guidelines

OPERATIONAL
Operational Controls are controls that protect the workplace. These controls monitor facilities and protect the workplace and are divided into physical and environmental controls.

PHYSICAL CONTROLS
- Mantraps
- Video Surveillance
- Gates/Fencing/Barricades
- Proximity readers
- Access list - have permission to enter a building or area
- Signs - warn others to stay away
- Security Guards - provide access based upon facial recognition
- Biometrics - to authorize access to sensitive systems on a need-to-know basis
- Alarms
- Motion detection

ENVIRONMENTAL CONTROLS
- Heating, Ventilation, Air Conditioning (HVAC) - keep employees and equipment comfortable/safe
- Proper lighting - provide safety to employees
- Protected distribution (cabling)
- Fire extinguishers / Smoke alarms
- EMI shielding - reduces electrostatic and electromagnetic fields by creating a barrier made of conductive materials
- Hot and cold aisles - a layout design concept for computing equipment. The goal is to conserve energy and lower cooling costs by managing air flow.
- Environmental monitoring
- Temperature and humidity controls - proper room temperature and humidity will protect sensitive computer equipment

RISK REDUCING POLICIES
It is important to establish security policies that are created by management and given to employees and users. It goes without saying that policies of which the users have no knowledge have little effect on risk prevention. The following are policies that should be in place and shared:

PRIVACY POLICY
Personally Identifiable Information (PII) is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Many states have specific laws regarding PII, and commercial websites or companies that handle this information must have and provide a privacy policy to their customers. PII includes:
- SSN
- Phone Number
- Email Address
- Credit Card Information

ACCEPTABLE USE
An Acceptable Use Policy specifies to employees or users what they may do with their network access and provides users the least possible access rights while allowing them to fulfill legitimate actions. This includes:
- Email and instant messaging usage for personal purposes
- Limitations on access times
- How much storage space is available to each user

An Acceptable Use Policy should contain:
- Clear, specific language
- Detailed standards of behavior
- Detailed enforcement guidelines and standards
- Outline of acceptable and not acceptable uses
- Consent forms
- Privacy statement
- Disclaimer of liability

LEAST PRIVILEGE
This policy addresses the rights or privileges essential for each process, user or program to perform their work. It defines access that is necessary only to perform their legitimate task. This separation of work ensures that no one person has control or access to a company's vital assets. It is an important design consideration in enhancing the protection of data and functionality. Example: a System Administrator can configure and maintain computers in a domain, but only the System Assurance Officer can add new computers to the domain.

SEPARATION OF DUTIES
This policy is a preventative control that is put in place to ensure that power is balanced so that no individual can complete a critical task or have control over a system by himself or herself.

MANDATORY VACATIONS / JOB ROTATION
Job Rotation is the practice where employees switch roles in the company for a period of time. With this policy, access is rotated between individuals in order to reduce corruption, allow for cross-checks, and minimize personnel loss.

RISK CALCULATION

LIKELIHOOD
To calculate risk, use this formula:
Risk = Threat × Vulnerability

SINGLE LOSS EXPECTANCY (SLE)
SLE equals asset value multiplied by the threat exposure factor or probability. The formula looks like this:
SLE = Asset value × Probability
Example: if an attack or system failure affects 25% of sales, which are $100,000/day:
SLE = $100,000 × 0.25 = $25,000

ANNUALIZED RATE OF OCCURRENCE (ARO)
The ARO is the estimated possibility of a specific threat taking place in a one-year time frame.
Example: if a company estimates that an attack will occur with 50% likelihood, the ARO is 0.50.

ANNUAL LOSS EXPECTANCY (ALE)
ALE determines the probability of failures per year. This is done by calculating SLE and the value of the asset. ALE equals the SLE times the ARO.
ALE = SLE × ARO

From the example above, if we have an SLE of $25,000 and an ARO of 0.50, our ALE = $12,500. ALE is used to determine the number of failures per year.

MTTR
Mean Time to Repair (MTTR) is the time needed to repair a failed hardware module.

MTTF
Mean Time to Failure (MTTF) is a basic measure of reliability for non-repairable systems.

MTBF
Mean Time Between Failures (MTBF) is a term used to provide the amount of failures per million hours for a product.

QUANTITATIVE / QUALITATIVE MEASURES
Quantitative measures allow for the clearest measure of relative risk and expected return on investment or risk reduction on investment. Qualitative risk assessment can involve brainstorming, focus groups, surveys, and other similar processes to determine asset worth and valuation to the organization.

RISK RESPONSES
Risk management deals with the alignment of five potential responses with an identified risk:

ACCEPTANCE
Risk Acceptance is an important step in identifying residual risk because now something can be done to mitigate that risk. Once risk has been identified, it needs to be accepted so its impact can be determined. Risk acceptance must be documented, approved and regularly reviewed by management.

AVOIDANCE
Avoiding risk by eliminating the vulnerability is the most effective solution, but often not possible due to organizational requirements. For example, in order to avoid email viruses, you could eliminate company email, but this is not realistic in order to run a business.
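The SLE, ARO and ALE formulas above, carried through in code so the same figures can be run against candidate controls. This is an added example, not code from the lecture notes: the RiskScenario class and control_net_benefit() are this example's own names, and the two mitigation options (a control that cuts the ARO to 0.1 for $5,000/year and one that does the same for $12,000/year) are constructed assumptions used to show the "risk reduction on investment" comparison the notes mention.

```python
"""Quantitative risk calculation: SLE, ARO, ALE and control cost-benefit.

Added worked example for the lecture's formulas. RiskScenario and
control_net_benefit() are this example's own names; the mitigation figures
in worked_example() are constructed assumptions, not figures from the notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # value of the asset at risk (e.g. one day's sales, in dollars)
    exposure_factor: float  # fraction of the asset lost in one incident, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (expected incidents per year)

    def __post_init__(self) -> None:
        # Guard against the two most common spreadsheet mistakes: an exposure
        # factor entered as a percentage (25 instead of 0.25) and negative inputs.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Annual net value of a control: the ALE it removes minus what it costs per year.

    Positive means the control pays for itself; negative means it costs more
    than the loss it prevents. This is the comparison a quantitative assessment
    makes possible and a qualitative one cannot.
    """
    return before.ale() - after.ale() - annual_control_cost


def worked_example() -> dict:
    """Run the lecture's figures through the formulas and evaluate two candidate controls."""
    # Lecture figures: an incident affects 25% of $100,000/day sales and is
    # estimated to occur with 50% likelihood in a year (ARO 0.5).
    baseline = RiskScenario("outage affecting 25% of daily sales", 100_000, 0.25, 0.5)

    # Constructed assumption: a mitigation (for instance a redundant link) cuts
    # the ARO to 0.1. Control A costs $5,000/year, control B $12,000/year.
    mitigated = RiskScenario(baseline.name + " (mitigated)", 100_000, 0.25, 0.1)
    return {
        "sle": baseline.sle(),                                              # 25000.0
        "ale": baseline.ale(),                                              # 12500.0
        "residual_ale": mitigated.ale(),                                    # 2500.0
        "control_a_net": control_net_benefit(baseline, mitigated, 5_000),   # 5000.0
        "control_b_net": control_net_benefit(baseline, mitigated, 12_000),  # -2000.0
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>14}: ${value:,.2f}")
```

Control A removes $10,000 of annual expected loss for $5,000, so it is worth buying; control B removes the same loss for more than it saves, so accepting the residual risk (with documented management approval, as the Acceptance response requires) is the better-founded decision.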
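Returning to the Least Privilege and Separation of Duties policies above: both can be turned into authorization checks rather than left as written rules. The following is an added example, not code from the lecture notes. The role names follow the notes' System Administrator / System Assurance Officer scenario; the permission sets, the two-person approval rule for critical actions, and the User/Request classes are this example's own assumptions.

```python
"""Least privilege and separation of duties as enforceable authorization checks.

Added example, not code from the lecture notes. Role names follow the notes'
scenario; the permission sets, the two-person rule and the classes below are
this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Least privilege: each role is granted only the actions its job requires.
# Anything not listed here is denied by default.
ROLE_PERMISSIONS = {
    "system_administrator": {"configure_computer", "maintain_computer"},
    "system_assurance_officer": {"add_computer_to_domain"},
}

# Separation of duties: these actions need a second, different person to approve,
# so no single individual can complete the critical task alone.
CRITICAL_ACTIONS = {"add_computer_to_domain"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

    def permitted(self, action: str) -> bool:
        return any(action in ROLE_PERMISSIONS.get(role, set()) for role in self.roles)


@dataclass(frozen=True)
class Request:
    action: str
    requester: User
    approver: Optional[User] = None


def authorize(request: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Denies by default; every grant states why it passed."""
    if not request.requester.permitted(request.action):
        return False, f"{request.requester.name} has no role permitting {request.action}"
    if request.action not in CRITICAL_ACTIONS:
        return True, "permitted by role"
    approver = request.approver
    if approver is None:
        return False, f"{request.action} requires approval by a second person"
    if approver.name == request.requester.name:
        return False, "separation of duties: approver must differ from requester"
    if not approver.permitted(request.action):
        return False, f"approver {approver.name} is not authorized for {request.action}"
    return True, f"permitted by role and approved by {approver.name}"


def demo() -> dict:
    """Constructed users and requests covering the allow and deny paths."""
    admin = User("alice", frozenset({"system_administrator"}))
    sao1 = User("bob", frozenset({"system_assurance_officer"}))
    sao2 = User("carol", frozenset({"system_assurance_officer"}))
    cases = {
        "admin_configures": Request("configure_computer", admin),
        "admin_adds_computer": Request("add_computer_to_domain", admin),
        "sao_no_approver": Request("add_computer_to_domain", sao1),
        "sao_self_approved": Request("add_computer_to_domain", sao1, approver=sao1),
        "sao_admin_approver": Request("add_computer_to_domain", sao1, approver=admin),
        "sao_two_person": Request("add_computer_to_domain", sao1, approver=sao2),
    }
    return {name: authorize(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:>20}: {'ALLOW' if allowed else 'DENY '} - {reason}")
```

The check returns a reason with every decision so the result can be written to an audit trail, which is the detective control that complements these two preventive ones.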

MITIGATION/DETERRENCE
Risk mitigation involves the reduction in likelihood or impact of a risk's exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.

TRANSFERENCE
Transference of risk is done to limit exposure. This can be as simple as purchasing insurance on equipment or hiring an outside company to host content.

RISKS ASSOCIATED WITH CLOUD COMPUTING AND VIRTUALIZATION
There are a number of risks associated with cloud computing. These include:

CLOUD RISK NO. 1: SHARED ACCESS
One of the key tenets of public cloud computing is multitenancy, meaning that multiple, usually unrelated customers share the same computing resources: CPU, storage, memory, namespace, and physical building.

CLOUD RISK NO. 2: VIRTUAL EXPLOITS
Every large cloud provider is a huge user of virtualization. However, it holds every risk posed by physical machines, plus its own unique threats, including exploits that target the virtual server hosts and the guests. You have four main types of virtual exploit risks:
- Server host only
- Guest to guest
- Host to guest
- Guest to host

CLOUD RISK NO. 3: AUTHENTICATION, AUTHORIZATION, AND ACCESS CONTROL
A cloud vendor's choice of authentication, authorization, and access control mechanisms is crucial. Things to look for in a secure cloud vendor are:
- Data protection - Is data encryption used and enforced? Are private keys shared among tenants? Does the vendor share a common namespace with other tenants? Where is data physically stored? How is it handled when no longer needed?

CLOUD RISK NO. 4: AVAILABILITY
As a customer of a public cloud provider, redundancy and fault tolerance are not under your control.

CLOUD RISK NO. 5: OWNERSHIP
Often the customer is not the only owner of the data. Cloud vendors like owning the data because it gives them more legal protection if something goes wrong; plus, they can search and mine customer data to create additional revenue opportunities for themselves.

CONTINUITY PLAN
A continuity plan is a plan for how operations should continue if adverse conditions occur. The plan includes recovering operations or moving operations to another location if a disaster occurs at a worksite or datacenter. An overall continuity plan includes the RTO and RPO.

RECOVERY TIME OBJECTIVE
Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.

RECOVERY POINT OBJECTIVE
Recovery Point Objective (RPO) is the acceptable amount of data loss, measured in time, due to an incident.