Risk Management PDF - CAVITE STATE UNIVERSITY 2022

Cavite State University

2022

NIÑO M. RODIL



Republic of the Philippines
CAVITE STATE UNIVERSITY
Bacoor City Campus
SHIV, Molino VI, City of Bacoor

RISK MANAGEMENT
NIÑO M. RODIL
2022

Contents

COURSE DESCRIPTION
MISSION
VISION
NIÑO M. RODIL
COURSE REQUIREMENTS
INTENDED LEARNING OUTCOMES
PRE-TEST
RISK MITIGATION PROCESS
OVERVIEW OF THE SYSTEM DEVELOPMENT LIFE CYCLE
INFORMATION ASSURANCE IN THE SYSTEM DEVELOPMENT LIFE CYCLE
PHYSICAL AND ENVIRONMENTAL SECURITY CONTROLS
RISK MANAGEMENT
RISK IDENTIFICATION
RISK ASSESSMENT
RISK CONTROL
POST-TEST
ANSWER KEY

COURSE DESCRIPTION

ITEC85 – INFORMATION ASSURANCE AND SECURITY

This course provides an understanding of information security, integrity and privacy techniques. Topics include the nature and challenges of computer security, the relationship between policy and security, the role and application of cryptography, the mechanisms used to implement policies, and the methodologies and technologies for assurance, vulnerability analysis and intrusion detection.

The students are expected to recognize the growing importance of the information security specialist to the IT infrastructure, particularly in designing and innovating the methods, tools and techniques in information assurance and security.

MISSION

Cavite State University shall provide excellent, equitable and relevant educational opportunities in the arts, science and technology through quality instruction and relevant research and development activities. It shall produce professional, skilled and morally upright individuals for global competitiveness.

VISION

The premier university in historic Cavite recognized for excellence in the development of globally competitive and morally upright individuals.

PROGRAM OUTCOMES ADDRESSED BY THE COURSE. AFTER COMPLETING THIS COURSE, THE STUDENTS MUST BE ABLE TO:

1. Attain the vision, mission, goals and objectives of the university, campus and department; (E)
2. Deliver a gender fair and gender sensitive instruction to students aligned with University goals and objectives. (D)
3. Understand the basic concepts in information security, including the security technology and principles, software security and trusted systems and IT security management. (I)
4. Analyze the various cryptographic tools and the requirements and mechanisms for identification and authentication. (E)
5. Understand the characteristics of typical security architectures and the multi-level security systems. (E)
6. Understand the different database security issues and solutions, models, architectures and their mechanisms. (E)

NIÑO M. RODIL
Instructor I
[email protected]

COURSE REQUIREMENTS

1. Homework/Activity
2. Long Examination
3. Midterm and Final Examination

INTENDED LEARNING OUTCOMES

After the completion of the unit, students will be able to:

1. Understand the strategy in managing risk and preventing threats from exploiting existing vulnerabilities.
2. Understand the preventive controls that an organization should consider.
3. Understand the importance of awareness, training and education to prevent security incidents.

PRE-TEST:

Direction: Identify the terms described by the following:

1. The overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.
2. Relies on stakeholders to establish requirements for the developers.
3. Solutions provide “turn-key” access to information systems, but the organization and senior management must be aware of the limitations and restrictions these providers may entail.
4. The process of ensuring changes to the organization are communicated to all relevant stakeholders and impacts are understood prior to changes being implemented.
5. Focuses on the information systems and services used by an organization.
6. Restriction of employee access depends on the need for access, job function, and responsibilities.
7. Visitors include vendors, consultants, maintenance personnel, contractors, and other nonemployees.
8. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
9. The process of examining and documenting the security posture of an organization’s information technology and the risks it faces.
10. Determination of the extent to which the organization’s information assets are exposed or at risk.
11. Application of controls to reduce the risks to an organization’s data and information systems.
12. Applying safeguards that eliminate or reduce the business risks that can harm the organization’s assets.
13. Shifting the risk to other areas of the business or to outside entities, such as an insurance company.
14. Risk mitigation means having policies and procedures in place to lessen the adverse effects when something happens.
15. Understanding the potential consequences of a risk, and accepting the chance of those consequences without control or mitigation.
16. Involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
17. Controls are the policies and procedures defined by an organization’s security policy and other regulations or requirements.
18. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
19. Serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment.
20. Aims to teach or improve an individual’s skill, knowledge, or attitude, which allows a person to carry out a specific function, while awareness aims to focus an individual’s attention on an issue or a set of issues.
21. The employee is taught to use specific skills as part of specific job performance.

RISK MITIGATION PROCESS

OVERVIEW OF THE SYSTEM DEVELOPMENT LIFE CYCLE

The system development life cycle is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.

Initiation
In this phase, the need for a system is established, and the required capabilities of the system are stated.

Acquisition/development
In this phase, a system based on the user’s input, time, and financial constraints is purchased, outsourced, or developed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle.

Implementation
This phase involves vigorous initial testing. Once satisfactory results are obtained, the system is installed or integrated.

Operation/maintenance
During this phase, the system is made to perform the intended task and is maintained. The system is also modified by adding new hardware and software when needed.

Disposal
This stage occurs when the system fails to cater to new expectations or requirements.
Here, the system is disposed of and usually replaced by a new system.

Information Assurance in the System Development Life Cycle

Integrate information assurance activities into the system development life cycle to ensure proper identification, design, integration, and maintenance of applicable information assurance controls throughout an information system’s life cycle.

A. Initiation Phase

Need establishment
- Identify the purpose of and need for having a system.
- Conduct interviews to estimate the user requirements and needs.
- Document the needs, gaps and findings.
- Ensure that the information assurance team is involved.

Security Organization
- Determine the categories or classification of the information that will be processed or handled by the system.
- Establish the security requirements based on the sensitivity and categorization (classification) of the information.

Initial Risk Assessment
- Identify threats and vulnerabilities in the environment in which the system or product will operate.
- If required, select the appropriate minimum information assurance control baseline.
- Define and tailor the basic minimal security requirements of the system.

B. Development/Acquisition Phase

Requirement analysis/development
- Conduct a more in-depth study of the security requirements and incorporate them with the user requirements.
- Develop the security specifications needed for the system.
- Analyze the security functional requirements.
- Analyze the assurance requirements.

Risk assessment
- Conduct a formal risk assessment in greater depth than the initial risk assessment.
- Identify additional system protection requirements.
- Document a priority list of which risks to address first.

Budgeting
- Determine the budget. Include all the costs of hardware, software, personnel, and training.
- Ensure that information assurance costs are included.

Security planning
- Document the final security controls, either planned or in place, in a system security plan.
- Refine the system security plan. Make sure it is comprehensive enough.
- Develop other supporting documents (for example, contingency plan, incident response plan, risk assessment, and awareness and training plan).
- Develop a user/operational manual for the system.

Security control development
- Put the plans into practice by implementing security controls as described in the respective security plans.

Security test and evaluation
- Test the security controls developed for a new information system or product for proper and effective operation.
- Ensure the independence of the assessor (tester) is understood by all parties.
- Develop technical test cases.

C. Implementation Phase

Security test and evaluation
- Develop test data (a copy of some parts of real data can be used).
- Try to simulate the environment and test the unit, the subsystem, and the entire system.
- Evaluate whether the system conforms to technical aspects and to regulations, policies, guidelines, and standards.

Inspection and acceptance
- Check that the functionality is exactly as specified for the system and can be used to its optimum level.

System integration/installation
- Ensure that, after system testing and employee training, the system may be integrated at the operational site.
- Make sure the relevant prescribed security control settings are implemented.

Security accreditation
- This process should aim to determine to what level the information processed, stored, or transmitted through the system is free from vulnerabilities and risks.
- Authorization can be granted by a senior official through verification of the effectiveness of the security controls to some desired level. The senior official is also responsible for accepting residual risk on behalf of the organization.

D. Operation/Maintenance Phase

Configuration management and control
- Refine the configuration management plan and baselines.
- Ensure that the potential security impacts of specific changes to an information system or its surrounding environment are taken into consideration.
- Schedule proper audits.

Continuous monitoring and continuous accreditation (authorization)
- Monitor to ensure that security controls continue to be effective and function as expected.
- Perform independent security audits or other assessments periodically. Make sure the audits are comprehensive.
- Monitor the system and/or users. This can be done by reviewing logs and reports using automated tools.
- Ensure residual risk is reported to the senior management team on a regular basis. Risk information should be updated commensurate with the criticality of the system. The most critical systems should have near-real-time reporting available if possible.

E. Disposal Phase

Information preservation
- Make sure vital information is retained to conform to current legal requirements (if any) or to accommodate future technological changes.
- Determine the archiving method.
- Make sure there is written approval from senior management to destroy information.

Media sanitization
- Delete, erase, and overwrite data as necessary. It is a good idea to have observers oversee the process.

Hardware and software disposal
- Dispose of hardware and software as directed by the existing policy.

INFORMATION ASSURANCE IN THE SYSTEM DEVELOPMENT LIFE CYCLE

Integrating information assurance into business processes and development or acquisition life cycles can be a challenging, yet necessary, business function. System developers and system owners are most interested in ensuring their system is up and operational at the lowest cost and the greatest performance.

System Development

System development relies on stakeholders to establish requirements for the developers. Information assurance teams must be represented at the table, and they must deliver accurate and concise information assurance requirements for the development process.
Information assurance teams should perform the following to ensure they are part of any system development process:
- Gain management buy-in for mandatory involvement of the information assurance team during the requirements gathering phase of system development.
- Develop and use standard information assurance enterprise architectures that explain commonly available security services and controls throughout the organization.
- Be able to provide solutions. Stating that an application cannot be developed because of security concerns is largely seen as obstructionist; development teams may then try to circumvent information assurance processes.

System Acquisition

Acquired solutions provide “turn-key” access to information systems, but the organization and senior management must be aware of the limitations and restrictions these providers may entail. To ensure information assurance risk is uncovered and treated as part of a system acquisition, the information assurance team should do the following:
- Ensure the team is involved in the budget authorization process for all information technology and service acquisitions.
- Develop standard contract and procurement language with the aid of legal counsel.
- Review contract proposals and provide input on the information assurance advantages and deficiencies of providers.
- Participate in negotiations with vendors to ensure information assurance requirements are initially met and are continuously monitored for compliance.
- If needed, assess, audit, or independently verify and validate the provider to ensure it has met the requirements of the contract and the organization.

Change Management

Organizational change management often separates chaotic, low-performing organizations from nimble, high-performing organizations. Change management is the process of ensuring that changes to the organization are communicated to all relevant stakeholders and that their impacts are understood before the changes are implemented. Information assurance teams should do the following:
- Ensure a change management process exists and ensure they are part of the voting process. Information assurance team members often have a “veto” vote for projects that are not fully information assurance compliant.
- Collaborate with business lines and stakeholders to understand which changes are on the horizon and what direction the organization is headed.
- Clearly communicate the risk of a change through a formal assurance impact assessment process. This assessment process should review the change in light of the organization’s risk posture and risk tolerance.

Configuration Management

Configuration management is a more specific subset of change management. It focuses specifically on the information systems and services used by an organization. To ensure configuration management does not introduce information assurance risk, the information assurance team should do the following:
- Ensure they are involved in any configuration development or modification processes.
- Assess and test new configuration baselines and proposed changes to configuration baselines.
- Monitor patches and vendors to ensure new security and information assurance-related patches are acquired, tested, added to the baseline, and propagated as quickly as possible.
- Scan and monitor the organization’s networks and information systems to determine whether all systems are in compliance with the approved configurations.

PHYSICAL AND ENVIRONMENTAL SECURITY CONTROLS

Physical and environmental security protects an organization’s physical infrastructure, its equipment, and its facilities, as well as its employees, from physical events, threats, or incidents.
The main threats to physical and environmental security are:
- Energy, for example, electricity
- Equipment, for example, mechanical or electronic component failure
- Fire and chemical, for example, explosion, smoke, or industrial pollution
- Human, for example, riot, war, terrorist attack, or bombing
- Natural disaster, for example, earthquake, volcano, landslide, or tornado
- Pandemic disease, for example, bacteria or virus
- Radiation, for example, electromagnetic pulse
- Weather, for example, sandstorm, humidity, flood, or lightning

Physical and environmental security is best managed using a layered defense approach. The concept of a layered defense approach (also known as a defense-in-depth approach) is that if an intruder successfully manages to penetrate one control layer, there will be other control layers in the way before the intruder can access the organization’s assets.

Physical Security of Premises

The first line of defense in safeguarding employees, information resources, and property is the security perimeter. The following provides further explanation about access controls for employees and visitors:

Employee access
Restriction of employee access depends on the need for access, job function, and responsibilities.

Visitor access
Visitors include vendors, consultants, maintenance personnel, contractors, and other nonemployees. Permit visitor access only to those areas where they have specific and official purposes.

Securing Offices, Rooms, and Facilities
Secure areas are frequently called enclaves. Organizations must select the location of the enclaves within the security perimeter carefully. Locked offices or rooms located inside the perimeter may be considered enclaves.

Working in Secure Areas
The physical security should accommodate third parties working in the area. A secure work area may include closed circuit television (CCTV) and card-controlled doors.

Public Access, Delivery and Loading Areas
Frequently, there is continuous movement of incoming and outgoing items at several portals on the premises.

Duress
In high-risk environments, organizations should establish a duress alarm or code that gives a covert alert about an increased-risk situation. A person can use it secretly to indicate that a serious information or physical security event has occurred or is in progress.

Physical Security of Equipment

Organizations should physically protect information-processing equipment to minimize the risk of unauthorized access to information, as well as to safeguard against loss or damage. Organizational assets face destruction from exposure to fire, smoke, water, and other hazards, so information and information processing resources should be protected with a diverse set of countermeasures:

Fire
Information processing equipment may be damaged in fires. Installing fire sensors, heat sensors, smoke sensors, fire extinguishers, or sprinkler systems can reduce risks from fire hazards.

Sprinklers
Water-based sprinklers should be dry pipe systems that do not hold water in the pipes under normal conditions. In the equipment rooms, avoid water.

Smoke
Smoke is hazardous to both personnel and equipment. Smoke may originate from malfunctioning computer systems or electrical fires, such as those caused by power transformers.

Water
Water can damage power supply facilities and information-processing equipment. It may render these devices unserviceable through short-circuits or mechanical damage.

Organizations require supporting utilities such as electric power, heating and air conditioning, and telecommunications equipment, which if disrupted lead to a loss of availability.

Electric power
Information processing systems fail without a continuous supply of stable power. Thus, they require redundancy in electric power system availability. If electrical power to the building in which information systems are hosted gets cut off, a backup device needs to be ready to take over and keep those systems powered.

Heating, ventilation, and air conditioning (HVAC)
Computer systems that manage critical information should have air-conditioning units that provide continuous monitoring and recording of temperature and humidity. Humidity must be managed to minimize static electricity from low humidity and equipment damage from condensation from high humidity.

Equipment Maintenance
Organizations should perform maintenance of information-processing equipment based on the manufacturer’s recommended service intervals and specifications.

Secure Disposal and Reuse of Equipment
Careless disposal, disposition, or recycling of equipment can put information at risk. Storage devices have long-term memory, so simple file deletion is insufficient; physically destroying them is one option. Recovering overwritten data on hard drives, removable disks, and tapes is not impossible. There are software tools that can be downloaded freely from the Internet that may recover the data easily. Proper protection and disposal of sensitive or confidential information is important. This is the dissolution of the system.

Handling of Media
Protect all media used to store information. Apply a method appropriate to the sensitivity and value of the information to safeguard it from the time of creation to the time of disposal and dissolution of the system. Organizations should ensure that the correct physical and information assurance controls are implemented to manage the use of removable media devices securely. This will aid in minimizing damage from malicious code and loss of proprietary information or intellectual property and consequently avoid lawsuits and loss of reputation.

To guard against exposing and damaging an organization’s image and reputation, the organization should practice proper methods for disposing of media.
Management should establish procedures for disposing of and destroying media containing sensitive information. These procedures should be risk-based relative to the sensitivity of the information and the types of media used to store it. Disposal procedures should acknowledge that records kept on media such as tapes and disk drives could cause disposal problems because residual data can remain on the media even after erasure.

RISK MANAGEMENT

Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. It is an assessment of probability, possibility, or chance. The more likely it is that a threat event will occur, the greater the risk. Every instance of exposure is a risk. When written as a formula, risk can be defined as follows:

Risk = Threat * Vulnerability

Thus, reducing either the threat agent or the vulnerability directly results in a reduction in risk. Managing risk is therefore an element of sustaining a secure environment. Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. The overall process of risk management is used to develop and implement information security strategies. The goal of these strategies is to reduce risk and to support the mission of the organization.

The three components of risk management and their activities:

Risk identification
- Identify and inventory assets
- Classify and prioritize assets
- Identify and prioritize threats

Risk assessment
- Identify vulnerabilities between assets and threats
- Identify and quantify asset exposure

Risk control
- Select strategy
- Justify controls
- Implement and monitor controls

RISK IDENTIFICATION

The process of examining and documenting the security posture of an organization’s information technology and the risks it faces.
Identify Threats and Vulnerabilities

An essential part of

When compiling a list of threats, be sure to consider the following:
- Viruses
- Cascade errors (a series of escalating errors) and dependency faults (caused by relying on events or items that don’t exist)
- Criminal activities by authorized users
- Movement (vibrations, jarring, etc.)
- Intentional attacks
- Reorganization
- Authorized user illness or epidemics
- Malicious hackers
- Disgruntled employees
- User errors
- Natural disasters (earthquakes, floods, fire, volcanoes, hurricanes, tornadoes, tsunamis, and so on)
- Physical damage (crushing, projectiles, cable severing, and so on)
- Misuse of data, resources, or services
- Changes or compromises to data classification or security policies
- Government, political, or military intrusions or restrictions
- Processing errors, buffer overflows
- Personnel privilege abuse
- Temperature extremes
- Energy anomalies (static, EM pulses, radio frequencies [RFs], power loss, power surges, and so on)
- Loss of data
- Information warfare
- Bankruptcy or alteration/interruption of business activity
- Coding/programming errors
- Intruders (physical and logical)
- Environmental factors (presence of gases, liquids, organisms, and so on)
- Equipment failure
- Physical theft
- Social engineering

RISK ASSESSMENT

Determination of the extent to which the organization’s information assets are exposed or at risk.

Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team.

Quantitative Risk Analysis

The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. The six major steps or phases in quantitative risk analysis are as follows:

1. Inventory assets, and assign a value (asset value, or AV).
2. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is, the annualized rate of occurrence (ARO).
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.

Qualitative Risk Analysis

Qualitative risk analysis is more scenario based than calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis.

You can use many techniques to perform qualitative risk analysis:
- Brainstorming
- Delphi technique
- Storyboarding
- Focus groups
- Surveys
- Questionnaires
- Checklists
- One-on-one meetings
- Interviews

The results of risk analysis are many:
- Complete and detailed valuation of all assets
- An exhaustive list of all threats and risks, rate of occurrence, and extent of loss if realized
- A list of threat-specific safeguards and countermeasures that identifies their effectiveness and ALE
- A cost/benefit analysis of each safeguard

Once the risk analysis is complete, management must address each specific risk.
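The six quantitative steps above, carried through in code as an added example that is not part of the course material: it uses the standard formulas SLE = AV * EF and ALE = SLE * ARO (which the text names but does not write out) on a constructed student-records server, with constructed asset value, exposure factors, AROs and control costs, and applies the cost-must-be-less-than-benefit rule when choosing a countermeasure.

```python
"""Quantitative risk analysis: the six steps from the course material, in code.

Added example, not from the course material. Uses the standard formulas
SLE = AV * EF and ALE = SLE * ARO, which the text names but does not write out.
All asset values, exposure factors, AROs and control costs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float    # exposure factor: fraction of asset value lost per occurrence (0.0 to 1.0)
    aro: float   # annualized rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_ef: float    # exposure factor once the control is in place
    new_aro: float   # ARO once the control is in place


def sle(asset_value: float, ef: float) -> float:
    """Step 2: single loss expectancy, the loss from one occurrence of the threat."""
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Steps 3-4: annualized loss expectancy, the expected loss per year."""
    return sle(asset_value, ef) * aro


def net_benefit(asset_value: float, threat: Threat, cm: Countermeasure) -> float:
    """Steps 5-6: (ALE before) - (ALE after) - (annual cost of the control).

    Positive means the control removes more annual loss than it costs; negative
    means it fails the rule that the cost of a countermeasure must be less than
    its benefit, so it should not be selected.
    """
    before = ale(asset_value, threat.ef, threat.aro)
    after = ale(asset_value, cm.new_ef, cm.new_aro)
    return before - after - cm.annual_cost


def select_countermeasure(asset_value, threat, candidates):
    """Return the candidate with the largest positive net benefit, or None when
    no candidate is worth its cost (the risk may then be accepted, transferred
    or avoided instead of mitigated)."""
    best, best_value = None, 0.0
    for cm in candidates:
        value = net_benefit(asset_value, threat, cm)
        if value > best_value:
            best, best_value = cm, value
    return best


def analyze(asset_value, threats, candidates_by_threat):
    """Run steps 2-6 for one asset; returns one summary row per threat."""
    rows = []
    for threat in threats:
        chosen = select_countermeasure(asset_value, threat, candidates_by_threat.get(threat.name, []))
        rows.append({
            "threat": threat.name,
            "sle": round(sle(asset_value, threat.ef), 2),
            "ale": round(ale(asset_value, threat.ef, threat.aro), 2),
            "control": chosen.name if chosen else None,
            "net_benefit": round(net_benefit(asset_value, threat, chosen), 2) if chosen else 0.0,
        })
    return rows


# Constructed sample: a student records server (step 1: AV = 500,000 in local currency).
RECORDS_SERVER_AV = 500_000.0
RECORDS_SERVER_THREATS = [
    Threat("ransomware", ef=0.6, aro=0.5),   # expected every two years, 60% of value lost
    Threat("fire", ef=0.8, aro=0.02),        # once in fifty years, 80% of value lost
]
CANDIDATES = {
    "ransomware": [
        Countermeasure("offline backups + endpoint detection", 40_000, new_ef=0.1, new_aro=0.5),
        Countermeasure("staff awareness training", 5_000, new_ef=0.6, new_aro=0.3),
        Countermeasure("premium appliance", 200_000, new_ef=0.05, new_aro=0.1),  # costs more than it saves
    ],
    "fire": [
        Countermeasure("dry-pipe sprinklers + sensors", 3_000, new_ef=0.2, new_aro=0.02),
    ],
}


def sample_report():
    """The worked analysis for the constructed server; used by the demo below."""
    return analyze(RECORDS_SERVER_AV, RECORDS_SERVER_THREATS, CANDIDATES)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

For the ransomware row the report shows SLE 300,000 and ALE 150,000, and the backup-plus-detection control wins with a net benefit of 85,000, while the premium appliance is rejected because its cost exceeds the loss it prevents.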
There are four possible responses to risk: Reduce or mitigate Assign or transfer Accept Reject or ignore 13 RISK CONTROL Application of controls to reduce the risks to an organization’s data and information systems. A business strategy that allows organizations to evaluate potential losses and take action to reduce or eliminate those risks. What does risk control include? Risk avoidance Applying safeguards that eliminate or reduce the business risks that can harm the organization’s assets. While risk management seeks to control the damages and financial consequences of threats, risk avoidance aims to avoid the threats entirely. Risk transference Shifting the risk to other areas of the business or to outside entities, such as an insurance company. The goal here is to let another entity accept the risk. For example, a company could outsource business processes as data storage or IT management, transferring the risk to providers of those services (under the logic that they are experts in those fields, better able to handle the risk). Risk mitigation Reducing the impact if a bad actor exploits a vulnerability. Risk mitigation means having policies and procedures in place to lessen the adverse effects when something happens. These risk mitigation strategies include incident response plans, disaster recovery plans, and business continuity plans. Risk acceptance Understanding the potential consequences of a risk, and accepting the chance of those consequences without control or mitigation. An organization might do this when it believes the chance of the risk happening is minimal, or the potential harm from the risk wouldn’t be significant. Countermeasure Selection and Assessment Selecting a countermeasure within the realm of risk management relies heavily on the cost/benefit analysis results. 
However, you should consider several other factors when assessing the value or pertinence of a security control:
The cost of the countermeasure should be less than the value of the asset.
The cost of the countermeasure should be less than the benefit of the countermeasure.
The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because they are available, are advertised, or sound cool.)
The benefit of the countermeasure should not be dependent on its secrecy. This means that “security through obscurity” is not a viable countermeasure and that any viable countermeasure can withstand public disclosure and scrutiny.
The benefit of the countermeasure should be testable and verifiable.
The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
The countermeasure should have few or no dependencies to reduce cascade failures.
The countermeasure should require minimal human intervention after initial deployment and configuration.
The countermeasure should be tamperproof.
The countermeasure should have overrides accessible to privileged operators only.
The countermeasure should provide fail-safe and/or fail-secure options.

CATEGORIES OF SECURITY CONTROLS
Security controls, countermeasures, and safeguards can be implemented administratively, logically/technically, or physically. These three categories of security mechanisms should be implemented in a defense-in-depth manner in order to provide maximum benefit.

Figure: The categories of security controls in a defense-in-depth implementation

1. Technical
Technical or logical access involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
Examples of logical or technical access controls include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.

2. Administrative
Administrative access controls are the policies and procedures defined by an organization’s security policy and other regulations or requirements. They are sometimes referred to as management controls. These controls focus on personnel and business practices. Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.

3. Physical
Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.

TYPES OF CONTROLS
The term access control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources.

Deterrent
A deterrent access control is deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security-awareness training, locks, fences, security badges, guards, mantraps, and security cameras.
Preventive
A preventive access control is deployed to thwart or stop unwanted or unauthorized activity from occurring. Examples of preventive access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access-control methods, encryption, auditing, presence of security cameras or CCTV, smartcards, callback procedures, security policies, security-awareness training, antivirus software, firewalls, and intrusion prevention systems (IPSs).

Detective
A detective access control is deployed to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred. Examples of detective access controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations.

Compensating
A compensating access control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. For example, an organizational policy may dictate that all PII must be encrypted. A review discovers that a preventive control is encrypting all PII data in databases, but PII transferred over the network is sent in cleartext. A compensating control can be added to protect the data in transit.

Corrective
A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. Corrective controls can be simple, such as terminating malicious activity or rebooting a system.
They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active IDSs that can modify the environment to stop an attack in progress.

Recovery
Recovery controls are an extension of corrective controls but have more advanced or complex abilities. Examples of recovery access controls include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

Directive
A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of directive access controls include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

Monitoring and Measurement
Security controls should provide benefits that can be monitored and measured. If a security control’s benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security. A security control may provide native or internal monitoring, or external monitoring might be required. You should take this into consideration when making initial countermeasure selections.

Figure: The six (6) steps of the risk management framework

INFORMATION ASSURANCE AWARENESS, TRAINING, AND EDUCATION (AT&E)
The AT&E program ensures that employees understand personal responsibility and organizational policies. It allows them to better use and protect information system resources entrusted to them.
Purpose of the AT&E Program
The purposes of information assurance AT&E are as follows:
To circulate and ensure effective implementation of the organization’s information assurance policies, procedures, and guidelines
To cultivate a strong information assurance culture by making employees aware of their responsibilities with regard to information assurance
To emphasize the fact that the organization is taking information assurance seriously and therefore will train its employees about the importance of protecting the organization’s information assets
To encourage employees to seek additional education about information assurance
To encourage employees to be more information assurance–conscious in their daily tasks, for example, by considering information assurance risks when making business decisions
To highlight management’s support for and commitment to information assurance
To inform employees about information assurance risks and controls in a general sense and provide more specific information and guidance where necessary

Benefits of the AT&E Program
The following are the benefits introduced by awareness, training, and education programs:
An AT&E program raises an organization’s reputation and brand. An organization’s reputation and brand are enhanced if its customers perceive the organization as an entity that protects the availability, integrity, sensitivity, and confidentiality of their data.
An AT&E program minimizes the severity and number of information assurance incidents. Early detection of information assurance incidents reduces impacts to an organization. This reduction decreases direct costs such as data recovery and customer notification. A significant reduction in crucial indirect costs such as loss of reputation, customers, and productivity is an additional benefit.
An AT&E program provides better protection for assets.
An organization’s information and information assets can be better protected by training employees to recognize and respond proactively to real or potential information assurance concerns.
An AT&E program reduces the risk of lawsuits against the organization. Organizations should exhibit a genuine corporate concern for information assurance. They should implement processes to ensure that their workforce will provide adequate protection for information assets.

TYPES OF LEARNING PROGRAMS

1. Information Assurance Awareness
Awareness programs serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment. Because people tend to forget, awareness also reminds people of basic information assurance practices, such as changing passwords at predetermined intervals.

The following guidelines can help organizations develop an effective information assurance awareness program:
Obtain management commitment. Management’s commitment should be clearly stated in the information assurance policy.
Appoint personnel to lead the planning process. Organizations should assemble a team or taskforce to begin the process of planning an awareness program.
Ensure establishment of an information assurance program and associated policy. An information assurance policy is the basis of an effective information assurance program.
Get their attention. To ensure that the awareness initiatives reach everyone in the organization, introducing information assurance as a fun and interesting topic is the most practical approach.
Make it applicable to the employee. As more information is being stored online and more people are using online services for banking, health, travel, and personal matters, people are interested in protecting themselves online.
Measure the effectiveness. The effectiveness of an awareness program and its ability to improve information assurance can be measured.
Test the awareness level. An awareness program is an agent to create change.
Its purpose is not just to convey information but also to change behavior.

2. Information Assurance Training
The distinction between training and awareness is that training aims to teach or improve an individual’s skill, knowledge, or attitude, which allows a person to carry out a specific function, while awareness aims to focus an individual’s attention on an issue or a set of issues. A further distinction is that in awareness activities the learner is a passive recipient of information, while in the training environment the learner has a more active role in the learning process. In other words, awareness explains “what” needs to be done and training explains “how” it should be done.

3. Information Assurance Education
The distinction between training and education can be made by examining the intent and scope of the instruction. In a training environment, the employee is taught to use specific skills as part of specific job performance. In an education context, the employee would be encouraged to examine and evaluate not only skills and methods of work but the fundamental operating principles and tenets upon which job skills are based.

POST-TEST:
Direction: Identify the terms described by the following:
1. The overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.
2. Relies on stakeholders to establish requirements for the developers.
3. Solutions provide “turn-key” access to information systems; the organization and senior management must be aware of the limitations and restrictions these providers may entail.
4. The process of ensuring changes to the organization are communicated to all relevant stakeholders and impacts are understood prior to changes being implemented.
5. Focuses on the information systems and services used by an organization.
6. Restriction of employee access depends on the need for access, job function, and responsibilities.
7. Visitors include vendors, consultants, maintenance personnel, contractors, and other nonemployees.
8. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
9. The process of examining & documenting the security posture of an organization’s information technology and the risks it faces.
10. Determination of the extent to which the organization’s information assets are exposed or at risk.
11. Application of controls to reduce the risks to an organization’s data and information systems.
12. Applying safeguards that eliminate or reduce the business risks that can harm the organization’s assets.
13. Shifting the risk to other areas of the business or to outside entities, such as an insurance company.
14. Risk mitigation means having policies and procedures in place to lessen the adverse effects when something happens.
15. Understanding the potential consequences of a risk, and accepting the chance of those consequences without control or mitigation.
16. Involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
17. Controls are the policies and procedures defined by an organization’s security policy and other regulations or requirements.
18. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
19. Serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment.
20. Aims to teach or improve an individual’s skill, knowledge, or attitude, which allows a person to carry out a specific function, while awareness aims to focus an individual’s attention on an issue or a set of issues.
21. The employee is taught to use specific skills as part of specific job performance.

ANSWER KEY:

PRE-TEST IDENTIFICATION:                     POST-TEST IDENTIFICATION:
1. System Development Life Cycle             1. System Development Life Cycle
2. System Development                        2. System Development
3. System Acquisition                        3. System Acquisition
4. Change Management                         4. Change Management
5. Configuration Management                  5. Configuration Management
6. Employee access                           6. Employee access
7. Visitor access                            7. Visitor access
8. Risk                                      8. Risk
9. Risk Identification                       9. Risk Identification
10. Risk Assessment                          10. Risk Assessment
11. Risk Control                             11. Risk Control
12. Risk avoidance                           12. Risk avoidance
13. Risk transference                        13. Risk transference
14. Risk mitigation                          14. Risk mitigation
15. Risk Acceptance                          15. Risk Acceptance
16. Technical Access                         16. Technical Access
17. Administrative Access                    17. Administrative Access
18. Physical access                          18. Physical access
19. Information Assurance Awareness          19. Information Assurance Awareness
20. Information Assurance Training           20. Information Assurance Training
21. Information Assurance Education          21. Information Assurance Education
