Unit 3 Risk Mitigation Process1-revised.pptx

Full Transcript


CIT220 Unit 3 Risk Mitigation Process

UNIT 3.1 SYSTEM DEVELOPMENT ACQUISITION

Benefits of Incorporating Security Considerations
01 Early integration reduces disruptions and costs.
02 Ongoing security adaptation to evolving threats.
03 Retrofitting post-incident is costly and less effective.
04 Regular updates to the security plan are vital. Documenting decisions aids comprehensive coverage and audits.

OVERVIEW OF THE SDLC
SOFTWARE DEVELOPMENT LIFE CYCLE
The system development life cycle is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.

INITIATION PHASE
Need establishment
Security categorization
Initial risk assessment

DEVELOPMENT/ACQUISITION PHASE
Requirement analysis/development
Risk assessment
Budgeting
Security planning
Security control development
Security test and evaluation

IMPLEMENTATION PHASE
Security test and evaluation
Inspection and acceptance
System integration/installation

OPERATION/MAINTENANCE PHASE
Configuration management and control
Continuous monitoring and continuous accreditation (authorization)

DISPOSAL PHASE
Information preservation
Media sanitization
Hardware and software disposal

UNIT 3.2 PHYSICAL & ENVIRONMENTAL SECURITY CONTROLS

Main Threats for Physical and Environmental Security
Energy (electricity)
Equipment (mechanical or electronic components)
Fire and chemical hazard (smoke, industrial pollution)
Manmade disasters (war, terrorist attack, bombing)
Natural disaster (earthquake, volcano, landslide, storms)
Pandemic disease (bacteria, virus)
Radiation (electromagnetic pulse)
Weather (sandstorm, humidity, flood, lightning)

2 Layers of Defense
Physical security of premises and offices
Premises that contain critical information or systems require special protection.
The following controls are related to the physical security of premises. One of the controls is to establish the security perimeter as the outer boundary. This perimeter should contain all critical assets. Within this perimeter, there may be more secure areas or enclaves.

Physical security of equipment
Protect information-processing equipment physically to minimize the risk of unauthorized access to information and to safeguard against loss or damage. Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan.

PHYSICAL SECURITY OF PREMISES

Physical Entry Controls: Access Controls for Employees and Visitors
Employee Access - Positive identification and access control are mandatory; therefore, all employees should be required to always wear some form of visible identification (ID badge) whenever they are on the premises.
Visitor Access - Permit visitors access only to those areas where they have specific and official purposes. In most cases, they should also always be escorted and informed of the physical security requirements of the area and emergency procedures.

Supporting Utilities
Electrical Power - Require redundancy in electric power system availability (UPS or backup generators).

Equipment Maintenance
Maintain information processing equipment based on the manufacturer's recommended service intervals and specifications. All maintenance services to the equipment, either onsite or sent off from the premises, also need to be recorded and tracked.

PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES
Use of any equipment outside an organization's premises should be authorized by management.

SECURE DISPOSAL AND REUSE OF EQUIPMENT
Careless disposal, disposition, or recycling of equipment can put information at risk.
HANDLING OF MEDIA

Removable Media Management
Managing these devices can help mitigate the risks associated with malicious code and the loss of proprietary information by raising employee awareness about removable media usage policies and minimizing potential damage.

Disposal of Media
The following are some guidelines for proper media disposal:
Electronic media containing sensitive customer information should be degaussed prior to disposal. Degaussing completely erases the information stored on the magnetic surface.
Printed materials which hold confidential and restricted data should be destroyed in a secure way, such as by shredding.

UNIT 3.3 INFORMATION ASSURANCE AT&E: AWARENESS, TRAINING, AND EDUCATION

WHAT'S THE WEAKEST LINK IN INFORMATION ASSURANCE?
An effective AT&E program has four stages: literacy, awareness, training, and education (LATE). The AT&E program will not succeed if literacy is not established.

Purpose of the AT&E Program
To cultivate a strong information assurance culture among employees, emphasize the organization's commitment to safeguarding information assets through ongoing training, encourage education in information assurance, promote vigilance in daily tasks with a focus on risk awareness, and highlight management's unwavering support. It also ensures employees are informed about risks and controls, offering specific guidance as necessary.

Types of Learning Programs
IA AWARENESS - Awareness programs serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment.
IA TRAINING - Training aims to teach or improve an individual's skill, knowledge, or attitude, which allows a person to carry out a specific function.
IA EDUCATION - Using internalized concepts and skills to perform operations such as analyzing, evaluating, and judging to reach higher cognitive-level decisions.

UNIT 3.4 PREVENTIVE TOOLS AND TECHNIQUES

Preventive Information Assurance Tools
Network Intrusion Prevention System
Content Filters - Restrict internet access for end users, enabling administrators to block specific websites based on local policies.
Public Key Infrastructure
Virtual Private Networks
Cryptographic Protocols and Tools - Safeguard information by transforming it, allowing only authorized users to access it in its original form. They ensure confidentiality, integrity, and non-repudiation.
Proxy Servers
Firewalls

Cryptographic Protocols and Tools
Encryption methods can apply to entire hard disks, databases, folders, or individual files on hosts. Specially designed secure network protocols are used to secure data traveling over networks such as the Internet. Examples of protocols that implement network services include:
01 Secure Sockets Layer (SSL)
02 Transport Layer Security (TLS)
03 IP Security (IPSec) protocols
SSL and TLS are the preferred information security protocols in web environments, while IPSec protocols are preferred for implementing virtual private networks (VPNs).

FIREWALLS - Primary information assurance control.
PUBLIC KEY INFRASTRUCTURE - Provides secure communication over unsecured networks.
NETWORK INTRUSION PREVENTION SYSTEM - Enforces organizational infosec policies by analyzing network traffic (content-based and anomaly-based).
PROXY SERVERS - Serve as intermediaries between clients and the internet (e.g., gateway).
VIRTUAL PRIVATE NETWORKS - A secure network that uses the Internet for user connections, ensuring security through encryption (e.g., IPSec, SSL, and PPTP).

Preventive Information Assurance Controls
In a dynamic tech landscape, organizations must adapt and bolster their security measures.
IT Support - Handles various issues. Trained technicians address security problems.
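The slides name SSL/TLS as the protocols of choice for web traffic but do not show what a sound TLS client configuration looks like in practice. The following Python example is added here and is not part of the original slides; it uses only the standard-library ssl module. It builds a deliberately weak client context (certificate verification and host name checking switched off, protocol minimum lowered to the deprecated TLS 1.0) beside a hardened one, and runs a small audit function over both. The audit checks, the finding texts and the two context-building functions are this example's own.

```python
from __future__ import annotations

import ssl

# Added example, not from the slides: audit a Python ssl.SSLContext against the
# settings a defender expects from a TLS client in a web environment.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname: certificate is not matched to the host name")
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum_version: {ctx.minimum_version.name} is below TLS 1.2")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("options: TLS compression is not disabled")
    return findings


def insecure_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' configuration often seen in scripts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, so any impersonator
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # deprecated protocol version
    except ValueError:
        pass  # this OpenSSL build has no TLS 1.0 at all; keep the default
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verified certificates, host name checking, TLS 1.2 or newer, no compression."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = MIN_VERSION
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        findings = audit_tls_context(ctx)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Running the script prints PASS for the hardened context and lists the findings for the insecure one. The same audit can be applied to any SSLContext an application constructs before it opens a connection, which is a cheap way to catch verification that was disabled during debugging and never restored.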
Media Controls
Securing information goes beyond servers; environmental safeguards against fires, temperature, and humidity issues.
Usage logging (e.g., check-in/check-out).
Maintenance (data overwriting, disposal).
Unauthorized access prevention.
Proper labeling (owner, date, version, classification).
Storage options (off-site or locked server rooms).

Documentation and Backups
Vital for information assurance, providing copies of data, software, and hardware (e.g., full, differential, incremental, and mirror).

Change and Configuration Management
Organizations must adapt constantly in an ever-changing environment (e.g., alliances, market demands, competition, operations, and regulations).

Patch Management

UNIT 3.5 ACCESS CONTROL

ACCESS CONTROL SYSTEM
An access control system prevents actions on an object (target to be accessed) by unauthorized users (subjects). Access control should protect vital resources not only from unauthorized external access but also from internal attacks. Access control is the first line of defense to protect the system from unauthorized modification. A benefit of access control is that it serves as an auditing tool (to trace information security breaches, incidents, and events).

ACCESS CONTROL TYPES
01 PHYSICAL - Organizations usually manage physical access with human, technological, or mechanical controls. A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons.
02 LOGICAL - Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability. Examples of logical access controls are digital signatures and hashing.

Access Control Models
An access control model defines how subjects access objects.
01 Discretionary - The owner of the object determines the access policy. The owner decides which subjects may access the object and what privileges the subject has. This model is adopted by Windows, Apple and various Linux systems.
02 Mandatory - Controls access to sensitive or controlled data in systems with multiple-level classification. The owner does not establish the access policy, since the system decides on the access control based on the information security classification and rules.
03 Role-based - Uses a centrally managed set of rules which grants access to objects based on the roles of the subject. Since subjects are not assigned permissions directly like in other models, they acquire them through roles, and the management of access policy becomes relatively easier.

Access Control Techniques
Selecting an access control model needs to complement the selection of proper access control techniques.

RULE-BASED ACCESS CONTROL
Uses simple rules to determine the privileges which a subject can have over an object; determines what can and cannot be allowed.

ACCESS CONTROL MATRIX
A static, abstract, formal computer protection and information assurance model used in computer systems; represents the relationship of subjects and objects in tabulated form.

ACCESS CONTROL LISTS
A list containing information about the individual or group permission given to an object; the ACL specifies the access level and functions allowed on the object. Two types of ACLs: a. Network - implemented on servers and routers; b. File System - implements file access by tracking subjects' access to objects.

CAPABILITY TABLES
An authorization table that identifies a subject and specifies the access rights allowed to that subject; the rows list the capabilities that the subject can have; frequently used to implement the RBAC model.

CONSTRAINED USER INTERFACES
A way to limit access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges.

CONTENT-DEPENDENT ACCESS CONTROL
A technique used in databases; access to objects is dependent on the content of the objects; aims at controlling the availability of information by means of views.

CONTEXT-DEPENDENT ACCESS CONTROL
Defines the access controls of a subject on objects based on a context or situation. A firewall is a good example.

ACCESS CONTROL ADMINISTRATION
CENTRALIZED - Contained in a department, unit or information security administrator; ensures uniformity; simplified method and cost effective; changes are slow because all changes are processed by a single entity.
DECENTRALIZED - Gives control to people who are closer to the objects; does not ensure uniformity; more relaxed; faster, since changes are made to a function rather than to the whole organization.

UNIT 3 END OF SLIDE. THANK YOU!
CIT220 - INFORMATION ASSURANCE & SECURITY 2
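The Documentation and Backups slide names full, differential, incremental and mirror backups without showing how they differ in what they copy and what a restore needs. The following Python example is added here (it is not from the slides) and simulates the strategies over a constructed three-day file history: a differential copies everything changed since the last full backup, an incremental copies everything changed since the previous backup of any kind, and restore walks the chain back to the last full. The Backup class, the sample file names and the simplification that deleted files are not tracked are all this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Backup:
    """One backup run. `files` maps a file name to the content copied in this run."""
    kind: str        # "full", "mirror", "differential" or "incremental"
    day: int
    files: dict


def last_full_index(history: list[Backup]) -> int:
    """Position of the most recent full (or mirror) backup in the chain."""
    return max(i for i, b in enumerate(history) if b.kind in ("full", "mirror"))


def restore(history: list[Backup]) -> dict:
    """Rebuild the file set from a backup chain: the last full plus what follows it."""
    start = last_full_index(history)
    state: dict = {}
    for b in history[start:]:
        if b.kind == "differential":
            # a differential holds everything since the full, so it supersedes
            # any earlier differential or incremental in the chain
            state = dict(history[start].files)
        state.update(b.files)
    return state


def select_files(current: dict, kind: str, history: list[Backup]) -> dict:
    """Choose which files a new backup of `kind` must copy.

    full/mirror: every file.
    differential: files changed since the last full backup.
    incremental: files changed since the last backup of any kind.
    Deleted files are not tracked; that simplification is this example's own.
    """
    if kind in ("full", "mirror") or not history:
        return dict(current)
    if kind == "differential":
        baseline = history[last_full_index(history)].files
    elif kind == "incremental":
        baseline = restore(history)
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return {name: data for name, data in current.items() if baseline.get(name) != data}


def run_schedule(daily_states: list[dict], kind: str) -> list[Backup]:
    """Full backup on day 0, then one backup of `kind` per day; returns the chain."""
    history = [Backup("full", 0, dict(daily_states[0]))]
    for day, state in enumerate(daily_states[1:], start=1):
        history.append(Backup(kind, day, select_files(state, kind, history)))
    return history


if __name__ == "__main__":
    # Constructed sample: three files, one changes on day 1, another on day 2.
    days = [
        {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},
        {"a.txt": "a1", "b.txt": "b0", "c.txt": "c0"},
        {"a.txt": "a1", "b.txt": "b1", "c.txt": "c0"},
    ]
    for kind in ("differential", "incremental"):
        chain = run_schedule(days, kind)
        print(kind, [sorted(b.files) for b in chain],
              "restores correctly:", restore(chain) == days[-1])
```

The trade-off the simulation makes visible: the differential chain copies more each day (day 2 copies both changed files) but a restore needs only the full plus the latest differential, while the incremental chain copies less but a restore must replay every incremental since the full, so losing any one of them breaks the chain.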
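The Access Control Models and Access Control Techniques slides describe the access control matrix, ACLs, capability tables, the discretionary and role-based models, and rule- and context-dependent controls in prose. The following Python example is added here (it is not from the slides) and shows how these fit together: one matrix, read by column to obtain an object's ACL and by row to obtain a subject's capability table; a discretionary grant that only the object's owner may perform; a role-based check; a time-of-day rule layered on top of either model; and an audit log of every decision, which the slides note as a benefit of access control. The subjects, objects, roles, owners and the business-hours rule are constructed sample data.

```python
from __future__ import annotations

# Added example, not from the slides. Subjects, objects, rights, owners and
# roles below are constructed sample data for illustration.

# Access control matrix: MATRIX[subject][object] -> set of rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "policy.doc": {"read"}},
    "bob":   {"policy.doc": {"read", "write"}},
    "carol": {},
}
OWNERS = {"payroll.db": "alice", "policy.doc": "bob"}   # DAC: owners set the policy

# RBAC: permissions hang off roles; subjects acquire them through role membership.
ROLE_PERMS = {
    "hr_manager": {("payroll.db", "read"), ("payroll.db", "write")},
    "hr_clerk":   {("payroll.db", "read")},
    "staff":      {("policy.doc", "read")},
}
SUBJECT_ROLES = {"alice": {"hr_manager", "staff"}, "bob": {"staff"}, "carol": set()}

AUDIT_LOG: list[tuple] = []   # the access control system doubles as an audit trail


def acl_for(obj: str) -> dict:
    """Column of the matrix: the object's ACL (subject -> rights)."""
    return {s: set(rights[obj]) for s, rights in MATRIX.items() if obj in rights}


def capabilities_for(subject: str) -> dict:
    """Row of the matrix: the subject's capability table (object -> rights)."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items()}


def dac_grant(requester: str, obj: str, subject: str, right: str) -> bool:
    """Discretionary: only the object's owner may change who can access it."""
    if OWNERS.get(obj) != requester:
        AUDIT_LOG.append(("grant-denied", requester, obj, subject, right))
        return False
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(right)
    AUDIT_LOG.append(("grant", requester, obj, subject, right))
    return True


def rbac_allows(subject: str, obj: str, right: str) -> bool:
    """Role-based: allowed if any of the subject's roles carries the permission."""
    return any((obj, right) in ROLE_PERMS[role] for role in SUBJECT_ROLES.get(subject, ()))


def rule_allows(obj: str, right: str, hour: int) -> bool:
    """Rule-based / context-dependent layer: payroll writes only 08:00-17:59."""
    if obj == "payroll.db" and right == "write":
        return 8 <= hour < 18
    return True


def check_access(subject: str, obj: str, right: str, hour: int = 10, model: str = "dac") -> bool:
    """Reference-monitor style decision: model check first, then the rule layer."""
    if model == "dac":
        allowed = right in capabilities_for(subject).get(obj, set())
    elif model == "rbac":
        allowed = rbac_allows(subject, obj, right)
    else:
        raise ValueError(f"unknown model: {model}")
    allowed = allowed and rule_allows(obj, right, hour)
    AUDIT_LOG.append(("access", subject, obj, right, model, hour, allowed))
    return allowed


if __name__ == "__main__":
    print("ACL for policy.doc:", acl_for("policy.doc"))
    print("capabilities of alice:", capabilities_for("alice"))
    print("alice writes payroll at 10:00:", check_access("alice", "payroll.db", "write", hour=10))
    print("alice writes payroll at 22:00:", check_access("alice", "payroll.db", "write", hour=22))
    print("bob reads payroll (rbac):", check_access("bob", "payroll.db", "read", model="rbac"))
    print("carol grants herself payroll:", dac_grant("carol", "payroll.db", "carol", "read"))
    print("bob grants carol policy.doc:", dac_grant("bob", "policy.doc", "carol", "read"))
    print("carol reads policy.doc:", check_access("carol", "policy.doc", "read"))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The ACL and the capability table are the same matrix viewed two ways, which is why the slides list both as techniques rather than as competing models. The audit log records denied grants as well as denied accesses; in a real system those denied entries are the ones worth alerting on, because a non-owner attempting to widen access is exactly the internal misuse the slides say access control must cover.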
