Unit 3 Risk Mitigation Process1-revised.pptx

Full Transcript

CIT220 Unit
3

Ris
Mitigati
k
on
Process
 U N I T 3.
1
SYS T E M D E VE LO PM E N T
A C Q U I S I T I O
N
 Benefi ts of
Incorporating
Security
0Considerations
Early integration reduces disruptions
a n d costs.
1
O n g o i n g security adaptation to evolving
threats.
0
Retrofi tting p o s t - incident is costly
2 a n d less eff ective.

0 Regular u pda tes to the security plan
are vital.
3
Documenting decisions a i d s
comprehensive coverage a n d audits.
0
4
OVERVIEW OF THE SDLC
S O FT WA R E D E V E LO P M E N T LIFE
CYCLE

The system development life cycle is the overall process of
creating, implementing, and decommissioning information systems
through a multistep process from initiation, analysis, design,
implementation, and maintenance to disposal.
INITIATION PHASE
Need establishment
Security
categorization Initial
Risk Assessment

DEVELOPMENT/ACQUISITION
PHASE
Requirement
analysis/ Security planning
development Security control
Risk assessment development Security test
Budgeting and evaluation

IMPLEMENTATION
PHASE
Security test and evaluation
Inspection and acceptance
System
integration/installation
OPERATION/MAINTENANCE
PHASE
Configuration management and control
Continuous monitoring and continuous
accreditation (authorization)

DISPOSAL PHASE
Information
preservation Media
sanitization
Hardware and software
disposal
 U N I T 3.
2
PHYSICAL &
ENVIRONMENTAL
S E C U R I T Y C O N T R O L
S
Main Threats For Physical and
Environmental Security
Energy (Electricity)
Equipment (Mechanical or electronic components) Fire
and Chemical Hazard (smoke, industrial pollution)

Manmade Disasters (war, terrorist attack, bombing) Natural
Disaster (earthquake, volcano, landslide, storms)

Pandemic Disease (bacteria, virus)
Radiation (electromagnetic pulse)
Weather (Sandstorm, humidity,
flood, lightning)
 2 Layer of
Defense
Physical security of premises and offi ces
Premises that contain critical information or systems
require special protection. The following controls are
related to the physical security of premises. One of the
controls is to establish the security perimeter as the outer
boundary. This perimeter should contain all critical assets.
Within this perimeter, there may be more secure areas or
enclaves.

Physical security of equipment
Protect information-processing equipment physically to
minimize the risk of unauthorized access to information and to
safeguard against loss or damage. Offsite computing
systems for reconstitution or contingency operations should
also be addressed in a physical security plan.
PHYSICAL SECURITY OF
PREMISES
Physical Entry Controls
Access Controls for Employees and Visitors
Employee Access - Positive identification and
access control are mandatory; therefore, all employees
should be required to always wear some form of visible
identification (ID badge) whenever they are on the
premises.

Visitor Access - Permit visitors access only to those areas where
they have specific and official purposes. In most cases, they
should also always be escorted and informed of the physical
security requirements of the area and emergency procedures
Supporting Utilities
Electrical Power - require redundancyin
electric power system availability. (UPS or Backup
Generators)

Equipment Maintenance
Maintenance of information processing equipment
based on the manufacturer's recommended service
intervals and specifi cations. All maintenance
services to the equipment either onsite or sent off
from the premises also need to be recorded and
tracked.
PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES
Use of any equipment outside an organization's
premises should be authorized by management.

SECURE DISPOSAL AND REUSE OF EQUIPMENT
Careless disposal, disposition, or recycling of equipment
can put information at risk.
HANDLING OF
MEDIA OF REMOVABLE MEDIA
MANAGEMENT
These devices can help mitigate the risks associated with
malicious code and the loss of proprietary information by
raising employee awareness about removable media usage
policies and minimizing potential damage.

Disposal of Media
The following are some guidelines of proper media disposal:
Electronic media containing sensitive customer information should be
degaussed prior to disposal. Degaussing completely erases the
information stored on the magnetic surface.
Printed materials, which hold confidential and restricted data, should be
destroyed in a secure way, such as by shreddin
 U N I T 3.
3
I N F O R M AT I O N AS S U R A N C E AT &
E
A W A R E N E S S , TR A IN IN G , A N
D E D U C A T I O N
WHAT’S THE
WEAKEST LINK
IN INFORMATION
ASSURANCE?
An effective AT&E program has four
stages: literacy, awareness,
training, a n d education (LATE).

The AT&E
program will not
succeed if
literacy
is not
established.
Purpose of the
AT&E Program
To cultivate a strong information
assurance culture among employees,
emphasize the organization's
commitment assets
informati to safeguarding
through
on training, ongoing
encourag
information education
assurance, in promote
e
vigilance in daily tasks with a focus
on risk awareness, and highlight
management's unwavering support.
It also ensures employees are
informed about risks and controls,
offering specific guidance as
necessary.
 Types of Learning
Programs
IA IA IA
AWARENESS TRAINING EDUCATION
Awareness programs Training aims to Using internalized
serve to motivate a teach or improve an concepts and skills
sense of individual’s skill, to perform
responsibility and knowledge, or operations such as
encourage attitude, which analyzing,
employees to be allows a person to evaluating, and
more cautious about carry out a specific judging to reach
their work function. higher cognitive-
environment. level decisions.
 U N I T 3.
4
PREVENTIVE
TOOLS
A N D T
E C H N I Q U E S
Preventive
Assurance
Information
Tools Network Intrusion Prevention
Content Filters System
Restrict internet access for
end users, enabling Public Key
administrators to block Infrastructure
specifi c websites based on
local policies.
Virtual Private
Cryptographic Networks
Protocols a n d Tools
Safeguard information by
Proxy
transforming it, allowing only
authorized users to access it in its original
Servers
form. They ensure confidentiality, integrity,
and non-repudiation. Firewal
ls
Encryption methods can apply to entire hard
disks, databases, folders, or individual
files on hosts.
Specially designed secure network protocols are
used to secure data traveling over networks such
as the Internet. Examples of protocols that implement
network services include:

0 Secure Sockets Layer
(SSL)
1
0 Transport Layer Security
(TLS)
2
IP Security (IPSec)
protocols
0
3
SSL and TLS are preferred information
protocols security
in web environments, while IPSec
protocols are preferred for implementing
virtual private networks (VPNs).
 Cryptographic Protocols and
Tools
FIREWALL PUBLIC KEY
S INFRASTRUCTURE
Primary information assurance Provides secure communication
control. over unsecured networks.
NETWORK INTRUSION PREVENTION
SYSTEM
Enforces organizational infosec
policies by analyzing network traffic
(Content- based and Anomaly-based)

PROXY SERVERS

Serve as intermediaries between
clients and the internet. (e.g., gateway)

VIRTUAL PRIVATE
NETWORKS
A secure network that uses the
Internet for user connections, ensuring
security through encryption. (e.g.,
IPSec, SSL, and PPTP)
Preventive
Assurance IT
InformationControls Support
In a dynamic tech landscape, Handles various issues. Trained
organizations must adapt and technicians
bolster their security measures. address security problems.

Media Controls and
Documentation

Backups Securing information goes beyond
servers; Environmental safeguards
Vital for information assurance, against fires, temperature, and
providing copies of data, software, and humidity issues.
hardware. (e.g., full, differential, Usage logging (e.g., check-in/check-
incremental, and mirror) out).
Maintenance (data overwriting,
disposal).
Change and Configuration Unauthorized access prevention.
Management Proper labeling (owner, date,
Organizations must adapt constantly in version, classification).
an ever-changing environment. (e.g., Storage options (off-site or locked
alliances, market demands, server rooms).
competition, operations, and
regulations) Patch Management
 U N I T 3. 5

ACCESS
CONTROL
ACCESS CONTROL
SYSTEM
An access control system prevents actions
on an object (target to be accessed)
by unauthorized users (subjects).

Access control should protect vital
resources not only from unauthorized
external access but also from internal
attacks.

Access control is the first line of defense
to protect the system from
unauthorized modification

A benefit of access control is that it serves
as an auditing tool (to trace
information security breaches, incidents, and
events).
A CCESS CONTROL
TYPES
01
PHYSICAL
Organizations usually manage physical access with human,
technological, or mechanical controls. A physical control might be
biometric identification technology used to restrict entry to a
property, a building, or a room to authorized persons.

0 LOGIC
2 AL
Logical access controls manage access based on processes such
as identification, authentication, authorization, and accountability.
Examples of logical access controls are digital signatures and
hashing.
 A cce ss Control
Models
An access control model defines how subjects access
objects

01 Discretionary Mandator y 0 Role-b a s e d
02 Owner of the object control access to 3 Uses a centrally
determines the sensitive or controlled managed set of rules,
access policy. data in systems with which grants access to
multiple level objects based on the
Owner decides which classification roles of the subject
subjects may access
the object and what Owner does not Since subjects are not
privileges the subject establish access policy assigned permission
has. since the system directly like other models,
decides on the access they acquire it through
This model is adapted control based on the roles and the
by Windows, Apple and information security management of access
various linux system classification and policy becomes relatively
rules easier
A cce ss Control
Techniques
Selecting an access control model needs to complement the selection of proper
access control techniques.

RULE-BASED ACCESS CONTROL
uses simple rules to determine the result of privileges, which a subject can have
over an object.
determines what can and cannot be allowed.

ACCESS CONTROL MATRIX
a static, abstract, formal computer protection and
information assurance model used in computer
systems represents the relationship of subjects and
objects in a tabulated form
ACCESS CONTROL
LISTS
a list containing information about the individual or
group permission given to an object; the ACL specifies the
access level and functions allowed onto the object.
two types of ACLs:
a. Network - implemented on servers and routers
b. File System - implement file access by tracking
subjects’ access to objects

CAPABILITY TABLES
an authorization table that identifies a subject
and specifies the access right allowed to that subject
the rows list the capabilities that the subject can have
frequently used to implement the RBAC model
CONSTRAINED USER INTERFACES
a way to limit access of subjects to a resource or
information by presenting them with only the information,
function, or access to the resource for which they have
privileges.

CONTENT-DEPENDENT ACCESS CONTROL
technique is used in databases
access to objects is dependent on the content of the objects
aims at controlling the availability of information by means
of views

CONTEXT-DEPENDENT ACCESS CONTROL
defines the access controls of a subject on objects based on
a context or situation
A firewall is a good example
A CCESS CONTROL
ADMINISTRATION

CENTRALIZED DECENTRALIZED
contained in a department, gives control to people who
unit or information security are closer to the objects
administrator

ensures uniformity does not ensure

simplified method and uniformity more relaxed
cost effective
faster since changes are
slow because all changes
made to function rather to
are processed by single
the whole organization
entity
UNIT
3

END OF
THAN YO
SLIDE
K U!

CIT220 - INFORMATION ASSURANCE &
SECURITY 2