Unit 3 Risk Mitigation Process PDF
Summary
This document provides an overview of risk mitigation, specifically within the context of a software development lifecycle. It covers topics such as security considerations and various phases of security planning. The document also details physical security measures, equipment maintenance, and media handling.
CIT220 Unit 3 Risk Mitigation Process

UNIT 3.1 SYSTEM DEVELOPMENT ACQUISITION

Benefits of Incorporating Security Considerations
01 Early integration reduces disruptions and costs.
02 Ongoing security adaptation to evolving threats.
03 Retrofitting post-incident is costly and less effective.
04 Regular updates to the security plan are vital.
05 Documenting decisions aids comprehensive coverage and audits.

OVERVIEW OF THE SDLC (SOFTWARE DEVELOPMENT LIFE CYCLE)
The system development life cycle is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.

INITIATION PHASE
- Need establishment
- Security categorization
- Initial risk assessment

DEVELOPMENT/ACQUISITION PHASE
- Requirement analysis/development
- Security planning
- Risk assessment
- Security control development
- Budgeting
- Security test and evaluation

IMPLEMENTATION PHASE
- Security test and evaluation
- Inspection and acceptance
- System integration/installation
- Security accreditation

OPERATION/MAINTENANCE PHASE
- Configuration management and control
- Continuous monitoring and continuous accreditation (authorization)

DISPOSAL PHASE
- Information preservation
- Media sanitization
- Hardware and software disposal

UNIT 3.2 PHYSICAL & ENVIRONMENTAL SECURITY CONTROLS

Main Threats for Physical and Environmental Security
- Energy (electricity)
- Equipment (mechanical or electronic components)
- Fire and chemical hazard (smoke, industrial pollution)
- Manmade disasters (war, terrorist attack, bombing)
- Natural disaster (earthquake, volcano, landslide, storms)
- Pandemic disease (bacteria, virus)
- Radiation (electromagnetic pulse)
- Weather (sandstorm, humidity, flood, lightning)

2 Layers of Defense
Physical security of premises and offices: Premises that contain critical information or systems require special protection. The following controls are related to the physical security of premises. One of the controls is to establish the security perimeter as the outer boundary. This perimeter should contain all critical assets. Within this perimeter, there may be more secure areas or enclaves.
Physical security of equipment: Protect information-processing equipment physically to minimize the risk of unauthorized access to information and to safeguard against loss or damage. Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan.

PHYSICAL SECURITY OF PREMISES
Physical Entry Controls (Access Controls for Employees and Visitors)
- Employee Access - Positive identification and access control are mandatory; therefore, all employees should be required to always wear some form of visible identification (ID badge) whenever they are on the premises.
- Visitor Access - Permit visitors access only to those areas where they have a specific and official purpose. In most cases, they should also always be escorted and informed of the physical security requirements of the area and the emergency procedures.
Supporting Utilities
- Electrical Power - Require redundancy in electric power system availability (UPS or backup generators).
Equipment Maintenance
- Maintain information-processing equipment based on the manufacturer's recommended service intervals and specifications.
- All maintenance services to the equipment, whether performed onsite or after sending the equipment off the premises, also need to be recorded and tracked.

PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES
Use of any equipment outside an organization's premises should be authorized by management.

SECURE DISPOSAL AND REUSE OF EQUIPMENT
Careless disposal, disposition, or recycling of equipment can put information at risk.

HANDLING OF MEDIA
Management of Removable Media: Managing these devices can help mitigate the risks associated with malicious code and the loss of proprietary information by raising employee awareness about removable media usage policies and minimizing potential damage.
Disposal of Media: The following are some guidelines for proper media disposal:
- Electronic media containing sensitive customer information should be degaussed prior to disposal. Degaussing completely erases the information stored on the magnetic surface.
- Printed materials which hold confidential and restricted data should be destroyed in a secure way, such as by shredding.

UNIT 3.3 INFORMATION ASSURANCE AT&E (AWARENESS, TRAINING, AND EDUCATION)

WHAT'S THE WEAKEST LINK IN INFORMATION ASSURANCE?
An effective AT&E program has four stages: literacy, awareness, training, and education (LATE). The AT&E program will not succeed if literacy is not established.

Purpose of the AT&E Program
To cultivate a strong information assurance culture among employees, emphasize the organization's commitment to safeguarding information assets through training, encourage ongoing education in information assurance, promote vigilance in daily tasks with a focus on risk awareness, and highlight management's unwavering support. It also ensures employees are informed about risks and controls, offering specific guidance as necessary.

Types of Learning Programs
- IA AWARENESS: Awareness programs serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment.
- IA TRAINING: Training aims to teach or improve an individual's skill, knowledge, or attitude, which allows a person to carry out a specific function.
- IA EDUCATION: Using internalized concepts and skills to perform operations such as analyzing, evaluating, and judging to reach higher cognitive-level decisions.

UNIT 3.4 PREVENTIVE TOOLS AND TECHNIQUES

Preventive Information Assurance Tools
- Network Intrusion Prevention System
- Public Key Infrastructure
- Virtual Private Networks
- Proxy Servers
- Firewalls
- Content Filters: Restrict internet access for end users, enabling administrators to block specific websites based on local policies.
- Cryptographic Protocols and Tools: Safeguard information by transforming it, allowing only authorized users to access it in its original form. They ensure confidentiality, integrity, and non-repudiation. Encryption methods can apply to entire hard disks, databases, folders, or individual files on hosts.

Cryptographic Protocols and Tools
Specially designed secure network protocols are used to secure data traveling over networks such as the Internet. Examples of protocols that implement network services include:
01 Secure Sockets Layer (SSL)
02 Transport Layer Security (TLS)
03 IP Security (IPSec) protocols
SSL and TLS are the preferred information security protocols in web environments, while IPSec protocols are preferred for implementing virtual private networks (VPNs).

- FIREWALLS: Primary information assurance control.
- PUBLIC KEY INFRASTRUCTURE: Provides secure communication over unsecured networks.
- NETWORK INTRUSION PREVENTION SYSTEM: Enforces organizational infosec policies by analyzing network traffic (content-based and anomaly-based).
- PROXY SERVERS: Serve as intermediaries between clients and the internet (e.g., a gateway).
- VIRTUAL PRIVATE NETWORKS: A secure network that uses the Internet for user connections, ensuring security through encryption (e.g., IPSec, SSL, and PPTP).

Preventive Information Assurance Controls
In a dynamic tech landscape, organizations must adapt and bolster their security measures.
- IT Support: Handles various issues. Trained technicians address security problems.
- Media Controls and Documentation: Securing information goes beyond servers; environmental safeguards against fires, temperature, and humidity issues. Usage logging (e.g., check-in/check-out). Maintenance (data overwriting, disposal). Unauthorized access prevention. Proper labeling (owner, date, version, classification). Storage options (off-site or locked server rooms).
- Backups: Vital for information assurance, providing copies of data, software, and hardware (e.g., full, differential, incremental, and mirror).
- Change and Configuration Management: Organizations must adapt constantly in an ever-changing environment (e.g., alliances, market demands, competition, operations, and regulations).
- Patch Management: Involves timely and planned updates; establishing dedicated resources; monitoring/identifying patches; identifying the risk in applying a patch; testing a patch before installing.

UNIT 3.5 ACCESS CONTROL

ACCESS CONTROL SYSTEM
An access control system prevents actions on an object (the target to be accessed) by unauthorized users (subjects). Access control should protect vital resources not only from unauthorized external access but also from internal attacks. Access control is the first line of defense to protect the system from unauthorized modification. A benefit of access control is that it serves as an auditing tool (to trace information security breaches, incidents, and events).

ACCESS CONTROL TYPES
01 PHYSICAL: Organizations usually manage physical access with human, technological, or mechanical controls. A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons.
02 LOGICAL: Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability. Examples of logical access controls are digital signatures and hashing.

Access Control Models
An access control model defines how subjects access objects.
01 Discretionary: The owner of the object determines the access policy. The owner decides which subjects may access the object and what access privileges the subject has. This model is adopted by Windows, Apple, and various Linux systems.
02 Mandatory: Controls access to sensitive or controlled data in systems with multiple-level classification. The owner does not establish policy, since the system decides on the access control based on the information security classification and policy rules.
03 Role-based: Uses a centrally managed set of rules which grants access to objects based on the roles of the subject. Since subjects are not assigned permissions directly as in the other models, they acquire them through roles, and the management of access becomes relatively easier.

Access Control Techniques
Selecting an access control model needs to complement the selection of proper access control techniques.
- RULE-BASED ACCESS CONTROL: Uses simple rules to determine the privileges which a subject can have over an object; determines what can and cannot be allowed.
- ACCESS CONTROL MATRIX: A static, abstract, formal computer protection and information assurance model used in computer systems; represents the relationship of subjects and objects in a tabulated form.
- ACCESS CONTROL LISTS: A list containing information about the individual or group permissions given to an object; the ACL specifies the access level and functions allowed on the object. Two types of ACLs: a. Network - implemented on servers and routers; b. File System - implements file access by tracking subjects' access to objects.
- CAPABILITY TABLES: An authorization table that identifies a subject and specifies the access rights allowed to that subject; the rows list the capabilities that the subject can have; frequently used to implement the RBAC model.
- CONSTRAINED USER INTERFACES: A way to limit the access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges.
- CONTENT-DEPENDENT ACCESS CONTROL: A technique used in databases; access to objects is dependent on the content of the objects; aims at controlling the availability of information by means of views.
- CONTEXT-DEPENDENT ACCESS CONTROL: Defines the access controls of a subject on objects based on a context or situation. A firewall is a good example.

ACCESS CONTROL ADMINISTRATION
CENTRALIZED
- Contained in a department, unit, or information security administrator
- Ensures uniformity
- Simplified method and cost effective
- Slow because all changes are processed by a single entity
DECENTRALIZED
- Gives control to people who are closer to the objects
- Does not ensure uniformity
- More relaxed
- Faster since changes are made to a function rather than to the whole organization

END OF UNIT 3. THANK YOU!
CIT220 - INFORMATION ASSURANCE & SECURITY 2
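The access control models and techniques covered in Unit 3.5 (the access control matrix, its ACL and capability-table views, a discretionary owner-controlled grant, and role-based assignment) worked through in Python. This is an added example, not code from the slides; the subjects, objects, owners and roles are constructed sample data.

```python
"""Access control matrix with ACL / capability views, a DAC grant, and an RBAC expansion."""
from collections import defaultdict

# Constructed sample data (not from the slides): objects and their owners.
OWNERS = {"payroll.db": "alice", "report.txt": "bob"}
# Access control matrix: rows are subjects, columns are objects, cells are sets of rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}},
    "carol": {},
}

def acl(matrix, obj):
    """Column view: the ACL attached to one object -> {subject: rights}."""
    return {s: set(rights[obj]) for s, rights in matrix.items() if obj in rights}

def capabilities(matrix, subject):
    """Row view: the capability table of one subject -> {object: rights}."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}

def allowed(matrix, subject, obj, right):
    """Reference-monitor check: is `right` on `obj` granted to `subject`?"""
    return right in matrix.get(subject, {}).get(obj, set())

def dac_grant(matrix, granter, subject, obj, right):
    """Discretionary model: only the object's owner may change its policy. True on success."""
    if OWNERS.get(obj) != granter:
        return False
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True

# Role-based model: permissions attach to roles; subjects acquire them through membership.
ROLE_PERMS = {
    "hr":    {("payroll.db", "read"), ("payroll.db", "write")},
    "staff": {("report.txt", "read")},
}
SUBJECT_ROLES = {"alice": {"hr", "staff"}, "bob": {"staff"}, "carol": set()}

def rbac_allowed(subject, obj, right):
    """A subject holds a right only if one of its roles carries it."""
    return any((obj, right) in ROLE_PERMS[r] for r in SUBJECT_ROLES.get(subject, set()))

def rbac_to_matrix():
    """Expand the role assignments into the equivalent access control matrix."""
    expanded = {}
    for subject, roles in SUBJECT_ROLES.items():
        cells = defaultdict(set)
        for role in roles:
            for obj, right in ROLE_PERMS[role]:
                cells[obj].add(right)
        expanded[subject] = dict(cells)
    return expanded
```

Revoking a role in SUBJECT_ROLES removes every right it carried in one step, which is the management advantage the slides attribute to RBAC over per-subject assignment.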