Unit 3 Risk Mitigation Process PDF

Document Details

StupendousPipa

Uploaded by StupendousPipa

Tags

risk mitigation information assurance security considerations software development

Summary

This document provides an overview of risk mitigation, specifically within the context of a software development lifecycle. It covers topics such as security considerations and various phases of security planning. The document also details physical security measures, equipment maintenance, and media handling.

Full Transcript

CIT220 Unit 3 Risk Mitigation Process U N I T 3. 1 SYSTEM DEVELOPMENT A C Q U IS IT IO N Benefits of Incorporating Security Considerations 01 Early integration reduces disruptions a n d costs. 02 O n g o i n g security adaptation to evolving threats. Retrofitting...

CIT220 Unit 3 Risk Mitigation Process U N I T 3. 1 SYSTEM DEVELOPMENT A C Q U IS IT IO N Benefits of Incorporating Security Considerations 01 Early integration reduces disruptions a n d costs. 02 O n g o i n g security adaptation to evolving threats. Retrofitting p o s t - incident is costly a n d less 03 effective. 04 Regular updates to the security plan are vital. Documenting decisions a i d s comprehensive 05 coverage a n d audits. OVERVIEW OF THE SDLC S O F T W A R E D E V E L O P M E N T LIFE CYCLE The system development life cycle is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal. INITIATION PHASE Need establishment Security categorization Initial Risk Assessment DEVELOPMENT/ACQUISITION PHASE Requirement analysis/ development Security planning Risk assessment Security control development Budgeting Security test and evaluation IMPLEMENTATION PHASE Security test and evaluation Inspection and acceptance System integration/installation Security accreditation OPERATION/MAINTENANCE PHASE Configuration management and control Continuous monitoring and continuous accreditation (authorization) DISPOSAL PHASE Information preservation Media sanitization Hardware and software disposal U N I T 3. 2 PHYSICAL & ENVIRONMENTAL S E C U R IT Y C O N T R O L S Main Threats For Physical and Environmental Security Energy (Electricity) Equipment (Mechanical or electronic components) Fire and Chemical Hazard (smoke, industrial pollution) Manmade Disasters (war, terrorist attack, bombing) Natural Disaster (earthquake, volcano, landslide, storms) Pandemic Disease (bacteria, virus) Radiation (electromagnetic pulse) Weather (Sandstorm, humidity, flood, lightning) 2 Layer of Defense Physical security of premises and offices Premises that contain critical information or systems require special protection. The following controls are related to the physical security of premises. One of the controls is to establish the security perimeter as the outer boundary. This perimeter should contain all critical assets. Within this perimeter, there may be more secure areas or enclaves. Physical security of equipment Protect information-processing equipment physically to minimize the risk of unauthorized access to information and to safeguard against loss or damage. Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan. PHYSICAL SECURITY OF PREMISES Physical Entry Controls Access Controls for Employees and Visitors Employee Access - Positive identification and access control are mandatory; therefore, all employees should be required to always wear some form of visible identification (ID badge) whenever they are on the premises. Visitor Access - Permit visitors access only to those areas where they have specific and official purposes. In most cases, they should also always be escorted and informed of the physical security requirements of the area and emergency procedures Supporting Utilities Electrical Power - require redundancy in electric power system availability. (UPS or Backup Generators) Equipment Maintenance Maintenance of information processing equipment based on the manufacturer's recommended service intervals and specifications. All maintenance services to the equipment either onsite or sent off from the premises also need to be recorded and tracked. PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES Use of any equipment outside an organization's premises should be authorized by management. SECURE DISPOSAL AND REUSE OF EQUIPMENT Careless disposal, disposition, or recycling of equipment can put information at risk. HANDLING OF MEDIA MANAGEMENT OF REMOVABLE MEDIA These devices can help mitigate the risks associated with malicious code and the loss of proprietary information by raising employee awareness about removable media usage policies and minimizing potential damage. Disposal of Media The following are some guidelines of proper media disposal: Electronic media containing sensitive customer information should be degaussed prior to disposal. Degaussing completely erases the information stored on the magnetic surface. Printed materials, which hold confidential and restricted data, should be destroyed in a secure way, such as by shreddin U N I T 3. 3 INFORMATION ASSURANCE AT& E A W A R E N E S S , TR A IN IN G , A N D E D U C A TIO N WHAT’S THE WEAKEST LINK IN INFORMATION ASSURANCE? An effective AT&E program has four stages: literacy, awareness, training, a n d education (LATE). The AT&E program will not succeed if literacy is not established. Purpos e of the AT&E Program To cultivate a strong information assurance culture among employees, emphasize the organization's commitment to safeguarding information assets through training, encourage ongoing education in information assurance, promote vigilance in daily tasks with a focus on risk awareness, and highlight management's unwavering support. It also ensures employees are informed about risks and controls, offering specific guidance as necessary. Types of Learning Programs IA AWARENESS IA TRAINING IA EDUCATION Awareness programs Training aims to Using internalized serve to motivate a teach or improve an concepts and skills to sense of responsibility individual’s skill, perform operations and encourage knowledge, or such as analyzing, employees to be attitude, which allows evaluating, and more cautious about a person to carry out judging to reach their work a specific higher cognitive-level environment. function. decisions. U N I T 3. 4 PREVENTIVE TOOLS A N D T E C H N IQ U E S Preventive Information Assurance Tools Network Intrusion Prevention System Content Filters Restrict internet a c c es s for end users, enabling administrators to Public Key Infrastructure block specific websites based on local policies. Virtual Private Networks Cryptographic Protocols a n d Tools Safeguard information by transforming it, allowing only authorized users to access it in Proxy Servers its original form. They ensure confidentiality, integrity, and non-repudiation. Firewalls Encryption methods can apply to entire hard disks, databases, folders, or individual files on hosts. Specially designed secure network protocols are used to secure data traveling over networks such as the Internet. Examples of protocols that implement network services include: 01 Secure Sockets Layer (SSL) 02 Transport Layer Security (TLS) 03 IP Security (IPSec) protocols SSL and TLS are preferred information security protocols in web environments, while IPSec protocols are preferred for implementing virtual private networks (VPNs). Cryptographic Protocols and Tools FIREWALLS PUBLIC KEY INFRASTRUCTURE Primary information assurance control. Provides secure communication over unsecured networks. NETWORK INTRUSION PREVENTION SYSTEM Enforces organizational infosec policies by analyzing network traffic (Content- based and Anomaly-based) PROXY SERVERS Serve as intermediaries between clients and the internet. (e.g., gateway) VIRTUAL PRIVATE NETWORKS A secure network that uses the Internet for user connections, ensuring security through encryption. (e.g., IPSec, SSL, and PPTP) Preventive Information Assurance Controls IT Support In a dynamic tech landscape, organizations Handles various issues. Trained technicians must adapt and bolster their security address security problems. measures. Media Controls and Documentation Securing information goes beyond servers; Environmental safeguards against fires, Backups temperature, and humidity issues. Usage logging (e.g., check-in/check-out). Vital for information assurance, providing Maintenance (data overwriting, disposal). copies of data, software, and hardware. Unauthorized access prevention. (e.g., full, differential, incremental, and Proper labeling (owner, date, version, classification). mirror) Storage options (off-site or locked server rooms). Change and Configuration Management Patch Management Organizations must adapt constantly in an ever-changing environment. (e.g., alliances, Involves timely and planned updates market demands, competition, operations, Establishing dedicated resources and regulations) Monitoring/identifying patches Identifying risk in applying a patch Testing a patch before installing U N I T 3. 5 ACCESS CONTROL ACCESS CONTROL SYSTEM An access control system prevents actions on an object (target to be accessed) by unauthorized users (subjects). Access control should protect vital resources not only from unauthorized external access but also from internal attacks. Access control is the first line of defense to protect the system from unauthorized modification A benefit of access control is that it serves as an auditing tool (to trace information security breaches, incidents, and events). A C C E S S CONTROL TYPES 01 PHYSICAL Organizations usually manage physical access with human, technological, or mechanical controls. A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons. 02 LOGICAL Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability. Examples of logical access controls are digital signatures and hashing. A c c e s s Control Models An access control model defines how subjects access objects 01 Discretionary 02 Mandatory 03 Role-b as ed Owner of the object control access to sensitive Uses a centrally managed determines the access or controlled data in set of rules, which grants policy. systems with multiple access to objects based level classification on the roles of the subject Owner decides which subjects may access the Owner does not establish Since subjects are not object and what access policy since the assigned permission privileges the subject system decides on the directly like other models, has. access control based on they acquire it through the information security roles and the This model is adapted by classification and policy management of access Windows, Apple and rules becomes relatively easier various linux system A c c e s s Control Techniques Selecting an access control model needs to complement the selection of proper access control techniques. RULE-BASED ACCES S CONTROL uses simple rules to determine the result of privileges, which a subject can have over an object. determines what can and cannot be allowed. AC C ES S CONTROL MATRIX a static, abstract, formal computer protection and information assurance model used in computer systems represents the relationship of subjects and objects in a tabulated form AC C ES S CONTROL LISTS a list containing information about the individual or group permission given to an object; the ACL specifies the access level and functions allowed onto the object. two types of ACLs: a. Network - implemented on servers and routers b. File System - implement file access by tracking subjects’ access to objects CAPABILITY TABLES an authorization table that identifies a subject and specifies the access right allowed to that subject the rows list the capabilities that the subject can have frequently used to implement the RBAC model CONSTRAINED USER INTERFACES a way to limit access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges. CONTENT-DEPENDENT ACCES S CONTROL technique is used in databases access to objects is dependent on the content of the objects aims at controlling the availability of information by means of views CONTEXT-DEPENDENT ACCES S CONTROL defines the access controls of a subject on objects based on a context or situation A firewall is a good example A C C E S S CONTROL ADMINISTRATION CENTRALIZED DECENTRALIZED contained in a department, unit gives control to people who are or information security closer to the objects administrator ensures uniformity does not ensure uniformity simplified method and cost more relaxed effective slow because all changes are faster since changes are made to function rather to the whole processed by single entity organization UNIT 3 END OF SLIDE TH A N K Y O U ! CIT220 - INFORMATION ASSURANCE & SECURITY 2

Use Quizgecko on...
Browser
Browser