Concepts (10) - Sunflower CISSP

Concepts (10)

CIA vs DAD (the negative): Disclosure, Alteration, Destruction.
- Confidentiality - prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes; enforced with encryption and logical and physical access control.
- Integrity - no unauthorized modifications, consistent data; protecting data or a resource from being altered in an unauthorized fashion.
- Availability - reliable and timely access, fault tolerance and recovery procedures; available WHEN NEEDED.

IAAA - requirements for accountability
- Identification - user claims an identity; used for user access control.
- Authentication - testing the evidence of the user's identity.
- Accountability - attributing actions to an individual person.
- Authorization - rights and permissions granted.
- Privacy - level of confidentiality and privacy protections.

Intellectual property laws (24)
- Patent - grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention. After 20 years the idea is open to all; requires an application.
- Copyright - protects the expression of ideas but not necessarily the idea itself, e.g. a poem or song; lasts 70 years after the author dies.
- Trade Secret - something that is proprietary to a company and important for its survival and profitability (like the formula of Coke or Pepsi). DON'T REGISTER - no application.
- Trademarks - words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald's M); 10 years.
- Wassenaar Arrangement (WA) - dual-use goods and trade; international cryptographic agreement; prevent destabilizing accumulations.

Data Breaches (27)
Computer Crimes - loss, image, penalties.
- Incident - an event that has the potential to do harm.
- Breach - an incident that results in disclosure or potential disclosure of data.
- Data Disclosure - unauthorized acquisition of personal information.
- Event - threat events are accidental and intentional exploitations of vulnerabilities.

Risk (12)
- Not possible to get rid of all risk; get risk to an acceptable/tolerable level.
- Baselines - minimum standards.
- ISO 27005 - risk management framework.
- Budget - if not constrained, go for the

Regulations
- SOX, Sarbanes-Oxley, 2002 - after the ENRON and World Online debacle. Independent review by external accountants.
  Section 302: CEOs and CFOs can be sent to jail when information they sign is incorrect. CEO SIGNS.
  Section 404: internal controls assessment; describing logical controls over accounting files; good auditing and information security.

Responsibilities of the ISO (15)
- Corporate Officer Liability (SOX)
- Written Products - ensure they are done
- CIRT - implement and operate
- Security Awareness - provide leadership
- Communicate - risk to higher management
- Report to as high a level as possible
- Security is everyone's responsibility

Control Frameworks (17)
- Consistent - approach and application
- Measurable - a way to determine progress
- Standardized - all the same
- Comprehensive - examine everything
- Modular - to help in review and adaptation
- Layered, abstraction

Due Care, Due Diligence, Negligence
- Due Care - the company did all that it could reasonably have done to try to prevent a security breach/compromise/disaster, and took the necessary steps required as countermeasures/controls (safeguards). The benefit of due care can be seen as the difference between the damage with and without the due care safeguards in place. AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
- Due Diligence - the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats. Executives are now held liable if the organization they represent is not compliant with the law.
- Negligence - occurs if there is a failure to implement recommended precautions, no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, or failure to follow policy or local laws and regulations.
- COSO - framework to work with Sarbanes-Oxley 404 compliance (Treadway Commission).

European laws
- Need for information security to protect the individual. Privacy is the keyword here! Only use information of individuals for what it was gathered for.
- (Remember ITSEC, the European version of TCSEC that came from the USA/Orange Book; they come together in Common Criteria, but there is still some overlap.)
- Strong in anti-spam and legitimate marketing.
- Directs public directories to be subjected to tight controls.
- Takes an OPT-IN approach to unsolicited commercial electronic communications.
- User may refuse cookies to be stored, and the user must be provided with information.
- Member states in the EU can make their own laws, e.g. retention of data.

COBIT - examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of high-level control objectives. Having controls, GRC, heavy auditing, metrics, regulated industry.

Laws (28)
- ITAR, 1976 - defense goods; Arms Export Control Act.
- FERPA - education.
- GLBA, Gramm-Leach-Bliley - credit-related PII (21).
- ECS, Electronic Communication Service (Europe) - notice of breaches.
- Fourth Amendment - the basis for privacy rights is the Fourth Amendment to the Constitution.
- 1974 US Privacy Act - protection of PII in federal databases.
- 1980 Organization for Economic Cooperation and Development (OECD) - provides for data collection, specifications, safeguards.
- 1986 (amended in 1996) US Computer Fraud and Abuse Act - trafficking in computer passwords or information that causes a loss of 1,000 or more or could impair medical treatment.
- 1986 Electronic Communications Privacy Act - prohibits eavesdropping or interception without distinguishing private/public.
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 - amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
- 1987 US Computer Security Act - security training, develop a security plan, and identify sensitive systems in government agencies.
- 1991 US Federal Sentencing Guidelines - responsibility on senior management, with fines up to 290 million. Invoke the prudent man rule. Address both individuals and organizations.
- 1996 US Economic and Protection of Proprietary Information Act - industrial and corporate espionage.
- 1996 Health Insurance Portability and Accountability Act (HIPAA) - amended.
- 1996 US National Information Infrastructure Protection Act - encourage other countries to adopt a similar framework.
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) - Congress amended HIPAA by passing this Act. This law updated many of HIPAA's privacy and security requirements. One of the changes is in the way the law treats business associates (BAs), organizations that handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.

Ethics (33)
- Just because something is legal doesn't make it right.
- Within the ISC context: protecting information through CIA.

ISC2 Code of Ethics Canons
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

Internet Advisory Board (IAB) - Ethics and the Internet (RFC 1087)
- Don't compromise the privacy of users. Access to and use of the Internet is a privilege and should be treated as such.
- It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the Internet, destroy integrity, waste resources or compromise privacy.

Business Continuity plan development (38)
- Defining the continuity strategy:
  Computing strategy to preserve the elements of HW/SW/communication lines/data/applications.
  Facilities: use of main buildings or any remote facilities.
  People: operators, management, technical support persons.
  Supplies and equipment: paper, forms, HVAC.
- Documenting the continuity strategy.

BIA (39)
Goal: create a document used to help understand what impact a disruptive event would have on the business.
- Gathering assessment material: org charts to determine functional relationships; examine business success factors.
- Vulnerability assessment: identify critical IT resources out of critical processes; identify disruption impacts and Maximum Tolerable Downtime (MTD); loss quantitative (revenue, expenses for repair) or qualitative (competitive edge, public embarrassment), presented as low, medium, high.
- Develop recovery procedures.
- Analyze the compiled information: document the process, identify interdependencies, determine acceptable interruption periods.
- Documentation and recommendation: RTO, MTD.

Administrative Management Controls (47)
- Separation of duties - assigns parts of tasks to different individuals, so no single person has total control of the system's security mechanisms; prevents collusion.
- M of N Control - requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three-of-eight control would require three people out of the eight assigned the work task of key escrow recovery agent to work together to pull a single key out of the key escrow database.
- Least privilege - a system's user should have the lowest level of rights and privileges necessary to perform their work, and should only have them for the shortest time. Three types: read only, read/write and access/change.
- Two-man control - two persons review and approve the work of each other; for very sensitive operations.
- Dual control - two persons are needed to complete a task.
- Rotation of duties - limiting the amount of time a person is assigned to perform a security-related task before being moved to a different task, to prevent fraud; reduces collusion.
- Mandatory vacations - prevent fraud and allow investigations; one week minimum; kill processes.
- Need to know - the subject is given only the amount of information required to perform an assigned task; business justification.
- Agreements - NDA, non-compete, acceptable use.

Risk Management (52)
GOAL - determine the impact of the threat and the risk of the threat occurring. The primary goal of risk management is to reduce risk to an acceptable level.
- Step 1 - Prepare for assessment (purpose, scope, etc.).
- Step 2 - Conduct assessment: ID threat sources and events; ID vulnerabilities and predisposing conditions; determine likelihood of occurrence; determine magnitude of impact; determine risk.
- Step 3 - Communicate risk/results.
- Step 4 - Maintain assessment (regularly).

Types of Risk
- Inherent - chance of making an error with no controls in place.
- Control - chance that controls in place will prevent, detect or control errors.
- Detection - chance that auditors won't find an error.
- Residual - risk remaining after controls are in place.
- Business - concerns about the effects of unforeseen circumstances.
- Overall - combination of all risks, aka audit risk.

Preliminary Security Examination (PSE): helps to gather the elements that you will need when the actual risk analysis takes place.
ANALYSIS steps: identify assets, identify threats, and calculate risk.
ISO 27005 - deals with risk.

Employment (48)
- Staff members pose more threat than external actors: loss of money, stolen equipment, loss of time (work hours), loss of reputation (declining trust) and loss of resources (bandwidth theft); due diligence.
- Voluntary and involuntary termination - exit interview!!!

Third Party Controls (49)
- Vendors, consultants, contractors: properly supervised, rights based on policy.

Risk Management Concepts (52)
- Threat - damage.
- Vulnerability - weakness to a threat vector (never does anything by itself).
- Likelihood - chance it will happen.
- Impact - overall effects.
- Residual Risk - amount left over.
- Organizations own the risk.
- Risk is determined as a byproduct of likelihood and impact.

ITIL (55)
- Best practices for IT core operational processes, not for audit: Service, Change, Release, Configuration.
- Strong end-to-end customer focus/expertise; about services and service strategy.

Risk Assessment Steps (60)
- Four major steps in risk assessment: Prepare, Perform, Communicate, Maintain.

Qualitative (57)
- Approval - Form Team - Analyze Data - Calculate Risk - Countermeasure Recommendations. REMEMBER HYBRID!

Quantitative Risk Analysis (58) - quantitative VALUES!!
- SLE (Single Loss Expectancy) = Asset Value * Exposure Factor (% loss of the asset).
- ALE (Annual Loss Expectancy) = SLE * ARO (Annualized Rate of Occurrence).
- Responses: Accept; Mitigate (reduce by implementing controls; calculate the costs); Assign (insure the risk to transfer it); Avoid (stop the business activity).
- Loss probability * cost.
- Residual risk - where the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Legally the remaining residual risk is not counted when deciding whether a company is liable.
- Controls gap - the amount of risk that is reduced by implementing safeguards. Formula for residual risk: total risk - controls gap = residual risk.
- RTO - how quickly you need to have that application's information available after downtime has occurred.
- RPO (Recovery Point Objective) - the point in time that application data must be recovered to in order to resume business functions; the AMOUNT OF DATA YOU'RE WILLING TO LOSE.
- MTD (Maximum Tolerable Downtime) - the maximum delay a business can be down and still remain viable:
  minutes to hours: critical
  24 hours: urgent
  72 hours: important
  7 days: normal
  30 days: non-essential
- PLAN: Accept; Build Risk Team; Review.
- Once in 100 years = ARO of 0.01.
- SLE is the dollar value lost when an asset is successfully attacked.
- Exposure Factor ranges from 0 to 1.
- NO - "ALE is the annual % of the asset lost when attacked" - NOT correct.

Determination of Impact (61)
- Life, dollars, prestige, market share.

Risk Response (61)
- Risk Avoidance - discontinue the activity.
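The SLE/ALE/residual-risk arithmetic from the quantitative section, worked through in code so the accept-versus-mitigate decision can be checked with numbers. This is an added example, not part of the Sunflower sheet; the asset values, exposure factors and ARO figures are constructed, and safeguard_value is this example's own name for ALE reduction minus control cost.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pairing, using the sheet's quantitative inputs."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident, 0 to 1
    aro: float              # ARO, incidents per year (once in 100 years = 0.01)

    def sle(self) -> float:
        """SLE = AV * EF: dollars lost in a single successful attack."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """ALE = SLE * ARO: expected dollar loss per year (not a percentage)."""
        return self.sle() * self.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Annual value of a mitigating control: ALE reduction minus control cost.

    Negative means the control costs more than the loss it prevents (C > L);
    the sheet's guidance is then to accept that exposure as residual risk."""
    return before.ale() - after.ale() - annual_cost


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """Residual risk = total risk - controls gap (risk removed by safeguards)."""
    return total_risk - controls_gap


def worked_example() -> dict:
    """Two constructed scenarios (illustrative figures, not real data)."""
    # Flood at a data centre: a quarter of a $1M asset, expected once a century.
    flood = Scenario(asset_value=1_000_000, exposure_factor=0.25, aro=0.01)
    flood_barrier = Scenario(1_000_000, 0.05, 0.01)   # EF cut to 5%, $5k/year
    # Ransomware on a $500k asset: 60% loss, expected every other year.
    ransom = Scenario(asset_value=500_000, exposure_factor=0.60, aro=0.5)
    backups = Scenario(500_000, 0.10, 0.5)            # tested backups, $40k/year
    return {
        "flood_sle": flood.sle(),                                          # 250,000
        "flood_ale": flood.ale(),                                          # 2,500
        "flood_barrier_value": safeguard_value(flood, flood_barrier, 5_000),  # -3,000: accept
        "ransom_ale": ransom.ale(),                                        # 150,000
        "backups_value": safeguard_value(ransom, backups, 40_000),         # 85,000: mitigate
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>22}: {value:,.0f}")
```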
