Information Security Governance & Risk Management
Objective
Information Security Management
The Big Three - CIA
Security Governance
Policies, Procedures, Standards & Guidelines
Organizational Structures
Roles and Responsibilities
Information Classification
Risk Management
Security Awareness training
CIA - Confidentiality
Confidentiality
Protection of information within systems so that unauthorized
people, resources, and processes cannot access that
information
The Threat
Hackers, Masqueraders, Unauthorized user activity
Unprotected downloaded files, networks, and unauthorized
programs (e.g., Trojan horses and viruses)
Social Engineering
The Action
Granting access on a need-to-know (least privilege) basis
Well-Formed Transaction
Awareness
CIA - Integrity
Integrity
Protection of Information System or Processes from
intentional or accidental unauthorized changes
The Threat
Hackers, Masqueraders, Unauthorized user activity
Unprotected downloaded files, networks, and unauthorized
programs (e.g., Trojan horses and viruses)
Authorized users can corrupt data and programs accidentally
or intentionally
The Action
Granting access on a need-to-know (least privilege) basis
Separation of duties
Rotation of duties
Separation of Duties
No single employee has control of a transaction from
beginning to end
Rotation of Duties
Change job assignments periodically
Works well when used in conjunction with separation of
duties
Helps the organization when a key employee leaves, because someone else already knows the job
CIA - Availability
Availability
Availability is the assurance that a computer system is accessible
by authorized users whenever needed.
The Threat
Denial of Service & Distributed Denial of Service
Natural disasters (e.g., fires, floods, storms, or earthquakes)
Human actions (e.g., bombs or strikes)
The Action
Contingency planning which may involve business resumption
planning, alternative-site processing, or simply disaster recovery
planning provides an alternative means of processing, thereby
ensuring availability.
Physical, Technical, and Administrative controls are important
aspects of security initiatives
Ensuring CIA
Think in terms of the core information
security principles
How does this threat impact the CIA?
What controls can be used to reduce the
risk to CIA?
If we increase confidentiality, will we decrease availability, and vice versa?
Security Governance
Security governance is the set of organizational processes and relationships for managing risk
Policies, Procedures, Standards,
Guidelines, Baselines
Organizational Structures
Roles and Responsibilities
Organizational Structure
Audit should be separate from implementation
and operations
Responsibilities for security should be defined
in job descriptions
Senior management has ultimate responsibility
for security
Security officers/managers have functional
responsibility
Organizational Structure
(Org chart from the slide: Directors, President, CIO, Compliance, IT Security, Auditor, Architect, Analyst)
Information Classification
Information Protection Requirements
Data confidentiality, integrity, and availability are improved
because appropriate controls are used for all data across the
enterprise
The organization gets the most for its information protection dollar
because protection mechanisms are designed and implemented
where they are needed most, and less costly controls can be put in
place for non-critical information
The quality of decisions is improved because the data upon which
the decisions are made can be trusted
The company is provided with a process to review all business
functions and informational requirements on a periodic basis to
determine appropriate data classifications
Information Classification
Getting started: questions to ask
Is there an executive sponsor for this project?
What are you trying to protect, and from what?
Are there any regulatory requirements to consider?
Has the business accepted ownership responsibilities for the data?
Policy
An essential tool in establishing a data classification scheme
Define information as an asset of the business unit
Declare local business managers as the owners of information
Establish IT as the custodians of corporate information
Clearly define roles and responsibilities of those involved in the
ownership and classification of information
Define the classifications and criteria that must be met for each
Determine the minimum range of controls to be established for
each classification
Data Classification
Classification labels are the basis of a mandatory access control (MAC)
model, which ensures that sensitive data is properly controlled and
secured according to its label
DoD multi-level security policy has 4 classifications:
Top Secret
Secret
Confidential
Unclassified
A commercial scheme, by comparison, might use:
Eyes only
Officers only
Company confidential
Public
Data Classification
Criteria
Value
Age
Useful Life
Personal Association
Government classifications
Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified
Private-sector classifications
Confidential
Private
Sensitive
Public
Data Classification
Top Secret - applies to the most sensitive business information which is
Risk Management
The processes of identifying, analyzing and assessing,
mitigating, or transferring risk are generally
characterized as Risk Management
Risk Management Process
What could happen (threat event)?
If it happened, how bad could it be (threat impact)?
How often could it happen (threat frequency,
annualized)?
How certain are the answers to the first three questions
(recognition of uncertainty)?
What can be done (risk mitigation)?
How much will it cost (annualized)?
Is it cost-effective (cost/benefit analysis)?
Risk Management
Risk Analysis
This term represents the process of analyzing a target
environment and the relationships of its risk-related
attributes
Qualitative / Quantitative
Quantitative risk analysis attempts to assign objective numeric
values (i.e., monetary values) to all elements of the risk analysis
Qualitative risk analysis, on the other hand, does not attempt
to assign numeric values at all, but rather is scenario
oriented
Risk Management
Risk Assessment
This term represents the assignment of value to assets,
threat frequency (annualized), consequence (i.e., exposure
factors), and other elements of chance
Information Asset
Information is regarded as an intangible asset separate from
the media on which it resides; its valuation includes:
The simple cost of replacing the information
The cost of replacing supporting software
Costs associated with loss of the information's
confidentiality, availability, and integrity
The cost of the supporting hardware and network
Risk Management
Exposure Factor (EF)
A measure of the magnitude of loss or impact on the value of
an asset
A percent, ranging from 0 to 100%, of asset value loss arising
from a threat event
Single Loss Expectancy (SLE)
SLE = Asset Value × Exposure Factor
Annualized Rate of Occurrence (ARO)
The frequency with which a threat is expected to occur, per year
For example, a threat occurring once in ten years has an ARO
of 1/10 or 0.1
Annualized Loss Expectancy (ALE)
ALE = SLE × ARO
Risk Management
Probability
The chance or likelihood that an event will occur
For example, the probability of getting a 6 on a single roll of a die is
1/6, or 0.16667
Probability ranges from 0 to 1
Safeguard
A risk-reducing control against the occurrence of a specified threat or
category of threats
Safeguard Effectiveness
The degree, expressed as a percent, from 0 to 100%, to which a
safeguard can be characterized as effectively mitigating a vulnerability
and reducing associated loss risks
Uncertainty
The degree, expressed as a percent, from 0.0% to 100%, to which there
is less than complete confidence in the value of any element of the
risk assessment
Risk Management
Establish Information Risk Management Policy
IRM policy should begin with a high-level policy statement
and supporting objectives, scope, constraints,
responsibilities, and approach
Communicate and Enforce
Establish an IRM Team
Top Down Approach will work well
Establish IRM Methodology and Tools
Determine current status of Information Security
Plan Strategic risk assessment
Identify and Measure Risk
Perform Risk Assessment based on the IRM policy and IRM
methodology & tools
Risk Management
Asset Identification and Valuation
Threat Analysis
Vulnerability Analysis
Risk Evaluation
Interim Reports and Recommendations
Cost/Benefit Analysis
Establish Risk Acceptance Criteria
Example : do not accept more than a 1 in 100 chance of losing
$1,000,000
Risk Treatment (Mitigate Risk / Transfer the Risk)
Safeguard Selection and Risk Mitigation Analysis
Final Report
Monitor Information Risk Management Performance
Risk Management
Qualitative versus Quantitative Approach
The qualitative approach is a much more subjective approach
to the valuation of information assets and the scaling of risk
In general the risks are described as low, medium, or
high
The quantitative approach works with real numbers
Uses formulas
SLE = Asset Value × Exposure Factor
ALE = SLE × ARO
Assume the asset value is $1M, the exposure factor is 50%,
and the annualized rate of occurrence is 1/10 (once in ten
years)
($1M × 50% = $500K) × 1/10 = $50K per year
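The following is an added example, not code from the original slides, that carries the deck's SLE/ALE arithmetic through to the safeguard cost/benefit and risk-acceptance steps listed earlier in the risk management process. The $1M asset, 50% exposure factor and 0.1 ARO are the deck's figures; the safeguard cost ($20K/year) and its 80% reduction of threat frequency are assumptions chosen for illustration.

```python
"""Quantitative risk arithmetic: SLE, ALE, safeguard cost/benefit and a
risk-acceptance check.  Added example; the safeguard figures below are
assumptions, not from the original deck."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair expressed in the deck's terms."""
    asset_value: float      # monetary value of the information asset
    exposure_factor: float  # EF: fraction of asset value lost per event, 0.0..1.0
    aro: float              # ARO: expected events per year (1/10 = once in ten years)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def apply_safeguard(before: Scenario, aro_effectiveness: float = 0.0,
                    ef_effectiveness: float = 0.0) -> Scenario:
    """Model safeguard effectiveness as a fractional reduction (0..1) of the
    threat frequency (a preventive control) and/or of the exposure factor
    (a recovery control such as backups).  Returns a new Scenario."""
    for e in (aro_effectiveness, ef_effectiveness):
        if not 0.0 <= e <= 1.0:
            raise ValueError("effectiveness is a fraction between 0 and 1")
    return replace(before,
                   aro=before.aro * (1.0 - aro_effectiveness),
                   exposure_factor=before.exposure_factor * (1.0 - ef_effectiveness))


def safeguard_net_value(before: Scenario, after: Scenario,
                        annual_cost: float) -> float:
    """Cost/benefit: (ALE before) - (ALE after) - annualized safeguard cost.
    A positive result means the safeguard is cost-effective."""
    return before.ale() - after.ale() - annual_cost


def violates_acceptance(s: Scenario, max_annual_probability: float,
                        loss_threshold: float) -> bool:
    """Risk acceptance criterion of the form 'do not accept more than a
    1-in-N chance per year of losing at least $X'."""
    return s.sle() >= loss_threshold and s.aro > max_annual_probability


# Worked figures from the deck: $1M asset, EF 50%, once in ten years.
DECK_EXAMPLE = Scenario(asset_value=1_000_000, exposure_factor=0.50, aro=0.10)

# Assumed safeguard (not from the deck): $20K/year, cuts threat frequency by 80%.
ASSUMED_SAFEGUARD_COST = 20_000
MITIGATED = apply_safeguard(DECK_EXAMPLE, aro_effectiveness=0.80)

if __name__ == "__main__":
    print(f"SLE = ${DECK_EXAMPLE.sle():,.0f}")                 # $500,000
    print(f"ALE = ${DECK_EXAMPLE.ale():,.0f}/yr")              # $50,000/yr
    print(f"ALE after safeguard = ${MITIGATED.ale():,.0f}/yr")  # $10,000/yr
    net = safeguard_net_value(DECK_EXAMPLE, MITIGATED, ASSUMED_SAFEGUARD_COST)
    print(f"net annual value of safeguard = ${net:,.0f}")       # $20,000
    print("violates 1-in-100 / $1M criterion:",
          violates_acceptance(DECK_EXAMPLE, 0.01, 1_000_000))   # False
```

With the assumed safeguard the ALE drops from $50K to $10K per year; after paying $20K per year for the control the organization is still $20K per year better off, so the control passes the cost/benefit test. Raise the assumed cost to $45K per year and `safeguard_net_value` goes negative: the control costs more than the loss it prevents.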
Risk Management
Qualitative Approach - Pros
Calculations, if any, are simple
Usually not necessary to determine the monetary value of
Information (CIA)
Not necessary to determine quantitative threat frequency and impact
data
Not necessary to estimate the cost of recommended risk mitigation
measures and calculate cost/benefit because the process is not
quantitative.
A general indication of significant areas of risk
Qualitative Approach - Cons
The risk assessment and results are essentially subjective in both
process and metrics
The perception of value may not realistically reflect actual value at
risk
Only subjective indication of a problem
It is not possible to track risk management performance objectively
when all measures are subjective
Risk Management
Quantitative Approach - Pros
Meaningful statistical analysis is supported
The value of information (CIA), as expressed in monetary terms with
supporting rationale, is better understood. Thus, the basis for
expected loss is better understood
Information security budget decision making is supported
Risk management performance can be tracked and evaluated.
Risk assessment results are derived and expressed in management's
language: monetary value, percentages, and annualized probability.
Thus, risk is better understood.
Quantitative Approach - Cons
Calculations are complex.
Not practical to execute a quantitative risk assessment without using
a recognized automated tool and associated knowledge bases
A substantial amount of information gathering is required
A standard, independent threat population and threat frequency
knowledge base has not yet been developed and maintained, so results
are vendor dependent
Awareness Training
Security policies, standards, procedures, baselines, and
guidelines
Threats to physical assets and stored information
Threats to open network environments
Laws and regulations they are required to follow
Specific organization or department policies they are
required to follow
How to identify and protect sensitive (or classified)
information
How to store, label, and transport information
Who they should report security incidents to, regardless of
whether it is just a suspected or an actual incident
Email/Internet policies and procedures
Social engineering