SlideShare una empresa de Scribd logo

CNIT 160 Ch 4b: Security Program Management

Sam Bowne
Sam Bowne

Part of a college class on Security Responsibilities. More information at https://samsclass.info/160/160_F19.shtml

Educación
1 de 58
Descargar para leer sin conexión
CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 2 Pages 202 - 235
Chapter Topics • Information Security Programs • Security Program Management • We won't cover anything past page 235
Topics in This Lecture • Risk Management • The Risk Management Program • The Risk Management Process • Risk Treatment • Audits and Reviews
Risk Management
Risk Management • Purpose of risk management • Identify risk and enact changes to bring risks to acceptable levels • Risk management program supports and aligns with overall business objectives • Includes adopting a risk appetite • Ex: banks are risk-averse • Startups accept more risk
Four Possible Actions • When a risk is identified • Accept • Mitigate • Transfer • Avoid
The Risk Management Program
Principles • Objectives • Scope • Authority • Roles and Responsibilities • Resources • Policies, processes, procedures, and records
The Risk Management Lifecycle
The Risk Management Process
ISACA's Risk-IT Framework • Risk Governance • Integrating with Enterprise Risk Management (ERM) • Risk Evaluation • Risk Response
Identifying and Grouping Assets • Many organizations are unaware of their assets • Especially virtual and information assets • Usually it's enough to list groups of assets • Such as laptop computers, servers, etc. • Because they all have similar risks
Risk Analysis • Simplest terms • Risk = Probability x Impact • But often risk is qualitative • High, medium, low • Requires identifying threats and impacts • Including vulnerabilities
Threat Analysis • An event that might harm an asset • List all threats with a realistic chance of occurring, with probability • Storms, earthquakes, floods, power outages • Labor strikes, riots, terrorism • Malware, intrusions, crime • Hardware or software failures • Errors
Threat Analysis Approach • Geographic for each location • Logical for each type of asset • Unique threat analysis for each highly valued asset
Data is Sparse • Lack of data on probability of many types of threats • Unlike auto and airplane accidents and human lifespan • Cyber risks are educated guesses
Vulnerability Identification
Ranking Vulnerabilities • How serious is a vulnerability? • https://www.cvedetails.com/cvss-score- distribution.php
Probability Analysis • Probability that the threat will be realized • Difficult to do accurately
Impact Analysis • Estimate the effect on the organization, for highest-ranked threats on critical assets • Consider relationship between an asset and business processes • Must include statement of impact for each threat, in business terms • Ex: "inability to process customer support calls", • not "inability to authenticate users"
Qualitative Risk Analysis • Used to quickly identify most critical risks • Without the burden of identifying precise financial impacts • High-Medium-Low, or 1-5 scale, or 1-10 scale • Often precedes a quantitative risk analysis
Quantitative Risk Analysis • Uses numeric methods • Asset Value (AV) • Often replacement value • Exposure Factor (EF) • Financial loss from realization of a threat
Quantitative Risk Analysis • Single Loss Expectancy (SLE) • SLE = AV x EF • Annualized Rate of Occurrence (ARO) • Annualized Loss Expectancy (ALE) • ALE = SLE x ARO
Business Continuity Planning • Uses risk analysis to plan for disasters • Same as the risk analysis discussed in this chapter
High-Impact Events • Threaten the viability of the organization • Require risk treatment with executive management visibility • Belongs in business continuity planning and disaster recovery planning
Risk Analysis Standards
Risk Treatment
Who Decides • Security Manager • Most knowledgable about risk • Should not decide alone, because others may not support the decisions • Security Steering Committee • Consensus of stakeholders: best • Undefined • No effective security management program
Risk Mitigation • Lowers risk • Residual risk remains • Usually preceded by cost analysis
Risk Transfer • To an insurance company or business partner • Examine policy carefully • Check for exclusions
Risk Avoidance • Organization abandons risky activity
Risk Acceptance • Should be a calculated decision, not just ignoring the risk
Residual Risk • Remaining risk after risk treatment • May be regarded as a new risk and subjected to another risk management cycle
Compliance Risk • Regulations • GLBA for financial businesses • PCI-DSS for businesses that accept payment cards • Fines and other sanctions for non- compliance
Risk Ledger • Records discovery of risks and decisions • Risk identification • Risk description • Affected assets • Risk score • Risk treatment analysis • Risk treatment
Risk Ledger Form • Spreadsheet is OK when first starting out • More mature organizations need a Governance, Risk, and Compliance (GRC) tool
Audits and Reviews
Security Audit • Determines whether safeguards are in place and working properly • Security Audit • Formal and rigorous • Requires presenting evidence • Security Review • Less formal and rigorous
Audits • Systematic and repeatable process • Performed by a competent and independent person • Interviews personnel • Gathers and analyzes evidence • Delivers a written opinion on effectiveness of controls • May be internal or external audit
• Will hopefully be taught at CCSF soon
Audit Planning • Purpose • Scope • Risk analysis • Focus on problematic areas • Audit procedures • Resources • Schedule
Audit Objectives • Determine whether controls exist • And whether they are effective • Often part of regulations, compliance, or other legal obligation • Or aftermath of an incident
Types of Audits • Operational audit • Financial audit • Integrated audit • IS audit • Administrative audit • Compliance audit
Types of Audits • Forensic audit • Preparation for a lawsuit • Service provider audit • Because organizations outsource to third parties • Those third parties undergo external audits • To increase customer confidence
Standards for Attestation Engagements No. 18 (SSAE 18) • Performed on a service provider's operations • Audit report transmitted to customers • Closely aligned with global standard • International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization (ISAE 3402), from the International Auditing and Assurance Standards Board (IAASB)
Pre-Audit • An examination of business processes, information systems, applications, or business records • In anticipation of an upcoming audit
Audit Methodology • Formal methodologies ensure consistency • Even when performed by different personnel • Phases • Subject, objective, type, scope, pre-audit planning
Audit Statement of Work • Describes purpose, scope, duration, and costs • May require written approval from client before work begins
Audit Procedures
Audit Communication Plan • Evidence requested • Regular written status reports • Regular status meetings • Contact information for IS auditor and auditee
Report Preparation • Format and content of report • How findings will be established and documented • Report must comply with applicable audit standards • Identifies parties that perform internal review
Wrap-Up • Deliver report to auditee • Closed meeting to discuss report and collect feedback • Send invoice • Collect and archive work papers
Post-Audit Follow-Up • Contact auditee • To determine progress on audit findings • Establishes tone of concern • Establishes a dialogue • Helps auditor understand management's commitment • Improves goodwill and prospect for repeat business
Audit Evidence • Observations • Written notes • Correspondence • Independent confirmations from other auditors • Internal process and procedure documentation • Business records
Evidence Characteristics
Observing Personnel • Real tasks • Skills and experience • Security awareness • Segregation of duties
Control Self-Assessment
Ch 4b

Recomendados

CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
Sam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 

Recomendados

CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
Sam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
Sam Bowne
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
Sam Bowne
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
Sam Bowne
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
Sam Bowne
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
Sam Bowne
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk Management
Sam Bowne
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
 

Similar a CNIT 160 Ch 4b: Security Program Management

Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
a3virani
 
Internal Audit Best Practices for Safety, Environment, and Quality Audits
Internal Audit Best Practices for Safety, Environment, and Quality AuditsInternal Audit Best Practices for Safety, Environment, and Quality Audits
Internal Audit Best Practices for Safety, Environment, and Quality Audits
Nimonik
 
Financial crime anti-money laundering - bovill briefing
Financial crime anti-money laundering - bovill briefingFinancial crime anti-money laundering - bovill briefing
Financial crime anti-money laundering - bovill briefing
Bovill
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 

Similar a CNIT 160 Ch 4b: Security Program Management (20)

CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk Management
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
RISK IDENTIFICATION 18 Aug.pptx
RISK IDENTIFICATION 18 Aug.pptxRISK IDENTIFICATION 18 Aug.pptx
RISK IDENTIFICATION 18 Aug.pptx
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Internal audit RBIA and Lifecyle approach
Internal audit RBIA and Lifecyle approachInternal audit RBIA and Lifecyle approach
Internal audit RBIA and Lifecyle approach
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptx
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 
Internal Audit Best Practices for Safety, Environment, and Quality Audits
Internal Audit Best Practices for Safety, Environment, and Quality AuditsInternal Audit Best Practices for Safety, Environment, and Quality Audits
Internal Audit Best Practices for Safety, Environment, and Quality Audits
 
It62015 slides
It62015 slidesIt62015 slides
It62015 slides
 
Contego Fraud Solutions Ltd fin tech week 2014
Contego Fraud Solutions Ltd fin tech week 2014Contego Fraud Solutions Ltd fin tech week 2014
Contego Fraud Solutions Ltd fin tech week 2014
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it audit
 
Financial crime anti-money laundering - bovill briefing
Financial crime anti-money laundering - bovill briefingFinancial crime anti-money laundering - bovill briefing
Financial crime anti-money laundering - bovill briefing
 
Enterprise Risk Management.pdf
Enterprise Risk Management.pdfEnterprise Risk Management.pdf
Enterprise Risk Management.pdf
 
Operational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvasOperational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvas
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 

Más de Sam Bowne

Más de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Último

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Último (20)

How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 

CNIT 160 Ch 4b: Security Program Management

  • 1. CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 2 Pages 202 - 235
  • 2. Chapter Topics • Information Security Programs • Security Program Management • We won't cover anything past page 235
  • 3. Topics in This Lecture • Risk Management • The Risk Management Program • The Risk Management Process • Risk Treatment • Audits and Reviews
  • 5. Risk Management • Purpose of risk management • Identify risk and enact changes to bring risks to acceptable levels • Risk management program supports and aligns with overall business objectives • Includes adopting a risk appetite • Ex: banks are risk-averse • Startups accept more risk
  • 6. Four Possible Actions • When a risk is identified • Accept • Mitigate • Transfer • Avoid
  • 8. Principles • Objectives • Scope • Authority • Roles and Responsibilities • Resources • Policies, processes, procedures, and records
  • 11. ISACA's Risk-IT Framework • Risk Governance • Integrating with Enterprise Risk Management (ERM) • Risk Evaluation • Risk Response
  • 12. Identifying and Grouping Assets • Many organizations are unaware of their assets • Especially virtual and information assets • Usually it's enough to list groups of assets • Such as laptop computers, servers, etc. • Because they all have similar risks
  • 13. Risk Analysis • Simplest terms • Risk = Probability x Impact • But often risk is qualitative • High, medium, low • Requires identifying threats and impacts • Including vulnerabilities
  • 14. Threat Analysis • An event that might harm an asset • List all threats with a realistic chance of occurring, with probability • Storms, earthquakes, floods, power outages • Labor strikes, riots, terrorism • Malware, intrusions, crime • Hardware or software failures • Errors
  • 15. Threat Analysis Approach • Geographic for each location • Logical for each type of asset • Unique threat analysis for each highly valued asset
  • 16. Data is Sparse • Lack of data on probability of many types of threats • Unlike auto and airplane accidents and human lifespan • Cyber risks are educated guesses
  • 18. Ranking Vulnerabilities • How serious is a vulnerability? • https://www.cvedetails.com/cvss-score- distribution.php
  • 19. Probability Analysis • Probability that the threat will be realized • Difficult to do accurately
  • 20. Impact Analysis • Estimate the effect on the organization, for highest-ranked threats on critical assets • Consider relationship between an asset and business processes • Must include statement of impact for each threat, in business terms • Ex: "inability to process customer support calls", • not "inability to authenticate users"
  • 21. Qualitative Risk Analysis • Used to quickly identify most critical risks • Without the burden of identifying precise financial impacts • High-Medium-Low, or 1-5 scale, or 1-10 scale • Often precedes a quantitative risk analysis
  • 22. Quantitative Risk Analysis • Uses numeric methods • Asset Value (AV) • Often replacement value • Exposure Factor (EF) • Financial loss from realization of a threat
  • 23. Quantitative Risk Analysis • Single Loss Expectancy (SLE) • SLE = AV x EF • Annualized Rate of Occurrence (ARO) • Annualized Loss Expectancy (ALE) • ALE = SLE x ARO
  • 24. Business Continuity Planning • Uses risk analysis to plan for disasters • Same as the risk analysis discussed in this chapter
  • 25. High-Impact Events • Threaten the viability of the organization • Require risk treatment with executive management visibility • Belongs in business continuity planning and disaster recovery planning
  • 28. Who Decides • Security Manager • Most knowledgable about risk • Should not decide alone, because others may not support the decisions • Security Steering Committee • Consensus of stakeholders: best • Undefined • No effective security management program
  • 29. Risk Mitigation • Lowers risk • Residual risk remains • Usually preceded by cost analysis
  • 30. Risk Transfer • To an insurance company or business partner • Examine policy carefully • Check for exclusions
  • 31. Risk Avoidance • Organization abandons risky activity
  • 32. Risk Acceptance • Should be a calculated decision, not just ignoring the risk
  • 33. Residual Risk • Remaining risk after risk treatment • May be regarded as a new risk and subjected to another risk management cycle
  • 34. Compliance Risk • Regulations • GLBA for financial businesses • PCI-DSS for businesses that accept payment cards • Fines and other sanctions for non- compliance
  • 35. Risk Ledger • Records discovery of risks and decisions • Risk identification • Risk description • Affected assets • Risk score • Risk treatment analysis • Risk treatment
  • 36. Risk Ledger Form • Spreadsheet is OK when first starting out • More mature organizations need a Governance, Risk, and Compliance (GRC) tool
  • 38. Security Audit • Determines whether safeguards are in place and working properly • Security Audit • Formal and rigorous • Requires presenting evidence • Security Review • Less formal and rigorous
  • 39. Audits • Systematic and repeatable process • Performed by a competent and independent person • Interviews personnel • Gathers and analyzes evidence • Delivers a written opinion on effectiveness of controls • May be internal or external audit
  • 40. • Will hopefully be taught at CCSF soon
  • 41. Audit Planning • Purpose • Scope • Risk analysis • Focus on problematic areas • Audit procedures • Resources • Schedule
  • 42. Audit Objectives • Determine whether controls exist • And whether they are effective • Often part of regulations, compliance, or other legal obligation • Or aftermath of an incident
  • 43. Types of Audits • Operational audit • Financial audit • Integrated audit • IS audit • Administrative audit • Compliance audit
  • 44. Types of Audits • Forensic audit • Preparation for a lawsuit • Service provider audit • Because organizations outsource to third parties • Those third parties undergo external audits • To increase customer confidence
  • 45. Standards for Attestation Engagements No. 18 (SSAE 18) • Performed on a service provider's operations • Audit report transmitted to customers • Closely aligned with global standard • International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization (ISAE 3402), from the International Auditing and Assurance Standards Board (IAASB)
  • 46. Pre-Audit • An examination of business processes, information systems, applications, or business records • In anticipation of an upcoming audit
  • 47. Audit Methodology • Formal methodologies ensure consistency • Even when performed by different personnel • Phases • Subject, objective, type, scope, pre-audit planning
  • 48. Audit Statement of Work • Describes purpose, scope, duration, and costs • May require written approval from client before work begins
  • 50. Audit Communication Plan • Evidence requested • Regular written status reports • Regular status meetings • Contact information for IS auditor and auditee
  • 51. Report Preparation • Format and content of report • How findings will be established and documented • Report must comply with applicable audit standards • Identifies parties that perform internal review
  • 52. Wrap-Up • Deliver report to auditee • Closed meeting to discuss report and collect feedback • Send invoice • Collect and archive work papers
  • 53. Post-Audit Follow-Up • Contact auditee • To determine progress on audit findings • Establishes tone of concern • Establishes a dialogue • Helps auditor understand management's commitment • Improves goodwill and prospect for repeat business
  • 54. Audit Evidence • Observations • Written notes • Correspondence • Independent confirmations from other auditors • Internal process and procedure documentation • Business records
  • 56. Observing Personnel • Real tasks • Skills and experience • Security awareness • Segregation of duties
  • 58. Ch 4b