CSCI-618: Information Security
Risk Management and Legal Issues
Introduction
Maryam Hamidirad
• Course instructor
• Head of Risk & Compliance
• Email address: [email protected]
Text Books
Chapter 1: Why Study Information Security
Objectives
■ Recognize the growing importance of information security specialists
■ Develop a strategy for pursuit of a career in information security
■ Comprehend information security in the context of the mission of a business
© Pearson Education 2014, Information Security: Principles
and Practices, 2nd Edition 5
Information is gold and it can be robbed and stolen
Introduction
■ To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists
■ An information security specialist is more than a technician who prevents hackers from attacking a web site
Introduction (cont.)
■ You might ask yourself: Why study information security?
■ In this class, we’ll examine both the practical and theoretical skills security specialists use to protect information systems
The Growing Importance of IT Security and New Career Opportunities
■ Increased services to both vendors and employees create worlds of possibilities in satisfying customer needs, but …
■ They also create risks to the confidentiality, integrity, and availability of confidential or sensitive data
“It is not a matter of if you will be compromised, it is when.”
“There are only two types of companies – those that know they’ve been compromised and those that do not know”
Recent cyber attacks
Information security resource shortage
• Global IT security skills shortages have now surpassed four million, according to (ISC)2.
• (ISC)2 claimed the global security workforce needs to increase by 145% to cope with a surge in hiring demand
• The future is digital and the demand is going to increase even more
Becoming an Information Security Specialist
• Getting a degree in information security will involve taking classes in security architecture, laws and ethics, access control, disaster recovery and planning
• Get the right certification
• Certified Information Systems Security Professional (CISSP)
• System Security Certified Practitioner (SSCP)
• Global Information Assurance Certification (GIAC): www.giac.org
• Consider earning a graduate degree in INFOSEC
• Increase your disaster recovery and risk management skills (DRI or CBCI)
• Build a home laboratory
Becoming an Information Security Specialist (cont.)
• Give something back to the INFOSEC community
• Get on a project working with strategic partners
• Consider an internship in IS
• Take a second look at government jobs
Multidisciplinary Approach
• Security professionals must think like business leaders
• Exposure to nontechnical areas gives INFOSEC professionals a greater ability to address and resolve complex problems
• These areas include probability and statistics, psychology, English, foreign languages, philosophy, ethics, history, and so on
• A wide range of educational experiences is a good foundation for an INFOSEC career
Cyber security is not an IT issue, it is a business issue
Contextualizing Information Security
Information security draws upon the best practices and experiences from multiple domains, including:
• Compliance, policies, and standards
• Administration, auditing, access controls, and permission controls
• Intrusion detection and prevention and incident response
• Software development security
• Physical security
• Operations control
• Public key infrastructure and key management
• Disaster recovery
• Security testing
• Antivirus solutions
• Training and awareness
Information Security Careers Meet the Needs of Business
To support business operations, a number of common positions and career opportunities are needed:
• Security administrators
• Access coordinators
• Security architects and network engineers
• Security consultants
Information Security Careers Meet the Needs of Business (cont.)
• Security testers
• Policymakers and standards developers
• Compliance officers
• Incident response team members
• Governance and vendor managers
Summary
• Networked systems remain vulnerable to attacks from within and outside an organization
• The explosive growth of e-commerce and the pervasive personal and business uses of the Internet have created a growing demand for information security professionals
• The principles, approaches, and concepts in INFOSEC should work together to provide the harmonious mix of risk and reward that modern business demands
Chapter 1: “Risk Management Fundamentals”
Key Concepts
▪ Defining risk
▪ Balancing risk
▪ Seven domains of a typical IT infrastructure
▪ Addressing confidentiality, integrity, and availability
▪ Compliance laws and regulations
▪ Standards and guidelines used for compliance
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Managing Risk in Information Systems www.jblearning.com Page 25
All rights reserved.
What Is Risk?
▪ Risk: The likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability.
▪ Threat: Any activity that represents a possible danger.
▪ Vulnerability: A weakness.
▪ Loss: A loss results in a compromise to business functions or assets.
▪ Tangible
▪ Intangible
Example
Risk-Related Concerns for Business
Compromise of business functions
Compromise of business assets
Driver of business costs
Profitability versus survivability
Seven Domains of a Typical IT Infrastructure
Addressing CIA
▪ Confidentiality
▪ Integrity
▪ Availability
Why does CIA matter?
Crown jewel assets are the critical assets an organization needs to achieve its mission, strategy and objectives. Each crown jewel has been classified by its confidentiality (C), integrity (I) and availability (A) requirements, to understand which security controls are most important for keeping the asset protected.
Crown Jewel | Category | Description | C | I | A
ERP management system | System | Solution used for customer order processing and supply chain | | |
Customer information | Data | Customer information, order history and inventory prices | | |
Employee information | Data | Employee information stored for payroll and other HR related purposes | | |
Rating scale for C, I and A: High, Medium, Low
Risk Management
▪ Risk: probability of loss
▪ Threat: potential harm
▪ Vulnerability: system weakness
Risk Management Elements/Process
▪ Identify risks to manage
▪ Assess risks
▪ Select controls
▪ Implement and test controls
▪ Evaluate controls
Survivability, and Balancing Risk and Cost
▪ Consider the cost to implement a control and the cost of not implementing the control
▪ Spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business’s survivability
▪ The cost to manage a risk must be balanced against the impact value
Role-based Perceptions of Risk
▪ Management
▪ System administrator
▪ Tier 1 administrator
▪ Developer
▪ End user
Risk Identification Process
▪ Identify threats
▪ Identify vulnerabilities
▪ Estimate the likelihood of a threat exploiting a vulnerability
Risk Identification Elements
Component Type or Source
Threats ▪ External or internal
▪ Natural or man-made
▪ Intentional or accidental
Vulnerabilities ▪ Audit
▪ Certification/accreditation records
▪ System logs
▪ Prior event
▪ Trouble reports
▪ Incident response teams
Techniques of Risk Management
Various techniques of risk management:
▪ Avoidance
▪ Transfer
▪ Mitigation
▪ Acceptance
▪ Cost-Benefit Analysis
▪ Residual Risk
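The following worked example is added here to tie the process and techniques on these slides together; it is not from the textbook or the slides. It scores a risk as likelihood × impact (a common scheme assumed here, the slides only define risk as likelihood of loss), applies the cost-benefit check from the survivability slide to a candidate control, and picks one of the four techniques; all assets, dollar figures and controls are constructed.

```python
# Added illustration: risk scoring, cost-benefit check and treatment choice.
# Likelihood x impact scoring and all figures below are assumptions, not from the slides.
from dataclasses import dataclass
from typing import Optional

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # rating scale used on the CIA slide

@dataclass
class Risk:
    asset: str
    threat: str            # potential harm
    vulnerability: str     # system weakness the threat could exploit
    likelihood: str        # Low / Medium / High
    impact: str            # Low / Medium / High
    annual_loss: float     # expected loss per year if nothing is done (constructed)

@dataclass
class Control:
    name: str
    annual_cost: float
    effectiveness: float   # fraction of the expected loss the control removes (0..1)

def risk_score(risk: Risk) -> int:
    """Assess step: likelihood x impact on the 1..3 scale, so 1 (lowest) to 9."""
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]

def residual_loss(risk: Risk, control: Control) -> float:
    """Residual risk: expected loss that remains once the control is in place."""
    return risk.annual_loss * (1.0 - control.effectiveness)

def select_treatment(risk: Risk, control: Optional[Control], appetite: int,
                     transfer_premium: Optional[float] = None) -> str:
    """Select-controls step: choose Accept, Mitigate, Transfer or Avoid.
    appetite is the highest score the business tolerates without acting."""
    if risk_score(risk) <= appetite:
        return "Accept"
    if control is not None:
        saved = risk.annual_loss - residual_loss(risk, control)
        if saved > control.annual_cost:        # cost-benefit: control pays for itself
            return "Mitigate"
    if transfer_premium is not None and transfer_premium < risk.annual_loss:
        return "Transfer"                      # e.g. insurance cheaper than the loss
    return "Avoid"                             # no affordable option: stop the activity

if __name__ == "__main__":
    erp = Risk("ERP system", "ransomware", "unpatched server", "Medium", "High", 200_000)
    backups = Control("offline backups and patching", 30_000, effectiveness=0.8)
    print(risk_score(erp), select_treatment(erp, backups, appetite=2))   # 6 Mitigate
    print(round(residual_loss(erp, backups)))                             # 40000
```

Changing the appetite, the control cost or the premium shows how the same risk moves between the four techniques.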
Next Lecture
TEXT 1: Chapter 2 Information Security Principles of Success
TEXT 2: Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits
Quiz #1