BLM5102
Computer Systems and
Network Security
Prof. Dr. Hasan Hüseyin BALIK
(2nd Week)
Outline
• 2. Management issues
—2.1. IT Security Management and Risk Assessment
—2.2. IT Security Controls, Plans and Procedures
—2.3. Physical and Infrastructure Security
—2.4. Human Resources Security
—2.5. Security Auditing
—2.6. Legal and Ethical Aspects
2.1. IT Security Management and Risk
Assessment
2.1. Outline
• IT Security Management
• Organizational Context and Security Policy
• Security Risk Assessment
• Detailed Security Risk Analysis
• Case Study: Silver Star Mines
IT Security Management
Overview
Is the formal process of answering the questions:
• What assets need to be protected
• How are those assets threatened
• What can be done to counter those threats
• Ensures that critical assets are sufficiently protected in a cost-effective
manner
• Security risk assessment is needed for each asset in the organization
that requires protection
• Provides the information necessary to decide what management,
operational, and technical controls are needed to reduce the risks
identified
ISO/IEC 27000 Series of Standards on IT Security Techniques
27000:2016 “Information security management systems - Overview and vocabulary”
provides an overview of information security management systems, and
defines the vocabulary and definitions used in the 27000 family of standards.
27001:2013 “Information security management systems – Requirements” specifies the
requirements for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving a documented Information Security
Management System.
27002:2013 “Code of practice for information security management” provides guidelines
for information security management in an organization and contains a list of
best-practice security controls. It was formerly known as ISO17799.
27003:2010 “Information security management system implementation guidance” details
the process from inception to the production of implementation plans of an
Information Security Management System specification and design.
27004:2009 “Information security management – Measurement” provides guidance to
help organizations measure and report on the effectiveness of their
information security management system processes and controls.
27005:2011 “Information security risk management” provides guidelines on the
information security risk management process. It supersedes ISO13335-3/4.
27006:2015 “Requirements for bodies providing audit and certification of information
security management systems” specifies requirements and provides guidance
for these bodies.
IT Security Management
IT SECURITY MANAGEMENT: A process used to achieve and
maintain appropriate levels of confidentiality, integrity, availability,
accountability, authenticity, and reliability. IT security management
functions include:
• Determining organizational IT security objectives, strategies, and policies
• Determining organizational IT security requirements
• Identifying and analyzing security threats to IT assets within the organization
• Identifying and analyzing risks
• Specifying appropriate safeguards
• Monitoring the implementation and operation of safeguards that are necessary in
order to cost effectively protect the information and services within the
organization
• Developing and implementing a security awareness program
• Detecting and reacting to incidents
Organizational Aspects: IT Security Policy
Security Risk Analysis, with four risk analysis options: Baseline, Informal, Formal, Combined
Selection of Controls
Development of Security Plan and Procedures
Implementation: Implement Controls; Security Awareness & Training
Follow-Up: Security Maintenance; Compliance; Change Management; Incident Handling
Figure 14.1 Overview of IT Security Management
Interested Parties (Information Security Needs) -> Plan -> Do -> Check -> Act -> Managed Security -> Interested Parties
Figure 14.2 The Plan - Do - Check - Act Process Model
Organizational Context and
Security Policy
First examine organization’s IT security:
• Objectives - wanted IT security outcomes
• Strategies - how to meet objectives
• Policies - identify what needs to be done
These should be:
• Maintained and updated regularly
• Using periodic security reviews
• Reflect changing technical/risk environments
• Examine role and importance of IT systems in organization
Security Policy
Needs to address:
• Scope and purpose including relation of objectives to business, legal,
regulatory requirements
• IT security requirements
• Assignment of responsibilities
• Risk management approach
• Security awareness and training
• General personnel issues and any legal sanctions
• Integration of security into systems development
• Information classification scheme
• Contingency and business continuity planning
• Incident detection and handling processes
• How and when policy reviewed, and change control to it
Management Support
• IT security policy must be supported by senior
management
• Need IT security officer
• To provide consistent overall supervision
• Liaison with senior management
• Maintenance of IT security objectives, strategies, policies
• Handle incidents
• Management of IT security awareness and training programs
• Interaction with IT project security officers
• Large organizations need separate IT project
security officers associated with major projects and
systems
• Manage security policies within their area
Security Risk Assessment
Critical component of process
Ideally examine every organizational asset
• Not feasible in practice
Approaches to identifying and mitigating risks
to an organization’s IT infrastructure:
• Baseline
• Informal
• Detailed risk
• Combined
Baseline Approach
• Goal is to implement agreed controls to provide
protection against the most common threats
• Forms a good base for further security measures
• Use “industry best practice”
• Easy, cheap, can be replicated
• Gives no special consideration to variations in risk exposure
• May give too much or too little security
• Generally recommended only for small
organizations without the resources to
implement more structured approaches
Informal Approach
• Involves conducting an informal, pragmatic risk analysis on
organization’s IT systems
• Exploits knowledge and expertise of analyst
• Fairly quick and cheap
• Judgments can be made about vulnerabilities and risks that baseline
approach would not address
• Some risks may be incorrectly assessed
• Skewed by analyst’s views, varies over time
• Suitable for small to medium sized organizations where IT systems are
not necessarily essential
Detailed Risk Analysis
• Most comprehensive approach
• May be a legal requirement to use
• Significant cost in time, resources, expertise
• Assess using formal structured process
•Number of stages
•Identify threats and vulnerabilities to assets
•Identify likelihood of risk occurring and consequences
• Suitable for large organizations with IT systems critical to their
business objectives
Combined Approach
• Combines elements of the baseline, informal, and detailed risk analysis
approaches
• Aim is to provide reasonable levels of protection as quickly as possible then to
examine and adjust the protection controls deployed on key systems over time
• Approach starts with the implementation of suitable baseline security
recommendations on all systems
• Next, systems either exposed to high risk levels or critical to the organization's
business objectives are identified in the high-level risk assessment
• A decision can then be made to possibly conduct an immediate informal risk
assessment on key systems, with the aim of relatively quickly tailoring controls to
more accurately reflect their requirements
• Lastly, an ordered process of performing detailed risk analyses of these systems
can be instituted
• Over time, this can result in the most appropriate and cost-effective security
controls being selected and implemented on these systems
Detailed Security Risk
Analysis
Provides the most accurate evaluation of an
organization's IT system’s security risks
Highest cost
Initially focused on addressing defense
security concerns
Often mandated by government
organizations and associated businesses
Step 1: Prepare for Assessment (derived from Organizational Aspects)
Step 2: Conduct Risk Analysis
• Identify Threat Sources and Events
• Identify Vulnerabilities and Predisposing Conditions
• Determine Likelihood of Occurrence
• Determine Magnitude of Impact
• Determine Risk
Step 3: Communicate Results
Step 4: Maintain Assessment
Figure 14.3 Risk Assessment Process
Establishing the Context
• Initial step
• Determine the basic parameters of the risk assessment
• Identify the assets to be examined
• Explores political and social environment in which the
organization operates
• Legal and regulatory constraints
• Provide baseline for organization’s risk exposure
• Risk appetite
• The level of risk the organization views as acceptable
Less Vulnerable: Media, Construction, Agriculture, Education
In between: Utilities, Retail, Communications, Manufacturing
More Vulnerable: Banking & Finance, Health Care, Transportation, Government
Figure 14.4 Generic Organizational Risk Context
Asset Identification
• Last component is to identify assets to examine
• Draw on expertise of people in relevant areas of
organization to identify key assets
• Identify and interview such personnel
Asset
•“anything that needs to be protected” because
it has value to the organization and contributes
to the successful attainment of the
organization’s objectives
Terminology
• Asset: A system resource or capability of
value to its owner that requires
protection
• Threat: A potential for a threat source to
exploit a vulnerability in some asset,
which if it occurs may compromise the
security of the asset and cause harm to
the asset’s owner
• Vulnerability: A flaw or weakness in an asset’s design,
implementation, or operation and
management that could be exploited
by some threat
• Risk: The potential for loss computed as the
combination of the likelihood that a given
threat exploits some vulnerability to an
asset, and the magnitude of harmful
consequence that results to the asset’s
owner
Threat Identification
• A threat is:
Anything that
might hinder or
prevent an asset
from providing
appropriate levels
of the key security
services
Threat Sources
• Threats may be
• Natural “acts of God”
• Man-made
• Accidental or deliberate
Evaluation of human threat sources should consider:
• Motivation
• Capability
• Resources
• Probability of attack
• Deterrence
• Any previous experience of attacks seen by the
organization also needs to be considered
Vulnerability
Identification
• Identify exploitable flaws or weaknesses in
organization’s IT systems or processes
• Determines applicability and significance of threat to
organization
• Need combination of threat and vulnerability to
create a risk to an asset
• Outcome should be a list of threats and
vulnerabilities with brief descriptions
of how and why they might occur
Analyze Risks
• Specify likelihood of occurrence of each
identified threat to asset given existing controls
• Specify consequence should threat occur
• Derive overall risk rating for each threat
• Risk = probability threat occurs x cost to
organization
• Hard to determine accurate
probabilities and realistic cost
consequences
• Use qualitative, not quantitative,
ratings
Analyze Existing Controls
• Existing controls used to attempt to minimize
threats need to be identified
• Security controls include:
• Management
• Operational
• Technical processes and procedures
• Use checklists of existing controls and interview
key organizational staff to solicit information
Axes: Risk Level (Low to Extreme) against Cost of Treatment ($ to $$$$$)
Regions: Implement Treatment toward the Extreme-risk end; Judgement Needed in
between; Uneconomic so accept toward the Low-risk, high-cost end
Figure 14.5 Judgment About Risk Treatment
Risk Treatment Alternatives
• Risk acceptance: choosing to accept a risk level greater than normal for
business reasons
• Risk avoidance: not proceeding with the activity or system that creates
this risk
• Risk transfer: sharing responsibility for the risk with a third party
• Reduce consequence: modifying the structure or use of the assets at risk
to reduce the impact on the organization should the risk occur
• Reduce likelihood: implement suitable controls to lower the chance of the
vulnerability being exploited
Case Study: Silver Star
Mines
• Fictional operation of global mining company
• Large IT infrastructure
• Both common and specific software
• Some directly relates to health and safety
• Formerly isolated systems now networked
• Decided on combined approach
• Mining industry less risky end of spectrum
• Subject to legal/regulatory requirements
• Management accepts moderate or low risk
Assets
• Reliability and integrity of SCADA nodes and net
• Integrity of stored file and database information
• Availability, integrity and confidentiality of mail services
• Availability, integrity of financial system
• Availability, integrity of maintenance/production system
• Availability, integrity of procurement system