Lesson5 Risks and Management

Uploaded by reuben.gitau

JOMO KENYATTA UNIVERSITY OF AGRICULTURE & TECHNOLOGY
JKUAT SODeL
SCHOOL OF OPEN, DISTANCE AND eLEARNING
P.O. Box 62000, 00200 Nairobi, Kenya
E-mail: [email protected]
©2015

BIT 2317 Computer Systems Security
LAST REVISION ON January 15, 2015

This presentation is intended to be covered within one week. The notes, examples and exercises should be supplemented with a good textbook. Most of the exercises have solutions/answers appearing elsewhere and accessible by clicking the green Exercise tag. To move back to the same page click the same tag appearing at the end of the solution/answer.

Errors and omissions in these notes are entirely the responsibility of the author who should only be contacted through the Department of Curricula & Delivery (SODeL) and suggested corrections may be e-mailed to [email protected].

JKUAT: Setting trends in higher Education, Research and Innovation
LESSON 5
Risks and Management

Learning outcomes

By the end of this topic you should be able to:

• Explain risk analysis
• Describe the concepts of risk management
• Describe security governance
• Explain steps in making a feasible risk plan
• Explain the types of information security policy
• Explain Bulls-eye model layers of security policy
• Analyze guidelines for Policy Development
5.1. Security Risk Analysis & Management

Risk Analysis & Management needs to be a part of system development, not tacked on afterwards. Organization information has value and must be available where and when needed for use by authorized personnel. Security experts must minimize the chances of C-I-A (Confidentiality, Integrity & Availability) collapsing.

When describing risk analysis and management, the following definitions are important:
• Threat: Harm that can happen to an asset
• Impact: A measure of the seriousness of a threat
• Attack: A threatening event
• Attacker: The agent causing an attack (not necessarily human)
• Vulnerability: a weakness in the system that makes an attack more likely to succeed
• Risk: a quantified measure of the likelihood of a threat being realized.

Figure 5.1: Risk analysis and management
• Risk Analysis involves the identification and assessment of the levels of risk, calculated from the:
– Values of assets
– Threats to the assets
– Their vulnerabilities and likelihood of exploitation
• Risk Management involves the identification, selection and adoption of security measures justified by:
– The identified risks to assets
– The reduction of these risks to acceptable levels

5.1.1. Goals of Risk Analysis

The goals of risk analysis include:
1. Identification of all the assets
2. Identification of all the threats to the assets
3. Determination of the risk impact on assets and the cost
4. Identification of all vulnerabilities and assessment of the risk

5.1.2. Problems of Measuring Risk

Businesses normally wish to measure risk in terms of money, but many of the entities below do not allow this:

1. Valuation of assets: Value of data and in-house software - no market value; value of goodwill and customer confidence
2. Likelihood of threats: how relevant is past data to the calculation of future probabilities: the nature of future attacks is unpredictable; the actions of future attackers are unpredictable
3. Measurement of benefit from security measures: problems with the difference of two approximate quantities; how does an extra security measure affect a ~10^-5 probability of attack?

5.1.3. Risk Levels

Stating risk level in terms of monetary value gives false precision. However, it is better to use the following in determining the levels:
1. High, Medium, Low (or a numeric scale of 1 - 10)
• High: major impact on the organization
• Medium: noticeable impact ("material" in auditing terms)
• Low: can be absorbed without difficulty
2. Express money values in levels, e.g. for a large University Department a possibility is
• High
• Medium
• Low

5.1.4. Risk Analysis Steps

The following are the steps used to carry out the risk analysis:
1. Decide on scope of analysis. Draw a context diagram and decide on the boundary. Make explicit assumptions about the security of neighbouring domains and verify them.
2. Identification of assets & business processes. These include:
• Hardware
• Software: purchased or developed programs
• Data
• People: who run the system
• Documentation: manuals, administrative procedures, etc
• Supplies: paper forms, magnetic media, printer liquid, etc
• Money
• Intangibles:
– Goodwill
– Organization confidence
– Organization image
3. Identification of threats and valuation of their impact on assets (impact valuation) for each group of assets:
• Identify threats, e.g. for stored data
– Loss of confidentiality
– Loss of integrity
– Loss of completeness
– Loss of availability (Denial of Service)
• For many asset types the only threat is loss of availability
• Assess impact of threat
– Assess in levels, e.g. H-M-L or 1 - 10. This gives the valuation of the asset in the face of the threat
• Every company or organization has some processes that are critical to its operation
• The criticality of a process may increase the impact valuation of one or more assets identified, therefore:
– Identify critical processes
– Review assets needed for critical processes
– Revise impact valuation of these assets
4. Identification and assessment of vulnerabilities to threats. Identify vulnerabilities against a baseline system:
• For risk analysis of an existing system: the existing system with its known security measures and weaknesses
• For development of a new system:
– Security facilities of the envisaged software, e.g. Windows NT
– Standard good practice, e.g. BS 7799 recommendations of good practice
For each threat:
• Identify vulnerabilities and devise ways to exploit a threat successfully;
• Assess levels of likelihood - High, Medium, and Low - of attempt. Expensive attacks (e.g. brute-force attacks on encryption keys) are less likely to be successful in exploitation of a vulnerability.

5. Risk assessment
• If there were accurate probabilities and values, risk would be:
– Impact valuation x probability of threat x probability of exploitation
– Plus a correction factor for risk aversion
• Since these are not available, matrices are constructed instead.
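The formula above (impact valuation x probability of threat x probability of exploitation, with a risk-aversion correction) and the H-M-L matrices that replace it when real probabilities are unavailable can both be made concrete in code. The following Python script is an added example written for these notes, not part of the original course material; the two lookup matrices, the scenario data and the way the risk-aversion factor is applied are assumptions chosen for illustration, not a standard.

```python
"""Qualitative and quantitative risk assessment (added example).

Implements both forms described in the notes: the numeric formula when
probabilities are known, and H-M-L matrices when they are not. The
matrices and scenarios below are assumed/constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The H-M-L scale from the notes; integer values allow ordering."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def attack_likelihood(threat: Level, exploitation: Level) -> Level:
    """Matrix 1 (assumed): likelihood of a successful attack.

    A loss needs both an attempt and a successful exploitation, so the
    combined likelihood is taken as the lower of the two levels.
    """
    return min(threat, exploitation)


# Matrix 2 (assumed table): (impact level, attack likelihood) -> risk level.
RISK_MATRIX = {
    (Level.HIGH, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.LOW): Level.LOW,
}


def qualitative_risk(impact: Level, threat: Level, exploitation: Level) -> Level:
    """Risk level for one asset/threat pair using the two matrices."""
    return RISK_MATRIX[(impact, attack_likelihood(threat, exploitation))]


def quantitative_risk(impact_value: float, p_threat: float,
                      p_exploit: float, aversion: float = 1.0) -> float:
    """The notes' formula when real numbers exist: expected loss =
    impact valuation x P(threat) x P(exploitation), multiplied by a
    risk-aversion correction (1.0 = neutral; > 1 weights the loss more
    heavily). How the factor is chosen is an organisational decision."""
    for p in (p_threat, p_exploit):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    if aversion <= 0:
        raise ValueError("aversion factor must be positive")
    return impact_value * p_threat * p_exploit * aversion


@dataclass
class Scenario:
    asset: str
    threat: str
    impact: Level
    threat_likelihood: Level
    exploit_likelihood: Level


# Constructed scenarios for a software company (cf. the notes' example).
SCENARIOS = [
    Scenario("source code", "insider sells to competitor",
             Level.HIGH, Level.MEDIUM, Level.HIGH),
    Scenario("source code", "brute force of encryption keys",
             Level.HIGH, Level.LOW, Level.LOW),
    Scenario("printer supplies", "loss of availability",
             Level.LOW, Level.HIGH, Level.HIGH),
]


def assess(scenarios):
    """Return (scenario, risk level) pairs sorted highest risk first."""
    rated = [(s, qualitative_risk(s.impact, s.threat_likelihood,
                                  s.exploit_likelihood)) for s in scenarios]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for scenario, risk in assess(SCENARIOS):
        print(f"{risk.name:6} {scenario.asset}: {scenario.threat}")
    # Numeric form for the Kshs 5 million application in the notes,
    # with constructed probabilities of 0.1 (threat) and 0.5 (exploit).
    print(quantitative_risk(5_000_000, 0.1, 0.5))
```

The ordering of `assess` is what a risk register needs: the expensive brute-force attack on keys drops to MEDIUM because its low likelihood of attempt dominates, even though the impact is HIGH, which matches the observation in step 4 that expensive attacks are less likely.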

5.1.5. Responses to Risk

1. Avoid it completely by withdrawing from an activity
2. Accept it and do nothing
3. Reduce it with security measures

• Security Measures
The possible security measures include:
1. Transfer the risk, e.g. insurance
2. Reduce vulnerability
• Reduce likelihood of attempt
– e.g. publicize security measures in order to deter attackers
– e.g. competitive approach - the lion-hunter's approach to security
• Reduce likelihood of success by preventive measures
– e.g. access control, encryption, firewall
3. Reduce impact, e.g. use fire extinguisher / firewall
4. Recovery measures, e.g. restoration from backup

5.2. Risk management

The goal of risk management is to reduce risk and maintain the C-I-A triad. This is achieved by determining what the risks are, identifying threats and vulnerabilities with an aim of reducing them. Risks are minimized by identifying them and creating a mitigation plan for those risks. Mitigation is defined as making something less harmful or less painful; therefore, planning is meant to lessen the risks.

To minimize risks, the potential risks, and the threats and vulnerabilities that the organization faces, are identified. The figure below shows a complete process used to identify, control, and mitigate the impact of uncertain events.

Figure 5.2: Risk management

1. Identify possible security measures
2. Decide which to choose
3. Ensure complete coverage with confidence that:
• The selected security measures address all threats
• The results are consistent
• The expenditure and its benefits are commensurate with the risks
4. Iterate
• Adding security measures changes the system: vulnerabilities may have been introduced
• After deciding on security measures, revisit the risk analysis and management processes, e.g. introduction of encryption of stored files may remove the threat to Confidentiality but introduce a threat to Availability

5.2.1. Problems of Risk Analysis and Management

1. Lack of precision
2. Volume of work and volume of output
3. Integrating them into a "normal" development process

• Steps in making a feasible risk plan

There is a limit to the value of implementing protection of information. Organizations must combine the knowledge of value, threat, vulnerabilities and risks to develop a feasible plan. To do this:
• Place a value on the information
• Identify as many risks as possible and their associated threats and vulnerabilities.
• Mitigate the identified risks
• Beware that there are always things that are overlooked

There is a limit to one's ability to mitigate risk, and sometimes the cost or difficulty of reducing the risk is greater than the risk itself. Every risk plan is different because every organization has a different set of circumstances, budget, and workforce to use in minimizing risks. The following are questions that you can ask to help better identify the constraints that an organization is working under:
• What information needs to be secured?
• What is the value of the information?
• What are the chances that the information can be compromised?
• What is the cost to the organization if the information is compromised?
• In what manner is the information accessed?
• How many people access the information?
• Is the information easily secured?

Regardless of whether the decision is to mitigate the risks or not, there is need to identify as many potential risks as possible and develop a mitigating plan that encompasses each of them.

Once the risks are identified and assigned a cost (in time and money) to secure the information, a comparison is made between it and the value of the information to determine reasonable security measures that can be taken. Using a software company as an example, the following might be identified:
• The value of the software application is Kshs 5 million because the sales of the software are Kshs 5 million
• The risk is that competitors might obtain the technology used
• The threats are that someone from outside will locate and access the technology or an employee will gain access to the technology and sell or give it to competitors
• The vulnerabilities are that the technology is accessible to many people
• To mitigate the risks, the technology should be protected and made inaccessible to everyone, which is impractical. A better mitigation plan might be to limit access to a specific number of people, specifically the Chief Information Officer (CIO), who must be guided by strict company policies on intellectual property rights.
• Things one might have thought of would be limiting access to the computer laboratories where the application is being developed, posting a list of people authorized access and authenticating people who want to access the application.

• Summary

Information security revolves around ensuring that the organization's information security plan provides data confidentiality, data integrity and data availability. The key points to remember are the following:
• Confidentiality is ensuring information is secure, with access limited to appropriate persons
• Integrity is ensuring information is not accidentally or maliciously altered or destroyed
• Availability is assuring information and communication services will be ready for use when expected.

To ensure that information plans maintain confidentiality, integrity and availability, security is necessary. Possible threats and intrusion points, vulnerabilities, risks due to failure of the security plan and ways to mitigate those risks must be identified and an appropriate defense must be mounted.

The value of the information being protected must be determined considering the liabilities that would accrue if that information falls into the wrong hands. Managers of the organizations must understand the legal ramifications of what to do and ensure that the chain of evidence remains intact to allow legal authorities to gather the necessary data and prosecute those responsible for the security breach.
5.3. Organizational security policy

5.3.1. Security Governance

Security Governance is the organizational processes and relationships for managing risk. It includes:
1. Policies, Procedures, Standards, Guidelines, Baselines
2. Organizational Structures
3. Roles and Responsibilities

5.3.2. Policies

A policy is an essential foundation of an effective information security program. The success of an information resources protection program depends on the policy generated and on the attitude of management toward securing information on automated systems. A policy maker sets the tone and the emphasis on how important a role information security will have within the agency. The policy maker's primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations, and assurance of operational continuity, information integrity, and confidentiality.

Figure 5.3: Policy Mapping

Policies are statements of management intentions and goals. Senior Management support and approval is vital to success. Examples of general, high-level objectives include: to ensure acceptable use, internet access, logging, information security, etc.
A quality information security program begins and ends with policy. Policies are the least expensive means of control and often the most difficult to implement. The basic rule to follow when shaping policy is that policies should:
1. Never conflict with law
2. Stand up in court
3. Be properly supported and administered
4. Contribute to the success of the organization
5. Involve end users of information systems

The Bulls-eye model layers are:
• Policies: the first layer of defense
• Networks: this is where threats first meet an organization's network
• Systems: this involves computers and manufacturing systems
• Applications: these are all the application systems

Figure 5.4: Bulls-eye model layers

Policies are important reference documents for internal audits and for resolution of legal disputes about management's due diligence. Policy documents can act as a clear statement of management's intent.

1. Procedures: Procedures are detailed steps to perform a specific task which are usually required by policy, e.g. decommissioning resources, adding user accounts, deleting user accounts, change management, etc.
2. Standards: Standards specify the use of specific technologies in a uniform manner. They require uniformity throughout the organization, e.g. standard assets include: operating systems, applications, server tools, router configurations, etc.
3. Guidelines: Guidelines are recommended methods for performing a task; recommended, but not required, e.g. guidelines on malware cleanup, spyware removal, data conversion, sanitization, etc.
4. Baselines: Baselines are similar to standards but account for differences in technologies and versions from different vendors. For instance, operating system security baselines include: FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.

Figure 5.5: Policies, standards, and practices

For policies to be effective, they must be:
1. Properly disseminated
2. Read
3. Understood
4. Agreed-to

5.3.3. Policy modification & maintenance

Policies require constant modification & maintenance. In order to produce a complete information security policy, management must define 3 types of information security policy:
• Enterprise information security program policy (EISP)
• Issue-Specific Security Policy (ISSP)
• System-Specific Policy
Related topics: Guidelines for Policy Management, Another Approach to Policy Development, SP 800-18 Guide for Developing.

To ensure effective enterprise information security, the EISP:
1. Sets strategic direction, scope, & tone for the organization's security efforts
2. Assigns responsibilities for various areas of information security
3. Guides development, implementation, & management requirements of the information security program

EISP documents should provide:
1. An overview of corporate philosophy on security
2. Information about the information security organization & information security roles:
– Responsibilities for security shared by all organization members
– Responsibilities for security unique to each organizational role

Components of the EISP

The following are the components of the EISP:
1. Statement of Purpose: what the policy is for
2. Information Technology Security Elements: defines information security
3. Need for Information Technology Security: justifies the importance of information security in the organization
4. Information Technology Security Responsibilities & Roles: defines organizational structure
5. References to Information Technology standards & guidelines
A sample EISP
• Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, & criticality.
• Use Of Information: Company X information must be used only for business purposes expressly authorized by management.
• Information Handling & Access Usage: Information is a vital asset & all accesses to, uses of, & processing of Company X information must be consistent with policies & standards.
• Data & Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, & availability of the information handled by computers & communications systems.
• Legal Conflicts: Company X information security policies were drafted to meet or exceed the protections found in existing laws & regulations, & any Company X information security policy believed to be in conflict with existing laws or regulations must be promptly reported to information security management.
• Exceptions to Policies: Exceptions to information security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, & where this form has been approved by both Information security management & Internal Audit management.
• Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent.
• Violation Of Law: Company X management must seriously consider prosecution for all known violations of the law.
• Revocation Of Access Privileges: Company X reserves the right to revoke a user's information technology privileges at any time.
• Industry-Specific Information Security Standards: Company X information systems must employ industry-specific information security standards.
• Use Of Information Security Policies & Procedures: All Company X information security documentation including, but not limited to, policies, standards, & procedures, must be classified as "Internal Use Only," unless expressly created for external business processes or partners.
• Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure.

• Issue-Specific Security Policy (ISSP)

An ISSP provides detailed, targeted guidance to instruct organizations in the secure use of technology systems. It begins with an introduction to the fundamental technological philosophy of the organization and serves to protect the employee & organization from inefficiency/ambiguity. It documents how a technology-based system is controlled, identifies the processes & authorities that provide this control, and serves to indemnify the organization against liability for inappropriate or illegal system use. Therefore ISSPs:
1. Address specific technology-based systems
2. Require frequent updates
3. Contain an issue statement on the organization's position on an issue

The issues addressed by ISSPs are: email, use of the Internet & World Wide Web, specific minimum configurations of computers to defend against malware, prohibitions against hacking or testing organization security controls, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies and use of photocopy equipment.

Components of the ISSP

These include:
1. Statement of Purpose: scope & applicability, definition of the technology addressed, and responsibilities
2. Authorized Access & Usage of Equipment: user access, fair & responsible use and protection of privacy
3. Prohibited Usage of Equipment: disruptive use or misuse, criminal use, offensive or harassing materials, copyrighted, licensed, or other intellectual property and other restrictions
4. Systems Management: management of stored materials, employer monitoring, virus protection, physical security, encryption
5. Violations of Policy: procedures for reporting violations and penalties for violations
6. Policy Review & Modification: scheduled review of policy and procedures for modification
7. Limitations of Liability: statements of liability or disclaimers

• Systems-Specific Policies (SysSPs)

They may often be created to function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into:
1. Management guidance SysSPs: These are created by management to guide the implementation & configuration of technology. They apply to any technology that affects the confidentiality, integrity or availability of information and inform technologists of management intent.
2. Technical specifications SysSPs: It is the system administrators' responsibility to issue directions on implementing managerial policy. Each type of equipment has its own type of policies and there are two general methods of implementing such technical controls:
(a) Access control lists: ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file. They include user access lists, matrices, & capability tables that govern rights & privileges. They can control access to file storage systems, object brokers, or other network communications devices.
(b) Capability Table: A similar method that specifies which subjects & objects users or groups can access. Specifications are frequently complex matrices, rather than simple lists or tables. The level of detail & specificity (often called granularity) may vary from system to system.
ACLs regulate:
i. Who can use the system
ii. What authorized users can access
iii. When authorized users can access the system
iv. Where authorized users can access the system from
v. How authorized users can access the system
vi. Restricting what users can access, e.g. printers, files, communications, & applications
ACL administrators set user privileges: read, write, create, modify, delete, compare and copy
(c) Configuration rules: Configuration rules are specific configuration codes entered into security systems to guide execution of the system when information is passing through it. Rule policies are more specific to system operation than ACLs & may or may not deal with users directly. Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed.
3. Combined in a single policy document
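As an added illustration of the ACL and capability-table points above (this is example code written for these notes, not code from the course or any real product), the following Python script evaluates access requests against ACL entries that restrict by user or group, object, privilege, time of day, source network and session duration, with deny-by-default semantics, and derives a per-subject capability view from the same entries to show that both are slices of one access matrix. All users, groups, hosts and file names are constructed; the privilege set is the one listed in the notes.

```python
"""ACL evaluation and capability-table view (added example).

Models the notes' statement that ACLs restrict access by user, computer,
time, duration or file, with the privileges read, write, create, modify,
delete, compare and copy. Every name and address below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PRIVILEGES = {"read", "write", "create", "modify", "delete", "compare", "copy"}


@dataclass(frozen=True)
class AclEntry:
    subject: str                       # user or group name
    obj: str                           # file or other resource
    rights: frozenset                  # subset of PRIVILEGES
    hours: tuple = (0, 24)             # allowed local hours, [start, end)
    networks: tuple = ("0.0.0.0/0",)   # where access may originate
    max_duration: timedelta = timedelta(hours=8)

    def __post_init__(self):
        unknown = self.rights - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")


@dataclass
class Request:
    user: str
    groups: tuple
    obj: str
    operation: str
    when: datetime
    source_ip: str
    session_age: timedelta


def entry_permits(e: AclEntry, r: Request) -> bool:
    """True only if every dimension of the entry (who, what, when, where,
    how long) is satisfied by the request."""
    if e.subject != r.user and e.subject not in r.groups:
        return False
    if e.obj != r.obj or r.operation not in e.rights:
        return False
    start, end = e.hours
    if not start <= r.when.hour < end:
        return False
    if not any(ip_address(r.source_ip) in ip_network(n) for n in e.networks):
        return False
    return r.session_age <= e.max_duration


def is_allowed(acl, r: Request) -> bool:
    """Deny by default: a request succeeds only if some entry permits it."""
    return any(entry_permits(e, r) for e in acl)


def capability_table(acl):
    """Re-slice the same matrix per subject: {subject: {object: rights}}."""
    table = {}
    for e in acl:
        table.setdefault(e.subject, {}).setdefault(e.obj, set()).update(e.rights)
    return table


# Constructed ACL for the notes' software-company example: developers
# may work on the source from the office LAN in working hours; the CIO
# alone may copy it; anyone may print.
ACL = [
    AclEntry("developers", "app/source", frozenset({"read", "modify", "compare"}),
             hours=(7, 20), networks=("10.1.0.0/16",)),
    AclEntry("cio", "app/source", frozenset({"read", "copy"}),
             networks=("10.1.0.0/16", "10.2.0.0/16")),
    AclEntry("everyone", "printers/floor1", frozenset({"write"})),
]


def check(user, groups, obj, op, hour, ip, session_hours=1):
    """Build a request at the given hour on a fixed (constructed) date."""
    r = Request(user, tuple(groups), obj, op,
                datetime(2015, 1, 15, hour, 0), ip, timedelta(hours=session_hours))
    return is_allowed(ACL, r)


if __name__ == "__main__":
    print(check("alice", ["developers"], "app/source", "read", 10, "10.1.4.7"))
    print(check("alice", ["developers"], "app/source", "copy", 10, "10.1.4.7"))
    print(capability_table(ACL)["developers"])
```

Each `AclEntry` row corresponds to one cell of the access matrix; `capability_table` regroups the same rows by subject, which is the capability-table view the notes contrast with the list view. The `__post_init__` check rejects privilege names outside the administrator-defined set, so a typo in a policy file fails at load time rather than silently granting nothing.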
5.3.4. Guidelines for Policy Development

It is often useful to view policy development as a two-part project:
1. Design & develop policy (or redesign & rewrite outdated policy)
2. Establish management processes to perpetuate policy within the organization

The former is an exercise in project management, while the latter requires adherence to good business practices. Policy development or re-development projects should be well planned, properly funded, & aggressively managed to ensure completion on time & within budget. When a policy development project is undertaken, the project can be guided by the Security System Development Life Cycle (SDLC) process.

• Investigation Phase
The policy development team should: obtain support from senior management, & the active involvement of IT management, specifically the Chief Information Officer (CIO); clearly articulate the goals of the policy project; gain the participation of the correct individuals affected by the recommended policies. The team must:
• Be composed from Legal, Human Resources & end-users.
• Assign a project champion with sufficient stature & prestige
• Acquire a capable project manager
• Develop a detailed outline of, & sound estimates for, the cost & scheduling of the project
• Analysis Phase
This includes the following activities:
1. New or recent risk assessment or IT audit documenting the current information security needs of the organization
2. Key reference materials, including any existing policies
• Design phase
This phase spells out:
1. How policies will be distributed
2. How verification of distribution will be accomplished
3. Specifications for any automated tools
4. Revisions to feasibility analysis reports based on improved costs & benefits as design is clarified
• Implementation Phase
This phase involves:
1. Writing the policies
2. Ensuring that the policies are enforceable as written
Policy distribution is not always straightforward. Effective policy:
• Is written at a reasonable reading level
• Attempts to minimize technical jargon & management terminology
• Maintenance Phase
Maintain & modify policy as needed to ensure that it remains effective as a tool to meet changing threats. Policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously. Periodic review should be built into the process.
A Final Note on Policy
• Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy
• Policies exist first & foremost to inform employees of what is & is not acceptable behaviour in the organization
• Policy seeks to improve employee productivity, & prevent potentially embarrassing situations
5.3.5. Organizational Structure
This is the structure that lays out the duties and responsibilities of the personnel employed in an organization. The organization and official responsibilities for security vary:
• BoD, CEO, BoD Committee
• CFO, CIO, CSO, CISO
• Director, Manager
• IT/IS Security
• Audit
Audit should be separate from implementation and operations to ensure that:
1. Independence is not compromised
2. Responsibilities for security are defined in job descriptions
3. Senior management has ultimate responsibility for security
4. Security officers/managers have functional responsibility
Figure 5.6: Security-Oriented Organization Chart
5.3.6. Roles and Responsibilities
The best practices to ensure that employees play their roles and responsibilities effectively include:
• Least Privilege
• Mandatory Vacations
• Job Rotation
• Separation of Duties
This encompasses the roles and responsibilities of the:
1. Owners: Determine security requirements
2. Custodians: Manage security based on requirements
3. Users: Access as allowed by security requirements
5.3.7. Information classification
Information can be classified based on the following:
1. Not all information has the same value
2. Need to evaluate value based on CIA (confidentiality, integrity, availability)
3. Value determines protection level
4. Protection levels determine procedures
5. Labeling informs users on handling
Governments classify information as:
1. Top Secret
2. Secret
3. Confidential
4. Sensitive but Unclassified
5. Unclassified
Private Sector classifications:
1. Confidential
2. Private
3. Sensitive
4. Public
The criteria used when classifying information include:
1. Value
2. Age
3. Useful Life
4. Personal Association
Revision Questions
Exercise 1. Explain two techniques used in implementing technical controls.
Example. Explain the purpose of Issue-Specific Security Policy (ISSP)
Solution: Issue-Specific Security Policy provides detailed, targeted guidance to instruct the organization in the secure use of technology systems. It begins with an introduction to the fundamental technological philosophy of the organization and serves to protect the employee & organization from inefficiency/ambiguity. It documents how the technology-based system is controlled, identifies the processes & authorities that provide this control, and serves to indemnify the organization against liability for inappropriate or illegal system use.
Exercise 2. Explain the procedure of protecting the computer against data loss.
Solutions to Exercises
Exercise 1.
Access control lists: ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file. They include user access lists, matrices, & capability tables that govern rights & privileges. They can control access to file storage systems, object brokers, or other network communications devices.
Configuration rules: Configuration rules are specific configuration codes entered into security systems to guide the execution of the system when information is passing through it. Rule policies are more specific to system operation than ACLs & may or may not deal with users directly. Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed.
Exercise 2.
Data loss is one of a computer user's worst nightmares, and can be prevented, or at least made tolerable, by taking a few steps. To avoid losing valuable data: i) Keep the computer clean and cool by following the previous steps. This will ensure that it won't over-heat, which is one of the leading causes of hard disk failure. ii) Keep backups; there are a variety of cheap backup media today. CD-Rs or DVD-Rs are one of the most cost-effective methods of backing up large amounts of data. Zip drives & Jazz drives are also popular methods of backing up data onto disks. iii) Save your work often. Or better yet, set the Autosave feature in Microsoft Word to 2 or 3 minutes.