Cissp Chapter01

Uploaded by

thor.586400

Information Security and Risk Management
First Some Terms

• First we have to discuss some terms we will use again and again
• Protocol – an official set of steps or language for communication
• Algorithm – a specific set of steps to solve a problem or do some task
• String – a series of characters. Example: if a character can be a-z or 0-9, an 8 character string might be “ar01z14b”
CIA
CIA… wrong CIA

CIA are the main 3 “objectives” of security

CIA Security Services and Controls
Confidentiality (53)

• Protects the data from unauthorized disclosure
• Ensures the necessary level of secrecy is enforced at each junction of data processing
• Confidentiality usually implements encryption
Confidentiality

The objective of confidentiality applies to both data and system information and is sometimes referred to as the secrecy object. To ensure confidentiality, information must be protected to eliminate the loss or disclosure of the information. The actions taken to protect information from disclosure include numerous controls put in place to create defense in depth.
Integrity (52)

• Ensuring that the data is not modified.
• Must ensure accuracy and reliability of the information and Information Systems.
• Must not allow unauthorized modification (intentional or accidental*)
Integrity

Integrity ensures that the system resources are protected from unauthorized, unanticipated, or unintentional modifications. This objective can apply to both the data and the hardware system. Data integrity is the fundamental concept that data has not been altered by any manner while in storage, during processing, or while in transit unless authorized.
Integrity Example

“The trouble began Thursday morning, when Mizuho Securities tried to sell 610,000 shares at 1 yen (less than a penny) apiece of a job recruiting firm called J-Com Co., which was having its public debut on the exchange. It had actually intended to sell 1 share at 610,000 yen ($5,041).”

http://www.msnbc.msn.com/id/10394551/ns/business-world_business/t/botched-stock-trade-costs-japan-firm-m/#.Tj350YKZhBk
Integrity

• Hashes and signed messages are examples of how to ensure integrity (we will talk about hashes and digital signatures in Chapter 4… don’t worry about them too much now)

Example
MD5: 164731747fc7236d799e588f60efbbe7
Availability (51)

• The ability to access data and systems by authorized parties
• This is very easy to attack and hard to defend against.
• Attacks are often DoS type attacks.

Example of Availability attack:
• Taking down a power grid
• Stopping stock market trades

Availability

Availability ensures accessibility to all hardware, software applications, and data throughout the system. Availability concepts include hardware and data physical availability, system hardware redundancy, connection and transmission availability, and restoration of services, systems, and data as required.
Parkerian Hexad

In 2002, Donn B. Parker, currently a retired information security consultant and researcher, introduced an expanded version of the CIA model that added three additional elements.

The security model was later renamed the Parkerian Hexad in honor of Parker.
Possession/Control

It was added to protect against the idea that confidential data can be possessed and controlled by an unauthorized individual or party without actually violating or breaching confidentiality. This component also addresses the protection of public data that may be owned and copyrighted.

Ex: Articles, books, news publications, scholarly journals, etc. need to be protected even though they are technically available for anyone to view. EFS is another example.
Authenticity

Authenticity refers to the assurance that a message, transaction, or other exchange of information is from the source it claims to be from. Authenticity involves proof of identity.

Today, knowing exactly who you are communicating and sharing data with is key when doing business over the web.

Ex: performing bank transfers, checking credit reports and scores, and paying bills.
Utility

Utility simply refers to the usefulness of data.

It focuses on a much overlooked concept when it comes to data. The data may meet five of the six PH components (confidentiality, integrity, availability, authenticity, possession/control), but is it in a useful state?

Ex: Sending an encrypted USB drive to a colleague but then forgetting to send the key to decrypt it. Five out of the six components, all except utility, are met.
Security and Access Control
Access vs. Security

• When considering security it is important to realize that it is impossible to obtain perfect security. Security is not an absolute. Instead security should be considered a balance between protection and availability.

• It is possible to have unrestricted access to a system, so that the system is available to anyone, anywhere, anytime, through any means. However, this kind of random access poses a danger to the integrity of information.

• On the other hand complete security of an information system would not allow anyone access at any given time.
Access vs. Security
We have to balance

Balancing Security and Access – Too much security might make access hard to get and people will stop using the system. On the other hand, a too easy access protocol might be a security hole for the network. A balance must be achieved between those two major “players”.
Security Control by Functional Types

Physical Controls
• Facility Protection
• Security Guards
• Locks
• Monitoring
• Environmental Controls
• Intrusion Detection

Technical Controls
• Logical Access Control
• Cryptographic Controls
• Security Devices
• User Authentication
• Intrusion Detection
• Forensics

Administrative Controls
• Policies
• Standards
• Procedures & Practice
• Personnel Screening
• Awareness Training
Security Control by Categories

“We have to use a combination of controls to help ensure that the organizational processes, people, and technology operate within prescribed bounds.”

Preventive Controls
- Prevent attempts to exploit vulnerabilities
- Ex: encryption of files

Detective Controls
- Warn of attempts to exploit vulnerabilities
- Ex: Intrusion Detection Systems (IDS)

Corrective Controls
- Correct errors or irregularities that have been detected
- Ex: Restoring from a backup
Security Control by Information States

“Information security involves protecting information assets from harm or damage.”

During Storage
• Information Storage Containers
• Electronic, physical, human

During Transmission
• Physical
• Electronic

During Processing (use)
• Physical
• Electronic
Security Management
Security Management

Now that we know the 3 principles of security let’s talk about how we manage security.

Security Management is the creation, implementation and maintenance of an organization’s security program.
Security Program
• A Security Program is the methods a company uses to protect the company’s assets
• Any good security program should be “top down” with an ultimate goal. In this approach management creates the vision and lays out the framework. It does not make sense just to run about locking down machines without a vision. Though this is often how things are actually done.*
• A security program requires balanced application of technical and non-technical methods!*
(more)
Security Program Development

• A program is more than just a policy! It’s everything that protects data.
• Security Program development is a LIFECYCLE!!!

Lifecycle: Plan and organize → Implement → Operate and maintain → Monitor and Evaluate → Start over again
Security Program

It includes (and we will discuss):
• Risk Management
• IS Policies, Procedures, Standards, Guidelines, Baselines
• Information Classification
• Security Education
• Security Organization (Positions/Responsibilities)
Security Program Goals*
• All security programs will have goals. There are 3 main types of goals that you should be aware of:
• Operational goals – These are DAILY goals, very short term goals.
  ▪ Example: install the security patch released today.
• Tactical goals – mid term goals that help to achieve a final goal.
  ▪ Example: create a managed domain and move all workstations into the domain
• Strategic goals – long term objectives.
  ▪ Example: Have all workstations in a domain with centralized security management, auditing, encrypted data access and PKI.
Business Requirements Private vs. Military
What security models and methods an organization uses depends on its goals and objectives.
• Military is generally concerned with CONFIDENTIALITY
• Private business is generally concerned with either availability (ex. Netflix, eBay etc) OR integrity (ex. Banks). Some private sector companies are concerned with confidentiality (ex. Drug companies)
Understand this
• Management is ultimately responsible for security.
  ▪ NOT administrators
  ▪ NOT security professionals
• Management is ultimately responsible
  ▪ let me repeat… MANAGEMENT.
• Management must lead and direct all security programs. They must provide the vision AND support*. Without their support a security program WILL fail. (a story perhaps?)

Let’s REPEAT THOSE LAST CONCEPTS

Management is ultimately responsible for an organization’s security
Information Risk Management
Information Risk Management (73)

• IRM is the process of identifying and assessing risk and reducing it to an acceptable level*
• There is no such thing as 100% security!*
• You must identify risks and mitigate them either with countermeasures or by transferring risk.
Information Risk Management

• Risk is impossible to totally measure, but we must prioritize the risks and attempt to address them!
What are risks*

Some types of risk:
• Physical Damage
• Human Interaction (accidental or intentional action)
• Equipment malfunction
• Inside and outside attacks
• Misuse of Data
• Loss of Data
• Application Error
Information Risk Management

• IRM is ultimately the responsibility of management*
• All organizations should have an IRM policy.
• The IRM policy should support the organization’s mission.
• All organizations should have an IRM team.
• IRM should be a subset of the company’s total Risk Management Policy.
IRM

Goal of IRM is to ensure the company is protected in the most cost effective manner!*
IRM team

When creating an IRM Team:
• Remember the goal is to keep things cost effective.
• Therefore
  ▪ Many companies will not have a large IRM team.
  ▪ IRM team members usually have other full time jobs!
• The team should not just consist of IT staff!
• Senior Management Support is necessary for success*
Risk Management Terms!

• You need to know these terms we are about to cover on the next few slides
Vulnerability*

A software, hardware or procedural weakness that may provide an attacker the opportunity to obtain unauthorized access.

Examples?
• Could be an un-patched application
• Open modems
• Lax physical security
• Weak network protocol
Threat*

A natural or man-made event that could have some type of negative impact on the organization.

• A threat requires a vulnerability to create an impact

Threat Vector

A threat vector is a path that an attacker might take to take advantage of a vulnerability and do harm.

Ex: Fire is a threat that could do harm to your physical environment or resources.

The threat vector, in this case, represents how the fire might originate.
• A component on a circuit board on a server overheats and causes a fire.
• A fuse shorts out and causes a power cable to overheat, causing a fire.
• Air-conditioning in the server room fails, resulting in an extreme amount of heat and causing a fire.
• A room down the hall catches fire and the fire reaches the server room through the ceiling or ventilation.
• The standby power supply batteries overheat and cause a fire.
• The maintenance staff mistakenly leaves a flammable liquid in the room and it catches fire.
• A physical intruder starts a fire in a trash can to cover their tracks.
Threat Agent

An actual person or entity that takes advantage of a vulnerability.
Risk*

The likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.

• Risk ties the vulnerability, threat and likelihood of exploitation together.
Exposure

An instance of being exposed to losses from a threat agent.

• Example: A public web server that has a known vulnerability that is not patched is an exposure.
Countermeasure or Safeguard*

Some control or countermeasure put into place to mitigate the potential risk. A countermeasure reduces the possibility that a threat agent will be able to exploit a vulnerability.

• You can NEVER 100% safeguard something*

Control Matrix
Controls: Functional vs. Assurance

All controls must be evaluated by their functional and assurance requirements.

Functional:
• “Does the solution carry out the required tasks?”*
Assurance:
• “How sure are we of the level of protection this solution provides?”*
Risk Analysis
Risk Analysis (76)

The IRM team will need to analyze risk. But what is risk analysis?
• A tool for risk management, which identifies assets, vulnerabilities and threats.
• Assess possible damage and determine where to implement safeguards.
Risk Analysis Goals

• Identify assets and their values
• Identify vulnerabilities and threats
• Quantify the probability of damage and cost of damage
• Implement cost effective countermeasures!*
• ULTIMATE GOAL is to be cost effective.
• What does that mean exactly?
Value of information and assets?

It is important to understand an asset’s value if you plan on doing risk analysis. So what is something worth?

Note: value can be measured both quantitatively and qualitatively*
2 types of analysis

• Quantitative analysis
• Qualitative analysis

Let’s talk in detail about Qualitative vs. Quantitative specifically in the next couple of slides.
Quantitative

Quantitative analysis attempts to assign real values to all elements of the risk analysis process, including:
• Asset value
• Safeguards’ costs
• Threat frequency
• Probability of incident
• (more)
Quantitative Analysis

• Purely quantitative risk analysis is impossible, as there are always unknown values, and there are always “qualitative” values.
• Examples?
• You can automate quantitative analysis with software and tools. These require tons of data to be collected though, and as such require a long time and effort to complete.
Overview of steps in a quantitative analysis
1. Assign value to an asset
2. Estimate potential loss for each asset and threat combination. (see SLE later)
3. Perform a threat analysis – determine the probability of each threat occurring.
4. Derive the overall loss potential per threat per year.
5. Reduce, Transfer, Avoid or Accept the Risk.
Steps in Quantitative Analysis

Now let’s break each step out more.

Step 1: Assign value to assets

What is something worth?
• Cost to obtain
• Money an asset brings in
• Value to competitors
• Cost to re-create
• Legal liabilities
• Etc…

At the end of step one we must be able to assign a value to each asset.
Step 2: Estimate Loss Potential*

For each asset/vulnerability combination we need to know how much an instance of damage would cost us.
• Physical damage
• Loss of productivity
• Cost of repairing

The expected percentage of damage of the total asset value is called the Exposure Factor (EF)*
Step 2: Estimate Loss Potential*

The expected percentage of damage of the total asset value is called the Exposure Factor (EF)*

Example:
If you have a warehouse with $1,000,000 of value, and the threat is fire, your fire suppression systems might stop a fire at 25% damage; this 25% is your EF.
Step 2: Estimate Loss Potential*

Once we have the EF we use it to determine the Single Loss Expectancy (SLE) of an incident.

SLE = asset value * EF

Step 2: Estimate Loss Potential*

In the warehouse / fire example

SLE = asset value * EF
▪ asset value was $1,000,000
▪ EF was 25% (.25)

SLE = $1,000,000 * .25
SLE = $250,000
Step 3: Perform a Threat Analysis

Figure out the likelihood of an incident.
• Analyze vulnerabilities and rate of exploits.
• Analyze probabilities of natural disasters at your location.
• Review old records of incidents.

In this step we need to calculate the Annualized Rate of Occurrence (ARO)*

Example: if the chance of a fire in any month is 10%, then the ARO = .10 * 12 (1 year), so we can expect an ARO = 1.2
Step 4: Derive the ALE

Derive the Annual Loss Expectancy
• ALE = SLE * ARO

Example:
The ALE for the warehouse fire is
ALE = SLE * ARO
SLE = $250,000
ARO = 1.2
ALE = $250,000 * 1.2
ALE = $300,000

Be able to do these calculations for the exam.

Step 5: Reduce, Transfer, Avoid or Accept the Risk
For each risk you can do the following
• Reduce risk*
  ▪ Install countermeasures to reduce ARO or EF
• Transfer risk*
• Accept risk*
• Avoid risk*
Determining Cost Effective Countermeasures

When determining whether to implement a countermeasure, you MUST be concerned about being cost effective.
Determining Cost Effective Countermeasures

Here is how we determine whether a countermeasure is cost effective.
Determining Cost Effective Countermeasures
1. Compute the ALE without the countermeasure in question
2. Compute ALE2, which is the ALE after installing the countermeasure
3. Add the cost of the countermeasure to ALE2
4. Compare ALE to ALE2
• If ALE > ALE2 then the countermeasure is cost effective
Word Problem

Details:
• The probability of a virus infection per month is 50%.
• If an outbreak occurred your sales staff of 5 would not be able to work for the 4 hours while the systems were rebuilt. Each sales person makes $40/hour.
• IT would require 1 person 4 hours to repair at a cost of $50/hour.
• A certain antivirus system could stop ALL viruses (ok, that’s just to make the math easier) but the cost is 20K per year for this system.

Questions:
• Should you implement the Anti-virus system?
• If so how much are you saving?
• If not how much are you wasting by buying it?
Word Problem Answer
Step 1: Determine SLE
(5 sales * 4 hours each * $40) + (1 IT * 4 hours * $50)
= $1000 cost per incident

Step 2: Determine ARO
ARO = 12 months * .50 likelihood per month = 6

Step 3: Determine ALE
ALE = SLE ($1000) * ARO (6)
ALE = $6000.00
Word Problem Answer

ALE without countermeasure was determined to be $6000

Compute ALE2
ALE2 (ALE after countermeasure) = $0.00
Countermeasure cost = $20,000
ALE2 + countermeasure cost = ($0) + $20,000.00
ALE2 = $20,000

Which is smaller?
ALE ($6,000) or ALE2 ($20,000)
Word Problem Answer

In this case it is NOT cost effective to implement the countermeasure.
Details of Reducing Risk

If the cost per year of the countermeasure is more than the ALE, don’t implement it; instead either:
• Transfer the risk
• Avoid the risk
• Accept the risk
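As an added example (not from the slides), steps 2 to 5 and the countermeasure cost-effectiveness check are carried through in Python on the slides' own warehouse-fire and antivirus word-problem figures; the function and field names are my own, and the break-even figure (the highest yearly cost at which the countermeasure would still pay off) goes one step beyond what the slides compute.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and the ALE vs. ALE2 check.
Added example, not from the slides; helper names are my own, the numbers
are the slides' warehouse-fire and antivirus word-problem figures."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 2: SLE = asset value * EF, where EF is the fraction of the asset
    value expected to be lost in one incident (0.25 for 25%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(probability_per_period: float,
                                  periods_per_year: int = 12) -> float:
    """Step 3: ARO, using the slides' simplification of multiplying the
    per-period likelihood by the number of periods in a year."""
    if not 0.0 <= probability_per_period <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability_per_period * periods_per_year


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step 4: ALE = SLE * ARO."""
    return sle * aro


@dataclass
class CountermeasureDecision:
    ale: float                   # ALE without the countermeasure
    ale2: float                  # ALE with the countermeasure plus its yearly cost
    cost_effective: bool         # the slides' rule: ALE > ALE2
    annual_difference: float     # positive: yearly savings; negative: money wasted
    max_justifiable_cost: float  # highest yearly cost at which it still pays off


def evaluate_countermeasure(ale: float, ale_after: float,
                            annual_cost: float) -> CountermeasureDecision:
    """Steps 1-4 of 'Determining Cost Effective Countermeasures'.
    ale_after is the residual ALE once the countermeasure is in place (the
    slides assume $0 for a countermeasure that stops every incident)."""
    ale2 = ale_after + annual_cost
    return CountermeasureDecision(
        ale=ale,
        ale2=ale2,
        cost_effective=ale > ale2,
        annual_difference=ale - ale2,
        max_justifiable_cost=ale - ale_after,
    )


def warehouse_fire() -> tuple:
    """Slides' example: $1,000,000 warehouse, EF 25%, 10% fire chance per month."""
    sle = single_loss_expectancy(1_000_000, 0.25)      # $250,000
    aro = annualized_rate_of_occurrence(0.10)          # 1.2
    return sle, aro, annual_loss_expectancy(sle, aro)  # $300,000


def antivirus_word_problem() -> CountermeasureDecision:
    """Slides' word problem: 5 sales staff * 4 h * $40 plus 1 IT * 4 h * $50
    per outbreak, 50% chance per month, $20K/year system that stops every
    infection. The slides state the per-incident cost directly, so no EF."""
    sle = 5 * 4 * 40 + 1 * 4 * 50                     # $1,000 per incident
    aro = annualized_rate_of_occurrence(0.50)         # 6
    ale = annual_loss_expectancy(sle, aro)            # $6,000
    return evaluate_countermeasure(ale, ale_after=0.0, annual_cost=20_000)


if __name__ == "__main__":
    sle, aro, ale = warehouse_fire()
    print(f"Warehouse fire: SLE=${sle:,.0f} ARO={aro:.1f} ALE=${ale:,.0f}")
    d = antivirus_word_problem()
    verdict = "cost effective" if d.cost_effective else "NOT cost effective"
    print(f"Antivirus: ALE=${d.ale:,.0f} ALE2=${d.ale2:,.0f} -> {verdict}; "
          f"it would only pay off at <= ${d.max_justifiable_cost:,.0f}/year")
```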
Risk Analysis Flowchart
Total Risk vs. Residual Risk
• No matter what controls you place to protect an asset, it will never be 100% secure. The leftover risk after applying countermeasures is called the residual risk.*
• Total Risk is the risk a company faces if they choose to accept the risk.
(more)
Total Risk vs. Residual Risk
• A control gap* is the protection a countermeasure cannot provide

Conceptual (not actual) formulas*
• Threats x vulnerabilities x asset value = total risk
• (threats x vulnerabilities x asset value) x control gap = residual risk
• Total risk – countermeasures = residual risk

Review of Quantitative
• Assign value to assets
• Estimate potential loss per asset/threat (SLE)
• Estimate likelihood of threat (ARO)
• Estimate Annual Loss per year (ALE)
• Examine available countermeasures and compute the new ALE + countermeasure cost (ALE2) after each is applied
• Determine whether to reduce, transfer, avoid or accept the risk
Qualitative Risk Analysis

Rather than assigning values to everything, qualitative analysis uses subjective methods to analyze risk and determine methods of managing the risk.
• Techniques include
  ▪ Judgment
  ▪ Best practices
  ▪ Intuition
  ▪ Experience
Qualitative*
Specific techniques we will discuss include
• Delphi
• Brainstorming
• Focus groups
• Surveys
• Questionnaires
• Interviews and one-on-one meetings
Delphi
Delphi*

Technique where a group comes together and each member gives an honest opinion of what he or she believes the result of a threat will be.
• The idea is to have everyone express their true ideas and not just go along with what one person dictates.

The results are then compiled and given to group members, who ANONYMOUSLY write down their comments and return them to the analysis group.

These comments are compiled and redistributed for comments until a consensus is reached.

Modified Delphi
A silent form of brainstorming: participants develop ideas individually without a group and submit their ideas to decision makers.
Other Qualitative Methods

Brainstorming –
• a conference technique of solving specific problems, amassing information, stimulating creative thinking, developing new ideas, etc., by unrestrained and spontaneous participation in discussion.

http://dictionary.reference.com/browse/brainstorming

Other Qualitative Methods

Focus groups –
• a representative group of people questioned together about their opinions on political issues, consumer products, etc.

http://dictionary.reference.com/browse/focus+group

Other Qualitative Methods

• Surveys
• Questionnaires
• Interviews and one-on-one meetings
Review of Quantitative and Qualitative

Qualitative cons
• Subjective
• No dollar values
• No standards

Quantitative cons
• Complex calculations
• Extremely difficult without tools
• Lots of preliminary work required
Policies, Standards, Baselines, Guidelines, and Procedures
Policies, Standards, Baselines, Guidelines and Procedures
A security program must have all the pieces necessary to provide overall protection to a company and lay out a long term strategy. Policies, Standards, Baselines, Guidelines and Procedures are part of the security program.

• You NEED to understand the terms in the following slides for the exam. (Policies, standards, baselines, guidelines and procedures)
Security Policy*

An overall GENERAL statement provided by senior management.
• Very generic
• Provides a “mission statement for security”
• Should represent business objectives
• Should be easily understood
• It should be developed to integrate security into ALL business functions and processes*
• (more)

Security Policy

• It should be reviewed and modified as a company changes.
• Policy should be dated and version controlled.
• It should be forward thinking
• It should use strong language (MUST, not should)
• Should be non-technical
Security Policy

Can be one of four types
• Regulatory – ensures an organization is following required regulations (finance, health)
• Advisory – strongly advises employees as to which types of behaviors should/should not take place
• Informative – informs employees of goals and missions relevant to a company, not specific or enforceable
• Directive
System Specific Security Policy
• An organization security policy needs to be technology and solution independent. It outlines the goals and missions, NOT specific ways of accomplishing them.

• A system specific policy represents management’s decision on SPECIFIC technologies and situations. These outline, for example, password policies or data encryption policies. These system specific policies are the structure that provides the support for the organizational security policy.
Standards*

Standards are MANDATORY* actions or rules.
• Defines compulsory* rules.
• Standards give a policy its support and start adding specifics.

Example:
• a standard is “all employees MUST wear their company ID badge at all times”
Baseline

The row of shields above your fighter that protects you from attack by hordes of aliens.
Close actually…

Baselines – the process of establishing a minimum set of protections for a computer system/network in order to protect it from attack by the hordes of script-kiddies and crackers.
• MINIMUM set of protections and configurations
Baseline*

Example: a baseline may require that a system be compliant with some external measurement. Any system must meet these requirements, and changes to the system must be assessed to ensure the baseline is still being met.

• (more)

Baseline

A baseline may also be a technical definition or configuration of a system.

Examples:
• a baseline may specify that all Windows XP systems must have SP2 installed and IIS turned off.
• a baseline may also specify that all Linux systems run SELinux in enforcing mode.

Baseline

Why are baselines important?

Guidelines*

Guidelines are RECOMMENDED actions.
• These cover the gray areas and are approaches that provide flexibility for unforeseen things.
• They are not specific rules, but best practices.

• Can someone provide an example of a guideline?
Procedures*

Detailed step-by-step tasks that should be performed in some situation.
• Lowest level in the policy hierarchy, as they are closest to users and resources.
• Procedures spell out how policy, standards and guidelines will be implemented for specific resources (ex. OS)

Example:
▪ written procedures on OS installation and configuration.
Random Terminology*

You need to understand the following 2 terms for the exam
• Due Diligence*: the act of investigating and understanding a risk a company faces.
• Due Care*: demonstrates that a company has taken responsibility for its activities and has taken necessary steps to protect its assets and employees from threats.
• Not practicing these can lead to charges of negligence.
Due Diligence

Due diligence refers to the investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase.

In the IT world, an organization has an obligation to exercise due diligence to discover risks associated with a large purchase.

Ex: If an organization is planning to purchase a software development company, that organization is obligated to exercise due diligence to determine as much as it can about the company and whether the purchase is a sound decision.

From an IT security perspective, an organization has a responsibility to exercise due diligence to discover risks.
Due Care

Due care is the practice of implementing security policies and practices to protect resources. It ensures that a certain level of protection is applied to protect against losses from known risks. The goal is to reduce the risk to the resources to a manageable level.

Because risks can’t be eliminated, an organization is likely to experience losses. If these losses are due to negligence, then the organization may face legal action against it. However, if the organization took due care to protect the resources but still suffered the loss, it’s less likely that a court will find the organization negligent.
Discussion
Case:
Imagine that a company holds customer data—including names, addresses, birth dates, and credit card data—in cleartext in a database hosted on a web server. The company uses this information when customers make purchases through a website. A hacker checks out the website, discovers the database, and realizes that he can easily retrieve all the data. He steals the data and sells it to identity thieves, who proceed to steal millions of dollars.

Did the company take Due Care?

Situation
A web server accessible by users on the Internet will be attacked. It’s not a matter of if it will happen, but when. Further, if valuable data is on the server, attackers will find it. Even if it does have some protection, such as encryption, it’s still at risk if it’s accessible from the Internet.

Taking due care, the organization would implement security controls to protect the data. For example, administrators could store the customer information on a different server within the private network that isn’t accessible from the Internet but is accessible from the web server.

Additionally, they could encrypt sensitive data on the server to protect against the loss of confidentiality. They don’t need to encrypt the entire database, but instead just encrypt columns holding sensitive data such as credit card data.
Review of Policies, Standards…

We just talked about Policies, Standards, Baselines, Guidelines and Procedures.
• Internalize these terms for the exam
Information Classification
Information Classification

We need to be able to assign value to information; this is Information Classification.
• Data is classified to ensure data is protected in a COST-EFFECTIVE* manner.
• Each classification should have separate handling requirements.
Information Classification

Military vs. private sector concerns
• Military is usually more concerned with confidentiality
• Private Sector is usually more concerned with integrity and availability
Classification Controls

Once data is classified we must take measures in order to protect and manage the data
• Access controls
• Encryption of data in transit* and at rest*
• Data access should be logged and audited
• Periodically review classifications
• Backup and restoration procedures
• Change Control procedures
• Proper data disposal
Positions and Responsibilities
Positions and Responsibilities

Senior management is obviously ULTIMATELY responsible for data security, risk management and pretty much everything else. However let’s look at some of the other positions commonly found and see what their responsibilities are.
• For the exam, you should know all the positions we are about to talk about*
Data Owner*

The data owner is usually a member of management who is in charge of a specific business unit and responsible for the information that the unit possesses.
• Responsible for specifying the classification of data
• Responsible for determining that necessary controls are in place to protect data
• (more)

Data Owner*

• This is a “Business” role
• Classifying data or authorizing data access requests
• Defining backup requirements (not implementing)
• Ensuring security controls are appropriate (not implementing)
• Delegates day-to-day maintenance to the “data custodian”
• Acts on security violation notifications
Data Custodian
Data Custodian*

The Data Custodian MAINTAINS the data day to day.
• Performs backups
• Ensures the availability of data.
• Validates data integrity
• Restores data
• Ensures data retention requirements based on what the data owner specifies
Security Administrator*

• Sets up security configurations on a system as defined by the DATA OWNER*
• Creates accounts
• Sets access rights in support of the policies defined.
• Technical position.

Understand this (security administrator)
• A security administrator’s job is to ensure management’s directives are fulfilled! They do NOT create security policies*
• They also do NOT authorize access to data or resources. They are responsible for ensuring the security controls enforce the access levels that have been specified by the data owner or the management’s policies.
Security Analyst*

Helps define a security program’s elements and ensures the elements are being implemented properly by the technical people and procedures.
• This is NOT an implementation role
• Higher, more strategic level.
Supervisor

More of an HR role; you all know what a supervisor does.
 Managing employees
 Ensuring employees live up to their responsibilities
 Handling HR tasks such as hiring, firing and initiating corrective action
 Informing the security admin of changes to an employee’s position
Data Analyst

 Ensures that data is stored in a way that makes the most sense for its application
 Specifically concerned with information “architecture”: how data is stored in reference to other data, data structures
 Works with data owners to ensure the structures support the business objectives
Process Owner

Responsible for certain business processes (not computer processes ;)

Examples:
 Procurement process
 Hiring process
 Order fulfillment process
User*

Someone who uses the data day to day to accomplish work tasks and business objectives.
 Responsible for following the data and security procedures that have been laid out by management
Auditor*

 Provides a method for independently ensuring that management and shareholders can rely upon the appropriateness of security objectives
 Determines whether the objectives of the controls/methods have been reached
 Determines if practices are in compliance with company or legal requirements
 Should be a 3rd party
Auditor (not in book)

The exam might also refer to an auditor in the role of someone in the company that goes through security or usage logs to determine if data and technical systems are being used/abused/attacked etc.

 This is the form/usage I remember from the exam.
Administrative Controls and Concepts
Separation of Duties*

The idea of ensuring one individual cannot complete a critical task by themselves.
 Reduces the possibility of fraud, sabotage, theft or general abuse
 Subverting separation of duties requires collusion* (next page)
Separation of Duties

Separation of duties is a security principle that ensures that no single person has complete control over a process.

When properly implemented, separation of duties significantly reduces the risk of fraud within an organization.

Implementing separation of duties policies doesn’t eliminate the possibility of fraud, because the two employees could choose to collude to defraud the company.
Separation of Duties – M of N Requirement

An M of N process requires a certain number of individuals to agree prior to action being taken.

M represents the minimum number of individuals that must agree on a course of action.

N represents the total number of individuals involved.
Separation of Duties – Two Man Rule

The two-man rule is a procedure popular in very high-security locations and situations. It features two individuals who must agree upon an action yet are physically separated and must therefore take action independently of each other.
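As an added example (not from the slides), here is how an M of N requirement can be enforced in code when approvals are read from a log: only authorized people count, each person counts once, the requester can never approve their own request, and an explicit rejection vetoes the action. The names and the 2-of-3 policy are constructed; the two-man rule is simply the special case M = N = 2.

```python
# Added example (not from the slides): an M-of-N approval check that enforces
# separation of duties for a critical action. Names and roles are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class MofNPolicy:
    """M distinct approvers out of the N authorized individuals must agree."""
    m: int
    authorized: frozenset  # the N individuals allowed to approve

    def __post_init__(self):
        if not 1 <= self.m <= len(self.authorized):
            raise ValueError("M must be between 1 and N")


def approvals_satisfied(policy, requester, approvals):
    """Return (ok, reason). `approvals` is a list of (approver, decision)
    tuples in the order they would be read from an approval log.

    Rules enforced:
      - only members of the authorized set count (unknown approvers are ignored)
      - the requester may never approve their own request (separation of duties)
      - each person counts once, however many times they clicked approve
      - any explicit rejection from an authorized person vetoes the action
    """
    approving, rejecting = set(), set()
    for who, decision in approvals:
        if who not in policy.authorized or who == requester:
            continue  # no privilege to approve, or self-approval: does not count
        (approving if decision == "approve" else rejecting).add(who)
    if rejecting:
        return False, f"rejected by {sorted(rejecting)}"
    if len(approving) < policy.m:
        return False, f"{len(approving)} of {policy.m} required approvals"
    return True, f"approved by {sorted(approving)}"


# Constructed scenario: a wire transfer needs 2 of 3 finance managers.
POLICY = MofNPolicy(m=2, authorized=frozenset({"alice", "bob", "carol"}))
# The two-man rule is the same check with M = N = 2.
TWO_MAN = MofNPolicy(m=2, authorized=frozenset({"officer_a", "officer_b"}))

if __name__ == "__main__":
    # alice asked for the transfer, so her own approval must not count
    log = [("alice", "approve"), ("bob", "approve"), ("bob", "approve")]
    print(approvals_satisfied(POLICY, "alice", log))  # (False, '1 of 2 required approvals')
    log.append(("carol", "approve"))
    print(approvals_satisfied(POLICY, "alice", log))  # (True, "approved by ['bob', 'carol']")
```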
Least Privilege

An important security principle is the principle of least privilege.

In short, this means that you grant users (or assets) access to what they need to perform their jobs, and no more.

This includes granting permissions to access resources such as files and granting rights to perform actions such as modifying system configurations.
Collusion*

At least two people working together to subvert the security controls.
Hiring Practices*

 All employees should have background checks and be screened* (even janitors etc. in high security environments)
 Everyone MUST sign an NDA, which should protect secrets and address conflicts of interest
 Drug tests
 Education checks
 Reference checks
Rotation of Duties*

 Employees should rotate in their duties

Why?
 For redundancy
 To ensure no-one has too much control over a segment of the business
Job Rotation

A job rotation policy states that an individual in a critical position does not stay in that position for too long.

Primarily used as a fraud prevention mechanism, rotating individuals between positions provides not only for cross training but also for the capability of cross-checking individuals’ work.

Job rotation reduces the possibility of fraudulent actions, repetitive mistakes, or position abuse by retaining an individual for a limited length of time in a critical position.
Mandatory Vacation

Requiring mandatory vacations is a security technique that allows for the review of employee activities.

Most corporate mandatory vacation policies require an individual to take at least one vacation each year for a minimum duration of five days.

During the employee’s absence, various audits may be performed to discover any abnormalities in the employee’s work.
Mandatory Vacations*

Employees MUST take vacations

Why?
 Gives an opportunity for others to discover fraud. If employees don’t want to take a vacation, they might be doing something underhanded and do not want to be found out
 Additionally, it enforces that other people can step in and that the process cannot be disrupted by that employee being absent for whatever reason
Geographic Access Control

Restrictions may be placed on users based upon where they are currently located.

It’s not unusual for a security policy to state that any network access originating outside the continental United States must be blocked.

Additionally, various applications, data, or organization resources may not be available to users logging in remotely.

If a specific company resource or certain data is always accessed only by users in a local office, persons logging in from another location in the country will not be allowed access.

How do we understand location?
Split Knowledge*

A separation of duties concept. An employee only has enough knowledge to perform part of a task.
 Again helps fight fraud.

Example:
 Two managers only know their half of a bank vault combination.
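The vault example above, as an added illustration that is not from the slides: the combination is split into shares with XOR so that every holder is needed to rebuild it, and any holder (or any subset short of all of them) holds only uniformly random bytes that say nothing about the combination. The combination value and the holder names are constructed.

```python
# Added example (not from the slides): split knowledge implemented as XOR
# secret splitting. A vault combination is split into N shares; all N shares
# are needed to rebuild it, and any N-1 shares reveal nothing about it.
import secrets


def split_secret(secret: bytes, n: int) -> list:
    """Return n shares. Shares 1..n-1 are random; share n = secret XOR all others."""
    if n < 2:
        raise ValueError("need at least two holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def combine_shares(shares: list) -> bytes:
    """XOR all shares together; only the complete set recovers the secret."""
    out = bytes(len(shares[0]))  # all-zero bytes of the right length
    for s in shares:
        if len(s) != len(out):
            raise ValueError("shares must be the same length")
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


COMBINATION = b"31-17-05-42"  # constructed vault combination

if __name__ == "__main__":
    holders = ["manager_1", "manager_2"]
    shares = dict(zip(holders, split_secret(COMBINATION, 2)))
    # Both managers present: the combination is recovered.
    print(combine_shares(list(shares.values())) == COMBINATION)  # True
    # One manager alone: the share is random noise, not the combination.
    print(combine_shares([shares["manager_1"]]) == COMBINATION)   # False
```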
Dual Control

 Like split knowledge, but in this case two or more people must be available and active to perform an action.

Example:
 A bank vault has two separate keys that must be turned at the same time to unlock the vault.
Employee Termination*

Companies should have a defined procedure for employee termination, and it must be strictly enforced.
An example policy could be:
 Employee must complete an exit interview
 Employee must surrender ID badges and keys
 Employee accounts must be locked out
 Employee must leave the facility immediately under supervision of a security guard
Security Awareness Training

Any security program MUST provide adequate thought and resources to training.
 Security is only as good as the weakest link.
 Unless your staff is trained on the importance of security, proper security procedures and concepts, and day to day security operations… you are doomed to fail.
 The most expensive and technical controls will be rendered useless by uneducated staff.
 Some security threats (e.g. phishing) can only properly be mitigated by user education
Temporal Access Control, Time of Day Control

Temporal or time-of-day restrictions may be placed on various resources.

For instance, users within a certain department who are not required to work on weekends may have their account logons restricted to only working hours Monday through Friday.
Privacy

Protecting privacy has become increasingly important within IT security.

Two types of data that organizations must take extra steps to protect are:

• Personally Identifiable Information (PII)
• Protected Health Information (PHI)

Ex: Organizations often apply confidentiality principles to protect privacy data such as PII and PHI. This includes using strong access controls to restrict access to the data. It also includes encrypting privacy data as an added layer of protection.
Transparency

The principle of transparency is that it allows anyone to access, view, and test hardware or software systems. During testing by the general public or computer specialists, flaws can be found and announced.

The operation of all encryption algorithms is completely open and known. This allows anyone to test an algorithm in an attempt to find flaws. Conversely, items that are secret or nontransparent are difficult to test and verify.

Ex: a once popular cryptographic algorithm called WEP, or Wired Equivalent Privacy, originating in 1999, was the best algorithm, but by 2001 a flaw had been found in it and it was replaced by WPA (Wi-Fi Protected Access).
Defense in Depth

One of the primary tenets of security is that you’re never done. You can’t just write a security policy, install antivirus software or enable firewalls, and say, “There. We’re safe and secure now.”

Instead, IT security uses the principle of defense in depth to implement several layers of security.

One of the primary benefits of a defense in depth strategy is that even if a single control fails, other controls still provide protection.
Nonrepudiation

Nonrepudiation ensures that a party cannot believably deny (or repudiate) taking an action.

Audit logging and digital signatures are two common methods used to enforce nonrepudiation.

Digital signatures use certificates and public/private key encryption. They also provide authentication, giving assurances of who sent the e-mail.

Ex: e-commerce transactions require you to enter additional information such as the expiration date and the security code on the card. The idea is that only someone with the card in his or her possession knows this additional information.
Implicit Deny

The concept of implicit deny is that access to data or resources is denied unless specific permission has been granted.

Implicit refers to the fact that no action needs to be taken to restrict access. It will just happen automatically.

Explicit refers to actions such as writing rules for a firewall or router that specify access that is granted.

Ex: Providing each user with a key is an explicit action giving permission and granting access. By default, all other users are implicitly denied access because they simply do not have a key.

Implicit deny restricts access to everyone unless they have been explicitly given specific rights to access.
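An added example (not from the slides) that ties implicit deny together with the temporal and geographic restrictions from the earlier slides: the decision function only ever returns True when an explicit allow rule matches, so nobody has to write a deny rule, and each allow rule may be limited to certain weekdays, hours and locations. The groups, resources, schedule and location names are constructed, and the caller is assumed to have already determined the user’s location.

```python
# Added example (not from the slides): an access decision with implicit deny.
# Access is granted only when an explicit allow rule matches; rules may carry
# time-of-day and location constraints. The policy below is constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    group: str                                    # who the rule applies to
    resource: str                                 # what it grants access to
    weekdays: Tuple[int, ...] = tuple(range(7))   # Monday=0 ... Sunday=6
    hours: Tuple[int, int] = (0, 24)              # [start, end) in local time
    locations: Optional[frozenset] = None         # None = any location

    def matches(self, group, resource, when, location):
        if group != self.group or resource != self.resource:
            return False
        if when.weekday() not in self.weekdays:
            return False
        if not self.hours[0] <= when.hour < self.hours[1]:
            return False
        if self.locations is not None and location not in self.locations:
            return False
        return True


def is_allowed(rules, groups, resource, when, location):
    """True only if some explicit rule allows the request (implicit deny)."""
    for rule in rules:
        if any(rule.matches(g, resource, when, location) for g in groups):
            return True
    return False  # nothing matched: denied without any deny rule being written


# Constructed policy: accounting may use the ledger on weekdays 08:00-18:00 from
# the head office only; IT may reach the ticket system any time, from anywhere.
RULES = [
    AllowRule("accounting", "ledger", weekdays=tuple(range(5)), hours=(8, 18),
              locations=frozenset({"head_office"})),
    AllowRule("it", "tickets"),
]

if __name__ == "__main__":
    tue_10 = datetime(2024, 5, 14, 10, 0)  # a Tuesday
    sat_10 = datetime(2024, 5, 18, 10, 0)  # a Saturday
    print(is_allowed(RULES, ["accounting"], "ledger", tue_10, "head_office"))   # True
    print(is_allowed(RULES, ["accounting"], "ledger", sat_10, "head_office"))   # False (weekend)
    print(is_allowed(RULES, ["accounting"], "ledger", tue_10, "remote"))        # False (location)
    print(is_allowed(RULES, ["accounting"], "tickets", tue_10, "head_office"))  # False (no rule)
```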
Chapter - Review

 Q. What is a vulnerability?
 Q. What is an SLE?
 Q. If a warehouse has a value of $1,000,000 and the EF in case of a fire is 30%, what is my SLE?
 Q. Who is ultimately responsible for a company’s security?
Chapter - Review

 Q. Can 100% quantitative risk analysis be done? Why or why not?
 Q. What is the Delphi technique?
 Q. Which of the following is not a method to deal with risk?
  avoidance
  transference
  acceptance
  obfuscation
 Q. What is the primary security purpose of mandatory vacations?
Chapter - Review

 Q. Who classifies data?
 Q. Should a company’s security policy statement include specific technical details on encryption of data in transit?
 Q. What is the ultimate consideration in choosing a safeguard? The safeguard is ______ ______.
 Q. What are the 3 principles of security?


Thank You