Session 2

The document provides an overview of key concepts in information security and risk management including defining information security, the CIA triad, access controls, and the 12 categories of threats. It also describes the role of information security policy in developing contingency plans.


Course : COMP8042 – IT Risk Management and Audit
Period : February 2023

An Overview of Information Security and Risk Management
Session 02
KDS – Name SME


Upon completion of this material, you should be able to:
1. Define and explain information security
2. Describe the role of information security policy in the organization
3. Identify and explain the basic concepts and phases of risk management
Information Security

Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability. These characteristics are known as the C.I.A. triad. The protection extends to the technology that stores, processes, and transmits the information, and is achieved through a variety of protection mechanisms such as policy, training and awareness programs, and technology.
Key Information Security Concepts (1)

• Access—A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
• Asset—The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data. An asset can also be physical, such as a person, a computer system, hardware, or other tangible objects.
• Attack—An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
• Control, safeguard, or countermeasure—Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
Key Information Security Concepts (2)

• Exploit—A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker.
• Exposure—A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
• Loss—In this context, a single instance of an information asset that suffers damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
• Risk—The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of the risk they are willing to accept.
Key Information Security Concepts (3)

• Subjects and objects of attack—A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
• Threat—Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat.
• Threat agent—The specific instance or a component of a threat. For example, the threat source of trespass or espionage is a category of potential danger to information assets, while an external professional hacker is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as acts of God/acts of nature.
Key Information Security Concepts (4)

• Threat event—An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. This term is commonly used interchangeably with the term attack.
• Threat source—A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent hackers, as part of the threat source acts of trespass or espionage, purposely threaten unprotected information systems, while threat agent severe storms, as part of the threat source acts of God/acts of nature, incidentally threaten buildings and their contents.
• Vulnerability—A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
The 12 Categories of Threats

Threat Categories
• Acts of human error or failure:
– Acts performed without intent or malicious purpose by authorized users
• Compromises to intellectual property (IP):
– Breaches in the controls placed around IP such as copyrights, trade secrets, trademarks, patents
– Most common IP breach: software piracy
• Deliberate acts of trespass: unauthorized individual gains access to information being protected
– Hacker: uses software to gain access to information illegally
Threat Categories (continued)

• Deliberate acts of information extortion:
– Demanding compensation for the return or nondisclosure of information obtained by attacker or trusted insider
• Deliberate acts of sabotage or vandalism:
– Attempts to destroy an asset or damage the image of an organization
– Cyberterrorist: hacks systems to conduct terrorist activities through network or Internet pathways
• Deliberate acts of theft:
– Illegal taking of another’s property
Threat Categories (continued)

• Deliberate Software Attacks:
– Malware:
• Malicious code or malicious software components designed to damage, destroy, or deny service to the target system
• Includes viruses, worms, Trojan horses, logic bombs, backdoors, denial of service (DoS), and distributed denial of service (DDoS) attacks
Threat Categories (continued)

• Viruses:
– Segments of code that perform malicious actions
– Attached to existing programs
– Macro virus: embedded in automatically executing macrocode; common in word processing documents, spreadsheets, database applications
– Boot virus: infects key operating system files
• Worms:
– Malicious programs that replicate themselves without requiring another program
– Can replicate through email, Web servers, network shares
Threat Categories (continued)

• Backdoors and Trapdoors:
– A payload carried by a virus or worm that installs on a system allowing penetration and control of the system remotely
– Examples: Subseven, Back Orifice
• Polymorphism:
– Virus or worm that evolves, changing its size and appearance over time
Threat Categories (continued)

• Propagation Vectors:
– Ways that malicious code is spread from one system to another
– Trojan: a common propagation method in which the infected program appears to be a desirable program
– Social engineering: getting the user to perform an action that enables the attack or infection
• Virus and Worm Hoaxes:
– Require as much time and effort to combat as real virus and worm threats
Threat Categories (continued)

• Forces of Nature (force majeure):
– Unexpected and often unpredictable
– Includes fire, flood, earthquake, lightning, hurricanes, volcanic eruption, insect infestation
– Often affect personnel as well as equipment
• Deviations in Quality of Service, by Service Providers:
– Products or services not delivered (electricity, water, network bandwidth, etc.)
Threat Categories (continued)

• Technical Hardware Failures or Errors:
– Defects that cause a system to perform outside of expected parameters
– Causes unreliable service or lack of availability
– Errors can be intermittent or terminal
• Technical Software Failures or Errors:
– Includes bugs and untested failure conditions
– May include intentional shortcuts left by programmers for benign or malicious reasons
• Technical Obsolescence:
– Antiquated or outdated infrastructure leads to unreliable and untrustworthy systems
THE ROLE OF INFORMATION SECURITY POLICY IN DEVELOPING CONTINGENCY PLANS

Policy represents a formal statement of the organization’s managerial philosophy—in the case of information security policies, the organization’s InfoSec philosophy. This policy then becomes the basis for planning, operation, and maintenance of the InfoSec profile.
• Key Policy Components. Policies comprise a set of rules that dictate acceptable and unacceptable behavior within an organization. Policies should not specify the proper operation of equipment or software—this information should be placed in other documents called standards, procedures, practices, and guidelines. Policies define what you must do and not do, whereas the other documents focus on the how.
• Types of InfoSec Policies:
– Enterprise information security policy (EISP)
– Issue-specific security policies (ISSP)
– Systems-specific security policies (SysSP)
Information Security Policy in Developing Contingency Plans

• Policy is needed to enforce requirements for protection of information before, during, and after an incident
• Information security is primarily a management problem, not a technical one
• Shaping policy is difficult because:
– It must never conflict with laws
– It must be properly administered
Key Policy Definitions

• Policy:
– A plan or course of action used to convey instructions from senior management to those who make decisions, take actions, and perform duties
– An organizational law that dictates acceptable and unacceptable behavior, and defines penalties for violations
• Standard:
– Detailed statement of what must be done to comply with policy
– De facto standard – informal standard
– De jure standard – formal standard
Key Policy Definitions (continued)

• Mission: written statement of an organization’s purpose
• Vision: written statement about organization’s goals
• Strategic planning: process of moving the organization toward its vision
• Information security policy: provides rules for the protection of information assets
• 3 types of security policy:
– Enterprise information security policy
– Issue-specific security policies
– Systems-specific security policies
Enterprise Information Security Policy

• Enterprise Information Security Policy (EISP):
– Also called general security policy, IT security policy, or information security policy
– An executive-level document that sets the strategic direction, scope, and tone for all security efforts
– Contains the requirements to be met
– Assigns responsibilities for areas of security
– Addresses legal compliance
Issue-Specific Security Policy

• Issue-Specific Security Policy (ISSP):
– Addresses specific areas of technology
– 3 common approaches to creating ISSPs:
• Independent ISSP documents, each tailored to a specific issue
• Single comprehensive ISSP document covering all issues
• Modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements
Issue-Specific Security Policy (continued)

• Statement of Policy: defines scope, who is responsible for implementation, and the technologies and issues being addressed
• Authorized Access and Usage of Equipment: defines who can use the technology and how it can be used
• Prohibited Usage of Equipment: defines what the technology cannot be used for
• Systems Management: defines what responsibilities belong to management and to users
Issue-Specific Security Policy (continued)

• Violations of Policy: specifies penalties and how to report suspected violations
• Policy Review and Modification: procedures and timetable for periodic review to keep it relevant
• Limitations of Liability: indicates that the company will not protect nor be liable for users’ unauthorized use of equipment
Systems-Specific Policy

• Systems-Specific Security Policies (SysSPs):
– Standards and procedures to be used when configuring or maintaining systems
– Two general groups:
• Access control lists (ACLs): define rights and privileges of a particular user to a particular system
• Configuration rules: specific configuration codes entered into security systems
Systems-Specific Policy (continued)

• ACL Policies:
– Are translated into sets of configurations to control access to systems
– Regulate who, what, when, and where access can occur
– Also called capability tables, user profiles, or user policies
• Rule Policies:
– Specific to the operation of a system, such as configuration for firewalls, intrusion detection systems, and proxy servers
Policy Management

• Policies are dynamic documents that change and grow, and must be disseminated in the organization
• Security policies must contain:
– Individual responsible for the policy
– Schedule of reviews to ensure currency and accuracy
– Mechanism for revision recommendations to be made (preferably anonymously)
– Optionally, policy management software to manage creation, revision, and dissemination of policy
OVERVIEW OF RISK MANAGEMENT

One part of information security is risk management, which is the process of identifying and controlling the risks to an organization’s information assets.

All managers are expected to play a role in the risk management process, but information security managers are expected to play the largest roles. Very often, the chief information officer (CIO) will delegate much of the responsibility for risk management to the CISO.

Risk management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated. This process involves discovering and understanding answers to some key questions with regard to the risk associated with an organization’s information assets:
1. Where and what is the risk (risk identification)?
2. How severe is the current level of risk (risk analysis)?
3. Is the current level of risk acceptable (risk evaluation)?
4. What do I need to do to bring the risk to an acceptable level (risk treatment)?

The various components of risk management and their relationships to one another are shown below.
Assessing Value in Information Assets

As each information asset is assigned to its proper category, posing the following basic questions can help you develop the weighting criteria to be used for information asset valuation or impact evaluation.

• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the highest profitability?
• Which information asset is the most expensive to replace?
• Which information asset is the most expensive to protect?
• Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
Risk Identification

• Identify, classify, and prioritize information assets
• Goal: protect assets from threats
• Identify threats
• Identify vulnerabilities of each asset
• Identify controls that will limit possible losses in the event of attack
Risk Identification (continued)

• Asset Identification and Valuation:
– Identify each asset and assess its value
– Include people, procedures, data and information, software, hardware, and networking elements
– Classify and categorize the assets
• Information Asset Classification:
– Classify the sensitivity and security priority of the data and devices that store, transmit, or process the data
– Classify the personnel security clearance structure – who is authorized to view what data
– Categories must be comprehensive and mutually exclusive
Risk Identification (continued)

• Information Asset Valuation:
– Determine the criteria for valuation of assets or impact evaluation
• Which asset is most critical to the success of the organization?
• Which asset generates the most revenue? Most profitability?
• Which asset is most expensive to replace? To protect?
• If revealed, which asset would be most embarrassing or cause greatest liability?
Risk Identification (continued)

• Calculate the relative importance of each asset using weighted factor analysis
• Weighted factor analysis:
– Assign each asset a score from 0.1 to 1.0 for each critical factor
– Assign each critical factor a weight from 1 to 100
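The weighted factor analysis just described, carried through on constructed data: an added example, not part of the course material. The factor weights, asset names and per-factor scores are assumptions; the six factors are the valuation questions listed earlier.

```python
"""Weighted factor analysis for ranking information assets. Added example, not
from the course material; the factor weights (1 to 100), asset names and
per-factor scores (0.1 to 1.0) below are constructed."""
from typing import Dict, List, Tuple

# The six valuation questions from the slides, each given an assumed weight.
FACTOR_WEIGHTS: Dict[str, int] = {
    "critical_to_success": 100,
    "generates_revenue": 80,
    "profitability": 60,
    "cost_to_replace": 40,
    "cost_to_protect": 20,
    "embarrassment_or_liability": 100,
}

# Constructed sample scores: how strongly each asset answers each question.
ASSET_SCORES: Dict[str, Dict[str, float]] = {
    "customer_database": {
        "critical_to_success": 1.0, "generates_revenue": 0.8, "profitability": 0.7,
        "cost_to_replace": 0.9, "cost_to_protect": 0.5, "embarrassment_or_liability": 1.0,
    },
    "public_web_site": {
        "critical_to_success": 0.6, "generates_revenue": 0.5, "profitability": 0.4,
        "cost_to_replace": 0.3, "cost_to_protect": 0.2, "embarrassment_or_liability": 0.4,
    },
    "hr_payroll_files": {
        "critical_to_success": 0.5, "generates_revenue": 0.1, "profitability": 0.1,
        "cost_to_replace": 0.4, "cost_to_protect": 0.3, "embarrassment_or_liability": 0.9,
    },
}


def validate(scores: Dict[str, float], weights: Dict[str, int]) -> None:
    """Enforce the slide's ranges: weights 1..100, scores 0.1..1.0, every factor scored."""
    for factor, weight in weights.items():
        if not 1 <= weight <= 100:
            raise ValueError(f"weight for {factor} must be 1..100, got {weight}")
        if factor not in scores:
            raise ValueError(f"no score for factor {factor}")
        if not 0.1 <= scores[factor] <= 1.0:
            raise ValueError(f"score for {factor} must be 0.1..1.0, got {scores[factor]}")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Sum of weight x score over all factors; the maximum is the sum of the weights."""
    validate(scores, weights)
    return round(sum(weights[f] * scores[f] for f in weights), 2)


def rank_assets(assets: Dict[str, Dict[str, float]],
                weights: Dict[str, int]) -> List[Tuple[str, float, float]]:
    """(asset, weighted score, share of the maximum score), most important first."""
    max_score = float(sum(weights.values()))
    ranked = []
    for name, scores in assets.items():
        score = weighted_score(scores, weights)
        ranked.append((name, score, round(score / max_score, 3)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, share in rank_assets(ASSET_SCORES, FACTOR_WEIGHTS):
        print(f"{name:20s} {score:6.1f}  ({share:.0%} of maximum)")
```

With these inputs the customer database scores 352 of a possible 400, so it is the asset the later threat assessment should examine first.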
Threat Assessment

The big question every organization wants to answer is: “Which threats represent the greatest danger to our information assets in our current environment?”

Posing the following questions can help you find an answer by understanding the various threats the organization faces and their potential effects on an information asset:

• Which threats represent an actual danger to our information assets?
• Which threats are internal and which are external?
• Which threats have the highest probability of occurrence?
• Which threats have the highest probability of success?
• Which threats could result in the greatest loss if successful?
• Which threats is the organization least prepared to handle?
• Which threats cost the most to protect against?
• Which threats cost the most to recover from?
Threats-Vulnerabilities-Assets (TVA) worksheet

For example, between Threat 1 and Asset 1 there may or may not be a vulnerability. After all, not all threats pose risks to all assets. If a pharmaceutical company’s most important asset is its research and development database and that database resides on a stand-alone network (i.e., one that is not connected to the Internet), then there may be no vulnerability to external hackers. If the intersection of T1 and A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is much more likely, however, that one or more vulnerabilities exist between the two, and as these vulnerabilities are identified, they are categorized as follows:

T1V1A1—Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1—Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1—Vulnerability 1 that exists between Threat 2 and Asset 1
. . . and so on.
Risk Assessment: Risk Analysis

Mitigation of Applicable Controls
If a vulnerability is fully managed by an existing control, the vulnerability can be set aside. If it is partially controlled, you can estimate what percentage of the vulnerability has been controlled. A simplistic approach involves determining what recommended controls have been implemented as part of the security program, and describing the level of implementation. The organization must research each vulnerability to ensure complete understanding of the issues.

Determining the Likelihood of a Threat Event
Likelihood is the overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited or attacked. This attempt is commonly referred to as a threat event, as described earlier.

Risk Likelihood Scale
Using this scale, the likelihood of a system being damaged by a water leak could be rated as 1, while the likelihood of receiving at least one e-mail that contains a virus or worm in the next year would be rated as 5.
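A worked worksheet for the TVA procedure above and the risk analysis steps that follow it (crossing out empty intersections, labelling each vulnerability TxVyAz, setting fully controlled vulnerabilities aside, and rating the rest by likelihood). This is an added example, not from the course material; the threats, assets, vulnerabilities, the 1-to-5 likelihood scale and the residual weighting (likelihood scaled by the uncontrolled fraction) are assumptions.

```python
"""Threats-Vulnerabilities-Assets worksheet with vulnerability triage. Added example, not
from the course material; threats, assets, vulnerabilities, the 1-to-5 likelihood
scale and the residual weighting are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD_SCALE = range(1, 6)  # assumed: 1 = rare (water leak) .. 5 = near certain (e-mail malware)


@dataclass
class Vulnerability:
    description: str
    likelihood: int    # rating that a threat event will exploit this vulnerability
    controlled: float  # fraction 0.0..1.0 already managed by an existing control

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")
        if not 0.0 <= self.controlled <= 1.0:
            raise ValueError("controlled fraction must be 0.0..1.0")


class TVAWorksheet:
    def __init__(self, threats: List[str], assets: List[str]) -> None:
        self.threats, self.assets = threats, assets  # rows T1.. by danger, columns A1.. by value
        self.cells: Dict[Tuple[int, int], List[Vulnerability]] = {}

    def add(self, threat_no: int, asset_no: int, vuln: Vulnerability) -> str:
        """Record a vulnerability at the T/A intersection; return its TxVyAz label."""
        bucket = self.cells.setdefault((threat_no, asset_no), [])
        bucket.append(vuln)
        return f"T{threat_no}V{len(bucket)}A{asset_no}"

    def labels(self) -> List[str]:
        return [f"T{t}V{i}A{a}" for (t, a), vulns in sorted(self.cells.items())
                for i in range(1, len(vulns) + 1)]

    def render(self) -> str:
        """Grid of vulnerability counts; an intersection with none is crossed out as X."""
        cols = range(1, len(self.assets) + 1)
        lines = [" " * 6 + " ".join(f"A{a}".rjust(4) for a in cols)]
        for t in range(1, len(self.threats) + 1):
            counts = [len(self.cells.get((t, a), [])) for a in cols]
            lines.append(f"T{t}".ljust(6) + " ".join((str(n) if n else "X").rjust(4) for n in counts))
        return "\n".join(lines)

    def open_vulnerabilities(self) -> List[Tuple[str, float]]:
        """Set fully controlled vulnerabilities aside; rate the rest by likelihood
        scaled by the uncontrolled fraction (assumed weighting), highest first."""
        rated = [(f"T{t}V{i}A{a}", round(v.likelihood * (1 - v.controlled), 2))
                 for (t, a), vulns in sorted(self.cells.items())
                 for i, v in enumerate(vulns, 1) if v.controlled < 1.0]
        return sorted(rated, key=lambda row: (-row[1], row[0]))


def build_sample() -> TVAWorksheet:
    """Constructed worksheet echoing the slide: a stand-alone R&D database has no
    vulnerability to external trespass, so the T1/A1 box is crossed out."""
    ws = TVAWorksheet(["Deliberate acts of trespass", "Forces of nature"],
                      ["R&D database (stand-alone network)", "Public web site"])
    ws.add(1, 2, Vulnerability("outdated web framework", likelihood=5, controlled=0.3))
    ws.add(1, 2, Vulnerability("shared administrator password", likelihood=3, controlled=0.0))
    ws.add(2, 1, Vulnerability("server room on a flood plain", likelihood=1, controlled=0.0))
    ws.add(2, 2, Vulnerability("single power feed", likelihood=2, controlled=1.0))
    return ws
```

Calling `build_sample().render()` prints the crossed-out T1/A1 box, and `open_vulnerabilities()` drops the fully controlled power-feed entry and ranks the remaining three for treatment.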
Risk Treatment Strategies

When an organization’s general management team determines that risks from InfoSec threats are creating a competitive disadvantage, it empowers the InfoSec and IT communities of interest to treat those risks. After the project team for InfoSec development has identified the information assets with unacceptable levels of risk, the team must choose one of five basic strategies to treat the risks for those assets:
• Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
• Transference—Shifting risks to other areas or to outside entities
• Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
• Acceptance—Understanding the consequences of choosing to leave an information asset’s vulnerability facing the current level of risk, but only after a formal evaluation and intentional acknowledgment of this decision
• Termination—Removing or discontinuing the information asset from the organization’s operating environment
Managing Risk
