Cybersecurity Essentials course

Lec. 8
Security Management and Risk assessment

Dr. Eman zahran


Objectives

• Cyber security aims at understanding, managing and mitigating risk to your
organization's critical assets.

• Risk assessment provides the information necessary to decide on the best
procedural, administrative, and technical controls.
Security Requirement Questions
• Three important questions:
– What are your critical assets?
– How are these assets threatened?
– What can we do to counter those threats?

• Assets may be anything of value within the organization (e.g., networks,
servers, applications, data centers, tools, data, etc.).
Security Management
Definition:
Security management is the formal process of answering the security
requirement questions, ensuring that critical assets are sufficiently
protected in a cost-effective manner.
Tasks:
– Determining security objectives and the organization's risk profile
– Performing a security risk assessment of assets
– Selecting, implementing and monitoring controls
• Numerous national and international standards have been published.

• These standards represent a consensus on best practice in the field of
security management.

• The International Organization for Standardization (ISO), jointly with the
IEC, has revised and consolidated a number of these standards into the
ISO/IEC 27000 series.
ISO 27000 Security Standards
(Status as given in the original lecture table, which dates from about 2007;
every 27000-series document listed below has since been published and revised.)

ISO27000 A standard (proposed at the time) defining the vocabulary and definitions used in
the 27000 family of standards.
ISO27001 Defines the information security management system (ISMS) specification and
requirements against which organizations are formally certified. It replaces
the older Australian and British national standards AS7799.2 and BS7799.2.
ISO27002 (formerly ISO17799) Specifies a code of practice detailing a comprehensive set
of information security control objectives and a menu of best-practice security
controls. It replaces the older Australian and British national standards
AS7799.1 and BS7799.1.
ISO27003 A standard (proposed at the time) containing implementation guidance on the use
of the 27000 series of standards following the "Plan-Do-Check-Act" process quality
cycle. Publication was proposed for late 2008.
ISO27004 A standard (then in draft) on information security management measurement, to
help organizations measure and report the effectiveness of their information
security management systems. It addresses both the security management
processes and the controls. Publication was proposed for 2007.
ISO27005 A standard (proposed at the time) on information security risk management. It
replaces the British national standard BS7799.3. Publication was proposed
for 2008/9.
ISO13335 Provides guidance on the management of IT security. This standard comprises
a number of parts. Part 1 defines concepts and models for information and
communications technology (ICT) security management. Part 2 (then in draft)
provides operational guidance on ICT security. These replace the older series
of five technical reports ISO/IEC TR 13335 parts 1-5.
Steps of the Security Management Process
• Determining the organization's IT security objectives, strategies, and policies.
• Performing an IT security risk assessment that analyzes security threats to IT
assets within the organization, and determines the resulting risks.
• Selecting suitable controls to cost-effectively protect the organization's IT assets.
• Writing plans and procedures to effectively implement the selected controls.
• Implementing the selected controls, including provision of a security awareness
and training program.
• Monitoring the operation, and maintaining the effectiveness, of the selected
controls.
• Detecting and reacting to incidents.
Security Management Process
Plan - Do - Check - Act (figure: the four phases of the cycle)
Plan: establish policy; define objectives and processes
Do: implement and operate policy, controls, processes
Check: assess and measure processes and report results
Act: take corrective and preventative actions (based on audits)
Plan - Do - Check - Act
Plan: Establish security policy, objectives, processes, and procedures;
perform a risk assessment; develop a risk treatment plan with an appropriate
selection of controls or acceptance of risk.

Do: Implement the risk treatment plan.

Check: Monitor and maintain the risk treatment plan.

Act: Maintain and improve the information security risk management process
in response to incidents, reviews, or identified changes.
Organizational Context and Security Policy
• First examine the organization's IT security:
– objectives - the wanted IT security outcomes
– strategies - how to meet the objectives
– policies - identify what needs to be done
• These objectives, strategies and policies should be maintained and updated
regularly, using periodic security reviews, to reflect changing technical and
risk environments.
Security Risk Assessment
• Risk assessment is a critical component of the IT security management
process.

• Without risk assessment:
– resources will not be efficiently deployed;
– some risks are not addressed, leaving the organization vulnerable;
– safeguards may be deployed without sufficient justification, wasting time
and money.
Security Risk Assessment
In an ideal risk assessment:
• every asset is examined;
• every risk is evaluated.

But this is not feasible in practice, due to:
• the rapid rate of change in IT technologies;
• the wider threat environment.
Security Risk Assessment
Because of the wide range of organizations, from very small businesses to
global multinationals and national governments, one of four alternative
approaches is chosen:
1. Baseline
2. Informal
3. Formal
4. Combined

The choice among these approaches is determined by the resources available
to the organization and by an initial high-level risk analysis.
Baseline Approach
• Implement a basic, general level of security controls on all systems using
"industry best practice", i.e. safeguards against the most common threats.
Advantages:
– easy, cheap, can be replicated
Disadvantages:
– gives no special consideration to the organization's own risk exposure
– may give too much or too little security
• Baseline alone is only suitable for small organizations.
Informal Approach
• Conduct an informal, pragmatic risk analysis of the organization's IT
systems.
• Exploits the knowledge and expertise of an internal analyst or an external
consultant.
• Advantages:
– fairly quick and cheap
– does address some organization-specific issues, since the analyst looks at
the organization's own systems
• Disadvantages:
– some risks may be incorrectly assessed
– results depend on the analyst's judgement
• Suitable for small to medium sized organizations.
Formal Approach
• The most comprehensive risk assessment approach.
• Assesses risks using a formal, structured process with a number of stages,
including:
– identification of assets, and of the threats and vulnerabilities to those
assets;
– determination of the likelihood of each risk occurring and the consequences
to the organization.
• Advantages:
– detailed examination of the security risks and strong justification for the
needed controls
• Disadvantages:
– costly and slow, requires expert analysts

Suitable for large organizations.

Combined Approach
• Combines elements of the other approaches:
– starts with the baseline approach on all systems
– then an informal analysis to identify the critical risks
– then a formal assessment on the systems carrying those risks
– iterated and extended over time
• Advantages:
– better use of time and money resources
– better security
• Disadvantages:
– if the initial analysis is inaccurate, some risks remain unaddressed for
some time

Suitable alternative for most organizations.
