170 likes | 392 Views
Unit Outline Information Security Risk Assessment. Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives Module 6: Case Study Module 7: Summary. Module 2 Definitions and Nomenclature.
E N D
Unit OutlineInformation Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives Module 6: Case Study Module 7: Summary
Definitions and NomenclatureLearning Objectives • Students should be able to: • Define information security risk formally • Understand the nomenclature of risk • Be able to identify threats, vulnerabilities, and assets • Understand different types of risk.
Definitions and NomenclatureConcept Map • Threats exploit system vulnerabilities which expose system assets. • Security controls protect against threats by meeting security requirements established on the basis of asset values. Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000
Definitions and NomenclatureBasic Definitions • Assets- Something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business. • Vulnerability- A weak characteristic of an information asset or group of assets which can be exploited by a threat.1 Consequence of weaknesses in controls. • Threat- Potential cause of an unwanted event that may result in harm to the agency and its assets.1 A threat is a manifestation of vulnerability. • Controls- Implementations to reduce overall risk and vulnerability. • Security Risk- is the probability that a specific threat will successfully exploit a vulnerability causing a loss. 1 http://www.oit.nsw.gov/au/pdf/4.4.16.IS1.pdf
Definitions and NomenclatureInformation Security • Definition – protection of information systems and data from unauthorized (accidental or intentional) modification, destruction, or disclosure. • Protection includes confidentiality, integrity, authentication, access control and availability (CIA3) of these systems and data • Goals – identification, measurement, control, and minimization of security risks in information systems to a level commensurate with the value of the assets protected
Definitions and NomenclatureAssets • Assets– things that agency values wants to protect. Includes all information and supporting items that an agency requires to conduct business. Asset Categories and Threats to Assets • Data • Breach of confidentiality • Loss of data integrity • Denial of service • Corruption of Applications • Disclosure of Data • Organization • Loss of trust • Embarrassment • Management failure • Personnel • Injury and death • Sickness • Loss of morale
Definitions and NomenclatureAssets Cont’d • Operational • Interruption of services • Loss/Delay in Orders • Delay in Shipments • Infrastructure • Electrical grid failure • Loss of power • Chemical leaks • Facilities & equipment • Communications • Legal • Use or acceptance of unlicensed software • Disclosure of Client Secrets
Definitions and NomenclatureVulnerabilities • Vulnerabilities –flaws within an asset (e.g. operating system, router, network, or application), that allow an asset to be exploited by a threat. • Examples • Software design flaws • Software implementation errors • System misconfiguration (e.g. misconfigured firewalls) • Inadequate security policies • Poor system management • Lack of physical protections • Lack of employee training (e.g. passwords on post-it notes in drawers or under keyboards)
Definitions and NomenclatureThreats • Threats are potential causes of events which have a negative impact. • Threats exploit vulnerabilities causing impact to assets • Examples • Denial of Service (DOS) Attacks • Spoofing and Masquerading • Malicious Code • Human Error • Insider Attacks • Intrusion
Definitions and NomenclatureSecurity Risk • Risk –probability that a specific threat will successfully exploit a vulnerability causing a loss. • Evaluated by three distinguishing characteristics: • loss associated with an event, e.g., disclosure of confidential data, lost time, and lost revenues. • likelihood that event will occur, i.e. probability of event occurrence • Degree that risk outcome can be influenced, i.e. controls that will influence the event • Various forms of threats exist • Different stakeholders have various perception of risk • Several sources of threats exist simultaneously
Definitions and NomenclatureTypes of Risk • Physical Asset Risks • Relating to items with physical and tangible items that have an associated financial value • Mission Risks • Relating to functions, jobs or tasks that need to be performed • Security Risks • Integrates with both asset and mission risks
Definitions and NomenclatureWhy is security risk different? • Relatively new field • Constantly changing information systems & vulnerabilities • Human factors related to security • No standard of practice • Lack of formal models • Lack of data • Evolving threats
Definitions and NomenclatureSummary • Assets are valuables which an organization wants to protect. • Vulnerabilities are weaknesses in assets that can be exploited by threats. • Threats exploit vulnerabilities to impact threats • Risk is the potential impact of threats resulting in a loss • Risk can be minimized through use of controls.