90 likes | 286 Views
Unit Outline Qualitative Risk Analysis. Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3: Determine Threats and Controls Module 4: Matrix Based Approach Module 5: Case Study Module 6: Summary.
E N D
Unit OutlineQualitative Risk Analysis Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3:Determine Threats and Controls Module 4: Matrix Based Approach Module 5: Case Study Module 6: Summary
Determine Threats and ControlsLearning Objectives • Students should be able to: • Identify threats • Understand different types of controls • Recognize the different functions of controls
Determine Threats and ControlsIdentification of Threats • Threat- Potential cause of an unwanted event that may result in harm to the agency and its assets. A threat is a manifestation of vulnerabilities • Malicious • Malicious Software (Viruses, worms, trojan horses, time bomb logic bomb, rabbit, bacterium) • Spoofing or Masquerading • Sequential or Dictionary Scanning • Snooping (electronic monitoring or “shoulder surfing”) • Scavenging (“dumpster diving” or automated scanning of data) • Spamming • Tunneling • Unintentional • Equipment or Software Malfunction • Human error (back door or user error) • Physical • Power loss, vandalism, fire/flood/lightning damage, destruction Source: http://www.caci.com/business/ia/threats.html
Determine Threats and ControlsFunctions of Controls • Security Controls- Implementations to reduce overall risk and vulnerability • Deter • Avoid or prevent the occurrence of an undesirable event • Protect • Safeguard the information assets from adverse events • Detect • Identify the occurrence of an undesirable event • Respond • React to or counter an adverse effect • Recover • Restore integrity, availability and confidentiality of information assets Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and ControlsControls • Organizational & Management Controls • Information security policy, information security infrastructure, third party access, outsourcing, mobile computing, telecommuting, asset classification and control, personnel practices, job descriptions, segregation of duties, recruitment, terms and conditions of employment, employee monitoring, job terminations and changes, security awareness and training, compliance with legal and regulatory requirements, compliancy with security policies and standards, incident handling, disciplinary process, business continuity management, system audits • Physical & Environmental Controls • Secure areas, equipment security, clear desk and screen policy, removal of property Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and ControlsOperational Controls • Operational Controls • Documentation, configuration and change management, incident management, software development and test environment, outsourced facilities, systems planning, systems and acceptance testing, protection against malicious code, data backup, logging, software and information exchange, security of media in transit, electronic commerce security, electronic data interchange, internet commerce, email security, electronic services, electronic publishing, media Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and ControlsTechnical Controls • Technical Controls • Identification and authentication, passwords, tokens, biometric devices, logical access control, review of access rights, unattended user hardware, network management, operational procedures, predefined user access paths, dial-in access controls, network planning, network configuration, segregation of networks, firewalls, monitoring of network, intrusion detection, internet connection policies, operating system access control, identification of terminals and workstations, secure logon practices, system utilities, duress alarm, time restriction, application access control and restriction, isolation of sensitive applications, audit trails and logs Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and ControlsSummary • Threats exploit vulnerabilities to harm assets. • Controls are used to diminish or prevent the impact of threats. • Controls come in three types: • Organizational and Management Controls • Physical and Environmental Controls • Operational Controls