Information Systems Security


Information Systems Security: Risk Management

Alignment

Glenmeade Vision: To provide a personalized experience to our customers

Business Objective(s): To reach out to the customers and know their preferences, likes and dislikes. Develop a Tastemasters program.

Marketing Objectives: Get to the customer directly and most efficiently
- Various marketing programs: freebies, sponsorships

Ops Objectives
- Various operations programs: on-time delivery incentives, etc.

IT Objectives: Implement a Customer Relationship Management system. Buy a state-of-the-art system.
- Various IT programs: new rollouts, system training, IT project management
© G. Dhillon
All Rights Reserved
Aspiration / Vision (diagram slides; no further text)
Security is a business enabler

- Security allows me to do something I couldn't do [safely] otherwise/before
- Added value: security is part of the product
  - Electronic commerce
  - Online banking
  - Online brokerage
- Helps make the sale because of security
- Revenue generated as a result of security
- Security is not the product; it allows me to do business

Business enabler (diagram slide)
Reality

For a range of reasons companies have always been under pressure to cut IT costs, perhaps by outsourcing, and to justify expenses. When the choice is between keeping the "shop running" and securing it, protection mechanisms take a back burner.
Risks

The same alignment map, with the risks each objective carries:

Glenmeade Vision: To provide a personalized experience to our customers
- Risks: availability; personal privacy; data ownership; data flow; integrity; …

Business Objective(s): To reach out to the customers and know their preferences, likes and dislikes. Develop a Tastemasters program.

Marketing Objectives: Get to the customer directly and most efficiently
- Various marketing programs: freebies, sponsorships
- Risks: inherent risks (Doubleclick type); business continuity risks

Ops Objectives
- Various operations programs: on-time delivery incentives, etc.
- Risks: …

IT Objectives: Implement a Customer Relationship Management system. Buy a state-of-the-art system.
- Various IT programs: new rollouts, system training, IT project management
- Risks: system development risks; project risks
Risk Management

The same alignment and risk map, with the risks turned into questions:

- Vision / business objective (availability, personal privacy, data ownership, data flow, integrity, …): What is the probability that personal privacy will be compromised when personally identifiable information is accessed in an unauthorized manner?
- IT objective (system development risks, project risks): What is the probability of unauthorized access?
- Marketing objective (inherent risks, Doubleclick type; business continuity risks) and Ops objective: as on the previous slide.
Answer

- Calculate the probability of occurrence of the negative event (a privacy breach or unauthorized access in this case)
- What is going to be the cost to mend the privacy breach?
- BINGO!! R = P × C: the risk is the probability of the event multiplied by its cost, i.e. the expected loss. Because it is a single number in currency units, the same formula lets you rank risks against each other and weigh each one against the price of the control that would reduce it.
Communicating Risk

A well-formed risk statement answers six questions:

- Asset: what are you trying to protect?
- Threat: what are you afraid of happening?
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Impact: what is the impact to the business?
- Probability: how likely is the threat given the controls?
Reference Documents

Publications to help you determine your organization's risk management maturity level include:

- National Institute of Standards and Technology: Security Self-Assessment Guide for Information Technology Systems (SP 800-26)
- IT Governance Institute: Control Objectives for Information and Related Technology (CobiT)
- International Organization for Standardization: ISO Code of Practice for Information Security Management (ISO 17799, since renumbered ISO/IEC 27002)
What's Risk Management?

Formally defined: "The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets."

More simply put: "Determine what your risks are and then decide on a course of action to deal with those risks."

Even more colloquially: what's your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress?
Risk Management Maturity Assessment

Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized
Classify
Risk management: classification

The four application types, with the level of each kind of risk:

- Strategic (inherent risks): outcome risk high; operational risk low; process risk low
- High Potential: what risk? Planning needed
- Key Operational: outcome risk low; operational risk high; process risk medium
- Support: outcome risk low; operational risk low; process risk high

Key Operational and Support risks can be assessed and predicted.
Typical concerns

- Strategic: outcome risks
- High Potential: opportunity and financial risks?
- Key Operational: operational risks
- Support: process-based risks

Concerns listed on the slide:
- Lack of strategic framework: poor business understanding
- Conflicts of strategy and problems of coordination
- IT supplier problems
- Poor management of change
- Senior management not involved
- Large and complex projects; too many stakeholders (listed twice on the slide)
- Rigid methodology and strict budgetary controls
- Too much faith in the 'technical fix'
- Use of technology for its novelty value
- Poor technical skills in the development team
- Inexperienced staff
- Poor testing procedures
- Poor implementation
- Lack of technical standards
Generic CSFs for different applications

For every quadrant (Strategic; High Potential, i.e. R & D projects; Key Operational; Support) the slide lists the same three critical success factors: time, quality and cost.
Risk management: core strategies

One core strategy per quadrant, in the slide's grid order:
- Strategic: CONFIGURE
- High Potential: COMMUNICATE
- Key Operational: CONTROL
- Support: CONSTRAIN
Risk management: directions - 1

The four quadrants carry four kinds of risk: Strategic, business and corporate risks; High Potential, opportunity and financial risks; Key Operational, operational risks; Support, process-based risks. Which direction to take depends on whether the risk is controllable and whether it is predictable:

- Controllable and predictable: no problem, carry out plans
- Controllable and unpredictable: practice quick response to manage as events unfold
- Uncontrollable and predictable: emphasise forecasting and thus "steer around" these events
- Uncontrollable and unpredictable: develop a contingency planning system
Risk management: directions - 2

Context oriented risk assessment: the risk outcomes of a system are shaped by its history, its external context, its internal context and its content (the business processes). The same four quadrants apply: Strategic, business and corporate risks; High Potential, opportunity and financial risks; Key Operational, operational risks; Support, process-based risks.
Risk Management Practices

Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed, or at least every 3 years
Step 1 - Identify Critical IT Assets
- Output: critical assets list
- ITS-RM Toolbox: 1. criteria; 2. template

Step 2 - Assess Risks
For each critical asset:
- Weigh likelihood and impact of threats to each asset
- Prioritize threats
- Select response strategies
- Develop remediation plan
- Output: remediation plan
- ITS-RM Toolbox: 1. threat scenarios; 2. response strategies; 3. remediation plan template and example

Step 3 - Mission Continuity Planning
Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed.
- Outputs: disaster recovery plan; interim manual procedures
- ITS-RM Toolbox: 1. disaster recovery plan example; 2. interim manual procedures example

Step 4 - Evaluation and Reassessment
Required at least once every three years
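The well-formed risk statement, the R = P × C calculation and step 2 above (weigh likelihood and impact, prioritize threats, select response strategies) combined in one runnable Python example. This is an added illustration, not material from the deck or from any ITS-RM toolbox; the asset names echo the Glenmeade scenario, but the threats, vulnerabilities, probabilities, costs, the controllable/predictable flags and the proposed control are constructed, hypothetical figures.

```python
"""Worked risk register: the six-part risk statement, R = P * C, prioritisation and
the controllable/predictable direction table. Added example; all figures constructed."""
from dataclasses import dataclass, replace

# Direction table from the "directions - 1" slide, keyed by (controllable, predictable).
DIRECTIONS = {
    (True, True): "no problem: carry out plans",
    (True, False): "practice quick response to manage as events unfold",
    (False, True): "emphasise forecasting and steer around these events",
    (False, False): "develop a contingency planning system",
}


@dataclass(frozen=True)
class RiskStatement:
    asset: str          # what are you trying to protect?
    threat: str         # what are you afraid of happening?
    vulnerability: str  # how could the threat occur?
    mitigation: str     # what is currently reducing the risk?
    probability: float  # P: likelihood per year given the controls in place, 0..1
    cost: float         # C: cost to mend, i.e. the impact to the business
    controllable: bool  # can we influence whether it happens?
    predictable: bool   # can we see it coming?

    def __post_init__(self):
        # A probability outside [0, 1] or a negative cost makes R meaningless; refuse it.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be in [0, 1], got {self.probability}")
        if self.cost < 0:
            raise ValueError(f"cost must be non-negative, got {self.cost}")

    def exposure(self) -> float:
        """R = P * C: the expected loss per year with current mitigation."""
        return self.probability * self.cost

    def direction(self) -> str:
        return DIRECTIONS[(self.controllable, self.predictable)]

    def text(self) -> str:
        """Render the statement in the order the slide asks its six questions."""
        return (f"{self.asset}: {self.threat}, via {self.vulnerability}; "
                f"currently reduced by {self.mitigation}. "
                f"P={self.probability:.0%}, C={self.cost:,.0f}, "
                f"R={self.exposure():,.0f} per year. Direction: {self.direction()}.")


def prioritize(register):
    """Highest expected loss first: the order in which threats get remediated."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def control_pays_off(risk, new_probability, annual_control_cost):
    """'Commensurate with the value of the protected assets': a control is worth buying
    when the exposure it removes exceeds its own annual cost.
    Returns (worth_it, net_benefit_per_year)."""
    after = replace(risk, probability=new_probability, mitigation="proposed control")
    saved = risk.exposure() - after.exposure()
    return saved > annual_control_cost, saved - annual_control_cost


# Constructed register for the Glenmeade scenario (hypothetical figures).
REGISTER = [
    RiskStatement("CRM customer records (PII)", "unauthorized access",
                  "over-broad export rights in the marketing role",
                  "role-based access control",
                  probability=0.20, cost=500_000, controllable=True, predictable=False),
    RiskStatement("on-time delivery system", "outage during peak season",
                  "single hosting supplier", "supplier SLA",
                  probability=0.10, cost=2_000_000, controllable=False, predictable=True),
    RiskStatement("Tastemasters sponsorship data feed", "partner misuse of preference data",
                  "third-party ad network (Doubleclick type) holds raw data",
                  "contract clause",
                  probability=0.50, cost=50_000, controllable=False, predictable=False),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(r.text())
    ok, net = control_pays_off(REGISTER[0], new_probability=0.05, annual_control_cost=30_000)
    print(f"Export data-loss-prevention control pays off: {ok} (net {net:,.0f}/year)")
```

One caveat a practitioner should keep in mind: P here is a likelihood per year, so R is an expected annual loss and can be compared directly with an annual control cost. If P is instead estimated over a project's lifetime, or C mixes one-off and recurring costs, the comparison in control_pays_off no longer holds and the units have to be brought into line first.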