Protecting Information Assets - Week 5 - Risk Evaluation. MIS 5206 Protecting Information Assets

Transcription

1 Protecting Information Assets - Week 5 - Risk Evaluation

2 MIS5206 Week 5 Brief intro to Team Project In the News Week 3 & 4 Material Highlights Risk Evaluation Test Taking Tip Quiz

3 Weeks 3&4: Data Classification Process and Models Why is data classification important? Focuses attention on the identification and valuation of information assets Is the basis for access control policy and processes 3

4 Weeks 3&4: Data classification process and models

5 Risk Evaluation Risk evaluation is the process of identifying risk scenarios and describing their potential business impact

6 Risk Evaluation - Key Components Collect Data Analyze Risk Maintain Risk Profile Identify relevant data to enable effective IT-related risk identification, analysis and reporting Develop useful information to support risk decisions that take into account the business impact of risk factors Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes

7 Risk Evaluation - Collect Data (RE-1) Goal: Ensure IT-related risks and opportunities are identified, analyzed and presented in business terms Metric: Cumulative business impact from ITrelated incidents and events not identified by risk evaluation processes

8 Risk Evaluation - Collect Data (RE-1) Process Goal: Identify relevant data to enable effective IT-related risk identification, analysis and reporting Process Metrics: # of loss events with key characteristics not captured or measured Degree to which collected data support Analyzing scenarios and reporting trends Visibility and understanding of the control state Visibility and understanding of the threat landscape

9 Risk Evaluation - Collect Data (RE1) Activity Goals: Establish and maintain a risk data collection model Identify risk factors Collect data on operating environment Collect data on risk events Process Metrics: Existence of a documented risk data collection model # of data sources # of data items with identified risk factors Completeness of Risk event data Affected assets Impact data Threats Controls Measures of the effectiveness of controls Historical data on risk factors

10 RE1: Collect Data summary of goals and metrics

11 RE-1: Collect Data Key Activities RE1.1 Establish and maintain a model for data collection RE1.2 Collect data on the operating environment RE1.3 Collect data on risk events RE1.4 Identify risk factors

12 Risk Evaluation - Collect Data: Roles Board of directors Chief Executive Officer (CEO) Chief Financial Officer (CFO) Chief Risk Officer (CRO) Enterprise Risk Committee Business Management Business Process Owner Risk Control Functions Human Resources Compliance and Audit

13 Risk Evaluation - Collect Data: Roles

14 Risk Evaluation - Key Components Collect Data Analyze Risk Maintain Risk Profile Identify relevant data to enable effective IT-related risk identification, analysis and reporting Develop useful information to support risk decisions that take into account the business impact of risk factors Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes

15 Risk Evaluation - Analyze Risk (RE2)

16

17

18 Annualized loss expectancy (ALE) = Single loss expectancy (SLE) X Annualized rate of occurrence (ARO)

19

20 FIPS 199: Risk event impact ratings

21 FIPS 199: Composite IS risk event impact ratings Example with multiple information types:

22 Security Categorization of Different Types of Information and Information Systems

23

24

25

26

27

28

29 How to prioritize an enterprise s data for protection?

30 How to prioritize an enterprise s data for protection?

31 Analyzing risk to prioritize protection NIST SP Information Security Handbook: A Guide for Managers, page 99 Transforming ordinal risk rankings to interval risk measures

32 Analyzing risk example

33 Analyze Risk

34

35 Maintain Risk Profile

36 Maintain Risk Profile

37 Projected Growth of Data

38 Projected Growth of Data What is a Zetta Byte? A zettabyte is a quantity of information or information storage capacity equal to bytes Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.

39 Projected Growth of Data

40 Projected Growth of Data

41 Projected Growth of Data

42 Data Retention Why have a formal data retention policy? a) Applicable Laws and Regulations b) Resource Limits c) Privacy d) Access e) Security f) Plagiarism and Copyright g) Enforcement

43 Data Retention Why companies need to have a formal data retention policy Practical Concerns Regulatory Concerns Privacy Concerns

44 Data Retention Why companies need to have a formal data retention policy Practical Concerns

45 Data Retention Why companies need to have a formal data retention policy Practical Concerns Regulatory Concerns

46 Data Retention Why companies need to have a formal data retention policy Practical Concerns Regulatory Concerns Privacy Concerns

47 Data Retention Establishing a Data Retention Policy Establish data classes Classify data Establish retention periods Select archive methods Paper-based Electronic forms

48 Data Retention Establishing a Data Retention Policy Establish data classes Classify data Establish retention periods Select archive methods Paper-based Electronic forms Create end-of-life processes Create policies for destruction of media

49 Data Retention Establishing a Data Retention Policy Establish data classes Classify data Establish retention periods Select archive methods Paper-based Electronic forms Create end-of-life processes data quality and management Create policies for destruction of media Identify roles and responsibilities Create enforcement mechanisms Owner Steward Custodian Manages the business function that generates and/or uses the data Has business and/or regulatory responsibility for Focuses on managing data content and the business logic behind all data transformations. Oversees the safe transport and storage of data Focuses on the underlying infrastructure and activities required to keep the data intact

50 Data Retention Establishing a Data Retention Policy Establish data classes Classify data Establish retention periods Select archive methods Paper-based Electronic forms Create end-of-life processes Create policies for destruction of media Identify roles and responsibilities Create enforcement mechanisms

51 Data Retention Handling Customer Data Conduct an enterprise application compliance review Implement Payment Application Data Security Standard (PA-DSS)

52 Data Retention Handling Customer Data Conduct an enterprise application compliance review Implement Payment Application Data Security Standard (PA-DSS) Pilot data tokenization solutions Implement end-to-end encryption Restrict Internal access to customer data

53 Test Taking Tip - Eliminate any probably wrong answers first - Focus on the highest likelihood answers for test taking efficiency Here s why: Some of the answers use unfamiliar terms and stand out as unlikely and can therefore be discarded immediately Some answers are clearly wrong and you can recognize them based on your familiarity with the subject The correct answer may require a careful reading of the wording of the question and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice 53

54 Example: Test Taking Tip The promotion manager of Northeast Electronics has been made the owner of the department s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C 54

55 Example: Test Taking Tip The promotion manager of Northeast Electronics has been made the owner of the department s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C Nothing seems mandatory about this scenario 55

56 Example: Test Taking Tip The promotion manager of Northeast Electronics has been made the owner of the department s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C Maybe. 56

57 Example: Test Taking Tip The promotion manager of Northeast Electronics has been made the owner of the department s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C Nothing about roles other than manager in the question 57

58 Example: Test Taking Tip The promotion manager of Northeast Electronics has been made the owner of the department s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C Distributed is not relevant to the information in the question 58

59 Example: Test Taking Tip The promotion manager of Northeast Electronics has been made the owner of the department s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C 59

60 Quiz 60

61

62