Risk Assessment Plan

profileNIK-raj
Chapter9_ISOL533.pdf

Page 50Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Chapter 9 Slides

Chapter 9: “Identifying and Analyzing Risk Mitigation Security Controls”

Page 51Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

In-Place Controls § Installed in an operational system

§ Replace in-place controls that don’t meet goals

§ Three primary objectives of controls:

• Prevent

• Recover

• Detect

Page 52Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Planned Controls § Those that have been approved but not yet

installed

§ Identify planned controls before approving others

§ Vulnerabilities that planned controls mitigate still exist

§ Evaluate effectiveness of a planned control through research

Page 53Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

NIST SP 800-53 Control Families § Access Control (AC) § Audit and Accountability (AU) § Awareness and Training (AT) § Configuration Management (CM) § Contingency Planning (CP) § Identification and Authentication (IA) § Incident Response (IR) § Maintenance (MA) § Media Protection (MP) § Personnel Security (PS)

Page 54Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

NIST SP 800-53 Control Families (Cont.) § Physical and Environment Protection (PE) § Planning (PL) § Program Management (PM) § Risk Assessment (RA) § Security Assessment and Authorization (CA) § System and Communications Protection (SC) § System and Information Integrity (SI) § System and Services Acquisition (SA)

Page 55Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Functional Controls Controls Based on Function Being Performed

Preventive • Hardening • Patching

Detective • Audit trails • IDS

Corrective • Backups • File

Recovery

Page 56Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Procedural Control Examples

Policies and procedures

Security plans

Insurance and bonding

Background and financial checks

Page 57Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Procedural Control Examples (Cont.)

Data loss prevention program

Awareness training

Rules of behavior

Software testing

Page 58Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Technical Control Examples Login identifier

Session timeout

System logs and audit trails

Data range and reasonableness checks

Firewalls and routers

Encryption

Public key infrastructure (PKI)

Page 59Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Firewalls and Routers § Filters traffic • Access control lists (ACLs)

Page 60Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Using Digital Signatures

Page 61Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Physical Control Examples Locked doors, guards, CCTV

Fire detection and suppression

Water detection

Temperature and humidity detection

Electrical grounding and circuit breakers

Page 62Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

HVAC § Temperature and humidity control

Page 63Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Risk Mitigation Security Controls

Ensure the control is effective

Review controls in all areas

Review NIST SP 800-53 families

Redo a risk assessment if a control is changed

Page 64Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Summary § Identification of key activities and assets § Recognize value of data § Basic planning steps of a BIA § Techniques used to identify relevant

threats, vulnerabilities, and exploits § Identify and compare procedural,

technical, physical, and functional controls