Risk Assessment Plan
Page 50Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Chapter 9 Slides
Chapter 9: “Identifying and Analyzing Risk Mitigation Security Controls”
Page 51Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
In-Place Controls § Installed in an operational system
§ Replace in-place controls that don’t meet goals
§ Three primary objectives of controls:
• Prevent
• Recover
• Detect
Page 52Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Planned Controls § Those that have been approved but not yet
installed
§ Identify planned controls before approving others
§ Vulnerabilities that planned controls mitigate still exist
§ Evaluate effectiveness of a planned control through research
Page 53Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
NIST SP 800-53 Control Families § Access Control (AC) § Audit and Accountability (AU) § Awareness and Training (AT) § Configuration Management (CM) § Contingency Planning (CP) § Identification and Authentication (IA) § Incident Response (IR) § Maintenance (MA) § Media Protection (MP) § Personnel Security (PS)
Page 54Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
NIST SP 800-53 Control Families (Cont.) § Physical and Environment Protection (PE) § Planning (PL) § Program Management (PM) § Risk Assessment (RA) § Security Assessment and Authorization (CA) § System and Communications Protection (SC) § System and Information Integrity (SI) § System and Services Acquisition (SA)
Page 55Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Functional Controls Controls Based on Function Being Performed
Preventive • Hardening • Patching
Detective • Audit trails • IDS
Corrective • Backups • File
Recovery
Page 56Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Procedural Control Examples
Policies and procedures
Security plans
Insurance and bonding
Background and financial checks
Page 57Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Procedural Control Examples (Cont.)
Data loss prevention program
Awareness training
Rules of behavior
Software testing
Page 58Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Technical Control Examples Login identifier
Session timeout
System logs and audit trails
Data range and reasonableness checks
Firewalls and routers
Encryption
Public key infrastructure (PKI)
Page 59Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Firewalls and Routers § Filters traffic • Access control lists (ACLs)
Page 60Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Using Digital Signatures
Page 61Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Physical Control Examples Locked doors, guards, CCTV
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
Page 62Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
HVAC § Temperature and humidity control
Page 63Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Risk Mitigation Security Controls
Ensure the control is effective
Review controls in all areas
Review NIST SP 800-53 families
Redo a risk assessment if a control is changed
Page 64Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Summary § Identification of key activities and assets § Recognize value of data § Basic planning steps of a BIA § Techniques used to identify relevant
threats, vulnerabilities, and exploits § Identify and compare procedural,
technical, physical, and functional controls