Assignment
Managing Risk in Information Systems
Lesson 9
Identifying and Analyzing Risk Mitigation Security Controls
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
Identify and analyze risk mitigation security controls.
Key Concepts
Identify procedural controls
Identify technical controls
Identify physical controls
Compare functional controls
In-Place Controls
Installed in an operational system
Replace in-place controls that don’t meet goals
Three primary objectives of controls:
Prevent
Recover
Detect
Planned Controls
Those that have been approved but not yet installed
Identify planned controls before approving others
Vulnerabilities that planned controls mitigate still exist
Evaluate effectiveness of a planned control through research
NIST SP 800-53 Control Families
Access Control (AC)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
NIST SP 800-53 Control Families (Cont.)
Physical and Environment Protection (PE)
Planning (PL)
Program Management (PM)
Risk Assessment (RA)
Security Assessment and Authorization (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)
System and Services Acquisition (SA)
Functional Controls
Preventive controls attempt to prevent a risk from occurring. For example, many of the actions taken to harden a server are preventive, such as disabling unneeded services and removing unneeded protocols.
Detective controls attempt to detect when a vulnerability is being exploited. Audit logs and audit trails are examples of passive detective controls: the incident is discovered when the logs are reviewed. An intrusion detection system (IDS) is an example of an active detective control, because an IDS can review logs in real time.
Corrective controls attempt to reverse the effects of a problem. File recovery and data correction are examples of corrective controls. For example, reliable backups allow you to restore data if it becomes corrupt. Many corrective controls are also considered recovery controls.
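The passive detective control described above can be shown concretely: an audit trail records every authentication attempt, and nothing is detected until someone reviews it. The following Python script is an added example (not the lesson's own material) that performs that review over a small, constructed audit log. The log format, the field names, the four-failures-per-minute threshold and the addresses are all assumptions made for this example.

```python
"""Passive detective control: after-the-fact review of an audit trail.

Added example, not from the lesson. Reviews constructed audit log lines
and reports any source address with too many failed logins inside a
short window. The log format and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not a real system's log).
SAMPLE_AUDIT_LOG = """\
2024-05-01T10:00:01Z auth result=failure user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth result=failure user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth result=failure user=bob src=203.0.113.5
2024-05-01T10:00:06Z auth result=failure user=carol src=203.0.113.5
2024-05-01T10:00:09Z auth result=success user=alice src=203.0.113.5
2024-05-01T10:05:00Z auth result=failure user=dave src=198.51.100.7
2024-05-01T11:30:00Z auth result=failure user=dave src=198.51.100.7
"""


def parse_line(line):
    """Parse one 'timestamp auth key=value ...' line into a dict.

    Returns None for malformed lines so a bad record cannot abort the
    whole review (an audit review should degrade, not crash)."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "auth":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {"ts": ts}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields


def review_audit_trail(text, threshold=4, window=timedelta(minutes=1)):
    """Return {src: total_failures} for every source whose failed logins
    reach `threshold` within any sliding `window`.

    This is the review step that turns a passive audit trail into a
    detection; an IDS would run the same logic continuously instead."""
    failures = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("result") == "failure":
            failures[rec["src"]].append(rec["ts"])

    findings = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[src] = len(times)
                break
    return findings


if __name__ == "__main__":
    for src, count in review_audit_trail(SAMPLE_AUDIT_LOG).items():
        print(f"{src}: {count} failed logins, burst exceeded threshold")
```

On the constructed log the review flags 203.0.113.5, which produced four failures in five seconds before a success; the two failures from 198.51.100.7 are 85 minutes apart and fall below the threshold. The same function run on a live stream rather than a saved file is the difference between the passive and the active detective control the lesson contrasts.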
Controls Based on Function Being Performed
Preventive: Hardening, Patching
Detective: Audit trails, IDS
Corrective: Backups, File recovery
Procedural Control Examples
Policies and procedures
Security plans
Insurance and bonding
Background and financial checks
Procedural Control Examples (Cont.)
Data loss prevention program
Awareness training
Rules of behavior
Software testing
Technical Control Examples
Login identifier
Session timeout
System logs and audit trails
Data range and reasonableness checks
Firewalls and routers
Encryption
Public key infrastructure (PKI)
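Of the technical controls listed above, data range and reasonableness checks are the one most often left vague. The following Python function is an added example (not the lesson's own material) that applies both kinds of check to a constructed order record: range checks bound each field on its own, and a reasonableness check confirms that fields which are individually valid still agree with each other. The field names, limits and the consistency rule are assumptions made for this example.

```python
"""Data range and reasonableness checks as a technical control.

Added example, not from the lesson. Validates constructed order records
before they are accepted. Field names, limits and the cross-field
consistency rule are assumptions.
"""
from datetime import date

# Assumed business limits for the example.
MAX_QUANTITY = 1_000
MAX_LINE_TOTAL = 100_000.00
EARLIEST_ORDER_DATE = date(2000, 1, 1)


def check_order(record, today):
    """Return a list of violations; an empty list means the record passes.

    `today` is passed in rather than read from the clock so the check is
    deterministic and testable."""
    problems = []
    qty = record.get("quantity")
    price = record.get("unit_price")
    total = record.get("line_total")
    when = record.get("order_date")

    # Range checks: type and bounds of each field independently.
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        problems.append("quantity out of range")
    if not isinstance(price, (int, float)) or price <= 0:
        problems.append("unit_price must be positive")
    if not isinstance(total, (int, float)) or not 0 < total <= MAX_LINE_TOTAL:
        problems.append("line_total out of range")
    if not isinstance(when, date) or not EARLIEST_ORDER_DATE <= when <= today:
        problems.append("order_date outside accepted window")

    # Reasonableness check: values that each pass their range check can
    # still be inconsistent with one another. Only attempted when the
    # three numeric fields have usable types.
    numeric = (isinstance(qty, int)
               and isinstance(price, (int, float))
               and isinstance(total, (int, float)))
    if numeric and abs(total - qty * price) > 0.005:
        problems.append("line_total does not match quantity * unit_price")
    return problems


if __name__ == "__main__":
    sample = {"quantity": 3, "unit_price": 19.99,
              "line_total": 59.97, "order_date": date(2024, 5, 1)}
    print(check_order(sample, today=date(2024, 5, 2)) or "record accepted")
```

A record with a plausible quantity, price and total but a total that does not equal quantity times price passes every range check and is caught only by the reasonableness check, which is why the control lists both.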
Firewalls and Routers
Filters traffic
Access control lists (ACLs)
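An access control list on a router or firewall is an ordered set of rules evaluated top to bottom, with the first match deciding and an implicit deny for anything that matches nothing. The following Python script is an added example (not the lesson's own material, and not any vendor's ACL syntax) that models that evaluation over constructed packets; the rule set and the addresses are assumptions made for this example.

```python
"""Access control list (ACL) filtering as done by routers and firewalls.

Added example, not from the lesson. An ordered, first-match ACL with an
implicit deny at the end, evaluated against constructed packets. The
rules and addresses are assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed rule set: (action, protocol, source network, destination
# network, destination port or None for any). First matching rule wins.
ACL = [
    ("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", 443),  # public HTTPS
    ("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", 22),   # admin SSH
    ("deny",   "tcp", "0.0.0.0/0",       "192.0.2.10/32", 22),   # all other SSH
    ("permit", "udp", "198.51.100.0/24", "192.0.2.0/24",  53),   # internal DNS
]


def evaluate(acl, packet):
    """Return (decision, index of the matching rule or None).

    The rule index is reported with the decision so that an operator can
    see which line produced a result; None means the implicit deny."""
    src = ip_address(packet["src"])
    dst = ip_address(packet["dst"])
    for i, (action, proto, src_net, dst_net, port) in enumerate(acl):
        if proto != "any" and proto != packet["proto"]:
            continue
        if src not in ip_network(src_net) or dst not in ip_network(dst_net):
            continue
        if port is not None and port != packet["dport"]:
            continue
        return action, i
    return "deny", None


def filter_packets(acl, packets):
    """Apply the ACL to a list of packets and return only the permitted ones."""
    return [p for p in packets if evaluate(acl, p)[0] == "permit"]


if __name__ == "__main__":
    sample = [
        {"proto": "tcp", "src": "203.0.113.9",  "dst": "192.0.2.10", "dport": 443},
        {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "dport": 22},
        {"proto": "tcp", "src": "203.0.113.9",  "dst": "192.0.2.10", "dport": 22},
        {"proto": "udp", "src": "203.0.113.9",  "dst": "192.0.2.53", "dport": 53},
    ]
    for p in sample:
        print(p["src"], "->", p["dst"], p["dport"], evaluate(ACL, p))
```

Rule order is part of the control: swapping the admin SSH permit and the general SSH deny would make the deny match first and lock the administrators out, which is the kind of mistake a review of in-place controls is meant to catch.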
Using Digital Signatures
Physical Control Examples
Locked doors, guards, CCTV
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
HVAC
Temperature and humidity control
Summary
Identify procedural controls
Identify technical controls
Identify physical controls
Compare functional controls
Best Practices for Risk Mitigation Security Controls
Ensure the control is effective
Review controls in all areas
Review NIST SP 800-53 families
Redo a risk assessment if a control is changed
OPTIONAL SLIDES
7/16/2014
Controls Perform Different Roles
Procedural
Technical
Physical
Suggested Steps for Implementing Security Controls
Selection of security control
Documentation of each control
Implementation of each control
Insurance
Avoidance
Reduction
Retention
All organizations will have slightly different processes for implementing these controls; some may require a formal review board, or a change review board, to sign off before a control is adopted.
Controls Mitigate Risk
Controls reduce impact of threats
Controls reduce vulnerabilities to an acceptable level
Hundreds of controls
Best to evaluate based on categories
Variety of Controls Needed
What is missed if only technical controls are used?
What is missed if only administrative controls are used?
What is missed if only physical controls are used?