“Risk Mitigation Security Controls” Please respond to the following:

Information Technology Risk Management

Reading(s) from Gibson

  • Chapter 9: Identifying and Analyzing Risk Mitigation Security Controls


Book:

Information Systems Security & Assurance Series

Jones & Bartlett Learning

Managing Risk in Information Systems – Darril Gibson, second edition


  • Read the subsections of the risk mitigation security control of the Federal Financial Institution Examination Council (FFIEC) located at http://ithandbook.ffiec.gov/it-booklets/operations/risk-mitigation-and-control-implementation.aspx. Next, infer the five (5) controls likely to be found in small community financial institutions such as credit unions. Justify your choices.


  • List all references.
  • Cover page is not needed.
  • Number of pages needed: 4, plus a 1-page summary (5 pages total)
  • Please use the additional information (slides script) in this attachment when elaborating on this subject.


SLIDES SCRIPT

CIS527 Week #5, P1 – IT Risk Management – Identifying and Analyzing Risk Mitigation Security Controls
Slide # Slide Title Slide Narration
Slide 1 Introduction Welcome to IT Risk Management.

In this lesson we will discuss Identifying and Analyzing Risk Mitigation Security Controls.

Next slide

Slide 2 Topics The following topics will be covered in this lesson:

In-place and planned controls;

Different categories of controls defined by NIST;

Administrative controls;

Technical controls;

Physical controls; and

Best practices for risk mitigation security controls

Next slide

Slide 3 In-Place Controls Controls mitigate risk, meaning that they reduce or neutralize threats or vulnerabilities to an acceptable level.

There are hundreds of controls that can be implemented in any environment.

When identifying and analyzing risk mitigation security controls, the in-place controls need to be identified.

An in-place control is installed in an operational system. There should be associated documentation identifying the control’s purpose. An example is antivirus (AV) software installed on systems in your network.

Controls, or countermeasures, will reduce or neutralize threats or vulnerabilities. Controls have three primary objectives – to prevent, recover, and detect. Some controls focus on only one objective. Other controls focus on more than one. However, if a control can’t meet one of these objectives adequately, it should be replaced.

Next slide

Slide 4 Planned Controls Planned controls are those that have been approved but not installed. Planning documents identify what the controls have been purchased for, providing the supporting documentation needed for a planned control.

In some situations a control may have been approved, or even purchased, but not yet installed. The reason it has not been implemented is less important than recognizing that it will be, because any planned controls should be identified before other controls are approved. Until then, the vulnerabilities these controls will mitigate still exist. The point is that the organization should not purchase two different controls to close the same vulnerability.

Next slide

Slide 5 In-Place vs. Planned Controls Please take a moment to complete the following exercise before moving on. Drag the definitions and characteristics on this slide into the correct envelope based on whether they describe in-place controls or planned controls. When you are finished click the Submit button.

Next slide.

Slide 6 Control Categories There are hundreds, if not thousands, of types of security controls. Risk mitigation security controls are divided into categories in order to make these types easier to understand. The categories are grouped differently depending on who does the categorizing.

The controls may be categorized using one of the following methods:

  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations;
  • Implementation method; or
  • Control Objectives for Information and related Technology (COBIT)

Next slide

Slide 7 Control Categories (continued) The Technical class of controls includes four families. These families include over seventy-five individual controls. The following is a list of each of the families in the Technical class, with the family identifier in parentheses on the slide:

Access Control (AC);

Audit and Accountability (AU);

Identification and Authentication (IA); and

System and Communication Protection (SC)

Next slide

Slide 8 Control Categories (continued) The Management class of controls includes five families. These families include over forty individual controls. The following is a list of each of the families in the Management class, with the family identifier in parentheses on the slide:

Certification, Accreditation, and Security Assessment (CA);

Planning (PL) ;

Risk Assessment (RA);

System and Services Acquisition (SA); and

Program Management (PM)

Next slide

Slide 9 Control Categories (continued) The Operational class of controls includes nine families. These families include over eighty individual controls. The following list covers each of the families in the Operational class, with the family identifier in parentheses on the slide:

Awareness and Training (AT);

Configuration Management (CM);

Contingency Planning (CP);

Incident Response (IR);

Maintenance (MA);

Media Protection (MP);

Physical and Environmental Protection (PE);

Personnel Security (PS); and

System and Information Integrity (SI).

Next slide

Slide 10 Administrative Control Examples Administrative controls refer to the written documents an organization uses for security. These are directives from senior management that provide direction on how to address security within an organization.

Some common administrative controls include:

Policies and procedures;

Security plans;

Insurance;

Background checks;

Data loss prevention program;

Awareness and training;

Rules of behavior; and

Software testing

Next slide

Slide 11 Check Your Understanding
Slide 12 Administrative Control Examples (continued) Policies and procedures are written documents that provide guidelines and rules for an organization. There will typically be multiple policies and procedures within any given organization.

A policy is a high-level document that provides overall direction without details, and a procedure provides the detailed steps needed to implement a policy.

Policies have widespread application because they identify the direction management wants to take on a specific topic.

Policies also provide authority that can be used to purchase resources in support of a policy.

Examples of policies include acceptable use policy (AUP), vulnerability scanning policy, and removable media policy.

Examples of procedures include AUP procedure, vulnerability scanning procedures, and removable media enforcement.

Next slide

Slide 13 Administrative Control Examples (continued) Organizations create different security plans to address different scenarios. These plans include a business continuity plan, disaster recovery plan, backup plan, and incident response plan.

A business continuity plan (BCP) is a comprehensive plan which helps an organization prepare for different types of emergencies. The BCP ensures that mission-critical functions continue to operate even after a disaster strikes.

The disaster recovery plan (DRP) provides the details to recover one or more systems from a disaster. The BCP differs from the DRP in that the BCP keeps the critical functions running during a disaster, while the DRP has a narrower focus and identifies how to recover a system.

The backup plan is often included as part of a DRP.

The backup policy identifies data valuable to the organization and specifies storage and retention requirements. The backup plan includes procedures identifying how data can be backed up, as all data is not backed up in the same way.

An incident response plan documents how an organization should respond to a security incident. The organization could have multiple incident response plans, depending on the complexity of the organization.

A security incident is any incident that affects the confidentiality, integrity, or availability of systems or data. Security incidents occur when a threat exploits a vulnerability.

Next slide

Slide 14 Administrative Control Examples (continued) The primary way for an organization to transfer risk is by purchasing insurance. The goal, of course, is to protect the company from loss, but if the risk occurs, the insurance helps pay for the loss and can keep the risk from bankrupting the company.

Types of insurance that can be purchased include fire and flood insurance, business interruption insurance, and errors and omissions insurance. Sometimes, the company may find it beneficial to hire a consultant to help create a backup plan that includes offsite storage. Bonding is a type of insurance that covers against losses by theft, fraud, or dishonesty.

Next slide

Slide 15 Administrative Control Examples (continued) Many organizations perform background checks and financial checks on potential employees. These checks are completed prior to the employee being hired. Background checks commonly include police and FBI checks. These checks identify any criminal behavior on the part of a prospective employee.

Most companies also complete financial checks for prospective employees. A person with a poor credit rating may be viewed suspiciously. Internet resources are also commonly included in background investigations, and can include simple Google or Facebook searches.

A data loss prevention program helps an organization prevent data loss, which can be viewed two ways – as loss of confidentiality and as loss due to corruption. Access controls and authentication methods identify and authenticate a person’s identity. Encryption protects against loss of confidentiality of data. A data loss prevention program identifies the data that is valuable to the organization, which is classified as Public, Private, or Proprietary.

Next slide

Slide 16 Administrative Control Examples (continued) Awareness and training controls ensure that employees are aware of an organization’s security standards.

Rules of Behavior lets users know what they can and cannot do within the systems. Users read this document before being granted access to a system. Rules of Behavior require users to sign a document indicating that they have read and understand the rules. Common elements in a Rules of Behavior document include privacy, a list of restricted activities, e-mail usage, protection of credentials, and consequences or penalties for noncompliance.

Software testing is mandated by policy because software must be tested to reduce the number of undiscovered bugs in it. The policy is the administrative control; the types of software testing actually performed are technical controls. Technical controls are software tools that automate protection, with enforcement provided by the technology itself.

Next slide

Slide 17 Technical Control Examples Technical controls include the logon identifier, session timeout, system logs and audit trails, data range and reasonableness checks, firewalls and router tables, encryption, and public key infrastructure.

A logon identifier is another name for a user account. The account is uniquely identified and matched to the user. Every time the user logs in, this account is used. This helps enforce several other controls.

Most systems include session timeout controls. Session timeouts help ensure that an unauthorized user doesn’t have access to a session without providing credentials.

System logs and audit trails are used to investigate security events and to troubleshoot problems. System logging tracks different types of events on the operating system.

Application developers use data range and reasonableness checks to help ensure valid data is being received. A developer cannot ensure that data is accurate, but the developer can ensure the data is valid.

Firewalls and router software are used as technical controls in a network. They control the traffic by allowing some traffic and blocking other traffic.

Encryption changes plain text data into ciphered data. For example, the word “password” is in plain text, but encrypted, it may look like the jumbled characters in the example on the slide. Two types of encryption are symmetric and asymmetric.

A public key infrastructure (PKI) is created to provide support for certificates. The PKI has several elements. However, the purpose of all the elements is centered on certificates. Some of the elements of a PKI include certification authority, certificate, and public and private keys.
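As an added illustration (not from the course slides or the Gibson text) of three of the technical controls just listed – session timeout, data range and reasonableness checks, and an audit trail tied to the logon identifier – here is a small teller-transaction check for a credit-union style system. The transaction fields, the 15-minute idle limit and the per-transaction ceiling are assumed values constructed for the example.

```python
# Added example: session timeout, range/reasonableness checks and an audit
# trail keyed to the logon identifier. Not from the course slides or the
# Gibson text; the teller-transaction fields, limits and timeout are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SESSION_TIMEOUT = timedelta(minutes=15)   # assumed idle limit
MAX_TELLER_AMOUNT = 10_000.00             # assumed per-transaction ceiling


@dataclass
class Session:
    user_id: str                          # the logon identifier
    last_activity: datetime               # timezone-aware timestamp
    audit: list = field(default_factory=list)

    def touch(self, now: datetime) -> bool:
        """Session timeout control: refuse activity after the idle limit.
        The decision is logged against the logon identifier (audit trail)."""
        if now - self.last_activity > SESSION_TIMEOUT:
            self.audit.append(f"{now.isoformat()} {self.user_id} SESSION_EXPIRED")
            return False
        self.last_activity = now
        return True


def check_transaction(txn: dict, now: datetime) -> list:
    """Range and reasonableness checks on a teller transaction.
    Returns the problems found (empty list means the data is valid).
    This establishes validity, not accuracy: a plausible wrong amount passes."""
    problems = []
    amount = txn.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        problems.append("amount not numeric")
    elif not 0 < amount <= MAX_TELLER_AMOUNT:      # also rejects NaN
        problems.append("amount outside permitted range")
    posted = txn.get("posted")
    if not isinstance(posted, datetime) or posted > now:
        problems.append("posting date missing or in the future")
    account = str(txn.get("account", ""))
    if not (account.isdigit() and len(account) == 10):
        problems.append("account id must be 10 digits")
    return problems


def process_transaction(session: Session, txn: dict, now: datetime):
    """Apply the session timeout first, then the field checks.
    Returns (accepted, reasons); every rejection goes to the audit trail."""
    if not session.touch(now):
        return False, ["session expired; re-authenticate"]
    reasons = check_transaction(txn, now)
    for reason in reasons:
        session.audit.append(f"{now.isoformat()} {session.user_id} REJECT {reason}")
    return not reasons, reasons
```

Note that the checks prove only that the data is within range and well-formed, exactly the distinction the narration draws between valid and accurate data.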

Next slide

Slide 18 Physical Control Examples Physical controls protect the physical environment. These controls include locks to protect access to secure areas, as well as environmental controls.

The simplest method to secure the physical environment is simply by using locked doors. The locks can be simple locks with keys, or cipher locks, where an employee enters a combination of numbers to gain access. Locked doors can also require proximity cards that are issued to employees, and may additionally require the card holder to enter a PIN.

Fire detection and suppression systems provide protection against fires. Fires can start and spread rapidly, so the goal is to have a system that can detect them as quickly as possible. Once the fire is detected, the suppression system attempts to put the fire out. Fire suppression systems vary depending on the type of fire.

Water detection systems detect when water is seeping into an area. The detection system automatically starts the pumps. The pumps continue to operate until water is no longer detected.

High temperatures and humidity levels can damage electrical equipment. When the temperature rises, electrical components can overheat and burn up. If the humidity is too high, moisture can condense on the equipment. The water causes electrical shorts that damage the equipment. Extreme cooling of server rooms with pumped chilled air under a raised floor helps reduce this risk.

Electrical grounding and circuit breakers protect equipment from electrical damage if a failure occurs. If a short occurs in an electrical system, it’s possible for a dangerous voltage to exist on the case of the system.

An electrical ground is a wire driven into the ground, often with a stake. Access to this ground wire is available throughout a building. Any electrical systems are wired so they can connect to this ground. If a failure occurs, dangerous voltages are sent to the electrical ground. This helps ensure that dangerous voltages don’t present a risk to personnel. Circuit breakers also detect changes in heat, and open and break the circuit when overheating begins to occur.

Next slide

Slide 19 Best Practices for Risk Mitigation Security Controls There are several recommended best practices to follow when identifying risk mitigation security controls.

First, you should ensure the control is effective – that it is capable of reducing or eliminating the threat or vulnerability in question.

Second, you should review controls in all areas – administrative, technical, and physical.

Third, you should review the NIST SP 800-53 classes in order to determine if controls are implemented throughout the IT infrastructure.

And fourth, you should redo a risk assessment if a control is changed. Perform the second risk assessment using the new control.

Next slide.

Slide 20 Check Your Understanding
Slide 21 Summary We have reached the end of this lesson. Let’s take a look at what we’ve covered.


First we discussed in-place and planned controls. We considered the differences between the two types of controls, which are used to identify and analyze risk mitigation security controls. We learned that an in-place control is installed in an operational system, while a planned control is approved but not yet installed.

Next we looked at the different categories of controls that are defined by NIST. We looked at three methods of categorization – NIST SP 800-53, the Implementation Method, and COBIT. We also looked at the three classes of controls and their corresponding families in this section.

The first category of controls we examined was administrative controls. We learned that these are the written documents an organization uses for security, and looked at several examples.

The second category was technical controls. We found that these include the logon identifier, session timeout, system logs and audit trails, data range and reasonableness checks, firewalls and router tables, encryption, and public key infrastructure.

The final category of controls was physical controls. We learned that this type protects the physical environment, and includes locked doors, guards, access logs, closed-circuit television, fire detection and suppression systems, water detection systems, electrical grounding, and circuit breakers.

Finally we reviewed the best practices for risk mitigation security controls.

This completes this lesson.