protecting information assets - temple mis · 2017. 9. 30. · mis 5206 protecting information...

MIS 5206 Protecting Information Assets

Protecting Information Assets- Week 5 -

Risk Evaluation


MIS5206 Week 5

• Brief intro to Team Project

• In the News

• Week 3 & 4 Material Highlights

• Risk Evaluation

• Test Taking Tip

• Quiz


Weeks 3&4: Data Classification Process and Models

3

Why is data classification important?

• Focuses attention on the identification and valuation of information assets

• Is the basis for access control policy and processes


Weeks 3&4: Data classification process and models


Risk Evaluation Risk evaluation is the process of identifying risk scenarios and describing their potential business impact


Risk Evaluation - Key Components

Collect Data

Identify relevant data to enable effective IT-related risk identification, analysis and reporting

Analyze Risk

Develop useful information to support risk decisions that take into account the business impact of risk factors

Maintain RiskProfile

Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes


Risk Evaluation - Collect Data (RE-1)

• Goal: Ensure IT-related risks and opportunities are identified, analyzed and presented in business terms

• Metric: Cumulative business impact from IT-related incidents and events not identified by risk evaluation processes


Risk Evaluation - Collect Data (RE-1)

• Process Goal: Identify relevant data to enable effective IT-related risk identification, analysis and reporting

• Process Metrics:– # of loss events with key characteristics not captured or

measured

– Degree to which collected data support • Analyzing scenarios and reporting trends

• Visibility and understanding of the control state

• Visibility and understanding of the threat landscape


Risk Evaluation - Collect Data (RE1)• Activity Goals:

– Establish and maintain a risk data collection model

– Identify risk factors

– Collect data on operating environment

– Collect data on risk events

• Process Metrics:– Existence of a documented risk data collection model

– # of data sources

– # of data items with identified risk factors

– Completeness of • Risk event data

– Affected assets

– Impact data

– Threats

– Controls

– Measures of the effectiveness of controls

• Historical data on risk factors


RE1: Collect Data summary of goals and metrics


RE-1: Collect Data – Key Activities

RE1.1 Establish and maintain a model for data collection

RE1.2 Collect data on the operating environment

RE1.3 Collect data on risk events

RE1.4 Identify risk factors


Risk Evaluation - Collect Data: Roles

• Board of directors• Chief Executive Officer (CEO)• Chief Financial Officer (CFO)• Chief Risk Officer (CRO)• Enterprise Risk Committee• Business Management• Business Process Owner • Risk Control Functions• Human Resources• Compliance and Audit


Risk Evaluation - Collect Data: Roles


Risk Evaluation - Key Components

Collect Data

Identify relevant data to enable effective IT-related risk identification, analysis and reporting

Analyze Risk

Develop useful information to support risk decisions that take into account the business impact of risk factors

Maintain RiskProfile

Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes


Risk Evaluation - Analyze Risk (RE2)


Annualized loss expectancy (ALE) =

Single loss expectancy (SLE) X Annualized rate of occurrence (ARO)


FIPS 199: Risk event impact ratings


FIPS 199: Composite IS risk event impact ratings

Example with multiple information types:


Security Categorization of Different Types of Information and Information Systems


http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf


How to prioritize an enterprise’s data for protection ?


Analyzing risk to prioritize protection

NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99

Transforming ordinal risk rankings to interval risk measures


Analyzing risk example


Analyze Risk


Maintain Risk Profile


…Projected Growth of Data


Projected Growth of Data

What is a Zetta Byte?

A zettabyte is a quantity of information or information storage capacity equal to 1021

bytes

Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.


Projected Growth of Data


Data Retention

Why have a formal data retention policy?

a) Applicable Laws and Regulationsb) Resource Limits c) Privacy d) Access e) Security f) Plagiarism and Copyright g) Enforcement


Data Retention

Why companies need to have a formal data retention policy…

• Practical Concerns• Regulatory Concerns• Privacy Concerns


Data Retention

Why companies need to have a formal data retention policy…

• Practical Concerns


Data RetentionWhy companies need to have a formal data retention policy…

Practical Concerns• Regulatory Concerns


Data RetentionWhy companies need to have a formal data retention policy…

Practical Concerns Regulatory Concerns• Privacy Concerns


Data RetentionEstablishing a Data Retention Policy

• Establish data classes• Classify data• Establish retention periods• Select archive methods

• Paper-based• Electronic forms



Establish data classes Classify data Establish retention periods Select archive methods


• Create end-of-life processes• Create policies for destruction of media





Create end-of-life processes Create policies for destruction of media• Identify roles and responsibilities• Create enforcement mechanisms

Owner Steward Custodian

Manages the business function that generates and/or uses the data

Has business and/or regulatory responsibility for data quality and management

Focuses on managing data content and the business logic behind all data transformations.

Oversees the safe transport and storage of data

Focuses on the underlying infrastructure and activities required to keep the data intact




Paper-based Electronic forms

Create end-of-life processes Create policies for destruction of media Identify roles and responsibilities Create enforcement mechanisms


Data RetentionHandling Customer Data

• Conduct an enterprise application compliance review• Implement Payment Application Data Security Standard

(PA-DSS)


Data RetentionHandling Customer Data

• Conduct an enterprise application compliance review• Implement Payment Application Data Security Standard

(PA-DSS)• Pilot data tokenization solutions• Implement end-to-end encryption• Restrict Internal access to customer data


Test Taking Tip

53

Focus on the “highest likelihood” answers for test taking efficiency

Here’s why:• Some of the answers use unfamiliar terms and stand out as unlikely and

can therefore be discarded immediately

- Eliminate any “probably wrong” answers first -

• Some answers are clearly wrong and you can recognize them based on your familiarity with the subject

• The correct answer may require a careful reading of the wording of the question and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice


Test Taking Tip

54

Example:

The promotion manager of Northeast Electronics has been made the owner of the department’s printers and other resources. The manager can now designate who in the department can use the the large format printer. What term is used to describe this type of access control?

A. MandatoryB. Role-BasedC. DiscretionaryD. Distributed

Answer: C


Test Taking Tip

55

Example:



Answer: C

Nothing seems mandatory about this scenario


Test Taking Tip

56

Example:



Answer: C

Maybe ….


Test Taking Tip

57

Example:



Answer: C

Nothing about roles other than manager in the question


Test Taking Tip

58

Example:



Answer: C

Distributed is not relevant to the information in the question


Test Taking Tip

59

Example:



Answer: C


Quiz

60

protecting information assets - temple mis · 2017. 9. 30. · mis 5206 protecting information...

Documents