Professional Documents
Culture Documents
Links to Text
Chapter 8
Parts of Chapter 5
Parts of Chapter 1
Security Involves:
Technical controls Administrative controls Physical controls
Security Plan
Written document that
threats, and risks) Specify how they will be handled (controls) Specify who will handle them Specify when they will be handled (timetable)
OCTAVE
Operationally Critical Threat, Asset,
and Vulnerability Evaluation Developed at Carnegie Mellon CERT Coordination Center First published in 1999
practices from CERT/CC, NIST, laws and regulations (e.g., HIPPA), etc. Participation by both business and IT personnel
Best
Different Scales
OCTAVE large organizations
OCTAVE-S small organizations
OCTAVE Steps
1. 2. 3. 4. 5. 6. 7. 8.
Identify enterprise knowledge Identify operational area knowledge Identify staff knowledge Create threat profiles Identify key components Evaluate selected components Conduct a risk analysis Develop a protection strategy
are Catastrophic Long-lasting A single such incident can put a company out of business (even if handled well) Identify essential assets and functions
incidents May not be catastrophic May not be long-lasting Many incidents will have minor impact on operations
Risk Analysis
Risks closely related to threats
Risk analysis attempts to quantify
and measure problems associated with threats Many approaches to risk analysis have been developed
Quantifying Risk
Risk probability
How likely is the risk? Risk impact How much do we lose? Risk control Can the risk be avoided?
Risk Exposure
Probability of Risk X Risk Impact
Risk Impact $100,000 Risk Probability 0.5 Risk Exposure $50,000
Risk Leverage
(Exposure Before Exposure After)/ Risk Control Cost
Original Risk Exposure $ 50,000 Cost of Control $100 Revised Risk Exposure $20,000 Risk Leverage 300 (note: dimensionless)
No dominant approach
Security Policy
A written document describing goals
for and constraints on a system Who can access what resources in what manner? High level management document Should not change often
Policy Considerations
Stakeholders (beneficiaries)
Users
Owners
Resources
Security Procedures/Guidelines
Describe how security policy will
Physical Security
Protection that does not involve the
Possible Problems
Natural disasters Floods Fires
Power loss Human vandals Interception of sensitive information
Backups
Backups
Backups!!!
Natural Disasters
Careful building design
System placement
Fire extinguishers
Power Loss
Uninterruptible power supply
Surge suppressor
Human Vandals
Guards
Locks
Authentication
Reduced portability
Theft detection
Information Interception
Shredding
Overwriting magnetic data
Contingency Plans
Backup
Offsite backup
Networked storage
Cold site Hot site