lec 2-Risk Assessment

Academic year: 2020

(1)

Risk Management

Lecture 2

(2)

Assessing risk

(3)

◻ Risk assessment can be performed using five steps:

1. Check existing security policies

2. Analyze, prioritize and categorize resources

3. Consider business concerns

4. Evaluate existing security controls

5. Leverage existing management and

(4)

Security Policy

◻ Security policy is a document that

(5)

◻ Security policy of an organization should cover the following:

⬜ Physical security to protect the people, equipment, facilities and computer assets.

⬜ User ID and rights management to ensure only authorized users have access to the organization’s network devices.

⬜ Network security to protect the network devices.

(6)

⬜ Authorized security tools and testing required for a particular computer environment.

⬜ Auditing procedures to periodically

(7)

Benefits of security policy

◻ Communicates a common vision for security throughout a company.

◻ Represents a single, easy-to-use source of security requirements.

◻ Exists as a flexible document that should

(8)

SECURITY POLICY TEMPLATE-II

A security policy is the essential basis on which an effective and comprehensive security program can be developed. This critical component is the primary way in which the agency security plan is translated into specific, measurable, and testable goals and objectives.

The security policies developed must establish a consistent notion of what is and what is not permitted with respect to control of access to your information resources. They must fit the business, technical, legal, and regulatory environment of your agency.

The following is a recommended outline of the components and characteristics of a security policy template. A sample Acceptable Use Policy using this outline is attached for your reference as Appendix A.

Section 1 – Introduction:

A purpose should be stated in the introduction section. This should provide the reader with a brief description of what this policy will state and why it is needed. The security stance of your agency should be stated here.

Section 2 – Roles and Responsibilities:

(9)

SECURITY POLICY TEMPLATE-II

Section 3 – Policy Directives:

This section describes the specifics of the security policy. It should provide sufficient information to guide the development and implementation of guidelines and specific security procedures.

Section 4 – Enforcement, Auditing, Reporting:

This section states what is considered a violation and the penalties for non-compliance. The violation of a policy usually implies an adverse action which needs to be enforced.

Section 5 – References:

This section lists all references mentioned in the policy, including agency standards, procedures, government code, and State Administrative Manual sections.

Section 6 – Control and Maintenance:

(10)

Categories of security control

◻ These five security processes are explained in terms of three categories of security control:

Preventive controls: prevent malicious activity from occurring.

Detective controls: uncover evidence of malicious activity.

Corrective controls: fix problems that

(11)

Security processes

◻ Each organization must perform the following security processes for building a sound security infrastructure:

⬜ Education

⬜ Vulnerability management

⬜ Issue management

⬜ Risk management

(12)

Security education

◻ A security education plan is a preventive control.

◻ Security education gives users knowledge of how to prevent potential security breaches by abusers.

◻ Security education defines employees

(13)

Vulnerability Management Process

Security advisory

◻ Software bugs introduced during development produce security exposures.

◻ To combat these exposures, most manufacturers release additional software code, called patches, to fix bugs and publish advisories that notify the IT community of software problems.

◻ Every software consumer must have a process to receive these security

(14)

Vulnerability life cycle

◻ Every software vulnerability life cycle has four major stages:

◻ Discovery

◻ Repair

◻ Notification

◻ Deployment

(15)

Discovery

◻ The discovery stage begins when someone encounters a software vulnerability.

◻ The optimal action for someone who

(16)

Repair

◻ The manufacturer researches the vulnerability and develops a software patch to address the issue.

◻ When the problem cannot be fixed using a software patch, the manufacturer may recommend configuration changes within the software that may fix the problem. This type of solution is usually

(17)

Notification

◻ After the patch or workaround has been developed, the manufacturer notifies the public about the problem and

(18)

Deployment

◻ The deployment stage consists of deploying the manufacturer's fix.

◻ The notification and deployment stages pose the greatest risk to all IT environments. The entire public knows about the vulnerability, advanced
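As an added illustration (not part of the lecture), the four stages above as a small advisory tracker: each advisory records the date it reached discovery, repair, notification and deployment, and the notification-to-deployment window that the slide singles out as the riskiest period is computed and ranked so the longest-exposed items surface first. The advisory identifiers, dates and the 14-day deployment SLA are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Advisory:
    """One vendor advisory as tracked by a software consumer (constructed record)."""
    advisory_id: str
    discovered: date                  # discovery: someone found the flaw
    patched: Optional[date] = None    # repair: vendor has a patch or workaround
    published: Optional[date] = None  # notification: the public knows about the flaw
    deployed: Optional[date] = None   # deployment: the fix is applied in our environment

    def stage(self) -> str:
        """Latest of the lecture's four stages this advisory has reached."""
        if self.deployed:
            return "deployment"
        if self.published:
            return "notification"
        if self.patched:
            return "repair"
        return "discovery"

    def exposure_days(self, today: date) -> int:
        """Days the flaw has been public with our fix not yet deployed: the
        notification-to-deployment window the lecture flags as the riskiest."""
        if self.published is None:
            return 0
        return ((self.deployed or today) - self.published).days

def prioritize(advisories: List[Advisory], today: date, sla_days: int = 14) -> List[Tuple[str, int, bool]]:
    """Public but undeployed advisories, longest exposure first, each flagged
    when it exceeds an assumed deployment SLA (sla_days is our own threshold)."""
    open_items = [a for a in advisories if a.stage() == "notification"]
    open_items.sort(key=lambda a: a.exposure_days(today), reverse=True)
    return [(a.advisory_id, a.exposure_days(today), a.exposure_days(today) > sla_days)
            for a in open_items]

# Constructed sample advisories; identifiers and dates are invented for illustration.
SAMPLE = [
    Advisory("ADV-0001", date(2020, 3, 1), date(2020, 3, 10), date(2020, 3, 10), date(2020, 3, 12)),
    Advisory("ADV-0002", date(2020, 3, 5), date(2020, 3, 20), date(2020, 3, 20)),
    Advisory("ADV-0003", date(2020, 4, 1)),
    Advisory("ADV-0004", date(2020, 2, 1), date(2020, 4, 1), date(2020, 4, 1)),
]
TODAY = date(2020, 4, 10)  # constructed "as of" date for the sample

if __name__ == "__main__":
    for advisory_id, days, overdue in prioritize(SAMPLE, TODAY):
        print(advisory_id, days, "OVERDUE" if overdue else "within SLA")
```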

(19)

Vulnerability management process

◻ Once an organization is receiving the

(20)

◻ In the context of security control, the security advisory process is considered

(21)

◻ http://technet.microsoft.com/en-us/security/dn481339 (Microsoft Security Bulletins – Updates & News.htm)

◻ Further readings

◻ Chapter No 4. Managing IT Risk : Book :

References
