At the end of this lecture, you should be to
understand the followings
Planning, organizing, and the roles of
individuals in identifying and securing an
organization's information assets
Development and use of policies stating
managements views and position, and use of
guidelines and standards
Procedures to support the polices

3
What is information?

Information is an asset which, like other
important business assets, has value to an
organization and consequently needs to be
suitably protected.
quoted at ISO 17799-12000

4
Information Lifecycle

Information can be

5
What is Information Security

The CIA triad, the big three
Confidentiality
Ensuring that information is accessible only to
those authorized to have access
Integrity
Safeguarding the accuracy and completeness of
information and processing methods
Availability
Ensuring that authorized users have access to
information and associated assets when required

6
Confidentiality

Confidentiality is the prevention of the
intentional or unintentional unauthorized
disclosure of contents.
Loss of confidentiality can occur in many ways
the intentional release of private company
information or though a misapplication of network
rights.
Some of the elements of telecommunications used
to ensure confidentiality are
Network security protocols (e.g. IPSec, L2TP)
Network authentication services (Radius, TACAS,
CHAP etc)
Data encryption services (DES, 3DES, AES)

7
Integrity

Integrity is the guarantee that the message sent
is the message received, and that the message was
not intentionally or unintentionally altered.
Loss of integrity can occur
either through an intentional attack to change
information for example, a web site defacement,
or, by the most common type data is altered
accidentally by an operator.
Integrity also contains of non-repudiation of a
message source, which we will describe later.
Some of the elements used to ensure integrity
are
Firewall services
Communications Security Management (e.g. RAS,
VPN)
Intrusion detection services (IDS)

8
Availability - 1

This concept refers to the elements that create
reliability and stability in networks and systems
It is the guarantee that security services for
the security practitioner are usable when they
are needed
assures that connectivity is accessible when
needed
allowing authorized users to access the network
or systems

9
Availability - 2

The concept of availability also tends to include
areas in the Information Systems that are
traditionally not thought of as pure security
(such as guarantee of service, performance, and
up-time), yet are obviously affected by an attack
like a Denial of Service (DoS).
Some of the elements that are used to ensure
availability are
Fault tolerance for data availability, such as
backups and redundant disk system
Acceptable log-ins and operating process
performances
Reliable and interoperable security processes and
network security mechanisms

10
Other concepts in ISMS - 1

Identification
User claims his identity to a system
Authentication
Proof A is A
Authorization
The right and permissions granted to an
individual (or process)
Accountability
Determine the actions and behaviors of a single
individual within a system

11
Other concepts in ISMS - 2

Privacy
Guarantees the fundamental tenet of
confidentiality of companys data, but also the
data privacy
Non-repudiation
a receiver must be able to prove the received
message come from a specific sender. The sender
must not be able to deny sending a message. This
is the corner-stone for e-commerce.

12
Information asset and classifications
13
How much security is enough?

When it comes to information security, how much
security is enough?
There are several factors to consider
The type of business in which the company engages
The type of data stored on the network
The management philosophy of the organization

14
Assets

An asset is something to which an organization
directly assigns value and hence for which the
organization requires protection
Examples
Information assets data files, user manuals
Paper documents contracts, guidelines
Software assets application system software,
source code
Physical assets computer, magnetic media
Services communications, technical etc
Non-tangible
Reputation and goodwill
Company image
People experience

15
Asset Values

An organization should identify the value of
their information assets
Determining the value of each asset is the first
step towards determining an effective security
strategy
appropriate controls can be applied
Two methods
Qualitative method 0 to 5 or low to VH
Quantitative methods in monetary term Annual
loss expectancy (ALE) in

16
Information classifications

Reasons to classify information
Not all data has the same value
Advantages to classify information asset
Demonstrate an organization's commitment to
security protections
Helps identify which information is most
sensitive
Support the tenets of CIA as it pertains to data
Helps identify which protections apply to which
information
May be required for regulatory, compliance, or
legal reasons

17
Information classifications

Advantages (continue)
Data confidentiality, integrity availability
are improved since appropriate controls are used
throughout the enterprise
Protection mechanisms are maximized
A process exists to review the values of company
business data
Decision quality is increased since the quality
of the data upon which the decision is being made
has been improved

18
Classification terms

Common classification
Unclassified
Sensitive but unclassified
Confidential
Secret
Top secret
Others (by numeric representative)
1 general
2 Internal use only
3 confidential
4 secret
5 Top secret

19
How to classify information asset

Classification criteria can be based on
Value
Age
Useful life
Personal association

Update sequence (life)
Classification criteria
age
20
Information Classification roles

Owner
Responsible for the asset of information
Has the final corporate responsibility of data
protection
Liable for negligence because of the failure to
protect this data
Custodian
Delegated with the responsibility of protecting
the information by its owner
Run regular backup and routine test
Perform data restoration
Maintain the records
User
End-user that routinely uses the information as
part of their job

21
Information Security Policies
22
Information Security Policy

A broad statement of managements view and
position regarding a particular topics
The basis for a sound security implementation
It is an essential and fundamental element of
sound security practice
Provide protection from liability due to an
employees action
Provide the basis for the control of trade secrets

23
Information Security Policies

Organizational security policy
the approach of enforcing information security
simple document that is jargon free/non-technical
language, people independent / related to job
position
details implementations should be in another
document
Staff Responsibility
Users must understand the magnitude and
significance of the policy
Problem(s) in implementation
Eg. How to make sure all staff understand
Information Security Policies?

24
Policy types

Senior Management statement of policy
Vision and Mission
Address the WHY
statement with a few lines
Functional policies
Procedures to provide main cores areas
information management
Address the WHAT, Where, Who
Guidelines and details instructions
Provides details controls
Address HOW

25
Contents in Information security policies

Typical examples of an effective policy
Title
Purpose
Authorizing individual
Author/sponsor
Reference to other policies
Scope
Measurement expectations
Exception process
Accountability
Effective/expiration dates
Definitions

26
Information Security Management System
27
ISMS requirements

Information Security Policy is not enough, there
is a requirement to setup Information Security
Management System (ISMS)
The organization shall establish and maintain a
documented ISMS. This shall address
the assets to be protected,
the organization's approach to risk assessment
Control objectives and actual implementation
Degree of assurance required

28
Establishing a management framework

Information security policy
Scope of ISMS
What does it apply
Undertake an appropriate risk assessment
Establish the degree of assurance required
Manage the degree of risk
Select and implement appropriate controls
Prepare a statement of applicability
Regularly review all of the above

29
Objective and controls in BS7799

A best-practice commonly adopted by IT industries
originally developed by UK corporations such as
Marks Spencer, Shell, HSBC etc
BS7799 (part-1 clauses part-2 guidelines)
Part-1
10 clauses
36 Control Objectives
127 Controls
Not all the controls described will be relevant
to every situation, nor can they take account of
local environmental or technological constraints,
or be present in a form that suits every
potential user in an organization

30
The 10 clauses in BS7799 - 1

1. Security Policy
To provide management direction and support for
information security.
2. Security Organization
To manage information security within the
organization
3. Asset Classification and Control
To maintain appropriate protection of
organizational assets
4. Personnel Security
To reduce the risks of human error, theft, fraud
or misuse of facilities

31
The 10 clauses in BS7799 - 2

5. Physical and Environmental Security
To prevent unauthorized access, damage and
interference to business premises and information
6. Communications and Operations Management
To ensure the correct and secure operation of
information processing facilities
7. Access Control
To control access to information

32
The 10 clauses in BS7799 - 3

8. Systems Development and Maintenance
To ensure that security is built into information
systems
9. Business Continuity Management
To counteract interruptions to business
activities and to protect critical business
processes from the effects of major failures or
disasters
10. Compliance
To avoid breaches of any criminal and civil law,
and statutory, regulatory or contractual
obligations, and of any security requirements

33
Implementation of BS7799

The 10 clauses provide the direction and
requirement
36 Control objectives and 127 controls provide
the details
Effectiveness of such controls shall be reviewed
regularly
Technical compliance of HR is important
Security policy needed to be reviewed to reflect
the nature of technology and business practices

34
Effective implementation

Management commitment
Resource
Organization (i.e. process oriented and system
approach)
Focus on prevention (prevention is easier than
correction)
User awareness Training
Communications
Participation (user involvement)
System review (I.e. continuous improvement)

Compare to the 8 management principles in ISO9000
Top management commitment
Involvement of all staff
Continuous improvement
Customer Satisfaction
Systematic approach
Measurable
Process approach
Mutual benefit with contractors

35
Documentation

Functions of documentation
Evidence of the management framework
Summary of the management framework
Security policy, control objectives and control
implementation
Procedures adopted to implement controls (mostly
on core processes)
Responsibilities
Procedure to manage the ISMS
Document control
Security forum to review
Learn from mistake

36
ISMS documentation

Level 1 Security policy manual
Summary of the management framework including the
information security policy and the control
objective and implemented control given in the
statement of applicability.
Level 2 Procedures
Procedures adopted to implement the controls
required.
Describe the who, what, when and where the
security process and inter-departmental control
may be processed.

37
ISMS documentation (2)

Level 3 Work instructions / guidelines
Explains details of specific tasks or activities
Describe how to perform a specific task
Include detailed work instruction, form,
flowcharts, service standards, system manuals
Level 4 Record of works
Records objective evidence of activities carried
out in compliance with level 1, 2 and 3
documentation. Examples are records of visitors
book, audit records and authorization access

38
Document Pyramid
Mission and Vision
One to two statements
Target
Why
2 to 10 pages
Policies
Who, where, When what
A manual with a few sections
Procedures to control
Work instructions
How
With many details table, charts, form
Guideline details steps to follow
Records
39
Records

Evidence generated as a consequence of the
operation of the ISMS to identify the path
through a process and to demonstrate compliance
Procedures shall be maintained to manage records
(identification, maintenance, retention,
disposal)
Legible, identifiable and traceable to activities
involved
Readily retrievable
Stored to prevent damage, deterioration and loss
Can be in different media hard copy or
electronic

40
Organization to support information security

Information Security Committee
provide overall security management direction and
ensure security activities are consistent with
business objectives
Information Security Office
develops, manages and coordinate Information
Security related activities. It is led by IT
Security Officer
Information Technology Department
General provision of IT support and resources.

41
Roles and responsibilities - 1

Senior Management
Executive or senior-level management assigned the
overall responsibility for the security of
information
Information System security professional
Delegated with the responsibility for
implementing and maintaining security
Duties design, implement, manage and review of
ISMS documentation
Data owner
Responsible for determining the datas
sensitivity or classification levels
Responsible for maintaining the information
accuracy and integrity

42
Roles and responsibilities - 2

Custodian
preserves the informations CIA, e.g. data entry
operators, media librarian etc
User
Responsible to follow the procedures set out in
the organization's security policy
IS auditor
Responsible for providing reports to the senior
management on the effectiveness of the security
controls by conducting regular, independent
audits

43
Discussions

How should policies be disseminated?
New employees should get hard copies at
orientation
Rehires should go through orientation
Hard copies distributed to all staff
Web/corporate intranet
Brochures
Videos
Posters
e-mail/voice-mail

44
Summary

Overview of information
CIA concepts
Confidentiality
Integrity
Availability
DAD reverse of CIA
Disclosure, Alternation, Destruction
Benefits of information classification
Demonstrate commitment
Identify information that are most
sensitive/vital
Support CIA
Compliance to regulations

45
Summary (2)

Classification
U lt SBU lt C lt S lt TS
Classification criteria
Value, Age, Useful life, Personal association
Responsibility
Senior manager has the ultimate responsibility
for security
Information Security Officer has the functional
responsibility for security
Owner determine the data classification
Custodian preserves the informations CIA
User / Operator perform IAW (in according with)
stated policies
Auditor examine security

46
Summary (3)

Objective and controls
Information classifications
Information Security Policies
Level 1 Security policy manual
Level 2 Procedures
Level 3 Work instructions / guidelines
Level 4 Record of works
Organization to support information security
Steering committee, Security Forum
Information Security Officer, Security manager
Internal security auditors
Data / process owners, Departmental
Representatives

47
Part 2Overview

Risk Management
Threat and Vulnerability
Risk analysis (qualitative and quantitative)
Risk control
Training awareness

48
Objectives of this lecture

At the end of this lecture, you should be able to
understand the followings
Risk management practices and tools to carry out
risk analysis
Security awareness training to make employees
aware of the importance of information security

49
Risk Management
50
Principles of Risk Management

Risk management
Risk assessment Identification, analysis of
threat vulnerability
Rick control Control and minimization of loss
that is associated with events Reduce the risk
until it reaches a level that is acceptable to an
organization lt Ultimate purpose is to mitigate
risk
PDCA cycle in risk management
Plan Perform a risk assessment and analysis
Do implement controls
Check review
Act maintain and improvement

51
Question

Which of the following should come first?
Information security policies
Risk assessments
Ans
Information security policies should come first.
It provides the overall directions of the
organization

52
Threats Vulnerability - 1

Threats
An event, the occurrence of which could have
caused an undesired impact.
Three categories of threats are
human (it is always the source of problem)
malicious theft, hacker attack, sabotage,
fraud,
non-malicious mistake, misuse of information,
disobedience
natural fire, earth-quake, flooding
technological blackout, hardware failure,
network failure

53
Threats Vulnerability - 2

Vulnerability
is a weakness / hole in an organization's
information security
A vulnerability in itself does not cause harm, it
is merely a condition (or a set of conditions)
that may allow a threat to affect an asset
if vulnerability is not managed, it will allow a
threat to materialize
examples Absence of key personnel, Unstable
power grid, Unprotected cabling, Lack of security
awareness, Lack of fire precaution, Improper
allocation of password, Insufficient security
training, Lack of fire drill, No firewall
installed

54
Risk analysis (qualitative and quantitative)
55
Risk Assessment Process

Steps
Identifying assets and assigned values
Identifying threats to these assets and assessing
their likelihood (either in absolute term or in
rate)
for example 0.1, once in 10 years, VH, H, M, L
Identifying the protection provided by the
controls in place
Assessing the overall risk resulting from the
above

56
Risk Assessment

There are two different risk management metrics
qualitative and quantitative
Quantitative, or a quasi-subjective
Assign numeric values to all risks and potential
losses
risk management attempts to establish and
maintain an independent set of risk metrics
statistics
Cost-benefit analysis is performed.
Need to understand the properties of threats and
its likelihood (number of times a year a
particular threat can occur), the value of asset
in

57
Quantitative Risk Assessment - 1

Quantitative - Advantages
Assessment results are based mostly on
independently objective processes metrics.
Thus, meaningful statistical analysis is
supported
The value of information (availability,
confidentiality integrity) as expressed in
monetary terms with supporting rationale, is
better understood. Thus, the basis for expected
loss is better understood.
A credible basis for cost/benefit assessment of
risk mitigation measures is provided. Thus,
information security budget decision-making is
supported

58
Quantitative Risk Assessment - 2

Quantitative - Disadvantages
Calculations are complex. If they are not
understood or effectively explained, management
may mistrust the results of black-box testing
A large amount of information about the target
information and its IT environment must be
gathered
There is not yet a standard. Thus, users must
rely on the credibility of the vendors who
develop support the automated tools or perform
the research.

59
Quantitative Risk Assessment - 3

Quantitative analysis (in unit of )
ALE SLE ( per year) x ARO (annual occurrence)
ALE Annualized loss expectancy
SLE Single loss expectancy
ARO annualized rate of occurrence the
frequency with which a threat is expected to
occur annually
where
SLE Asset Value() x EF ()
EF exposure factor, estimated percentage of
damage
Asset Value value of the asset

60
Quantitative Risk Assessment - 4

A tornado is estimated to damage 50 of a
facility, and the value of the facility is
200,000. If the probability a tornado occurring
is one in ten years. Determine the SLE and ALE of
the facility.
ALE 200,000 x 0.5 100,000
SLE ALE x 0.1 10,000

61
Example of Quantitative analysis
62
Qualitative Risk analysis

Qualitative
Assign a rating to each risk and counter measure
and is derived from opinions of people who are
experts.
Risk evaluation is based on subjective rating of
a group of experienced team members.
Usually, rating is given to a specific event in
term of rate (e.g. from 1 to 10, or other such as
VH, H, M, L, VL).
Factors used includes severity, likelihood,
impact
Qualitative analysis (in unit of level)
Risk severity x likelihood x impact (unit is
dimensionless)
Severity severity of vulnerability (in H,M,L)
Likelihood probability of threat (in H,M,L)
Impact value (in H,M,L)

63
Ranking of Risk by measuring in 2 factors (3
factors in some other examples)
64
Quiz

Label the sequence of step in handling risk
management
A Threat identification
B Asset identification
C Vulnerability identification
see ans in notes page

65
Controlling the Risk
66
Controlling the Risk - 1

There are one of the FOUR ways that you can do to
control risk
Avoidance the elimination or reduction or
risks.
Based on the priority of the risk analysis,
select the appropriate controls to reduce the
vulnerabilities.
Eliminating the cause eliminates the risk. While
you can never eliminate all risks, certain
specific risk events can be eliminated.
Transference includes insurance or warranties,
both of which are means of deflecting or sharing
risks.
Mitigation a reduction of risk.
Reduce the expected monetary value by reducing
the probability of occurrence. For example, float
can mitigate potential schedule risks.

67
Controlling the Risk - 2

Acceptance accepts or retains consequences.
In active acceptance, you develop a contingency
plan. In passive acceptance, you dont act and
accept lower profits if activities run over
schedule.
If control cannot be implemented due to various
reasons (e.g cost too high, physically
impractical), it requires senior management to
accept the residual risk.)
Based on ROI and cost-benefit analysis -
financial constraints

68
Quiz

Identify three categories of threats that should
be managed within the ISMS. Which one is the most
difficult to control?

69
Quiz

Identify three vulnerabilities that are commonly
found in company lack of ISMS

70
Security Awareness

Often an overlook element
Not as high profile as others risk management
risk assessment, risk control are high profile
job
People is the weakest link in a security chain
Not trained
Not aware of what security is all about
Not understand how their actions can create
significant impact to an organization
see government website
http//www.infosec.gov.hk

71
Ways to improve awareness

Live presentation
Lectures, video and computer based training
Publishing and distribution
Posters, newsletters, bulletins and intranets
Incentives
Award and recognition for security-related
achievement
Reminders
Login banners messages, marketing paraphernalia
Mugs, pens, sticky notes, and mouse pads

72
Training and education

Different levels of training
Security training for senior managers, functions
managers and unit managers
Technical training for IT support personnel and
system administrators
Awareness training for specific departments or
personnel
Job-related training for operators and specific
users
Information security officers, Internal security
auditors, computer operators

73
Security management planning

Identify potential losses if security is not
properly implemented
Trade secrets
confidential information
personal e-mail
adverse publicity
viruses, worms, malicious Java and ActiveX
applications
denial of service
hard drive reformats, router reconfigurations
hacked web pages
breach of Human Resources information

Identify costs
Initial investment
ongoing costs
Identify benefits
Help Desk reduction
Common data locations
Reduced Remote Access costs
Improve Business Partner access
Enhanced public perception

74
Summary

Risk management consists of 2 parts
risk assessment
A risk assessment answers 3 fundamental
questions
Identify assets - What I am trying to protect?
Identify threats - What do I need to protect
against?
Calculating risks - How much time, effort money
am I willing to expend to obtain adequate
protection?
risk control
risk assessment is commonly followed by risk
control
4 things that you can do Avoidance,
Transference, Mitigation and Acceptance