Risk Assessment - PowerPoint PPT Presentation

Slides: 27
Provided by: Sri672

Transcript and Presenter's Notes
1
Risk Assessment
2
InfoSec and Legal Aspects
  • Risk assessment
  • Laws governing InfoSec
  • Privacy

3
Risk Assessment
  • Assigns a risk rating for each asset
  • Likelihood refers to the probability of a known
    vulnerability being attacked
  • Likelihood of fire forecast from actuarial data
  • Likelihood of virus estimated from volume of
    email handled and number of servers in use
  • Likelihood of a network attack estimated from the
    number of network addresses in use

4
Risk Assessment
  • How to assign value to information assets?
  • NIST SP 800-30 contains parameters to check
  • Critical assets are assigned the value 100
  • Non-critical but essential asset gets the value
    50
  • Least critical assets get the value 1
  • What factors to look for in valuation?
  • Which threats present a danger?
  • Which threats present a significant danger?
  • Cost to recover from an attack
  • Threats that require maximum cost to prevent

5
Risk Assessment
  • Risk determination
  • Risk = likelihood × value − percentage of risk already
    controlled + uncertainty
  • Example
  • Asset A has vulnerability score 50
  • Number of vulnerabilities: 1
  • Likelihood value 1 with no controls
  • Data are 90% accurate
  • Hence, Risk = 1 × 50 − 0% + 10%
  • = 50 + 10% of (1 × 50) = 50 + 5 = 55

6
Risk Assessment
  • Example
  • Asset B has vulnerability score 100
  • Number of vulnerabilities: 2
  • Likelihood value 0.5 for 1st vulnerability, for which
    current controls address 50% of risk
  • Data are 80% accurate
  • Hence, Risk = 0.5 × 100 − 50% + 20%
  • = 50 − (50% of 50) + (20% of 50)
  • = 50 − 25 + 10
  • = 35

7
Risk Assessment
  • Example
  • Asset B has vulnerability score 100
  • Number of vulnerabilities: 2
  • Likelihood value 0.1 for 2nd vulnerability with
    no controls
  • Data are 80% accurate
  • Hence, Risk = 0.1 × 100 − 0% + 20%
  • = 10 − 0 + (20% of 10)
  • = 10 + 2
  • = 12
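Added example (not from the slides): the risk-rating arithmetic of slides 5 to 7 in Python, with the Asset A and Asset B figures as constructed inputs. The `Vulnerability` record and the `rank_vulnerabilities` helper are my own assumptions; uncertainty is taken, as in the slides, as (100 − data accuracy)% of likelihood × value.

```python
from dataclasses import dataclass

# Asset values follow the slides' scale: 100 critical, 50 essential, 1 least critical.
@dataclass
class Vulnerability:
    asset: str
    asset_value: float        # value assigned to the asset (1, 50 or 100)
    likelihood: float         # probability (0.0 .. 1.0) the vulnerability is attacked
    controlled_pct: float     # % of the risk that current controls already address
    data_accuracy_pct: float  # how accurate the likelihood/value data are believed to be

def risk_rating(v: Vulnerability) -> float:
    """Risk = likelihood x value - % already controlled + uncertainty (slides 5-7)."""
    base = v.likelihood * v.asset_value                    # likelihood x value
    mitigated = base * v.controlled_pct / 100              # portion existing controls cover
    uncertainty = base * (100 - v.data_accuracy_pct) / 100 # allowance for inaccurate data
    return base - mitigated + uncertainty

def rank_vulnerabilities(vulns: list[Vulnerability]) -> list[tuple[str, float]]:
    """Rate every vulnerability and order them highest risk first, the order in
    which a remediation plan would work through them (assumed ranking step)."""
    rated = [(v.asset, risk_rating(v)) for v in vulns]
    return sorted(rated, key=lambda item: item[1], reverse=True)

# Constructed inputs mirroring the three worked examples on the slides.
SAMPLE = [
    Vulnerability("Asset A", 50, 1.0, 0, 90),    # slide 5: expected 55
    Vulnerability("Asset B", 100, 0.5, 50, 80),  # slide 6: expected 35
    Vulnerability("Asset B", 100, 0.1, 0, 80),   # slide 7: expected 12
]

if __name__ == "__main__":
    for asset, risk in rank_vulnerabilities(SAMPLE):
        print(f"{asset}: risk {risk:.1f}")
```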

8
Risk Assessment
  • The generic risks to the business are
  • Loss of key assets
  • Information
  • the network
  • skilled people
  • Disruption of key processes
  • Revenue
  • regulatory reporting

9
Risk Factors
  • Assess risk based on these factors
  • Impact Size
  • Rate of Change
  • Business Impact
  • Complexity
  • Recoverability
  • Value
  • Management Team Focus

10
Definitions
  • Civil law addresses violations of rules that
    result in monetary loss as well as other forms of
    damage caused to individuals or organizations
  • Criminal law addresses violations that are
    harmful to society
  • Tort law addresses violations by individuals that
    result in personal, physical, or financial injury
    to an individual
  • Private law regulates relationships between an
    individual and an organization
  • Public law regulates relationships between
    citizens

11
Definitions
  • Ethics is defined as socially acceptable behavior
  • Code of conduct is a set of rules that an
    organization defines as acceptable

12
Laws governing Information Security
  • Computer Security Act
  • Communications Assistance to Law Enforcement Act
  • Computer Fraud and Abuse Act
  • USA PATRIOT Act

13
Computer Security Act
  • Passed in 1987. Official designation PL100-235
  • Law gave NIST the authority over unclassified
    non-military government computer systems
  • NSA originally had this power
  • Main goals
  • Develop policies for federal agencies concerning
    computer security
  • Develop procedures to identify vulnerabilities in
    computer security

14
Computer Security Act
  • Provide mandatory security awareness training to
    all federal employees dealing with sensitive
    information
  • Identify all computer systems that contain
    sensitive information

15
CALEA
  • Passed in 1994
  • Works in conjunction with FCC regulations
  • Telephone companies must add hardware to their
    switches that facilitates tapping of conversations
    by law enforcement agencies
  • Telcos are not responsible for decrypting any
    intercepted communication
  • Telcos will be provided reasonable compensation
    for the addition of interception hardware to
    switches

16
Computer Fraud and Abuse Act
  • Originally passed in 1994 and amended in 1996
  • PATRIOT Act amends this act further
  • CFAA's main provisions relate to the following:
  • having knowingly accessed a computer without
    authorization
  • intentionally accesses a computer without
    authorization
  • knowingly and with intent to defraud, accesses a
    protected computer without authorization
  • Prison time of up to 10 years is possible for any
    violation
  • If the damage caused is below $5,000, only
    criminal penalties apply and no civil penalties
    apply

17
USA PATRIOT Act
  • Uniting and Strengthening America by Providing
    Appropriate Tools Required to Intercept and
    Obstruct Terrorism
  • Passed in October 2001
  • Gives extensive powers to the federal government
    to suspend notification provisions of existing
    laws
  • Provides authorization for information search
    without knowledge of the individual
  • Law expires in December 2004, unless renewed by
    Congress

18
Privacy and Ethics
  • Information privacy
  • Information privacy laws
  • Federal Privacy Act of 1974
  • Electronic Communications Privacy Act of 1986
  • Communications Act of 1996
  • HIPAA of 1996
  • Computer Security Act of 1987
  • USA PATRIOT Act of 2001
  • Ethical aspects of information handling

19
Information Privacy
  • Privacy refers to personally identifiable
    information about an individual or an
    organization
  • Privacy does not mean absolute freedom from
    observation
  • Privacy means state of being free from
    unsanctioned intrusion
  • Financial and medical institutions treat privacy
    as part of their compliance requirements
  • Information is collected by cookies and points of
    sale

20
Information Privacy
  • Privacy is a risk management issue
  • The ability to collect information from multiple
    sources and combine it in different ways has
    resulted in powerful databases that can shed more
    light than previously possible

21
Information Privacy Laws
  • Federal Privacy Act of 1974
  • Requires all government agencies to protect the
    privacy information of individuals and
    businesses
  • Certain agencies have exemption to release
    aggregate data
  • Census Bureau
  • National Archives
  • Congress
  • Comptroller General
  • Credit agencies

22
Information Privacy Laws
  • Electronic Communications Privacy Act of 1986
  • Regulates interception of wire, electronic, and
    oral communications
  • Works in conjunction with the Fourth Amendment
    providing protection against unlawful search and
    seizure

23
Information Privacy Laws
  • Communications Act of 1996
  • Regulates interstate and international
    communications
  • Communications decency was part of this Act

24
Information Privacy Laws
  • Health Insurance Portability and Accountability
    Act (HIPAA) of 1996
  • Protect confidentiality and security of health
    care data
  • Electronic signatures are allowed
  • Patients have a right to know who has access to
    their information and who accessed it

25
References
  • NIST Risk Assessment Guide for Information
    Technology Systems, SP 800-30
  • Mike Godwin, When copying isn't theft,
    www.eff.org/IP/phrack_riggs_neidorf_godwin.article
  • Michael Whitman, Enemy at the Gates: Threats to
    Information Security, Communications of the ACM, 2003

26
References
  • Financial institutions
    http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML
  • Risk Assessment Process
    http://www.mc2consulting.com/riskart1.htm
  • ISACA http://www.isaca.org/
  • Risk Assessment Guidelines
    http://www.gao.gov/special.pubs/ai99139.pdf
  • Risk Assessment
    http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_security_20risk_asst.htm