
Legal, Ethical and Professional Issues in Information Security

Law and Ethics

• Laws: rules that mandate or prohibit certain societal behavior (drawn from ethics)
• Ethics: define socially acceptable behavior (based on cultural mores)
• Cultural mores: fixed moral attitudes or customs of a particular group
• Laws carry sanctions of a governing authority but ethics do not

Organizational Liability and the Need for Counsel
What if the organization does not behave ethically?
• If an employee, with or without the authorization of the organization, performs an illegal or unethical action that causes some harm, the organization can be held financially liable for that action

Measures to reduce liability
• Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
• Due diligence: making a valid effort to protect others; continually maintaining that level of effort

Organizational Laws (Policies)

• Policies function as laws within an organization
• They must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
• Policies describe acceptable and unacceptable employee behaviors in the workplace

Criteria for policy enforcement
1. Dissemination (distribution) – hard copy/electronic means
2. Review (reading) – multiple languages
3. Comprehension (understanding) – quiz/assessment
4. Compliance (agreement) – signed document
5. Uniform enforcement

Types of Law
Society
• Civil: manages relationships/conflicts between organizational entities and people
• Criminal: addresses violations harmful to society

Workplace
• Private: regulates relationships between individuals and organizations (labour law, contract law)
• Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments

Relevant U.S. Laws for Information Security
• Why required?
– Implementation of information security legislation contributes to a more reliable business environment and a stable economy
• The United States has been a leader in the development and implementation of information security legislation

General Computer Crime Laws
1. Computer Fraud and Abuse Act of 1986: cornerstone of many computer-related federal laws and enforcement efforts
2. Computer Security Act of 1987 (first attempt to establish minimum acceptable security practices)
3. National Information Infrastructure Protection Act of 1996: modified several sections of the CFA Act and increased the penalties for selected crimes (fines to imprisonment of up to 2 years)
4. USA PATRIOT Act of 2001 (included clauses to combat terrorism-related activities)
5. USA PATRIOT Improvement and Reauthorization Act of 2006 (for investigating criminal and terrorist activity)
6. In 2006, this act was amended by the USA PATRIOT Improvement and Reauthorization Act (gave powers to the Department of Homeland Security and the FBI in investigating terrorist activity)
7. PATRIOT Sunset Extension Act of 2011 (permitted wiretaps, searching of business records, and the surveillance of people with suspected ties to terrorism)
8. USA FREEDOM (Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring) Act of 2015

Privacy Laws
• Privacy has become one of the hottest topics in information security at the beginning of the 21st century
• The ability to collect information, combine facts from separate sources, and merge it all with other information has resulted in databases that were previously impossible to create
• As a result, it became necessary for governments to protect privacy from such organizations
• Privacy laws evolved when many organizations started collecting, swapping and selling personal information as a commodity

Privacy Laws (cont’d.)
• US Regulations
1. ‘Privacy of Customer Information Section’ of the common carrier regulation (organizations should not use customer information for marketing purposes)
2. Federal Privacy Act of 1974 (for government agencies)
3. Electronic Communications Privacy Act of 1986 (regulates the interception of wire, electronic and oral communications)
4. Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act (health care data)
5. Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999 (banks and insurance companies)
6. Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (legislation for identity theft)

Export and Espionage Laws
• To protect trade secrets from being exported from the US
1. Economic Espionage Act of 1996 (EEA) - prevents illegal sharing of trade secrets
2. Security and Freedom Through Encryption Act of 1999 (SAFE) - provides guidance on the use of encryption techniques

Financial Reporting (SOX)
• Financial reporting refers to standard practices to give stakeholders an accurate depiction of a company's finances (revenues, expenses, profits, capital, and cash flow) as formal records
• Sarbanes-Oxley Act of 2002 (to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies)
• Auditors, accountants and corporate officers are made accountable
• Penalties for noncompliance range from fines to jail terms
Principles of Information Security, 4th Edition
Freedom of Information Act of 1966 (FOIA)
• Allows any person to request access to federal agency records or information not determined to be a matter of national security
• U.S. government agencies are required to disclose any requested information upon receipt of a written request
• Some information is protected from disclosure

Payment Card Industry Data Security Standard (PCI DSS)
• Applies to organizations that process payment cards, such as credit cards, debit cards, ATM cards, stored-value cards, gift cards
• The Payment Card Industry (PCI) Security Standards Council offers a standard of performance with which participating organizations must comply
• These regulations are designed to enhance the security of customers’ account data
• The regulations include requirements for information security policies, procedures, and management, as well as technical software and networking specifications

U.S. Copyright Law

• Intellectual property is a protected asset in the U.S.
• Copyright law extends to the published word, including electronic formats
• With proper acknowledgment, it permits including portions of others’ work as reference

Digital Millennium Copyright Act (DMCA)
• U.S. contribution to reduce the impact of copyright, trademark, and privacy infringement
• In the UK known as the Database Right
• Provides protection to individuals for the possession of personal data and its use and movement

Summary of information security related laws

State and Local Regulations

• Restrictions on organizational use of computer technology at state and local levels
• Georgia Computer Systems Protection Act

International Laws and Legal Bodies

• When organizations do business on the Internet, they do business globally
• Professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries
• Because of the political complexities of relationships among nations and differences in culture, there are few international laws relating to privacy and information security
• These international laws are important but are limited in their enforceability

U.K. Computer Security Laws
• The following laws are in force in the United Kingdom and are similar to those described earlier for the United States:
1. Computer Misuse Act 1990
– Unauthorized access to computer material
– Unauthorized access with intent to commit or facilitate commission of further offenses
– Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of a computer
2. Privacy and Electronic Communications Regulations 2003:
– Revoked the Data Protection and Privacy Regulations of 1999, and focuses on protection against unwanted or harassing phone, e-mail, and SMS messages
3. Police and Justice Act 2006:
– Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as “unauthorized acts with intent to impair operation of computer and the manufacture or provision of materials used in computer misuse offenses”
4. Personal Internet Safety 2007:
– A report published by the House of Lords Science and Technology Committee provided a public service, and criticized the U.K. government’s lack of action in protecting personal Internet safety

Australian Computer Security Laws
• Privacy Act 1988:
– Regulates the collection, storage, use, and disclosure of personal information
– Applies both to private and public sectors
• Telecommunications Act 1997:
– Updated as of October 2013
– Contains regulation related to the collection and storage of privacy data held by telecommunications service providers
• Corporations Act 2001:
– Updated by the Corporations Regulations of 2001 and 2002
– Focuses on business relationships but, similar to SOX, contains provisions related to financial reporting and audits
• Spam Act 2003:
– Legislation designed to regulate the amount of unwanted commercial marketing materials, especially via e-mail
– Requires businesses to obtain the consent of recipients, and to provide a mechanism by which the recipients may unsubscribe from commercial messages
• Cybercrime Legislation Amendment Bill 2011:
– Designed to align Australian laws with the European Convention on Cybercrime
– The bill specifies information that communications carriers and Internet service providers must retain and surrender when requested by law enforcement

European Council Cyber-Crime Convention
• Established an international task force overseeing Internet security functions for standardized international technology laws
• Signed by 34 countries
• Attempts to improve the effectiveness of international investigations in dealing with international crimes

Agreement on Trade-Related Aspects of Intellectual Property Rights
• Created by the World Trade Organization (WTO)
• First significant international effort to protect intellectual property rights
• Outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property

United Nations Charter
• Makes provision for information security during information warfare
• Information warfare is any action to deny, exploit, corrupt or destroy the enemy's information and its functions, while protecting ourselves against those actions

Ethics and Information Security

• Many professional groups have explicit rules governing ethical behavior in the workplace
• Professional associations such as ACM and ISSA, and certification agencies such as (ISC)2 and ISACA, work to establish codes of ethics for their respective memberships in the IT field

Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality’s ethical behavior conflicts with the ethics of another national group
– For example: to Western cultures, many of the ways in which Asian cultures use computer technology amount to software piracy
• Scenarios are grouped into:
– Software license infringement
– Illicit use (spreading viruses, hacking, etc.)
– Misuse of corporate resources (using company devices for personal purposes)
• Cultures have different views on the scenarios

Ethics and Education

• Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
• Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user

Unethical and Illegal Behavior - Causes and Countermeasures
• Three general causes of unethical and illegal behavior: ignorance, accident, intent
• The best methods for preventing illegal or unethical activity are laws, policies, technical controls and education
• Laws and policies are effective only if there is:
– Fear of penalty
– Probability of being caught
– Probability of the penalty being administered

Codes of Ethics of Professional Organizations
• Several professional organizations have established codes of conduct/ethics
1. Association for Computing Machinery (ACM)
2. International Information Systems Security Certification Consortium, Inc. (ISC)2
3. System Administration, Networking, and Security Institute (SANS)
4. Information Systems Audit and Control Association (ISACA)
5. Information Systems Security Association (ISSA)
6. Global Information Assurance Certification (GIAC)

Association for Computing Machinery (ACM)
• The ACM is a respected professional society that was established in 1947 as “the world’s first educational and scientific computing society”
• The ACM’s code of ethics contains specific references to
– protecting the confidentiality of information,
– causing no harm (with specific references to viruses),
– protecting the privacy of others, and
– respecting the intellectual property and copyrights of others

International Information Systems Security Certification Consortium, Inc. (ISC)2
• Focuses on the development and implementation of information security certifications and credentials
• Administers and evaluates examinations for information security certifications
• The (ISC)2 code of ethics is for the information security professionals who have earned an (ISC)2 certification
• It has four mandatory canons:
– “Protect society, the commonwealth, and the infrastructure;
– act honorably, honestly, justly, responsibly, and legally;
– provide diligent and competent service to principals;
– advance and protect the profession.”

ISSA Code of Ethics
• ISSA promotes practices that ensure the confidentiality, integrity, and availability of organizational information resources
• ISSA requires the observance of its code of ethics as a prerequisite for continued membership and affiliation with the Association
• The ISSA Code of Ethics includes an agreement as below:
• As an ISSA member, guest and/or applicant for membership, I have in the past and will in the future:
– Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
– Promote generally accepted information security current best practices and standards;
– Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
– Discharge professional responsibilities with diligence and honesty;
– Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association; and
– Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

Planning for Security
The Role of Planning
 Planning is creating action steps toward goals, and then controlling them
 Planning involves
• Employees
• Management
• Stockholders
• Other outsiders
• The physical and technological environment
• The political and legal environment
• The competitive environment
Information Security Planning
Planning Levels

• Strategic planning sets the long-term direction to be taken by the organization and each of its component parts
• Tactical planning focuses on short-term undertakings that will be completed within one or two years (breaks each strategic goal into a series of incremental objectives)
• An operational plan includes the necessary tasks for all relevant departments (communication and reporting requirements, weekly meetings, progress reports, and other associated tasks)
Strategic Planning
• Strategic planning includes
1. Vision statement
2. Mission statement
3. Strategy
4. Coordinated plans for sub-units
• It is the basis for long-term direction
• Includes decisions and actions that shape and guide
1. what an organization is
2. what it does
3. why it does it, with a focus on the future
Elements of a strategic plan

• Executive summary
• Organizational profile and history
• Strategic issues and core values
• Mission statement and vision statement
• Program goals and objectives
• Appendices (optional)

 Objectives should be specific, measurable, achievable, reasonably high and time-bound (SMART)
 Strategic goals are translated into tasks
Creating a Strategic Plan
Top-down Strategic Planning
• An organization develops a general strategy
• Then creates specific strategic plans for major divisions
• Each level or division translates those objectives into more
specific objectives for the level below
Tactical Planning
• Has a shorter focus than strategic planning
• Usually one to three years
• Applicable strategic goals are broken into a series of
incremental objectives
Operational Planning
• Used by managers and employees to organize the
ongoing, day-to-day performance of tasks
• Includes clearly identified coordination activities
across department boundaries such as:
1. Communications requirements
2. Weekly meetings
3. Summaries
4. Progress reports
Information Security Governance as a Strategic Plan
• Information Security Governance is a subset of
enterprise governance
• It is the responsibility of the board and senior
management
• It helps to
1. initially identify and rank the most critical risks to business
2. monitor information-related access controls and data
integrity violations.
• It ensures that
1. Objectives are achieved,
2. Risk is managed,
3. Organizational resources are used responsibly, and
4. The success or failure of the enterprise security program
is properly monitored
General Governance Framework
The IDEAL Model Governance Framework
Information Security Governance Responsibilities
Outcomes/Goals of Information Security Governance
 Strategic alignment of information security with
business strategy to support organizational objectives
 Risk management to reduce potential impacts on
information resources
 Resource management with efficient use of information
security knowledge and infrastructure
 Performance measurement to ensure that
organizational objectives are achieved
 Value delivery by optimizing information security
investments in support of organizational objectives
Information Security Policy, Standards and Practices
Policies
• Policies are organizational laws that dictate acceptable and unacceptable behavior within the organization
• Policies define what is right and wrong, the penalties for violating policy, and the appeal process
• Policies direct how issues should be addressed and how technologies should be used
• Policies do not specify the proper operation of equipment or software
• Objectives of writing information security policies include
– Reduced risk
– Compliance with laws and regulations
– Assurance of operational continuity, information integrity, and confidentiality
Usage of Policies
• Policy documents act as a clear statement of management's intent
• Policies are important reference documents for
1. internal audits
2. the resolution of legal disputes about management's due diligence

Basic rules for shaping a policy
• Policy should never conflict with law
• Policy must be able to stand up in court if challenged
• Policy must be properly supported and administered
Types of Information Security Policy
• The types of information security policies include:
1. Enterprise information security policies (EISP)
2. Issue-specific information security policies (ISSP)
3. System-specific security policies (SysSP)
1. Enterprise Information Security Policy (EISP)
• An executive-level document that sets the strategic direction and scope for the organization’s security efforts
• It is drafted by or in cooperation with the chief information officer of the organization
• The EISP is based on the mission and vision of the organization
• It guides the development, implementation, and management of the information security program
• Assigns responsibilities for various areas of information security
• Addresses legal compliance
• Also called the General SP / Organizational SP / IT SP / ISP
Components of EISP
1. Statement of purpose (what the policy is for)
2. Definition of information security
3. Justification of the need/importance of information security in the organization (legal/ethical)
4. Specification of information technology security responsibilities and roles
5. References to other information technology standards and guidelines
2. Issue-Specific Security Policy (ISSP)
• ISSP provides detailed, targeted guidance to all members of the organization in the use of a resource (technologies/processes)
• ISSP
1. protects the organization from inefficiency and ambiguity
2. documents how the technology-based system is controlled
3. indemnifies the organization against liability for an employee’s inappropriate or illegal system use
4. requires frequent updates
Topics Addressed by ISSP
• Email and internet use
• Minimum system configurations to defend against malware
• Prohibitions against hacking
• Home use of company-owned computer equipment
• Use of personal equipment on company networks
• Use of telecommunications technologies
• Use of photocopy equipment
• Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players
• Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract (Google Drive, Dropbox, and Microsoft Live)
Components of ISSP
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for modification
• Limitations of liability
– Statements of liability or disclaimers
Implementing the ISSP
• Common approaches
– Several independent ISSP documents
– A single comprehensive ISSP document (centrally modified and controlled)
– A modular ISSP document that unifies policy creation and administration
• The recommended approach is the modular policy
– Provides a balance between issue orientation and policy management
3. System-Specific Security Policy (SysSP)
• System-specific security policies function as standards or procedures to be used when configuring or maintaining systems
• System-specific security policies can be separated into
1. Management guidance
2. Technical specifications
Managerial Guidance SysSP

• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information
• Informs technologists of management intent
Technical Specification SysSP
• System administrators’ directions on implementing managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
– Access control lists
– Configuration rules for firewalls, IDS, etc.
Access control lists
• Access control lists govern the rights and privileges of users
• They regulate
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system
• Enable administrators to restrict access according to user, computer, time, duration, or even a particular file
• Administrators set user privileges
– Read, write, create, modify, delete, compare, copy
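The five questions above (who, what, when, where, how) map directly onto the fields of an access control entry. The following added example is not from the slides or the textbook they summarise; it is an illustrative ACL evaluator in which each entry names a user, a resource (an exact path, or a directory prefix ending in "/"), a set of the privileges listed on the slide, a permitted time window and a source network, and a request is granted only when some entry matches on every dimension (default deny). The entry layout, the sample ACL and the request times are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Privileges named on the slide; an entry grants a subset of these ("how").
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})


@dataclass(frozen=True)
class AclEntry:
    """One access control entry answering who / what / how / when / where."""
    user: str                                        # who may use the system
    resource: str                                    # what: "/dir/" = prefix match, else exact path
    privileges: frozenset                            # how: subset of PRIVILEGES
    window: tuple = (time(0, 0), time(23, 59, 59))   # when: (start, end) local time, inclusive
    source_net: str = "0.0.0.0/0"                    # where from: CIDR the request must originate in

    def __post_init__(self):
        unknown = self.privileges - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")

    def covers(self, resource):
        """Directory-style entries cover everything beneath them; others match exactly."""
        if self.resource.endswith("/"):
            return resource.startswith(self.resource)
        return resource == self.resource


def check_access(acl, user, resource, privilege, at, src_ip):
    """Evaluate one request against the ACL.

    Default deny: access is granted only when some entry matches on user, resource,
    privilege, time of day and source address. Returns (allowed, reason) so that a
    denial can be logged with the dimension that failed.
    """
    if privilege not in PRIVILEGES:
        return False, f"unknown privilege {privilege!r}"
    src = ip_address(src_ip)
    reason = "no ACL entry for this user and resource"
    for entry in acl:
        if entry.user != user or not entry.covers(resource):
            continue
        if privilege not in entry.privileges:
            reason = f"{user} lacks {privilege} on {resource}"
            continue
        start, end = entry.window
        if not (start <= at.time() <= end):
            reason = f"outside permitted hours {start}-{end}"
            continue
        if src not in ip_network(entry.source_net):
            reason = f"source {src} not in {entry.source_net}"
            continue
        return True, f"granted by entry for {user} on {entry.resource}"
    return False, reason


# Constructed sample ACL (hypothetical users, paths and networks, not from the slides).
SAMPLE_ACL = [
    # alice may read/write/modify anything under /finance/, business hours only, from the corporate net
    AclEntry("alice", "/finance/", frozenset({"read", "write", "modify"}),
             window=(time(8, 0), time(18, 0)), source_net="10.0.0.0/8"),
    # bob may read and copy one specific report, at any time, from anywhere
    AclEntry("bob", "/finance/reports/q1.xlsx", frozenset({"read", "copy"})),
]

# Constructed request times used by the demonstration below.
SAMPLE_TIME = datetime(2024, 3, 4, 10, 30)       # inside business hours
SAMPLE_TIME_LATE = datetime(2024, 3, 4, 22, 0)   # outside business hours

if __name__ == "__main__":
    requests = [
        ("alice", "/finance/ledger.csv", "write", SAMPLE_TIME, "10.1.2.3"),        # allowed
        ("alice", "/finance/ledger.csv", "delete", SAMPLE_TIME, "10.1.2.3"),       # privilege not granted
        ("alice", "/finance/ledger.csv", "read", SAMPLE_TIME_LATE, "10.1.2.3"),    # wrong time
        ("alice", "/finance/ledger.csv", "read", SAMPLE_TIME, "192.0.2.5"),        # wrong source
        ("bob", "/finance/reports/q1.xlsx", "read", SAMPLE_TIME, "203.0.113.7"),   # allowed
        ("bob", "/finance/ledger.csv", "read", SAMPLE_TIME, "203.0.113.7"),        # no entry
        ("carol", "/finance/ledger.csv", "read", SAMPLE_TIME, "10.1.2.3"),         # unknown user
    ]
    for req in requests:
        allowed, why = check_access(SAMPLE_ACL, *req)
        print("ALLOW" if allowed else "DENY ", req[0], req[2], req[1], "-", why)
```

The reason string is returned rather than printed so that an audit log can record which dimension denied the request; in a real deployment the time check would use the server's clock, never a client-supplied timestamp.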
Configuration rules
• Configuration rules are specific configuration codes entered into security systems
• They guide the execution of the system when information is passing through it
• Examples include firewall configuration rules, IPSec configuration rules, etc.
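Firewall configuration rules are the most common example, and the property that bites administrators is that they are evaluated in order with the first match deciding. The added example below is not from the slides or the textbook; it models a packet-filter rule set with first-match semantics and a default deny, and includes a small lint that finds rules which can never fire because an earlier, broader rule already covers every packet they would match. The rule format, the rule set and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule (hypothetical format, not any vendor's syntax)."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""


def packet(proto, src, dst, dport):
    """Minimal packet header as a dict, enough for rule matching."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


def matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules, pkt):
    """First-match evaluation with a default deny.

    Returns (action, index_of_deciding_rule); index is None when no rule matched
    and the implicit deny applied.
    """
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_rules(rules):
    """Lint: (j, i) pairs where rule j can never fire because earlier rule i covers it.

    A shadowed rule with a different action than the rule hiding it is almost always
    a misconfiguration, which is why this check belongs in policy review.
    """
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((j, i))
                break
    return found


# Constructed rule set. Rule 3 is intentionally placed after the broad deny
# so that the lint has something to report.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443, "public web server"),
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22, "admin ssh from corporate net"),
    Rule("deny", "any", "0.0.0.0/0", "192.0.2.0/24", None, "everything else to the DMZ"),
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.20/32", 3306, "db access - never reached"),
]

# Same rules with the specific allow moved above the broad deny.
CORRECTED_RULES = [RULES[0], RULES[1], RULES[3], RULES[2]]

if __name__ == "__main__":
    db = packet("tcp", "10.2.3.4", "192.0.2.20", 3306)
    print("original :", evaluate(RULES, db), "shadowed:", shadowed_rules(RULES))
    print("corrected:", evaluate(CORRECTED_RULES, db), "shadowed:", shadowed_rules(CORRECTED_RULES))
```

Running the block shows the database connection being dropped by rule 2 in the original order and accepted by the relocated allow in the corrected order; the same rule set, differently ordered, is a different policy.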
Standards, Procedures and Guidelines
• Standards are more detailed statements of what must be done to comply with policy
• Standards may be informal or part of an organizational culture, as in de facto standards
• Standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards
• Practices, procedures, and guidelines effectively explain how to comply with policy
Information Security Blueprint
• The security blueprint is a comprehensive plan to meet the organization’s current and future information security needs
• It is the basis for the design, selection, and implementation of all security program elements
• Includes policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program
• The blueprint specifies the tasks and the order in which they are to be accomplished
Developing the Information Security Blueprint
• To select a methodology with which to develop an information security blueprint, we can use a published information security model or framework
• This framework can outline the steps to take to design and implement information security in the organization
• There are a number of published information security frameworks, including ones from government sources
1. ISO 27000 Series
2. NIST Special Publication SP 800-12
3. IETF Security Architecture
4. Baselining and Best Business Practices
Security Education, Training and Awareness (SETA)

• Designed to reduce accidental security breaches
• Consists of three elements: security education, security training, and security awareness
• Builds in-depth knowledge to design, implement, or operate security programs for organizations and systems
• Develops skills so that computer users can perform their jobs while using IT systems more securely
• Improves awareness of the need to protect system resources
• Major benefits:
1. Improves employee behavior
2. Enables the organization to hold employees accountable for their actions
Framework of Security Education, Training and Awareness
Security Education
• Employees within information security may be encouraged to seek a formal education if not prepared by their background or experience
• A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security
• A security knowledge map can be used to identify the skills required
• Depth of knowledge can be indicated by a level of mastery: understanding → accomplishment → proficiency → mastery
Information Security Knowledge Map
Security Training
• Involves providing detailed information and hands-on instruction
• Management can either develop customized training or outsource it
• Customizing training for users
1. By functional background
• General user
• Managerial user
• Technical user
2. By skill level
• Novice
• Intermediate
• Advanced
Selection of the Training Delivery Method
• Types of delivery methods
1. One-on-one
2. Formal class
3. Computer-based training (CBT)
4. Distance learning/web seminars
5. User support group
6. On-the-job training
7. Self-study (non-computerized)
8. Use a local training program
9. Use a continuing education department
10. Use another external training agency
11. Hire a professional trainer, a consultant, or someone from an accredited institution to conduct on-site training
12. Organize and conduct training in-house using the organization’s own employees
Security Awareness
• Security awareness programs
– Help users realize the importance of security and the adverse consequences of its failure
– Remind users of the procedures to be followed
• Best practices
– Focus on people
– Use every available venue
– Define learning objectives, state them clearly, and provide sufficient detail and coverage
– Keep things light; don’t overload the users
– Help users understand their roles in InfoSec
– Take advantage of in-house communications media
– Make the awareness program formal; plan and document all actions
– Provide good information early, rather than perfect information late
Security Awareness Techniques
• A security awareness program can use many methods to
deliver its message
• Examples of security awareness components
1. Videos
2. Posters and banners
3. Lectures and conferences
4. Computer-based training
5. Newsletters
6. Brochures and flyers
7. Trinkets (coffee cups, pens, pencils, T-shirts)
8. Bulletin boards
Security Newsletter
1. A cost-effective way to disseminate security information
2. Newsletters can be in the form of hard copy, e-mail, or intranet
3. Topics can include
• threats to the organization’s information assets
• the addition of new security personnel
• summaries of key policies
• a calendar of security events, including training sessions, presentations, and other activities
• announcements relevant to information security
• how-to’s
SETA Awareness Components: Newsletters
Security Poster Series

• Professional posters can be quite expensive, so in-house development may be the best solution
• Keys to a good poster series:
– Varying the content and keeping posters updated
– Keeping them simple, but visually interesting
– Making the message clear
– Providing information on reporting violations
SETA Awareness Components: Posters
Trinket Programs
• Inexpensive on a per-unit basis
• They can be expensive to distribute
• Types of trinkets
1. Pens and pencils, mouse pads
2. Coffee mugs, plastic cups
3. Hats, T-shirts
Web Pages or Sites
• Dedicated to promoting information security awareness
– The challenge lies in updating the messages frequently enough to keep them fresh
• Tips on creating and maintaining an educational Web site
1. See what’s already out there
2. Plan ahead
3. Keep page loading time to a minimum
4. Seek feedback
5. Assume nothing and check everything
6. Spend time promoting your site
Risk Management
Risk management
 It is the process of identifying risks, assessing their relative magnitude and taking steps to reduce them to an acceptable level
 It involves:
 Risk identification
 Risk assessment
 Risk control
Risk Appetite and Residual Risk
 Risk appetite (risk tolerance): defines the quantity and nature of risk that organizations are willing to accept
 Residual risk: the risk that is left over after the risk management process has concluded
 The goal of the RM team should be to bring the residual risk within the risk appetite level
Components of Risk Management
Risk Identification
 Risk identification begins with the process of self-examination
 Managers
 identify the organization’s information assets,
 classify them into useful groups, and
 prioritize them by their overall importance
Stages in Risk Identification and Risk Assessment
Plan and Organize
 Form the team
 Plan the timeline for the periodic deliverables, reviews, and presentations
Identify, Inventory and Categorize Assets
 This is an iterative process
 All assets are identified
 An inventory of assets is created
 The assets are categorized
 This helps to identify the relative priority of assets
Identify Information Assets
 Identify information assets, including
 people
 procedures
 data and information
 software
 hardware
 networking elements
Attributes for People
 People
 Position name/number/ID
 Supervisor name/number/ID
 Security clearance level
 Special skills
Attributes for Procedures
 Procedures
 Description
 Intended purpose
 Software/hardware/networking elements to which it is tied
 Location where it is stored for reference
 Location where it is stored for update purposes
Attributes for Data
 Classification
 Owner/creator/manager
 Data structure used (sequential/relational)
 Size of data structure
 Online or offline
 Location
 Backup procedures used
Attributes for Hardware, Software and Networking Components
 Name
 IP address
 MAC address
 Asset type (server, desktop, networking device)
 Manufacturer name, Serial number
 Manufacturer’s model or part number
 Software version, update revision
 Physical location
 Logical location
 Controlling entity (central team, remote staff)
Information Asset Inventory
 The inventory process is critical in determining where the information is located
 Spreadsheets and database tools can be used for record keeping
Categorize Assets
 Assets can be categorized into groups
 People (employees, non employees)
 Devices (general, networking, security)
 Software (application, OS)
 Procedures (general, sensitive)
Categorized Organizational Assets
Classify Assets
 A data classification scheme can be applied based on the asset's sensitivity
 unclassified, sensitive, confidential, secret, top secret
 confidential, internal, external
 Security clearances for personnel can also be taken into consideration
Information Asset Valuation
 A relative value is assigned to each asset
 This valuation helps to rank the information assets according to their priority
 The criteria to be considered are:
 Which asset is the most critical to the success of the organization?
 Which generates the most revenue?
 Which generates the highest profitability?
 Which is the most expensive to replace?
 Which is the most expensive to protect?
 Whose loss or compromise would be the most embarrassing or cause the greatest liability?
Additional information to be considered in asset valuation
 Cost of creating the asset
 Past maintenance cost
 Cost for replacing the asset
 Cost of protecting the asset
 Value to its owners
 Value to the adversaries
Sample Inventory Worksheet
Asset Prioritization
 After the inventoried assets are categorized, classified, and assigned values, they are prioritized
 A weighted factor analysis is done
 For each information asset, a set of critical factors/criteria is identified
 Each critical factor/criterion is assigned a weight (1 to 100)
 Each asset is assigned a score (0.1 to 1.0) for each critical factor/criterion
 The deliverable at this stage is called the weighted factor analysis worksheet
Weighted Factor Analysis Worksheet (NIST SP 800-30)
(Worksheet figure: weighted score = impact × score; the highest-scoring asset is marked "Most critical")
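The weighted factor analysis described above, carried out in code as an added example (not the slides' own worksheet): criteria weights of 1 to 100 and per-asset scores of 0.1 to 1.0 as the slide specifies, with the asset names, weights and scores constructed for illustration.

```python
"""Weighted factor analysis worksheet, as an added example (not the slides' own).

Weights (1..100 per criterion) and scores (0.1..1.0 per asset and criterion)
follow the slide; the assets, weights and scores themselves are constructed.
"""

# Constructed criteria weights. Keeping them summing to 100 makes a perfect
# asset score out at exactly 100, which is easy to read on the worksheet.
CRITERIA_WEIGHTS = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

# Constructed per-asset scores against each criterion (0.1 .. 1.0).
ASSET_SCORES = {
    "Customer order database": {"impact on revenue": 1.0, "impact on profitability": 1.0, "impact on public image": 1.0},
    "Vendor EDI document set": {"impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "Public Web server":       {"impact on revenue": 0.5, "impact on profitability": 0.3, "impact on public image": 1.0},
    "Internal wiki":           {"impact on revenue": 0.1, "impact on profitability": 0.2, "impact on public image": 0.3},
}


def validate_worksheet(weights, scores):
    """Reject worksheets that break the slide's ranges or have missing cells."""
    for criterion, weight in weights.items():
        if not 1 <= weight <= 100:
            raise ValueError(f"weight for {criterion!r} must be 1..100, got {weight}")
    for asset, row in scores.items():
        if set(row) != set(weights):
            raise ValueError(f"{asset!r} is missing a score for some criterion")
        for criterion, score in row.items():
            if not 0.1 <= score <= 1.0:
                raise ValueError(f"score for {asset!r}/{criterion!r} must be 0.1..1.0")


def weighted_score(row, weights):
    """One worksheet row: the sum over criteria of weight x score."""
    return sum(weights[c] * row[c] for c in weights)


def prioritize_assets(scores, weights):
    """Return (asset, weighted score) pairs, most critical first."""
    validate_worksheet(weights, scores)
    ranked = sorted(scores, key=lambda a: weighted_score(scores[a], weights), reverse=True)
    return [(a, round(weighted_score(scores[a], weights), 1)) for a in ranked]


if __name__ == "__main__":
    for asset, total in prioritize_assets(ASSET_SCORES, CRITERIA_WEIGHTS):
        print(f"{total:6.1f}  {asset}")
```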
Threat Identification
 Any organization typically faces a wide variety of threats
 Each threat presents a unique challenge to information security
 If we assume that every threat can and will attack every information asset, then the project scope becomes too complex
 Examining and assessing a threat's potential to endanger an organization is called threat assessment
Threats to Information Security
Prioritizing Threats
 Which threats present a danger in the given situation?
 Which is the most dangerous threat?
 How much would it cost to recover from a successful attack?
 Which threat requires the greatest expenditure to prevent an attack?
Specifying Asset Vulnerability
 Vulnerabilities
 specific avenues that threat agents can exploit to attack an information asset
 a flaw/weakness in an asset, security procedure, design or control
 For each asset, the list of vulnerabilities is identified
 The listing depends on the experience and knowledge of the people creating the list
Vulnerability Assessment of a DMZ Router
The Threats-Vulnerabilities-Assets (TVA) Worksheet
Document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
Risk Assessment
 Assigns a risk rating/score to each asset
Risk Score Calculation - Method 1
 Risk score is calculated using the formula
Risk = (likelihood of the occurrence of a vulnerability × value of the information asset) - percentage of risk mitigated by current controls + uncertainty of current knowledge of the vulnerability
Example
 Asset A has a value of 50 and has vulnerability #1
 likelihood of 1.0 with no current controls
 assumptions and data are 90% accurate
 Asset B has a value of 100 and has two vulnerabilities
 Vulnerability #2
 likelihood of 0.5 with a current control that addresses 50% of its risk
 Vulnerability #3
 likelihood of 0.1 with no current controls
 assumptions and data are 80% accurate
Example
 Resulting ranked list of risk ratings for the three vulnerabilities is as follows:
 Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
 Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%
 Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0% + 20%
Risk Score Calculation - Method 2
 This involves computing the likelihood, loss frequency, attack success probability, loss event frequency and the loss magnitude
Likelihood and Loss Frequency
 Likelihood
 It is the probability that a specific vulnerability will be the object of a successful attack
 Is given an overall rating, often a numerical value between 0.0 and 1.0
 Loss Frequency/Annualized Rate of Occurrence
 likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range
Attack Success Probability and Loss Event Frequency
 Attack Success Probability
 An attack can be successful only if it gets by the current level of protection
 Creating estimates for the probability of a successful attack is very difficult
 The organization may assign a qualitative value, e.g. "very unlikely", "unlikely", "highly likely", etc.
 Loss Event Frequency
 Combines the likelihood and attack success probability results
Evaluating Loss Magnitude
 Determines the amount of information asset that
could be lost in a successful attack
 This quantity is also known as asset exposure
 Its evaluation can be quantitative or qualitative
Risk Computation - Example
 Information asset A is an online e-commerce database
 Industry reports indicate a 10 percent chance of an attack this year, based on an estimate of one attack every 10 years
 If the organization is attacked, the attack has a 50 percent chance of success
 The asset is valued at a score of 50 on a scale of 0 to 100
 100 percent of the asset would be lost or compromised by a successful attack
 The assumptions and data are 90 percent accurate
(Risk computation diagram; labels: Loss Event Frequency, Loss Impact, uncertainty)
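The Method 2 computation applied to the e-commerce database example above, as an added example that is not code from the slides. Two assumptions: the qualitative labels for attack success probability are mapped to constructed numeric values (the slide leaves that choice to the organization), and the uncertainty of the estimate is added as a percentage of the computed risk, the same treatment Method 1 uses.

```python
"""Method 2 risk computation, as an added example (not the slides' own code).

Risk = loss event frequency x loss magnitude, with the uncertainty of the
estimate added as a percentage of that product (the same treatment of
uncertainty as the slides' Method 1; an assumption of this example).
"""

# Constructed mapping for organizations that rate attack success only
# qualitatively, as the slide allows. The numbers are an example choice.
QUALITATIVE_SUCCESS_PROBABILITY = {
    "very unlikely": 0.1,
    "unlikely": 0.3,
    "likely": 0.5,
    "highly likely": 0.8,
}


def likelihood_from_interval(years_between_attacks):
    """'One attack every 10 years' becomes a 0.1 chance of an attack in a year."""
    if years_between_attacks <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_attacks


def attack_success_probability(value):
    """Accept a number in 0..1 or one of the qualitative labels above."""
    if isinstance(value, str):
        try:
            return QUALITATIVE_SUCCESS_PROBABILITY[value.lower()]
        except KeyError:
            raise ValueError(f"unknown qualitative rating {value!r}") from None
    if not 0.0 <= value <= 1.0:
        raise ValueError("probability must lie between 0.0 and 1.0")
    return float(value)


def risk_method2(likelihood, success, asset_value, fraction_lost, accuracy_pct):
    """Return the intermediate quantities alongside the final risk score."""
    lef = likelihood * attack_success_probability(success)  # loss event frequency
    magnitude = asset_value * fraction_lost                  # loss magnitude (asset exposure)
    base = lef * magnitude
    uncertainty = (100 - accuracy_pct) / 100
    return {"loss_event_frequency": lef, "loss_magnitude": magnitude, "risk": base * (1 + uncertainty)}


# The slide's asset A: one attack every 10 years, 50% success, value 50,
# 100% of the asset lost, assumptions and data 90% accurate.
ASSET_A = risk_method2(likelihood_from_interval(10), 0.5, 50, 1.0, 90)

if __name__ == "__main__":
    print(ASSET_A)
```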
Assessing Risk Acceptability
 For each asset, a ranking of the relative risk level (for
each threat/vulnerability) is prepared
 A comparison between the risk appetite and the
residual risk for each asset is done
 If the risk appetite is less than an asset’s residual risk,
additional strategies to reduce the risk are to be
identified
Documenting the Results of Risk Assessment
 The final summarized document is the ranked vulnerability risk worksheet
Risk Identification and Assessment Deliverables
Risk Control
 Risk control involves three basic steps:
 selection of control strategies
 justification of these strategies to upper management,
 the implementation, monitoring, and ongoing assessment of the
adopted controls
 The general strategies used are:
 Defend
 Transfer
 Mitigate
 Accept
Risk Control Strategies
1. Avoid/Defend:
 applying security controls (policy/technology/training/education) that eliminate or reduce the uncontrolled risks for the vulnerability
2. Transfer:
 shifting the risk to other assets/processes/areas or to outside entities (purchase insurance, outsource, service contracts)
3. Mitigate:
 reducing the impact of the attack by planning and preparation (IR, DRP, BCP)
4. Accept:
 understanding the consequences and accepting the risk without control or mitigation
Avoidance
 Attempts to prevent the exploitation of
the vulnerability
 Accomplished through:
 Application of policy
 Application of training and education
 Countering threats
 Implementation of technical security
controls and safeguards
Transference
 Attempts to shift the risk to other assets,
other processes, or other organizations
 May be accomplished by
 Rethinking how services are offered
 Revising deployment models
 Outsourcing to other organizations
 Purchasing insurance
 Implementing service contracts with providers
Mitigation
 Attempts to reduce the damage caused by the
exploitation of vulnerability
 by means of planning and preparation,
 Includes three types of plans:
 Disaster recovery plan (DRP)
 Incident response plan (IRP)
 Business continuity plan (BCP)
 Depends upon
 the ability to detect and respond to an attack as
quickly as possible
Acceptance
 Acceptance is the choice to do nothing to protect
an information asset and to accept the loss when
it occurs
 This control/lack of control is implemented when
the organization has
 Estimated the potential damage that could occur from attacks
 Performed a thorough cost-benefit analysis
 Evaluated alternate controls using each appropriate type of
feasibility
 Decided that the particular function, service, information, or
asset did not justify the cost of protection
Risk Control Strategy Selection
 Risk control involves
 selecting one of the 4 risk control strategies
 Acceptance of risk is chosen
 if the loss is within the range of losses the
organization can absorb,
 if the attacker’s gain is less than expected costs of
the attack,
 Otherwise, one of the other 3 control strategies needs to be selected
Risk Handling Decision Points (decision flowchart)
Justifying Controls (Economic Feasibility Analysis)
 Organizations must gauge the cost of protecting an asset against the value of that asset
 Factors that affect the cost of a safeguard
 Cost of development or acquisition of hardware, software, and services
 Training fees
 Cost of implementation
 Service and maintenance costs
 Benefit
 The value (asset) at risk, losses associated, cost of recovery
Quantitative Risk Assessment
Single loss expectancy (SLE)
• The value associated with the most likely loss from an attack
• SLE is calculated based on the value of the asset and the expected percentage of loss that would occur from a particular attack
• SLE = asset value (AV) × exposure factor (EF), where EF is the percentage loss that would occur from a given vulnerability being exploited
• Probability of loss from an attack within a given time frame is commonly referred to as the annualized rate of occurrence (ARO)
Cost-Benefit Analysis (Economic Feasibility Analysis)
The annual loss expectancy is given by
ALE = SLE × ARO
The CBA formula is given by
CBA = ALE(prior) – ALE(post) – ACS, where
• Single loss expectancy (SLE) = asset value × exposure factor
• ARO is the annualized rate of occurrence
• ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control
• ALE (post-control) is the ALE examined after the control has been in place for a period of time
• ACS is the annual cost of the safeguard
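The SLE, ARO, ALE and CBA formulas from these two slides run over a constructed scenario, as an added example that is not part of the slides; the asset value, exposure factors, recurrence intervals and safeguard costs are made up for illustration, and the example also shows that a safeguard can pay for itself or not depending on its annual cost.

```python
"""Cost-benefit analysis with SLE, ARO and ALE, as an added example.

All figures below are constructed; the formulas are the slides':
SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: the loss from one occurrence; EF is the fraction of the asset lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events):
    """ARO from a recurrence interval: once every 2 years is an ARO of 0.5."""
    if years_between_events <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected loss per year."""
    return sle * aro


def cost_benefit(ale_prior, ale_post, annual_cost_of_safeguard):
    """Positive when the safeguard saves more per year than it costs."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def evaluate_safeguard(asset_value, prior, post, annual_cost):
    """prior/post are (exposure factor, years between events) before and after the control.

    A control may lower how often the loss happens (ARO), how much is lost (EF), or both.
    """
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, prior[0]), annualized_rate_of_occurrence(prior[1]))
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, post[0]), annualized_rate_of_occurrence(post[1]))
    cba = cost_benefit(ale_prior, ale_post, annual_cost)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "cba": cba, "justified": cba > 0}


# Constructed scenario: a customer database valued at $1,000,000; a
# compromise today loses 10% of its value about once every two years.
ASSET_VALUE = 1_000_000
BEFORE = (0.10, 2)   # EF 10%, one event per 2 years -> ALE $50,000

# Two candidate safeguards (constructed): both cut the event to once per
# 10 years, one costing $25,000/year, the other $45,000/year.
CHEAPER_CONTROL = evaluate_safeguard(ASSET_VALUE, BEFORE, (0.10, 10), 25_000)
PRICIER_CONTROL = evaluate_safeguard(ASSET_VALUE, BEFORE, (0.10, 10), 45_000)

if __name__ == "__main__":
    print(CHEAPER_CONTROL)
    print(PRICIER_CONTROL)
```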
Evaluation, Assessment, and Maintenance of Risk Controls
 Once a control strategy has been selected and implemented
 Monitor and measure the effectiveness of controls on an ongoing basis
 Measure the risk that will remain after all planned controls are in place
The Risk Control Cycle
Quantitative Versus Qualitative Risk
Management Practices
 Risk computation when done using actual values
or estimates is known as a quantitative
assessment
 Alternatively the qualitative risk assessment
process does not use numerical measures
 Linguistic values of low, medium, high, and very high are used to
represent the risk score
 Organizations may also prefer scales: A–Z, 0–10, 1–5, or 0–20
 Instead of estimating that a particular piece of information is worth
$1 million, it can be valued on a scale of 1–20
Benchmarking
• Studying practices of other organizations that
produce desired results
• An organization typically uses one of two types of
measures to compare practices:
• metrics-based measures
• process-based measures
Metrics-based measures
• Numbers of successful attacks
• Staff-hours spent on systems protection
• Dollars spent on protection
• Numbers of security personnel
• Estimated value in dollars of the information lost in
successful attacks
• Loss in productivity hours associated with successful
attacks
Process-based measures
 The primary focus is the method the organization uses to
accomplish a particular process, rather than the outcome
Problems with applying Benchmarking
 Organizations don't talk to each other
 No two organizations are identical
Best Practices (Home Users)
 Microsoft focuses on the following seven key areas for home users:
1. Use antivirus software
2. Use strong passwords
3. Verify your software security settings
4. Update product security
5. Build personal firewalls
6. Back up early and often
7. Protect against power surges and loss
Best Practices (Small Business)
1. Protect desktops and laptops—Keep software up to date, protect against viruses, and set up a firewall.
2. Keep data safe—Implement a regular backup procedure to safeguard critical business data, set permissions, and use encryption.
3. Use the Internet safely—Unscrupulous Web sites, popups, and animations can be dangerous.
4. Protect the network—Remote network access is a security risk you should closely monitor.
5. Protect servers—Servers are the network's command center.
6. Secure line-of-business applications—Make sure that critical business software is fully secure around the clock.
7. Manage computers from servers—Without stringent administrative procedures in place, security measures may be unintentionally jeopardized by users.
Baselining
 Baselining can provide the foundation for internal
benchmarking
 Baselining is the comparison of security activities and
events against the organization’s future performance
 The information gathered for an organization’s first risk
assessment becomes the baseline for future
comparisons
Standards for Risk Management (Guide for Baselining)
• The NIST Risk Management Framework
• The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
• Microsoft Corporation risk management approach
• The Factor Analysis of Information Risk (FAIR) framework
• ISO 27000 series standard for Information Security Risk Management
Risk Appetite and Residual Risk
 Risk appetite: defines the quantity and nature of risk that organizations are willing to accept
 Residual risk: there is often remaining risk that has not been completely accounted for
 The goal of information security
 is not to bring residual risk to zero,
 but to bring it in line with an organization's risk appetite
Documenting Results
 When the risk management program has been completed, a series of proposed controls is prepared
 Each information asset-threat pair should have a
documented control strategy that
 Clearly identifies any residual risk remaining after the
proposed strategy has been executed