Chapter 6: Security Management

Chapter 6 discusses management issues in cybersecurity, focusing on IT security management, risk assessment, security controls, human resource security, and legal aspects. It emphasizes the importance of a structured approach to protecting assets, implementing security measures, and conducting audits. The chapter also covers the ethical considerations and legal implications related to cybersecurity practices.


Chapter 6

Management Issues in CNS

2/2/2025 1
Outline
• IT security management and risk assessment
• IT security controls, plans and procedures
• Physical and infrastructure security
• Human resource security
• Security auditing
• Legal and ethical aspects

IT Security Management and Risk Assessment
• Three fundamental questions guide the selection and implementation of the measures
  used to manage and improve security:
  • What assets do we need to protect?
  • How are those assets threatened?
  • What can we do to counter those threats?
• IT security management:
  • is the formal process of answering these questions, ensuring that critical assets
    are sufficiently protected in a cost-effective manner.
  • consists of:
    • determining a clear view of an organization's IT security objectives and general risk profile
    • a risk assessment for each asset in the organization that requires protection

IT Security Management – ISO's conceptual framework
• (The framework diagram on this slide is not reproduced in the text extract.)

IT Security Management
• A model process for managing information security comprises:

IT Security Management and Risk Assessment
• To avoid inconsistent implementation of security and a loss of central
  monitoring and control, standards recommend that responsibility for IT security
  management be assigned to a single person, with the following responsibilities:

IT security controls, plans and procedures
• IT security management implementation – includes selecting controls, developing an
  implementation plan, and the follow-up monitoring of the plan's implementation.

IT Security Management and Risk Assessment
• Security controls or safeguards – help to reduce risks
• Definition:
• control: An action, device, procedure, or other measure that reduces risk by
eliminating or preventing a security violation, by minimizing the harm it can cause, or
by discovering and reporting it to enable corrective action.
• Classes:
• Management controls - Focus on security policies, planning, guidelines, and standards
that influence the selection of operational and technical controls to reduce the risk of
loss and to protect the organization’s mission. These controls refer to issues that
management needs to address.
• Operational controls: Address the correct implementation and use of security policies
and standards, ensuring consistency in security operations and correcting identified
operational deficiencies. These controls relate to mechanisms and procedures that are
primarily implemented by people rather than systems. They are used to improve the
security of a system or group of systems.
• Technical controls: Involve the correct use of hardware and software security
capabilities in systems. These range from simple to complex measures that work
together to secure critical and sensitive data, information, and IT systems functions.

IT Security Management and Risk Assessment
• List of controls
(from standards):

Physical and infrastructure security
• Physical security focuses on preventing damage to infrastructure, including hardware,
  physical and support facilities, and personnel.

  Physical security threat | Description                                        | Prevention & mitigation measures
  -------------------------|----------------------------------------------------|------------------------------------------
  Environmental            | Conditions that damage or interrupt service        | Using cloud, control equipment, maintenance
  Technical                | Threats related to electrical power and EM emission| UPS, filters, shields
  Human caused             | Designed to overcome prevention measures           | Physical access control

• Recovery from physical security breaches: includes redundancy (to recover from loss)
  and cleanup of hazardous material before normal operation resumes.

Human resource security
• Encompasses the following:
• Security awareness, training, education:
  • Motivation improves behavior; awareness gains attention; training builds skill
• Employment practices and policies
• deals with personnel security: hiring, training, monitoring behavior, and handling
departure.
• Essential elements: policy document, awareness training
• Principles for personnel security: least privilege, separation of duties, limited reliance
on key employees
• E-mail and Internet use policies
• Policy issues – e.g. business use only, content ownership, privacy, conduct, …
• Incident response teams
• responsible for rapidly detecting incidents, minimizing loss and destruction, mitigating
the weaknesses that were exploited, and restoring computing services.

Security auditing
• It is a form of auditing that focuses on the security of an organization’s IS
assets which can:
• Provide a level of assurance concerning the proper operation of the computer with
respect to security.
• Generate data that can be used in after-the-fact analysis of an attack, whether
successful or unsuccessful.
• Provide a means of assessing inadequacies in the security service.
• Provide data that can be used to define anomalous behavior.
• Maintain a record useful in computer forensics.
• Security audit trails – maintain a record of system activity
• Logging – is the initial capture of the audit data. This requires that the
software include hooks, or capture points, that trigger the collection and
storage of data as preselected events occur.
• Audit trail analysis – approaches include basic alerting, baselining,
correlation (relationship among events)
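The three audit-trail analysis approaches named above (basic alerting, baselining, correlation) carried out in code, as an added example that is not part of the slides. It runs over a constructed syslog-style authentication trail; the line format, user names, addresses, thresholds and the "normal working hours" baseline are assumptions made for the example, not anything the slides specify.

```python
"""Audit-trail analysis over constructed authentication log lines.

Added example (not from the slides). Each function is one of the analysis
approaches the slide lists: basic alerting (a threshold on one event type),
baselining (compare activity against an expected norm) and correlation
(relate separate events to each other).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail; not real data. Lines that do not match
# the expected format are skipped by the parser (they stay in the raw trail).
SAMPLE_LOG = """\
2025-02-02T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2025-02-02T09:00:03 auth sshd: Failed password for alice from 10.0.0.5
2025-02-02T09:00:04 auth sshd: Failed password for alice from 10.0.0.5
2025-02-02T09:00:05 auth sshd: Failed password for alice from 10.0.0.5
2025-02-02T09:00:06 auth sshd: Failed password for alice from 10.0.0.5
2025-02-02T09:00:09 auth sshd: Accepted password for alice from 10.0.0.5
2025-02-02T09:15:00 auth sshd: Failed password for bob from 10.0.0.7
2025-02-02T09:30:00 auth sshd: Accepted password for bob from 10.0.0.7
2025-02-02T02:10:00 auth sshd: Accepted password for carol from 203.0.113.9
"""

# Assumed log line format (hypothetical; adapt the pattern to the real source).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw trail lines into structured events, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"],
                           "user": m["user"],
                           "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def basic_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Basic alerting: `threshold` or more failures for one user inside `window`."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            per_user[e["user"]].append(e["ts"])
    for user, times in per_user.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((user, times[i]))
                break  # one alert per user is enough here
    return alerts


def baseline_alerts(events, allowed_hours=range(8, 19)):
    """Baselining: a successful login outside the expected working hours.
    The baseline is an assumed constant here; in practice it is derived
    from historical trail data per user or role."""
    return [(e["user"], e["ts"]) for e in events
            if e["result"] == "Accepted" and e["ts"].hour not in allowed_hours]


def correlated_alerts(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation: a burst of failures followed by a success for the same
    user from the same source, which looks like a guessing attack that worked."""
    alerts = []
    for i, e in enumerate(events):
        if e["result"] != "Accepted":
            continue
        prior = [p for p in events[:i]
                 if p["result"] == "Failed" and p["src"] == e["src"]
                 and p["user"] == e["user"] and e["ts"] - p["ts"] <= window]
        if len(prior) >= min_failures:
            alerts.append((e["user"], e["src"], len(prior)))
    return alerts


def analyse(text):
    """Run all three approaches over one trail and return their findings."""
    events = parse_events(text)
    return {"basic": basic_alerts(events),
            "baseline": baseline_alerts(events),
            "correlated": correlated_alerts(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample trail the three approaches fire on different things: alerting flags alice's five rapid failures, baselining flags carol's 02:10 login, and correlation flags that alice's burst of failures was immediately followed by a success from the same address; bob's single failure fifteen minutes before his login trips none of them. That split is the point of keeping the approaches separate in the analysis stage.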
Legal and ethical aspects
• Many types of computer attacks can be considered crimes and, as such,
carry criminal sanctions
• Computer crimes – Computer as: targets, storage, communication tools
• Law enforcement – criminal arrest and prosecution.
• Intellectual property
• three main types of intellectual property for which legal protection is available:
copyrights, trademarks, and patents.
• Privacy
  • concerns the extent to which government agencies, businesses, and even other Internet
    users have access to a person's personal information and private details about their
    lives and activities.
  • Concerns that personal privacy has been, and may be, compromised have led to a variety of
    legal and technical approaches to reinforcing privacy rights.
• Ethical issues - refer to a system of moral principles that relates to the
benefits and harms of particular actions, and to the rightness and
wrongness of motives and ends of those actions.

Course Summary
• Topics covered:
• Fundamentals: definitions, threats, vulnerabilities, goals – CIA
• Cryptography: Sym/asymmetric encryption, hashing, and digital signatures
• System security: OS, Software, Network
• Cybersecurity policies, legal issues, and ethical considerations.
• Key Takeaways:
• Security is a continuous process requiring layered defense.
• Cryptographic techniques play a critical role in securing data.
• Strong authentication and access control mitigate insider threats.
• Regular security updates and patches are essential.
• Ethical and legal aspects must be considered in security decisions.

Be nation builders, not destructors!

The End

Thank You!

Quiz 2
1. Identify the one that is not an IT security management function:
• Determining IT security requirements
• Designing and implementing secure IT systems
• Specifying appropriate safeguards
2. Why do standards recommend that responsibility for IT security
management be assigned to a single person?
3. Select prevention and mitigation measure(s) for technical physical
security threats:
Equipment, maintenance, UPS, EM shields

