Information Security Management: Computer Security Lectures 2014/15 S1

Description of the video: Information Security Management: Computer Security Lectures 2014/15 S1

This video is part of the computer/information/cyber security and ethical hacking lecture series; by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.

The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.

Topics covered in this lecture include:
Visualisation
http://map.ipviking.com/
Information security management
Security managers
Security managers need to...
There is no perfect solution suited to everyone
Technical controls can help mitigate certain risks, but do not provide a be-all and end-all solution
Maslow's hierarchy of needs
Security breaches can cost an organisation either directly financially, or indirectly
According to Symantec, in 2011 the average organisation incurred $470,000 in losses from IT security attacks
http://www.symantec.com/content/en/us...
Indirect costs
Studies have found correlations between security compromises and decreases in stock prices
Direct costs of a security compromise typically include:
Staff time spent dealing with the incident
This is an opportunity cost: they could be working on something else
Staff pay: may include overtime
Extra bandwidth/quota network use
Lost sales (an organisation typically makes a certain turnover each day – this is lost while offline)
And so on
Attacks on the physical world via technology
“Cyberwar”
Cost center
Return on investment (ROI)
Business ventures typically need to demonstrate a positive ROI to get approved
Security ROI = Savings / Cost
An information security management system (ISMS) is a set of policies for information security management
Developing an ISMS involves
Defining scope
Creating security policies
Risk assessment and risk management
Selecting security controls
Defined in ISO 27001
Teams: Risk management specialists, Incident response team (IRT), Product security team (development), Security specialists (network, sys admin), Tiger teams (pen testing and vuln. analysis), Physical security teams
Risk management overview
Avoidance: “don't do that then”
Acceptance: “we can live with that”
Mitigation: “let's try to stop that from being a problem”
Transfer: “someone else can deal with the costs” or “let's get insurance against that”
Organisations need to continually:
Protect, detect, react
Types of controls
Administrative policies and controls
Technical controls
Physical controls
Contingency planning
Incident response (IR) planning: Detect and mitigate events that could compromise information security
Business continuity planning (BCP): Recover and continue operations under adverse conditions (large scope for various events)
Disaster recovery planning: Recover IT after a natural or human disaster
Assessing and measuring security
Management is often more effective if you can measure what you are managing
Accuracy of ROI and risk management calculations
Without accuracy calculations can become meaningless or deceptive
Unfortunately “security” can be particularly hard to measure
Assessing and measuring security
Quantitative measures:
Hard numbers: for example, facts such as the previous number of incidents and their costs
Qualitative measures:
Less clear-cut: for example, the impact on PR
Not measured in terms of numbers
Formal assessment of security systems:
TCSEC (AKA the orange book): USA DoD standard
Common Criteria (CC)
Other less-formal self-tests can help to get a general idea of an organisation's security stance
Standards for information security
Information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
ISO/IEC 27000-series of standards
ISO/IEC 17799:2005, renamed to ISO/IEC 27001:2005
ISO/IEC 27001:2005
PCI compliance
Other laws and regulations:
UK Data Protection Act 1998
Classification of information
In business: Public, Sensitive, Private, Confidential
Military: Unclassified, Sensitive, Restricted, Confidential, Secret, Top Secret
In some cases the data may be labelled (security classification attached), for technical security controls
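As an added illustration of the last point (example code written for this page, not material from the lecture or its slides): a label attached to a piece of data can drive a technical control that decides who may read it. The two label orderings are taken from the lists above; the "no read up" rule (a subject may read data only if their clearance is at least the data's label), the sample documents, and all function names are assumptions made for the example. The denied-access records are kept so that the control supports "detect" as well as "protect".

```python
# Label-based access check driven by a security classification attached to data.
# Example code for this page, not from the lecture. The orderings are the two
# scales listed on the page (lowest to highest); the "no read up" rule, the
# sample documents and the function names are assumptions for the example.

# Business scale and military scale, each ordered from least to most sensitive.
BUSINESS_LEVELS = ("Public", "Sensitive", "Private", "Confidential")
MILITARY_LEVELS = ("Unclassified", "Sensitive", "Restricted", "Confidential",
                   "Secret", "Top Secret")

# Every denied request is recorded here so that repeated attempts can be noticed.
DENIED_LOG = []


def rank(label, scale):
    """Position of a label on a scale; an unknown label is rejected rather than guessed."""
    if label not in scale:
        raise ValueError(f"unknown classification label {label!r} for this scale")
    return scale.index(label)


def may_read(clearance, data_label, scale, subject="unknown"):
    """True when the subject's clearance dominates the data's label (no read up).

    A denied request is appended to DENIED_LOG for later review.
    """
    allowed = rank(clearance, scale) >= rank(data_label, scale)
    if not allowed:
        DENIED_LOG.append({"subject": subject, "clearance": clearance,
                           "label": data_label})
    return allowed


def filter_readable(clearance, documents, scale, subject="unknown"):
    """Names of the labelled documents a subject with this clearance may read."""
    return [name for name, label in documents
            if may_read(clearance, label, scale, subject)]


# Constructed sample data: (document name, classification label) pairs.
SAMPLE_DOCS = [
    ("press-release.txt", "Public"),
    ("customer-list.csv", "Sensitive"),
    ("salary-bands.xlsx", "Private"),
    ("merger-plan.docx", "Confidential"),
]

if __name__ == "__main__":
    for clearance in BUSINESS_LEVELS:
        readable = filter_readable(clearance, SAMPLE_DOCS, BUSINESS_LEVELS, "alice")
        print(f"{clearance:>12}: {readable}")
    print(f"{len(DENIED_LOG)} denied requests recorded")
```

The check is deliberately strict about unknown labels: a document whose label is not on the scale is refused rather than silently treated as public, which is the failure mode a labelling scheme is meant to prevent.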
Defence in depth
Change management
Certified Information Systems Security Professional (CISSP)
Senior security management positions within organisations
