Академический Документы
Профессиональный Документы
Культура Документы
Risk Management
Organized By :
Tjahjo Adiprabowo Ir, M. Eng.
OUTLINE
I.
II.
III.
IV.
V.
Introduction
Generally Accepted System Security
Principles
Common IT Security Practices
Risk Management
Common IT Security Practices
(continuation)
I. Introduction
1.
2.
3.
Principles
Practices
Relationship of Principles and Practices
2.
3.
4.
6.
7.
8.
Policy
2.
Program Management.
3.
Program Policy
Issue-Specific Policy
System-Specific Policy
All Policies
Central Security Program
System-Level Program
Risk Management.
Risk Assessment
Risk Mitigation
Evaluation and Assessment
Risk Assessment
2.
Risk Mitigation
3.
9 Steps Methodology
4.
5.
Security Plan
Initiation Phase
Development/Acquisition Phase
Implementation Phase
Operation/Maintenance Phase
Disposal Phase
Personnel/User Issues.
Staffing
User Administration
6.
7.
8.
9.
10.
Business Plan
Identify Resources
Develop Scenarios
Develop Strategies
Test and Revise Plan
Uses of a Capability
Characteristics
11.
12.
13.
Access Criteria
Access Control Mechanism
Audit Trails
14.
Identification
Authentication
Passwords
Advanced Authentication
Cryptography
References
1.
2.
I. Introduction
1.1 Principles
Accountability
Cost effectiveness
Integration
1.2 Practices
o
o
o
o
o
o
Guide organizations on
the type of controls,
objectives and
procedures
that comprise an effective IT security program.
Show what should be done
to enhance an existing computer security program
to measure an existing computer security program
to aid in the development of a new program
Provide a common ground for determining the security of an
organization
Build confidence when conducting multi-organizational business.
Information
Hardware
Software
Physical resources
Financial resources
Reputation
Legal position
Employees
Other tangible and intangible assets.
For example :
Money
Physical assets
Employees
For example :
Thwart hackers.
Reduce the frequency of viruses.
Direct costs
Indirect costs
Security measures :
Indirect costs :
In some cases, these additional costs may well exceed the initial
cost of the control.
Solutions to security problems should not be chosen if they cost
more, in monetary or non monetary terms, directly or indirectly,
than simply tolerating the problem.
Owners of IT systems
Providers of IT systems
Users of IT systems
Other parties
Obligations
Expected behavior
Executive management
Programmers
Maintenance providers
Information system managers : software managers,
operation managers, and network managers
Software development managers
Managers charged with security of information systems
Internal and external information system auditors.
1 of 3
Managerial controls
Operational controls
Technical controls
Can work together synergistically.
2 of 3
System management
Legal issues
Quality assurance
Internal controls
Management controls
3 of 3
Physical security
Personnel security
Technological developments
Connection to external networks
A change in the value or use of information
The emergence of a new threat.
The access
Flow of data
Information
By providing more accurate and reliable information and
greater availability of systems.
3.1 Policy
1 of 2
3.1 Policy
2 of 2
Program
Issue Specific
System Specific
Directives
Procedures
Plans
Facilities
Hardware
Software
Information
personnel
Critical databases
Reduction in errors
Data loss
Data corruption
Recovery
Might be specifically stressed.
Assign Responsibilities :
Be Updated Frequently :
Position statement
Applicability
Roles and responsibilities
Compliance
Point of contact
Of the organization should be clear
Focus on Decisions.
The decisions taken by management to protect a particular
system, such as defining the extent to which individuals will be
held accountable for their actions on the systems, should be
explicitly stated.
Be expressed as Rules :
Who
Can do what
Modify
delete
To which specific
By job category
By organization placement
By name
Classes
Records of data
Supplemented :
Because policy may be written at a broad level,
organizations also develop :
that offer
Users
Managers
Others
a clearer approach to
Standards
Guidelines
Procedures
Implementing policy
Meeting organizational goals
Visible.
Supported by Management.
Consistent.
Other directives
Laws
Organizational culture
Guidelines
Procedures
Organizational mission
Should be considered.
Expertise
Authority
resources
Existence of Policy.
Compliance Program.
Intraorganizational Liaison.
Computer security often overlaps with other offices,
such as :
Safety
Reliability and quality assurance
Internal control
Physical security
Office of Inspector General
Risk Assessment
2.
Risk Mitigation
3.
9 Steps Methodology
Good Luck