The document discusses information security and risk management. It covers the CIA triad of confidentiality, integrity and availability. It describes how to determine control and protection levels for each part of the CIA triad. It also discusses risk assessment, information security frameworks, privacy issues, availability through disaster recovery levels, and the Baseline Information Security for the Dutch Government (BIR).
1. Information Security and Risk Management
Draft version
WWW.IRP-MANAGEMENT.COM
page: 1 Date: 1/27/2017
Information Security and Risk Management
Hans Oosterling
July 2016
CIA Triad
How to determine Control/protection level?
Confidentiality
– Access Control
– Encryption (data at rest, e.g. databases, and data in transit over the network)
Integrity
– Data
– Systems
– Process
Availability
– Redundancy
– Roll back
– Fail-over
– Back-up
CIA Rating
How to determine Control/protection level?
Integrity levels
– Ensure that the data, system and process act as intended, without unintended changes (integrity is the opposite of corrupted or incorrect functioning)
– Challenges are software bugs, design flaws and human errors
Availability levels based on
– MOT (maximum outage time in hours)
– RTO (recovery time objective: the time to get IT systems back to their operational performance level, excluding decision time, process recovery etc.)
– RPO (recovery point objective: the amount of data loss tolerated after an incident occurs)
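Because the RTO as defined above excludes decision time and process recovery, a design whose RTO fits within the MOT can still breach it once those are added. The following added example (not part of the original slides; all figures are constructed sample values in hours) checks two candidate recovery designs against a system's MOT and RPO targets:

```python
from dataclasses import dataclass


@dataclass
class AvailabilityRequirement:
    """Availability targets for a system, in hours (constructed sample values)."""
    mot_hours: float   # maximum outage time the business tolerates
    rpo_hours: float   # maximum tolerated data loss, expressed as time


@dataclass
class RecoveryDesign:
    """Characteristics of a recovery solution (constructed sample values)."""
    backup_interval_hours: float   # time between back-ups / replication lag
    rto_hours: float               # technical restore time for IT systems only
    decision_time_hours: float     # time to declare a disaster and invoke DR
    process_recovery_hours: float  # business process catch-up after IT is back


def worst_case_data_loss(design: RecoveryDesign) -> float:
    # The RPO a design can achieve is bounded by its back-up interval:
    # an incident just before the next back-up loses a full interval.
    return design.backup_interval_hours


def total_outage(design: RecoveryDesign) -> float:
    # RTO deliberately excludes decision time and process recovery,
    # so all three must be added before comparing against the MOT.
    return design.decision_time_hours + design.rto_hours + design.process_recovery_hours


def evaluate(req: AvailabilityRequirement, design: RecoveryDesign) -> dict:
    """Return the achieved outage/data-loss figures and whether each target is met."""
    outage = total_outage(design)
    loss = worst_case_data_loss(design)
    return {
        "outage_hours": outage,
        "meets_mot": outage <= req.mot_hours,
        "data_loss_hours": loss,
        "meets_rpo": loss <= req.rpo_hours,
    }


if __name__ == "__main__":
    req = AvailabilityRequirement(mot_hours=8, rpo_hours=1)
    nightly = RecoveryDesign(24, rto_hours=4, decision_time_hours=3, process_recovery_hours=2)
    mirrored = RecoveryDesign(0.25, rto_hours=1, decision_time_hours=3, process_recovery_hours=2)
    for name, design in (("nightly back-up", nightly), ("hot fail-over", mirrored)):
        print(name, evaluate(req, design))
```

The nightly design has an RTO of 4 hours, well inside the 8-hour MOT, yet fails once decision time and process recovery are counted, and its 24-hour back-up interval cannot meet a 1-hour RPO.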
CIA Rate Determination: Confidentiality
Per criterion a specific set of questions
CIA Rate Determination: Integrity
Per criterion a specific set of questions
CIA Rate Determination: Availability
Per criterion a specific set of questions
Countermeasures / Controls
Examples (1)
C3: access control with multi-factor authentication
C2: access logged and traceable
I3: every release must be regression tested
I4: software inspection on malicious components
A4: hot fail-over and mirroring
I2: database logging
C4: account checks and four-eyes principle on the account creation process
C4: (suspicious) event monitoring
A3: roll-back mechanism in place
Countermeasures / Controls
Examples (2)
xx3 applications: tracking of the change process
xx2: production support logged and traceable
xx3: if outsourced, an external audit (SAS70) is performed twice a year
C4: yearly background check of people with access rights
A4: actual recovery test twice a year
----------------------
Measures and Controls:
– Proof of Design
– Proof of Operational Effectiveness
– Integrated approach: People, Process and IT
Risk Assessment (2)
Qualitative risk matrix: likelihood versus consequences (= impact)
Values are business or industry specific
Risk Assessment (3)
Total Risk is the full risk amount before a control is put in place
Residual Risk is the risk remaining after implementing the control
Threats x Vulnerability x Asset Value = Total Risk
Total Risk - Countermeasures = Residual Risk
Asset Value x Exposure Factor = SLE (Single Loss Expectancy)
SLE x Annualized Rate of Occurrence (ARO) = ALE (Annual Loss Expectancy)
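The SLE/ALE formulas above are what make residual risk comparable with the cost of a countermeasure. The following added example (not from the original slides; asset value, exposure factor, ARO and control cost are constructed sample values, and the cost/benefit rule "ALE before minus ALE after minus annual control cost" is an assumed standard extension of the slide) computes the annual value of a control:

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One threat/asset pair (constructed sample values)."""
    name: str
    asset_value: float      # business value of the asset, in euro
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence, incidents per year


@dataclass
class Countermeasure:
    """A control that lowers the exposure factor and/or the ARO at a yearly cost."""
    name: str
    annual_cost: float
    new_exposure_factor: float
    new_aro: float


def sle(asset_value: float, exposure_factor: float) -> float:
    # Single Loss Expectancy = Asset Value x Exposure Factor
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    # Annual Loss Expectancy = SLE x ARO
    return sle(asset_value, exposure_factor) * aro


def total_ale(scenario: RiskScenario) -> float:
    return ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)


def residual_ale(scenario: RiskScenario, control: Countermeasure) -> float:
    # ALE after the control: the asset keeps its value, exposure and frequency drop
    return ale(scenario.asset_value, control.new_exposure_factor, control.new_aro)


def control_value(scenario: RiskScenario, control: Countermeasure) -> float:
    """Annual value of the control (assumed rule): ALE before - ALE after - annual cost.
    A positive result means the risk reduction is worth more than the control costs."""
    return total_ale(scenario) - residual_ale(scenario, control) - control.annual_cost


if __name__ == "__main__":
    db_leak = RiskScenario("customer database leak", asset_value=500_000, exposure_factor=0.4, aro=0.5)
    encrypt = Countermeasure("encryption at rest + key management", 30_000, 0.1, 0.5)
    print("ALE before:", total_ale(db_leak), "residual ALE:", residual_ale(db_leak, encrypt))
    print("annual value of control:", control_value(db_leak, encrypt))
```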
Information Security Framework (1)
British Standard 7799 (BS7799)
ISO 27000 series
– Outline Control Objectives
– Security measures to meet these control objectives (Deming cycle: Plan, Do, Check, Act)
Information Security Framework (2)
It is important to set up an integrated security program covering a wide range of topics (ISO/IEC 27002):
– Information Security Policy (mapped to business objectives, management support etc.)
– Creation of an Information Security Infrastructure (organisation, roles, responsibilities, reviews)
– Personnel security (employment life-cycle)
– Asset classification
– Access Control (RBAC, authentication methods, monitoring etc.)
– Encryption
– Physical and environmental security (restricted areas, server room locked etc.)
– Operations management (incident handling, change control, communications etc.)
– Communications Security (network, information transfer)
– System acquisition and maintenance (implement security measures throughout the system lifecycle: cryptography, integrity protection, SW vendor auditing etc.)
– Supplier relationships
– Information security incident management
– Business Continuity (counter disruptive incidents)
– Compliance (comply with regulatory, statutory and contractual requirements)
IT Audit of External Service Providers
SAS70 (succeeded by ISAE 3402)
Topics in scope:
– Service Level Management
– Configuration management
– Change management
– Incident Management
– Problem Management
– Security
– Availability
Privacy (1)
“Right to be let alone”
– Physical privacy: the ability to maintain one's own physical space or solitude
– Information privacy: the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others
Privacy risks
– Inaccurate, insufficient or out-of-date data
– Excessive or irrelevant
– Kept for too long
– Inappropriately used
– Not kept securely
Privacy (2)
Privacy Impact Analysis (PIA)
– New ICT projects or alongside the IT development process
– Apply to existing information flows
– PIA steps to be taken:
1. Identify the need for a PIA
2. Describe the information flows in scope
3. Identify the privacy and related risks (corporate reputational risk etc.)
4. Identify and evaluate privacy solutions
5. Sign off and record the outcome of the PIA
6. Integrate the outcome back into the project or IT developments
Acceptance versus privacy risk mitigation
Regulations on disclosing data leaks and mandatory breach notification
Availability:
Disaster Recovery Levels
Data Centre Recovery Stages
0 No off-site data (possibly no recovery)
1 Data back-up (physical transport to secondary site), no applications at the secondary site
2 Data back-up (physical transport to secondary site), applications available at the secondary site (hot site)
3 Electronic vaulting (back-up data sent over the network in batches, probably at midnight)
4 Point-in-time copies (real-time back-ups)
5 Transaction integrity
6 Zero (or near zero) data loss
7 Highly automated, business-integrated solution
Data Recovery Testing Levels
0 No testing
1 Desk testing (paper based)
2 Simulation test in an isolated environment
3 Exercise without production data
4 Production exercise light, with production data (outside business hours)
5 Production exercise full, at a single platform (during business hours)
6 Production exercise full, at multiple platforms
7 Data centre down scenario
Availability:
Disaster Recovery Testing
Diagram: fail-over from the primary site to the secondary site after an incident, recovery at the secondary site, and the way back to the primary site
Data Recovery
o Transactional
o Referential (static data)
o Keep integrity and consistency
Business Continuity
o Process, People and IT
o Security measures
• Proof of Design
• Proof of Operational Effectiveness
Baseline Informatiebeveiliging Rijksoverheid (BIR) (1)
Taking into account Dutch law and regulations
– Wet Bescherming Persoonsgegevens (WBP)
– Wet Particuliere Beveiligingsorganisaties en Recherchebureaus (WBPR)
– Wet Veiligheidsonderzoeken (WVO)
– Wet Politiegegevens (WPG)
– Ambtenarenwet
– Voorschrift Informatiebeveiliging Rijksdienst (VIR 2007)
– Voorschrift Informatiebeveiliging Rijksdienst – Bijzondere informatie (VIRBI2012)
– Beveiligingsvoorschrift 2005 (BVR)
– Algemeen Rijksambtenarenreglement (ARAR)
– Uitgangspunten online communicatie rijksambtenaren
– Programma van Eisen PKI Overheid
– Code voor Informatiebeveiliging
– Telecommunication Infrastructure Standard for Data Centers (TIA-942)
Baseline Informatiebeveiliging Rijksoverheid (BIR) (2)
Based on ISO/IEC 27002
– Principles and policies
– Structure and Organisation
– Asset management
– HR and personnel
– Physical and environmental security
– Operations Security
– Access Control
– Acquisition
– Encryption
– Security Incident and Event Management
– Continuity
– Compliance