Homework: Send Alex a private message asking what section of - - PowerPoint PPT Presentation
Homework: Send Alex a private message asking what section of HiTrust to look at 1 pa page resp sponse onse about out a HiTrus ust Objec ecti tive Su Submit mit PDF F to home mewor ork k eng ngine HiTrus ust PDF
■ Send Alex a private message asking what section of HiTrust to look at – 1 pa page resp sponse
ust Objec ecti tive – Su Submit mit PDF F to home mewor
k eng ngine – HiTrus ust PDF on n home mework eng ngine e + ■ Submit your UPDATED resume to be reviewed by SecDev by Sunday 11:59pm (October 28, 2018)
BY ALE LEXAND NDER ER BITAR
■ B.S.
usine ness ss Admini inist stra rati tion
ing 2017 – Concentration: MIS – IS & T Auditor Internship – Sodexo – 2017 ■ Master er of Scien ence ce in MIS – Spring ng 2019 – Security Development Track – Certificate in Information Assurance – TA for MGS 351 – Information Risk Assurance Internship - Blue Cross Blue Shield of WNY – 2018 – President of ISACA Student Group UB
Year Skydiving Fatalities in U.S. Estimated Annual Jumps Fatalities Per 1,000 Jumps 2017 24 3.2 million 0.0075 2016 21 3.2 million 0.0065 2015 21 3.5 million 0.0061 2014 24 3.2 million 0.0075
■ What is risk? ■ What do we do with Risks? – Personally – An organization
■ The pot poten entia ial l of losin ing g something of value. ■ Informati rmation
ecurit urity y ris isks – are risks as they apply to data assets.
■ Information Security Policies ■ Organization of Information Security ■ Human Resources Security ■ Asset Management ■ Access Control ■ Encryption ■ Physical and Environmental Security ■ Operations Security
■ Communications Security ■ System Acquisition, Development, and Maintenance ■ Supplier Relationships ■ Information Security Incident Management ■ Information Security Aspects of Business Continuity Management ■ Compliance ■ Career and Workforce Development ■ Security Awareness
■ Financial ■ Vendor Driven ■ Accidental ■ Internal ■ Civil ■ Legal ■ Natural Disasters or Environmental
■ Impa mpact ct - If a threat were to materialize, how could it affect our business? ■ Likel eliho hood d –what is the probability of a threat materializing? ■ Risk = Likel eliho ihood
mpact ct – Likelihood - chanc nce of a risk event occurring – Impact - Fina nanc ncial ial impact of the risk event
■ Take the risk ■ Avoid the risk ■ Accept the risk ■ Ignore the risk ■ Transfer the risk ■ Exploit the risk
■ Threat eat Agents ents- Malicious hacker, Employees, Other Organizations, etc. ■ Threats eats – something that can cause harm to an organization. Can be internal or External – DDOS Attack – Snow storm ■ Owners ers- People within the organization that are responsible for an asset or process – Director of Payroll ■ Asset ets – anything of value to an organization – Web Servers – Payroll Applications ■ Count nter er Measure sures – Any controls that are put in place to reduce the threat – MFA – Privileged Access Management process
■ Coun unter r Measures res – Any contr ntrols s that are put in place to reduce the threat – MFA – Privileged Access Management process ■ Contr ntrols
igat ate risk
■ What risk do we deal with when driving a car? ■ How to deal with those risks? – What controls are in place to mitigate those risks?
■ Your team (4 people) have been hired by SUNY UB to implement a security framework for various compliance. ■ First things first, you will need to setup a risk management plan. ■ SUNY UB is a large organization, one of the largest university of the SUNY
~12 Schools, ~40 Departments. ■ Let’s discuss
■ Scope & boundary – What are we working within? ■ Resources – What resources do we have at our disposal? – 1 vs 100 ■ Criteria – What constitutes a risk to the organization? Is it being measured consistently? ■ Policy – Do we have policy in place? ■ Enforcement – Who will enforce this? ■ Information Classification and Handling – Do we know what we need to protect?
Invent entor
Own wnership hip Ac Accep cepta tabl ble Use Imp mpact ct to the busine usiness ss
Physical Access Network User Software Hardware Operational Procedural and Policy Information and Data
Active Directory (User Management) Students’ Computers Exchange (Email) Wifi File Servers UBLearns Print Servers Research Assets VoIP System Hypervisor (Virtualization) Network (Switches & Routers) Classrooms Workstations Software Server Rooms Sensitive Data/Information Offices UBHub
Asset Asset Invent ntor
y & Us & Use UBHub
Exchange (Email)
Server Rooms
■ Internal ernal to our organization
■ Ex Externa ernal to our organization
■ Similar to Threats, But within our control ■ Weaknesses or gap ■ Not just techn hnical cal controls ■ Usually specific ■ What t is the e Likel eliho ihood
loita tati tion
■ How w can it be exploit loited ed?
Asset et Asset et Invent ntor
Thre reats ats Vulnera erabiliti ties UBHub
Legal Exchang ange (Email)
Legal
behind
Server r Ro Rooms
■ Follow consistent criteria and measurements ■ Prioritize and plan (risk treatment) ■ Risk Register & Matrix ■ Impact ■ Likelihood ■ Security Frameworks
■ Qualitative - Impact + Likelihood ■ Quantitative – Using #’s
Asset Threat ats Vulnerab erabil iliti ties es Impa mpact ct Likelihood ihood Risk UBHub Hub
Legal
Medium Low Medium um Exch chan ange ge (Email) il)
Legal
behind
Medium Low Medium um Server er Rooms
High Medium High
Asset et Thre reats ats Vulnera erabiliti ties Imp mpact ct Likeli elihoo hood Risk sk UBHub
Legal
$1.5M 3 $4.5M Exchange (Email)
Legal
behind
$1M 2 $2M Server Rooms
$3M 6 $18M
Avoid Mitigate Transfer/Share Accept
Asset et Vulnera erabiliti ties Risk sk POA&M or Risk sk Treatme tment nt UBHub
Medium
Privilege Principle)
Exchange (Email)
behind
Medium
Privilege Principle)
Server Rooms
High
equipment
Asset Vul ulne nerabiliti rabilities es Risk sk POA&M &M or Risk sk Treatme atment nt UBHub
Medium
(Least Privilege Principle)
Medium
High
Documentation with screenshots
○
Governance
○
Risk
○
Compliance
controls work on an annual basis
Asset Vulnerab erabil iliti ties es Risk POA&M or Risk sk Treatme tment nt Yearly y Check eck
UBHub
access Medium
(Least Privilege Principle)
DATO needed
Documentation
Knowledge Medium
testing environment
High
Documentation with screenshots
Risk Mitigated
d to Know
Least ast Pri rivi vilege ege
■ What regulations affect our
■ HIPAA ■ FERPA ■ FISMA ■ State Laws – NY DFS ■ International Laws - GDPR ■ What Industry Standards affect our
■ PCI – DSS
■ COBIT ■ ISO 27000 Series – 27001 ■ NIST SP 800 Series – NIST 800-53 ■ HiTrust CSF (Current version is 9.1) – Health Care
■ Frameworks tell organizations what controls should be in place ■ Standards + Regulations affect the organization – Frameworks pr prescribe escribe controls to “Treat eat” those Industry Standards + Regulations
■ Recomm commen ende ded d by Risk management ■ As Assu sured red by Internal Audit
Securit ity y Operat atio ions ns IT Risk k Manageme agement nt IT Audit it Interna ernal Audit
○
Scope, Boundaries
○
Auditing and Reviews
○
Asset Risk Level
○
Threat Risks
○
Vulnerability Risks
■ https://uspa.org/Find/FAQs/Safety