
Risk is defined as
- The possibility of loss or injury; someone or something that creates or suggests a hazard; and the degree of probability of such loss
- The probability of an adverse outcome

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security management is a process of defining the security controls in order to protect the information assets.

Security Program
The first action of a management program to implement information security is to have a security program in place.

Security Program Objectives
- Protect the company and its assets.
- Manage risks by identifying assets, discovering threats and estimating the risk.
- Provide direction for security activities by framing information security policies, procedures, standards, guidelines and baselines.
- Information classification
- Security organization
- Security education

Security Management Responsibilities
- Determining objectives, scope, policies, priorities, standards, and strategies.
- Determine actual goals that are expected to be accomplished from a security program.
- Evaluate business objectives, security risks, user productivity, and functionality requirements.
- Define steps to ensure that all the above are accounted for and properly addressed.

Security Controls
Security controls can be classified into three categories.

Administrative Controls, which include
- Developing and publishing of policies, standards, procedures, and guidelines.
- Screening of personnel.
- Conducting security-awareness training.
- Implementing change control procedures.

Technical or Logical Controls, which include
- Implementing and maintaining access control mechanisms.
- Password and resource management.
- Identification and authentication methods.
- Security devices.
- Configuration of the infrastructure.

Physical Controls, which include
- Controlling individual access into the facility and different departments.
- Locking systems and removing unnecessary floppy or CD-ROM drives.
- Protecting the perimeter of the facility.
- Monitoring for intrusion.
- Environmental controls.

The Elements of Security

Vulnerability

It is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. Eg. a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security etc.

Threat

Any potential danger to information or systems. A threat is the possibility that someone (person, s/w) would identify and exploit the vulnerability. The entity that takes advantage of a vulnerability is referred to as a threat agent. Eg. A threat agent could be an intruder accessing the network through a port on the firewall.

Risk

Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. Reducing the vulnerability and/or the threat reduces the risk.

Eg. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner.

Exposure

An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to possible damages. Eg. If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.

Countermeasure or Safeguard

It is an application, a s/w configuration, h/w, or a procedure that mitigates the risk. Eg. strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.

Core Information Security Principles

The three fundamental principles of security are availability, integrity, and confidentiality, commonly referred to as the CIA or AIC triad, which also form the main objective of any security program. The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements. All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles. All risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

Confidentiality

Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
Threat sources
- Network monitoring
- Shoulder surfing - monitoring key strokes or screen
- Stealing password files
- Social engineering - one person posing as the actual
Countermeasures
- Encrypting data as it is stored and transmitted.
- By using network padding
- Implementing strict access control mechanisms and data classification
- Training personnel on proper procedures.

Integrity

Integrity of data is protected when the assurance of accuracy and reliability of information and systems is provided, and unauthorized modification is prevented.
Threat sources
- Viruses
- Logic bombs
- Backdoors
Countermeasures
- Strict access control
- Intrusion detection
- Hashing

Availability

Availability ensures reliable and timely access to data and resources for authorized individuals.
Threat sources
- Device or software failure.
- Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability.
- Denial-of-service (DoS) attacks
Countermeasures
- Maintaining backups to replace the failed system
- IDS to monitor the network traffic and host system activities
- Use of certain firewall and router configurations

Security Governance
Security Policies, Procedures, Standards, Guidelines, and Baselines

Policies
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A well designed policy addresses:
1. What is being secured? - Typically an asset.
2. Who is expected to comply with the policy? - Typically employees.
3. Where is the vulnerability, threat or risk? - Typically an issue of integrity or responsibility.

Types of Policies

Regulatory. This type of policy ensures that the organization is following standards set by specific industry regulations. This policy type is very detailed and specific to a type of industry. It is used in financial institutions, health care facilities, public utilities, and other government-regulated industries. Eg. TRAI.

Advisory. This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.

Informative. This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations.

Organizational Security Models

Some of the best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).

COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

Key concepts of the COSO framework
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is affected by people. It's not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.

ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.

COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

Overview
COBIT has 34 high level processes that cover 210 control objectives categorized in four domains:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring

Information Risk Management

Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.

Risk Management Concepts

Categories of Risks
- Physical damage - Fire, water, vandalism, power loss, and natural disasters
- Human interaction - Accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction - Failure of systems and peripheral devices
- Inside and outside attacks - Hacking, cracking, and attacking
- Misuse of data - Sharing trade secrets, fraud, espionage, and theft
- Loss of data - Intentional or unintentional loss of information through destructive means
- Application error - Computation errors, input errors, and buffer overflows
- Social status - Loss of customer base and reputation

Security Tip: The threats need to be identified, classified by category, and evaluated to calculate their actual magnitude of potential loss. Real risk is hard to measure, but prioritizing the potential risks in order of which risk needs to be addressed first is attainable.

Defining a Risk Management Policy

The IRM policy provides the infrastructure for the organization's risk management processes and procedures.
Characteristics of an IRM policy
- It should address all issues of information security, from personnel screening and the insider threat to physical security and firewalls.
- It should provide direction on how the IRM team relates information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.

The IRM policy should be a subset of the organization's overall risk management policy and should be mapped to the organizational security policies. The IRM policy should address the following items:
- Define the objectives of the IRM team
- Level of risk the company will accept and what is considered an acceptable risk
- Formal processes of risk identification
- Connection between the IRM policy and the organization's strategic planning processes
- Responsibilities that fall under IRM and the roles that are to fulfill them
- Mapping of risk to internal controls
- Approach for changing staff behaviors and resource allocation in response to risk analysis
- Mapping of risks to performance targets and budgets
- Key indicators to monitor the effectiveness of controls

The Risk Analysis Activities

- Identifying assets and their values
- Identifying the vulnerabilities and threats
- Analyzing the risk - two approaches
  - Quantitative approach
  - Qualitative approach
- Selecting and implementing a countermeasure

Identify the Vulnerabilities and Threats
There are many types of threat agents that can take advantage of several types of vulnerabilities, resulting in a variety of specific threats.

Threat Agent | Can Exploit This Vulnerability | Resulting in This Threat
Virus | Lack of antivirus software | Virus infection
Hacker | Powerful services running on a server | Unauthorized access to confidential information
Users | Misconfigured parameter in the operating system | System malfunction
Fire | Lack of fire extinguishers | Facility and computer damage, and possibly loss of life
Employee | Lack of training or standards enforcement; lack of auditing | Sharing mission-critical information; altering data inputs and outputs from data processing applications
Contractor | Lax access control mechanisms | Stealing trade secrets
Attacker | Poorly written application; lack of stringent firewall settings | Conducting a buffer overflow; conducting a denial-of-service attack
Intruder | Lack of security guard | Breaking windows and stealing computers and devices
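The risk analysis activities above, worked through on rows of the threat table as an added example (not part of these notes): a qualitative register scores each threat agent / vulnerability / threat row as likelihood x impact, a countermeasure is applied to obtain the residual risk, and what remains is ordered against the acceptable-risk level the IRM policy sets. The 1 to 5 rating scales, the ratings themselves and the appetite value of 9 are assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    agent: str            # threat agent from the table (Virus, Hacker, Fire, ...)
    vulnerability: str    # the weakness the agent can exploit
    threat: str           # the resulting threat
    likelihood: int       # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int           # assumed scale 1 (negligible) .. 5 (severe) business impact
    countermeasures: tuple = ()

    def score(self) -> int:
        """Qualitative risk rating: likelihood x impact, 1..25."""
        return self.likelihood * self.impact


def mitigate(risk: Risk, countermeasure: str,
             likelihood_drop: int = 0, impact_drop: int = 0) -> Risk:
    """Residual risk after a safeguard lowers likelihood and/or impact.
    Ratings never drop below 1: a countermeasure reduces risk, it does not remove the threat."""
    if likelihood_drop < 0 or impact_drop < 0:
        raise ValueError("rating reductions must be non-negative")
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_drop),
                   impact=max(1, risk.impact - impact_drop),
                   countermeasures=risk.countermeasures + (countermeasure,))


def prioritize(register: list) -> list:
    """Highest score first: the order in which the risks should be addressed."""
    return sorted(register, key=lambda r: (-r.score(), r.agent))


def above_appetite(register: list, acceptable: int) -> list:
    """Risks whose (residual) score still exceeds the level the company will accept."""
    return [r for r in prioritize(register) if r.score() > acceptable]


# Constructed register: rows taken from the threat table, ratings assumed for illustration.
REGISTER = [
    Risk("Virus", "Lack of antivirus software", "Virus infection", 5, 3),
    Risk("Hacker", "Powerful services running on a server",
         "Unauthorized access to confidential information", 3, 5),
    Risk("Fire", "Lack of fire extinguishers",
         "Facility and computer damage, and possibly loss of life", 1, 5),
    Risk("Attacker", "Lack of stringent firewall settings",
         "Conducting a denial-of-service attack", 4, 3),
]

if __name__ == "__main__":
    # Stringent firewall settings (a countermeasure from the table) cut the DoS likelihood by 2.
    hardened = [mitigate(r, "Stringent firewall settings", likelihood_drop=2)
                if r.agent == "Attacker" else r for r in REGISTER]
    print([(r.agent, r.score()) for r in above_appetite(hardened, acceptable=9)])
```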

Ethics
Ethics is the field of study concerned with questions of value, that is, judgments about what type of human behavior is good or bad in any given situation. Ethics are the standards, values, morals, principles, etc., on which to base one's decisions or actions; often, there is no clear right or wrong answer.

Basic Concepts
Computer Ethics
The term "computer ethics" is open to interpretations both broad and narrow.

On the narrow side, computer ethics might be understood as the efforts of professional philosophers to apply traditional ethical theories like utilitarianism, Kantianism, or virtue ethics to issues regarding the use of computer technology. On the broad side, it can be understood as standards of professional practice, codes of conduct, aspects of computer law, public policy, corporate ethics, and even certain topics in the sociology and psychology of computing.
