Info Sec & Risk Management
Your lesson discussed several compliance laws, standards, and best practices (see the Lesson 2 activities, under the Rationale tab). The Department of Health and Human Services (the agency responsible for managing HIPAA compliance among healthcare providers) lists recent breaches at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf – think of it as their “Wall of Shame.” Find an article online that discusses a breach or violation of a regulation, such as HIPAA, or of a standard such as PCI-DSS, GLBA, or FERPA. You can also look at Federal Agencies and discuss those that have not had sufficient controls in place (think of the breach that the Office of Personnel Management had). Summarize the article in your own words and address the controls that the organization should have had in place, but didn’t, that facilitated the breach. What were the ramifications to the organization and the individuals involved?
Do NOT post the article itself or attach a Word document of your write-up; post only your summary discussion directly, with a link to the article. Follow proper APA style with a minimum of two references.

Managing Risk in Information Systems


Lesson 2
Risk Management Planning

2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.


Learning Objectives
Explain methods of mitigating risk by managing threats, vulnerabilities, and exploits.
Describe the components of an effective organizational risk management program.


Key Concepts
Risk, threats, vulnerabilities, and exploits
Public resources for risk management
Use of threat/vulnerability pairs in managing risk
Fundamental components of a risk management plan
Objectives of a risk management plan
Objectives and scope of a risk management plan
Importance of assigning responsibilities
Significance of planning, scheduling, and documentation


Chapter 2 Slides

Chapter 2: Managing Risk: Threats, Vulnerabilities, and Exploits


The Uncontrollable Nature of Threats
Threats can't be eliminated.
Threats are always present.
You can take action to reduce the potential for a threat to occur.
You can take action to reduce the impact of a threat.
You cannot affect the threat itself.


Unintentional Threats
Environmental
Human
Accidents
Failures

Intentional Threats
Greed
Anger
Desire to damage

Unintentional Threats
Environmental: fire, wind, lightning, flooding
Accidents
Equipment failures
Human: keystroke errors, procedural errors, programming bugs

Intentional Threats
Individuals or organizations: hackers, criminals, disgruntled employees

Common Attackers
Criminals
Advanced persistent threats (APTs)
Vandals
Saboteurs
Disgruntled employees
Activists
Other nations
Hackers


Best Practices for Managing Threats
Create a security policy.
Purchase insurance.
Use access controls.
Use automation.
Include input validation.
Provide training.
Use antivirus software.
Protect the boundary.

Understanding and Managing Vulnerabilities
Countermeasures reduce risk and loss
Reduce vulnerabilities
Reduce impact of loss


Threat/Vulnerability Pair
Occurs when a threat exploits a vulnerability
A vulnerability provides a path for the threat that results in a harmful event or a loss
Both the threat and the vulnerability must come together to result in a loss


Threat/Vulnerability Pair and Threat Action
Threat: Ex-employee
Vulnerability: Ex-employee who still has access to the system
Threat action: Accessing proprietary data
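The ex-employee pair above is the one threat/vulnerability pair a practitioner can close almost mechanically: compare the HR termination feed against the directory and flag every enabled account whose owner has left or is unknown. The following script is an added example written for this page, not code from the slides or the textbook; the HR feed, the directory export and the audit date are constructed sample data, and the field names (employee_id, last_logon) are assumptions about what a real export would carry.

```python
"""Find enabled accounts that belong to departed employees or have no owner.

Added example; the HR feed and directory export below are constructed sample
data, not from any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None when no HR record links to the account
    enabled: bool
    last_logon: Optional[date]


# Constructed HR feed: employee_id -> termination date
TERMINATED: Dict[str, date] = {
    "E1001": date(2024, 1, 15),
    "E1002": date(2024, 3, 1),
}

# Constructed directory export
ACCOUNTS: List[Account] = [
    Account("jdoe", "E1001", True, date(2024, 2, 20)),     # left 15 Jan, still enabled, logged on after
    Account("asmith", "E1002", False, date(2024, 2, 28)),  # left 1 Mar, correctly disabled
    Account("bwong", "E1003", True, date(2024, 3, 5)),     # current employee
    Account("svc_backup", None, True, date(2023, 6, 1)),   # no owner on record, idle for months
]

# Constructed date on which the audit is run
AS_OF = date(2024, 3, 10)


def orphaned_accounts(accounts: List[Account],
                      terminated: Dict[str, date]) -> List[Tuple[str, str]]:
    """Return (username, reason) for each enabled account whose owner has left or is unknown.

    An enabled account with a terminated owner is the vulnerability half of the
    ex-employee threat/vulnerability pair; a logon after the termination date
    means the threat action may already have occurred and warrants investigation.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.employee_id is None:
            findings.append((acct.username, "no owner in HR system"))
        elif acct.employee_id in terminated:
            term = terminated[acct.employee_id]
            reason = f"owner terminated {term.isoformat()}"
            if acct.last_logon and acct.last_logon > term:
                reason += f"; logon on {acct.last_logon.isoformat()} after termination"
            findings.append((acct.username, reason))
    return findings


def stale_accounts(accounts: List[Account], today: date,
                   max_idle_days: int = 90) -> List[str]:
    """Return enabled accounts with no logon in max_idle_days (or never); candidates for disabling."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a.username for a in accounts
            if a.enabled and (a.last_logon is None or a.last_logon < cutoff)]


if __name__ == "__main__":
    for user, reason in orphaned_accounts(ACCOUNTS, TERMINATED):
        print(f"ORPHANED {user}: {reason}")
    for user in stale_accounts(ACCOUNTS, AS_OF):
        print(f"STALE    {user}")
```

Run on a schedule, the orphaned list is the leaver check that a joiner/mover/leaver process should already guarantee; the stale list catches accounts (typically service or test accounts) that no termination feed will ever mention.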

Threat/Vulnerability Pair Example 1
Threat Source
Fire or negligent person
Vulnerability
Sprinklers used to suppress fire damage
Protective tarpaulins not in place
Threat Action
Sprinkler system turned on


Threat/Vulnerability Pair Example 2
Threat Source
Unauthorized users (e.g., hackers)
Vulnerability
Identified flaws in system design
New patches not applied
Threat Action
Unauthorized access to files


Vulnerability Mitigation Techniques
Policies and procedures
Documentation
Training
Separation of duties
Configuration management
Version control
Patch management
Intrusion detection
Incident response
Continuous monitoring
Technical controls
Physical controls

Best Practices for Managing Vulnerabilities


Identify vulnerabilities.

Match the threat/vulnerability pairs.

Use as many of the mitigation techniques as feasible.

Perform vulnerability assessments.

Understanding and Managing Exploits
An exploit is the act of taking advantage of a vulnerability
Executes a command or program against an IT system to take advantage of a weakness
Results in a compromise to the system, an application, or data


Understanding and Managing Exploits (Cont.)
Attacks executed by code primarily affect public-facing servers:
Web servers
Simple Mail Transfer Protocol (SMTP) e-mail servers
File Transfer Protocol (FTP) servers


Exploits that attack public-facing servers:
Buffer overflow
SQL injection
DoS attack
DDoS attack
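SQL injection is the one exploit in the list above that can be shown end to end in a few lines. The block below is an added example, not code from the slides: a lookup function written the way many public-facing web applications still write it (string formatting into the query text), the same lookup with a bound parameter, and a tautology payload run against both over an in-memory SQLite table with constructed rows. The "input validation" best practice from earlier in the lesson helps, but parameterization is the control that actually removes the vulnerability, which is what the second function demonstrates.

```python
"""SQL injection against a public-facing lookup, and the parameterized fix.

Added example, not from the slides; uses an in-memory SQLite database with
constructed rows. lookup_vulnerable() is deliberately unsafe.
"""
import sqlite3
from typing import Dict, List, Tuple

# Classic tautology payload: closes the string literal and appends an always-true condition
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """VULNERABLE: untrusted input is pasted into the SQL text, so it can change the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    # With PAYLOAD this becomes: ... WHERE username = '' OR '1'='1'  -> every row
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """FIXED: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    # The payload is compared literally against the column; no user has that name
    return conn.execute(sql, (username,)).fetchall()


def demo() -> Dict[str, int]:
    """Row counts returned by each variant for a normal name and for the payload."""
    conn = make_db()
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),
        "vuln_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_payload": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows} row(s)")
```

The vulnerable variant returns every row for the payload because the attacker rewrote the WHERE clause; the parameterized variant returns nothing because the database compared the whole payload string against the column. The same pattern (bound parameters, never string-built SQL) applies to every driver and ORM, and it is the control a vulnerability assessment of a public-facing server should confirm is in place.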

Risk Mitigation Techniques for Protecting Public-Facing Servers
Remove or change defaults.
Reduce the attack surface.
Keep systems up to date.
Enable firewalls.
Enable intrusion detection systems (IDSs).
Enable intrusion prevention systems (IPSs).
Install antivirus software.

Best Practices for Managing Exploits
Harden servers.
Use configuration management.
Perform risk assessments.
Perform vulnerability assessments.

U.S. Government Risk Management Initiatives
The National Institute of Standards and Technology (NIST)
The Department of Homeland Security (DHS)
The National Cybersecurity and Communications Integration Center (NCCIC)
The U.S. Computer Emergency Readiness Team (US-CERT)
The MITRE Corporation's Common Vulnerabilities and Exposures (CVE) list

Relationships Among Organizations


Lesson 3
Maintaining Compliance


Learning Objective and Key Concepts
Learning Objective
Identify compliance laws, standards, best practices, and policies of risk management.

Key Concepts
Compliance laws and regulations
U.S. risk management initiatives
Standards and guidelines used for compliance


U.S. Compliance Laws
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Children's Internet Protection Act (CIPA)


Federal Information Security Management Act (FISMA)
A U.S. federal law enacted in 2002 that requires each federal agency to develop an agency-wide program to provide information security.

Health Insurance Portability and Accountability Act (HIPAA)
Provides patients with access to their medical records and gives them more control over how their personal health information is used and disclosed.

Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Services Modernization Act of 1999; opened up the market among banking companies, securities companies, and insurance companies.
Repealed part of the Glass-Steagall Act of 1933, which prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.

Sarbanes-Oxley Act (SOX)
Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections.

Family Educational Rights and Privacy Act (FERPA)
Regulations protect the privacy of student records. FERPA applies to all schools that receive any funding from the U.S. Department of Education.

Children's Internet Protection Act (CIPA)
CIPA is one of many bills that the United States Congress proposed to limit children's exposure to pornography and explicit content online.

U.S. Compliance Laws and their Applicability
FISMA: Federal agencies
HIPAA: Any organization handling medical data
GLBA: Banks, brokerage companies, and insurance companies
FERPA: Educational institutions
CIPA: Schools and libraries using E-Rate discounts

FISMA
Federal agencies
The act recognizes the importance of information security to the economic and national security interests of the United States.

HIPAA
Medical organizations
Provides privacy standards to protect patients' medical records and other health information.

GLBA
Banks, brokerage companies, and insurance companies
Companies must securely store personal financial information.
Companies must advise consumers of their policies on sharing of personal financial information.
Companies must give consumers the option to opt out of some sharing of personal financial information.

FERPA
Educational institutions
The right to access educational records kept by the school.
The right to demand educational records be disclosed only with student consent.
The right to amend educational records.
The right to file complaints against the school for disclosing educational records in violation of FERPA.

CIPA
Schools and libraries using E-Rate discounts
To operate "a technology protection measure with respect to any of its computers with Internet access that protects against access through such computers to visual depictions that are obscene, child pornography, or harmful to minors…".
This technology protection measure must be employed during any use of computers by minors.
The law also provides that the school or library "may disable the technology protection measure concerned, during use by an adult."
Schools and libraries that do not receive E-Rate discounts do not have any obligation to filter under CIPA.

HIPAA Compliance Process
HIPAA covers any organization that handles health data
Medical facilities
Insurance companies
Any company with a health plan if employees handle health data


U.S. Compliance Regulatory Agencies

Securities and Exchange Commission (SEC)

Federal Trade Commission (FTC)


Securities and Exchange Commission (SEC)
Oversees the exchange of securities to protect investors.
Holds primary responsibility for enforcing the federal securities laws and regulating the securities industry, the nation's stocks and options exchanges, and other electronic securities markets in the United States.

Federal Trade Commission (FTC)
Created in 1914, its purpose was to prevent unfair methods of competition in commerce.
Deals with issues that touch the economic life of every American.

U.S. Compliance Regulatory Agencies
Federal Deposit Insurance Corporation (FDIC)
Department of Homeland Security (DHS)
State Attorney General (AG)
U.S. Attorney General (U.S. AG)


State Regulations
Each state has its own regulations and regulatory agencies.
Attorney General – the main legal advisor at the state level in most common law jurisdictions.

Organizational Policies for Compliance: Fiduciary Responsibility
Fiduciary
Refers to a relationship of trust
Could be a person who is trusted to hold someone else's assets
The trusted person has the responsibility to act in the other person's best interests and avoid conflicts of interest


Organizational Policies for Compliance: Fiduciary Responsibility (Cont.)
Examples of trust relationships:
An attorney and a client
A CEO and a board of directors
Shareholders and a board of directors
Fiduciary is expected to take extra steps:
Due diligence
Due care


Standards and Guidelines
PCI DSS
NIST
GAISP
COBIT
ISO
IEC
ITIL
CMMI
RMF for DoD IT
PCI DSS
Payment Card Industry Data Security Standard
A worldwide information security standard defined by the Payment Card Industry Security Standards Council.

NIST
National Institute of Standards and Technology
A measurement standards laboratory and non-regulatory agency of the United States Department of Commerce.

GAISP
Generally Accepted Information Security Principles
Industry-wide guidelines for information security.

COBIT
Control Objectives for Information and Related Technology
A set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute.

ISO
International Organization for Standardization
ISO is the world's largest developer and publisher of international standards, including those in the IT industry.

IEC
International Electrotechnical Commission
The IEC is the world's leading organization that prepares and publishes international standards for all electrical, electronic, and related technologies.

ITIL
Information Technology Infrastructure Library
A set of concepts and practices for IT service management, IT development, and IT operations.

CMMI
Capability Maturity Model Integration
A process improvement approach to management that helps organizations improve their performance.

RMF for DoD IT (as of March 2014)
Risk Management Framework (RMF) for Department of Defense Information Technology (IT), formerly the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP).
Defines DoD-wide formal and standard sets of activities, general tasks, and a management process for lifecycle cybersecurity risk to DoD IT.

PCI DSS Compliance
Created by the Payment Card Industry Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Maintained and updated by the Security Standards Council
Intended to prevent further theft of cardholder data


PCI DSS Standards
Cover the handling of cardholder data and personal identification numbers (PINs), and the software used to store, process, and/or transmit cardholder data
The standard's requirements are grouped under six goals
Merchants who store, process, and/or transmit cardholder data must comply
Merchants should establish processes that work toward the PCI DSS goals


Goals and Process Steps to PCI DSS

Goal: Build and maintain a secure network that is PCI compliant
Install a firewall system
Perform testing when configurations change
Identify all connections to cardholder data
Review firewall configuration rules at least every six months
Change all vendor-supplied default passwords

Goal: Protect cardholder data
When displaying a primary account number (PAN), show at most the first six and last four digits and mask the rest
Render stored cardholder data unreadable and encrypt it when it is transmitted over open, public networks

Goal: Maintain a vulnerability management program
Install anti-virus software
Install vendor-provided security patches

Goal: Implement strong access control measures
Limit access to cardholder data to those whose job requires it
Assign a unique ID to each person with computer access
Restrict and monitor physical access to cardholder data
Maintain a visitor log and retain it for at least three months

Goal: Regularly monitor and test networks
Use a wireless analyzer to check for unauthorized wireless access points
Scan internal and external networks
Deploy file-integrity monitoring software to detect unauthorized modification of critical files

Goal: Maintain an information security policy
Include annual and day-to-day security procedures and policies to recognize security breaches
Perform background checks on potential employees
Educate employees on compliance requirements
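The "first six and last four" masking rule under the "Protect cardholder data" goal is the one PCI DSS step that usually has to be implemented in code rather than configured, and it is the one most often got wrong in logs. The block below is an added example, not from the slides or the PCI SSC: it validates a candidate number with the Luhn checksum so that reference numbers and timestamps are not mangled, masks a PAN to at most the permitted digits, and redacts every valid PAN found in a free-text log line. The log line and the well-known test PAN 4111 1111 1111 1111 are constructed sample input.

```python
"""Mask primary account numbers (PANs) the way PCI DSS allows: at most the
first six and last four digits displayed.

Added example, not from the slides. The log line is constructed; the PAN is
the well-known test number 4111 1111 1111 1111, which passes the Luhn check.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary long numbers are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return the PAN with only the permitted leading/trailing digits visible."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most the first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (e.g. a log line) with its masked form."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


# Constructed log line: one real-format PAN plus a 13-digit reference that fails Luhn
LOG_LINE = "2024-03-01 auth card=4111 1111 1111 1111 ok; ref=1234567890123"


if __name__ == "__main__":
    print(redact_pans(LOG_LINE))
```

The Luhn filter matters in both directions: without it the redactor would damage order numbers and timestamps, and with it the masker refuses to "protect" something that was never a card number. Masking for display is not a substitute for the separate storage and transmission requirements; a masked value in a log still must not sit next to an unmasked copy elsewhere.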

Seven COBIT Enablers


ITIL Lifecycle Phases
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement


CMMI
Primary areas of interest
Product and service development
Service establishment, management, and delivery
Product and service acquisition


Risk Management Framework (RMF) for Department of Defense Information Technology (IT)
Government transitioned from DIACAP to RMF for DoD IT in March 2014
Six steps of RMF:
Step 1: Categorize system
Step 2: Select security controls
Step 3: Implement security controls
Step 4: Assess security controls
Step 5: Authorize system
Step 6: Monitor security controls


Summary
Defining risk
Balancing risk
Seven domains of a typical IT infrastructure
Addressing confidentiality, integrity, and availability
Compliance laws and regulations
U.S. risk management initiatives
Standards and guidelines used for compliance
