Pitt IS 2150 - Physical Security

IS 2150 / TEL 2810
Risk Management, Legal Issues, Physical Security, CC Evaluation
October 1, 2006

Agenda
- Risk Management Examples
- Legal & Ethical issues
- Physical Security
- Common Criteria

Risk Management
- The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected (NIST)

[Figure: Risk Management Cycle. Phases shown: Identify the Risk Areas; Assess the Risks; Develop Risk Management Plan; Implement Risk Management Actions; Re-evaluate the Risks. The cycle is labelled with the two halves Risk Assessment and Risk Mitigation.]

Risk
- The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence (NIST)
- Likelihood of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event

Risk Assessment/Analysis
- A process of analyzing threats to and vulnerabilities of an information system and the potential impact the loss of information or capabilities of a system would have
  - List the threats and vulnerabilities
  - List possible controls and their cost
  - Do cost-benefit analysis: is the cost of the control more than the expected cost of loss?
- The resulting analysis is used as a basis for identifying appropriate and cost-effective countermeasures
- Leads to proper security plan

Risk Assessment steps
- Identify assets
  - Hardware, software, data, people, supplies
- Determine vulnerabilities
  - Intentional errors, malicious attacks, natural disasters
- Estimate likelihood of exploitation
  - Considerations include
    - Presence of threats
    - Tenacity/strength of threats
    - Effectiveness of safeguards
  - Delphi approach
    - Raters provide estimates that are distributed and re-estimated

Risk Assessment steps (2)
- Compute expected annual loss
  - Physical assets can be estimated
  - Data protection for legal reasons
- Survey applicable (new) controls
  - If the risk of unauthorized access is too high, access control hardware, software and procedures need to be re-evaluated
- Project annual savings of control

Example 1
- Risks: disclosure of company confidential information, computation based on incorrect data
- Cost to correct data: $1,000,000 @ 10% likelihood per year: $100,000
- Effectiveness of access control software: 60%: -$60,000
- Cost of access control software: +$25,000
- Expected annual costs due to loss and controls: $100,000 - $60,000 + $25,000 = $65,000
- Savings: $100,000 - $65,000 = $35,000

Example 2
- Risk: Access to unauthorized data and programs
  - 100,000 @ 2% likelihood per year: $2,000
- Unauthorized use of computing facility
  - 100,000 @ 40% likelihood per year: $4,000
- Expected annual loss: $6,000
- Effectiveness of network control: 100%: -$6,000

Example 2 (2)
- Control cost
  - Hardware +$10,000
  - Software +$4,000
  - Support personnel +$40,000
  - Annual cost $54,000
- Expected annual cost (6,000 - 6,000 + 54,000): $54,000
- Savings (6,000 - 54,000): -$48,000

Some Arguments against Risk Analysis
- Not precise
  - Likelihood of occurrence
  - Cost per occurrence
- False sense of precision
  - Quantification of cost provides false sense of security
- Immutability
  - Filed and forgotten!
  - Needs annual updates
- No scientific foundation (not true)
  - Probability and statistics

Laws and Security
- Federal and state laws affect privacy and secrecy
  - Rights of individuals to keep information private
- Laws regulate the use, development and ownership of data and programs
  - Patent laws, trade secrets
- Laws affect actions that can be taken to protect secrecy, integrity and availability

Copyrights
- Designed to protect expression of ideas
- Gives an author exclusive rights to make copies of the expression and sell them to the public
  - Intellectual property (copyright law of 1978)
- Copyright must apply to an original work
- It must be done in a tangible medium of expression
- Originality of work
  - Ideas may be public domain
- Copyrighted object is subject to fair use

Copyright infringement
- Involves copying
- Not independent work
  - Two people can each hold copyright on the identical thing

Copyrights for computer programs
- Copyright law was amended in 1980 to include an explicit definition of software
- Program code is protected, not the algorithm
- Controls rights to copy and distribute

Patent
- Protects innovations
- Applies to results of science, technology and engineering
- Protects new innovations
  - Device or process to carry out an idea, not the idea itself
  - Excludes newly discovered laws of nature (e.g., 2+2 = 4)

Patent (2)
- Requirements of novelty
  - If two build the same innovation, the patent is granted to the first inventor, regardless of who filed first
  - Invention should be truly novel and unique
  - Object patented must be non-obvious
- Patent Office registers patents
  - Even if someone independently invents the same thing, without knowledge of the existing patent
- Patent on computer objects
  - PO has not encouraged patents for software, as they are seen as representation of an algorithm

Trade Secret
- Information must be kept secret
- If someone discovers the secret independently, then there is no infringement; trade secret rights are gone
- Reverse-engineering can be used to attack trade secrets
- Computer trade secret
  - Design idea kept secret
  - Executable distributed but program design remains hidden

Comparison

                            Copyright                         Patent                                        Trade secret
Protects                    Expression of idea                Invention                                     Secret information
Object made public          Yes: intention is to promote      Design filed at patent office                 No
Requirement to distribute   Yes                               No                                            No
Ease of filing              Very easy, do-it-yourself         Very complicated; specialist lawyer suggested No filing
Duration                    Life of human originator or       19 years                                      Indefinite
                            75 years of company
Legal protection            Sue if copy sold                  Sue if invention copied                       Sue if secret improperly obtained
Examples                    Object code, documentation        Hardware                                      Source code
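The two risk-analysis examples above all follow the same arithmetic: expected annual loss = loss per occurrence x annual likelihood, summed over risks; a control removes its effectiveness share of that loss and adds its own annual cost; savings = expected loss without the control minus expected annual cost with it. The following Python block is an added worked example, not code from the slides, that carries that computation through for both examples and decides whether a control pays for itself. The Risk and Control classes and the function names are my own. One assumption: the slide states the second risk in Example 2 as "100,000 @ 40%" but gives its result as $4,000; the inputs below use $10,000 @ 40% so that the computed figure matches the slide's stated $4,000 and $6,000 totals.

```python
"""Expected annual loss and control cost-benefit, following the lecture's examples.

Added example (not part of the original slides). A Risk is a loss per
occurrence and an annual likelihood; a Control is an effectiveness (fraction
of the expected loss it prevents) and an annual cost.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_occurrence: float  # dollars lost each time the event happens
    annual_likelihood: float    # probability of the event in one year, 0..1

    def expected_annual_loss(self) -> float:
        # Annual loss expectancy for this single risk.
        return self.loss_per_occurrence * self.annual_likelihood


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of the expected loss the control prevents, 0..1
    annual_cost: float    # hardware + software + personnel per year, dollars


def expected_annual_loss(risks: Iterable[Risk]) -> float:
    """Sum of annual loss expectancies over all listed risks."""
    return sum(r.expected_annual_loss() for r in risks)


def cost_benefit(risks: Iterable[Risk], control: Control) -> dict:
    """Apply the slides' formula: expected cost = loss - prevented + control cost;
    savings = loss - expected cost. A negative saving means the control costs
    more than the loss it averts."""
    risks = list(risks)
    loss = expected_annual_loss(risks)
    prevented = control.effectiveness * loss
    expected_cost = loss - prevented + control.annual_cost
    savings = loss - expected_cost
    return {
        "expected_loss": round(loss, 2),
        "prevented": round(prevented, 2),
        "expected_cost": round(expected_cost, 2),
        "savings": round(savings, 2),
        "worthwhile": savings > 0,
    }


def example_1() -> dict:
    # Slide "Example 1": $1,000,000 to correct data @ 10%/year; access control
    # software 60% effective, $25,000/year.
    risks = [Risk("computation based on incorrect data", 1_000_000, 0.10)]
    control = Control("access control software", 0.60, 25_000)
    return cost_benefit(risks, control)


def example_2() -> dict:
    # Slide "Example 2": two risks, network control 100% effective.
    # ASSUMPTION: the second risk is entered as $10,000 @ 40% so that it yields
    # the slide's stated $4,000 (the slide prints "100,000 @ 40%").
    risks = [
        Risk("access to unauthorized data and programs", 100_000, 0.02),
        Risk("unauthorized use of computing facility", 10_000, 0.40),
    ]
    hardware, software, support = 10_000, 4_000, 40_000
    control = Control("network control", 1.0, hardware + software + support)
    return cost_benefit(risks, control)


if __name__ == "__main__":
    for label, result in (("Example 1", example_1()), ("Example 2", example_2())):
        print(label)
        for key, value in result.items():
            print(f"  {key:>14}: {value}")
```

Running the block reproduces the slides: Example 1 yields an expected cost of $65,000 and a saving of $35,000 (worthwhile), while Example 2 yields an expected cost of $54,000 and a saving of -$48,000, the case where the control is more expensive than the loss it prevents.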

