IS 2150 / TEL 2810
Risk Management, Legal Issues, Physical Security, CC Evaluation
October 1, 2006

Agenda
- Risk Management Examples
- Legal & Ethical issues
- Physical Security
- Common Criteria

Risk Management
- The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected (NIST)

Risk Management Cycle (figure)
- Identify the Risk Areas -> Assess the Risks -> Develop Risk Management Plan -> Implement Risk Management Actions -> Re-evaluate the Risks -> (back to) Identify the Risk Areas
- The figure labels the two phases of the cycle Risk Assessment and Risk Mitigation

Risk
- The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system, resulting in an undesirable consequence (NIST)
- Likelihood of the threat occurring: the estimate of the probability that a threat will succeed in causing an undesirable event

Risk Assessment / Analysis
- A process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or of system capabilities would have
  - List the threats and vulnerabilities
  - List possible controls and their costs
  - Do a cost-benefit analysis: is the cost of the control more than the expected cost of the loss?
- The resulting analysis is used as the basis for identifying appropriate and cost-effective countermeasures
- Leads to a proper security plan

Risk Assessment steps
- Identify assets: hardware, software, data, people, supplies
- Determine vulnerabilities: intentional errors, malicious attacks, natural disasters
- Estimate likelihood of exploitation; considerations include
  - Presence of threats
  - Tenacity/strength of threats
  - Effectiveness of safeguards
- Delphi approach: raters provide independent estimates, the estimates are distributed back to the raters, and the raters re-estimate (repeating until the estimates converge)

Risk Assessment steps (2)
- Compute expected annual loss
  - Physical assets can be estimated
  - Data: protection may be required for legal reasons
- Survey applicable (new) controls
  - If the risk of unauthorized access is too high, access control hardware, software and procedures need to be re-evaluated
- Project annual savings of each control

Example 1
- Risks: disclosure of company confidential information; computation based on incorrect data
- Cost to correct data: $1,000,000 @ 10% likelihood per year: $100,000
- Effectiveness of access control software: 60%: -$60,000
- Cost of access control software: +$25,000
- Expected annual cost due to loss and controls: $100,000 - $60,000 + $25,000 = $65,000
- Savings: $100,000 - $65,000 = $35,000

Example 2
- Risk: access to unauthorized data and programs: $100,000 @ 2% likelihood per year: $2,000
- Risk: unauthorized use of computing facility: $10,000 @ 40% likelihood per year: $4,000
- Expected annual loss: $6,000
- Effectiveness of network control: 100%: -$6,000

Example 2 (2)
- Control cost
  - Hardware: +$10,000
  - Software: +$4,000
  - Support personnel: +$40,000
  - Annual cost: $54,000
- Expected annual cost ($6,000 - $6,000 + $54,000): $54,000
- Savings ($6,000 - $54,000): -$48,000
- The control costs far more per year than the loss it prevents, so it is not cost-justified

Some Arguments against Risk Analysis
- Not precise: neither the likelihood of occurrence nor the cost per occurrence can be estimated exactly
- False sense of precision: quantifying the cost provides a false sense of security
- Immutability: filed and forgotten! Needs annual updates
- No scientific foundation (not true: it rests on probability and statistics)

Laws and Security
- Federal and state laws affect privacy and secrecy
  - Rights of individuals to keep information private
- Laws regulate the use, development and ownership of data and programs
  - Patent laws, trade secrets
- Laws affect the actions that can be taken to protect secrecy, integrity and availability

Copyrights
- Designed to protect the expression of ideas
- Gives an author the exclusive right to make copies of the expression and sell them to the public
- Intellectual property (Copyright Act of 1976, in force since 1978)
  - Copyright must apply to an original work
  - The work must be fixed in a tangible medium of expression
  - Originality of the work: ideas themselves may be in the public domain
- A copyrighted object is subject to fair use

Copyright infringement
- Involves copying
- Not independent work: two people can each hold copyright on identically the same thing if each created it independently

Copyrights for computer programs
- Copyright law was amended in 1980 to include an explicit definition of software
- The program code is protected, not the algorithm
- Controls the rights to copy and distribute

Patent
- Protects innovations
- Applies to the results of science, technology and engineering
- Protects the device or process that carries out an idea, not the idea itself
- Excludes newly discovered laws of nature (e.g., 2 + 2 = 4)

Patent (2)
- Requirement of novelty
  - If two people build the same innovation, the patent is granted to the first inventor, regardless of who filed first (U.S. practice at the time of this lecture; since the America Invents Act took effect in 2013, the U.S. grants it to the first inventor to file)
  - The invention must be truly novel and unique
  - The object patented must be non-obvious
- The Patent Office examines and grants patents
- Infringement occurs even if someone independently invents the same thing without knowledge of the existing patent

Patent on computer objects
- The Patent Office has not encouraged patents for software, as software is seen as the representation of an algorithm

Trade Secret
- The information must be kept secret
- If someone discovers the secret independently, there is no infringement: the trade secret rights are gone
- Reverse engineering can be used to attack trade secrets

Computer trade secret
- The design idea is kept secret
- The executable is distributed, but the program design remains hidden

Comparison

| Computer                  | Copyright                                       | Patent                                             | Trade secret                      |
|---------------------------|-------------------------------------------------|----------------------------------------------------|-----------------------------------|
| Protects                  | Expression of idea                              | Invention                                          | Secret information                |
| Object made public        | Yes: intention is to promote                    | Design filed at patent office                      | No                                |
| Requirement to distribute | Yes                                             | No                                                 | No                                |
| Ease of filing            | Very easy, do-it-yourself                       | Very complicated; specialist lawyer suggested      | No filing                         |
| Duration                  | Life of human originator or 75 years for company | 19 years                                          | Indefinite                        |
| Legal protection          | Sue if copy sold                                | Sue if invention copied                            | Sue if secret improperly obtained |
| Examples                  | Object code, documentation                      | Hardware                                           | Source code                       |

Duration figures are the slide's; current U.S. terms are life of the author plus 70 years (works made for hire: 95 years from publication or 120 years from creation, whichever is shorter) for copyright, and 20 years from the filing date for utility patents.