IS 2150 / TEL 2810
Risk Management, Legal Issues, Physical Security, CC Evaluation
October 31, 2007

Slide outline:
- Agenda
- Risk Management
- Risk
- Risk Assessment/Analysis
- Risk Assessment steps
- Risk Assessment steps (2)
- Example 1
- Example 2
- Example 2 (2)
- Some Arguments against Risk Analysis
- Laws and Security
- Copyrights
- Copyright infringement
- Patent
- Slide 16
- Trade Secret
- Comparison
- Computer crime
- Computer Crime related laws
- Ethics
- Law vs Ethics
- Ethics Example
- Codes of ethics
- Slide 25
- Physical Security
- Physical security in security plan
- Disaster Recovery
- Physical security plan
- Contingency planning
- Disposal of Sensitive Media
- TEMPEST: Emanations protections
- What is Formal Evaluation?
- Formal Evaluation: Why?
- Mutual Recognition Arrangement
- An Evolutionary Process
- Common Criteria: Origin
- TCSEC
- TCSEC: The Original
- TCSEC Class Assurances
- TCSEC Class Assurances (continued)
- How is Evaluation Done?
- TCSEC: Evaluation Phase
- TCSEC: Problems
- Later Standards
- ITSEC: Levels
- ITSEC Problems
- Slide 48
- PP/ST Framework
- Slide 50
- Slide 51
- Documentation
- Class Decomposition
- CC Evaluation 1: Protection Profile
- CC Evaluation 2: Security Target
- Common Criteria: Functional Requirements
- Class Example: Communication
- Class Example: Privacy
- Common Criteria: Assurance Requirements
- Common Criteria: Evaluation Assurance Levels
- Common Criteria: Evaluation Process
- Defining Requirements
- Industry Responds
- Demonstrating Conformance
- Validating Test Results
- Common Criteria: Status

Agenda
- Risk Management Examples
- Legal & Ethical issues
- Physical Security
- Common Criteria

Risk Management
- The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected (NIST)
- [Figure: Risk Management Cycle. Stages: Identify the Risk Areas; Assess the Risks; Develop Risk Management Plan; Implement Risk Management Actions; Re-evaluate the Risks. Phases labelled Risk Assessment and Risk Mitigation.]

Risk
- The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence (NIST)
- The likelihood of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event

Risk Assessment/Analysis
- A process of analyzing threats to and vulnerabilities of an information system and the potential impact the loss of information or capabilities of a system would have
  - List the threats and vulnerabilities
  - List possible controls and their cost
  - Do cost-benefit analysis: is the cost of the control more than the expected cost of loss?
- The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures
- Leads to a proper security plan

Risk Assessment steps
- Identify assets: hardware, software, data, people, supplies
- Determine vulnerabilities: intentional errors, malicious attacks, natural disasters
- Estimate likelihood of exploitation; considerations include:
  - Presence of threats
  - Tenacity/strength of threats
  - Effectiveness of safeguards
  - Delphi approach: raters provide estimates that are distributed and re-estimated

Risk Assessment steps (2)
- Compute expected annual loss
  - Physical assets can be estimated
  - Data protection for legal reasons
- Survey applicable (new) controls
  - If the risk of unauthorized access is too high, access control hardware, software and procedures need to be re-evaluated
- Project annual savings of control

Example 1
- Risks: disclosure of company confidential information, computation based on incorrect data
- Cost to correct data: $1,000,000 @ 10% likelihood per year: $100,000
- Effectiveness of access control software: 60%: -$60,000
- Cost of access control software: +$25,000
- Expected annual costs due to loss and controls: $100,000 - $60,000 + $25,000 = $65,000
- Savings: $100,000 - $65,000 = $35,000

Example 2
- Risk: access to unauthorized data and programs: 100,000 @ 2% likelihood per year: $2,000
- Unauthorized use of computing facility: 100,000 @ 40% likelihood per year: $4,000
- Expected annual loss: $6,000
- Effectiveness of network control: 100%: -$6,000

Example 2 (2)
- Control cost
  - Hardware: +$10,000
  - Software: +$4,000
  - Support personnel: +$40,000
  - Annual cost: $54,000
- Expected annual cost (6,000 - 6,000 + 54,000): $54,000
- Savings (6,000 - 54,000): -$48,000

Some Arguments against Risk Analysis
- Not precise
  - Likelihood of occurrence
  - Cost per occurrence
- False sense of precision
  - Quantification of cost provides a false sense of security
- Immutability
  - Filed and forgotten! Needs annual updates
- No scientific foundation (not true)
  - Probability and statistics

Laws and Security
- Federal and state laws affect privacy and secrecy
  - Rights of individuals to keep information private
- Laws regulate the use, development and ownership of data and programs
  - Patent laws, trade secrets
- Laws affect actions that can be taken to protect secrecy, integrity and availability

Copyrights
- Designed to protect expression of ideas
- Gives an author exclusive rights to make copies of the expression and sell them to the public
- Intellectual property (copyright law of 1978)
- Copyright must apply to an original work
  - It must be done in a tangible medium of expression
- Originality of work
  - Ideas may be public domain
- Copyrighted object is subject to fair use

Copyright infringement
- Involves copying
- Not independent work
  - Two people can have copyright for identically the same thing
- Copyrights for computer programs
  - Copyright law was amended in 1980 to include an explicit definition of software
  - Program code is protected, not the algorithm
  - Controls rights to copy and distribute

Patent
- Protects innovations
  - Applies to results of science, technology and engineering
- Protects new innovations
  - Device or process to carry out an idea, not the idea itself
- Excludes newly discovered laws of nature (2+2 = 4)

Patent (continued)
- Requirements of novelty
  - If two build the same innovation, the patent is granted to the first inventor, regardless of who filed first
  - Invention should be truly novel and unique
  - Object patented must be non-obvious
- Patent Office registers patents
  - Even if someone independently invents the same thing, without knowledge of the existing patent
- Patent on computer objects
  - PO has not encouraged patents for software, as they are seen as
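The cost-benefit calculation behind Example 1 and Example 2 above (expected annual loss, loss avoided by a control, the control's own cost, and the net savings) generalizes to any list of risks and any candidate control. The following Python is an added example, not part of the lecture slides: the `Risk`, `Control` and `assess` names are assumptions of this example, and the per-event loss of $10,000 for the second risk in Example 2 is chosen so that the computed value matches the $4,000 figure the slide states.

```python
"""Annual cost-benefit check for a security control (added example, not from the slides)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    """One threat/vulnerability pair with its per-event loss and yearly likelihood."""
    name: str
    loss_per_event: float   # cost of one occurrence, in dollars
    likelihood: float       # estimated probability of occurrence per year (0..1)

    def expected_annual_loss(self) -> float:
        return self.loss_per_event * self.likelihood


@dataclass
class Control:
    """A candidate safeguard: its yearly cost items and the share of loss it prevents."""
    name: str
    effectiveness: float                                         # fraction of expected loss prevented (0..1)
    cost_items: Dict[str, float] = field(default_factory=dict)  # e.g. hardware, software, staff

    def annual_cost(self) -> float:
        return sum(self.cost_items.values())


def assess(risks: List[Risk], control: Control) -> dict:
    """Follow the slides' arithmetic:
    expected cost with control = ALE - ALE * effectiveness + control cost
    savings                    = ALE - expected cost with control
    A positive savings figure means the control pays for itself.
    """
    ale = sum(r.expected_annual_loss() for r in risks)
    avoided = ale * control.effectiveness
    cost_with_control = ale - avoided + control.annual_cost()
    savings = ale - cost_with_control
    return {
        "expected_annual_loss": round(ale, 2),
        "loss_avoided": round(avoided, 2),
        "control_cost": round(control.annual_cost(), 2),
        "expected_cost_with_control": round(cost_with_control, 2),
        "savings": round(savings, 2),
        "worth_implementing": savings > 0,
    }


# Slide Example 1: a $1,000,000 loss at 10%/year; access control software that is
# 60% effective and costs $25,000/year.
EXAMPLE_1 = assess(
    [Risk("disclosure / computation on incorrect data", loss_per_event=1_000_000, likelihood=0.10)],
    Control("access control software", effectiveness=0.60, cost_items={"software": 25_000}),
)

# Slide Example 2: two risks totalling $6,000/year; a 100% effective network control
# costing $54,000/year. Assumption of this example: the second risk is modelled as a
# $10,000 loss at 40% so that it yields the $4,000/year the slide states.
EXAMPLE_2 = assess(
    [
        Risk("access to unauthorized data and programs", loss_per_event=100_000, likelihood=0.02),
        Risk("unauthorized use of computing facility", loss_per_event=10_000, likelihood=0.40),
    ],
    Control(
        "network control",
        effectiveness=1.0,
        cost_items={"hardware": 10_000, "software": 4_000, "support personnel": 40_000},
    ),
)

if __name__ == "__main__":
    for label, result in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(label, result)
```

Running the block reproduces the slides' figures: Example 1 gives an expected annual loss of $100,000, $65,000 with the control and $35,000 savings, so the control is worth buying; Example 2 gives $6,000 expected loss, $54,000 with the control and -$48,000 savings, so the control costs far more than the loss it prevents. The same function lets an analyst re-run the numbers when likelihoods are re-estimated (for instance after a Delphi round), which is the annual update the "Immutability" objection on the slides calls for.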