Thursday, January 30, 2014

Week 8: Risk Assessment for Identification and the TVA (Threats-Vulnerabilities-Assets) Worksheet.

Week 8. Risk Assessment.


Risk identification begins with the process of self-examination. At this stage, managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by their overall importance.
This can be a daunting task, but it must be done to identify weaknesses and the threats they present.
The list below outlines the risk identification process.


- Plan and Organize Process
- Create System Component Categories
- Develop Inventory of Assets and Identify Threats
- Specify Vulnerable Assets
- Assign Value or Impact Rating to Assets
- Assess Likelihood for Vulnerabilities
- Calculate Relative Risk Factor for Assets
- Preliminary Review of Possible Controls
- Document Findings.



Anyone auditing a security risk assessment has to check the list below and make sure that every item has an asset ID, an impact rating value, its vulnerabilities, and a risk rating to guide mitigation.
That information must cover people, procedures, data, software, hardware, and networking elements so that assets can be classified and categorized for the organization's risk management program.
The classification worksheet is useful for referring back to the information collected when assessing a value for an asset.
The auditor also needs the weighted factor analysis worksheet, which lists the assets in order of importance.
Another worksheet is the TVA (Threats-Vulnerabilities-Assets) worksheet, which prepares for the addition of vulnerability and control information during risk assessment.
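As an added illustration that is not part of the original post or the course textbook, the following Python sketch builds the two worksheets described above: a weighted factor analysis that ranks assets by importance, and a TVA-style worksheet that assigns each asset/vulnerability pair a relative risk rating. The criteria, weights, asset scores and likelihoods are constructed sample values, and the risk formula (likelihood times asset value, with no mitigation term) is a simplifying assumption.

```python
# Added example, not code from the original post or the course textbook: a small
# risk identification worksheet. Assets are ranked with weighted factor analysis,
# then each asset/vulnerability pair gets a relative risk rating. All criteria,
# weights, scores and likelihoods below are constructed sample values.

CRITERIA = {"revenue": 30, "profitability": 40, "public_image": 30}  # weights sum to 100

ASSETS = {  # asset ID -> (description, {criterion: impact score from 0.1 to 1.0})
    "A01": ("Customer order database", {"revenue": 0.8, "profitability": 0.9, "public_image": 0.5}),
    "A02": ("Public web server", {"revenue": 0.7, "profitability": 0.5, "public_image": 1.0}),
    "A03": ("HR file share", {"revenue": 0.2, "profitability": 0.3, "public_image": 0.6}),
}

# TVA-style rows: (asset ID, vulnerability, assessed likelihood of exploitation 0.1..1.0)
VULNERABILITIES = [
    ("A01", "Unpatched database server", 0.5),
    ("A02", "Missing input validation on web forms", 0.8),
    ("A03", "Share permissions granted to all staff", 0.4),
]

def weighted_score(scores, criteria=CRITERIA):
    """Weighted factor analysis: sum of weight * score, an asset value on a 0..100 scale."""
    if sum(criteria.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    return round(sum(criteria[c] * scores[c] for c in criteria), 1)

def rank_assets(assets=ASSETS):
    """Asset IDs ordered by importance, highest weighted score first."""
    return sorted(assets, key=lambda a: weighted_score(assets[a][1]), reverse=True)

def relative_risk(asset_id, likelihood, assets=ASSETS):
    """Assumed simplified rating: likelihood x asset value (no mitigation or uncertainty term)."""
    return round(likelihood * weighted_score(assets[asset_id][1]), 1)

def risk_worksheet(vulns=VULNERABILITIES, assets=ASSETS):
    """Rows of (asset ID, vulnerability, asset value, likelihood, risk), riskiest first."""
    rows = [(a, v, weighted_score(assets[a][1]), lk, relative_risk(a, lk, assets))
            for a, v, lk in vulns]
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    print("Assets by importance:", rank_assets())
    for asset_id, vuln, value, likelihood, risk in risk_worksheet():
        print(f"{asset_id} {vuln:<40} value={value:5.1f} likelihood={likelihood:.1f} risk={risk:5.1f}")
```

Note that the most valuable asset (A01) is not the riskiest row: the web server's higher likelihood outweighs its slightly lower value, which is why the worksheet ranks vulnerabilities rather than assets alone.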







Reference.
Risk Assessment, http://www.ready.gov/risk-assessment


Saturday, January 25, 2014

Week 7 Security Architecture Models

Week 7 Blog.
Security Architecture Models.
Security architecture models illustrate information security implementations and can help organizations quickly make improvements through adaptation.
Some models are implemented in computer hardware and software, some are implemented as policies and practices, and some are implemented in both.
Some models focus on the confidentiality of information, while others focus on the integrity of the information as it is being processed.
Bell-LaPadula Confidentiality Model.
The BLP confidentiality model is a state machine model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances. A system that serves as a reference monitor compares the classification level of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification.
Biba Integrity Model.
The Biba integrity model is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls that ensure objects or subjects cannot lose integrity as a result of read/write operations.
Clark-Wilson Integrity Model.
The Clark-Wilson integrity model, which is built on principles of change control rather than integrity levels, was designed for the commercial environment. The change control principles on which it operates are: no changes by unauthorized subjects, no unauthorized changes by authorized subjects, and the maintenance of internal and external consistency.
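To make the two lattice-based models concrete, here is an added example (not code from the original post or the textbook) of a toy reference monitor that mediates each read or write request with the Bell-LaPadula rules for confidentiality and the Biba rules for integrity, and logs every decision. The level names, the subject and the objects are constructed sample data.

```python
# Added example, not code from the original post or the textbook: a toy reference
# monitor that mediates each request with the Bell-LaPadula confidentiality rules
# and the Biba integrity rules over linearly ordered levels. The level names,
# subject and objects below are constructed sample data.

CONFIDENTIALITY = ["unclassified", "confidential", "secret", "top_secret"]
INTEGRITY = ["untrusted", "user", "system"]

def blp_allows(clearance, classification, mode):
    """Bell-LaPadula: no read up (simple security) and no write down (*-property)."""
    s, o = CONFIDENTIALITY.index(clearance), CONFIDENTIALITY.index(classification)
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown access mode {mode!r}")

def biba_allows(subject_level, object_level, mode):
    """Biba (strict integrity): no read down (simple integrity) and no write up (*-integrity)."""
    s, o = INTEGRITY.index(subject_level), INTEGRITY.index(object_level)
    if mode == "read":
        return s <= o
    if mode == "write":
        return s >= o
    raise ValueError(f"unknown access mode {mode!r}")

def check_access(subject, obj, mode, log):
    """Reference monitor decision: both models must agree, and every decision is logged."""
    allowed = (blp_allows(subject["clearance"], obj["classification"], mode)
               and biba_allows(subject["integrity"], obj["integrity"], mode))
    log.append((subject["name"], mode, obj["name"], "ALLOW" if allowed else "DENY"))
    return allowed

ANALYST = {"name": "analyst", "clearance": "secret", "integrity": "user"}
OBJECTS = {
    "ops_report": {"name": "ops_report", "classification": "confidential", "integrity": "user"},
    "strategy_memo": {"name": "strategy_memo", "classification": "top_secret", "integrity": "user"},
    "audit_log": {"name": "audit_log", "classification": "top_secret", "integrity": "system"},
    "firmware_image": {"name": "firmware_image", "classification": "unclassified", "integrity": "system"},
}

if __name__ == "__main__":
    audit = []
    for obj_name, mode in [("ops_report", "read"), ("strategy_memo", "read"),
                           ("ops_report", "write"), ("audit_log", "write")]:
        check_access(ANALYST, OBJECTS[obj_name], mode, audit)
    print(*audit, sep="\n")
```

The audit_log case shows why the two models are layered: BLP permits a secret-cleared subject to write upward into a top_secret object, but Biba refuses because a user-integrity subject would be writing into a system-integrity object.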
Graham-Denning Access Control Model.
The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights. The subjects are composed of two things: a process and a domain. The domain is the set of constraints controlling how subjects may access objects. The set of rights governs how subjects may manipulate the passive objects.

Harrison-Ruzzo-Ullman Model.
The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not.

Brewer-Nash Model (Chinese Wall).
The Brewer-Nash model, commonly known as the Chinese Wall, is designed to prevent a conflict of interest between two parties. Imagine that a law firm represents two individuals who are involved in a car accident. One sues the other, and the firm has to represent both. To prevent a conflict of interest, the individual attorneys should not be able to access the private information of both litigants.
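The distinctive feature of the Chinese Wall is that access rights depend on the subject's own history, not on fixed labels. As an added example (not code from the original post or the textbook), the Python class below applies the read rule to the law-firm scenario: once an attorney has read one litigant's file in a conflict-of-interest class, every other litigant in that class is closed off, while unrelated matters stay open. The attorneys, litigants and class names are constructed sample data.

```python
# Added example, not code from the original post or the textbook: the Brewer-Nash
# (Chinese Wall) read rule applied to the law-firm scenario. Attorneys, litigants
# and conflict-of-interest classes are constructed sample data.

# dataset -> (company/litigant it belongs to, conflict-of-interest class)
DATASETS = {
    "driver_a_file": ("Litigant A", "accident_suit"),
    "driver_b_file": ("Litigant B", "accident_suit"),   # A's opponent: same class
    "landlord_file": ("Landlord Co", "tenancy_dispute"),  # unrelated matter
}

class ChineseWall:
    """Access history decides: the first company an attorney touches within a
    conflict-of-interest class closes off every other company in that class."""

    def __init__(self, datasets):
        self.datasets = datasets
        self.history = {}  # attorney -> set of (company, coi_class) already read

    def can_read(self, attorney, dataset):
        company, coi_class = self.datasets[dataset]
        for seen_company, seen_class in self.history.get(attorney, set()):
            if seen_class == coi_class and seen_company != company:
                return False  # a rival in the same conflict-of-interest class
        return True

    def read(self, attorney, dataset):
        """Mediate a read; on success record it so later requests are constrained."""
        if not self.can_read(attorney, dataset):
            return False
        self.history.setdefault(attorney, set()).add(self.datasets[dataset])
        return True

if __name__ == "__main__":
    wall = ChineseWall(DATASETS)
    for attorney, dataset in [("alice", "driver_a_file"), ("alice", "driver_b_file"),
                              ("alice", "landlord_file"), ("bob", "driver_b_file")]:
        print(attorney, dataset, "ALLOW" if wall.read(attorney, dataset) else "DENY")
```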

Reference.


Michael E. Whitman & Herbert J. Mattord, "Management of Information Security", 3e (2010), Boston, Course Technology, Cengage Learning.


Thursday, January 16, 2014

Week 6 Blog: Security Education, Training, and Awareness.

Week 6 Blog
Blogging is fun, right?! This week you can talk about Security Education, Training, and Awareness if you'd like.


Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely. Information security management can develop customized in-house training or outsource all or part of the training program.

Alternatively, organizations can subsidize or underwrite industry training conferences and programs offered through professional agencies such as SANS (www.sans.org), ISC2 (www.isc2.org), ISSA (www.issa.org), and CSI (www.gocsi.com). Many of these programs are too technical for the average employee, but they may be ideal for the continuing education requirements of information security professionals.

A number of resources can help organizations put together SETA programs. The Computer Security Resource Center at NIST, for example, provides several very useful documents free of charge in its special publications area (http://csrc.nist.gov).

Training for General Users: General users require training on the technical details of how to do their jobs securely, including good security practices, password management, specialized access controls, and violation reporting.

Training for Managerial Users: This is another area in which a champion can exert influence. Support at the executive level can convince managers to attend training events, which in turn reinforces the entire training program.

Training for Technical Users: This training may use consultants or outside training organizations. There are three methods for selecting or developing advanced technical training:
- By job category, for example, technical users versus managers.
- By job function, for example, accounting versus marketing versus operations functional areas.
- By technology product, for example, e-mail client or database.

Implementing Training.
Step 1: Identify program scope, goals, and objectives.
Step 2: Identify training staff.
Step 3: Identify target audiences.
Step 4: Motivate management and employees.
Step 5: Administer the program.
Step 6: Maintain the program.
Step 7: Evaluate the program.

Identify Target Audiences.
- By level of awareness: Separating individuals into groups according to level of awareness may require research to determine how well employees follow computer security procedures or understand how computer security fits into their jobs.
- By general job task or function: Individuals may be grouped as data providers, data processors, or data users.
- By specific job category: Many organizations assign individuals to job categories.
- By level of computer knowledge: Computer experts may find a program containing highly technical information more valuable than one covering management, technology management, applications development, and security.
- By types of technology or systems used: Security techniques used for each off-the-shelf product or application system usually vary.


Reference.
Michael E. Whitman & Herbert J. Mattord, "Management of Information Security", 3e (2010), Boston, Course Technology, Cengage Learning.

Wednesday, January 15, 2014

We have to prepare a disaster plan, but what about Doomsday?

The iconic Doomsday Clock remains poised at five minutes until midnight, the Science and Security Board of the Bulletin of Atomic Scientists announced today (Jan. 14).
The clock is no doomsday device — rather, it's a visual metaphor for the danger of a "civilization-threatening technological catastrophe." Every year, the board analyzes international threats, particularly nuclear arsenals and climate change, and decides where the minute hand on the Doomsday Clock should rest. The closer it is to midnight, the closer the world is to doom.
"As always, new technologies hold the promise of doing great good, supplying new sources of clean energy, curing disease, and otherwise enhancing our lives. From experience, however, we also know that new technologies can be used to diminish humanity and destroy societies," the board wrote. "We can manage our technology, or become victims of it. The choice is ours, and the Clock is ticking."
It's the end of the world as we know it
The Doomsday Clock is the invention of the Bulletin of Atomic Scientists, a publication started by some of the researchers who worked on the atomic bomb. The wife of one of these researchers, Martyl Langsdorf, was a painter. In 1947, she illustrated the first Bulletin cover to feature the Doomsday Clock — set at that point at 11:53 p.m.
Langsdorf died in March 2013, but her creation lives on. In January 2012, the Bulletin's board set the minute hand of the clock at 11:55 p.m., one minute closer to midnight than the previous year. The decision was made based on the current state of nuclear arsenals around the globe as well as accidents such as the Fukushima nuclear meltdown that occurred in 2011 after a major earthquake and tsunami in Japan. Biosecurity is also taken into account, with the creation of an airborne strain of H5N1 flu worrying scientists in 2012.
This year, the board chose not to ease up on their warnings of doomsday, because of stalled relations between the United States and Russia, two countries with massive nuclear arsenals. After Russia offered political asylum to former National Security Agency contractor Edward Snowden, who leaked classified documents about U.S. surveillance, President Barack Obama cancelled a summit with Russia's Vladimir Putin, meaning there has been little to no progress on plans to shrink nuclear arsenals, according to the Bulletin. Meanwhile, efforts to combat climate change are struggling as well, the Bulletin board warned. The United States, European Union and Australia all show wavering commitment to renewable energy, and Japan has backed off promises to voluntarily reduce greenhouse gas emissions.
Hope for humanity?
The Bulletin board listed some steps humanity should take to secure its future, including demanding that the United States and Russia reopen dialogues on nuclear weapons. The board also urged political leadership on climate change and advocated for new rules to manage leaps forward in information technology.
The closest the Doomsday Clock has ever come to midnight was in 1953, when the minute hand ticked to 11:58 p.m. after the first test of the hydrogen bomb. It was at its most optimistic in 1991, when the Bulletin board set the time at 17 minutes to midnight as the Cold War ended.
Since 1991, however, the clock has been ticking gradually toward doom, as it became clear that total nuclear disarmament would not be happening.
Original article by Stephanie Pappas on LiveScience.
Copyright 2014 LiveScience, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Sunday, January 12, 2014

This is a very interesting post from the FBI.


Credit card scam: In February, 18 individuals were charged for allegedly creating thousands of phony identities to steal at least $200 million in one of the largest credit card fraud schemes ever charged by the federal government.

Saturday, January 11, 2014

Week 5. Post "Information Security Policy"

The creation of a company security policy is stressful for both employees and management.
But the organization needs a standard foundation of rules for controlling its systems.
High-tech information data can easily be lost through an incident, a hacker, or mishandling caused by weak knowledge among internal employees.
When the organization imposes strong penalties for policy violations on its users or audience, that may keep the data safe, but it makes the database or information processing hard to use.

Implementing the security policy.
The organization has to use Issue-Specific Security Policies (ISSPs).
A number of approaches for creating and managing ISSPs are possible.
Three of the most common are described here:
- Create a number of independent ISSP documents, each tailored to a specific issue.
- Create a single comprehensive ISSP document that covers all issues.
- Create a modular ISSP document that unifies policy creation and administration, while maintaining each specific issue’s requirements.
This approach results in a modular document with a standard template for structure and appearance, in which certain aspects are standardized, while others, including much of the content, are customized for each issue.
The end result is several independent ISSP documents, all derived from a common template and physically well managed and easy to use.

End users of the system.
They need an access control list policy.
Access control lists (ACLs) include the user access lists, matrices, and capability tables that govern the rights and privileges of users. ACLs can control access to file storage systems, object brokers, or other network communications devices.
A capability table specifies which subjects and objects users or groups can access.

Reference.
Michael E. Whitman & Herbert J. Mattord, "Management of Information Security", 3e (2010), Boston, Course Technology, Cengage Learning.