Lec 6

The document outlines various information security systems policies related to risk management, including business risks, risk assessment, business impact analysis (BIA), and disaster recovery planning (DRP). It distinguishes between public and private organizations in terms of risk management and emphasizes the importance of data classification and handling policies. Additionally, it details the roles and responsibilities of key personnel involved in managing risk and implementing data handling procedures.

Uploaded by kaser7840

Security Policies and Implementation Issues

Lesson 6
Risk Management

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective

• Describe the different information security systems (ISS) policies associated with risk management.
Key Concepts

• Business risks related to information systems
• Risks associated with the selected business model
• Policies specific to risk assessment, business impact analysis (BIA), and business continuity planning (BCP)
• Policies connected with disaster recovery planning (DRP)
• Differences between public and private risk management policies
Purpose of Data Classification
Military Classification Scheme

• The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356
• Top Secret - Data whose unauthorized disclosure could reasonably be expected to cause grave damage to the national security
• Secret - Data whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security
• Confidential - Data whose unauthorized disclosure could reasonably be expected to cause damage to the national security
Military Classification Scheme

• Unclassified data has two classification levels:
• Sensitive but unclassified - Confidential data not subject to release under the Freedom of Information Act
• Unclassified - Data available to the public
Risk Management Policies

• Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
• Public organizations, such as police departments, cannot avoid high risk
• Private organizations can avoid risk through strategic decisions, such as placing their data centers out of storm paths
Risk Management Policies

• The power to choose what risk to accept is the main difference between public and private organizations
Developing a Customized Classification Scheme

• Determine the number of classification levels
• Define each classification level
• Name each classification level
• Align each classification level to specific handling requirements
• Define audit and reporting requirements
Classifying Data
Risk Management Process
Roles and Responsibilities

• Risk Manager
  • Manages risk and creates the BIA
• Auditor
  • Conducts assurance functions relating to data classification policies and assists in the BIA
• Data Owners
  • Own the data; responsible for data creation, access, use, transmission, and the classification process; develop data retention and disposal policies
Roles and Responsibilities (Continued)

• Information Technology (IT) Management
  • Develops the BCP and DRP; works with data owners to determine what data needs to be backed up, based on the data classification process, and how it is stored
• Security Manager
  • Supports the BCP and DRP process; allocates full-time employees (FTEs) to the teams set up to confer on BCP and DRP realities
• Senior Management
  • Supports policy creation functions and the BCP and DRP effort, and allocates funding
Data Handling Policies

• Policies, standards, and procedures must be defined for data during:
• Creation - During creation, data must be classified. That could be as simple as placing the data within a common storage area
• Access - Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD)
• Use - Use of data includes protecting and labeling information properly after it has been accessed
• Transmission - Data must be transmitted in accordance with policies and standards
Data Handling Policies

• Storage - Storage devices for data must be approved. This ensures that access to the device is secured and properly controlled
• Physical Transport - Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked
• Destruction - Destruction of data is sometimes called "disposal." When an asset reaches its end of life, it must be destroyed in a controlled procedure
Database Encryption Attack Scenarios
Data Classification of Volume versus Time to Recover
BIA, BCP, and DRP Policies

• BIA policies - The BIA is used to develop business continuity plans to minimize losses
• BCP policies - The BCP policies outline the guidance for building a plan, such as key assumptions, accountabilities, and frequency of testing
• DRP policies - The policies and documentation needed for an organization to recover its IT assets, such as software, data, and hardware, during a disaster