ZeePedia buy college essays online


Information Systems

<<< Previous Threat Identification: Types of Threats, Control Analysis, Impact analysis, Occurrence of threat Next >>>
 
img
VU
Information System (CS507)
LESSON 30
Threat Identification
"A threat is some action or event that can lead to a loss."
Various types of threats may exist that could, if they occur result in information assets being exposed,
removed either temporarily or permanently, lost, damaged, destroyed, or used for un-authorized purposes
are identified. Susceptibility to threats, whether logical or physical are a major risk factor for the data base
and information system of an organization. These risks are to be identified and steps that include physical
and logical controls need to be instituted and monitored on a regular basis. Security measures can be
designed only if we know what kind of threats or risks are to be guarded against. Obviously, we would also
have to determine the frequency of the known and the unknown risks or threats.
Threats and risks are usually used synonymously. These are always there and cannot be avoided but should
be managed to minimize losses and maximize returns. Each level of management and each operational
area perceives risk differently and communicates these perceptions in different terms.
29.1 Types of Threats
Physical threat ­ This refers to the damage caused to the physical infrastructure of the information
systems, e.g.
 Fire
 Water
 Energy Variations
 Structural damage
 Pollution
 Intrusion
Logical ­ This refers to damage caused to the software and data without physical presence.
 Viruses and worms
 Logical intrusion
Likelihood of occurrence of Threat:
Having identified the threats, they need to be ranked on the basis of their probability of occurrence.
Sometimes analysis on occurrence of threat is easily available. For example, the insurance company might
be having a study of occurrence of fire incidents in a city for the purposes of fire insurance; however, the
extent of threat resulting from a new virus may not yet have been identified or become known to the users,
etc. In such a situation where no past data or reliable source of probability occurrence is available, users can
be asked to give the best estimate of how frequently the threat is possible to occur. Usually, higher the value
of the information asset identified, higher are the chances for it being susceptible to vulnerability, for
example, an ERP software built up to a high integration level, may need to be provided with high level of
security against potential threats.
29.2 Control Analysis
The goal of this step is to analyze the controls that have been implemented or are planned for
implementation by the organizations to minimize or eliminate the likelihood of occurrence of threat. To
derive an overall likelihood rating that indicates the probability that a potential vulnerability may be
exercised within the construct of the associated threat environment. Security controls encompass the use of
133
img
VU
Information System (CS507)
technical and non-technical methods. Technical methods are safeguards that are incorporated into
computer hardware, software and firmware such as controls mechanisms, identification and authentication
mechanisms, encryption methods, intrusion detection software, etc. Non technical controls are management
and operational controls such as security policies and operational procedures and personnel, physical and
environmental security. The control categories for both technical and non technical control methods can be
further classified as either preventive or detective. These two sub-categories are explained as follows
Preventive controls inhibit attempts to violate security policy and include controls as access control
enforcement, encryption and authentication
Detective controls warn of violations or attempted violations of security policy which include such
controls as audit trails, intrusion detection methods.
Likelihood Determination
To derive an overall likelihood rating that indicates the probability that a potential value may be exercised
within the construct of the associated threat environment, the following governing factors must be
considered.
o  Threat-source motivation and capability
o  Nature of the vulnerability
o  Existence of effectiveness of current controls
29.3 Impact analysis
The next major step in measuring level of risk is to determine the adverse impact resulting into a successful
exercise of vulnerability. Before beginning the impact analysis, it is necessary to obtain the following
necessary information.
 System mission
 System and data criticality
 System and data sensitivity
The information can be obtained from existing organizational documentation, such as the mission impact
analysis report or asset criticality assessment report. A business impact analysis report or asset criticality
assessment report. The adverse impact of a security event can be described in terms of loss or delay of
any or all of the three security goals.
 Loss of integrity: System and data integrity refers to the requirement that information should be
protected from improper modification. Integrity is lost if unauthorized changes are made to the
data or IT system by either intentional or accidental loss of system or data. Violation of integrity
may be the first step in a successful attack against availability or confidentiality. For all these
reasons, loss of integrity reduces assurance of an IT system.
 Loss of availability: If a mission-critical IT system is unavailable to its end user, the organization's
missions may be affected. Loss of system functionality and operational effectiveness.
 Loss of confidentiality: System and data confidentiality refers to the protection of information from
unauthorized disclosure. The impact of unauthorized disclosure of confidential information can
range from the jeopardizing of national security. Unauthorized, unanticipated, or unintentional
disclosure could result in loss of public confidence embarrassment or legal action against the
organization.
29.4 Risk Determination/Exposure Analysis
This phase relates to analyzing how much the information assets are exposed to various threats identified
and thus quantifying the loss caused to the asset through this threat. This phase relates to analysis of both
physical and logical threats and comprises of four steps. Four steps are usually followed while analyzing the
134
img
VU
Information System (CS507)
exposure.
Figure out whether there are any physical or logical controls in place
 Employees are interviewed
 Walk trough's are conducted
How reliable are these controls
 Check whether the firewall stops a virus from entering the organization's system
 Check whether the antivirus installed stops the virus from execution
 We cannot start an earthquake to see if the building can absorb shocks or not
What is the probability that occurrence of threat can be successful against these controls
 Compare assets identified with threats identified to see if controls exists
 Estimate  the  probability  of  occurrence  based  on  past  experience  and
future
apprehensions/expectations
How much loss can occur due to the threat being successful
 scenarios are written to see how an identified potential threat can compromise control
Risk identification is often confused with risk mitigation. Risk mitigation is a process that takes place after
the process of risk assessment has been completed. Let's take a look at various risk mitigation options.
Risk assumption: To accept the potential risk and continue operating the IT system or to
implement controls to lower the risk to an acceptable level.
Risk Avoidance: To avoid the risk by eliminating the risk cause and e.g. forgo certain functions of
the system or shut down the system when risks are identified.
Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a
threat's exercising a vulnerability e.g. use of supporting preventive and detective controls.
Risk Planning: To manage risk by developing a risk mitigation plant that predicts implements and
maintains controls.
Research and acknowledgement: To lower the risk of loss by acknowledging vulnerability or flaw
and researching controls to correct the vulnerability.
Risk Transference: To transfer the risk by using other options to compensate loss such as
purchasing insurance.
29.5 Occurrence of threat
When a threat occurs, there can be following consequences.
1. Controls against the threat exists
 Controls can help stop the occurrence of the threat.
 Threat occurs but damage is avoided by the controls
 Threat circumvents controls and causes damage
2. Controls against threat do not exist.
 Threat has not yet been identified
 Threat has been identified but the consequent loss is considered as minor
 Threat occurs, whether identified or not and causes damage to the system.
135
img
VU
Information System (CS507)
Threat can cause damage whether controls exist or not.
Cumulative amount of loss can be a major threat to the system. There is no international standard on
acceptable level of losses. Materiality of every loss, howsoever determined by management must be written
and backed up by the approval of those who are in charge of the IT Governance. Review of these matters
will be undertaken when a security audit is done in order to ascertain the comfort level the can draw from
the security policy of the organization.
29.6 Computing Expected Loss
In fourth step of the exposure analysis, the amount of expected loss is computed through following formula
A=BxCxD
1.
A = Expected Loss
2.
B = Chances (in %) of threat occurrence
3.
C = Chances (in %) of Threat being successful
4.
D = Loss which can occur once the threat is successful
Control Adjustment
This phase involves determining whether any controls can be designed, implemented, operated. The cost of
devising controls should not exceed the expected potential benefit being en-cashed and the potential loss
being avoided. The controls that could mitigate or eliminate the identified risk appropriate to the
organization's operations are provided. The goal of the recommended controls is to reduce the level of risk
to the IT system and its data to an acceptable level. Following factors should be considered in
recommending controls and alternative solutions to minimize or eliminate identified risks.
 Effectiveness of recommended options
 Legislation and regulation
 Organizational policy
 Operational Impact
 Safety and reliability
The control recommendations are the results of the risk assessment process and provide the risk mitigation
process during which the recommended procedural and technical security controls are evaluated, prioritized
and implemented.
It should be noted that not all possible recommended controls can be implemented to reach and to
determine which ones are required and appropriate for a specific organization, a cost analysis, should be
conducted for the proposed recommendations of controls to demonstrate that the costs of implementing
the controls can be justified by the reduction in the level of risk. In addition, the operational impact and
feasibility of introducing recommended option should be evaluated carefully during the risk mitigation
process.
The above decision takes into account consideration of following factors:
5. Personal judgment of the situation
6. Any information gained on desired/non-existing controls during the previous phases
7. Seek demands of users for an ideal control environment.
Existing controls should not be totally discarded while adjusting controls. They can either be terminated
totally, due to the threats not being there any more or existence of better controls or modification for
betterment, this phase should consider the security to be cost effective, and integrated.
136
Table of Contents:
  1. Need for information, Sources of Information: Primary, Secondary, Tertiary Sources
  2. Data vs. Information, Information Quality Checklist
  3. Size of the Organization and Information Requirements
  4. Hierarchical organization, Organizational Structure, Culture of the Organization
  5. Elements of Environment: Legal, Economic, Social, Technological, Corporate social responsibility, Ethics
  6. Manual Vs Computerised Information Systems, Emerging Digital Firms
  7. Open-Loop System, Closed Loop System, Open Systems, Closed Systems, Level of Planning
  8. Components of a system, Types of Systems, Attributes of an IS/CBIS
  9. Infrastructure: Transaction Processing System, Management Information System
  10. Support Systems: Office Automation Systems, Decision Support Systems, Types of DSS
  11. Data Mart: Online Analytical Processing (OLAP), Types of Models Used in DSS
  12. Organizational Information Systems, Marketing Information Systems, Key CRM Tasks
  13. Manufacturing Information System, Inventory Sub System, Production Sub System, Quality Sub system
  14. Accounting & Financial Information Systems, Human Resource Information Systems
  15. Decision Making: Types of Problems, Type of Decisions
  16. Phases of decision-making: Intelligence Phase, Design Phase, Choice Phase, Implementation Phase
  17. Planning for System Development: Models Used for and Types of System Development Life-Cycle
  18. Project lifecycle vs. SDLC, Costs of Proposed System, Classic lifecycle Model
  19. Entity Relationship Diagram (ERD), Design of the information flow, data base, User Interface
  20. Incremental Model: Evaluation, Incremental vs. Iterative
  21. Spiral Model: Determine Objectives, Alternatives and Constraints, Prototyping
  22. System Analysis: Systems Analyst, System Design, Designing user interface
  23. System Analysis & Design Methods, Structured Analysis and Design, Flow Chart
  24. Symbols used for flow charts: Good Practices, Data Flow Diagram
  25. Rules for DFDs: Entity Relationship Diagram
  26. Symbols: Object-Orientation, Object Oriented Analysis
  27. Object Oriented Analysis and Design: Object, Classes, Inheritance, Encapsulation, Polymorphism
  28. Critical Success Factors (CSF): CSF vs. Key Performance Indicator, Centralized vs. Distributed Processing
  29. Security of Information System: Security Issues, Objective, Scope, Policy, Program
  30. Threat Identification: Types of Threats, Control Analysis, Impact analysis, Occurrence of threat
  31. Control Adjustment: cost effective Security, Roles & Responsibility, Report Preparation
  32. Physical vs. Logical access, Viruses, Sources of Transmissions, Technical controls
  33. Antivirus software: Scanners, Active monitors, Behavior blockers, Logical intrusion, Best Password practices, Firewall
  34. Types of Controls: Access Controls, Cryptography, Biometrics
  35. Audit trails and logs: Audit trails and types of errors, IS audit, Parameters of IS audit
  36. Risk Management: Phases, focal Point, System Characterization, Vulnerability Assessment
  37. Control Analysis: Likelihood Determination, Impact Analysis, Risk Determination, Results Documentation
  38. Risk Management: Business Continuity Planning, Components, Phases of BCP, Business Impact Analysis (BIA)
  39. Web Security: Passive attacks, Active Attacks, Methods to avoid internet attacks
  40. Internet Security Controls, Firewall Security SystemsIntrusion Detection Systems, Components of IDS, Digital Certificates
  41. Commerce vs. E-Business, Business to Consumer (B2C), Electronic Data Interchange (EDI), E-Government
  42. Supply Chain Management: Integrating systems, Methods, Using SCM Software
  43. Using ERP Software, Evolution of ERP, Business Objectives and IT
  44. ERP & E-commerce, ERP & CRM, ERP Ownership and sponsor ship
  45. Ethics in IS: Threats to Privacy, Electronic Surveillance, Data Profiling, TRIPS, Workplace Monitoring