IS UNIT-2 Notes - 240423 - 090216

The document discusses legal, ethical and professional issues in information security. It covers relevant laws in the US, types of laws, organizational liability, and the need for legal counsel. It also provides an overview of key US laws related to privacy, telecommunications, health records, and financial data protection.


Unit-II Subject: Information Security

UNIT-II

Syllabus:
Legal, Ethical and Professional Issues: Law and ethics in information security,
relevant U.S laws-international laws and legal bodies, Ethics, and information
security.
Risk Management: Overview, Risk Identification, risk assessment, Risk Control
strategies, selecting a risk control strategy, Quantitative versus qualitative risk
control practices, Risk management discussion points, recommended risk control
practices.
Objectives:
1. Describe the functions of and relationships among laws, regulations, and professional organizations in information security.
2. Define risk management, risk identification, and risk control; assess risk based on probability of occurrence and likely impact; and describe the various risk mitigation strategy options.
Outcome: Identify legal, ethical, and professional issues in information security and draft policies for risk management in information security implementations.
LEGAL, ETHICAL, AND PROFESSIONAL ISSUES
As a future information security professional, you must understand the scope of an organization’s legal and ethical responsibilities.
• Information security professionals manage the organization’s liability for privacy and security risks.
• To minimize liability, reduce risks from electronic and physical threats, and reduce losses from legal action, information security practitioners must have a good knowledge of the current legal environment, laws, and regulations, and must watch for new and emerging issues.
• They must also educate management and employees on their legal and ethical obligations and on the proper use of information technology and information security.

Law and Ethics in Information Security


Rules designed by the members of a society to balance the individual’s rights and self-determination against the needs of the society as a whole are called laws.
Laws: Rules that mandate or prohibit certain behaviour.
• Laws are drawn from ethics.
• Laws carry the authority of a governing body.
Ethics: Define socially acceptable behaviour.
• Ethics are based on cultural mores: the fixed moral attitudes or customs of a particular group.
• Some ethical standards are universal.
Even when there is no breach of criminal law, an organization can still be held liable if it does not demand or encourage strong ethical behaviour from its employees, or if it does not itself behave ethically.
The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics, in turn, are based on cultural mores.

Dept. of CSE, MEC 2022-2023



Organizational Liability and the Need for Counsel


Liability is the legal obligation of an entity that extends beyond criminal or contract law. It includes the legal obligation to make restitution, or to compensate for wrongs committed.
So, if an employee (with or without the authorization of the employer) performs an illegal or unethical act that causes some degree of harm, the employer can be held financially liable for that action.
An organization increases its liability if it refuses to take the countermeasures known as due care.
Due care: A standard achieved by an organization when it makes sure that every employee knows what is acceptable or unacceptable behaviour and knows the consequences of illegal or unethical actions.
Due diligence: Requires that an organization make a valid effort to protect others and continually maintain this level of effort.

Types of Law
➢ Civil law
➢ Criminal law
➢ Tort law
➢ Private law
➢ Public law

Relevant U.S. Laws – General


➢ Computer Fraud and Abuse Act of 1986
➢ National Information Infrastructure Protection Act of 1996
➢ USA Patriot Act of 2001
➢ Telecommunications Deregulation and Competition Act of 1996
➢ Communications Decency Act (CDA)
➢ Computer Security Act of 1987
Privacy
➢ The issue of privacy has become one of the hottest topics in information
➢ The ability to collect information on an individual, combine facts from separate
sources, and merge it with other information has resulted in databases of
information that were previously impossible to set up
➢ The aggregation of data from multiple sources permits unethical organizations
to build databases of facts with frightening capabilities

Privacy of Customer Information


➢ Privacy of Customer Information Section of Common Carrier Regulations
➢ Federal Privacy Act of 1974
➢ The Electronic Communications Privacy Act of 1986
➢ The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act
➢ The Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999


Act | Subject | Date | Description
Communications Act of 1934, updated by Telecommunications Deregulation & Competition Act | Telecommunications | 1934 | Regulates interstate and foreign telecommunications.
Computer Fraud & Abuse Act | Threats to computers | 1986 | Defines and formalizes laws to counter threats from computer-related acts and offenses.
Computer Security Act of 1987 | Federal agency information security | 1987 | Requires all federal computer systems that contain classified information to have surety plans in place and requires periodic security training for all individuals who operate, design, or manage such systems.
Economic Espionage Act of 1996 | Trade secrets | 1996 | Designed to prevent abuse of information gained by an individual working in one company and employed by another.
Electronic Communications Privacy Act of 1986 | Cryptography | 1986 | Also referred to as the Federal Wiretapping Act; regulates interception and disclosure of electronic information.
Federal Privacy Act of 1974 | Privacy | 1974 | Governs federal agency use of personal information.
Gramm-Leach-Bliley Act of 1999 | Banking | 1999 | Focuses on facilitating affiliation among banks, insurance, and securities firms; it has significant impact on the privacy of personal information used by these industries.
Health Insurance Portability and Accountability Act | Health care privacy | 1996 | Regulates collection, storage, and transmission of sensitive personal health care information.
National Information Infrastructure Protection Act of 1996 | Criminal intent | 1996 | Categorized crimes based on the defendant’s authority to access a computer and criminal intent.
Sarbanes-Oxley Act of 2002 | Financial reporting | 2002 | Affects how public organizations and accounting firms deal with corporate governance, financial disclosure, and the practice of public accounting.
Security and Freedom through Encryption Act of 1999 | Use and sale of software that uses or enables encryption | 1999 | Clarifies use of encryption for people in the United States, permits all persons in the U.S. to buy or sell any encryption product, and states that the government cannot require the use of any kind of key escrow system for encryption products.
U.S.A. Patriot Act of 2001 | Terrorism | 2001 | Defines stiffer penalties for prosecution of terrorist crimes.

Export and Espionage Laws


➢ Economic Espionage Act (EEA) of 1996
➢ Security and Freedom Through Encryption Act of 1997 (SAFE)

US Copyright Law

➢ Intellectual property is recognized as a protected asset in the US.
➢ US copyright law extends this right to the published word, including electronic formats.
➢ Fair use of copyrighted materials includes:
- the use to support news reporting, teaching, scholarship, and a number of other related permissions
- the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive

Freedom of Information Act of 1966 (FOIA)


The Freedom of Information Act provides any person with the right to request access to federal agency records or information not determined to be of national security.
- US Government agencies are required to disclose any requested information on receipt of a written request.
There are exceptions for information that is protected from disclosure, and the Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.

State & Local Regulations


In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations.
It is the responsibility of the information security professional to understand state laws and regulations and to ensure that the organization’s security policies and procedures comply with those laws and regulations.

International Laws and Legal Bodies

• Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed
o to create an international task force to oversee a range of security functions associated with Internet activities,
o to standardize technology laws across international borders.
• It also attempts to improve the effectiveness of international investigations into breaches of technology law.
• This convention is well received by advocates of intellectual property rights, with its emphasis on copyright infringement prosecution.

Digital Millennium Copyright Act (DMCA)
• The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement.
• The European Union Directive 95/46/EC increases protection of individuals with regard to the processing of personal data and limits the free movement of such data.
• The United Kingdom has already implemented a version of this directive called the Database Right.
United Nations Charter
• To some degree, the United Nations Charter makes provisions for information security during information warfare.
• Information Warfare (IW) involves the use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state.
• IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades: jamming, intercepting, and spoofing enemy communications.
Policy Versus Law
• Most organizations develop and formalize a body of expectations called policy. Policies function in an organization like laws.
• Policies: a body of expectations that describe acceptable and unacceptable employee behaviours in the workplace.
• Because policies function as laws within an organization, they must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone.
• Difference between policy and law: ignorance of a policy is an acceptable defense.

Policy vs Law
In an organization, information security professionals maintain security by establishing and enforcing policies.
• Policies describe acceptable and unacceptable behaviour of employees in the workplace.
• These policies function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance.
So, policies must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace.

To be enforceable, a policy must meet the following criteria:
• Dissemination (distribution)
• Review (reading)
• Comprehension (understanding)
• Compliance (agreement)
• Uniform enforcement
Only when all these conditions are met can an organization penalize employees who violate the policy without fear of legal retribution.

For a policy to become enforceable, it must satisfy each of the following:


➢ Dissemination (distribution): The organization must be able to demonstrate
that the relevant policy has been made readily available for review by the
employee. Common dissemination techniques include hard copy and electronic
distribution.
➢ Review (reading): The organization must be able to demonstrate that it
disseminated the document in an intelligible form, including versions for
illiterate, non-English reading, and reading-impaired employees. Common
techniques include recordings of the policy in English and alternate languages.
➢ Comprehension (understanding): The organization must be able to
demonstrate that the employee understood the requirements and content of
the policy. Common techniques include quizzes and other assessments.
➢ Compliance (agreement): The organization must be able to demonstrate that
the employee agreed to comply with the policy through act or affirmation.
Common techniques include logon banners, which require a specific action
(mouse click or keystroke) to acknowledge agreement, or a signed document
clearly indicating the employee has read, understood, and agreed to comply
with the policy.
➢ Uniform enforcement: The organization must be able to demonstrate that the
policy has been uniformly enforced, regardless of employee status or
assignment.

Only when all conditions are met, does the organization have a reasonable
expectation of effective policy.

Ethical Concepts in Information Security

Professional associations, such as the Association for Computing Machinery (ACM) and the Information Systems Security Association, and certification agencies, such as the International Information Systems Security Certification Consortium, Inc., or (ISC)2, work to establish the profession’s ethical codes of conduct for the information security field.

The Ten Commandments of Computer Ethics: From The Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or
proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or
the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect
for your fellow humans.

Cultural Differences in Ethical Concepts


• Differences in cultures cause problems in determining what is ethical and what
is not ethical
• Studies of ethical sensitivity to computer use reveal different nationalities have
different perspectives
• Difficulties arise when one nationality’s ethical behavior contradicts that of
another national group
Ethics and Education
• Employees must be trained and kept aware of a number of topics related to
information security, not the least of which is the expected behaviors of an
ethical employee
• This is especially important in areas of information security, as many
employees may not have the formal technical training to understand that their
behavior is unethical or even illegal
• Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user.

Deterrence to Unethical and Illegal Behavior


Deterrence: preventing an illegal or unethical activity.
There are three general causes of unethical and illegal behaviour:
Ignorance: It is an excuse. The first method of deterrence is education, accomplished by designing, publishing, and disseminating organization policies and relevant laws, and obtaining agreement to comply with these policies and laws from all members of the organization.
Accident: Individuals with authorization and privileges are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
Intent: Criminal or unethical intent is a state of mind. It is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those who intend to do harm or damage is best accomplished by means of technical controls, and by vigorous litigation or prosecution if these controls fail.
Whatever the cause of illegal, immoral, or unethical behaviour, it is the responsibility of information security personnel to do everything in their power to deter these acts and to use policy, education and training, and technology to protect information and systems.

Laws, policies, and technical controls are all examples of deterrents. Laws and policies only deter if three conditions are present:
- Fear of penalty
- Probability of being caught
- Probability of penalty being administered

RISK MANAGEMENT
Definition: The formal process of identifying and controlling the risks facing an organization is called risk management. Risk itself is the probability of an undesired event causing damage to an asset.

There are three steps:
1. Risk Identification: the process of examining and documenting the security posture of an organization’s information technology and the risks it faces.
2. Risk Assessment: the documentation of the results of risk identification.
3. Risk Control: the process of applying controls to reduce the risks to an organization’s data and information systems.
To keep up with the competition, organizations must design and create safe environments in which business processes and procedures can function.

These environments must maintain confidentiality and privacy and assure the integrity of organizational data, objectives that are met through the application of the principles of risk management.

Components of Risk Management

An Overview of Risk Management

Over 2,400 years ago, Chinese general Sun Tzu said:
1. “If you know the enemy and know yourself, you need not fear the result of a hundred battles.
2. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
3. If you know neither the enemy nor yourself, you will succumb in every battle.”

Know Yourself
Identify, examine, and understand the information systems.
To protect assets, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible.

The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.

Know the Enemy
Identify, examine, and understand the threats facing the organization.

The Roles of the Communities of Interest


It is the responsibility of each community of interest to manage the risks that the organization encounters.
Information Security project team
Understands the threats and attacks that introduce risk into the organization and takes a leadership role in addressing risk.

Management & Users
Management must ensure that sufficient resources are allocated to the information security and information technology groups to meet the security needs of the organization. Users work with the systems and the data and are therefore well positioned to understand the value of the information assets.
Information Technology
Must build secure systems and operate them safely. The IT community must serve the information technology needs of the entire organization.

Because members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk. Management and users, when properly trained and kept aware of the threats the organization faces, help in the early detection and response process. All the communities must work together to address all levels of risk.

Communities of interest are responsible for:


• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Ensuring that the controls remain effective

Important risk factors of information security are:

1. Understanding the threats and attacks that introduce risk into the organization.
2. Taking an asset inventory.
3. Verifying the threats and vulnerabilities that have been identified as dangerous to the asset inventory, as well as the current controls and mitigation strategies.
4. Reviewing the cost effectiveness of various risk control measures.

RISK IDENTIFICATION
➢ A risk management strategy requires that information security professionals
must identify, classify, and prioritize their organizations’ information assets.
➢ Assets are the targets of various threats and threat agents, and the goal is to
protect the assets from the threats.
➢ Once the organizational assets have been identified, a threat identification
process is undertaken.
➢ The circumstances and settings of each information asset are examined to
identify vulnerabilities.
➢ When vulnerabilities are found, controls are identified and assessed as to their
capability to limit possible losses in the eventuality of attack.

The process of risk identification begins with the identification of the organization’s information assets and an assessment of their value. The components of this process are shown in the figure below.

Asset identification and valuation includes all the elements of an organization’s system, such as people, procedures, data and information, software, hardware, and networking elements. Then you classify and categorize the assets by adding the details of each asset.

Categorizing the components of an information system (table below):

Traditional System Components | SecSDLC and Risk Management System Components | Risk Management Components
People | Employees | Trusted employees; Other staff
People | Non-employees | People at trusted organizations; Strangers
Procedures | Procedures | IT and business standard procedures; IT and business sensitive procedures
Data | Information | Transmission; Processing; Storage
Software | Software | Operating systems; Applications; Security components
Hardware & Networking | System devices and peripherals | Systems and peripherals; Security devices
Hardware & Networking | Networking components | Intranet components; Internet and DMZ components


People include employees and nonemployees. There are two categories of employees:
those who hold trusted roles and have correspondingly greater authority and
accountability, and other staff who have assignments without special privileges.
Nonemployees include contractors and consultants, members of other organizations
with which the organization has a trust relationship, and strangers.

Procedures fall into two categories: IT and business standard procedures, and IT and
business sensitive procedures. The business sensitive procedures are those that may
assist a threat agent in crafting an attack against the organization or that have some
other content or feature that may introduce risk to the organization.

Data Components have been expanded to account for the management of information
in all stages: Transmission, Processing, and Storage.

Software components can be assigned to one of three categories: applications, operating systems, or security components. Software components that provide security controls may span the range of operating systems and applications categories, but are differentiated by the fact that they are part of the information security control environment and must be protected more thoroughly than other system components.

Hardware is assigned to one of two categories: the usual systems devices and their
peripherals, and the devices that are part of information security control systems.
The latter must be protected more thoroughly than the former.

People, Procedures, and Data Asset Identification

Identifying human resources, documentation, and data assets is more difficult than identifying hardware and software assets.

People: Position name/number/ID; supervisor; security clearance level; special skills.
Procedures: Description/intended purpose/relationship to software/hardware and networking elements; storage location for update; storage location for reference.
Data: Classification; owner; creator; manager; size of data structure; data structure used; online/offline/location/backup procedures employed.

Hardware, Software, and Network Asset Identification


Which attributes to record depends on the needs of the organization and its risk management efforts.
Name: Adopt naming standards that do not convey information to potential system attackers.
IP address: Useful for network devices and servers. Many organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset identification process problematic. IP address use in inventory is usually limited to those devices that use static IP addresses.
Media Access Control (MAC) address: Electronic serial numbers or hardware addresses. All network interface hardware devices have a unique number. The MAC address is used by the network operating system as a means to identify a specific network device. It is used by the client’s network software to recognize traffic that it must process.

Element Type: Document the function of each element by listing its type. For hardware, use a list of possible element types, such as servers, desktops, networking devices, or test equipment.
One server might be listed as
- Device class = S (Server)
- Device OS = W2K (Windows 2000)
- Device Capacity = AS (Advanced Server)

Serial Number: For hardware devices, the serial number can uniquely identify a
specific device.

Manufacturer Name: Record the manufacturer of the device or software component. This can be useful when responding to incidents that involve these devices or when certain manufacturers announce specific vulnerabilities.

Manufacturer’s Model No or Part No: Record the model or part number of the element.
This record of exactly what the element is can be very useful in later analysis of
vulnerabilities because some vulnerability instances only apply to specific models of
certain devices and software components.

Software Version, Update revision, or FCO number: Document the specific software
or firmware revision number and, for hardware devices, the current field change order
(FCO) number. An FCO is an authorization issued by an organization for the repair,
modification, or update of a piece of equipment. Documenting the revision number
and FCO is particularly important for networking devices that function mainly
through the software running on them. For example, firewall devices often have three versions: an operating system (OS) version, a software version, and a basic input/output system (BIOS) firmware version.

Physical Location: Note where this element is located physically (hardware).
Logical Location: Note where this element can be found on the organization’s network. The logical location is most useful for networking devices and indicates the logical network where the device is connected.
Controlling Entity: Identify which organizational unit controls the element.

Automated Asset Inventory Tools


Automated tools can identify the system elements that make up the hardware, software, and network components. Many organizations use automated asset inventory systems. The inventory listing is usually available in a database. Once stored, the inventory listing must be kept current, often by means of a tool that periodically refreshes the data.

Information Asset Classification

In addition to the categories, it is advisable to add another dimension to represent the sensitivity and security priority of the data and of the devices that store, transmit, and process the data.
For example, kinds of classifications are confidential data, internal data, and public data.

Information Asset Valuation


As each asset is assigned to its category, posing a number of questions assists in developing the weighting criteria to be used for information asset valuation or impact evaluation. Before beginning the inventory process, the organization should determine which criteria can best be used to establish the value of the information assets. Among the criteria to be considered are:

• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the most profitability?
• Which information asset would be the most expensive to replace?
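As an added example (not part of these notes), the following Python script records a hardware asset with the identification attributes listed above, flags inventory-quality problems (a name that reveals the asset's role, an IP address stored for a DHCP-assigned device, a malformed MAC address, a missing serial number), and ranks information assets with the four valuation questions as a weighted score. The criteria weights, the list of revealing words, the device-class codes beyond "S", and all sample assets are assumed values constructed for the example.

```python
"""Asset inventory record and weighted information-asset valuation.
Added example for these notes; weights, word list and sample data are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Element-type codes follow the notes' example entry (class S, OS W2K, capacity AS);
# the other class codes are assumed.
DEVICE_CLASSES = {"S": "Server", "D": "Desktop", "N": "Networking device", "T": "Test equipment"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Assumed naming rule: words that would tell an attacker what the asset does.
REVEALING_WORDS = ("payroll", "finance", "backup", "admin", "secret")


@dataclass
class HardwareAsset:
    """One inventory row with the attributes the notes list for hardware."""
    name: str
    device_class: str           # e.g. "S"
    device_os: str              # e.g. "W2K"
    device_capacity: str        # e.g. "AS"
    serial_number: str
    manufacturer: str
    model: str
    software_version: str
    fco_number: str
    physical_location: str
    logical_location: str
    controlling_entity: str
    mac_address: str
    static_ip: bool = False
    ip_address: Optional[str] = None   # meaningful only when static_ip is True


def inventory_problems(asset: HardwareAsset) -> List[str]:
    """Return the record-quality problems found for one asset (empty list = clean)."""
    problems = []
    if any(word in asset.name.lower() for word in REVEALING_WORDS):
        problems.append("name conveys role information to potential attackers")
    if asset.device_class not in DEVICE_CLASSES:
        problems.append(f"unknown device class {asset.device_class!r}")
    if not MAC_RE.match(asset.mac_address):
        problems.append("MAC address is not a valid hardware address")
    if asset.ip_address and not asset.static_ip:
        problems.append("IP address recorded for a DHCP-assigned device; it will drift")
    if not asset.serial_number:
        problems.append("serial number missing; device cannot be uniquely identified")
    return problems


# Weighted factor analysis over the four valuation questions in the notes.
# Weights sum to 100 and are assumed for illustration.
CRITERIA_WEIGHTS = {
    "criticality": 40,    # most critical to the success of the organization
    "revenue": 25,        # generates the most revenue
    "profitability": 20,  # generates the most profitability
    "replacement": 15,    # most expensive to replace
}


def weighted_score(ratings: Dict[str, float]) -> float:
    """Combine 0.0..1.0 ratings per criterion into a 0..100 weighted value."""
    missing = set(CRITERIA_WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for {sorted(missing)}")
    for criterion, rating in ratings.items():
        if criterion not in CRITERIA_WEIGHTS or not 0.0 <= rating <= 1.0:
            raise ValueError(f"bad rating {criterion}={rating}")
    return round(sum(CRITERIA_WEIGHTS[c] * ratings[c] for c in CRITERIA_WEIGHTS), 2)


def rank_assets(assets: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Order information assets from most to least valuable."""
    scored = [(name, weighted_score(r)) for name, r in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data for the example.
SAMPLE_ASSETS = {
    "Customer order database": {"criticality": 1.0, "revenue": 0.9, "profitability": 0.8, "replacement": 0.7},
    "Public web site": {"criticality": 0.5, "revenue": 0.3, "profitability": 0.2, "replacement": 0.3},
    "Internal wiki": {"criticality": 0.3, "revenue": 0.0, "profitability": 0.1, "replacement": 0.2},
}


def sample_server() -> HardwareAsset:
    """A clean example record (constructed values)."""
    return HardwareAsset(
        name="srv-0142", device_class="S", device_os="W2K", device_capacity="AS",
        serial_number="SN-EXAMPLE-0001", manufacturer="ExampleCo", model="X100",
        software_version="4.2.1", fco_number="FCO-17", physical_location="Room 3B rack 2",
        logical_location="server VLAN 10.0.10.0/24", controlling_entity="IT Operations",
        mac_address="00:11:22:33:44:55", static_ip=True, ip_address="10.0.10.5",
    )


if __name__ == "__main__":
    print("problems:", inventory_problems(sample_server()) or "none")
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.1f}  {name}")
```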

Sample Inventory Worksheet

Data Classification and Management: The typical information classification scheme has three categories: confidential, internal, and external. Information owners are responsible for classifying the information assets for which they are responsible.

Confidential: Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract.
Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by authorized contractors and other third parties.
External: All information that has been approved by management for public release.

The military uses a five-level classification scheme:

1. Unclassified data
2. Sensitive but Unclassified data (SBU)
3. Confidential data
4. Secret data
5. Top Secret data

1. Unclassified data: Information that can generally be distributed to the public without any threat to U.S. national interests.
2. Sensitive but Unclassified data (SBU): Any information of which the loss, misuse, unauthorized access to, or modification of might adversely affect U.S. national interests, the conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.
3. Confidential data: Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
4. Secret data: Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
5. Top Secret data: Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.

An organization may have:
1. Research data
2. Personnel data
3. Customer data
4. General internal communications

Some organizations may use:
1. Public data
2. For Official Use Only data
3. Sensitive data
4. Classified data

Public: Information for general public dissemination, such as an advertisement or
public release.
For Official Use Only: Information that is not particularly sensitive, but not for
public release, such as internal communications.
Sensitive: Information important to the business that could embarrass the company
or cause loss of market share if revealed.
Classified: Information of the utmost secrecy to the organization, disclosure of which
could severely impact the well-being of the organization.


Security Clearances
The other side of the data classification scheme is the personnel security clearance
structure.
Each user of data must be assigned a single authorization level that indicates the
level of classification he or she is authorized to view, e.g., data entry clerk,
development programmer, information security analyst, or even CIO.
Most organizations have a set of roles and the accompanying security clearances
associated with each role.
Overriding an employee’s security clearance is the fundamental principle of
“need-to-know”: holding a clearance at a given level does not by itself entitle a
user to every item classified at that level.
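As an added illustration (this is not code from the notes), the following Python function applies the two rules just described: a user's single clearance level must dominate the document's classification, and need-to-know must still be satisfied. The level names are the five military classifications listed above; the role-to-clearance table and the compartment tags are constructed for the example.

```python
# Added example: clearance-plus-need-to-know read check.
# The level names are the five military classifications from the notes;
# the role-to-clearance table and the compartment tags are constructed.

# Ordered lowest to highest; the index is the level's rank.
LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed role table: each role carries exactly one clearance level.
ROLE_CLEARANCE = {
    "data entry clerk": "SBU",
    "development programmer": "Confidential",
    "information security analyst": "Secret",
    "CIO": "Top Secret",
}


def may_view(clearance, classification, user_compartments=(), doc_compartments=()):
    """Return True if a user holding `clearance` may read a document
    classified at `classification`.

    Two conditions must both hold:
      1. Dominance: the user's single clearance level is at or above the
         document's classification level.
      2. Need-to-know: the user holds every compartment (project or topic
         tag) the document is marked with. A high clearance on its own
         never grants access to a compartment the user was not briefed on.
    """
    if clearance not in RANK:
        raise ValueError(f"unknown clearance level: {clearance!r}")
    if classification not in RANK:
        raise ValueError(f"unknown classification level: {classification!r}")
    if RANK[clearance] < RANK[classification]:
        return False
    return set(doc_compartments).issubset(set(user_compartments))


def role_may_view(role, classification, user_compartments=(), doc_compartments=()):
    """Look up the role's clearance in the (constructed) table and decide."""
    return may_view(ROLE_CLEARANCE[role], classification,
                    user_compartments, doc_compartments)


if __name__ == "__main__":
    print(role_may_view("information security analyst", "Confidential"))  # True
    print(role_may_view("data entry clerk", "Secret"))                     # False
    # Clearance level is sufficient, but need-to-know is not satisfied:
    print(role_may_view("CIO", "Secret", ("ProjectA",), ("ProjectA", "ProjectB")))  # False
```

The third call is the case the notes' last sentence is about: the highest clearance in the table is refused because the document carries a compartment the user was never given.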

Management of classified data
This includes its storage, distribution, portability, and destruction.
The military uses color-coordinated cover sheets to protect classified information from the
casual observer.
Each classified document should contain the appropriate designation at the top and
bottom of each page.

A clean desk policy requires that employees secure all information in appropriate
storage containers at the end of each day. When information is no longer valuable,
proper care should be taken to destroy it by means of shredding, burning, or
transferring it to a service offering authorized document destruction.
Otherwise, dumpster diving (retrieving discarded documents) can yield information that
could embarrass a company or compromise information security.

Classifying and Prioritizing Information Assets
Some organizations further subdivide information system components into
categories. “Internet components” can be subdivided into servers, networking devices
(routers, hubs, switches), protection devices (firewalls, proxies), and cabling. Each of
the other categories can be similarly subdivided as needed by the organization.

Include a dimension to represent the sensitivity and security priority of the data and
the devices that store, transmit, and process the data—that is, a data classification
scheme. Data classification categories are confidential, internal, and external.

Any system component classification method must be specific enough to enable
determination of priority levels.

Categories must be comprehensive and mutually exclusive. Comprehensive means
that all information assets must fit in the list somewhere, and mutually exclusive
means that an information asset should fit in only one category.

Information Asset Valuation


Discuss the questions that need posing as each asset of the organization is assigned
to a category. These questions assist in developing the weighting criteria to be used
for asset valuation. These questions include:
• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the most profitability?


• Which information asset would be the most expensive to replace?
• Which information asset would be the most expensive to protect?
• Which information asset would be the most embarrassing or cause the greatest
liability if revealed?

To calculate, estimate, or derive values for information assets, consideration might
be given to the following:
• Value retained from the cost of creating the information asset
• Value retained from past maintenance of the information asset
• Value implied by the cost of replacing the information
• Value from providing the information
• Value incurred from the cost of protecting the information
• Value to owners
• Value of intellectual property
• Value to adversaries

Information Asset Prioritization
Each asset is prioritized using a straightforward process known as weighted factor
analysis. In this process, each information asset is assigned a score for each of a set
of critical factors. Scores range from 0.1 to 1.0, which is the range of values
recommended by NIST SP 800-30. In addition, each of the critical factors is also
assigned a weight (ranging from 1 to 100) to show that criterion’s assigned importance
for the organization. An asset’s weighted score is the sum, over all criteria, of its
score multiplied by the criterion’s weight, and assets are ranked by that total.
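The weighted factor analysis just described, written out as an added Python example (not from the notes). The three criteria, their weights, and the three sample assets with their 0.1 to 1.0 scores are constructed for the example; the score and weight ranges are the ones the notes give.

```python
# Added example: weighted factor analysis for information asset prioritization.
# Scores per criterion run from 0.1 to 1.0 and weights from 1 to 100, as in the
# notes (NIST SP 800-30 ranges). The criteria, weights and assets are constructed.

# Constructed weighting criteria; the weights are chosen to sum to 100 so a
# weighted score reads directly as "percent of the maximum".
WEIGHTS = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

# Constructed sample assets with a 0.1-1.0 score against each criterion.
ASSETS = {
    "customer order database": {
        "impact on revenue": 0.8, "impact on profitability": 1.0, "impact on public image": 0.8},
    "EDI document set": {
        "impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "customer service e-mail": {
        "impact on revenue": 0.4, "impact on profitability": 0.4, "impact on public image": 0.9},
}


def weighted_score(scores, weights):
    """Sum of score x weight over every criterion, validating both ranges."""
    total = 0.0
    for criterion, weight in weights.items():
        if not 1 <= weight <= 100:
            raise ValueError(f"weight out of range for {criterion!r}: {weight}")
        score = scores[criterion]          # KeyError if an asset lacks a criterion score
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score out of range for {criterion!r}: {score}")
        total += score * weight
    return round(total, 2)


def prioritize(assets, weights):
    """Return [(asset, weighted score)] sorted from highest to lowest priority."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score in prioritize(ASSETS, WEIGHTS):
        print(f"{score:6.1f}  {name}")
```

With the constructed data the order comes out as customer order database (88), EDI document set (75), customer service e-mail (55); the ranking, not the absolute numbers, is what the later risk assessment steps consume.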

Identifying and Prioritizing Threats
After identifying and performing the preliminary classification of an organization’s
information assets, the analysis phase moves on to an examination of the threats
facing the organization. The realistic threats must be investigated further while the
unimportant threats are set aside.

Each of the 14 categories of threats that endanger any organization must be examined.
This examination is known as a threat assessment. You can begin a threat assessment by
answering a few basic questions, as follows:
• Which threats present a danger to an organization’s assets in the given
environment?
• Which threats represent the most danger to the organization’s information?
• How much would it cost to recover from a successful attack?
• Which of the threats would require the greatest expenditure to prevent?
By answering these questions, you establish a framework for the discussion of threat
assessment. The list of questions above may not cover everything that affects the
information security threat assessment. If an organization has specific guidelines or
policies, additional questions based on them can be considered.

Vulnerability Identification
Once the organization’s information assets have been identified and some criteria for
assessing the threats it faces have been documented, review each information asset
against each threat it faces and create a list of vulnerabilities.

Vulnerabilities: Specific avenues that threat agents can exploit to attack an
information asset are called vulnerabilities.


They are chinks in the armor: a flaw or weakness in an information asset, security
procedure, design, or control that could be exploited accidentally or on purpose to
breach security.

Examine how each threat could be perpetrated and list the organization’s assets and
their vulnerabilities.
The process works best when people with diverse backgrounds within the organization work
iteratively in a series of brainstorming sessions.

At the end of the risk identification process, a list of assets and their vulnerabilities
has been identified and prioritized. This list is called the TVA worksheet
(Threats-Vulnerabilities-Assets).

T1V1A1—Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1—Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1—Vulnerability 1 that exists between Threat 2 and Asset 1

Risk Assessment
After identifying the organization’s information assets and the threats and
vulnerabilities, you can evaluate the relative risk for each of the vulnerabilities.
This process is called risk assessment. It assigns a risk rating or score to each
information asset.
• Risk assessment evaluates the relative risk for each vulnerability.
• It assigns a risk rating or score to each information asset.
• This number is useful for gauging the relative risk to each vulnerable asset and
serves as its risk rating.
Steps in Risk Assessment
1. Introduction to Risk Assessment
2. Likelihood
3. Risk Determination
4. Identify Possible Controls
5. Documenting the Results of Risk Assessment

Figure: Major Stages of Risk Assessments


Introduction to Risk Assessment
The goal of risk assessment is to create a method for evaluating the relative risk of
each of the listed vulnerabilities. The factors used in the risk-rating estimate for
each vulnerability are:

Risk = (likelihood of the occurrence of a vulnerability × value of the information asset)
       − (percentage of that risk mitigated by current controls)
       + (uncertainty of current knowledge of the vulnerability)

The mitigated percentage and the uncertainty are both taken as percentages of the
first product (likelihood × value), as the worked examples under Risk Determination
show.

Likelihood
It is the probability that a specific vulnerability will be the object of a successful
attack.
• Assign numeric value to likelihood: number between 0.1 (low) and 1.0 (high),
or a number between 1 and 100 (as per NIST recommendations).
• Zero not used since vulnerabilities with zero likelihood are removed from
asset/vulnerability list.
• Choose a rating system based on professionalism, experience and judgement.
• Use selected rating system consistently.
• Use external references for values that have been reviewed/adjusted for your
circumstances.
For example:
• The likelihood of a fire has been estimated mathematically or statistically for
each type of structure.
• The likelihood that any given e-mail contains a virus or worm has been
researched.
• The number of network attacks can be forecast based on how many assigned
network addresses the organization has.

Risk Determination
To determine the relative risk assessment:
Risk EQUALS likelihood of vulnerability occurrence TIMES value (or impact) MINUS
percentage of risk already controlled PLUS an element of uncertainty.

Example 1) Information asset A has a value score of 50 and has one vulnerability.
Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that
assumptions and data are 90 percent accurate.
Risk rating factor of Asset A, Vulnerability 1:
Risk = (50 × 1.0) − 0% + 10%
     = (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)
     = 55
Example 2) Information asset B has a value score of 100 and has two vulnerabilities:
Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50
percent of its risk; vulnerability 3 has a likelihood of 0.1 with no current controls.
You estimate that assumptions and data are 80 percent accurate.
Risk rating factor of Asset B, Vulnerability 2:
Risk = (100 × 0.5) − 50% + 20%
     = (100 × 0.5) − ((100 × 0.5) × 0.5) + ((100 × 0.5) × 0.2)
     = 35
Risk rating factor of Asset B, Vulnerability 3:
Risk = (100 × 0.1) − 0% + 20%
     = (100 × 0.1) − ((100 × 0.1) × 0.0) + ((100 × 0.1) × 0.2)
     = 12
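The risk-rating formula and the two worked examples above, as an added Python example (not from the notes). The function also builds the ranked list that the later “ranked vulnerability risk worksheet” step uses; the asset and vulnerability labels are the notes’ own, the worksheet helper is constructed.

```python
# Added example: the notes' risk-rating formula as code, with the ranked
# vulnerability worksheet built from it. The three entries are the notes'
# worked examples; the worksheet helper itself is constructed.

def risk_rating(asset_value, likelihood, controlled_fraction, accuracy):
    """Risk = (value x likelihood)
              - (value x likelihood) x fraction already controlled
              + (value x likelihood) x uncertainty,
    where uncertainty = 1 - accuracy of the assumptions and data.
    asset_value is 1-100, likelihood 0.1-1.0, the other two are 0.0-1.0."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0.1 and 1.0")
    for name, frac in (("controlled_fraction", controlled_fraction), ("accuracy", accuracy)):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name} must be between 0.0 and 1.0")
    base = asset_value * likelihood
    uncertainty = 1.0 - accuracy
    # Rounded so that the float arithmetic reproduces the notes' integer results.
    return round(base - base * controlled_fraction + base * uncertainty, 2)


def ranked_worksheet(entries):
    """entries: iterable of (asset, vulnerability, value, likelihood, controlled, accuracy).
    Returns rows (asset, vulnerability, value, likelihood, risk) sorted by risk,
    highest first: the ranked vulnerability risk worksheet described in the notes."""
    rows = []
    for asset, vuln, value, likelihood, controlled, accuracy in entries:
        rows.append((asset, vuln, value, likelihood,
                     risk_rating(value, likelihood, controlled, accuracy)))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows


# The two examples from the notes.
EXAMPLE_ENTRIES = [
    ("Asset A", "Vulnerability 1", 50, 1.0, 0.0, 0.9),
    ("Asset B", "Vulnerability 2", 100, 0.5, 0.5, 0.8),
    ("Asset B", "Vulnerability 3", 100, 0.1, 0.0, 0.8),
]

if __name__ == "__main__":
    for asset, vuln, value, likelihood, risk in ranked_worksheet(EXAMPLE_ENTRIES):
        print(f"{asset:8} {vuln:16} value={value:3} likelihood={likelihood:.1f} risk={risk}")
```

Running it reproduces the three ratings (55, 35, 12) and orders the rows accordingly; the range checks catch the common mistake of passing a percentage such as 50 where the formula expects the fraction 0.5.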

Identify possible controls
For each threat and its associated vulnerabilities that have residual risk, create a
preliminary list of control ideas.
Residual risk is the risk that remains to an information asset even after the control has
been applied.
Controls, safeguards, and countermeasures are security mechanisms, policies, and
procedures.
There are three general categories of controls:
• Policies
• Programs
• Technologies
Policies are documents that specify an organization’s approach to security. There are
four types of security policies: general security policies, program security policies,
issue-specific policies, and systems-specific policies.
Programs are activities performed within the organization to improve security. These
include security education, training, and awareness programs.
Security technologies are the technical implementations of the policies defined by
the organization.

Documenting the Results of Risk Assessment
The final summary is compiled in the ranked vulnerability risk worksheet.
Worksheet details:
1. Asset
2. Asset impact (1 to 100)
3. Vulnerability
4. Vulnerability likelihood (0.1 to 1.0)
5. Risk-rating factor (1 to 100)
The ranked vulnerability risk worksheet is the initial working document for the next
step in the risk management process: assessing and controlling risk.

Ranked Vulnerability Risk Worksheet

Risk Control Strategies
Once the project team for information security development has created the ranked
vulnerability worksheet, the team must choose one of five basic strategies to control
each of the risks that result from these vulnerabilities: defend, transfer, mitigate,
accept, and terminate.
1. Defend:
The defend strategy attempts to prevent the exploitation of the vulnerability.
It is accomplished by countering threats, removing vulnerabilities from assets,
limiting access to assets, and adding protective safeguards.
There are three common methods used to defend:
• Application of policy
• Education and training
• Application of technology
Organizations can reduce risk to an asset by countering the threats it faces or by
eliminating its exposure. It is difficult, but possible, to eliminate a threat.
Another defend strategy is the implementation of security controls and safeguards to
deflect attacks on systems and therefore minimize the probability that an attack will
be successful.

2. Transfer:
The transfer control strategy attempts to shift risk to other assets, other processes,
or other organizations.
Accomplished by rethinking how services are offered, revising deployment models,
outsourcing to other organizations, purchasing insurance, or implementing service
contracts with providers.
One of the eight characteristics of excellent organizations is that they “stick to their
knitting … i.e., stay reasonably close to the business they know.”

This principle should be considered whenever an organization begins to expand its
operations, including information and systems management and even information
security.

3. Mitigate
The mitigate control strategy attempts to reduce the impact caused by the
exploitation of vulnerability through planning and preparation. It requires the
creation of three types of plans
1. the incident response plan,
2. the disaster recovery plan, and
3. the business continuity plan.

Incident Response plan (IR)
What actions are to be taken while an incident is in progress should be specified in a
document called the incident response (IR) plan.
The IR plan supplies the answers to questions such as “What do I do now?”, “What
should the administrator do first?”, “Whom should he or she contact?”, and “What
should he or she document?”
Disaster Recovery plan (DR)
The DR plan can include strategies to limit losses before and during the disaster.
These strategies are fully deployed once the disaster has stopped.

The DR plan includes the entire set of activities used to recover from an incident,
including steps to limit losses before and during the disaster.

The DR plan focuses more on preparations before the incident and actions to be taken
after the incident.
Business Continuity plan (BC)
This plan is the most strategic and long term of the three plans.
It concentrates on the continuation of business activities if a catastrophic event
occurs, such as the loss of an entire database, building, or operations center.

The BC plan includes planning the steps necessary to ensure the continuation of the
organization when the scope or scale of a disaster exceeds the ability of the DR plan
to restore operations. This can include preparation steps for activation of secondary
data centers, hot sites, or business recovery sites.

4. Accept:
The accept control strategy is the choice to do nothing to protect a vulnerability and
to accept the outcome of its exploitation.
Organization can accept any risk after performing the following:
• Determined the level of risk
• Assessed the probability of attack
• Estimated the potential damage that could occur from attacks
• Performed a thorough cost benefit analysis
• Evaluated controls using each appropriate type of feasibility
• Decided that the function, service, information, or asset did not justify the cost
of protection.
5. Terminate:
The terminate control strategy directs the organization to avoid those business
activities that introduce uncontrollable risks.
The organization may seek an alternate mechanism to meet customer needs.
Each of the mitigation plans (IR, DR, and BC) depends on the ability to detect and
respond to an attack as quickly as possible, and each relies on the quality of the
other plans.

Selecting a Risk Control Strategy


To reduce risk, select one of the five risk control strategies for each vulnerability.
The level of threat and the value of the asset play a major role in the selection of a
strategy. The following rules of thumb on strategy selection can be applied:
When a vulnerability (flaw or weakness) exists: Implement security controls to
reduce the likelihood of a vulnerability being exercised.
When a vulnerability can be exploited: Apply layered protections, architectural
designs, and administrative controls to minimize the risk or prevent occurrence.
When the attacker’s cost is less than his or her potential gain: Apply protections
to increase the attacker’s cost (e.g., use system controls to limit what a system user
can access and do, thereby significantly reducing an attacker’s gain).
When potential loss is substantial: Apply design principles, architectural designs,
and technical and nontechnical protections to limit the extent of the attack, thereby
reducing the potential for loss.

Risk Handling Decision Points


Feasibility Study
Before deciding on a control strategy, all information about the economic and
noneconomic consequences of the vulnerability of the information asset must be
explored to answer the following question:
• “What are the actual and perceived advantages of implementing a control as
opposed to the actual and perceived disadvantages of implementing the
control?”
Several ways exist to determine the advantage of a specific control, and many methods
exist to identify the disadvantage of a specific control.
Cost avoidance is the process of preventing the financial impact of an incident by
implementing a control.

Cost Benefit Analysis (CBA)
It begins by evaluating the worth of the assets to be protected and the loss in value if
they are compromised.
The formal process to document this is called cost benefit analysis or economic
feasibility study.
Items that affect the cost of a control or safeguard include:
• Cost of development or acquisition
• Training fees
• Implementation cost
• Service costs
• Cost of maintenance
Benefit: The value an organization realizes by using controls to prevent losses from a
vulnerability.

Asset valuation: The process of assigning a financial value or worth to each information
asset.
Potential loss per risk: The loss incurred when a vulnerability is exploited.

Single loss expectancy (SLE) is the value associated with the most likely loss from an
attack:
SLE = asset value × exposure factor (EF)
EF = percentage of loss that would occur from a given vulnerability being exploited
The expected loss per risk per year is stated in the following equation:
Annualized loss expectancy (ALE) = single loss expectancy (SLE) ×
annualized rate of occurrence (ARO)
CBA determines whether implementing a control is worth its cost.
CBA is most easily calculated using the ALE from earlier assessments, before
implementation of the proposed control:
CBA = ALE(prior) – ALE(post) – ACS
• ALE(prior) is the annualized loss expectancy of the risk before implementation of
the control
• ALE(post) is the estimated ALE based on the control being in place for a period
• ACS is the annualized cost of the safeguard
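The SLE, ALE, and CBA equations above chained together, as an added Python example (not from the notes). The asset value, exposure factors, rates of occurrence and safeguard cost used at the bottom are constructed figures; the formulas are the ones the notes give.

```python
# Added example: SLE, ALE and the CBA formula from the notes as code. The
# dollar figures, exposure factors and rates are constructed for the example.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF, where EF is the fraction (0.0-1.0) of the
    asset's value lost in one exploitation of the vulnerability."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is how many times per year the loss is expected
    (a once-in-ten-years event has ARO 0.1)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the safeguard saves
    more per year than it costs; zero or negative means it is not justified
    on economic grounds alone."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value, ef_prior, aro_prior, ef_post, aro_post, acs):
    """Run the whole chain for one proposed control and return the figures a
    cost benefit analysis would record. A control may lower EF (less damage per
    event), ARO (fewer events per year), or both."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"ALE_prior": ale_prior, "ALE_post": ale_post, "ACS": acs,
            "CBA": cba, "justified": cba > 0}


if __name__ == "__main__":
    # Constructed: a $100,000 asset; the vulnerability would destroy 40% of its
    # value about once every two years (ARO 0.5). The proposed control cuts the
    # exposure to 10% of the value and costs $8,000 per year to run.
    print(evaluate_control(100_000, 0.4, 0.5, 0.1, 0.5, 8_000))
```

With the constructed figures ALE(prior) is $20,000, ALE(post) is $5,000 and the CBA is +$7,000, so the control pays for itself; raising the safeguard cost to $20,000 a year turns the CBA negative, which is the signal to consider accepting or transferring the risk instead.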

Evaluation, Assessment and Maintenance of Risk Controls


• Selection and implementation of control strategy is not end of process.
• Strategy and accompanying controls must be monitored/reevaluated on
ongoing basis to determine effectiveness and to calculate more accurately the
estimated residual risk.
• Process continues as long as organization continues to function.

Risk Control Cycle

Quantitative Versus Qualitative
Performing risk management using actual values or estimates is known as
quantitative assessment.
It is also possible to complete the risk management steps using an evaluation process
based on characteristics and nonnumerical measures; this is called qualitative assessment.
Using scales rather than specific estimates relieves the organization of the difficulty of
determining exact values.
• Scales such as: None, Low, Medium, High, Very High

Benchmarking and Best Practices
An alternative approach to risk management.

Benchmarking: It is the process of seeking out and studying practices followed in
other organizations which are producing good results and using them in your own
organization.
It is also used to measure the difference between two organizations in doing business.
In benchmarking, organizations typically use two types of measures to compare best
practices:
• Metrics-based measures
• Process-based measures
Metrics-based measures: Comparison based on numerical standards, such as
1. Number of successful attacks
2. Staff-hours spent on system protection
3. Dollars spent on protection
4. Number of security personnel
5. Estimated value in dollars of the information lost in successful attacks
6. Loss in productivity hours associated with successful attacks
Performance gap: the difference between such measures among two organizations.

Process-based measures: Based on the strategies applied by an organization to achieve
its security goal, without regard to the numerical output.
Standard of due care: when adopting levels of security for a legal defense, the
organization shows it has done what any prudent organization would do in similar
circumstances.
Due diligence: demonstration that the organization is diligent in ensuring that
implemented standards continue to provide the required level of protection.
Failure to support the standard of due care or due diligence can leave an organization open
to legal liability.
Best business practices: security efforts that provide a superior level of information
protection are called best practices or recommended practices.
Some organizations require the best of the best security practices; this is called the gold
standard.
The gold standard is a defining level of performance that demonstrates one
company’s industrial leadership, quality, and concern for the protection of
information.

Applying Best Practices

When considering best practices for adoption in an organization, consider the
following:
• Does the organization resemble the identified target with the best practice?
• Are the resources at hand similar to those of the organization you considered?
• Is your organization in a similar threat environment?
As an example of published best practices, Microsoft focuses on the following seven
key areas for home users:
• Use antivirus software
• Use strong passwords
• Verify security settings
• Update product security
• Build personal firewalls
• Back up often
• Protect against power surges and loss

For small businesses, Microsoft recommends the following:
1. Protect desktops and laptops—Keep software up to date, protect against
viruses, and set up a firewall.
2. Keep data safe—Implement a regular backup procedure to safeguard critical
business data, set permissions, and use encryption.
3. Use the Internet safely—Unscrupulous Web sites, popups, and animations
can be dangerous. Set rules about Internet usage.
4. Protect the network—Remote network access is a security risk you should
closely monitor. Use strong passwords and be especially cautious about
wireless networks.
5. Protect servers—Servers are the network’s command center; protect your
servers.
6. Secure business applications—Make sure that software critical to your
business operations is fully secure around the clock.
7. Manage desktops and laptops from the server—Without stringent
administrative procedures in place, security measures may be unintentionally
jeopardized by users.

Problems with the Application of Benchmarking and Best Practices
• Organizations don’t talk to each other (the biggest problem).
• No two organizations are identical.
• Best practices are a moving target.
• Knowing what was going on in the information security industry in recent
years through benchmarking doesn’t necessarily prepare for what’s next.

Baselining
Baseline: A value or profile of a performance metric against which changes in
the performance metric can be usefully compared.
Baselining:
• Analysis of measures against established standards.
• In information security, baselining is the comparison of security activities
and events against an organization’s future performance.
• It is useful during baselining to have a guide to the overall process.

Other Feasibility Studies


Organizational Feasibility: It examines how well the proposed information security
alternatives will contribute to the efficiency, effectiveness, and overall operation of an
organization.
Operational Feasibility: It examines user acceptance and support, management
acceptance and support, and the overall requirements of the organization’s
stakeholders. It measures the behavior of users.
• Communicate with system users by letting them know that changes are
coming.
• Educate employees
• Involve users by asking them what they want from the new systems.
These three can reduce resistance to change and build resilience for change.
Technical Feasibility: Information Security project team must also consider the
technical feasibilities of their design, implementation, and management.
Technical feasibility analysis examines whether or not the organization has or can
acquire the technology necessary to implement and support the proposed control.
Political Feasibility: Determines what can and cannot occur based on the consensus
and relationships among the communities of interest. Two typical issues:
1. Availability of staff resources.
2. Sometimes resources are allocated to the information security community as a
whole, which then allocates them to projects according to its own design.

Risk Management Discussion Points
Many organizations may not have the budget required to manage every vulnerability by
applying controls. Therefore, each organization must define the level of risk it is
willing to live with.
Risk Appetite: It defines the quantity and nature of risk that organizations are willing
to accept as they evaluate the trade-offs between perfect security and unlimited
accessibility.
Residual Risk: Even when all the vulnerabilities have been controlled as much as possible,
there is often still some risk that has not been removed, shifted, or planned for. This
remainder is called residual risk.
Documenting Results
The results of risk assessment activities can be delivered in a number of ways:
1) A report on a systematic approach to risk control.
2) A project-based risk assessment.
3) A topic-specific risk assessment.

Residual risk

Recommended Risk Control Practices
Developing strong justifications for specific action plans and providing concrete
estimates of the cost to implement a control strategy convinces the budget authorities
to spend up to a given value to protect the asset from an identified threat.

Another factor to consider is that each control or safeguard affects more than one
asset-threat pair.

Look for a way to implement controls that doesn’t involve such complex, inexact, and
dynamic calculations.
