an impediment preventing the achievement of an objective
Examples: Financial, Fraud, IT
Risk = Asset value x Threat value x Vulnerability value
Threat (systems definition)
Any circumstance or event with the potential to cause harm to a system in the form of:
Threats are ACTIVE and exploit vulnerabilities.
A method used to exploit a vulnerability in an information system
Human - Intentional / Unintentional
Environmental - Natural / Fabricated
3 Attributes of threats
1. Source - country, location, sponsorship
2. Capabilities - being able to cause damage: resources, training, methods, reach, and whether the effort can be sustained.
3. Intentions - the hardest attribute to judge: motivation, targets, and timing (will they attack once or often?).
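As an added illustration (not part of the original notes), the risk formula above and the three threat attributes can be combined into a small scored register. The 0-5 rating scale, the rule for turning capability and intention into a single threat value, and the sample entries are all assumptions made for this example; the point it shows is that the multiplicative model drives risk to zero whenever any factor is zero, so a fully mitigated vulnerability scores zero even against the most capable threat.

```python
"""Risk = Asset value x Threat value x Vulnerability value, applied to a
constructed register. Example code, not from the original notes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    """One threat, rated on the three attributes the notes list."""
    name: str
    source: str                  # country / location / sponsorship (descriptive)
    capability: int              # 0-5: resources, training, methods, reach, sustainability
    intention: Optional[int] = None  # 0-5 for human threats; None for environmental ones

    def value(self) -> int:
        """Assumed rule: a human threat needs both the means and the will, so
        take the smaller of the two ratings. Environmental threats have no
        intention, so their capability rating is used directly."""
        if self.intention is None:
            return self.capability
        return min(self.capability, self.intention)


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pairing with its vulnerability rating."""
    asset: str
    asset_value: int             # 0-5
    threat: Threat
    vulnerability: int           # 0-5: how easily this threat can exploit the asset

    def risk(self) -> int:
        # The page's formula; any zero factor yields zero risk.
        return self.asset_value * self.threat.value() * self.vulnerability


def rank_exposures(register: List[Exposure]) -> List[Tuple[str, str, int]]:
    """Return (asset, threat name, risk) triples, highest risk first."""
    scored = [(e.asset, e.threat.name, e.risk()) for e in register]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample threats and register (hypothetical values).
STATE_ACTOR = Threat("state-sponsored espionage", "foreign government", capability=5, intention=4)
INSIDER = Threat("disgruntled insider", "internal", capability=3, intention=5)
SCANNER = Threat("opportunistic scanner", "unknown", capability=2, intention=2)
FLOOD = Threat("river flood", "environmental / natural", capability=2)  # no intention

SAMPLE_REGISTER = [
    Exposure("customer database", 5, STATE_ACTOR, vulnerability=3),   # 5 * 4 * 3 = 60
    Exposure("customer database", 5, INSIDER, vulnerability=2),       # 5 * 3 * 2 = 30
    Exposure("public website", 2, SCANNER, vulnerability=5),          # 2 * 2 * 5 = 20
    Exposure("data centre", 5, FLOOD, vulnerability=1),               # 5 * 2 * 1 = 10
    Exposure("patched VPN gateway", 4, STATE_ACTOR, vulnerability=0), # 4 * 4 * 0 = 0
]

if __name__ == "__main__":
    for asset, threat, risk in rank_exposures(SAMPLE_REGISTER):
        print(f"{risk:3d}  {asset:<20} {threat}")
```

Note that the capable, motivated state actor still produces a risk of zero against the patched gateway: in this model the threat value only matters in proportion to an exploitable vulnerability, which is exactly why the notes describe threats as active agents that exploit vulnerabilities rather than as risks in themselves.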
Industrial Espionage in Canada (sectors)
1. Oil and Gas
Difference between Security Awareness and Security Training.
1. Awareness programs seek to inform employees and focus their attention on security issues within the organization.
2. Training programs are designed to teach people the skills to perform IS-related tasks more effectively. Teaches the WHAT and HOW.
4 stages of Information Life Cycle
1. Initiation of a company record.
2. Use of the Record.
3. Storage of the Record.
The 4 Business / Security Services
Confidentiality – Information made only available to authorized individuals.
Integrity – Accuracy of Information and assets
Availability – Accessibility of Systems and services when required.
Accountability – Actions of person or process may be traced uniquely to that entity
Threat Assessment – To provide senior management information about an impending danger to their business system in time to make an informed decision.
4 Step Cycle for credible assessments. (Used by Government & Industry)
a. Direction – Obtain management approval and the type of information required.
b. Collection – Gather information from appropriate sources.
c. Process – (1) Collation, (2) Evaluation, (3) Analysis, (4) Integration, (5) Interpretation.
d. Dissemination – Timely distribution of the assessment.
What are the 9 OECD Principles
Really Awesome Economics Does Reduce My Really Radical Decisions
1. Responsibility – Participants should be Responsible for Security
2. Awareness – Aware of the need for security
3. Ethics – Respect the interests of others
4. Design + Implementation – Incorporate security into the networks
5. Risk Assessment – Conduct assessments proportional to the risks
6. Management – Comprehensive approach to security
7. Response – Reaction in a timely manner to incidents
8. Reassessment – Review any changes to policy and procedures
9. Democracy – Meet essential values of democratic society
Information Systems Security
A subset of information security that ensures the integrity and availability of information system assets
IT Security (IT Sec)
An integrated set of technological security measures designed to ensure the confidentiality, integrity and availability of information electronically stored, processed or transmitted by an information system
Difference between IT Sec and ISS
ISS/Information Security straddles the security issues associated with technology and people.
IT Security (ITSec) focuses on system technology.
IT Sec Sub components
Computer Security (Compusec)
Cryptographic Security (Cryptosec)*
Transmission Security (Transsec)*
Emissions Security (Emsec)*
Network Security (Netsec)
The three starred items together make up Communications Security (COMSEC).
Compusec – Ensures the operating system, applications and hardware remain intact, preventing deliberate or inadvertent modification or loss of information.
Cryptosec – Protection resulting from the use of cryptographic systems or products to encode data, making it unreadable to unauthorised persons.
Transsec – Measures designed to protect transmissions from interception and exploitation.
Emsec – Measures to confine information so as to deny unauthorised access to, or analysis of, the information through interception of electromagnetic emissions.
Netsec – Protection of the integrity of an information system's network configuration to prevent unauthorised rerouting or modification.