8/8/2019 A Quantitative Model for Information Security Risk Assessment-presentation
http://slidepdf.com/reader/full/a-quantitative-model-for-information-security-risk-assessment-presentation 1/39
A QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK ASSESSMENT
BITS ZG629T: Dissertation
By HARIHARAN M (2007HZ12033)
Dissertation work carried out at SAMTEL GROUP, New Delhi
ISO Standard on Information Security
Information security management systems — Requirements
Code of practice for information security management
Information Security Risk Assessment
Risk Analysis
ISO/IEC 27001:2005. Information security management systems -- Requirements, 2000, from: www.iso.org.
Quantitative Risk Assessment
Qualitative Risk Assessment
CURRENT RESEARCH
PROPOSED QUANTITATIVE MODEL
Basic Building Blocks
Information Security Triad
ISO/IEC 27001:2005. Information security management systems -- Requirements, 2000, from: www.iso.org.
Confidentiality: that the assets of the system are only accessed by authorized parties.
Integrity: that the assets of the system can be modified by authorized parties only, and in authorized ways.
Availability: that the assets of a system are always available to the authorized parties.
Based on Principles of Software Architecture
IT Infrastructure Library V3 – Service Oriented Approach
PROPOSED QUANTITATIVE MODEL
Availability Risk Assessment
Service Oriented Approach
Service Catalogue thru Use Case
Components of a Service (e-mail service diagram)
Network: Internet; Data Centre LAN
Service components: Mail Storage Server in High Availability Mode; Mail Transport Server; Directory Service (User Management); Mail Gateway Server
Flows: Incoming & Outgoing message Delivery; Message Delivery
Layered view of each component:
Client – Computer: Operating System; E-mail Client
Server – Directory Server: Operating System; LDAP Server
Server – Mail Transport Server: Operating System; HUB Server
Server – Mail Database Server in HA Cluster: Operating System; Mail Store Server
Server – Mail Gateway Server: Operating System; SMTP Server
MTBF
Component-wise MTBF
MTTR
What determines Availability
How to Measure
Maturity Model for Measurement
System Maturity Levels
MTBF Matrix
Support Maturity Level
MTBF and MTTR matrix (values in hrs)
Rows: System Architecture Maturity (level, MTBF). Columns: MTTR at Support Architecture Maturity level 1 to 5.
System Architecture Maturity | Level | MTBF | MTTR @ Support 1 | @ Support 2 | @ Support 3 | @ Support 4 | @ Support 5
Ad Hoc (Single System) | 1 | 4380 | 48.00 | 24.00 | 16.00 | 8.00 | 4.00
Repeatable (Standby can be arranged) | 2 | 4380 | 24.00 | 16.00 | 8.00 | 4.00 | 2.00
Defined (Standby part of Landscape) | 3 | 4380 | 8.00 | 4.00 | 2.00 | 1.00 | 1.00
Managed (High Availability Environment) | 4 | 26280 | 0.10 | 0.10 | 0.10 | 0.10 | 0.10
Optimised (could not be defined) | 5 | | | | | |
Service-wise Maturity Assessment
Service Catalogue | System Maturity Level | Support Maturity Level
e-mail Access via Outlook | 3 | 4
Blackberry Service | 2 | 2
Video Conferencing | 1 | 1
Internet Browsing | 2 | 3
Corporate Intranet | 2 | 3
Outlook Web Access | 2 | 3
Customer Subscription (CRM) | 3 | 3
Payroll and PF Trust Accounting | 3 | 2
Availability Risk Assessment
Service Catalogue | System Maturity Level | Support Maturity Level | MTBF | MTTR | Availability %
e-mail Access via Outlook | 3 | 4 | 4380 | 1.00 | 99.977
Blackberry Service | 2 | 2 | 4380 | 16.00 | 99.636
Video Conferencing | 1 | 1 | 4380 | 48.00 | 98.916
Internet Browsing | 2 | 3 | 4380 | 8.00 | 99.818
Corporate Intranet | 2 | 3 | 4380 | 8.00 | 99.818
Outlook Web Access | 2 | 3 | 4380 | 8.00 | 99.818
Customer Subscription (CRM) | 3 | 3 | 4380 | 2.00 | 99.954
Payroll and PF Trust Accounting | 3 | 2 | 4380 | 4.00 | 99.909
CASE STUDY
IT Performance Reporting
IT Performance MIS
[Chart: PeopleSoft CRM and PeopleSoft SCM monthly availability (%) against COMMITTED SLA, Apr to Feb; y-axis 95.50 to 100.50]
SCM down time
Date | Duration
15.06.09 | 1 hr 4 m
16.06.09 | 16 hr 10 m
Annotations on the chart:
SCM users experienced slowdown/outages for 10 hrs
CRM users experienced slowdown/outages for 7 hrs
SCM users experienced slowdown/outages for 13 hrs
Service Availability Measures
Service | # of Single Point Failure | MTBF (hrs) | MTTR (hrs) | Capability Index | Support Maturity | Infrastructure Maturity | Availability Risk Level
PeopleSoft ERP | 1 | 4380.00 | 16.00 | 99.64 | 3 | 1 | MEDIUM
IT Performance MIS
Service Availability Measures
Service | # of Single Point Failure | MTBF (hrs) | MTTR (hrs) | Capability Index | Support Maturity | Infrastructure Maturity | Availability Risk Level
Internet Bandwidth (Browsing) | 2 | 2190.00 | 24 | 98.92 | 2 | 1 | HIGH
[Chart: Internet Bandwidth (Browsing) monthly availability (%) against COMMITTED SLA, Apr to Feb; y-axis 81.00 to 99.00]
Annotation on the chart: 92.26 – Outages recorded for 2 days 5 hrs (Browsing)
IT Performance MIS
Service Availability Measures
Service | # of Single Point Failure | MTBF (hrs) | MTTR (hrs) | Capability Index | Support Maturity | Infrastructure Maturity | Availability Risk Level
DMS | | 4380.00 | 4.00 | 99.91 | 2 | 3 | LOW
[Chart: Archival Syndication (DMS, Quark) monthly availability (%) against COMMITTED SLA, Apr to Feb; y-axis 95.50 to 100.50]
Annotation on the chart: Outages – 7 incidence due to h/w fault
IT Performance MIS
Risk Index = Inverse (System Maturity Level) x Inverse (Support Maturity Level)
Risk Value:
1 to 10 -> No Risk
11 to 15 -> Low Risk
16 to 20 -> Medium Risk
More than 20 -> High Risk
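The following is an added worked example, not code from the dissertation or from SAMTEL. It encodes the "MTBF and MTTR matrix" slide, reproduces the Availability % column of the "Availability Risk Assessment" slide and the Capability Index figures of the case-study slides, and maps a risk value onto the bands listed above. Two assumptions are made and marked in the code: availability is computed as MTBF / (MTBF + MTTR), the usual definition, which the slide's figures agree with; and because the slide does not define its "Inverse" function, the band mapping takes an already computed risk value as input rather than deriving it from the maturity levels.

```python
"""Availability risk assessment from the MTBF/MTTR maturity matrix.

Added example (not the dissertation's own code). The matrix and the
service catalogue below are copied from the slides; the availability
formula and the risk-band helper are assumptions noted inline.
"""
from dataclasses import dataclass
from typing import List, Tuple

# MTBF (hrs) per System Architecture Maturity level, from the slide.
# Level 5 (Optimised) "could not be defined" on the slide and is omitted.
MTBF_HOURS = {1: 4380.0, 2: 4380.0, 3: 4380.0, 4: 26280.0}

# MTTR (hrs) per System Architecture Maturity level, indexed by
# Support Architecture Maturity level 1..5 (list index 0..4), from the slide.
MTTR_HOURS = {
    1: [48.0, 24.0, 16.0, 8.0, 4.0],   # Ad Hoc (Single System)
    2: [24.0, 16.0, 8.0, 4.0, 2.0],    # Repeatable (Standby can be arranged)
    3: [8.0, 4.0, 2.0, 1.0, 1.0],      # Defined (Standby part of Landscape)
    4: [0.1, 0.1, 0.1, 0.1, 0.1],      # Managed (High Availability Environment)
}

# Service catalogue with (system maturity, support maturity), from the
# "Service-wise Maturity Assessment" slide.
SERVICE_CATALOGUE: List[Tuple[str, int, int]] = [
    ("e-mail Access via Outlook", 3, 4),
    ("Blackberry Service", 2, 2),
    ("Video Conferencing", 1, 1),
    ("Internet Browsing", 2, 3),
    ("Corporate Intranet", 2, 3),
    ("Outlook Web Access", 2, 3),
    ("Customer Subscription (CRM)", 3, 3),
    ("Payroll and PF Trust Accounting", 3, 2),
]


@dataclass(frozen=True)
class Assessment:
    service: str
    system_maturity: int
    support_maturity: int
    mtbf: float
    mttr: float
    availability_pct: float


def lookup(system_maturity: int, support_maturity: int) -> Tuple[float, float]:
    """Return (MTBF, MTTR) in hours for a maturity pair; rejects undefined cells."""
    if system_maturity not in MTBF_HOURS:
        raise ValueError(f"no MTBF/MTTR defined for system maturity {system_maturity}")
    if not 1 <= support_maturity <= 5:
        raise ValueError(f"support maturity must be 1..5, got {support_maturity}")
    return MTBF_HOURS[system_maturity], MTTR_HOURS[system_maturity][support_maturity - 1]


def availability_pct(mtbf: float, mttr: float) -> float:
    """Assumed formula: availability = MTBF / (MTBF + MTTR), as a percentage (3 dp)."""
    return round(100.0 * mtbf / (mtbf + mttr), 3)


def assess(service: str, system_maturity: int, support_maturity: int) -> Assessment:
    """Look up the matrix for one service and compute its availability."""
    mtbf, mttr = lookup(system_maturity, support_maturity)
    return Assessment(service, system_maturity, support_maturity,
                      mtbf, mttr, availability_pct(mtbf, mttr))


def assess_catalogue(catalogue=SERVICE_CATALOGUE) -> List[Assessment]:
    return [assess(*row) for row in catalogue]


def weakest_services(assessments: List[Assessment], n: int = 3) -> List[Assessment]:
    """Lowest-availability services first: the prescriptive input for mitigation."""
    return sorted(assessments, key=lambda a: a.availability_pct)[:n]


def risk_band(risk_value: float) -> str:
    """Map a risk value onto the bands from the slide. The slide's 'Inverse'
    function is not defined there, so the risk value itself is the input."""
    if risk_value <= 10:
        return "No Risk"
    if risk_value <= 15:
        return "Low Risk"
    if risk_value <= 20:
        return "Medium Risk"
    return "High Risk"


if __name__ == "__main__":
    for a in assess_catalogue():
        print(f"{a.service:34} sys={a.system_maturity} sup={a.support_maturity} "
              f"MTBF={a.mtbf:.0f} MTTR={a.mttr:.2f} avail={a.availability_pct:.3f}%")
    print("Weakest:", [a.service for a in weakest_services(assess_catalogue())])
```

Running the block prints the same eight availability figures as the slide (99.977 down to 98.916) and lists Video Conferencing, Blackberry Service and the three level-(2,3) services as the weakest. Feeding the case-study pairs through `availability_pct` (2190 h / 24 h for Internet Bandwidth, 4380 h / 16 h for PeopleSoft ERP, 4380 h / 4 h for DMS) reproduces the 98.92, 99.64 and 99.91 Capability Index values, which is a useful sanity check that the catalogue and the reported MIS figures rest on the same arithmetic.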
CONCLUSION
Conclusion
A Quantitative Model without relying on Financial Valuation.
Provides Prescriptive Inputs for Risk Mitigation.
Creates Baseline for Measurement of IT Performance.
Can be used for new/proposed system.
THANK YOU