Information Security Management
COMP4690, HKBU 1
Concept of Information Security Management
Information Classification Process
Security Policy Implementation
The roles and responsibilities of Security
Risk Management Assessment
Security Awareness Training
Information security protects an organization's valuable resources.
It ensures that all resources are protected and available to the
organization whenever they are needed. This leads to information
classification and security policy.
However, security issues cannot be eliminated completely. This leads to the Risk
Purposes of Information Security
Three basic requirements
Availability: assure that a computer system is accessible by
authorized users whenever needed.
Integrity: protect the system information from intentional or
accidental unauthorized changes.
Confidentiality: assure that unauthorized people cannot access the
Other Concepts in Security
Identification: the means by which users claim their identities to a system.
Used for access control.
Authentication: the testing or reconciliation of evidence of a user's identity.
Accountability: audit trails and logs.
Authorization: the rights and permissions granted to an individual.
Privacy: the level of confidentiality and privacy protection.
Why do we need information classification?
Not all data has the same value to an
Protection and control should be focused on the
information that needs it the most.
Classification can be used to comply with privacy laws, or to
enable regulatory compliance.
In governmental data classification
Unclassified: can be released to public
Sensitive but unclassified: minor secrets; disclosure would not
cause serious damage
Confidential: unauthorized disclosure could cause
Secret: unauthorized disclosure could cause
Top secret: unauthorized disclosure could cause
exceptionally grave damage to national security
In private sector
Public: similar to unclassified
Sensitive: requires a higher level of classification
than normal data
Private: intended for company use only, such as
Confidential: very sensitive data, unauthorized
disclosure could seriously and negatively impact a
The following steps are listed in priority order
1. Identify the administrator/custodian
2. Specify the criteria of how the information will be classified and
3. Classify the data by its owner, who is subject to review by a
4. Specify and document any exceptions to the classification
5. Specify the controls that will be applied to each classification
6. Specify the termination procedures for declassifying the
information or for transferring custody of the information to
7. Create an enterprise awareness program about the
The information owner may be an executive or manager of an
organization, responsible for the information asset that must
be protected. The owner makes the original determination of
what level of classification the information requires, and
delegates the data protection duties to the custodian.
The information custodian is delegated the responsibility of
protecting the information by its owner. This role is
commonly filled by IT systems personnel.
An end user can be anyone (operator, employee, or external
party) who routinely uses the information as part of their job.
Security policies are the basis for a sound
What are policies, standards, guidelines, and
Why do we use policies, standards, guidelines,
What are the common policy types?
Policies are considered the first and highest
level of documentation, from which the lower
level elements of standards, procedures, and
Usually they are general statements.
Senior Management Statement of Policy
General organizational Policies
Mandatory Standards Baselines
Senior Management Statement of Policy
The first policy of any policy creation process
A general, high-level statement which contains
An acknowledgement of the importance of the
computing resources to the business model
A statement of support for information security
throughout the enterprise
A commitment to authorize and manage the definition
of the lower level standards, procedures, and
These are the three elements of policy
implementation, which contain the actual details of
They should be separate documents from the
Standards: specify the use of specific technologies
in a uniform way. Compliance is compulsory.
Guidelines: similar to standards but more flexible;
not compulsory, only recommendations.
Procedures: embody the detailed steps that are
followed to perform a specific task. The lowest level
in the policy chain.
Roles and Responsibilities
Senior Manager: has the ultimate responsibility for security
InfoSec Officer: has the functional responsibility for security
Owner: determines the data classification
Custodian: preserves the information's C.I.A.
User/Operator: performs the stated policies
Auditor: examines security
Risk Analysis and Assessment
Identifying, analyzing and assessing, mitigating, or
What could happen (threat event) ?
If it happened, how bad could it be (threat impact) ?
How often could it happen (threat frequency, annualized) ?
How certain are the answers to the first three questions
(recognition of uncertainty) ?
Risk analysis: the process of analyzing a target environment and the
relationships of its risk-related attributes. It should identify
threats and vulnerabilities, associate these vulnerabilities with
affected assets, identify the potential for and nature of an
undesirable result, and identify and evaluate risk-reducing
Risk assessment: the assignment of value to assets, threat frequency,
consequence, and other elements of chance. The term is used to
characterize both the process and the result of analyzing
and assessing risk.
After risk analysis and assessment, three
What can be done (risk mitigation) ?
How much will it cost (annualized) ?
Is it cost-effective (cost/benefit analysis) ?
It’s essential that the process of analyzing
and assessing risk is well understood by all
parties and executed on a timely basis.
Terms and definitions
Single Loss Expectancy or Exposure (SLE)
The monetary loss for each occurrence of a threatened
SLE = Asset Value x Exposure Factor
Exposure Factor (EF)
Represents the magnitude of loss or impact on the value of
an asset. Expressed as a percentage, from 0 to 100%, of the
asset value lost as the result of a threat
A threat event could be a tornado, theft, or computer virus
Annualized Rate of Occurrence (ARO)
The frequency with which a threat is expected to
occur. E.g., a threat occurring 50 times in a given
year has an ARO of 50, and a threat occurring 1
time in 10 years has an ARO of 0.1.
Annualized Loss Expectancy (ALE)
ALE = SLE x ARO
Asset        Risk    Asset Value   Potential Loss (SLE)   Annualized Frequency (ARO)   Annual Loss (ALE)
Facility     Fire       $560,000               $230,000                         0.25             $57,500
Trade        Stolen      $43,500                $40,000                         0.75             $30,000
File Server  Failed      $11,500                $11,500                         0.50              $5,750
Data         Virus        $8,900                 $6,500                         0.80              $5,200
Customer     Stolen     $323,500               $300,000                         0.65            $195,000
(Annual Loss = SLE x ARO for each row)
Establish Information Risk Management (IRM)
Establish and Fund an IRM Team
Establish IRM Methodology and Tools
Identify and Measure Risk
Risk analysis process
Asset valuation process
Determine the value of an asset
Quantitative risk analysis
Assign independently objective numeric values to the
components of the risk assessment and to the assessment
of potential losses
Qualitative risk analysis
Address intangible values of data loss
Value of safeguard = (ALE before) – (ALE after) – annual cost of the safeguard
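The slide table above and the SLE/ALE definitions can be checked in code. The following Python is an added example written for this page, not part of the COMP4690 slides: it recomputes the Annual Loss column from the table's own figures (recovering EF as SLE divided by asset value, since the table lists SLE rather than EF), then applies the safeguard-value formula to two safeguards. The safeguard annual costs and the post-safeguard EF and ARO figures (a fire-suppression system, an anti-virus control) are constructed assumptions for illustration, not figures from the slides.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example, not part of the COMP4690 slides.  The rows of SLIDE_TABLE are
the slide's own figures; the safeguards evaluated in __main__ are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction (0.0 to 1.0) of AV lost per event
    aro: float              # ARO: expected number of events per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


# Rows of the slide table: (asset, risk, asset value, potential loss = SLE, ARO).
SLIDE_TABLE = [
    ("Facility", "Fire", 560_000, 230_000, 0.25),
    ("Trade", "Stolen", 43_500, 40_000, 0.75),
    ("File Server", "Failed", 11_500, 11_500, 0.5),
    ("Data", "Virus", 8_900, 6_500, 0.8),
    ("Customer", "Stolen", 323_500, 300_000, 0.65),
]


def from_table_row(asset, risk, asset_value, potential_loss, aro) -> Exposure:
    """The table lists SLE, not EF; recover EF = SLE / AV so the object holds
    the primary quantities of the slide definitions.  SLE above AV means a
    data-entry error (EF cannot exceed 100%), so reject it."""
    if not 0 < potential_loss <= asset_value:
        raise ValueError(f"{asset}: SLE must lie between 0 and the asset value")
    return Exposure(asset, risk, asset_value, potential_loss / asset_value, aro)


def annual_loss_table() -> dict:
    """Recompute the Annual Loss column; returns {asset: ALE}."""
    return {row[0]: from_table_row(*row).ale for row in SLIDE_TABLE}


def safeguard_value(ale_before, ale_after, annual_cost) -> float:
    """Value of safeguard = (ALE before) - (ALE after) - annual safeguard cost.
    A positive result means the safeguard is cost-effective."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguard(exp, annual_cost, new_ef=None, new_aro=None):
    """Model a safeguard as lowering EF (less damage per event) and/or ARO
    (fewer events).  Returns (ALE before, ALE after, net annual value)."""
    after = replace(
        exp,
        exposure_factor=exp.exposure_factor if new_ef is None else new_ef,
        aro=exp.aro if new_aro is None else new_aro,
    )
    return exp.ale, after.ale, safeguard_value(exp.ale, after.ale, annual_cost)


if __name__ == "__main__":
    for row in SLIDE_TABLE:
        e = from_table_row(*row)
        print(f"{e.asset:12} {e.threat:7} AV={e.asset_value:>9,.0f} "
              f"EF={e.exposure_factor:.2f} SLE={e.sle:>9,.0f} "
              f"ARO={e.aro:.2f} ALE={e.ale:>9,.0f}")
    # Constructed safeguards (assumptions, not from the slides):
    fire = from_table_row(*SLIDE_TABLE[0])
    # fire suppression: $20,000/year, cuts EF to 10% -> value 23,500 (worth it)
    print(evaluate_safeguard(fire, annual_cost=20_000, new_ef=0.10))
    virus = from_table_row(*SLIDE_TABLE[3])
    # anti-virus control: $6,000/year, cuts ARO to 0.2 -> value -2,100 (not worth it)
    print(evaluate_safeguard(virus, annual_cost=6_000, new_aro=0.2))
```

The two constructed safeguards show the point of the cost/benefit question on the previous slide: a control can reduce loss substantially and still be rejected when its annual cost exceeds the ALE it removes.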
Security Awareness and
People are often the weakest link in a
Employees must be aware of the need to
secure information and to protect the
information assets of an enterprise.
Operators need training in the skills to fulfill
their job functions securely.
Business Continuity Planning
Disaster Recovery Planning
Business Continuity Planning (BCP)
Make the plans and create the framework to ensure that
the business can continue in an emergency. It includes:
Scope and plan initiation
Business impact analysis (BIA)
Business continuity plan development
Disaster Recovery Planning (DRP)
Recover from an emergency with the minimum of impact to
the organization. It includes:
Disaster recovery planning processes
Testing the disaster recovery plan
Disaster recovery procedures
Business Continuity Planning
To prevent interruptions to normal business activity
To protect critical business processes from natural or man-made failures or disasters
To minimize the effect of disturbances and to allow for
resumption of business processes
To reduce the risk of financial loss and enhance a
company’s ability to recover from a disruptive event
To minimize the cost associated with the disruptive event
and mitigate the risk associated with it
Fires, explosions, hazardous material spills of
Earthquakes, storms, floods, and fires due to acts of nature
Power outages or other utility failures
Bombings, sabotage, or other intentional attacks
Strikes and job actions
Employee or operator unavailability due to emergency
evacuation or other issues
Communications infrastructure failures
Scope and Plan Initiation
The first step to create a BCP
Create the scope for the plan, and the other elements
needed to define the parameters of the plan
Examine the company’s operations and support services
Create a detailed account of the work required
List the resources to be used
Define the management practices to be employed
Roles and responsibilities: who does what
Executive management staff: initiates the project, gives final approval,
and gives ongoing support
Senior business unit management: identifies and prioritizes time-critical
BCP committee: directs the planning, implementation, and
Functional business units: participate in implementation and testing
Business Impact Analysis (BIA)
To create a document to be used to help understand what
impact a disruptive event would have on the business
Three primary goals
Criticality prioritization: time-critical vs. non-time-critical
business processes
Downtime estimation: what is the longest period of time a
critical process can remain interrupted before the company
can never recover – maximum tolerable downtime (MTD)
Resource requirements: the most time-sensitive processes
may need the most resource allocation
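A BIA's three goals turn into a concrete schedule check once each process has an MTD and an estimated recovery time. The Python below is an added example, not part of the slides: it orders processes by criticality and MTD (earliest deadline first), simulates recovery with a given number of parallel recovery teams, flags processes whose MTD cannot be met at all, and finds the smallest number of teams that meets every MTD. The process names, MTDs, recovery times and declaration delay are constructed sample values; a real BIA supplies them from the assessment materials.

```python
"""BIA worked example: criticality prioritization, downtime estimation and
resource requirements.  Added example, not from the COMP4690 slides; the
sample processes and hours are constructed."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    mtd_hours: float        # maximum tolerable downtime, from the BIA
    recovery_hours: float   # estimated time to restore it at the alternate site
    time_critical: bool = True


# Constructed sample processes (assumed values, not from the slides).
SAMPLE_PROCESSES = [
    Process("Payroll", mtd_hours=48, recovery_hours=6),
    Process("Transaction processing", mtd_hours=4, recovery_hours=3),
    Process("Accounting", mtd_hours=120, recovery_hours=8, time_critical=False),
    Process("Customer service", mtd_hours=6, recovery_hours=4),
    Process("Purchasing", mtd_hours=24, recovery_hours=5),
]


def prioritize(processes):
    """Criticality prioritization: time-critical processes before
    non-time-critical ones, and within each group the shortest MTD first
    (earliest deadline first)."""
    return sorted(processes, key=lambda p: (not p.time_critical, p.mtd_hours))


def infeasible(processes, declaration_delay=0.0):
    """Processes whose MTD cannot be met even if restored first: the delay
    before the disaster is declared plus their own recovery time already
    exceeds the MTD.  Such findings go back to management, not into a plan."""
    return [p.name for p in processes
            if declaration_delay + p.recovery_hours > p.mtd_hours]


def schedule(processes, teams=1, declaration_delay=0.0):
    """Downtime estimation: restore processes in priority order using `teams`
    parallel recovery teams; each next process goes to the first free team.
    Returns [(name, finish_hour, mtd_met)] in priority order."""
    if teams < 1:
        raise ValueError("need at least one recovery team")
    free_at = [float(declaration_delay)] * teams   # min-heap of team free times
    heapq.heapify(free_at)
    result = []
    for p in prioritize(processes):
        start = heapq.heappop(free_at)
        finish = start + p.recovery_hours
        heapq.heappush(free_at, finish)
        result.append((p.name, finish, finish <= p.mtd_hours))
    return result


def min_teams(processes, declaration_delay=0.0):
    """Resource requirements: the smallest number of parallel recovery teams
    for which every MTD is met, or None if no allocation can meet them."""
    if infeasible(processes, declaration_delay):
        return None
    for k in range(1, len(processes) + 1):
        if all(ok for _, _, ok in schedule(processes, k, declaration_delay)):
            return k
    return None


if __name__ == "__main__":
    for name, finish, ok in schedule(SAMPLE_PROCESSES, teams=1, declaration_delay=1.0):
        print(f"{name:24} restored at hour {finish:5.1f}  {'OK' if ok else 'MTD MISSED'}")
    print("recovery teams needed:", min_teams(SAMPLE_PROCESSES, declaration_delay=1.0))
```

With the sample values and a one-hour declaration delay, a single team restores transaction processing in time but misses customer service by two hours; two teams meet every MTD, which is the kind of resource statement the BIA hands to plan development. Raising the declaration delay to two hours makes transaction processing infeasible regardless of staffing, so the check reports that instead of a team count.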
BCP (II): BIA Steps
Gathering assessment materials
Which business units are critical to continuing an acceptable level of operations
Organizational chart, functional interrelationships of the organization
Performing vulnerability assessment
Quantitative: financial assessment
Incurring financial losses from loss of revenue, capital expenditure, or personal liability
Additional operational expenses incurred due to the disruptive event
Incurring financial losses from violation of contract agreements, violation of regulatory or
Qualitative: operational assessment
Loss of competitive advantage or market share
Loss of public confidence or credibility, or public embarrassment
Define the critical support areas that must be present to sustain continuity of the
Telecommunications, data communications, information technology areas
Physical infrastructure or plant facilities, transportation services
Accounting, payroll, transaction processing, customer service, purchasing
BCP (II): BIA Steps
Analyzing the information
Documenting required processes, identifying interdependencies,
and determining what an acceptable interruption period would be
To describe what support the defined critical areas will require to
preserve the revenue stream and maintain pre-defined processes
Documentation and recommendation
Full documentation of all the processes, procedures, analysis,
and results, and the presentation of recommendations to the
appropriate senior management.
Contain the gathered material, list the identified critical support
areas, summarize the quantitative and qualitative impact
statements, and provide the recommended recovery priorities
generated from the analysis
Business Continuity Plan Development
Use the information collected in BIA to create the recovery
strategy plan to support the critical business functions.
Defining the continuity strategy, which should include the following:
Computing: to preserve the elements of hardware, software,
communication lines, applications, and data
Facilities: to address the use of the main buildings or campus and any
People: operators, management, and technical support personnel will
have defined roles in implementing the continuity strategy
Supplies and equipment: paper, forms, or specialized security
equipment must be defined
Documenting the continuity strategy
Plan Approval and Implementation
Senior management approval
Create an awareness of the plan enterprise-wide
Specific training may be required for certain personnel
to carry out their tasks
Maintenance of the plan
Use job descriptions that centralize responsibility for
Create audit procedures that can report regularly on
the state of the plan
Ensure multiple versions of the plan do not exist
Disaster Recovery Planning
To provide an organized way to make decisions if a
disruptive event occurs
To reduce confusion and enhance the ability of the
organization to deal with the crisis
To protect an organization from major computer services
To minimize the risk to the organization from delays in
To guarantee the reliability of standby systems through
testing and simulation
To minimize the decision-making required by personnel
during a disaster
I. DRP Process
This phase involves the development and creation
of the recovery plans.
Define the steps we will need to perform to protect
the business in the event of an actual disaster.
Data processing continuity planning
Planning for the disaster and creating the plans to cope with
Data recovery plan maintenance
Keeping the plans up-to-date and relevant
Processing Backup Services
Processing backup services are very
important to the disaster recovery plan
Most common alternate processing types
Mutual aid agreements
Other data center backup alternatives
Mutual aid agreements
An arrangement with another company that may have similar
Both parties agree to support each other in the case of a
disruptive event. Assume each organization’s operations area
will have the capacity to support the other’s in time of need.
Allow an organization to obtain a disaster processing site at very
little or no cost.
It is difficult for either party to keep enough unused capacity to
support full operational processing during the event.
What happens if both organizations are affected by a large
Should be considered only if there is a perfect partner, and there
is no other alternative to disaster recovery.
Rely on third-party, commercial services
Three basic forms of subscription services
Hot site: a fully configured computer facility with electrical power and HVAC (heating,
ventilation, air conditioning), and functioning servers and workstations.
24/7 availability, exclusivity of use, immediately available after the disruptive
The most expensive option, with intensive administrative overhead
Cold site: a room with electrical power and HVAC; communications links may be ready.
It is ready for equipment to be brought in during an emergency, but no
computer hardware resides at the site.
Warm site: a cross between a hot site and a cold site. Computer facilities are ready with
electrical power and HVAC, but the applications may not be installed or
configured, and there is no full complement of workstations.
It takes some time and effort to start production processing at the new site.
Multiple centers: the processing is spread over several
Could be owned and managed by the same
organization or used in conjunction with some
sort of reciprocal agreement.
Has the same disadvantage as mutual aid.
Contract with a service bureau to fully provide
all alternate backup processing services
Quick response and availability, possible
Resource contention during a large emergency
Electronic vaulting: the transfer of backup data to an off-site location
Remote journaling: the parallel processing of transactions to an
alternate site. A communications line is used to
transmit live data as it occurs.
Database shadowing: to create even more redundancy by duplicating
the database sets to multiple servers.
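Remote journaling is the one of these techniques that a practitioner can reason about as a protocol: each committed transaction is appended to a durable local journal and shipped over the line to the alternate site, which replays it so that it can take over. The Python below is an added example, not code from the slides: it models both sites in memory with a constructed lossy communications line, numbers journal entries so the alternate site can detect a lost entry and request a resync from the primary's journal, and checksums each entry so a corrupted one is rejected rather than applied. The account keys and values are constructed sample data, and the class and function names are this example's own.

```python
"""Remote journaling worked example.  Added example, not from the COMP4690
slides: an in-memory primary site ships each committed transaction to an
alternate site as it occurs, and the alternate site replays the journal.
The lossy link and the account records are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class JournalEntry:
    seq: int              # monotonically increasing sequence number
    op: str               # "set" or "del"
    key: str
    value: Optional[str]
    digest: str           # SHA-256 over the entry body; detects corruption in transit


def _digest(seq, op, key, value) -> str:
    return hashlib.sha256(json.dumps([seq, op, key, value]).encode()).hexdigest()


def make_entry(seq, op, key, value=None) -> JournalEntry:
    return JournalEntry(seq, op, key, value, _digest(seq, op, key, value))


def entry_intact(e: JournalEntry) -> bool:
    return e.digest == _digest(e.seq, e.op, e.key, e.value)


def apply_entry(state: dict, e: JournalEntry) -> None:
    if e.op == "set":
        state[e.key] = e.value
    elif e.op == "del":
        state.pop(e.key, None)
    else:
        raise ValueError(f"unknown journal op {e.op!r}")


class LossyLink:
    """Constructed communications line: silently drops the sequence numbers
    listed in `drop`, standing in for a line fault mid-transmission."""
    def __init__(self, receiver, drop=()):
        self.receiver, self.drop = receiver, set(drop)

    def send(self, e: JournalEntry) -> None:
        if e.seq not in self.drop:
            self.receiver.receive(e)


class PrimarySite:
    def __init__(self, link):
        self.state, self.journal, self.link = {}, [], link

    def commit(self, op, key, value=None) -> JournalEntry:
        e = make_entry(len(self.journal) + 1, op, key, value)
        apply_entry(self.state, e)
        self.journal.append(e)   # durable local journal, the source of truth for resync
        self.link.send(e)        # remote journaling: transmitted as it occurs
        return e

    def entries_after(self, seq):
        return self.journal[seq:]


class AlternateSite:
    def __init__(self):
        self.state, self.applied_seq, self.pending = {}, 0, {}

    def receive(self, e: JournalEntry) -> None:
        if not entry_intact(e):
            raise ValueError(f"journal entry {e.seq} failed its integrity check")
        if e.seq <= self.applied_seq:
            return                   # duplicate of an entry already applied
        self.pending[e.seq] = e      # hold out-of-order entries until the gap closes
        self._drain()

    def _drain(self) -> None:
        while self.applied_seq + 1 in self.pending:
            e = self.pending.pop(self.applied_seq + 1)
            apply_entry(self.state, e)
            self.applied_seq = e.seq

    def missing(self):
        """Sequence numbers lost between the last applied entry and the newest seen."""
        newest = max(self.pending, default=self.applied_seq)
        return [s for s in range(self.applied_seq + 1, newest) if s not in self.pending]

    def resync(self, primary: PrimarySite) -> None:
        """Ask the primary to replay everything after our last applied entry."""
        for e in primary.entries_after(self.applied_seq):
            self.receive(e)

    def ready_for_failover(self, primary: PrimarySite) -> bool:
        return not self.missing() and self.state == primary.state


if __name__ == "__main__":
    alt = AlternateSite()
    pri = PrimarySite(LossyLink(alt, drop={3}))        # entry 3 will be lost in transit
    pri.commit("set", "acct:1001", "balance=100")
    pri.commit("set", "acct:1002", "balance=250")
    pri.commit("set", "acct:1001", "balance=70")       # seq 3: never arrives
    pri.commit("del", "acct:1002")                      # seq 4: held pending at the alternate
    print("missing:", alt.missing(), "ready:", alt.ready_for_failover(pri))
    alt.resync(pri)
    print("missing:", alt.missing(), "ready:", alt.ready_for_failover(pri))
```

The sequence-number gap is the check that matters operationally: without it the alternate site would apply the deletion of acct:1002 and report itself current while acct:1001 still carries the stale balance, and the discrepancy would only surface after failover. Database shadowing, the third item above, is the same replay fanned out to several receivers; electronic vaulting ships whole backup sets rather than individual entries.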
Disaster Recovery Plan
Disaster recovery plans often get out of date.
Like BCP maintenance
To build maintenance procedures into the
To create audit procedures that can report
regularly on the state of the plan
II. Testing the DRP
Regular disaster recovery drills and tests are
a cornerstone of any disaster recovery plan.
Reasons for testing
Verify the accuracy of the recovery procedures
and identify deficiencies
Prepare and train the personnel to execute their
Verify the processing capability of the alternate
Five Test Types
Checklist test: distribute copies of the plan to each business unit for review, to ensure the plan
addresses all procedures and critical areas of the organization. This is a preliminary
step to a real test.
Structured walk-through test: business unit management representatives meet to walk through the plan, to ensure
that the plan accurately reflects the organization's ability to recover successfully.
Simulation test: all the operational and support personnel expected to perform during an actual
emergency meet in a practice session, to test the ability of the personnel to respond to
a simulated disaster.
Parallel test: a full test of the recovery plan, utilizing all personnel. Critical systems are run at an
Full-interruption test: a disaster is replicated even to the point of ceasing normal production operations. The
plan is totally implemented as if it were a real disaster.
III. Disaster recovery
This part details
what roles various personnel will take on
what tasks must be implemented to recover and
salvage the site
how the company interfaces with external groups
The recovery team
To implement the recovery procedures at the declaration of the
disaster. To get the pre-defined critical business functions
operating at the alternate backup processing site.
The salvage team
To return the primary site to normal processing environmental
conditions. To identify sources of expertise, equipment, and
supplies that can make the return to the site possible.
Normal operations resumption
To return production processing from alternate site to the primary
site with the minimum of disruption and risk
Other recovery issues
Interfacing with external groups; employee relations; fraud and
crime; financial disbursement; media relations