PACE-IT, Security+ 2.1: Risk Related Concepts (part 1)

Risk related concepts I.

Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University

Qualifications Summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Risk related concepts I.

– Control types.
– Policies for reducing risk.

Control types.

– Management controls.
» Any written policy, procedure, or guideline that is used to help secure network resources against attack or abuse.
» Are often used to define and outline other control types.
» A very broad category of controls that can include security policies, hiring policies, security awareness training, etc.

– Technical controls.
» The security measures used in controlling access to any particular resource that is available on the network.
• Can include physical controls used to limit physical access to networking equipment (e.g., locked server rooms).
» Examples include encryption, firewalls, passwords, etc.

– Operational controls.
» The procedures that are put in place to help ensure that day-to-day operations can continue, even after a risk event has happened.
» Examples include network redundancies, hot and cold site maintenance, backup procedures, etc.

Policies for reducing risk.

Any policy that is used to help secure the workplace, and/or a company's data and networks, is by default a security policy.

Security policies document or outline what is allowed or not allowed to occur on the network from a security point of view. They are usually crafted at the upper layers of management with the help of knowledgeable IT personnel.

Security policies give administrators the authority to put into place measures to protect the security of the network. In many cases, they also give administrators the authority to enforce the policies that lead to a hardened network.


– Privacy policy.
» A policy that is used to educate employees and customers on information collection practices.
• Why information is collected.
• What information is collected.
• When information is collected.
• How information may be used.
» Many businesses now publish their privacy policies.
• In some cases, privacy policies may be regulated (e.g., HIPAA).

– Acceptable use policy (AUP).
» A policy that documents what a company considers to be acceptable use of its IT assets. It may contain several sub-policies.
• Acceptable use of the Internet.
• Acceptable use of email.
• Acceptable use of laptops.
• Acceptable use of mobile devices.


While outside threats may be difficult to deal with, insider threats may be more dangerous to a network.

It has been estimated that up to 80 percent of all data breaches can be traced back to a failure of security measures from within the network itself. Sometimes the breaches occur by mistake, but all too often they are intentional. This implies that the greatest security threats are the people who have already been given access to the network. Policies and procedures can be put in place to reduce the risks that are associated with internal employees.


– Least privilege.
» Administrators grant only the minimum network privileges (access to network resources) required to get the job done.
• Helps to minimize risk when an account gets compromised, or in cases of malicious network users.

– Separation of duties.
» Critical jobs are separated into different tasks, with users only authorized to perform one of the tasks.
• Helps to minimize the damage that can occur from fraudulent employee activities (e.g., the person who writes the checks isn't allowed to sign the checks, the person authorized to sign the checks isn't authorized to balance the accounts, and a third person who can't write or sign checks is responsible for balancing the accounts).
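Least privilege and separation of duties are only as good as the periodic review that catches drift: a user who accumulates roles over time, or who keeps a privilege that was granted once and never used. The following script is an added example, not part of the PACE-IT slides, of how an entitlement review can check both principles at once. The check-writing roles follow the slide's example; the role/permission matrix, the user list, the access log, and the deploy/approve toxic pair are all constructed sample data.

```python
"""Entitlement review: flags separation-of-duties conflicts and permissions
that were granted but never exercised (least-privilege drift).

Added example, not part of the PACE-IT slides. The cheque-handling roles
follow the slide's example; the role/permission matrix, the user list and the
access log below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Pairs of permissions that one identity must never hold together. The three
# cheque pairs come from the slide; the deploy/approve pair is an assumed IT
# equivalent (whoever approves a change should not be the one who ships it).
TOXIC_PAIRS = {
    frozenset({"write_check", "sign_check"}),
    frozenset({"sign_check", "reconcile_accounts"}),
    frozenset({"write_check", "reconcile_accounts"}),
    frozenset({"deploy_prod", "approve_change"}),
}

# Constructed role -> permission matrix. A user's effective permissions are the
# union over every role held, which is where conflicts usually creep in.
ROLE_PERMS = {
    "ap_clerk":    {"write_check", "view_ledger"},
    "controller":  {"sign_check", "view_ledger"},
    "auditor":     {"reconcile_accounts", "view_ledger"},
    "dev":         {"deploy_staging", "read_repo"},
    "release_mgr": {"deploy_prod", "read_repo"},
    "cab_member":  {"approve_change"},
}

# Constructed users. dave and erin have accumulated conflicting roles.
SAMPLE_USERS = {
    "alice": ["ap_clerk"],
    "bob":   ["controller"],
    "carol": ["auditor"],
    "dave":  ["ap_clerk", "controller"],
    "erin":  ["dev", "release_mgr", "cab_member"],
}

NOW = datetime(2024, 6, 30)

# Constructed access log: (timestamp, user, permission exercised).
SAMPLE_LOG = [
    (datetime(2024, 6, 25), "alice", "write_check"),
    (datetime(2024, 6, 1),  "alice", "view_ledger"),
    (datetime(2024, 3, 1),  "bob",   "sign_check"),    # outside the 90-day window
    (datetime(2024, 6, 20), "bob",   "view_ledger"),
    (datetime(2024, 6, 28), "carol", "reconcile_accounts"),
    (datetime(2024, 6, 28), "carol", "view_ledger"),
    (datetime(2024, 6, 27), "dave",  "write_check"),
    (datetime(2024, 6, 27), "dave",  "view_ledger"),
    (datetime(2024, 6, 29), "erin",  "deploy_staging"),
    (datetime(2024, 6, 29), "erin",  "read_repo"),
]


def effective_permissions(roles, role_perms=ROLE_PERMS):
    """Union of the permissions granted by every role in `roles`."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles, toxic_pairs=TOXIC_PAIRS):
    """Map each user to the sorted list of toxic pairs fully covered by their
    effective permissions. Users with no conflict are omitted."""
    result = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms)
        if hits:
            result[user] = hits
    return result


def unused_permissions(user_roles, access_log, now=NOW, window_days=90):
    """Least-privilege review: permissions a user holds but has not exercised
    within `window_days`. Each entry is a candidate for revocation."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, user, perm in access_log:
        if ts >= cutoff:
            used[user].add(perm)
    result = {}
    for user, roles in user_roles.items():
        stale = sorted(effective_permissions(roles) - used[user])
        if stale:
            result[user] = stale
    return result


def review(user_roles=SAMPLE_USERS, access_log=SAMPLE_LOG, now=NOW):
    """Run both checks; returns the findings as plain dicts for reporting."""
    return {
        "sod": sod_violations(user_roles),
        "unused": unused_permissions(user_roles, access_log, now),
    }


if __name__ == "__main__":
    findings = review()
    for user, pairs in findings["sod"].items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, perms in findings["unused"].items():
        print(f"Least privilege: {user} has not used {perms} in 90 days")
```

Running the script on the sample data reports dave (can both write and sign cheques) and erin (can both approve and deploy a change) as separation-of-duties conflicts, and flags bob's sign_check, dave's sign_check, and erin's deploy_prod and approve_change as unused for 90 days. Note that dave's conflicting permission is also dormant, so a single revocation fixes both findings; in practice the two checks are run together for exactly that reason.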


– Mandatory vacations.
» All employees should be required to take vacations.
• Can lead to a reduction in the threat level from fraudulent employee actions. Employees know that someone else will be performing their duties in their absence and may discover any irregularities.

– Job rotation.
» Mandatory job rotation requires that employees change job duties on a regular basis.
• Can lead to a reduction in the risk of fraudulent activities, and has the added benefit of cross-training employees.

What was covered.

Topic: Control types.
Summary: Management controls include any written policy or procedure used to help secure company assets; they are often used to outline other control types. Technical controls are measures taken to secure access to a particular network resource (e.g., encryption or firewalls); they may also include physical access (e.g., door locks). Operational controls are measures taken to ensure the continued operation of day-to-day activities after a risk event has occurred (e.g., backups or redundant equipment).

Topic: Policies for reducing risk.
Summary: Any policy that is used to reduce risk can be considered a security policy. Privacy policies are used to inform users and customers about data collection, use, and retention. In some cases, privacy policies are regulated by law. AUPs are used to inform employees about what the company considers to be acceptable use of company IT assets. Up to 80 percent of security breaches can be attributed to internal causes. Because of this, some policies are put in place to reduce that risk. These policies may include: least privilege, separation of duties, mandatory vacations, and job rotation.

THANK YOU!

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those who are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.