Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study)

downtownbee, Engineering

18 Nov 2013

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study)

Supervisor: Dr. Raymond Choo

Student: Jing Zhang

Presentation outline

Background
Research question
Literature finding
Case study
  Threat landscape
  Risk framework (Case study company)
  Comparison and improvement
Conclusion



Background

Cybercrime influence faced by companies

75 billion USD financial loss each year in the United States

Target: E-commerce, sensitive information

Attack type: E-mail spoofing, phishing, malware installation, etc.

Reason: counterfeit software, employee security awareness, etc.



Research questions

What are the (cyber) threat landscape and the emerging trends and challenges that would have an impact on the China Aerospace Systems Engineering Corporation (Case Study Company)?

What are the limitations of existing information security risk management frameworks and/or how can existing frameworks be adapted in the Case Study Company?



Literature finding

Three international risk management frameworks:

NIST SP 800-30 (National Institute of Standards and Technology), USA

ISO 31000 (International Organization for Standardization), Australia

ENISA (European Network and Information Security Agency), European countries

Literature finding (Cont'd)

Terminology and risk management phases

Phase          NIST SP 800-30              ISO 31000                                 ENISA
First phase    -                           Mandate and commitment;                   Corporate risk management strategy
                                           Design of framework for managing risk
Second phase   Risk assessment;            Implementing risk management              Risk assessment; Risk treatment;
               Risk mitigation                                                       Risk acceptance (optional)
Third phase    Evaluation and assessment   Monitoring and review of the framework;   Monitoring and review
                                           Continual improvement of the framework

Literature finding (Cont'd): NIST SP 800-30 (figure)

Literature finding (Cont'd): ISO 31000 (figure)

Literature finding (Cont'd): ENISA (figure)



Case study: Threat landscape

Phishing: online shopping, ticket selling, travel agencies, Internet banking

Mobile device attacks: stealing e-mail accounts and mobile banking information, unauthorised charging of fees (premium SMS)

Advanced Persistent Threat (APT): enterprise-level attack, more specific target, sensitive information

Case study (Cont'd): Risk framework (Case study company)

Risk management process: risk identification, risk analysis, risk treatment, control implementation, risk monitoring and control improvement, communication

Risk identification:
  Information assets (system, software, hardware, employee and archived data)
  Threat (non-human, human)
  Vulnerability (technical, operational, management)

Risk analysis:
  Likelihood (attraction level of each information asset) and consequence (financial: both information value and recovery cost)

Case study (Cont'd): Risk framework (Case study company)

Risk treatment:
  Control method: risk avoidance, risk transformation, risk minimisation, risk acceptance
  Control category: technical control, operational control, management control
  Cost-benefit analysis: purchase cost, continuing cost, employee training cost

Control implementation:
  Implementation report: timeline, responsibility

Risk monitoring and control improvement:
  New risk treatment plan after review and monitoring

Communication
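The risk analysis on the previous slide (likelihood from the asset's attraction level, consequence as information value plus recovery cost) and the risk treatment and cost-benefit steps on this slide can be carried through as a small worked calculation. The following is an added example, not the case study company's own tool or any of the three frameworks' official method: it scores a constructed asset register, runs the cost-benefit comparison of candidate controls (purchase, continuing and training cost against the risk each removes), picks accept / minimise / avoid-or-transfer per asset, and reports the residual risk that the comparison slide later notes the company framework lacks. The mapping of attraction level directly to annual likelihood, the three-year cost horizon, the acceptance threshold and every asset, figure and control name are assumptions made up for the illustration.

```python
"""Risk analysis, cost-benefit treatment selection and residual risk for a
small information-asset register. Added example with constructed data; not
the case study company's tool. Likelihood = attraction level (assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    category: str             # system / software / hardware / employee / data
    information_value: float  # USD, value of the information held (constructed)
    recovery_cost: float      # USD, cost to restore after an incident (constructed)
    attraction: float         # 0..1, used here as the annual likelihood of an event
    threat: str               # human / non-human
    vulnerability: str        # technical / operational / management

    def consequence(self) -> float:
        """Financial consequence: information value plus recovery cost."""
        return self.information_value + self.recovery_cost

    def inherent_risk(self) -> float:
        """Annual expected loss before treatment: likelihood x consequence."""
        return self.attraction * self.consequence()


@dataclass
class Control:
    name: str
    category: str                # technical / operational / management
    applies_to: frozenset        # asset categories the control protects
    purchase_cost: float         # one-off
    continuing_cost: float       # per year
    training_cost: float         # one-off employee training
    likelihood_reduction: float  # fraction of likelihood removed, 0..1

    def annual_cost(self, horizon_years: int) -> float:
        """One-off costs spread over the planning horizon plus the yearly cost."""
        return (self.purchase_cost + self.training_cost) / horizon_years + self.continuing_cost


def net_benefit(asset: Asset, control: Control, horizon_years: int) -> float:
    """Cost-benefit: annual risk reduction minus annual cost of the control."""
    return asset.inherent_risk() * control.likelihood_reduction - control.annual_cost(horizon_years)


def select_treatment(asset: Asset, controls: List[Control],
                     accept_threshold: float, horizon_years: int = 3) -> Dict:
    """Accept risk under the threshold; otherwise minimise with the control of
    highest positive net benefit; if none pays for itself, flag the asset for
    avoidance or transfer (a management decision, not made by this code)."""
    risk = asset.inherent_risk()
    if risk <= accept_threshold:
        return {"asset": asset.name, "treatment": "accept", "control": None,
                "inherent_risk": risk, "residual_risk": risk}
    best: Optional[Control] = None
    best_net = 0.0  # only controls with positive net benefit are considered
    for c in (c for c in controls if asset.category in c.applies_to):
        nb = net_benefit(asset, c, horizon_years)
        if nb > best_net:
            best, best_net = c, nb
    if best is None:
        return {"asset": asset.name, "treatment": "avoid or transfer", "control": None,
                "inherent_risk": risk, "residual_risk": risk}
    return {"asset": asset.name, "treatment": "minimise", "control": best.name,
            "inherent_risk": risk, "residual_risk": risk * (1.0 - best.likelihood_reduction)}


def treatment_plan(assets: List[Asset], controls: List[Control],
                   accept_threshold: float = 1_000.0, horizon_years: int = 3) -> Tuple[List[Dict], Dict]:
    """Treatment decision per asset plus the total inherent and residual risk."""
    decisions = [select_treatment(a, controls, accept_threshold, horizon_years) for a in assets]
    totals = {"total_inherent": sum(d["inherent_risk"] for d in decisions),
              "total_residual": sum(d["residual_risk"] for d in decisions)}
    return decisions, totals


# Constructed sample register and control catalogue (not real company data).
ASSETS = [
    Asset("Archived design data", "data", 400_000, 100_000, 0.30, "human (APT)", "technical"),
    Asset("Employee e-mail accounts", "employee", 20_000, 5_000, 0.60, "human (phishing)", "operational"),
    Asset("Legacy ticketing system", "system", 50_000, 30_000, 0.20, "human (malware)", "management"),
    Asset("Office printer", "hardware", 500, 1_500, 0.10, "non-human (failure)", "operational"),
]
CONTROLS = [
    Control("Data loss prevention gateway", "technical", frozenset({"data"}), 60_000, 12_000, 3_000, 0.60),
    Control("Network segmentation", "technical", frozenset({"data", "system"}), 30_000, 5_000, 2_000, 0.40),
    Control("Phishing awareness training", "management", frozenset({"employee"}), 0, 2_000, 4_000, 0.50),
    Control("Hardware maintenance contract", "operational", frozenset({"hardware"}), 0, 1_000, 0, 0.50),
]

if __name__ == "__main__":
    plan, totals = treatment_plan(ASSETS, CONTROLS)
    for d in plan:
        print(f"{d['asset']:26} {d['treatment']:18} {str(d['control']):30} "
              f"inherent={d['inherent_risk']:>9,.0f} residual={d['residual_risk']:>9,.0f}")
    print(f"Total inherent {totals['total_inherent']:,.0f} USD/yr, residual {totals['total_residual']:,.0f} USD/yr")
```

With the sample data the archived design data (150,000 USD/yr inherent risk) is minimised with the DLP gateway because its net benefit (57,000 USD/yr) beats segmentation, the e-mail accounts get awareness training, the printer's 200 USD/yr risk is simply accepted, and the legacy ticketing system is flagged for avoidance or transfer because the only applicable control costs more per year than the risk it removes. The residual total (83,700 USD/yr against 181,200 inherent) is the figure a review cycle would compare against the next assessment.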

Case study (Cont'd): Risk framework (Case study company)

Implementation plan: planning and preparation, deployment and implementation, monitoring and improvement

Planning and preparation:
  Obtain support: senior management team, related departments (human, physical, financial and timing support)
  Main processor and responsibility: information security team, IT group, human resources, financial department
  Security control selection and implementation: economic factor, timing factor, technical factor, control implementation plan

Case study (Cont'd): Risk framework (Case study company)

Deployment and implementation:
  Security training: user training, manager training, security staff training

Monitoring and improvement:
  Mitigation plan: internal and external network data exchange policy, security auditing, access control, etc.

Case study (Cont'd): Comparison and improvement

Features missing from the company framework:
  Context establishment (ISO 31000 and ENISA), system characterization (NIST), risk criteria (ISO)
  Motivation analysis (NIST); organisation processor, stakeholder concern and expertise decision, organisation risk attitude and tolerance (ISO 31000, ENISA)
  Cost-benefit (NIST): implementing effect, non-implementing effect, implementing cost
  Positive risk (ENISA)
  Risk assessment and mitigation activity (NIST)
  Residual risk (all three frameworks)


Conclusion

Different perspectives in some fields

Could still be improved

Risk management is vital in organisational activity


Reference

E. G. Amoroso, "Cyber attacks: awareness," Network Security, vol. 2011, pp. 10-16, 2011.

E. E. Anderson and J. Choobineh, "Enterprise information security strategies," Computers & Security, vol. 27, pp. 22-29, 2008.

K. K. R. Choo, "Cyber threat landscape faced by financial and insurance industry," Trends and Issues in Crime and Criminal Justice, no. 408, pp. 1-6, 2011.

B. Kakoli, P. Peter, and K. M. Mykytyn, "A framework for integrated risk management in information technology," Management Decision, vol. 37, no. 5, pp. 437-445, 1999.

M. Burdon, B. Lane, and P. von Nessen, "The mandatory notification of data breaches: Issues arising for Australian and EU legal developments," Computer Law & Security Review, vol. 26, pp. 115-129, 2010.

K. K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers & Security, vol. 30, pp. 719-731, 2011.

G. Locke and P. D. Gallagher, "Guide for applying the risk management framework to federal information systems: a security life cycle approach," NIST Special Publication 800-37, 2010.

Standards Australia and Standards New Zealand, "Risk management," AS/NZS 4360:2004, 2004.

European Network and Information Security Agency (ENISA), "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools," 2006.

G. Stoneburner, A. Goguen, et al., "Risk management guide for information technology systems," NIST Special Publication 800-30, 2002.

Questions?