| theft of personal information, and its subsequent use in identity theft, caused by the theft of the laptop | insurance | Possible | Major | Extreme |

Given the very high reported rate of laptop theft (e.g. the 2006 CSI/FBI survey shows 47% of respondents suffered from this), if the data stored on the laptop is not encrypted (as is still common), then the chance of it being accessed and used in identity theft is possible, depending on the motivations and skills of the thief. Hence assume a likelihood rating of possible for this specific threat. A number of large government departments and agencies have been embarrassed, and have suffered significant financial penalties, as a result of such a theft in recent years. Hence assume a consequence of major. Changing these assumptions will change the ratings.
16.7 Some threats that a small public service agency is exposed to can include, from [NIST02] Table 3-1, human threats such as: insiders: unauthorized system access, sale of personal information, fraud and theft, input of falsified or corrupted data, or system sabotage; hackers and computer criminals: hacking, social engineering, system intrusion, unauthorized system access; terrorists: bomb/terrorism, system attack, penetration or tampering. As well, the general natural threats (fire, flood, storm etc.) and environmental threats (power failure, pollution etc.) should be considered. Many of the threats listed in [HB231] Appendix A are also applicable. In addition to those listed from [NIST02], one could also include industrial action, failure of water supply, failure of air conditioning, hardware failures, operational staff error, and software failure.

16.8 [NIST02] Tables 3-4 to 3-7 use a 3-level scale of high/medium/low for each of likelihood, consequence and risk, while our Tables 16.2 to 16.4 use 5, 6, and 4 levels respectively. This means that assessments using our ratings can use a finer level of granularity, and potentially better separate different asset/threat items, than assessments done using the NIST tables. However, having a greater number of levels means that it can be harder to determine the most appropriate rating (although some small changes in the likelihood or consequence rating do not alter the final resultant risk level).
ANSWERS TO QUESTIONS

17.1 Security controls or safeguards are practices, procedures or mechanisms that may protect against a threat, reduce a vulnerability, limit the impact of an unwanted incident, or detect unwanted incidents and facilitate recovery.

17.2 The three broad classes of controls are: management controls: focus on security policies, planning, guidelines and standards, which then influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission; operational controls: address the correct implementation and use of security policies and standards, ensuring consistency in security operations, and correcting identified operational deficiencies; and technical controls: involve the correct use of hardware and software security capabilities in systems. In turn, each of these control classes may include: supportive controls: pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls; preventative controls: focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability; and detection and recovery controls: focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability, and by providing means to restore the resulting lost computing resources.

17.3 To list a specific example of each of the three broad classes of controls from those given in Table 17.3, first use Table 17.1, which classifies the control families into the relevant class, then select any suitable entry from a suitable control family in Table 17.3 for each. If further details are wanted, consult [NIST05] for detailed information on each item.

17.4 The steps [NIST02] specifies for selecting and implementing controls are shown in Figure 17.1 and include: prioritize actions, evaluate recommended control options,