Performing Effective Risk Assessments Dos and Don ts
|
|
- Mitchell Paul
- 8 years ago
- Views:
Transcription
1 Performing Effective Risk Assessments Dos and Don ts % Gary Braglia Security Specialist GreyCastle Security TCTC March 18, 2013
2 Introduction
3 Who am I?
4
5
6
7
8 Why Risk Management?
9 Because you have to
10 Because you can t be secure Copyright DC Comics All Rights Reserved
11 Because people are not awesome Copyright Universal Pictures All Rights Reserved
12 [not awesome] [not awesome]
13 Show Me This Thing You Call Risk Management
14 Risk Management 101 the total process of identifying, controlling and mitigating information system-related risks * * National Institute of Standards in Technology (NIST) SP800-30
15 Risk Management 101 Risk Assessment Risk Mitigation Evaluation and Assessment
16 Risk Management 101 Focuses on: Confidentiality Integrity Availability Qualitative or Quantitative Balances risk, effort and costs Don t build a $200 fence around a $20 horse
17 Take a Deep breath.
18 Risk Management 101 Impact Probability Low (10) Medium (50) High (100) High (1.0) Low 10 x 1 = 10 Medium 50 x 1 = 50 High 100 x 1 = 100 Medium (0.5) Low 10 x.5 = 5 Medium 50 x.5 = 25 Medium 100 x.5 = 50 Low (0.1) Low 10 x.1 = 1 Low 50 x.1 = 5 Low 100 x.1 = 10
19 Must. Resist. Temptation.
20 Risk Assessment
21 Risk Assessment 1 st process in Risk Management Used to determine potential threats and associated risk Output of this process is used to determine appropriate controls to reduce risk
22 Step 1 System Characterization Characterize system boundaries, criticality and sensitivity based on: Hardware Software Interfaces and integrations People Mission System and data criticality System and data sensitivity
23 Step 2 Threat Identification Identify threats to organizational systems based on: Security violations Incident Management External intelligence Media Classify threats as: Natural Environmental Human
24 You
25 [not awesome]
26 Step 3 Vulnerability Identification Identify vulnerabilities based on: Vulnerability scans Penetration tests Audits Vulnerability lists and advisories Standards Generate list of Vulnerability/Threat pairs Exploits
27 Step 3 Vulnerability Identification Threat Vulnerability Exploit Terminated Employees Fire or Negligent Employees User accounts for terminated employees that are left enabled Fire suppression controls for data center left in uncontrolled areas Terminated employees gain access confidential information Data center fire suppression controls are activated accidentally or maliciously Unauthorized Users Unprotected confidential documents Confidential information is exfiltrated
28 QUIZ Pairing up Threats with Vulnerabilities leads to identifying.what? 1. Exploits
29 Step 4 Control Analysis Analyze the controls that have been implemented, or are planned for implementation that will minimize or eliminate the likelihood of a threat s exercising a system vulnerability Identify: Technical controls Non-technical controls Identify: Preventative controls Detective controls Corrective controls
30 FAIL
31 FAIL
32 FAIL
33 FAIL
34 Step 5 Likelihood Determination Determine the overall likelihood that a vulnerability will be exercised, based on: Threat-source motivation and capability Existence and effectiveness of controls All other factors
35
36 Step 5 Likelihood Determination Level High Medium Definition The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability Low The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
37 Determining Risk
38 Step 6 Impact Analysis Determine the adverse impact of the exercising of a vulnerability, based on: Loss of (C)onfidentiality Unauthorized, unintentional or unanticipated disclosure of confidential information could result in fines, degradation of reputation, loss of public confidence, embarrassment or legal action Loss of (I)ntegrity Unauthorized, unintentional or unanticipated changes to systems can result in errors, fraud or corruption Loss of (A)vailability Loss of system functionality can result in operational inefficiencies and loss of productive time Occurrences of all jeopardize the organization s mission
39 Step 6 Impact Analysis Level High Medium Low Definition Exercise of the vulnerability (1) may result in the highly costly loss of tangible assets or resources; (2) may significantly violate, harm or impede the organization s mission, reputation, or interest; or(3) may result in human death or serious injury Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede the organization s mission, reputation or interest; or (3) may result in human injury Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect the organization s mission, reputation or interest
40 QUIZ How do we completely eliminate risk? 1. We don t!
41 Step 7 Risk Determination Determine the risk for each threat/vulnerability pair, based on: The likelihood of a given threat-source s attempting to exercise a given vulnerability The magnitude of the impact should a threat-source exercise the vulnerability The adequacy of planned or existing security controls for reducing or eliminating risk
42 Step 7 Risk Determination R i = P i (I i ) R = P i (I i )
43 Step 7 Risk Determination Impact Probability Low (10) Medium (50) High (100) High (1.0) Low 10 x 1 = 10 Medium 50 x 1 = 50 High 100 x 1 = 100 Medium (0.5) Low 10 x.5 = 5 Medium 50 x.5 = 25 Medium 100 x.5 = 50 Low (0.1) Low 10 x.1 = 1 Low 50 x.1 = 5 Low 100 x.1 = 10
44 Step 7 Risk Determination Risk levels are defined as the following: High There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible Medium Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time Low The system s DAA (Designated Approving Authority) must determine whether corrective actions are still required or decide to accept the risk
45 Step 8 Control Recommendations Recommend controls to reduce risk to an acceptable level, based on: Cost-benefit analysis Feasibility Legislation and regulation Organizational policy Operational impact Safety and reliability
46 RISK vs. REWARD
47 Step 9 Results Documentation Produce a management-level report that helps senior management make decisions on budget, process and control recommendations Control recommendations could include changes to: Policy Procedure Personnel Facilities
48 Risk Mitigation
49 Risk Mitigation prioritizing, evaluating and implementing the appropriate riskreducing controls recommended from the risk assessment process * * National Institute of Standards in Technology (NIST) SP800-30
50 Risk Mitigation
51 Risk Mitigation Controls categories include: People Process Technology Risk Mitigation options include: Limitation (fix, modification) Avoidance (remove, eliminate) Transference Assumption Planning (defer)
52 Risk Mitigation Step 1 Prioritize Actions Prioritize control implementation evaluations based on the risk levels presented in the Risk Assessment Resources and priority should be given to High-level risks Step 2 Evaluate Recommended Control Options Analyze the feasibility and effectiveness of the recommended controls Step 3 Conduct Cost-Benefit Analysis Step 4 Select Controls
53 Risk Mitigation Step 5 Assign Responsibility Assign implementation responsibility to resources with the appropriate expertise and experience Step 6 Develop Safeguard Implementation Plan Document the plan for implementing the selected controls, documenting all previously defined criteria, resources, actions, priorities, schedules and requirements Step 7 Implement Controls Implement selected controls and determine residual risk
54 Risk Management Demo
55 Evaluation and Assessment
56 Evaluation and Assessment emphasizes the good practice and need for ongoing risk evaluation and assessment and the factors that will lead to a successful Risk Management program * * National Institute of Standards in Technology (NIST) SP800-30
57 Evaluation and Assessment Risk Management is continuous process Risk Assessment should be considered whenever changes occur in: Hardware, software or technology infrastructure Executive leadership or other key personnel Organizational mission Competitors or market factors Physical facilities, locations Environmental factors Finances Risk appetite
58 QUIZ According to Capt. Kirk - what is our business? 1. RISK!!!
59 Final Thoughts
60 Focus on data
61 and all other assets
62 Leverage your metrics
63
NIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationProperty of NBC Universal
Property of NBC Universal NERC CIP 5 milestones. Source: EnergySec Standard CIP-002-5.1 CIP-003-5 CIP-004-5.1 CIP-005-5 CIP-006-5 CIP-007-5 CIP-008-5 CIP-009-5 CIP-010-1 CIP-011-1 CIP-014-1 Title
More informationRisk Management Guide for Information Technology Systems. NIST SP800-30 Overview
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
More informationRiskManagement ESIEE 06/03/2012. Aloysius John March 2012
RiskManagement MOTIS ESIEE 06/03/2012 Aloysius John March 2012 Risk Management is a Introduction Process for Project manager to identify factors that may more or less affect the success or the achievement
More informationISSN: 2321-7782 (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies
ISSN: 2321-7782 (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies Research Article / Survey Paper / Case Study Available online
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationUF Risk IT Assessment Guidelines
Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an
More informationHIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationCMS Information Security Risk Assessment (RA) Methodology
DEPARTMENT OF HEALTH & HUMAN SERVICES Centers for Medicare & Medicaid Services 7500 Security Boulevard, Mail Stop N2-14-26 Baltimore, Maryland 21244-1850 CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS)
More informationWhat is required of a compliant Risk Assessment?
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
More informationAutomated Risk Management Using SCAP Vulnerability Scanners
Automated Risk Management Using SCAP Vulnerability Scanners The management of risks to the security and availability of private information is a key element of privacy legislation under the Federal Information
More informationARCHIVED PUBLICATION
ARCHIVED PUBLICATION The attached publication, NIST Special Publication 800-30 (dated July 2002), has been superseded and is provided here only for historical purposes. For the most current revision of
More informationISMS Implementation Guide
atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation
More informationGuidance on Risk Analysis Requirements under the HIPAA Security Rule
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
More informationSecurity Risk Management - Approaches and Methodology
228 Informatica Economică vol. 15, no. 1/2011 Security Risk Management - Approaches and Methodology Elena Ramona STROIE, Alina Cristina RUSU Academy of Economic Studies, Bucharest, Romania ramona.stroie@gmail.com,
More informationRisk Assessment Guide
KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment
More informationRisk Management Guide for Information Technology Systems
Special Publication 800-30 Rev A Risk Management Guide for Information Technology Systems Recommendations of the National Institute of Standards and Technology Gary Stoneburner, Alice Goguen, and Alexis
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored
More informationRisk Management Guide for Information Technology Systems
Special Publication 800-30 Risk Management Guide for Information Technology Systems Recommendations of the National Institute of Standards and Technology Gary Stoneburner, Alice Goguen, and Alexis Feringa
More informationAutomated Risk Management Using NIST Standards
Automated Risk Management Using NIST Standards The management of risks to the security and availability of private information is a key element of privacy legislation under the Federal Information Security
More informationAPPLICATION THREAT MODELING
APPLICATION THREAT MODELING APPENDIX PROCESS FOR ATTACK SIMULATION AND THREAT ANALYSIS Marco M. Morana WILEY Copyrighted material Not for distribution 1 2 Contents Appendix process for attack simulation
More informationHIPAA Security Risk Analysis and Risk Management Methodology with Step-by-Step Instructions
HIPAA Security Risk Analysis and Risk Management Methodology with Step-by-Step Instructions Bob Chaput, MA, CHP, CHSS, MCSE 1 Table of Contents Table of Contents... 2 Introduction... 3 Regulatory Requirement...
More informationA Structured Comparison of Security Standards
A Structured Comparison of Security Standards Kristian Beckers 1, Isabelle Côté 3, Stefan Fenz 2, Denis Hatebur 1,3, and Maritta Heisel 1 1 paluno - The Ruhr Institute for Software Technology - University
More informationUoB Risk Assessment Methodology
[Type here] UoB Risk Assessment Methodology The Risk Assessment Methodology describes how information security risk will be managed, including guidance for assessing, scoring, choosing acceptance or treatment
More informationSecurity Risk Assessment Process for UAS in the NAS CNPC Architecture
NASA/TM 2013-216532 Security Risk Assessment Process for UAS in the NAS CNPC Architecture Dennis C. Iannicca Glenn Research Center, Cleveland, Ohio Daniel P. Young DB Consulting Group, Inc., Cleveland,
More informationE Governance Security Standards Framework:
Version: 1.0 January, 2010 E Governance Security Standards Framework: An Approach Paper Government of India Department of Information Technology Ministry of Communications and Information Technology New
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationInformation Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
More informationSAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
More informationInformation security risk management using ISO/IEC 27005:2008
Information security risk management using ISO/IEC 27005:2008 Hervé Cholez / Sébastien Pineau Centre de Recherche Public Henri Tudor herve.cholez@tudor.lu sebastien.pineau@tudor.lu March, 29 th 2011 1
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationITIL and Business Continuity (Service Perspective)
(Service Perspective) Hepix 2012 Conference Prague, 23-27 April 2012 Patricia Méndez Lorenzo, Mats Moller On behalf of the (IT&GS) Service Management team Outlook ITIL Principles Risk Management in ITIL
More informationSEC s Cybersecurity Risk Alert Part 2 of 3
SEC s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O Connor Davies, LLP Timothy M. Simons,
More informationGuide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationHIPAA Security Rule Changes and Impacts
HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.
More informationRISK ASSESSMENT GUIDELINES
RISK ASSESSMENT GUIDELINES A Risk Assessment is a business tool used to gauge risks to the business and to assist in safeguarding against that risk by developing countermeasures and mitigation strategies.
More informationHandbook for Information Technology Security Risk Assessment Procedures
ADMINISTRATIVE COMMUNICATIONS SYSTEM U.S. DEPARTMENT OF EDUCATION Handbook OCIO-07 Page 1 of 72 (01/13/2004) Distribution: Approved by: /s/ All Department of Education Employees William J. Leidinger Assistant
More informationLegislative Language
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
More informationTom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh
Effectively Completing and Documenting a Risk Analysis Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS Session Objectives Identify the difference between risk analysis and risk assessment
More informationa Medical Device Privacy Consortium White Paper
a Medical Device Privacy Consortium White Paper Introduction The Medical Device Privacy Consortium (MDPC) is a group of leading companies addressing health privacy and security issues affecting the medical
More informationUF IT Risk Assessment Standard
UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved
More informationDETAILED RISK ASSESSMENT REPORT
DETAILED RISK ASSESSMENT REPORT Executive Summary During the period June 1, 2004 to June 16, 2004 a detailed information security risk assessment was performed on the Department of Motor Vehicle s Motor
More informationWhite Paper Strengthening Information Assurance in Healthcare
White Paper Strengthening Information Assurance in Healthcare Date: April, 2011 Provided by: Concurrent Technologies Corporation (CTC) 100 CTC Drive Johnstown, PA 15904-1935 wwwctccom Business Point of
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationISO 27000 Information Security Management Systems Foundation
ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality
More informationMAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0
MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:
More informationTABLE OF CONTENTS INTRODUCTION... 1
TABLE OF CONTENTS INTRODUCTION... 1 Overview...1 Coordination with GLBA Section 501(b)...2 Security Objectives...2 Regulatory Guidance, Resources, and Standards...3 SECURITY PROCESS... 4 Overview...4 Governance...5
More informationPROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191
Interim Techlogy Performance Report 1 PROJECT BOEING SGS Contract ID: DE-OE0000191 Project Type: Revision: V2 Company Name: The Boeing Company December 10, 2012 1 Interim Techlogy Performance Report 1
More informationComputer Security Lecture 13
Computer Security Lecture 13 Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden Security Management
More informationQUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT
QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT Rok Bojanc ZZI d.o.o. rok.bojanc@zzi.si Abstract: The paper presents a mathematical model to improve our knowledge of information security and
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationsecurity policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.
Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationDeveloping an Effective Enterprise Risk Management Program
Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationBreakthrough Cyber Security Strategies. Introducing Honeywell Risk Manager
Breakthrough Cyber Security Strategies Introducing Honeywell Risk Manager About the Presenter Eric D. Knapp @ericdknapp Global Director of Cyber Security Solutions and Technology for Honeywell Process
More informationWhite Paper An Enterprise Security Program and Architecture to Support Business Drivers
White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security
More informationRisk Analysis and Risk Management
SECURITY MANAGEMENT PRACTICES Risk Analysis and Risk Thomas R. Peltier Risk management is the process that allows business managers to balance operational and economic costs of protective measures and
More informationIntroduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec
Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing
More informationEnterprise Risk Management
Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's
More informationINFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
More informationInformation Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
More informationGuideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP 800-60 AP-2/03-1
Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP 800-60 FISMA Legislation Overview (Public Law 107-347) Framework for ensuring effectiveness of Federal
More informationData Privacy and Gramm- Leach-Bliley Act Section 501(b)
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
More informationSECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL
SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationSecurity Update and Risk Assessment
Security Update and Risk Assessment Mingchao Ma STFC RAL, UK HEPSYSMAN Workshop 22 nd November 2010 Security Update Risk Assessment Discussion Overview Security Update Operational Security Procedures Security
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationSecurity Risk Assessment
Security Risk Assessment Applied Risk Management July 2002 What is Risk? Risk is: Something that creates a hazard A cost of doing business Risk can never be eliminated, merely reduced to an acceptable
More informationChapter 4 Information Security Program Development
Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.
More informationRisk Assessment & Enterprise Risk Management
Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less
More informationAssessing Risk for Fun and Profit. What is risk assessment? Vulnerability Scanning Penetration testing Security reviews. What is NOT risk assessment?
Assessing Risk for Fun and Profit Presented by: David Seidl, CISSP 1 What is risk assessment? In terms of this presentation, Risk assessment is the process of enumerating risks, determining their classifications,
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More informationDIVISION OF INFORMATION SECURITY (DIS)
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
More informationRisk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.
Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C. Burget September 14, 2014 1 Agenda Information Assurance
More informationREVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Inquiries about this report may be addressed
More informationIT Security Management Risk Analysis and Controls
IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent
More informationIFAD Policy on Enterprise Risk Management
Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008
More informationOverview 1. Coordination with GLBA Section 501(b) 1. Security Objectives 2. Regulatory Guidance, Resources, and Standards 2. Overview 3.
Table of Contents Introduction 1 Overview 1 Coordination with GLBA Section 501(b) 1 Security Objectives 2 Regulatory Guidance, Resources, and Standards 2 Security Process 3 Overview 3 Governance 4 Management
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.
More informationFundamentals of Laboratory Biosecurity and Biosafety Risk Assessments
Fundamentals of Laboratory Biosecurity and Biosafety Risk Assessments Conceptual Considerations ABSA 22 October 2008, Reno Dr. Morten Bremer Mærli, Ronald Barø, Alexander Flesjø Christiansen, Dr. Stephen
More informationRecall the Security Life Cycle
Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena Recall the Security Life Cycle Threats Policy Specification Design Implementation Operation and Maintenance So far what we have learnt
More informationNational Information Assurance Certification and Accreditation Process (NIACAP)
NSTISSI No. 1000 April 2000 National Information Assurance Certification and Accreditation Process (NIACAP) THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER INFORMATION MAY BE REQUIRED BY YOUR DEPARTMENT
More informationCORE Security and GLBA
CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com
More informationMinimum Security Requirements for Federal Information and Information Systems
FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory
More informationInformation Security Awareness Training
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
More informationPRIORITIZING CYBERSECURITY
April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies
More informationUTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter
Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History
More informationSecurity Defense Strategy Basics
Security Defense Strategy Basics Joseph E. Cannon, PhD Professor of Computer and Information Sciences Harrisburg University of Science and Technology Only two things in the water after dark. Gators and
More informationState of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013
State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
More informationStrategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager
Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationFINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012. Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund
FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012 Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund There are different risk assessments prepared: Annual risk assessment
More informationSECURITY RISK ANALYSIS AND MANAGEMENT
SECURITY RISK ANALYSIS AND MANAGEMENT Copyright 1998 Countermeasures, Inc Risk Analysis helps establish a good security posture; Risk Management
More informationAviation Safety Policy. Aviation Safety (AVS) Safety Management System Requirements
Aviation Safety Policy ORDER VS 8000.367A Effective Date: 11/30/2012 SUBJ: Aviation Safety (AVS) Safety Management System Requirements 1. This order provides requirements to be met by AVS and AVS services/offices
More information