2 Introduction Risk management is the process of selecting and implementing countermeasures to achieve an acceptable level of risk at an acceptable cost. The analytical risk management (ARM) process outlined in the annex can be tailored and applied to any organization or assessment. The process includes the following activities: Process Assets Threat Vulnerabilities Risks Determine Countermeasure Options Make Decisions The process begins with an assessment of the value of the information, the degree of a specific threat, and extent of the vulnerability. These three factors determine risk. A decision is then made as to what level of risk can be accepted and which countermeasures should be applied. Such a decision involves a cost-benefit analysis, giving decision makers the ability to weigh varying risk levels against the cost of a specific countermeasure. - Quotation taken from: The Diplomatic Security Risk Management Policy This appendix describes in detail the analytical risk management process utilized by the IOVAD. The process consists of five steps that result in the identification of risk associated with a vulnerability and effective countermeasures that a commander can apply to mitigate the risk. Outline of Analytical Risk Management Steps Determine critical information requiring protection. Identify undesirable events and expected impacts Value/prioritize information based on consequence of loss
3 Step 1. Identify assets and loss impacts Step one starts in the planning phase and continues into the execution phase. Hopefully the critical information and undesirable events can be identified during planning most likely the commander and staff will identify them during the execution phase. Step 2. Identify and characterize the threat Identify threat categories and potential adversaries intent and motivation of adversary capability of adversary Determine frequency of threat-related incidents Estimate degree of threat relative to each item of critical information and undesirable event Step 2 begins in the planning phase with the formal request for a threat Identify potential vulnerabilities related to specific information and undesirable events Identify existing countermeasures and their level of effectiveness Estimate the degree of vulnerability relative to each asset and threat assessment through the LIWA IT&S Division. Many times detailed threat information is not available and a generalized threat definition and rating has to be used. Step 3. Identify and analyze vulnerabilities The data collected during the execution phase identifies the vulnerabilities associated with the units Information Operations. Step 4. risk
4 Estimate degree of impact relative to each critical asset Estimate likelihood of attack by a potential adversary/threat Estimate the likelihood that a specific vulnerability will be exploited. Determine your relative degree of risk Prioritize risks based in integrated assessment A preliminary assessment is completed in the execution phase and included in the commanders out-briefing. The assessment is then reviewed and finalized ad included in the final written report submitted to the assessed unit. Step 5. Identify countermeasure, costs, and tradeoffs Identify potential countermeasures to reduce vulnerabilities Identify countermeasure capability and effectiveness Identify countermeasure cost Conduct countermeasure cost-benefit and trade-off analysis Prioritize options and prepare recommendations for the commander The completed risk assessment submitted with the final report includes mitigation techniques for the unit to implement. Definition of Key Terms Assets Command & Control Systems Operational Activities Undesirable Impact Identifies the undesirable event and the expected impact to the information and overall operation. The narrative explanation clearly states what the undesirable event and defines the levels of impact.
5 Threat. Threat can be defined as any indication, circumstance, or event with the potential to cause loss, or damage to an asset. It can also be defined as the intention or capability of an adversary to undertake actions that would be detrimental to critical assets. Threat is an attribute of an adversary. The threat may be specifically identified or categorized in general such as; Foreign Intelligence Service, Terrorist, Insider, Criminal, Foreign Military, Political, or other. Environmental condition (Natural Disaster) is an example of other. The definition identifies the threat s existence, capability, intent, and probability of action against the asset. Adversary Is an individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to critical assets. These include intelligence services of the host nation or third party nations, political or terrorist groups, criminal and hacker groups, and private interests. Vulnerability. Vulnerability ratings describe the severity of the vulnerability. The vulnerability can be specifically identified or stated in general terms, i.e., No firewall established between Command Router and PBX Switch or poor access control procedures. Risk. Define the overall risk. The definition states in one sentence the overall risk to the asset with the identified threat and vulnerabilities. Countermeasure Is an action taken or a physical entity used to reduce or eliminate one or more vulnerabilities. The cost of a possible countermeasure may be monetary but may also include man-hours, or reduce operational efficiency.
6 Step 1. Identify Assets and Loss Impacts Assets Assets are identified during the initial coordination and are clearly identified by the supported commander s purpose, scope, and intent. IO assets are: Make Command & Control Threat Risks Decisions Systems. Automated Information and Communications systems that provide data for the commander that is available on demand, maintains integrity, and confidentiality during manipulation, transmission and storage. Vulnerabilities Determine Countermeasure Options Operational Activities other than Automated Information and Communications system that comprise IO. These are the pillars of IO; PSYOP, Deception, OPSEC, Electronic Warfare, Physical Destruction and Civil and Public Affairs. All of these activities communicate information in one form or another. These systems release information, intentionally or as a function of the activity. The accuracy and availability of this information must be controlled. Asset Survey You can gather information about critical assets from a variety of sources: Commander Senior Staff Officers IO Component Staff Officers, i.e. OPSEC Officer, PSYOP Planner, etc. Security Managers Information System Security Officers and System Administrators Existing Security Plans, SOPs, and Policies Open Source Information
7 Ask the following questions to clarify the assets: Clarification of Assets What critical mission activities/operations take place at this unit at this time? What units, other personnel, and visitors are involved in the activity/operation? What relationship do they have to the critical assets? What critical/sensitive information (classified and unclassified) is located at the unit? What critical/valuable equipment is located at the unit? Where are the assets located? Describe the expected impact if the event were to occur. Table 19. Clarification of Assets Identify specific undesirable events and the potential impacts if the events were to occur. For example, you need to protect the exact time and location of the main attack; the undesirable event would be the adversary obtaining this information. The impact could be mission failure. Answer the following questions to assess loss impacts for any asset: Impact ment How does obtaining this information help the adversary attain its goals? What would we lose? Is this asset still valuable to us once it has been compromised? What did it cost us to develop the asset? What is the impact on soldiers lives, the mission, and the National security? Table 20. Impact ment For every observation determine the impact of the undesirable event, the answers to the above questions should clarify the appropriate rating. The matrix below will assist in identifying the correct level.
8 Mission Failure, Loss of Life, Mass Casualties Loss Of Classified Data That Impairs Operations For An Indefinite Amount Of Time Undesirable Events Loss Of Data, Service, Or Systems That Impairs Operations For An Indefinite Amount Of Time Compromise Or Corruption Of Data Or Lose Of Resources That Impairs Operations For A Limited Amount Of Time Little To No Impact On Human Life Or Continued Operations Overall Impact Level YES Yes/No Yes/No Yes/No Yes/No Critical YES Yes/No Yes/No Yes/No High YES/No Yes/No Yes/No Yes/No High Table 21 Impact Matrix YES Yes/No Medium YES Low Impact Rating Criteria The following definitions and numerical ratings have been established. There is a degree of subjectivity within the rating scales. If the data clearly indicates a grave consequence then a high critical rating is justified. If the data is in the gray area could be a low critical of in the upper side of a high rating, error on the high side and select the low side of critical. Determine the appropriate rating and enter the definition and numerical rating in the Impact Rating column of worksheet 8 for every observation. Critical Grave Consequence. The intrusion, disruption and or destruction of any system(s) or activity ultimately result in the failure to accomplish the assigned mission, loss of life or mass casualties. (50-100) High -- Serious consequence. The compromise or corruption of classified or sensitive data, denial or loss of service of one or more information systems, the manipulation of data or degradation of logistical support or facilities that could impair operations for an indefinite amount of time (13-50) Medium Moderate Consequence. Actions resulting in the compromise or corruption of sensitive data, destruction or loss of costly equipment or degradation of any logistics capability that would impair operations for a limited period of time. (3-13) Low -- Indicates little or no impact on information operations, human life or the continuation of operations. (1-3)
9 Step 2. Threats Understanding threats requires an understanding of the adversaries intentions and motives, as well as risk. Step Two Assets Threat Vulnerabilities Risks Determine Countermeasure Options inten t and motivation of the adversary. Make Decisions their capability to compromise critical assets. Because access to this type of information is often limited, this is generally the weakest link in the overall risk assessment process. During this step you identify and list the potential threats and any known or potential adversaries, that could put critical assets at Intent is determined for the most part by inference. You can infer intent through a set of questions regarding the adversary. For example: Intent and Motivation Does the adversary have a current or projected need for the asset? Do they seek to deny us the use of the asset? Have they demonstrated an interest by targeting similar types of assets? Do they know that the asset exists and where it is located? What are the specific goals and objectives of the adversary? What does the adversary gain by achieving these goals? Can the adversary achieve these goals by exploiting the asset? Is the adversary s intent to obtain, damage, or destroy the asset? Are there any other means for the adversary to obtain its goals? Are the other means easier? What specific events might provoke the adversary to act? What might the adversary lose in attempting to exploit our asset? To what degree is the adversary motivated to use its capability? Table 22. Intent and Motivation
10 Write the answers to the questions from Table 22 in the note section of worksheet 1. List all of the adversaries in column one. Enter a yes or a no in columns 2, 3, and 4 based on the information you gathered using table 22. Enter the overall intent level in column 5 using one of the three combinations depicted below. Intent Worksheet Adversary Knowledge of Asset Need Demonstrated Interest Overall Intent Level # 1 Yes Yes Yes High # 2 Yes Yes No Medium # 3 Yes No No Low Worksheet 1. Intent Determine the capability of the Adversary. There are two distinct types of capability you will need to consider with respect to the adversary. The first is the capability to obtain, damage, or destroy the asset. The second is the adversary s capability to use the asset to achieve their objectives once the asset is obtained. Consider the following: Adversary Capabilities Is the adversary aware that the asset exists? Does he know where the asset is located? What do we know about the adversary s HUMINT collection capabilities? What do we know about the adversary s Technical (SIGINT, IMINT, MASINT) Capabilities? What do we know about the adversary s Open Source (OSINT) capabilities? What do we know about the adversary s methods of operation (Hacking networks, subversive activities, etc).
11 Table 23. Adversary Capabilities Write the answers to the questions in Table 4 in the note section of worksheet 2. List the adversaries in column 1. Enter a high, medium, or low rating for each collection category based on the information gathered using Table 4. Assign an overall level rating based on the majority of the individual ratings, i.e. if three out of five answers are high then the overall rating is high. Collection Capabilities Adversary HUMINT SIGINT IMINT MASINT OSINT Overall Level #1 High High Med Med High High #2 High Med Low Med High Med #3 Med Med Low Low Med Med #4 Med. Low Low Low Med. Low Worksheet 2. Collection Capabilities Determine the frequency of threat related incidents based on historical data. A high frequency of threat-related incidents can indicate an increased likelihood that a similar incident may take place in the future, especially if capability and intent are high. Answer the following questions to determine history. History What do you know about the adversary s track records? How many suspected incidents? How may attempted incidents? How many successful incidents? Table 24. History Write the answers to the questions in Table 24 in the note section of worksheet 3. List the adversaries in column 1. Enter the information gathered for each adversary in the appropriate columns, you do not need to put all of the data into these columns only enough to establish the bottom line history.
12 History Adversary Suspected Incidents Attempted Incidents # 1 Hacking XYZ Subversion of Network Government Employee # 2 Probe of ABC Theft of Network Equipment # 3 Theft of Denial of Service Documents attack Worksheet 3. History Successful Incidents Interception of communication s Imagery of facilities Purchase of classified documents ing threats. The threat level is a relative rating based on the best available information. Worksheet 4 is the compilation of the data entered in worksheets 1,2,and 3. List the adversaries in column 1 and enter the overall intent, Capability, and history for each adversary under the appropriate headings. Use the threat decision matrix to determine the correct level for the Rating column. Intent Capability ** History Level High High/Medium/Low Yes Critical High/Medium High/Medium/Low No Critical Medium Medium Yes High Medium/Low Medium/Low No Medium Low Low No Low Threat Decision Matrix ** Capability can be obtained or provided by a third party. Threat Rating Adversary Intent Capability History Rating # 1 High High Yes Critical # 2 Medium Medium Yes High # 3 Medium Medium No Medium # 4 Low Low No Low Worksheet 4. Threat Rating
13 Threat Rating Criteria The following definitions and numerical ratings have been established. There is a degree of subjectivity within the rating scales. If the data clearly indicates a grave consequence then a high critical rating is justified. If the data is in the gray area could be a low critical of in the upper side of a high rating, error on the high side and select the low side of critical. Determine the appropriate rating and enter the definition and numerical rating in the Threat Rating column of worksheet 8 for every observation. Critical -- A definite threat exists against the assets and the adversary has both the capability and intent to launch an attack, and the subject or similar assets are targeted on a frequent and recurring basis. (75-100%) High -- A credible threat exists against the assets based on our knowledge of the adversary s capability and intent to attack the assets and based on related incidents having taken place. (50-74%) Medium -- There is a possible threat to assets based on the adversary s desire to compromise the assets and the possibility that the adversary could obtain the capability through a third party who has demonstrated the capability in related incidents. (25 49%) Low -- Little to no credible evidence of capability, intent, with any history of actual or planned threats against the assets. (0 24%)
14 Step Three Assets Threat Vulnerabilities Step 3 Vulnerabilities Risks Determine Countermeasure Options Make Decisions Vulnerability assessments help identify weaknesses that could be exploited to gain access to the asset. A vulnerability provides a pathway for creating an undesirable event and thus adverse impact. Using an adversary s perspective causes an analyst to develop attack scenarios that facilitate the identification of vulnerabilities. To determine where a vulnerability exists, first determine the possible paths the adversary may take. Next, determine what countermeasures are already in place and their relative degree of effectiveness in countering the assessed threats. Finally, identify and characterize the specific vulnerabilities that still exist given the current mix of countermeasures. Determining vulnerabilities also requires an understanding of adversary capabilities and their methods of operation. Adversary Exploitation What typically do adversaries exploit? Intercept of unsecured telephone conversations and fax transmissions? Faulty access control procedures? Penetration of improperly secured information networks? Trash collection? Social engineering? Co-opting an insider, or use of cleared host nation personnel? Observation of activities and operations? Table 25. Adversary Exploitation There may be conditions that inhibit the effectiveness of existing countermeasures and the proper operation of the overall security. Some items to look for:
15 Existing Countermeasures Obsolete, faulty, or improperly configured equipment. Poor procedures or the lack of enforcement of good procedures. Poor training of the end-user. Human error. Poor maintenance of equipment. Insufficient manpower to effectively manage systems. What type of protection do existing countermeasures provide (Deter, delay, detect, destroy, defend, defeat)? What type of undesirable events do they guard against (Network penetration, surreptitious entry, technical implant, and unauthorized access to areas, or networks, theft of material)? When are they effective during which hours, activities, or phases of an operation? Where are they effective? What areas do they cover? What is the history of reported malfunctions? What is the correlation of countermeasure effectiveness to security incident reports that may indicate that the countermeasure was defeated? Table 26. Existing Countermeasures The likelihood (probability) that a targeted vulnerability will be successfully exploited is a function of the number and effectiveness of the security countermeasures put into place. The following worksheet can be used to track existing countermeasures and their effectiveness against undesirable events. A rating scale High, Medium, or Low is utilized to judge the effectiveness. Document the answers to Table 25 and 26 in the note section of worksheet 5, this will assist in determining the effectiveness of the existing countermeasures. List the existing countermeasures in column one if the countermeasure is designed to protect against the event, enter an effectiveness rating of the countermeasure for each undesirable event.
16 Intrusion of, Disruption, or destruction of information systems The compromise, corruption of classified or sensitive data, or the denial of service of an information system Impact Data manipulation, degradation of logistics support of facilities Destruction or loss of expensive equipment Exiting Counter-measure Doors, Lock, Bars Medium Medium0 Medium Alarms, Sensors Medium Medium Guards Medium Low Security Awareness Low Low Low Low Passwords Medium Medium Firewalls, Intrusion Detection Worksheet 5. Countermeasure Effectiveness Vulnerability data is linked directly to specific undesirable events. The following worksheet links vulnerabilities and their associated observations to undesirable events and the existing countermeasures. This is required to assess vulnerability levels associated with each undesirable event it will assist in the selection of countermeasures once the risk areas have been prioritized. For every vulnerability/observation found, determine the appropriate impact column and list the existing countermeasures and their effectiveness in every cell.
17 Intrusion of, Disruption, or destruction of information systems The compromise, corruption of classified or sensitive data, or the denial of service of an information system Impact Data manipulation, degradation of logistics support of facilities Destruction or loss of expensive equipment Observation Unauthorized Access to an information system Poor Physical Security Locks Guards Awareness Med. Low Low Worksheet 6. Vulnerability-to-Event Determine the vulnerability level. The likelihood that a targeted vulnerability will be successfully exploited is a function of the number and effectiveness of the security countermeasures put into place. If few, ineffective, or no countermeasures are put into place, the likelihood that the exploitation will be successful is very high. To determine the vulnerability level for a given asset, you should answer the following three questions: Vulnerability Level Is the asset made vulnerable by a single weakness in the protective system? Does the nature of the vulnerability make it difficult to exploit? Is the vulnerability of the asset lessened by multiple, effective layers of security countermeasures? Table 27. Vulnerability Level
18 Using the following decision worksheet to determine the relative vulnerability rating level. The data from Table 27 and Worksheets 5 & 6 support this matrix. Vulnerable through Weakness? Difficult to exploit weakness? Multiple Layers of countermeasures? Vulnerability Level Single Weakness Vulnerable Not Difficult Critical Vulnerable Difficult High Not Vulnerable Difficult Medium Multiple Weakness Vulnerable Not Difficult No Layers Critical Vulnerable Difficult Multiple Layers High Not Vulnerable Not Difficult Multiple Layers Medium Not Vulnerable Difficult Multiple Layers Low Worksheet 7. Vulnerability Rating Decision Matrix Vulnerability Rating Criteria The following definitions and numerical ratings have been established. There is a degree of subjectivity within the rating scales. If the data clearly indicates a grave consequence then a high critical rating is justified. If the data is in the gray area could be a low critical of in the upper side of a high rating, error on the high side and select the low side of critical. Determine the appropriate rating and enter the definition and numerical rating in the Vulnerability Rating column of worksheet 8 for every observation. Critical -- There are no effective countermeasures currently in place and all known adversaries would be capable of exploiting the asset. (75-100%) High -- Although there are some countermeasures in place, there are still multiple weaknesses through which many adversaries would be capable of exploiting the asset. (50-74%) Medium -- There are effective countermeasures in place, however some weakness does exist which a few known adversaries would be capable of exploiting. (25-49%)
19 Low -- Multiple layers of effective countermeasures exist and few or no known adversaries would be capable of exploiting the asset. (1-24%)
20 Step Three Assets Threat Vulnerabilities Risks Step 4 the Risks Determine Countermeasure Options Make Decisions damage or impact (I) on an asset. Thus the formula used is: An undesirable event has an expected impact (I), while threat (T) and Vulnerability (V) are considered together to determine the probability of the undesirable event occurring. Risk ment (R) is the process of determining the likelihood (probability) of an adversary (T) successfully exploiting a vulnerability (V) and the resulting degree of Risk = Impact x (Threat x Vulnerability) Where vulnerabilities are great and the threat is evident the risk of exploitation is greater. This worksheet is filled in during the first three steps. Use the risk formula to calculate the overall risk and enter the number (Round to the nearest whole number) in the last column. Impact Rating Threat Rating Vulnerability Rating Overall Risk (Definition) # (Definition) # (Definition) # # Worksheet 8. Risk Calculation The overall risk is defined with the following matrix. Locate the value calculated with the risk formula in the rating ranges, the resultant is the overall risk rating and definition.
21 Critical -- There is an exceptionally high risk of loss to the asset with resulting consequential impact High -- There is a very high risk of loss to the asset with resulting serious impact Medium -- There is some risk of loss to the asset with moderate impact Low -- There is little risk of loss to the asset with negligible impact.
22 Step 5. Identify Countermeasures Based on the information Step Five obtained and analyzed in the previous steps, you can now identify countermeasures that Assets reduce vulnerabilities linked to your Determine Threat Make Countermeasure unacceptable risks. You Risks Decisions Options can choose to employ a single countermeasure or several countermeasures Vulnerabilities used in combination. Two or more countermeasures may work together in a compensating fashion to guard against a vulnerability that neither would adequately protect individually. To identify potential countermeasures to reduce vulnerabilities consider the possible protection solutions for the risk scenarios. Identify the best solutions regardless of financial constraints. Countermeasures generally fit into one of the following three categories. Procedures Equipment Personnel OPSEC Procedures Locking Mechanism Appointed OPSEC Officer Training Programs Alarms/Sensors System Administrators Awareness Programs Hardware/Software ISSOs/ISSMs Security Inspections/ Access Control Devices, Guards ments Badges Contingency Planning Shredders Appointed Security Managers Security SOP Storage Containers IO Officer Network SOP Operating Systems Table 29. Countermeasure Categories Identify the cost of countermeasures. Consider not only the cost of tangible materials, but also the on going operational costs. Keep in mind that written procedures are usually the least expensive type of security. Hardware is generally more expensive than written procedures, manpower costs are usually the most expensive, especially if the solution requires extensive training or contracting to obtain the skills. Every
23 countermeasure has a cost associated with it that can be measured in terms of dollars, inconvenience, time, or personnel. The following chart will assist in identifying countermeasure packages. When determining the dollar cost of a countermeasure, include the purchase price as well as life cycle maintenance. This may include installation, preventive maintenance, repair, warranty, and replacement costs. When determining the cost of a countermeasure in terms of inconvenience consider whether the inconvenience caused is offset by the measure of risk reduction gained. When determining the cost of a countermeasure in terms of time, include the time to implement or oversee the countermeasure and the time to prepare for implementation as well as any time required for training and follow-up. When determining the cost of a countermeasure in terms of personnel required utilizing it, considering the number of staff needed as well as the skills, knowledge, and abilities of the personnel involved. Complete worksheet 9 to document improvements to existing countermeasures or the implementation of new countermeasures Undesirable Potential Countermeasures & Costs Event Procedures Equipment Personnel Intrusion of, Network Security SOP. Network Firewall. Qualified Systems Disruption, or Cost: Man-hours to Cost $20,000 Administrator develop the SOP, train destruction of operators and enforce information policies systems The compromise, corruption of classified or sensitive data, or the denial of service of an information system Procedures to secure the facility. Cost: Moderately Inconvenient Security SOP for safeguarding classified information. Cost: Man-hours to develop the SOP, train operators and enforce policies Photo Identification Badges for access control. Cost: $500 Worksheet 9. Cost-Benefit Analysis
24 To complete worksheet 10 the process has to be repeated. Once a countermeasure is improved or implemented it has a three-fold effect. The impact of the undesirable event is reduced because the threat no longer has the capability to collect against the asset and the vulnerability is reduced due to multiple layers of effective countermeasures. Enter the vulnerability/observation in column one, the existing risk level in column two, the recommended countermeasure in column three. Complete a new worksheet 8 based on the new figures and recalculates the overall risk. Enter this new figure in the Mitigated Risk Level column. Enter any clarifying comments in the last column. Vulnerability/ Observation Existing Risk Level Recommended Mitigation Technique Failure to protect information High Inadequate Perimeter Security Machines running vulnerable operating systems Critical Develop and implement AISSP IAW AR Establish and enforce an approved list of software for all machines Mitigated Risk Level Medium High Comments Worksheet 10. Risk Mitigation
25 Tab 1 (Intent Worksheet) to Risk ment Guide Adversary Intent Worksheet Knowledge of Need Asset Demonstrated Interest Overall Intent Level Notes:
27 Tab 3 (Adversary History Worksheet) to Risk ment Guide Adversary Suspected Incidents History Attempted Incidents Successful Incidents Notes:
28 Tab 4 (Threat Rating Worksheet) to Risk ment Guide Threat Rating Adversary Intent Capability History Rating Notes:
29 Tab 5 (Countermeasure Effectiveness Worksheet) to Risk ment Guide Impact Intrusion of, Disruption, or destruction of information systems The compromise, corruption of classified or sensitive data, or the denial of service of an information system Data manipulation, degradation of logistics support of facilities Destruction or loss of expensive equipment Exiting Counter-measure Notes:
30 Tab 6 (Vulnerability-to Event Worksheet) to Risk ment Guide Intrusion of, Disruption, or destruction of information systems The compromise, corruption of classified or sensitive data, or the denial of service of an information system Impact Data manipulation, degradation of logistics support of facilities Destruction or loss of expensive equipment Vulnerability/ Observation Unauthorized Access to an information system Poor Physical Security Locks Guards Awareness Med. Low Low Notes:
31 Tab 7 (Vulnerability Rating Worksheet) to Risk ment Guide Vulnerable through Weakness? Single Weakness Difficult to exploit weakness? Multiple Layers of countermeasures? Vulnerability Level Multiple Weakness Notes:
32 Tab 8 (Risk Calculation Worksheet) to Risk ment Guide Impact Rating Threat Rating Vulnerability Rating Overall Risk Notes:
National Infrastructure Protection Center Risk Management: An Essential Guide to Protecting Critical Assets November 2002 Summary As organizations increase security measures and attempt to identify vulnerabilities
1. Computer Security: An Introduction Definitions Security threats and analysis Types of security controls Security services Mar 2012 ICS413 network security 1 1.1 Definitions A computer security system
Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension
Safeguards and Security Safeguards and Security Funding Profile by Subprogram (dollars in thousands) Protective Forces 35,059 37,147 Security Systems 11,896 10,435 Information Security 4,655 4,595 Cyber
Department of Defense MANUAL NUMBER 5205.02-M November 3, 2008 USD(I) SUBJECT: DoD Operations Security (OPSEC) Program Manual References: See Enclosure 1 1. PURPOSE. In accordance with the authority in
THE OFFICE OF SECURITY Operations Security (OPSEC) GOOD SECURITY IS A GROUP EFFORT Operations Security (OPSEC) "Even minutiae should have a place in our collection, for things of a seemingly trifling nature,
MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:
Office of Procurement and Property Management (OPPM) Richard C. Holman (202) 720-3901 INTRODUCTION Risk management is the technical procedure for identifying and evaluating security threats and vulnerabilities
Counterintelligence Awareness Glossary Access: The ability and opportunity to obtain knowledge of classified information. Anomaly: Activity r knowledge, outside the norm, that suggests a foreign entity
A Risk Assessment Methodology (RAM) for Physical Security Violence, vandalism, and terrorism are prevalent in the world today. Managers and decision-makers must have a reliable way of estimating risk to
EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies
Image credits: Front cover: U.S. Army photo by Sgt. Brandon Little, Task Force XII PAO, MND-B Inside back cover: U.S Army photo by Staff Sgt. Mike Pryor, 2nd BCT, 82nd Abn. Div. Public Affairs Operations
Date 06/10/10 Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response 1.0 PURPOSE Implementing Procedure APPROVED: (Signature on File) EMCBC Director ISSUED
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
Enlisted Information Dominance Warefare Specialist (EIDWS) Common Core Fleet Weather Center Norfolk 1 References: Joint DoDIIS/Cryptologic SCI Information Systems Security Standards DCID 6/3 SECNAVINST
RISK ASSESSMENT GUIDELINES A Risk Assessment is a business tool used to gauge risks to the business and to assist in safeguarding against that risk by developing countermeasures and mitigation strategies.
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
1 CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE Gavin McLintock P.Eng. CISSP PCIP 2 METCALFE POWER STATION 16 April 2013 Sophisticated physical attack 27 Days outage $15.4 million
White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security
Department of Defense INSTRUCTION NUMBER 8560.01 October 9, 2007 ASD(NII)/DoD CIO SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing References: (a) DoD
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
Security Defense Strategy Basics Joseph E. Cannon, PhD Professor of Computer and Information Sciences Harrisburg University of Science and Technology Only two things in the water after dark. Gators and
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
Information Security Incident Management Guidelines INFORMATION TECHNOLOGY SECURITY SERVICES http://safecomputing.umich.edu Version #1.0, June 21, 2006 Copyright 2006 by The Regents of The University of
Oil & Gas Industry Towards Global Security A Holistic Security Risk Management Approach www.thalesgroup.com/security-services Oil & Gas Industry Towards Global Security This white paper discusses current
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department
Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information
RISK MANAGEMENT Capability Definition Risk Management is defined by the Government Accountability Office (GAO) as A continuous process of managing through a series of mitigating actions that permeate an
BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface
GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach
White Paper April 2006 Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks According to a recent Harris Interactive survey, the country s leading business executives consider
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. firstname.lastname@example.org, email@example.com
U.S. DoD Physical Security Market Technologies Used for DoD Applications June 2011 Table of Contents Executive Summary 7 Introduction 8 Definitions and Scope 9-11 Percentage of FY 2010 Total Budget Request
SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS by Paul Baybutt Primatech Inc. firstname.lastname@example.org 614-841-9800 www.primatech.com Abstract Many chemical companies have performed security vulnerability
VULNERABILITY ASSESSMENT Correctional Facilities Are Only as Secure as Their Weakest Point Today's correctional security system is a complex configuration of personnel, procedures, detection, delay and
Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An
Greater Lafayette Security Professionals, January 2011 Keith A. Watson, CISSP CISA CERIAS, Purdue University The need Policy Safe versus Security Design of Physical Protection Systems Assessments Penetration
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for U.S. Coast Guard Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General,
THREATS AND VULNERABILITIES FOR C 4 I IN COMMERCIAL TELECOMMUNICATIONS: A PARADIGM FOR MITIGATION Joan Fowler and Robert C. Seate III Data Systems Analysts, Inc. 10400 Eaton Place, Suite 400 Fairfax, VA
Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics
Christina Kormos National Agency Phone: (410)854-6094 Fax: (410)854-4661 email@example.com Lisa A. Gallagher (POC) Arca Systems, Inc. Phone: (410)309-1780 Fax: (410)309-1781 firstname.lastname@example.org USING
Protecting Organizations from Cyber Attack Cliff Glantz and Guy Landine Pacific Northwest National Laboratory (PNNL) PO Box 999 Richland, WA 99352 email@example.com firstname.lastname@example.org 1 Key Topics
DATASHEET PENETRATION TESTING SERVICE Sales Inquiries: email@example.com Visit us: http://www.spentera.com Protect Your Business. Get Your Service Quotations Today! Copyright 2011. PT. Spentera. All Rights
developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company
A Practical Approach to Threat Modeling Tom Olzak March 2006 Today s security management efforts are based on risk management principles. In other words, security resources are applied to vulnerabilities
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis
2015 Michigan NASCIO Award Nomination Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy Sponsor: David Behen, DTMB Director and Chief Information Officer Program Manager: Rod Davenport,
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
FIREWALL POLICY November 2006 TNS POL - 008 Introduction Network Security Services (NSS), a department of Technology and Network Services, operates a firewall to enhance security between the Internet and
CASE STUDY OF INDUSTRIAL ESPIONAGE THROUGH SOCIAL ENGINEERING Ira S. Winkler National Computer Security Association 10 South Courthouse Avenue Carlisle, Pennsylvania 17013 firstname.lastname@example.org (717) 258-1816
Hacking Techniques & Intrusion Detection Winter Semester 2012/2013 Dr. Ali Al-Shemery aka: B!n@ry Physical Pentesting What good is your firewall or IDS/IPS if I can grab your box? Outline Physical Pentesting
U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool User Guide Version Date: March 2014
The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal
Hacking Book 1: Attack Phases Chapter 1: Introduction to Ethical Hacking Objectives Understand the importance of information security in today s world Understand the elements of security Identify the phases
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we
Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.
UNITED STATES MARINE CORPS THE BASIC SCHOOL MARINE CORPS TRAINING COMMAND CAMP BARRETT, VIRGINIA 22134-5019 OPERATIONAL RISK MANAGEMENT B130786 STUDENT HANDOUT Basic Officer Course (ORM) Introduction Importance
Cyber Incident Response Defensible Strategy To Cyber Incident Response Cyber Incident Response Plans Every company should develop a written plan (cyber incident response plan) that identifies cyber attack
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta email@example.com / firstname.lastname@example.org Table of Contents Abstract... 1
IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber