NIST National Institute of Standards and Technology



Similar documents
Performing Effective Risk Assessments Dos and Don ts

Risk Management Guide for Information Technology Systems. NIST SP Overview

ITIL and Business Continuity (Service Perspective)

RiskManagement ESIEE 06/03/2012. Aloysius John March 2012

ARCHIVED PUBLICATION

Risk Management Guide for Information Technology Systems

Risk Management Guide for Information Technology Systems

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

What is required of a compliant Risk Assessment?

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

UF Risk IT Assessment Guidelines

Risk Assessment Guide

HIPAA Security Risk Analysis and Risk Management Methodology with Step-by-Step Instructions

Guidelines 1 on Information Technology Security

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

Information Security for Managers

FREQUENTLY ASKED QUESTIONS

Security Risk Management - Approaches and Methodology

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

APPLICATION THREAT MODELING

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

ISMS Implementation Guide

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

RISK ASSESSMENT GUIDELINES

Minimum Security Requirements for Federal Information and Information Systems

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

HIPAA: Compliance Essentials

Information Security Risk Assessment Methodology

DETAILED RISK ASSESSMENT REPORT

IT Risk Management: Guide to Software Risk Assessments and Audits

Software Risk Management and Mitigation Model

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

IT Security Management Risk Analysis and Controls

Get Confidence in Mission Security with IV&V Information Assurance

Legislative Language

Information Technology Risk Management

CMS Information Security Risk Assessment (RA) Methodology

Best Practices For Department Server and Enterprise System Checklist

The Influence of Software Vulnerabilities on Business Risks 1

Data Security Incident Response Plan. [Insert Organization Name]

Information Security for IT Administrators

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Road map for ISO implementation

UF IT Risk Assessment Standard

Office of Inspector General

DIVISION OF INFORMATION SECURITY (DIS)

ISSN: (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

Manage Vulnerabilities (VULN) Capability Data Sheet

Information Security Office

Information Technology Security Review April 16, 2012

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

Risk Analysis and Risk Management

Data Management Policies. Sage ERP Online

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL

SECURITY RISK MANAGEMENT

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

FSIS DIRECTIVE

MEANINGFUL USE DESK AUDIT

OCC 98-3 OCC BULLETIN

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

HIPAA Security COMPLIANCE Checklist For Employers

Critical Controls for Cyber Security.

Security Control Standard

Dr. Ron Ross National Institute of Standards and Technology

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

Handbook for Information Technology Security Risk Assessment Procedures

The Protection Mission a constant endeavor

From the Lab to the Boardroom:

Defending Against Data Beaches: Internal Controls for Cybersecurity

Looking at the SANS 20 Critical Security Controls

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

Managing IT Security with Penetration Testing

ISO Information Security Management Systems Foundation

TABLE OF CONTENTS INTRODUCTION... 1

Information Blue Valley Schools FEBRUARY 2015

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Breakthrough Cyber Security Strategies. Introducing Honeywell Risk Manager

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

A Structured Comparison of Security Standards

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Transcription:

NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are available from the web Another NIST SP is: Managing Risk from Information Systems: An Organizational Perspective PS800-39 (March 2011) Source: http://csrc.nist.gov/publications/pubssps.html 1 CS448/548 Sequence 24 Risk Assessment Process Based on recommendations of the National Institute of Standards and Technology in Risk Management Guide for Information Technology Systems (special publication 800-30) Presented By www.regulatorypro.us 2

Goal of Risk Management Process! Protect the organization s ability to perform its mission (not just its IT assets)! An essential management function (not just an IT technical function) 3 NIST Guide Purpose! Provide a foundation for risk management program development! Provide information on costeffective security controls 4

Guide Structure! Risk Management Overview! Risk Assessment Methodology! Risk Mitigation Process! Ongoing Risk Evaluation 5 Risk Assessment a definition The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. 6

Risk Assessment! 1 st process in risk management methodology! Used to determine potential threats and associated risk! Output of this process helps to identify appropriate controls to reduce or eliminate risk 7 Definitions! Vulnerability weakness that can be accidentally triggered or intentionally exploited! Threat-Source Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.! Threat The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. 8

Definitions! Risk - a function of the likelihood of a given threat-source s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.! Risk management process of identifying, assessing and reducing risk 9 Risk Assessment Methodology! Step 1: System Characterization " Input: system-related info including! Hardware! Software! System interfaces! Data and information! People! System mission A good picture of system boundary, functions, criticality and sensitivity 10

Risk Assessment Methodology! Step 2: Threat Identification " Input:! Security violation reports! Incident reports! Data from intelligence agencies and mass media Threat statement listing potential threat-sources (natural, human, environmental) applicable to the system being evaluated 11 Risk Assessment Methodology! Step 3: Vulnerability Identification " Input:! System security tests (e.g. penetration tests)! Audit results! Vulnerability lists/advisories! Security requirements checklist (contains basic security standards) List of system vulnerabilities (flaws or weaknesses) that could be exploited Vulnerability/Threat pairs 12

Vulnerability/Threat Pair Examples Vulnerability Threat-Source Threat Action Terminated employee ID s are not removed from the system Water sprinklers used for fire suppression and no protective coverings in place Vendor has identified security flaws in system and patches have not been applied Terminated employees Fire; negligent persons Unauthorized users (e.g. terminated employees, hackers) Dialing into the company s network and accessing proprietary info Water sprinklers being turned on Obtaining unauthorized access to sensitive files based on known vulnerabilities 13 Risk Assessment Methodology! Step 4: Control Analysis " Input: current controls, planned controls! Control Methods may be technical or nontechnical! Control Categories preventative or detective (e.g. audit trails) List of current and planned controls 14

Risk Assessment Methodology! Step 5: Likelihood Determination " Input:! Threat-source motivation & capability! Nature of the vulnerability! Existence & effectiveness of current controls Likelihood rating of High, or 15 Risk Assessment Methodology! Step 6: Impact Analysis " Input:! System mission! System and data criticality! System and data sensitivity " Analysis: Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability Impact Rating of High, or 16

Risk Assessment Methodology! Step 7: Risk Determination " Input:! Likelihood of threat! Magnitude of risk! Adequacy of planned or current controls! Risk Level Matrix (Risk Level = Threat Likelihood x Threat Impact)! Risk Scale and Necessary Actions 17 Risk-Level Matrix Threat Impact Likelihood High (10) (50) (100) High High (1.0) 10 X 1.0 = 10 50 X 1.0 = 50 100 X 1.0 = 100 (0.5) 10 X 0.5 = 5 50 X 0.5 = 25 100 X 0.5 = 50 (0.1) 10 X 0.1 = 1 50 X 0.1 = 5 100 X 0.1 = 10 18

Risk Scale & Necessary Actions Risk Level Risk Description and Necessary Actions! Strong need for corrective measures High! Corrective action plan must be put in place as soon as possible! Corrective actions are needed! Plan must be developed within a reasonable period of time! Determine whether corrective actions are still required or decide to accept the risk 19 Risk Assessment Methodology! Step 8: Control Recommendations " Factors to consider! Effectiveness of recommended option! Legislation and regulation! Organizational policy! Operational impact! Safety and reliability Recommended controls and alternative solutions to mitigate risk 20

Risk Assessment Methodology! Step 9: Results Documentation Risk Assessment Report! Presented to senior management and mission owners! Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement! Purpose: Assist decision-makers in making decisions on policy, procedural, budget and system operational and management changes 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information