Performing Effective Risk Assessments: Dos and Don'ts


Performing Effective Risk Assessments: Dos and Don'ts. Gary Braglia, Security Specialist, GreyCastle Security. TCTC, March 18, 2013

Introduction

Who am I?

Why Risk Management?

Because you have to

Because you can't be secure

Because people are not awesome

Show Me This Thing You Call Risk Management

Risk Management 101: "the total process of identifying, controlling and mitigating information system-related risks" (National Institute of Standards and Technology (NIST) SP 800-30)

Risk Management 101: three processes
- Risk Assessment
- Risk Mitigation
- Evaluation and Assessment

Risk Management 101
Focuses on: Confidentiality, Integrity, Availability
Qualitative or Quantitative
Balances risk, effort and costs: don't build a $200 fence around a $20 horse

Take a Deep breath.

Risk Management 101: the risk matrix (likelihood weight x impact value = risk score; High >50, Medium >10 to 50, Low 1 to 10)

Likelihood    | Impact: Low (10)      | Impact: Medium (50)     | Impact: High (100)
High (1.0)    | Low    (10 x 1.0 = 10) | Medium (50 x 1.0 = 50)  | High   (100 x 1.0 = 100)
Medium (0.5)  | Low    (10 x 0.5 = 5)  | Medium (50 x 0.5 = 25)  | Medium (100 x 0.5 = 50)
Low (0.1)     | Low    (10 x 0.1 = 1)  | Low    (50 x 0.1 = 5)   | Low    (100 x 0.1 = 10)

Must. Resist. Temptation.

Risk Assessment

Risk Assessment
- First process in Risk Management
- Used to determine potential threats and the associated risk
- The output of this process is used to determine appropriate controls to reduce risk

Step 1: System Characterization
Characterize system boundaries, criticality and sensitivity based on:
- Hardware
- Software
- Interfaces and integrations
- People
- Mission
- System and data criticality
- System and data sensitivity

Step 2: Threat Identification
Identify threats to organizational systems based on:
- Security violations
- Incident management
- External intelligence
- Media
Classify threats as: Natural, Environmental, Human


Step 3: Vulnerability Identification
Identify vulnerabilities based on:
- Vulnerability scans
- Penetration tests
- Audits
- Vulnerability lists and advisories
- Standards
Generate a list of vulnerability/threat pairs and the resulting exploits

Step 3: Vulnerability Identification (examples)

Threat                      | Vulnerability                                                        | Exploit
Terminated employees        | User accounts for terminated employees that are left enabled          | Terminated employees gain access to confidential information
Fire or negligent employees | Fire suppression controls for the data center left in uncontrolled areas | Data center fire suppression controls are activated accidentally or maliciously
Unauthorized users          | Unprotected confidential documents                                    | Confidential information is exfiltrated

QUIZ: Pairing up threats with vulnerabilities leads to identifying... what? Answer: Exploits

Step 4: Control Analysis
Analyze the controls that have been implemented, or are planned for implementation, that will minimize or eliminate the likelihood of a threat exercising a system vulnerability.
Identify: technical controls, non-technical controls
Identify: preventative controls, detective controls, corrective controls


Step 5: Likelihood Determination
Determine the overall likelihood that a vulnerability will be exercised, based on:
- Threat-source motivation and capability
- Existence and effectiveness of controls
- All other factors

Step 5: Likelihood Determination (levels)

Level  | Definition
High   | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective
Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
Low    | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised

Determining Risk

Step 6: Impact Analysis
Determine the adverse impact of the exercising of a vulnerability, based on:
- Loss of (C)onfidentiality: unauthorized, unintentional or unanticipated disclosure of confidential information could result in fines, degradation of reputation, loss of public confidence, embarrassment or legal action
- Loss of (I)ntegrity: unauthorized, unintentional or unanticipated changes to systems can result in errors, fraud or corruption
- Loss of (A)vailability: loss of system functionality can result in operational inefficiencies and loss of productive time
Occurrences of any of these jeopardize the organization's mission

Step 6: Impact Analysis (levels)

Level  | Definition
High   | Exercise of the vulnerability (1) may result in the highly costly loss of tangible assets or resources; (2) may significantly violate, harm or impede the organization's mission, reputation or interest; or (3) may result in human death or serious injury
Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede the organization's mission, reputation or interest; or (3) may result in human injury
Low    | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; or (2) may noticeably affect the organization's mission, reputation or interest

QUIZ: How do we completely eliminate risk? Answer: We don't!

Step 7: Risk Determination
Determine the risk for each threat/vulnerability pair, based on:
- The likelihood of a given threat-source attempting to exercise a given vulnerability
- The magnitude of the impact should a threat-source exercise the vulnerability
- The adequacy of planned or existing security controls for reducing or eliminating risk

Step 7: Risk Determination
Risk for pair i is likelihood times impact, and total risk is the sum over all threat/vulnerability pairs:

$$R_i = P_i \cdot I_i, \qquad R = \sum_i P_i \cdot I_i$$

Step 7: Risk Determination (matrix; likelihood weight x impact value = risk score)

Likelihood    | Impact: Low (10)      | Impact: Medium (50)     | Impact: High (100)
High (1.0)    | Low    (10 x 1.0 = 10) | Medium (50 x 1.0 = 50)  | High   (100 x 1.0 = 100)
Medium (0.5)  | Low    (10 x 0.5 = 5)  | Medium (50 x 0.5 = 25)  | Medium (100 x 0.5 = 50)
Low (0.1)     | Low    (10 x 0.1 = 1)  | Low    (50 x 0.1 = 5)   | Low    (100 x 0.1 = 10)

Step 7: Risk Determination
Risk levels are defined as follows:
- High: there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible
- Medium: corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time
- Low: the system's DAA (Designated Approving Authority) must determine whether corrective actions are still required or decide to accept the risk
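Steps 5 through 7 above, and the first mitigation step that follows (prioritize by risk level), can be carried out on the three threat/vulnerability pairs from Step 3. The script below is an added example, not code from the talk or from NIST: it encodes the SP 800-30 likelihood weights (1.0/0.5/0.1) and impact values (10/50/100) exactly as on the matrix slide, scores each pair, buckets the score into High/Medium/Low using the matrix's own cell labels, and orders the register for mitigation. The likelihood and per-C/I/A impact ratings assigned to the sample pairs, and the rule that a pair's overall impact is the highest of its C, I and A ratings, are assumptions made for this example.

```python
"""Worked example of the NIST SP 800-30 qualitative risk matrix
(Steps 5-7 of the talk) applied to the Step 3 threat/vulnerability pairs,
then prioritized as Risk Mitigation Step 1 requires.

Added for illustration; not code from the talk or from NIST. The sample
ratings below are constructed for this example.
"""
from dataclasses import dataclass

# Likelihood weights and impact values as shown on the matrix slide.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
IMPACT_ORDER = ["Low", "Medium", "High"]


def risk_score(likelihood: str, impact: str) -> float:
    """R_i = P_i * I_i for one threat/vulnerability pair.
    Rounded so float noise (e.g. 0.1 * 100) cannot push a score across
    a bucket boundary."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Bucket a score the way the matrix cells are labelled:
    >50 is High, >10 up to 50 is Medium, 10 or below is Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Pair:
    threat: str
    vulnerability: str
    exploit: str
    likelihood: str      # Step 5 rating, after considering existing controls
    impact_cia: dict     # Step 6 rating for each of C, I, A

    def impact(self) -> str:
        # Assumption for this example: overall impact is the highest of the
        # three C/I/A ratings (a confidentiality-only disaster is still High).
        return max(self.impact_cia.values(), key=IMPACT_ORDER.index)

    def score(self) -> float:
        return risk_score(self.likelihood, self.impact())

    def level(self) -> str:
        return risk_level(self.score())


# Constructed sample register: the three pairs from Step 3 of the talk.
# Likelihood and C/I/A ratings are invented for this example.
REGISTER = [
    Pair("Terminated employees",
         "User accounts for terminated employees left enabled",
         "Terminated employees gain access to confidential information",
         "High", {"C": "High", "I": "Medium", "A": "Low"}),
    Pair("Fire or negligent employees",
         "Data center fire suppression controls in uncontrolled areas",
         "Fire suppression activated accidentally or maliciously",
         "Low", {"C": "Low", "I": "Low", "A": "High"}),
    Pair("Unauthorized users",
         "Unprotected confidential documents",
         "Confidential information is exfiltrated",
         "Medium", {"C": "High", "I": "Low", "A": "Low"}),
]


def prioritize(register: list) -> list:
    """Risk Mitigation Step 1: highest-scoring pairs first."""
    return sorted(register, key=lambda p: p.score(), reverse=True)


def total_risk(register: list) -> float:
    """R = sum_i P_i * I_i over the whole register."""
    return round(sum(p.score() for p in register), 6)


def residual(pair: Pair, new_likelihood: str) -> tuple:
    """Risk Mitigation Step 7: re-score a pair after a control has lowered
    its likelihood (impact is unchanged by a preventative control)."""
    score = risk_score(new_likelihood, pair.impact())
    return score, risk_level(score)


if __name__ == "__main__":
    for p in prioritize(REGISTER):
        print(f"{p.level():6} {p.score():6.1f}  {p.threat} / {p.vulnerability}")
    print("Total risk:", total_risk(REGISTER))
    # Disabling accounts at termination drops the first pair's likelihood.
    print("Residual for terminated-employee pair:", residual(REGISTER[0], "Low"))
```

Run as-is: the terminated-employee pair scores 100 (High), the unauthorized-user pair 50 (Medium) and the fire-suppression pair 10 (Low), so mitigation effort goes to the account-disabling control first; re-scoring that pair with its likelihood reduced to Low shows the residual risk falling to 10 (Low), which is the number the DAA then decides whether to accept.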

Step 8: Control Recommendations
Recommend controls to reduce risk to an acceptable level, based on:
- Cost-benefit analysis
- Feasibility
- Legislation and regulation
- Organizational policy
- Operational impact
- Safety and reliability

RISK vs. REWARD

Step 9: Results Documentation
Produce a management-level report that helps senior management make decisions on budget, process and control recommendations.
Control recommendations could include changes to: policy, procedure, personnel, facilities

Risk Mitigation

Risk Mitigation: "prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process" (National Institute of Standards and Technology (NIST) SP 800-30)

Risk Mitigation

Risk Mitigation
Control categories include: People, Process, Technology
Risk mitigation options include:
- Limitation (fix, modification)
- Avoidance (remove, eliminate)
- Transference
- Assumption
- Planning (defer)

Risk Mitigation
Step 1: Prioritize Actions. Prioritize control implementation evaluations based on the risk levels presented in the Risk Assessment; resources and priority should be given to High-level risks
Step 2: Evaluate Recommended Control Options. Analyze the feasibility and effectiveness of the recommended controls
Step 3: Conduct Cost-Benefit Analysis
Step 4: Select Controls

Risk Mitigation
Step 5: Assign Responsibility. Assign implementation responsibility to resources with the appropriate expertise and experience
Step 6: Develop Safeguard Implementation Plan. Document the plan for implementing the selected controls, recording all previously defined criteria, resources, actions, priorities, schedules and requirements
Step 7: Implement Controls. Implement the selected controls and determine residual risk

Risk Management Demo

Evaluation and Assessment

Evaluation and Assessment "emphasizes the good practice and need for ongoing risk evaluation and assessment and the factors that will lead to a successful Risk Management program" (National Institute of Standards and Technology (NIST) SP 800-30)

Evaluation and Assessment
Risk Management is a continuous process. A Risk Assessment should be considered whenever changes occur in:
- Hardware, software or technology infrastructure
- Executive leadership or other key personnel
- Organizational mission
- Competitors or market factors
- Physical facilities and locations
- Environmental factors
- Finances
- Risk appetite

QUIZ: According to Capt. Kirk, what is our business? Answer: RISK!!!

Final Thoughts

Focus on data... and all other assets

Leverage your metrics