ITIL and Business Continuity (Service Perspective)

Similar documents
NIST National Institute of Standards and Technology

Risk Management Guide for Information Technology Systems. NIST SP Overview

Performing Effective Risk Assessments Dos and Don ts

Security Risk Assessment

RiskManagement ESIEE 06/03/2012. Aloysius John March 2012

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Breakthrough Cyber Security Strategies. Introducing Honeywell Risk Manager

Information security risk management using ISO/IEC 27005:2008

UF IT Risk Assessment Standard

UF Risk IT Assessment Guidelines

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

National Infrastructure Protection Center

How-To Guide: Cyber Security. Content Provided by

UoB Risk Assessment Methodology

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Guide to Vulnerability Management for Small Companies

RISK ASSESSMENT GUIDELINES

Security Standards Workshop: An Overview From Risk Assessment to Proposed Policies

Risk Management Guide for Information Technology Systems

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

What is required of a compliant Risk Assessment?

Best Practices For Department Server and Enterprise System Checklist

Information Technology Risk Management

The Influence of Software Vulnerabilities on Business Risks 1

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Identifying & Managing IT Risks to Your Business

ISMS Implementation Guide

Nine Steps to Smart Security for Small Businesses

Defending Against Data Beaches: Internal Controls for Cybersecurity

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Is the PCI Data Security Standard Enough?

HIPAA Security COMPLIANCE Checklist For Employers

Information Security Team

Guidelines 1 on Information Technology Security

Patch Management Procedure. e-governance

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Effective Software Security Management

Metrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz

Computer Security: Principles and Practice

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report.

Defensible Strategy To. Cyber Incident Response

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

Network and Host-based Vulnerability Assessment

A Structured Comparison of Security Standards

CYBER SECURITY CONTROLS CHECKLIST

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

How To Protect Yourself From Cyber Threats

Risk Assessment Guide

Information Security. Incident Management Program. What is an Incident Management Program? Why is it needed?

External Supplier Control Requirements

IT Risk Management: Guide to Software Risk Assessments and Audits

Web Security School Entrance Exam

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Software Risk Management and Mitigation Model

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

Better secure IT equipment and systems

The Four-Step Guide to Understanding Cyber Risk

Internet threats: steps to security for your small business

Risk Management Business Challenges

Network Security: A Critical Component to Any Business IT Plan.

Reining in the Effects of Uncontrolled Change

ARCHIVED PUBLICATION

PDSA Special Report. Is your Company s Security at Risk

Security Defense Strategy Basics

Network Security Audit. Vulnerability Assessment (VA)

Managing IT Security with Penetration Testing

Business Continuity Plan

White Paper. April Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks

Toronto Public Library Disaster Recovery recommended safeguards and controls

ISSN: (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies

HIPAA Security Risk Analysis and Risk Management Methodology with Step-by-Step Instructions

Penetration Testing Is A Bad Idea. Anton Aylward, CISSP, CISA System Integrity

DATA CENTER SERVICES

Temple university. Auditing a business continuity management BCM. November, 2015

Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches

Board Portal Security: How to keep one step ahead in an ever-evolving game

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Are you prepared to be next? Invensys Cyber Security

Managing business risk

8 Steps for Network Security Protection

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

8 Steps For Network Security Protection

Security for NG9-1-1 SYSTEMS

Transcription:

(Service Perspective) Hepix 2012 Conference Prague, 23-27 April 2012 Patricia Méndez Lorenzo, Mats Moller On behalf of the (IT&GS) Service Management team

Outlook ITIL Principles Risk Management in ITIL Elements of Risk Management Quantification of Risks: Risk Assessment Method Examples applied to CERN functions Summary and plans

ITIL Principles Business and Service Continuity Management require a formal analysis of the risks affecting the services or the business ITIL processes involved : Service Continuity Management and Availability Management o Establishment of a Continuity & Availability Plan through: SLM Risk Assessment Critical Services identification INC Mgt RISK Change Mgt

Risk Management in ITIL Purpose of the process o o Identification and quantification of risks To ensure the provision of CERN services To protect CERN business interests & assets To support and maintain CERN s reputation Essential management function, not just a technical process This means: Protect the organization s ability to perform its business Application of (cost-) justifiable countermeasures ensuring the availability of the services Assets Threats Vulnerabilities RISKS Countermeasures

Elements of Risk Management Risk equation: R = f (A, V, T), where: A = Asset (in some cases considered cost ) o Anything that can contribute to the delivery of a service; anything with a certain value o Example: People, data, applications V = Vulnerability o Weakness that can be accidentally triggered or intentionally exploited o Example: single points of failures (SPOF) T = Threat o Anything that might exploit a vulnerability o Example: Terminated employees, airport close to CERN There is not too much to do against threats. However we can have influence on the vulnerability

Quantification of Risks Aim of a formal approach: o Identification of the risks affecting the services o Application of countermeasures based on the impact in case of failure Reduction of the risk likelihood, severity and unpredictability Procedure: o Qualitative and quantitative evaluation of the risk function variables o Business Impact Analysis (BIA) procedures which identifies critical services o Definition of countermeasures based on: Cost-justifications Impact Acceptance threshold

Risk Assessment Method IDENTIFICATION Risk equation variables and available control analysis 1 CALCULATION Likelihood determination and Impact analysis 2 RISK DETERMINATION Risk-level matrix OR risk evaluations 3 COUNTERMEASURES Necessary actions and control recommendations 4 Results DOCUMENTATION 5

STEP1: Identification of variables SERVICE CATALOGUE ASSET THREAT VULNERABILITY Input: Hardware, software, people, data, application Critical Services Output: Understanding of the system boundary, criticality Input: Security reports INC reports Output: Understanding of threatsources Input: Security tests and checklists Audit results Output: List of weakness Vulnerability/th reat pairs

Our Source of information: Service Catalogue To define Assets o Specific value of each Service Element for the organization Identification of critical services Evaluation of the cost in case of a service lose To define Threats o Individual threats affecting the Functional Elements (hence the organization) To define Vulnerabilities o Known weak points against the defined threats Define Threats/Vulnerabilities pairs (relations) o In association to the assets Threats Assets 3 2 Vulnerabilities Countermeasure 5 RISKS 1 SE 4 A/B/C FE

STEP1: Vulnerability/Threat Identification of Vulnerability/Threat pairs o This identification is necessary to quantify the risk Vulnerability Threat-Source Description Terminated employee ID s are not removed from the system Guest ID is enabled on the servers Single points of failures: not redundant expertise Terminated employees Unauthorized users (hackers) Sickness Dialing into the company s network and accessing the systems Unauthorized users can access data Experiment cannot apply a specific patch

STEP 2: Risk calculation Previous elements needs to be evaluated in terms of likelihood and impact o o Likelihood depends on the threat-source and the vulnerability level (e.g., High, Medium, Low) L = f (T, V) Impact depends on the criticality and the asset (e.g., High, Medium, Low) I = f (C, A) Existing mitigating security controls should be considered Risk = Likelihood x Impact Impact Low (10) Medium (50) High (100) Example of basic Risk matrix Likelihood High (1.0) Low =10 Medium = 50 High = 100 Medium (0.5) Low = 5 Medium = 25 Medium = 50 Low (0.1) Low = 1 Low = 5 Low = 10

STEP 3: Risk Determination A complete risk determination will include both qualitative inputs and risk assessment based on the risk-matrix Vulnerability Terminated employee ID s are not removed from the system Guest ID is enabled on the servers Single points of failures: not redundant expertise Threat Source Terminated employees Unauthoriz ed users - hackers Sickness Description Controls Likelihood Impact Risk Level Dialing into the company s network and accessing the systems Unauthorized users can access data Experiment cannot apply a specific patch Account locked after 90 days L (0.1) H (100) L (10) None H (1) H (100) H (100) None M (0.5) M (50) M (25)

STEP 4: Countermeasures Formal establishment of actions based on the risk assessment towards risk mitigation o Effectiveness and costs Risk Level High Medium Low Countermeasures Strong need for measures to put in place ASAP Plan developed within reasonable period of time Can we accept the risk and do nothing?

Examples applied to CERN functions Assets: CERN facilities o Examples applied to: EDH, CERN Service Desk Criticalities: (defined as impact of application lost) Criticality Description Factor Levels Minor nil 1 Very few people affected; < 1KCHF Hardly visible 2 Several people affected; < 5KCHF Very limited 3 Small group affected; < 10KCHF Average Limited 4 People affected > 20; cost < 20KCHF Visible 5 People affected > 50; cost < 50 KCHF Significant 6 People affected > 100; cost < 100 KCHF Major Very important 7 People affected > 150; cost < 400 KCHF Important 8 People affected > 500; cost < 1MCHF Critical Disastrous 9 People affected > 1000; cost < 10MCHF Catastrophic 10 People affected > 1000, > 10MCHF, life danger

Examples applied to CERN functions Threats/Vulnerabilities Likelihood Calculations and mitigation plans Likelihood Factor Common Threat-Sources Natural Threats Floods, electrical storms, etc No (once > 10 years) Impossible 1 Almost impossible 2 Very unlikely 3 Human Threats network attacks, errors, malicious sw upload, etc Maybe (once in 5-10 years) Unlikely 4 Little plausible 5 Plausible 6 Environment Threats pollution, long-term power failure, etc Likely 7 Yes (once < year) Very likely 8 Almost certain 9 Certain 10

Examples applied to CERN functions Final calculation of risk and recommendations: Threat x Vulnerability = Probability Probability x Impact = RISK Threats Loss of data: 5 Viruses: 5 Hacking: 8 Strike: 7 Assets V Risk V Risk V Risk V Risk EDH 4 180 3 135 4 288 4 252 Service Desk 4 180 2 90 4 288 4 252 Mitigation plans over Risk > 200

Summary and Plans Risk Management is a crucial process to ensure the continuity of the services and the business o Formal approach in needed for consistency, scalability and predictability In the Service Management project, we have established some of the fundamental processes that will supply necessary inputs: o Service Catalogue, INC Mgt, Change Mgt and SLM (ongoing) Establishment of the process foreseen in 2012 following a formal ITIL approach that will require the involvement of both Service Owners and Users Your feedback and knowledge will be crucial to ensure a continuity plan for all our services

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information