Advanced Risk Analysis for High-Performing Organizations

Similar documents
Risk Management Framework

FFIEC Cybersecurity Assessment Tool

Building CSIRT Capabilities

A Framework for Categorizing Key Drivers of Risk

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Overview TECHIS Carry out risk assessment and management activities

Business Continuity Planning. Presentation and. Direction

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

Business Continuity Position Description

IT Risk & Security Specialist Position Description

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

FREQUENTLY ASKED QUESTIONS

Waife & Associates, Inc. Change Management for Clinical Research

PREMIER SERVICES MAXIMIZE PERFORMANCE AND REDUCE RISK

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

White paper. Creating an Effective Security Operations Function

Intelligence Driven Security

Guideline on Vulnerability and Patch Management

Incident Response Team Responsibilities

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

Project Management for Process Improvement Efforts. Jeanette M Lynch CLSSBB Missouri Quality Award Examiner Certified Facilitator

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Enterprise Security Tactical Plan

Risk Management Primer

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

New Zealand Security Incident Management Guide for Computer Security Incident Response Teams (CSIRTs)

PROJECT RISK MANAGEMENT

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

ICBA Summary of FFIEC Cybersecurity Assessment Tool

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

State of Washington Supervisors Guide to Developing Operational Workforce Plans. Updated December 2008

The Value of Vulnerability Management*

Threat and Hazard Identification and Risk Assessment

Information Security Services

CDM Vulnerability Management (VUL) Capability

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Cisco Security Optimization Service

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

The Role of Internal Audit in Risk Governance

IT Service Provider and Consumer Support Engineer Position Description

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Reporting and Incident Management for Firewalls

Desktop Scenario Self Assessment Exercise Page 1

:: MANAGING YOUR AGENCY :: STAY COMPETITIVE WITH APPLIED DORIS

Objectives. Project Management Overview. Successful Project Fundamentals. Additional Training Resources

A shift in responsibility. More parties involved Integration with other systems. 2

Operationalizing Data Governance through Data Policy Management

Accenture Cyber Security Transformation. October 2015

The Security Development Lifecycle at SAP How SAP Builds Security into Software Products

CISM Certified Information Security Manager

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Reaching CMM Levels 2 and 3 with the Rational Unified Process

Minimizing Risk Through Vulnerability Management. Presentation for Rochester Security Summit 2015 Security Governance Track October 7, 2015

Paperless Office Solution Framework for Banking & Financial Services A Business Process Automation (BPA) Approach

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

The Importance of Cyber Threat Intelligence to a Strong Security Posture

3 keys to effective service availability management. Visibility. Proactivity. Collaboration.

Enterprise Cybersecurity: Building an Effective Defense

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Risk Profiling Toolkit DEVELOPING A CORPORATE RISK PROFILE FOR YOUR ORGANIZATION

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

CERT/CC Overview & CSIRT Development Team Activities

Information Security Risk Assessment Methodology

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

At the Heart of Connected Manufacturing

State of Washington. Guide to Developing Strategic Workforce Plans. Updated December 2008

Creating and Managing Computer Security Incident Response Teams (CSIRTs)

NICE and Framework Overview

Framework for Enterprise Risk Management

Threat Management Survey GLOBAL FINDINGS

Enhancing Law Enforcement Response to Victims:

Risk Assessment Worksheet and Management Plan

Bradford J. Willke, CISSP

Top Ten Technology Risks Facing Colleges and Universities

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Change Management: Automating the Audit Process

DevOps Engineer Position Description

Continuity of Operations Planning. A step by step guide for business

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Continuous Monitoring: Match Your Business Needs with the Right Technique

Supply Chain Risk Management: Managing Third Party and External Dependency Risk Transcript

Risk Management. Software SIG. Alfred (Al) Florence. The MITRE. February 26, MITRE Corporation

Transcription:

Pittsburgh, PA 15213-3890 Advanced Risk Analysis for High-Performing Organizations Christopher Alberts Audrey Dorofee Sponsored by the U.S. Department of Defense 2006 by Carnegie Mellon University page 1

Changing Operational Environment From Centralized management control of processes Dedicated, stand-alone technologies Permanent enterprise, defined by organizational chart One team, one mission Compartmentalized view of risk (e.g., project, security) To Distributed management control of processes Interoperable, networked technologies Virtual enterprise, defined by mission Many teams, one mission Integrated view of risk 2006 by Carnegie Mellon University page 2

Changing Risk Profiles Changes in operational environments are driving the need for advanced risk analysis techniques. The operational environment is becoming more complex (e.g., distributed processes). New types of risks have emerged from this complexity. - inherited risk - new sources of risk (e.g., cyber-security risks) - risk from combinatorial effects - risk from cascading consequences - risk from emergent threats 2006 by Carnegie Mellon University page 3

The Need for Advanced Techniques High-performing organizations are able to manage traditional risks. Risks arising from operational complexity are often subtle in nature, but bring the potential for catastrophic consequences. High-performing organizations have the basic skills needed to manage these new types of risk, but sufficient techniques are not readily available. 2006 by Carnegie Mellon University page 4

Key Requirements High performers need advanced risk management techniques that enable them to assume an integrated view of risk (one view that includes process, technology, security, and interoperability risks) address the interrelated nature of risk (combinatorial effects and cascading consequences) understand the amount of risk that is inherited from partners and collaborators characterize the risk arising from the emergent properties of a distributed process 2006 by Carnegie Mellon University page 5

What Is Risk? The possibility of suffering harm or loss Risk requires the following conditions: loss uncertainty choice 2006 by Carnegie Mellon University page 6

Nature of Risk Speculative (dynamic) a risk that has profit and loss associated with it Hazard (static) a risk that only has loss associated with it Profit Status Quo Loss Speculative Hazard Risk Risk 2006 by Carnegie Mellon University page 7

Operational Risk 1 The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events 1. Bank for International Settlements (BIS). International Convergence of Capital Measurement and Capital Standards: A Revised Framework. BIS, 2004. http://www.bis.org/publ/bcbs107.pdf. 2006 by Carnegie Mellon University page 8

Sources of Risk During Operations Mission Design Activity Categories of Threat Environment Event A broad range of threats must be considered when analyzing the potential for mission success. 2006 by Carnegie Mellon University page 9

Mission A mission threat is a fundamental flaw, or weaknesses, in the purpose and scope of a work process. 2006 by Carnegie Mellon University page 10

Process Design A design threat is an inherent weakness in the layout of a work process. 2006 by Carnegie Mellon University page 11

Activity Management An activity threat is a flaw, or weaknesses, arising from the manner in which activities are managed and performed. 2006 by Carnegie Mellon University page 12

Operational Environment Operational Environment An environment threat is an inherent constraint, weakness, or flaw in the overarching operational environment in which a process is conducted. 2006 by Carnegie Mellon University page 13

Event Management Event Event An event threat is a set of circumstances triggered by an unpredictable occurrence that introduces unexpected change into a process. 2006 by Carnegie Mellon University page 14

Mission Risk The possibility that a mission might not be successfully achieved 2006 by Carnegie Mellon University page 15

Mission Assurance Establishing a reasonable degree of confidence in mission success Mission assurance is achieved by ensuring that risk to the mission (i.e., mission risk) is within tolerance. A key aspect of mission assurance is its dual focus on outcome and execution. 2006 by Carnegie Mellon University page 16

Mission Assurance Strategy Mission Assurance Strategy Reduce mission risk to an acceptable level Resolve problems that occur process design and management techniques risk management techniques problem management techniques 2006 by Carnegie Mellon University page 17

What is MAAP? MAAP is a protocol, or heuristic, for determining the mission assurance of an operational process or system. 2006 by Carnegie Mellon University page 18

Key Characteristics of MAAP Applies an engineering approach to risk analysis Designed for highly complex environments (multiorganization, system of systems) Provides an in-depth analysis of processes, relationships, and dependencies Characterizes the risk of mission failures process performance risk security risk operational environment risk 2006 by Carnegie Mellon University page 19

Structured Analysis of Performance MAAP analyzes process performance in multiple operational states normal, or expected, operational conditions unusual circumstances, or occurrences, triggered by external events 2006 by Carnegie Mellon University page 20

Analyzing Multiple States State 1: Expected Operational Conditions Risk during expected operational conditions Event 1 State 2: When Stressed by Event 1 Risk resulting from event 1 Risk to the mission Event 2 State 3: When Stressed by Event 2 Risk resulting from event 2 2006 by Carnegie Mellon University page 21

Risk Causal Chain Risk during expected operational conditions Risk from event 1 Risk to the mission Risk from event 2 Combinations of threats, vulnerabilities and controls Risk resulting from different operational circumstances Mission risk 2006 by Carnegie Mellon University page 22

Bringing Risk within Tolerance Severe Mission Risk Exposure High Medium Low Minimal There is a significant gap between actual risk exposure and management s goal. Risk tolerance Current value of mission risk exposure Management s goal for mission risk exposure Time 2006 by Carnegie Mellon University page 23

Key Risk Drivers Risk during expected operational conditions Risk from event 1 Risk to the mission Risk from event 2 A critical path analysis identifies the key risk drivers. 2006 by Carnegie Mellon University page 24

Protocol Fundamentals - 1 Determine mission objectives. Characterize all operations conducted in pursuit of the mission. Define risk evaluation criteria in relation to the mission objectives. Identify potential failure modes. Perform a root cause analysis for each failure mode. 2006 by Carnegie Mellon University page 25

Protocol Fundamentals - 2 Develop a risk profile of the mission. Ensure that mission risk is within tolerance. 2006 by Carnegie Mellon University page 26

A Common Basis for Analysis 2006 by Carnegie Mellon University page 27

MAAP Pilot Analyzed an incident management process in a large government organization Analyzed risk to the mission under normal conditions quality of response timeliness of response customer satisfaction Examined risk to the mission under unusual circumstances two major incidents occur at the same time cyber security attack renders ticketing system unavailable for an extended period of time 2006 by Carnegie Mellon University page 28

Example: Process Workflow Detect, Triage, and Respond to Events Call Center Tier 2 Call Center Tier 1 Receive call Monitor queue If assigned to Tier 1 queue Receive If handled XOR email If assigned to Tier 2 queue Monitor queue if reassigned outside of IM process Reassigned Triage and outside IRC respond to XOR If resolved and no event action required Resolved event If resolved and field If escalated action required A if reassigned outside of IM process Reassigned Triage and outside IRC respond to XOR If resolved and no event action required Resolved event If resolved and field action required A To Field: Implement actions and close ticket To Field: Implement actions and close ticket Note: This workflow is a snapshot, based on available information Call Center Shift Leads If assigned to Call Center Tier 2 If escalated to Shift Leads Triage and respond to event XOR if reassigned outside of IM process If resolved and no action required If resolved and field action required Reassigned outside IRC Resolved event A To Field: Implement actions and close ticket Senior. Watch Officers Triage event XOR If escalated to IR Team If escalated to IR Team If escalated to other groups Watch Officers Monitor events and indicators If escalated to service groups (IR Team, IT Group) Other Groups From IR Team, Center mgmt, or government mgmt. This triggers other groups to respond to the event (e.g., IG, law enforcement) B Respond to event IT Group Respond to event Government Manager If not approved If not approved Approve release to field XOR If data call approved Note: Communications to the field include bulletins, advisories, and alerts, etc. IRC Manager Approve release to field XOR If approved If communication approved QA/Tech Writers Check document quality Incident Response Team Monitor open source information From Government Manager or Center (on Declare, Respond to, and Close Incidents) D Respond to event If comminication Obtain or data call approval to Resolved release event If resolved and no action required XOR If resolved and field action required If escalated to other groups B To Other Groups: Respond to event (e.g., IG, law If potential incident C enforcement, other center or government groups ) Conduct data call Send communication Monitor data call status Field Report events to CC From Call Center Tier 1, Tier 2, or Shift Leads A To IR Team: Recommend Incident (on Declare, Respond to, and Close Incidents) Implement actions and close ticket Implement actions Implement actions and report status 2006 by Carnegie Mellon University page 29

Example: Complex Risks Training is informal and based on mentoring. All security events go to IR Team. SET assumes responsibility for too many tasks relative to the number of staff. R4 Events could be unnecessarily escalated by the Call Center. IDS tools inherently provide false positives. R8 False positives could be forwarded by the Watch Office. IR Team is a bottleneck IDS tools provide false positives. There are insufficient tools and templates to support IR Team s tasks. It is difficult to find qualified technical staff. Inadequate staffing There is limited back-up capability for IDS tuning in IRC. Inadequate and inefficient tuning of IDS tools exacerbates false positives. R20 An understaffed mission could lead to problems with response time and quality. R8 False positives could be forwarded by the Watch Office. There is limited time and opportunity to stay current in field. The training program is inadequate. SOC staff have uneven skills for recognizing false positives. There is inadequate equipment to support Watch Office on-line training. There is a lack of a comprehensive and balanced training and cross-training program. There is no QA for training. There is a heavy reliance on on-the-job training. There is a heavy reliance on Pre-existing KSAs. IRC partnership determines who fills what position. The best person is not always selected. Sites do not always tell CIRC when they are performing internal scans. 2006 by Carnegie Mellon University page 30

Example: Mission Risk Severe Mission Risk Exposure High Medium Low Minimal Current value of mission risk exposure Time 2006 by Carnegie Mellon University page 31

Example: Mission Assurance Goal Management s goal is to build a world-class incident management capability. This goal translates to very high mission assurance (i.e., very low risk to the mission). 2006 by Carnegie Mellon University page 32

Example: Gap in Performance Severe Mission Risk Exposure High Medium Low Minimal There is a significant gap between actual performance and management s goal. Risk tolerance Current value of mission risk exposure Management s goal for mission risk exposure Time 2006 by Carnegie Mellon University page 33

Example: Mitigation Strategy Simplify the mission. - Determine which incident management services are essential. - Develop a plan for growing the incident management capability over time. Redesign the process based on the revised mission. Develop and test contingency plans. 2006 by Carnegie Mellon University page 34

Conclusions Many types of risk prevalent in today s operational environments (e.g., event risks, inherited risk) are not readily identified using traditional risk analysis techniques. High-performing organizations have the basic skills needed to identify and manage these new types of risk, but lack sufficient techniques. Average or poor performers will not have the skills needed to identify and manage new types of risk (and probably have bigger, more obvious risks to deal with). MAAP is one technique that high performers can use to identify and mitigate the risks arising from operational complexity. 2006 by Carnegie Mellon University page 35

Additional Research and Development Develop a technique for quickly estimating mission risk exposure. First pilot will focus on mission assurance in incident management. Second pilot will focus on mission assurance in system development. Refine and document MAAP based on pilot experience. Pilot MAAP in another domain. 2006 by Carnegie Mellon University page 36

Contact Information Telephone 412 / 268-5800 Fax 412 / 268-5758 WWW U.S. mail http://www.sei.cmu.edu/programs/ acquisition-support/ Customer Relations Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 2006 by Carnegie Mellon University page 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information