OSG Computer Security Plans

Slides:

Advertisements

Similar presentations

RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.

Advertisements

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.

Control and Accounting Information Systems

Project Management.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.

Lecture 1: Overview modified from slides of Lawrie Brown.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Lecture 11 Reliability and Security in IT infrastructure.

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)

Lecture 8: Risk Management Controlling Risk

Risk Assessment Frameworks

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

8 Managing Risk Teaching Strategies

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Application Threat Modeling Workshop

Introduction to Network Defense

SEC835 Database and Web application security Information Security Architecture.

Storage Security and Management: Security Framework

PRM 702 Project Risk Management Lecture #28

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

HIPAA COMPLIANCE WITH DELL

Discussing “Risk Analysis in Software Design” 1 FEB Joe Combs.

Lecture 32 Risk Management (Cont’d)

CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)

INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Tingxuan Liu Risk Management in Software engineering.

Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

1 TenStep Project Management Process ™ PM00.7 PM00.7 Project Management Preparation for Success * Manage Risk *

INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,

CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 2 Risk Identification and Risk Assessment.

Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.

IT Risks and Controls Revised on Content Internal Control  What is internal control?  Objectives of internal controls  Types of internal controls.

REC support is. provided under cooperative agreement 90RC0025/01 from the Office of the National Coordinator for HIT, US Dept. of Health and Human Services.

Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.

NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.

Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.

Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.

INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.

INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.

ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,

By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Computer Science / Risk Management and Risk Assessment Nathan Singleton.

The process of identifying and controlling the risks is called Risk Management.

Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)

Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

Risks and Hazards to Consider Unit 3. Visual 3.1 Unit 3 Overview This unit describes:  The importance of identifying and analyzing possible hazards that.

Headquarters U.S. Air Force

Information Security Management Goes Global

Information Systems Security

Identifying and Assessing Risk

Risk management.

ISSeG Integrated Site Security for Grids WP2 - Methodology

Chapter 8 – Administering Security

Compliance with hardening standards

8 Managing Risk (Premium).

TOPIC 3 RISK MANAGEMENT.

Introduction to the Federal Defense Acquisition Regulation

Involuntary Resettlement 0P 4.12: Planning Instruments

Cyber security Policy development and implementation

Chapter 1 Key Security Terms.

Awareness and Auditor training kit

ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions

Presentation transcript:

OSG Computer Security Plans Irwin Gaines, Don Petravick, Vikram Andem 20-Jun-2006

Security for the OSG OSG Facility Security Officer coordinates, monitors and supports the security of the OSG infrastructure. Two different kinds of OSG security plans: Core OSG and facility security templates. Risk Assessment Following NIST (http://csrc.nist.gov/) process leading to Controls Management Operational Technical

Two Types of Security Plans Core OSG: assets under complete control of OSG (eg, middleware software cache). OSG is responsible for security of these systems Facilities, VOs and software providers that are “part” of OSG. OSG can create examples and templates of security plans that can be incorporated into site and VO plans. Sites and VOs are responsible for security of these Starting with core OSG.

First the Risk Assessment What can go wrong ? What is the potential impact ? what to protect and what resources to commit to protective measures. Ensure that all possible risks are considered and categorized Security plan - security controls that mitigate identified risks. Contingency plans - procedures for dealing with residual unmitigated risks

What’s a Risk Assessment ? A statement of what could go wrong, Countermeasures to prevent some of these things from happening, and Statement that you will live with the risk of the rest - residual risks. Covers: Threat: who is knocking on the door Vulnerability: improperly secured door; you cannot have a risk without both a threat and a vulnerability Likelihood: probability of occurrence Impact: what is the damage if the risk occurs Security controls: mitigations against risks

Threat Agent Threat Risk Asset (OSG) Exposure Safeguard Gives rise to Threat Exploits Vulnerability Leads to Risk Directly affects Asset (OSG) Exposure Can damage And causes an Safeguard Can be counter measured by

Examples from Fermilab Threat those who walk in and use our resources, generally non malicious: worms, bots, squatters. Vulnerability Remote Access - living on an open network

Identifying important risks Likelihood/impact table: each risk is ranked low/medium/high in both likelihood and potential impact if unmitigated; then important risks are those that are >low in both Bulleted list of those risks considered to be more than minimal (=low) in likelihood and/or impact Currently low is defined as minimal impact to program; medium is limited but non minimal impact

Residual risks Residual risks are divided into categories based on expected frequency of occurrence after full implementation of all security controls. We consider an occurrence rate to be: low if it is expected to happen <10 times per year, very low if it is expected to happen less than once/year extremely low if it is expected to happen less than once every five years.

Risk Assessment document

Next a Security Plan Fully describe each control mentioned in your risk assessment Organize controls into management (policies), operational (things people do) and technical (things machines do) controls, and relate them to NIST control families Show how each control will be assessed (Interview, Examination, Test)

Next Steps Complete risk assessments and security plans for core OSG resources Start with overall OSG (common baseline for subsidiary assessments) Proceed per OSG core asset inventory Determine relationship between OSG core resources and those of its host organizations and VOs. Establish basis for trust relationships among OSG, sites and VOs - plans and agreements. Collaborate with sites and VOs on preparation of their plans.