GSA Office of Emergency Response and Recovery Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response.


GSA Office of Emergency Response and Recovery: Risk Based Continuity Planning
Darren J. Blue, Director, Policy and Plans, Office of Emergency Response and Recovery
June 2009, GSA Expo

GSA EXPO 2009 Office of Emergency Response and Recovery

Slide 2: What is Risk Based Planning?
The process of selecting and implementing countermeasures or mitigation strategies to achieve an acceptable level of risk at an acceptable cost.
– Risk management and continuity planning begin with the identification of critical assets (processes, functions, systems, information) that enable the execution of essential functions.
– Once we identify these assets, we can work towards ensuring their resiliency.

Slide 3: Purpose
Provides a systematic approach to acquiring and analyzing the information necessary to support decision makers in allocating scarce continuity resources to ensure the protection of critical assets and capabilities.
– Structured process
– Not an exact science

Slide 4: Continuity: What's Changed?
Old Think:
– Warning of event
– Single-use assets
– Movement of people with data
– Reliance on static plans
– Not integrated into daily operations
– Singular view of threat
– Avoided risk
New Think:
– No warning of attack or event
– Dual-use assets
– Routine geographic dispersion of people, data and functions
– Integrated into daily business operations; capabilities based
– Acknowledgment of diverse threats
– Increased reliance on IT systems
– Managed risk

Slide 5: Risk Avoidance vs. Risk Management
Risk Avoidance (checklist):
– Assumes an aggressive adversary in all scenarios
– Counters ALL possible vulnerabilities
– Responds based on worst-case scenarios
Risk Management:
– Integrates the process of assessing the threat, the vulnerabilities, and the value of the asset to the owner
– Weighs the risk of compromise/loss against the cost of mitigation strategies

Slide 6: Risk Management at a Glance (process cycle)
1. Assess Assets
2. Assess Threats
3. Assess Vulnerabilities
4. Assess Risks
5. Determine Countermeasure Options
Then: Make RM Decisions (Cost Analysis, Benefits Analysis), Implement, Test & Eval, Monitor, and return to step 1.

Slide 7: Five Step Process
1. Identify Assets and Loss Impacts
2. Identify and Characterize the Threat to Specific Assets
3. Identify and Characterize Vulnerabilities
4. Assess Risks and Determine Priorities for Asset Protection
5. Identify Countermeasures, Costs and Tradeoffs

Slide 8: Step #1: Identify Assets and Loss Impacts
Determine valued assets requiring protection
– (assets = processes, functions, systems, critical staff)
Identify undesirable events and expected impacts
– (event leading to the loss, damage, or consequence to the asset)
Value/prioritize assets based on consequence of loss
– (based on the definitions, rate the impact)

Slide 9: What is an Asset?
Anything that has value to an essential function.
– People, information, facilities, special equipment, systems, processes, workflow
An asset may have value to an adversary that differs from its value to the owner.
Continuity planning endeavors to increase the resiliency of assets that enable the organization's ability to perform its essential functions.
– Focusing on the assets, processes, systems, key information, and critical staff that allow GSA to do its job and provide services and products to its customers.

Slide 10: Impact Ratings (notional scale)
– Critical (50-100): Indicates that interruption to the asset/function would have grave consequences leading to loss of life, serious injury, or mission failure
– High (13-50): Indicates that interruption to the asset/function would have serious consequences resulting in loss of critical data, equipment, or facilities that could impair operations for a limited period of time
– Medium (3-13): Indicates that interruption to the asset/function would have moderate consequences resulting in loss of highly critical data, equipment, or facilities that could impair operations for a limited period of time
– Low (1-3): Indicates that interruption to the asset/function would have little or no impact on human life or continuity of operations

Slide 11: Example asset worksheet (table columns: Critical Asset; Undesirable Event & Impact; Linguistic Rating; # Rating)
Critical assets: People; Activities & Operations; Information; Equipment; Facilities.
Undesirable events and impacts listed: Hazardous weather / loss of access; Loss of power / loss of production; Theft / loss of critical assets; Terrorism / loss of life and productivity; Disruption / schedule setback; Criminal activity / unsettled employees; Loss / mission failure, degraded; Poor OPSEC / operational disclosure; Unauthorized release / capability disclosures; Chemical spill / environment.
Linguistic ratings shown on the slide range from L (Low) through M and H to C (Critical); the per-row mapping is not recoverable from the transcript.

Slide 12: Step #2: Identify and Characterize the Threat to Specific Assets
– Identify threat categories and adversaries
– Assess intent of each adversary
– Assess capability of each adversary
– Determine frequency of past incidents
– Estimate threat relative to each critical asset

Slide 13: What is a threat vs. an adversary?
What is a threat?
– Any indication, circumstance, or event that can cause the loss of, damage to, or the denial of an asset
Who is an adversary?
– Any entity that conducts, or has the capability and intention to conduct, activities detrimental to interests or assets

Slide 14: Types of Threat
Foreign Intelligence Services:
– Facility penetration
– Non-access attack
– Recruiting staff
Terrorist Threats:
– Kidnapping
– Bombing
– Sabotage
– CBRNE
Natural Threats:
– Fire
– Flood
– Storms (wind, ice, snow)
– Earthquake
Criminal Threats:
– Fraud, theft, robbery
– Arson
– Vandalism
– Computer hacking
Insider Threats:
– Espionage
– Misuse of equipment
– Malicious acts by disgruntled staff
– Workplace violence
Military Threats:
– War
– Insurrection
– State-sponsored activities

Slide 15: Understanding the Threat
Intent:
– Goals
– Motivation
Capability to act:
– Collection/action capability
– Necessary skills/resources
History:
– History of successful attacks
– History of attempts

Slide 16: Threat Ratings (example)
– Critical: Indicates that a definite threat exists against the assets and that the adversary has both the capability and intent to launch an attack, and that the subject or similar assets are targeted on a frequent or recurring basis
– High: Indicates that a credible threat against the assets exists, based on our knowledge of the adversary's capability and intent to attack the assets and based on related incidents having taken place at similar facilities
– Medium: Indicates that there is a potential threat to the assets based on the adversary's desire to compromise the assets and the possibility that the adversary could obtain the capability through a third party who has demonstrated the capability in related incidents
– Low: Indicates little or no credible evidence of capability or intent, with no history of actual or planned threats against the assets

Slide 17: Example threat worksheet (table columns: Critical Asset; Undesirable Event / Impact; # Rating; Threat Category; Threat Rating)
Critical assets: People; Activities & Operations; Information; Equipment; Facilities.
Threat categories shown: Terrorist; FIS / Insider; Insider; Criminal; Weather; Militant; Insider / FIS.
Undesirable events and impacts listed: Hazardous weather / transportation problems; Loss of power / loss of production; Theft / loss of computers; Threat of terrorism / loss of production time; Disruption / schedule setback; Criminal activity / employee injury; Loss / mission failure; Poor OPSEC / operational disclosure; Unauthorized release / capability disclosures; Chemical spill / facility closure.
Threat ratings shown range from L (Low) through M and H to C (Critical); the per-row mapping is not recoverable from the transcript.

Slide 18: Step #3: Identify and Characterize Vulnerabilities
– Identify vulnerabilities of specific assets related to undesirable events
– Identify existing countermeasures and their level of effectiveness in reducing vulnerabilities
– Estimate degree of vulnerability to each asset and threat

Slide 19: Step #4: Assess Risks and Determine Priorities for Asset Protection
– Estimate degree of impact relative to each valued asset
– Estimate likelihood of attack by a potential adversary
– Estimate likelihood that a specific vulnerability will be exploited
– Determine relative degree of risk
– Prioritize risks based on integrated assessment

Slide 20: Assess the Risks
– Quantify the likelihood that an undesirable event will occur
– Determine the severity of the outcome of an undesirable event
– Prioritize the risks
Asset (Impact) x (Threat x Vulnerability) = Risk

Slide 21: Diagram: Asset, Threat and Vulnerability feed the Impact of the Unwanted Event and its Likelihood, which together give Risk.

Slide 22: Risk Assessment Formula
Impact (1-100) x (Threat (0-1.0) x Vulnerability (0-1.0)) = Risk
* You can build your own scale.

Slide 23: Example risk worksheet (table columns: Critical Assets; Potential Undesirable Events; Asset Rating; Asset Value; Threat Rating; Threat Value; Vuln. Rating; Vuln. Value; Risk R/V)
Critical assets: People; Information; Equipment; Facilities; Activities & Operations.
Potential undesirable events listed: Terrorism / loss of production; Loss / mission failure; Unauthorized release / disclosures; Theft / loss of computers; Loss of power / loss of production; Hazardous weather / transportation problems; Closure of facility; Chemical spill; Disruption / schedule setback; Poor OPSEC / disclosure.
Linguistic ratings (L, M, H, C) are shown for asset, threat and vulnerability; the numeric values and the risk column appear on the slide only as "#" placeholders.

Slide 24: Step #5: Identify Countermeasures, Costs and Tradeoffs
– Identify potential countermeasures or mitigation strategies to reduce vulnerabilities and/or threats and/or impacts
– Identify countermeasure or mitigation strategy benefits in terms of risk reduction
– Identify countermeasure or mitigation strategy costs
– Conduct countermeasure or mitigation strategy cost-benefit analyses
– Prioritize options and prepare a recommendation for the decision maker

Slide 25: Countermeasure Costs and Benefits
Countermeasures (mitigation strategies)
– An action taken or a physical entity used to reduce or eliminate one or more vulnerability and/or threat and/or impact
Cost-Benefit Analysis
– The part of the process in which costs and benefits of countermeasure(s) are compared and the most appropriate alternative selected
– Cost: Tangible, operational, and other costs of countermeasure(s)
– Benefit: Amount of risk reduction based on the overall effectiveness of countermeasure(s)

Slide 26: Countermeasure Options (example)
Undesirable Event | Countermeasures | Risk Level Reduced From/To | Cost
Natural Disaster | Distribute assets | LOW/HIGH to LOW/MED | (not filled in)
Terrorist Attack | Emergency procedures; physical preventions | HIGH/CRITICAL to HIGH/MED | (not filled in)
Loss of critical data | IT resiliency | LOW/MEDIUM to L/M; MEDIUM/MEDIUM to M/M | (not filled in)
TOTAL COST: (not filled in)
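The formula from slide 22 and the cost-benefit comparison of slides 25 and 26, carried through in code. This is an added Python example, not part of the GSA deck: the asset scores, the three countermeasures and their costs are constructed, and ranking options by risk reduction per unit cost is one reasonable reading of "benefit versus cost", not a method the deck prescribes.

```python
"""Risk = Impact (1-100) x (Threat (0-1.0) x Vulnerability (0-1.0)), as in the deck,
plus a cost-benefit ranking of countermeasures. All scores and costs are constructed."""
from dataclasses import dataclass

# Notional impact bands from the deck, highest first; lower bounds inclusive,
# so 50 rates Critical, 13 rates High, 3 rates Medium, 1 rates Low.
IMPACT_BANDS = [(50, "Critical"), (13, "High"), (3, "Medium"), (1, "Low")]

def impact_rating(impact):
    """Map a 1-100 impact score to the deck's linguistic rating."""
    if not 1 <= impact <= 100:
        raise ValueError(f"impact {impact} is outside the 1-100 scale")
    return next(label for low, label in IMPACT_BANDS if impact >= low)

def risk(impact, threat, vulnerability):
    """Risk = Impact x (Threat x Vulnerability); threat and vulnerability are 0-1.0 likelihoods."""
    impact_rating(impact)  # range check on the impact scale
    for name, value in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} {value} is outside the 0-1.0 scale")
    return impact * (threat * vulnerability)

@dataclass(frozen=True)
class Countermeasure:
    """A mitigation option and the residual impact/threat/vulnerability once it is in place."""
    name: str
    cost: float  # tangible and operational cost, constructed units
    impact: float
    threat: float
    vulnerability: float

def rank_countermeasures(baseline, options):
    """Cost-benefit view: (name, risk reduction, cost, reduction per unit cost), best first."""
    base = risk(*baseline)
    rows = []
    for cm in options:
        reduction = base - risk(cm.impact, cm.threat, cm.vulnerability)
        rows.append((cm.name, round(reduction, 2), cm.cost, round(reduction / cm.cost, 4)))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed scenario: loss of facility access from hazardous weather, rated
# High impact (40) with threat 0.8 and vulnerability 0.6, giving risk 19.2.
BASELINE = (40, 0.8, 0.6)
OPTIONS = [
    Countermeasure("Distribute assets across sites", 100.0, impact=15, threat=0.8, vulnerability=0.6),
    Countermeasure("Emergency procedures", 20.0, impact=40, threat=0.8, vulnerability=0.4),
    Countermeasure("Backup power", 40.0, impact=40, threat=0.8, vulnerability=0.3),
]

if __name__ == "__main__":
    print(f"baseline risk {risk(*BASELINE):.1f} ({impact_rating(BASELINE[0])} impact)")
    for name, reduction, cost, ratio in rank_countermeasures(BASELINE, OPTIONS):
        print(f"{name:32} reduction {reduction:5.1f}  cost {cost:6.1f}  per unit cost {ratio:.3f}")
```

Distributing assets removes the most risk in absolute terms, but the cheaper procedural option ranks first per unit cost, which is the tradeoff slide 24 asks the planner to surface for the decision maker.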

Slide 27: Risk based planning provides:
– A structured yet flexible approach to understanding your threat and risk posture
– A process for developing effective business continuity and security countermeasures and options that consider cost and benefit
– A snapshot in time that provides an audit trail for performance improvement
– Supportable, defendable and repeatable results

Slide 28: Questions & Contact
Darren J. Blue
– Director, Policy and Plans, Office of Emergency Response and Recovery