Risk Analysis: Know what to protect before protecting it…
Unit 2 – Security, Targeting & Analysis of Risk (STAR)
Educause MARC 2003. Copyright 2002, Marchany.


The Layers of Security
- Policy
- Awareness
- Risk Analysis
- Incident Response
- Free Tools

98% On-Time Return Rate
We have 180+ administrative and academic departments. Each department is required, by state directive, to turn in an IT risk analysis. We get a 98% on-time return rate on the risk analysis reports. How?

How Do We Do It?
The University IT Security Office convinces the CFO of the need to do a departmental risk analysis. The CFO controls the budget for all departments. The CFO issues a directive to all department heads stating that the reports must be turned in on time; otherwise he will review their budget requests. You must obtain the buy-in of the top university officials. Period.

Case Study – The 1st Time (Sort of…)
We applied some, but not all, TBS (Time-Based Security) concepts in our first attempt to determine the security status of our assets. That process took about 12 months; the security committee met once every 2-3 weeks. We are starting the sixth iteration now, and it takes one month at most.

The Committee
Management and technical personnel from the major areas of Information Systems (IS):
- University Libraries
- Educational Technologies
- University Network Management Group
- University Computing Center
- Administrative Information Systems

The Committee’s Scope
Information Systems Division only. The committee identified and prioritized:
- ASSETS
- RISKS associated with those ASSETS
- CONTROLS that may be applied to the ASSETS to mitigate the RISKS
It did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to the assets we wish to protect.

Identifying the Assets
Compiled a list of assets (100+ hosts) and categorized each as critical, essential or normal:
- Critical – VT can’t operate without this asset for even a short period of time.
- Essential – VT could work around the loss of the asset for up to a week. The asset needs to be returned to service as soon as possible.
- Normal – VT could operate without this asset for a finite period, but entities may need to identify alternatives.


Prioritizing the Assets
The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical. The assets classified as critical were then rank-ordered using a matrix prioritization technique: each asset was compared with every other asset, and committee members voted on their relative importance. Members could split their vote.

Prioritizing the Assets (continued)
Asset weight values are calculated by a simple formula: weight = sum of the vote values the asset received. Voting criteria:
- Criticality
- Value to the organization
- Impact of an outage

Identifying the Risks
A RISK was selected if it could cause an incident that would:
- Be extremely expensive to fix
- Result in the loss of a critical service
- Result in heavy, negative publicity, especially outside the university
- Have a high probability of occurring
Risks were prioritized using the same matrix prioritization technique.

Prioritizing the Risks
Same formula as for prioritizing assets: weight = sum of vote values. Criteria:
- Scope of impact
- Probability of an incident
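The pairwise voting described on the asset and risk prioritization slides, as an added Python example (this is not the VT committee's spreadsheet). It compares every item with every other, lets each member cast or split one vote per pair, sums the vote values into weights, rank-orders assets and risks, and then crosses the two weight lists into an asset-risk matrix. The asset names, risk names, ballots and applicable pairs are constructed, and scoring a matrix cell as the product of the two weights is this example's assumption; the slides only say an asset-risk matrix was built.

```python
"""Matrix prioritization for STAR assets and risks.

Added example, not the VT committee's own spreadsheet.  Every item is
compared with every other item; each committee member has one vote per
pair and may split it; an item's weight is the sum of the vote values it
receives.  Asset names, risk names and ballots below are constructed.
"""
from itertools import combinations


def pairwise_votes(items, ballots):
    """Return {item: weight} from pairwise ballots.

    items   -- names to rank (assets or risks).
    ballots -- one dict per committee member, mapping an ordered pair
               (a, b) to the share of that member's single vote given
               to a: 1.0 = all to a, 0.0 = all to b, 0.5 = split evenly.
    Every member must vote on every pair exactly once; the pair may be
    written in either order.
    """
    weights = {name: 0.0 for name in items}
    all_pairs = {frozenset(p) for p in combinations(items, 2)}
    for member, ballot in enumerate(ballots, 1):
        seen = set()
        for (a, b), share_a in ballot.items():
            key = frozenset((a, b))
            if key not in all_pairs:
                raise ValueError(f"member {member}: unknown pair {(a, b)}")
            if key in seen:
                raise ValueError(f"member {member}: voted twice on {(a, b)}")
            if not 0.0 <= share_a <= 1.0:
                raise ValueError(f"member {member}: share {share_a} not in [0, 1]")
            seen.add(key)
            weights[a] += share_a
            weights[b] += 1.0 - share_a
        missing = all_pairs - seen
        if missing:
            raise ValueError(f"member {member}: no vote on {sorted(map(sorted, missing))}")
    return weights


def rank(weights):
    """Rank-order by weight, highest first; ties broken by name so the
    ordering is deterministic."""
    return sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))


def asset_risk_matrix(asset_weights, risk_weights, applies):
    """Cross asset and risk weights for the (asset, risk) pairs the
    committee says apply.  Scoring a cell as the product of the two
    weights is this example's assumption, not something the slides state."""
    cells = {(a, r): asset_weights[a] * risk_weights[r] for a, r in applies}
    return sorted(cells.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: four critical assets, three selected risks,
# three committee members.  The network is one entity, as on the slides.
ASSETS = ["network", "central auth", "payroll", "library catalog"]
ASSET_BALLOTS = [
    {("network", "central auth"): 1.0, ("network", "payroll"): 1.0,
     ("network", "library catalog"): 1.0, ("central auth", "payroll"): 1.0,
     ("central auth", "library catalog"): 1.0, ("payroll", "library catalog"): 1.0},
    {("network", "central auth"): 0.5, ("network", "payroll"): 1.0,
     ("network", "library catalog"): 1.0, ("central auth", "payroll"): 1.0,
     ("central auth", "library catalog"): 1.0, ("payroll", "library catalog"): 0.5},
    # This member writes two pairs the other way round and prefers payroll.
    {("central auth", "network"): 0.0, ("network", "payroll"): 1.0,
     ("network", "library catalog"): 1.0, ("payroll", "central auth"): 1.0,
     ("central auth", "library catalog"): 1.0, ("payroll", "library catalog"): 1.0},
]
RISKS = ["unpatched host", "power loss", "data disclosure"]
RISK_BALLOTS = [
    {("unpatched host", "power loss"): 1.0, ("unpatched host", "data disclosure"): 0.5,
     ("power loss", "data disclosure"): 0.0},
    {("unpatched host", "power loss"): 1.0, ("unpatched host", "data disclosure"): 1.0,
     ("power loss", "data disclosure"): 0.5},
    {("unpatched host", "power loss"): 0.0, ("unpatched host", "data disclosure"): 0.0,
     ("power loss", "data disclosure"): 1.0},
]
# Which risks the committee judged applicable to which assets (constructed).
APPLIES = [("network", "unpatched host"), ("network", "power loss"),
           ("central auth", "data disclosure"), ("payroll", "data disclosure"),
           ("library catalog", "unpatched host")]


def star_matrices():
    """Run the whole prioritization on the sample data."""
    aw = pairwise_votes(ASSETS, ASSET_BALLOTS)
    rw = pairwise_votes(RISKS, RISK_BALLOTS)
    return {"assets": rank(aw), "risks": rank(rw),
            "asset_risk": asset_risk_matrix(aw, rw, APPLIES)}


if __name__ == "__main__":
    for name, table in star_matrices().items():
        print(name)
        for key, score in table:
            print(f"  {key}: {score:g}")
```

Because each member spends exactly one vote per pair, the weights of all items always sum to members × pairs, which is a quick sanity check on a filled-in voting sheet; a ballot that skips a pair or votes on it twice is rejected rather than silently skewing the ranking.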

How STAR Looked Originally
- Original STAR Asset, Risk, Asset-Risk and Control Matrices
- Original STAR Compliance Matrices

How STAR Looks Now
Do most of the work for the departments. We provide:
- Business Recovery Plan Template
- Intro to the BIA/RA (Business Impact Analysis / Risk Analysis) Process
- General Instructions for Departmental BIA/RA
- Blank BIA/RA Template
- IS Risks For Dummies
- Example R/A Spreadsheet
- Blank R/A Voting Spreadsheet

The Audit/Security Checklist – Yesterday
The detailed commands used to check an asset. Based on the Defense Information Infrastructure Common Operating Environment (DII COE) initiative. We took the checklists from that site, modified them according to our R/A matrix, and built checklists for Sun, IBM and NT. Our thanks to the unknown author who wrote the original document. The original checklist is available in the Checklists section.

The Audit/Security Checklist – Today
We are now using the CIS Benchmark Rulers as our checklists. CIS provides a scanning tool that lets us check the status of our systems quickly; the scanning tool and the checklist are available for download from CIS. Another example of changing times…

STAR – The Future
STAR is an evolving process. We are now linking asset identification to the management org chart. Assets can now be:
- Physical systems
- Groups of systems that support a service
- A business process that requires a group of systems
- A business process that depends on other business processes


Conclusions
- TBS provides a quantitative, repeatable method of prioritizing your assets.
- The matrices provide an easy-to-read summary of the state of your assets.
- These matrices can be used to provide your auditors with the information they need.
- The checklist contains the detailed commands to perform the audit/security check.

Building Your IT Audit Plan/Checklist
Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory.

What Risks Should We Examine?
The SANS/FBI Top 20 vulnerabilities meet our TBS risk criteria. They:
- Have a high probability of occurring
- Result in the loss of a critical service
- Are extremely expensive to fix later
- Result in heavy, negative publicity
Examine your IT assets for these vulnerabilities.

Assessing the Cost
A complete IT audit is a set of component audits.
Master equation: E = D + R, where
- E = time you are exposed
- D = time to detect the attack
- R = time to react to the attack
Each component audit therefore has to establish how long an attack would go undetected there and how long it would take to react once noticed. Components, each with its own E = D + R:
- Procedural
- Perimeter (firewall)
- UNIX
- NT/Windows 2000

CIS Rulers
Rulers list the set of minimal actions that need to be taken on a host system. It is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Educational Testing Service and others). Can’t develop your own set? Use these!

Applying Security to Assets – General Strategy
- Use STAR to identify critical risks and assets.
- Use CIS benchmarks to determine which computer services are required for the business function to work.
- Remove unnecessary services.
- Create the “security” script.

Applying Security to Assets – The CD to Production Cycle
1. Install the OS from CD or an “install” server.
2. Install applications.
3. Apply vendor/application recommended patches and security patches.
4. Install local tools (security, etc.).
5. Run the CIS-based/STAR-based customization.
6. The system is ready for production.
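The “remove unnecessary services” step of the general strategy and the STAR-based customization that closes the build cycle, as an added Python example (this is not VT's CIS/STAR customization script). It reads an inetd.conf-style service table, reports which active services the risk analysis did not call for, comments those entries out with a marker, and lists required services that have no active entry. The sample inetd.conf, the required-service list (including the “ssh” entry that exists only to show the missing-service report) and the marker text are all constructed assumptions.

```python
"""Harden an inetd.conf-style service list against a STAR-derived
allowlist.  Added example, not VT's CIS/STAR customization script; the
sample configuration, required-service set and marker text are constructed."""

DISABLED_TAG = "#STAR-disabled: "

# Constructed sample in the classic inetd.conf layout:
# service socket-type protocol wait/nowait user server-program args
SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf, not from a real host
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd     in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp     nowait  root    internal

rstatd/2-4  tli  rpc/datagram_v  wait  root  /usr/lib/netsvc/rstat/rpc.rstatd  rpc.rstatd
"""

# What the risk analysis says this asset's business function needs
# (constructed).  "ssh" is normally started by init rather than inetd, so
# it is expected to show up in the missing-required report.
REQUIRED_SERVICES = {"ftp", "ssh"}


def active_services(conf_text):
    """Yield (line_number, service_name) for every uncommented entry."""
    for n, line in enumerate(conf_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        yield n, s.split()[0]


def audit_inetd(conf_text, required):
    """The check: services that are switched on but not required."""
    return sorted({svc for _, svc in active_services(conf_text)
                   if svc not in required})


def missing_required(conf_text, required):
    """Required services with no active inetd entry.  Not necessarily a
    problem (the service may be started elsewhere), but it should be
    confirmed rather than assumed."""
    present = {svc for _, svc in active_services(conf_text)}
    return sorted(required - present)


def harden_inetd(conf_text, required):
    """Return (new_text, disabled): every unrequired active entry is
    commented out and tagged.  Already-commented and blank lines are left
    alone, so running this a second time changes nothing."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s.split()[0] not in required:
            out.append(DISABLED_TAG + line)
            disabled.append(s.split()[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    print("active but not required:", audit_inetd(SAMPLE_INETD_CONF, REQUIRED_SERVICES))
    hardened, gone = harden_inetd(SAMPLE_INETD_CONF, REQUIRED_SERVICES)
    print("disabled:", gone)
    print("required but not in inetd:", missing_required(hardened, REQUIRED_SERVICES))
    print(hardened)
```

Run the audit function alone when you only want the compliance check for the R/A matrix; run the hardening function as part of the customization step, keeping a copy of the original file for the diff that goes to the auditors. On a real host the edit only takes effect once inetd is told to re-read its configuration, and services started outside inetd need their own check.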

The CIS Checklists
- CIS Solaris Benchmark Document
- CIS ratings taken at three points in the build: after OS installation with no patches; after security/vendor patch installation; after applying the local configuration rules
- CIS Linux Benchmark Document
- CIS Windows 2000 Benchmark Document
- CIS Solaris Customization Script based on the VT Risk Analysis

Require Vendor Security Compliance
Terms and conditions of purchase: the vendor must certify that their product is not vulnerable to the threats listed in the SANS/FBI Top 20 Internet Vulnerabilities document. We have been doing this since 7/1/02; only 2 vendors out of 700+ have declined. This prevents vendors from hampering our security efforts.

Summary
- Use STAR for risk analysis of IT assets.
- Use the SANS/FBI Top 20 Internet Threats list as a starting point.
- Use CIS benchmarks to get the actual commands needed to implement your policy based on your R/A.