By: Ashwin Vignesh Madhu

Risk Assessment

Overview
- Objective
- Introduction
- Risk
- Risk Management Cycle
- RA Methodologies
  - CRAMM
  - COBRA
  - RuSecure
  - British Standard
  - Hierarchical Criteria Model
- Common Failures in RA
- Elements of Good RA
- OCTAVE
  - Characteristics
  - Process
  - Criteria
  - Examples
  - OCTAVE Methodology
- Choosing Methodology
- Our Methodology

Objective
- Risk assessment process
- Not unique to the IT environment
- Provide the desired level of mission support depending on the budget
- Well-structured risk management methodology

Introduction
- The process of enumerating risks
- Determining their classifications
- Assigning probability and impact scores
- Associating controls with each risk

Risk
- Risk assessment measures risk R, expressed in terms of:
  - the magnitude of the potential loss L
  - the probability p that the loss will occur
- R = L * p, or equivalently Risk = Impact * Likelihood

Risk (Cont.)
- Risk = PA * (1 - PE) * C
  - PA: the likelihood of adversary attack
  - PE: the security system effectiveness
  - (1 - PE): the probability of adversary success
  - C: consequence of loss of the asset
- A high-L, low-p risk and a low-L, high-p risk can have the same R; they are treated differently in practice but given nearly equal priority when dealt with
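To make the two slides above concrete, here is an added example (not part of the original presentation) that scores a small, constructed risk register with R = L * p and evaluates the adversary-based form Risk = PA * (1 - PE) * C. The register entries, the tie-break rule (larger L first when two risks have equal R) and the 5% tolerance used to call two risks "nearly equal priority" are assumptions made for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register entry: potential loss L and probability p of that loss."""
    name: str
    loss: float         # L: magnitude of the potential loss (any consistent unit)
    probability: float  # p: probability the loss occurs, in [0, 1]

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range: {self.probability}")
        if self.loss < 0:
            raise ValueError(f"loss must be non-negative: {self.loss}")


def expected_loss(risk: Risk) -> float:
    """R = L * p  (Risk = Impact * Likelihood)."""
    return risk.loss * risk.probability


def adversary_risk(p_attack: float, p_effectiveness: float, consequence: float) -> float:
    """Risk = PA * (1 - PE) * C, where (1 - PE) is the adversary success probability."""
    for label, value in (("PA", p_attack), ("PE", p_effectiveness)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} must be in [0, 1], got {value}")
    if consequence < 0:
        raise ValueError("consequence must be non-negative")
    return p_attack * (1.0 - p_effectiveness) * consequence


def rank(risks):
    """Order a register by R descending; on equal R, larger L first (assumed tie-break)."""
    return sorted(risks, key=lambda r: (expected_loss(r), r.loss), reverse=True)


def same_priority(a: Risk, b: Risk, rel_tol: float = 0.05) -> bool:
    """True when two risks have (nearly) equal R and so compete for the same priority."""
    return math.isclose(expected_loss(a), expected_loss(b), rel_tol=rel_tol)


# Constructed sample register (values invented for the example).
SAMPLE_REGISTER = [
    Risk("data centre fire", loss=1_000_000, probability=0.001),   # high L, low p
    Risk("laptop theft", loss=2_000, probability=0.5),             # low L, high p
    Risk("phishing credential theft", loss=50_000, probability=0.3),
    Risk("backup misconfiguration", loss=20_000, probability=0.01),
]


if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.name:28s} L={r.loss:>10,.0f} p={r.probability:<6} R={expected_loss(r):,.1f}")
    fire, laptop = SAMPLE_REGISTER[0], SAMPLE_REGISTER[1]
    print("fire vs laptop theft, same priority:", same_priority(fire, laptop))
    # PA = 0.5, PE = 0.75 (adversary succeeds 25% of the time), C = 800
    print("adversary risk:", adversary_risk(0.5, 0.75, 800.0))
```

Note how "data centre fire" and "laptop theft" land on the same R even though one is a rare catastrophe and the other a frequent nuisance; the ranking alone cannot tell them apart, which is why the slide says they are treated differently in practice (insurance and continuity planning for one, routine controls for the other) while receiving similar priority in the register.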

Risk Management Cycle

RA Methodologies
- CCTA Risk Analysis and Management Method (CRAMM)
- Consultative, Objective and Bi-functional Risk Analysis (COBRA)
- RuSecure
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Failure Mode and Effects Analysis (FMEA)
- British Standard (BS)

RA Methodologies (Cont.)
The methods support:
- Detecting critical places and parts in the organization
- Detecting risk factors
- Collecting data about risk factors
- Evaluating and estimating risk
- Generating a report of the risk management process

CRAMM

COBRA
- Two modules that support the process of evaluating security risk:
  - COBRA Risk Consultant
  - ISO Compliance Analyst
- Evaluation steps:
  - Building queries
  - Risk evaluation
  - Constructing reports
- Contains a library of countermeasures

RuSecure

British Standard

Hierarchical Criteria Model

Common Failures in RA
- Poor executive support
- High cost of implementation
- Untimely response
- Insufficient accountability
- Inability to qualitatively measure the control environment
- Infrequent assessment
- Inaccurate data

Elements of Good RA
- Provides clear instructions
- Simplifies user response
- Identifies support contacts
- Focuses on leaders as well as executors
- Provides feedback to users and risk leaders
- Has a broad scope
- Identifies the user for follow-up where necessary and applicable

OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Effective security risk evaluation
- Considers both organizational and technological issues
- Self-directed

Characteristics
- Identify information-related assets
- Focus risk analysis activities on critical assets
- Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
- Evaluate risks in an operational context: how the assets are used to conduct the organization's business
- Create a protection strategy for risk mitigation

OCTAVE Process

Criteria
- Principle: fundamental concepts driving the nature of the evaluation and defining the philosophy behind the evaluation process
- Attribute: distinctive qualities, or characteristics, of the evaluation
- Output: defines the outcomes that an analysis team must achieve during each phase

Examples

OCTAVE Method Process
Phase 1: Build Asset-Based Threat Profiles
- Process 1: Identify Senior Management Knowledge
- Process 2: Identify Operational Area Knowledge
- Process 3: Identify Staff Knowledge
- Process 4: Create Threat Profiles

Phase 2: Identify Infrastructure Vulnerabilities
- Process 5: Identify Key Components
- Process 6: Evaluate Selected Components

Phase 3: Develop Security Strategy and Plans
- Process 7: Conduct Risk Analysis. An organization-wide set of impact evaluation criteria is defined and used to establish the impact value of each risk
- Process 8: Develop Protection Strategy. The team develops an organization-wide protection strategy to improve the organization's security practices
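Process 7 says impact values come from organization-wide impact evaluation criteria rather than from ad-hoc judgement per risk. The following added example (not OCTAVE's own worksheets, and not code from the presentation) shows one simplified way to encode such criteria and apply them to threat outcomes against a critical asset. The impact areas, thresholds, sample assets and threats are all constructed for the example, and the rule that a risk's overall impact is the worst level reached in any area is an assumption.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Organization-wide impact evaluation criteria (constructed sample values).
# For each impact area, the smallest measured consequence that reaches a level.
# A real analysis team agrees these thresholds once and reuses them for every risk.
IMPACT_CRITERIA = {
    "financial_loss_usd": {Impact.HIGH: 100_000, Impact.MEDIUM: 10_000, Impact.LOW: 0},
    "downtime_hours":     {Impact.HIGH: 72,      Impact.MEDIUM: 24,     Impact.LOW: 0},
    "records_exposed":    {Impact.HIGH: 10_000,  Impact.MEDIUM: 100,    Impact.LOW: 0},
}


@dataclass(frozen=True)
class ThreatOutcome:
    """A threat against a critical asset and its estimated consequences per impact area."""
    asset: str
    threat: str
    measures: dict  # impact area -> estimated consequence, in that area's unit


def level_for(area: str, measure: float, criteria=IMPACT_CRITERIA) -> Impact:
    """Map one measured consequence onto the impact level the criteria assign to it."""
    if area not in criteria:
        raise KeyError(f"no impact criteria defined for area {area!r}")
    if measure < 0:
        raise ValueError(f"measure for {area} must be non-negative: {measure}")
    thresholds = criteria[area]
    for level in (Impact.HIGH, Impact.MEDIUM, Impact.LOW):
        if measure >= thresholds[level]:
            return level
    return Impact.LOW


def impact_value(outcome: ThreatOutcome, criteria=IMPACT_CRITERIA):
    """Return (overall impact, per-area impacts).

    Assumption for this example: the overall impact is the worst level reached
    in any single area, so one severe consequence dominates.
    """
    per_area = {area: level_for(area, m, criteria) for area, m in outcome.measures.items()}
    overall = max(per_area.values(), default=Impact.LOW)
    return overall, per_area


def rank_by_impact(outcomes, criteria=IMPACT_CRITERIA):
    """Order threat outcomes by overall impact, highest first (stable for ties)."""
    return sorted(outcomes, key=lambda o: impact_value(o, criteria)[0], reverse=True)


# Constructed threat outcomes for two critical assets.
SAMPLE_OUTCOMES = [
    ThreatOutcome("customer database", "insider disclosure",
                  {"financial_loss_usd": 250_000, "downtime_hours": 48}),
    ThreatOutcome("order system", "ransomware on file server",
                  {"financial_loss_usd": 15_000, "downtime_hours": 8}),
    ThreatOutcome("public website", "defacement",
                  {"financial_loss_usd": 2_000, "records_exposed": 0}),
]


if __name__ == "__main__":
    for o in rank_by_impact(SAMPLE_OUTCOMES):
        overall, per_area = impact_value(o)
        areas = ", ".join(f"{a}={lvl.name}" for a, lvl in per_area.items())
        print(f"{overall.name:6s} {o.asset} / {o.threat}: {areas}")
```

Because the thresholds live in one shared table, two analysts assessing different assets produce comparable impact values, which is the point of defining the criteria organization-wide before Process 7 begins; changing the thresholds then re-scores every risk consistently instead of reopening each judgement.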

Choosing Methods
- Depending on organization size
- Depending on organization hierarchical structure
- Structured or open-ended method
- Analysis team composition
- IT resources

Our Methodology
- Policies and procedures
- Requirement analysis
- Network topology
- Categorizing the network
- Scanning based on categorization
- Analysis of vulnerabilities
- Use of different scanning tools
- Penetration testing
- Risk strategy
- Mitigation of risk

References
- NIST, Risk Management Guide for Information Technology Systems
- http://www.gao.gov/special.pubs/ai00033.pdf
- http://en.wikipedia.org/wiki/Risk_management
- http://en.wikipedia.org/wiki/Risk_assessment
- http://www.sandia.gov/ram
- http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf
- http://www.octave.org

Thank You