Process for Analysis  Choose a standard / type  Qualitative / Quantitative Or  Formal / Informal  Select access controls  Match outcome to project.

Slides:

Advertisements

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Advertisements

1 PROJECT MANAGEMENT ROLE OF KEY PERSONNEL Bernd Madauss International Space University Strasbourg February, 2011

Project Management 6e..

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Chapter 2 Analyzing the Business Case.

© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

Project Risk Management

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

By: Ashwin Vignesh Madhu

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Computer Security: Principles and Practice

Managing Project Risk.

Risk Assessment Frameworks

Part II Project Planning © 2012 John Wiley & Sons Inc.

Security Risk Management Paula Kiernan Ward Solutions.

What is Business Analysis Planning & Monitoring?

PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 1 USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal.

Degree and Graduation Seminar Project Management Processes

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Process Standardization Project

Module 3 Develop the Plan Planning for Emergencies – For Small Business –

Chapter 11: Project Risk Management

Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.

© 2001 by Carnegie Mellon University PSM-1 OCTAVE SM : Senior Management Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh,

© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

NIST Special Publication Revision 1

Federal Agency Update - A Public Real Estate Symposium Las Vegas, Nevada January 26, 2010 Procedures Guide for Right of Way Cost Estimation and Cost Management.

Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans.

Project Management Methodology Project Closing. Project closing stage Must be performed for all projects, successfully completed or shut off by management.

Risk Management Project Management Digital Media Department Unit Credit Value : 4 Essential Learning time : 120 hours.

Technology Planning. Primary Elements Stakeholders Leadership team Needs assessment Technology components Work plan Budget Policies Evaluation.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Strong9 Consulting Services, LLC 1 PMI - SVC I-80 Breakfast Roundtable Monthly Meeting Thursday, October 12, :00 am – 9:00 am.

ISM 5316 Week 3 Learning Objectives You should be able to: u Define and list issues and steps in Project Integration u List and describe the components.

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.

Project Management Methodology Development Stage.

Develop Project Charter

Service Level Agreements Service Level Statements NO YES The process of negotiating and defining the levels of user service (service levels) required.

1 Appendix B Initial Briefing Template. 2 Site X Vulnerability Assessment (VA) Presenter name Presenter organization Presenter phone Presenter phone/ .

1 | 2010 Lecture 3: Project processes. Covered in this lecture Project processes Project Planning (PP) Project Assessment & Control (PAC) Risk Management.

Chapter 3 Strategic Information Systems Planning.

Project Risk Management Planning Stage

Introduction to Project Management Chapter 9 Managing Project Risk

Company LOGO. Company LOGO PE, PMP, PgMP, PME, MCT, PRINCE2 Practitioner.

Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.

OCTAVE By Matt White. OCTAVE  OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning.

Copyright 2012 John Wiley & Sons, Inc. Part II Project Planning.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Prof. Shrikant M. Harle.  The Project Life Cycle refers to a logical sequence of activities to accomplish the project’s goals or objectives.  Regardless.

Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh,

Sourcing Evaluation Life Cycle Go/No Go decision points Competition Alignment Discovery Con tract Modification Project Initiation Vendor Capabilities Contract.

Part II Project Planning.

Office 365 Security Assessment Workshop

Chapter 8 – Administering Security

د. حنان الداقيز خريف /28/2016 Software Quality Assurance ضمان جودة البرمجيات ITSE421 5 – The components of the SQA.

Lifecycle Services for Advanced Wireless LAN (LCSAWLAN) practice-questions.html.

Description of Revision

Part II Project Planning © 2012 John Wiley & Sons Inc.

USAID/Peru Risk Assessment In-Briefing

Risk Mitigation & Incident Response Week 12

Project Management Group

The Survival Plan.

{Project Name} Organizational Chart, Roles and Responsibilities

Project Management Essentials

Presentation transcript:

Process for Analysis  Choose a standard / type  Qualitative / Quantitative Or  Formal / Informal  Select access controls  Match outcome to project objectives  Provide guidance for improvement

Outcome Framework Example  Build Asset-based Threat profiles  Identify Infrastructure vulnerabilities  Develop security strategy and plans  Measure adherence to policies…?  Recommend mitigation strategies

Build Profiles  Profiles are guides to help frame recommendations –Threat –Vulnerability –Exposure –Assets –Value –Processes –Etc..  Good way to organize information- current state

Identify Vulnerabilities  CVE  ICAT  Cassandra  Vendor tools  “SANs / ISO, FMEA, Best practices”  Can be administrative, personnel, technical or physical

Develop Strategy  This is the “value” of the final deliverable  Make suggestions for areas of improvement  DO NOT RELY ON VENDOR TOOLS  Research like crazy- contact support network  Make sure easy to digest and accomplish

Context  How do you determine what is “at risk” and what is not?  Low, medium, high  Scale of 1-10  Red, Yellow, green  Ultimately comes down to applying the threat profile to the asset- to determine level of risk

Risk Assessment Planning Overview Session #7

RA Process Elements  Identify Organizational Information  Build Asset-based Threat Profiles  Identify Infrastructure Vulnerabilities  Develop Protection Strategy OCTAVE Methodology

Identify Organizational Information  Identify information-related assets  Selects those that are most critical to the organization  Evaluate current security practices to identify what the company is doing well  Identify which practices are missing or inadequate

Build Threat Profiles  Identify security requirements for critical assets  Identify threats to those assets  Based on business mission of organization

Infrastructure Vulnerabilities  Identify components to evaluate  Develop a vulnerability management practice  Find problems linked with technology and processes

Develop Protection Strategy  Identifies risks to the organization’s critical assets  Evaluates the risks to establish a value for the resulting impact on the assets  Decision is made to accept of mitigate each risk  Selects highest priority actions  Develop the protection strategy for priorities

Risk Assessment / Management Decision Process

Objects of the RA  Mission  Systems Description  Assets  Sensitivity  Criticality  Vulnerabilities  Threats  Safeguards

RA Planning  Figure out where data needs to come from: –Info needed before on site visit –Collect info from public sources –Work on WBS tasks –Decide interview schedule and personnel  Stay true to SOW –Watch time investment –Always match actions to goals –Avoid SOW creep

Pre Site Visit Goals  Confirm Client’s goals with delivery team  Connect Sponsor with delivery team lead  Establish escalation procedures and contact personnel  Goal is to get client comfortable with: –Approach –Needs –Consultants doing work –Process for moving project to conclusion

Pre Site Visit Information  Policies  Infrastructure Architecture Drawing / maps  Administrator passwords  Org Chart  Secure workspace  Budget information  Mission statements

Document Review  Access Logs - System, Maintenance, and Visitor  Incident Reports  Documents - Plans, Policies, and Procedures  Previous Risk Assessments  Continuity of Operations Plans  Contingency Reports  Directories  Inventory Records  Floor Plans  Organization Charts  Mission Statements  System and Network Configurations

On Site Process  Hold meeting ASAP to introduce players and state objectives and discuss process  Collect information requested in pre-site visit process  Discuss interview process, scheduling and targets: –Line up personnel to interview –Have questions already prepared –Run interviews in parallel to other data collection techniques

Initial On Site Process  Need to discuss facility access: –After hours building access needed –Normal business hours access required –Badges may be needed- get them –Understand departmental work hours –Get facilities tour:  Restrooms  Cafeteria  Sponsor’s office  Work Area  Off limit areas

Initial On Site Activity  Start scans  Arrange interviews  Perform facility walkthrough  Examine Policies  Dumpster dive  Printers output trays  Open desk areas