Certification and Accreditation CS-7493-01, Unit 4: Risk Management. Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah.

2 Acknowledgement
- DoD , DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
- DoD M, DITSCAP Application Manual
- Risk Management Guide for IT Systems, NIST
- Basic Risk Management for DoD
- E-commerce Risk Management slides (Dr. Hale, CS slides)
- Risk Management within an IT System Environment, Communications Security Establishment (CSE), Canada

3 Overview
- General definitions
- Risk management process
- C&A

4 What is a Threat?
A threat is any circumstance or event with the potential to cause harm to an information system (IS) through:
- unauthorized access,
- destruction,
- disclosure,
- modification of data, or
- denial of service.

5 What is a Vulnerability?
A vulnerability is a weakness in an IS's security procedures, internal controls, or implementation that a threat could exploit.

6 So, What is Risk?
Risk is the combination of two things:
- the harm that a specific event (threat) would cause, and
- the likelihood that the harm will actually occur, that is, that the threat exploits a vulnerability.
A threat with no vulnerability to exploit, or a vulnerability that no threat can reach, contributes no risk; both factors have to be present.

7 What is Residual Risk?
Residual risk is the portion of risk remaining after security measures (countermeasures) have been applied. In practice it is never zero; the question for the accreditor is whether it is acceptable.

8 Risk Management
Definition: the process of
- identifying risk,
- assessing risk, and
- taking steps to reduce risk to an acceptable level (the residual risk).

9 Risk Management Cycle (figure)
1. Understand mission objectives
2. Understand security needs (services)
3. Characterize risk posture (threat analysis)
4. Characterize what can be done (countermeasures)
5. Decide what will be done
6. Implement decided actions, then return to step 1 as the mission and the threats change

10 Mission Is Everything
- The mission defines the value of each component:
  - people
  - equipment
  - information systems
  - facilities
- The mission is the guiding force for determining risk.
- The organization's mission must be understood by the risk management team.
- Information systems (IS) play a critical role in supporting the mission.

11 Information System -- Definition (NTISSI)
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

12 Information System Assets
- Hardware: PCs, servers, cables, disk drives, routers
- Software: programs, utilities, operating systems
- Data and information: as created, processed, stored (including databases), in transit, and when removed from the system
- People: users, and the staff needed to run the systems
- Documentation: of programs, hardware, systems, local administrative procedures, and the system as a whole
- Supplies: paper, forms, ribbons, magnetic media

13 Risk Management Cycle: understand mission objectives; understand security needs (services)

14 ITSEC Class Characteristics
Each characteristic is assessed for the operation, the data, the infrastructure, and the system as a whole, and is assigned one of a set of alternatives:
- Interfacing mode
- Processing mode
- Attribution mode
- Mission-reliance factor
- Accessibility factor
- Accuracy factor
- Information categories

15 ITSEC Classification: Mission Reliance on the IS
The Mission-Reliance Factor is the degree to which mission success depends on the system's operation, data, or infrastructure:
- None: the mission is not dependent on the specific aspect.
- Cursory: the mission is incidentally dependent on it.
- Partial: the mission is partially dependent on it.
- Total: the mission is totally dependent on it.
Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IS-related risk.

16 ITSEC Classification: Security Characteristics

Security characteristic        Alternatives (by mission reliance)
Confidentiality                Sensitive, Classified, Special Access
Availability                   Reasonable, Soon, ASAP, Immediate
Integrity (Accuracy)           NA, Approximate, Exact
Accountability (Attribution)   None, Rudimentary, Basic, Comprehensive

17 Mission Trees (figure)
Missions
  Deploy
    Warning Order (C, I, A)
    Movement Order (C, I, A)
  Develop Equipment
    Performance Characteristics (C, I, A)
    Patentable Characteristics (C, I, A)
Each leaf is rated for confidentiality, integrity, and availability, so the tree ties every security need back to the mission element it serves.

18 Risk Management Cycle: characterize risk posture (threat analysis), after understanding mission objectives and security needs (services)

19 Threat Analysis: Sources
- Threat agent: the individual or thing responsible for the event
  - adversarial (hackers and spies)
  - non-adversarial (recreational hackers and accidents)
  - disasters (floods and power outages)
- Attack: the sequence of steps taken to cause an event
- Finding vulnerabilities: the weaknesses those steps would exploit

20 Threat Analysis: Basic Process
1. Identify and define the mission.
2. Determine the required security services.
3. Build a theory of adversarial behavior:
   - identify potential adversaries;
   - determine adversary intentions and characteristics;
   - determine adversary strategies.
4. Identify attack scenarios.
5. Match adversary behavior with attack scenarios.

21 Threat Analysis: Mission Security Requirements
- Threat: the potential for harm, along three dimensions: confidentiality, integrity, and availability.
- Confidentiality
  - Is the information valuable to adversaries?
  - What are the consequences of a leak within 1 minute, 1 hour, 1 day, 1 week?
- Integrity
  - How dependent is the mission on the accuracy of the data?
  - What are the consequences of an integrity breach?
- Availability
  - How dependent is the mission on access to the data or services?
  - What are the consequences of unavailability, and how do they grow over time?
  - Are there alternative modes of operation?

22 Risk Management Cycle: characterize what can be done (countermeasures), after understanding mission objectives and security needs (services) and characterizing the risk posture (threat analysis)

23 Characterize Options
- What is the impact of specific attacks on the mission?
- Which vulnerabilities may permit successful attacks?
- Where should resources be expended to achieve the greatest reduction in risk?
- Avoid the tendency to view vulnerabilities in isolation: an attacker chains them, so a low-severity weakness can be the entry point to a high-impact one.

24 Countermeasure Selection
- Enumerate the countermeasure possibilities.
- Characterize each countermeasure option.
- Compare the options.
- Determine the resulting change to risk.
- Weigh cost against benefit.

25 Countermeasures
Factors to be considered:
- security mechanisms
- physical security
- personnel security
- administrative security
- media security
- life-cycle controls
Can a countermeasure change the initial design, or even the mission? It can, so every selected countermeasure must be re-checked against the mission objectives before it is adopted.

26 Risk Management Cycle: decide what will be done, after understanding mission objectives and security needs (services), characterizing the risk posture (threat analysis), and characterizing what can be done (countermeasures)

27 Risk Analysis: Options and Decisions
- Overriding goal: mission success.
- Weighed in terms of cost versus benefit.
- Identify the pros and cons (+/-) of each course of action.
- Decision options:
  - reduce the risk (apply countermeasures),
  - accept the risk (document it as residual risk),
  - avoid the risk (do not perform the activity or deploy the component), or
  - transfer the risk (e.g. to a third party or an insurer).
Risk avoidance and risk acceptance are the two ends of the scale; reduction and transfer lie between them.

28 Countermeasures: Costs/Benefits (figure)
The figure plots likelihood of successful attack (low to high) against mission impact (low to high). Point (1) is the risk before countermeasures; points (1A) and (1B) show where option 1 and option 2 respectively move it.
Costs:
- dollars
- additional people resources
- lost system functionality
- time
Benefits:
- improved mission success

29 What Is Acceptable?
- Will we have 100% effectiveness? No. After the countermeasures are applied, vulnerabilities fall into three groups:
  - eliminated,
  - reduced,
  - remaining.
- For the remaining ones: what are they, and why are they still there?
- Is the resulting residual risk acceptable?
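The cost-versus-benefit comparison of slide 28 and the residual-risk question of slide 29, worked as a small risk register, with slide 6's definition of risk (harm combined with likelihood) put into numbers. This is an added example; it is not code from the slides or from any of the cited DoD, NIST or CSE documents. The 1-5 ordinal scales, the product scoring, the ACCEPTABLE_RISK threshold, and every register entry, countermeasure and dollar figure are assumptions made for illustration.

```python
"""Added example, not from the original slides: a minimal risk register that
applies the deck's definitions numerically and records residual risk.

Assumptions (mine, not the slides'): likelihood and impact are ordinal 1..5
scores; risk = likelihood * impact (max 25); a countermeasure subtracts points
from either score at a fixed dollar cost; a risk whose score is at or below
ACCEPTABLE_RISK is accepted.  All register entries and figures are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ACCEPTABLE_RISK = 6  # assumed organisational threshold for accepting residual risk


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                # dollars (constructed)
    likelihood_reduction: int  # points removed from the likelihood score
    impact_reduction: int      # points removed from the impact score


@dataclass(frozen=True)
class Risk:
    threat: str                          # event with the potential to cause harm
    vulnerability: str                   # weakness the threat would exploit
    likelihood: int                      # 1 = rare .. 5 = almost certain
    impact: int                          # 1 = negligible .. 5 = mission failure
    options: Tuple[Countermeasure, ...]  # countermeasures that apply to this risk

    @property
    def score(self) -> int:
        """Risk combines the likelihood of harm with the severity of that harm."""
        return self.likelihood * self.impact

    def residual(self, cm: Countermeasure) -> int:
        """Risk remaining after cm is applied.  Scores never fall below 1:
        a countermeasure reduces a vulnerability, it rarely eliminates it."""
        lik = max(1, self.likelihood - cm.likelihood_reduction)
        imp = max(1, self.impact - cm.impact_reduction)
        return lik * imp


def characterize(risk: Risk) -> list:
    """Characterise each option: residual risk, reduction achieved, reduction per dollar."""
    rows = []
    for cm in risk.options:
        residual = risk.residual(cm)
        reduction = risk.score - residual
        rows.append({"countermeasure": cm.name, "cost": cm.cost, "residual": residual,
                     "reduction": reduction,
                     "reduction_per_dollar": reduction / cm.cost if cm.cost else float("inf")})
    return rows


def decide(risk: Risk) -> Tuple[str, Optional[str], int]:
    """Return (decision, countermeasure name or None, residual score).

    Accept if the risk is already tolerable; otherwise reduce with the cheapest
    option that reaches the threshold.  If no option does, the register cannot
    decide by itself: the authorising official must accept the residual risk,
    avoid the activity, or transfer the risk, so the entry is escalated with the
    best available reduction noted.
    """
    if risk.score <= ACCEPTABLE_RISK:
        return ("accept", None, risk.score)
    rows = characterize(risk)
    reaching = [r for r in rows if r["residual"] <= ACCEPTABLE_RISK]
    if reaching:
        best = min(reaching, key=lambda r: r["cost"])
        return ("reduce", best["countermeasure"], best["residual"])
    if rows:
        best = max(rows, key=lambda r: r["reduction"])
        return ("escalate (accept, avoid or transfer)", best["countermeasure"], best["residual"])
    return ("escalate (accept, avoid or transfer)", None, risk.score)


# Constructed register (not from the slides).
PATCHING = Countermeasure("patch management process", 20_000, likelihood_reduction=2, impact_reduction=0)
SEGMENTATION = Countermeasure("network segmentation", 60_000, likelihood_reduction=1, impact_reduction=3)
BACKUP = Countermeasure("nightly off-site backup", 8_000, likelihood_reduction=0, impact_reduction=3)
LOGGING = Countermeasure("privileged activity logging", 5_000, likelihood_reduction=1, impact_reduction=0)

REGISTER = [
    Risk("external intruder", "unpatched remote service", 4, 5, (PATCHING, SEGMENTATION)),
    Risk("disk failure", "no backup of mission data", 3, 4, (BACKUP,)),
    Risk("insider misuse", "overly broad privileges", 3, 5, (LOGGING,)),
    Risk("form left on shared printer", "printer in open area", 2, 2, ()),
]


def run_register(register=REGISTER) -> dict:
    """Decide every entry; the result is what goes to the AO with the residual risks."""
    return {r.threat: decide(r) for r in register}


if __name__ == "__main__":
    for threat, (decision, cm, residual) in run_register().items():
        print(f"{threat:30s} {decision:40s} {cm or '-':30s} residual={residual}")
```

Run it directly to print the decisions. Two points worth noticing: for the intruder risk, patching has the better reduction per dollar but leaves a residual of 10, so the more expensive segmentation is chosen; cost-effectiveness is only compared among options that actually make the residual risk acceptable. The escalated entry is deliberate: avoiding or transferring a risk cannot be computed from the register, it is a decision for the authorizing official, and the register's job is to hand over the residual figure that decision rests on.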

30 Security Risk Management Process
Source: Government of Canada, Communications Security Establishment (CSE).