CYSM Business Diagrams Dr. Thanos Karantjias Dr. Spyros Papastergiou 1.

2 Topics
- Risk Assessment Service
- Risk Assessment Administration
  - Calendar Management
  - Configure Organizational Structure
  - Configure Risk Assessment Elements

3 Risk Assessment Administration
Type of user: Administrator
Main functions:
- Organizational Calendar Management (slides 4, 5)
- Configure Organization Structure (slide 6)
- Configure Risk Assessment Elements (slide 7)

4 Organizational Calendar Management: Calendar Management (Apply Standards)
Main options:
- Add New Risk Assessment
- View Completed Risk Assessments
1st level activities:
- Apply Standards
- Invite Involved Departments (slide 5)
2nd level activities (Apply Standards):
- Define applied Sections (ISO 27001)
- Define applied Subsections
- Define Level of applicability (ISPS)
- Statement of Applicability

5 Organizational Calendar Management: Calendar Management (Invite Involved Departments)
Main options:
- Add New Risk Assessment
- View Completed Risk Assessments
1st level activities:
- Apply Standards (slide 4)
- Invite Involved Departments
2nd level activities (Invite Involved Departments):
- Definition: Departments / Third Parties (names)
- Applied Managers (names)
- Applied Employees (names)
- Organizational Chart

6 Configure Organizational Structure (Add/Edit/Delete Entities, Configure Entities)
Main options:
- Configure Internal Departments
- Configure Third Trusted Parties
1st level activities:
- Add / Edit / Delete Entities (Deps & TTPs)
- Entity Configuration
- View
2nd level activities (Entity Configuration):
- Entity – (Sub)Section Relation
- Weight of Entity on (Sub)Section
- Add / Edit / Delete Entity Managers
- Add / Edit / Delete Entity Employees
- Weight of Personnel on (Sub)Section

7 Configure Risk Assessment Elements (Configure List of Assets’ Categories, Threats, Vulnerabilities, Countermeasures)
Main options:
- Configure Assets’ Categories
- (Configure Assets)*
- Configure Threats
- Configure Vulnerabilities
- Configure Countermeasures
- Configure All
- View
1st and 2nd level activities:
- Add / Edit / Delete
- Map Assets to Assets’ Categories
- Map list of Threats to Assets’ Categories
- Map list of Vulnerabilities to Threats
- Map list of Countermeasures to Vulnerabilities
- Define a Scale of applicability on Countermeasure
- Map Threats to Standard (Sub)Sections*
- Map Vulnerabilities to Standard (Sub)Sections*
- Map Countermeasures to Standard (Sub)Sections*

8 Risk Assessment Administration
Type of user: Administrator
Main functions:
- Evaluated Infrastructure: Physical Port Facility / ICT Port Facility / Physical & ICT Port Facility
- Business Processes & Activities
- Identification of Assets

9 Risk Assessment Administration
Type of user: Administrator/User
Main function: Identification of Assets
- Identification of Human Assets
- Definition of Physical Infrastructure
- Identification of Physical Assets (slide 10)
- Identification of Hardware Assets (slide 11)
- Identification of Network Assets (slide 12)
- Identification of Software Assets (slide 13)
- Identification of Information Assets (slide 14)

10 Identification of Physical Assets (Risk Assessment Administration)
Main elements:
- External environment (e.g. homes of the personnel, premises of another organization)
- Premises (e.g. buildings, terminal)
- Zones (e.g. offices, secure zone)
- Telecommunications services and equipment (e.g. telephone line)
- Services and means (sources and wiring) required for providing power (e.g. low voltage power supply)
- Correlation of Physical Assets

11 Identification of Hardware Assets (Risk Assessment Administration)
Main elements:
- Transportable equipment (e.g. laptop, tablet, PDA)
- Fixed equipment (e.g. server, workstation)
- Processing peripherals (e.g. printer, removable disc drive)
- Computer hardware (e.g. case, motherboard, memory, graphic cards)
- Electronic medium (e.g. tape, memory key, CD-ROM, floppy disc, back-up cartridge)
- Correlation of Hardware Assets
- Correlation with Physical Assets

12 Identification of Network Assets (Risk Assessment Administration)
Main elements:
- Medium and supports (PSTN, Ethernet, Gigabit Ethernet, cable, fibre, WiFi 802.11, Bluetooth, FireWire)
- Passive or active relay (e.g. bridge, router, hub, switch, automatic exchange)
- Communication interface (e.g. WiFi, GPRS, Ethernet adaptor)
- Correlation of Network Assets
- Correlation with Hardware Assets

13 Identification of Software Assets (Risk Assessment Administration)
Main elements:
- Operating system
- Virtual server (e.g. server)
- Cyber-physical system (e.g. process control systems, distributed robotics)
- Package software or standard software (e.g. database management software, web server software)
- Standard business application (e.g. accounts software)
- Correlation of Software Assets
- Correlation with Hardware Assets

14 Identification of Information Assets (Risk Assessment Administration)
Main elements:
- Hardcopies
- Digital
- Correlation with Hardware Assets
- Correlation with Software Assets
- Correlation with Physical Assets

15 Risk Assessment Administration
Type of user: Administrator/User
Main functions, for each asset:
- Identification of existing countermeasures
- Calculation of the asset value (Confidentiality, Integrity, Availability)
- Estimation of likelihood of occurrence of a threat

16 Risk Assessment Procedure
- Phase 1: Set the boundaries of RA
- Phase 2: Asset Identification
- Phase 3: Threat Analysis
- Phase 4: Vulnerability Analysis
- Phase 5: Generate RA results

17 Risk Assessment Procedure (Phase 1: Set the boundaries of RA)
Role: Information Security Officer
- Define Service(s) to be assessed
- Define Standard(s) (and areas) to be applied
- Define Department(s) to be invited
- Define involved Employees

18 Risk Assessment Procedure (Phase 2: Asset Identification)
Role: All invited users
- Identify Assets
- Categorize Assets
- Set the impact (value) of Assets
- Define assets’ correlation and dependency

19 Risk Assessment Procedure (Phase 3: Threat Analysis)
Role: All invited users
- For each identified Asset, identify its threats
- Based on the threat’s appearance sequence, identify the threat level
- Based on Assets’ dependency, the threat level will be inherited
- Configure inheritance and dependencies
- Transparent system function

20 Risk Assessment Procedure (Phase 4: Vulnerability Analysis)
Role: All invited users
- For each identified Threat, identify its applied countermeasures
- Based on the countermeasures’ identification, define the Vulnerability level
- Based on Assets’ dependency and threat definition, the vulnerability level will be inherited
- Configure inheritance and dependencies
- Transparent system function

21 Risk Assessment Procedure (Phase 5: Generate RA results)
Role: Information Security Officer
- Apply CYSM methodology
- Generate RA results
- Export RA Results in various formats
- Get (and Publish) RA results
- Transparent system function
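The five phases on slides 16 to 21, together with the per-asset value and countermeasure steps of slide 15, can be exercised end to end on a small model. The block below is an added example, not part of the presentation or of the CYSM tool, and its scoring rules are assumptions chosen only to make the flow concrete: asset value is the maximum of the C, I and A ratings; a threat level is inherited from dependencies as the maximum level found on the asset itself or on any asset it transitively depends on; the vulnerability level is 5 minus the strongest applied countermeasure (applicability scale 0 to 4), inherited the same way; risk is value times threat level times vulnerability level. The port-facility assets, threats and countermeasures are constructed sample data.

```python
"""Toy walk-through of the five-phase RA procedure (added example).

Scoring rules are assumptions, not the CYSM methodology:
  - asset value = max(C, I, A) on a 1-5 scale                         (Phase 2)
  - threat level inherited as the max over the asset and its deps     (Phase 3)
  - vulnerability level = 5 - strongest applied countermeasure (0-4),
    floored at 1, inherited the same way                              (Phase 4)
  - risk = value * threat level * vulnerability level                 (Phase 5)
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    category: str                      # Physical, Hardware, Network, Software, Information
    cia: tuple[int, int, int]          # Confidentiality, Integrity, Availability, 1-5
    depends_on: list[str] = field(default_factory=list)
    threats: dict[str, int] = field(default_factory=dict)  # threat -> own likelihood 1-5

    @property
    def value(self) -> int:            # Phase 2: impact (value) of the asset (assumed rule)
        return max(self.cia)


# (asset, threat) -> {countermeasure: applicability level 0-4}   (Phase 4 input)
Countermeasures = dict[tuple[str, str], dict[str, int]]


def dependency_closure(assets: dict[str, Asset], name: str) -> list[str]:
    """Phase 2: every asset `name` depends on, directly or transitively (cycle-safe)."""
    seen: list[str] = []
    stack = list(assets[name].depends_on)
    while stack:
        n = stack.pop()
        if n != name and n not in seen:
            seen.append(n)
            stack.extend(assets[n].depends_on)
    return seen


def carriers(assets: dict[str, Asset], name: str, threat: str) -> list[str]:
    """The asset itself plus those dependencies on which `threat` was identified."""
    return [n for n in [name, *dependency_closure(assets, name)] if threat in assets[n].threats]


def threat_level(assets: dict[str, Asset], name: str, threat: str) -> int:
    """Phase 3: own level, or the maximum inherited through the dependency chain."""
    return max(assets[n].threats[threat] for n in carriers(assets, name, threat))


def vulnerability_level(assets: dict[str, Asset], cms: Countermeasures, name: str, threat: str) -> int:
    """Phase 4: 5 minus the best applied countermeasure, inherited as the maximum."""
    def own(n: str) -> int:
        applied = cms.get((n, threat), {})
        return max(1, 5 - max(applied.values(), default=0))
    return max(own(n) for n in carriers(assets, name, threat))


def risk_register(assets: dict[str, Asset], cms: Countermeasures) -> list[dict]:
    """Phase 5: one row per (asset, threat), inherited threats included, highest risk first."""
    rows = []
    for a in assets.values():
        inherited = {t for d in dependency_closure(assets, a.name) for t in assets[d].threats}
        for t in sorted(set(a.threats) | inherited):
            tl = threat_level(assets, a.name, t)
            vl = vulnerability_level(assets, cms, a.name, t)
            rows.append({"asset": a.name, "threat": t, "value": a.value,
                         "threat_level": tl, "vulnerability_level": vl,
                         "risk": a.value * tl * vl})
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"], r["threat"]))


def export(rows: list[dict], fmt: str = "json") -> str:
    """Phase 5: export RA results in various formats (JSON and CSV shown here)."""
    if fmt == "json":
        return json.dumps(rows, indent=2)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: one port service in scope (Phase 1 boundary), four assets.
ASSETS = {a.name: a for a in [
    Asset("Terminal building", "Physical", (2, 3, 4),
          threats={"Unauthorised physical access": 3}),
    Asset("Gate server", "Hardware", (4, 4, 5), ["Terminal building"],
          threats={"Malware": 4}),
    Asset("Vessel scheduling app", "Software", (3, 5, 5), ["Gate server"],
          threats={"Malware": 2}),
    Asset("Cargo manifests", "Information", (5, 5, 3), ["Vessel scheduling app"]),
]}
COUNTERMEASURES: Countermeasures = {
    ("Gate server", "Malware"): {"Antivirus": 2},
    ("Vessel scheduling app", "Malware"): {"Patching": 3},
}

if __name__ == "__main__":
    print(export(risk_register(ASSETS, COUNTERMEASURES), "csv"))
```

Running the block prints the register as CSV: the cargo manifests carry no threat of their own, yet they inherit both the malware threat of the gate server (level 4, vulnerability 3 after the weaker of the two countermeasures) and the physical-access threat of the terminal building (level 3, vulnerability 5 with nothing applied), which is exactly the "transparent system function" the slides describe for inheritance.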

22 Design – CYSM main site
Logo
Main Menu: Home / Digital Library / Collaboration Suite / Help / Contact
- Home -> Template? Content?
- Digital Library -> Template?
- Collaboration Suite -> Template?
- Help -> Template? Content (e.g. videos)?
- Contact -> Template?

23 Design – CYSM port site
Logo
Main Menu: Home / Digital Library / Collaboration Suite / Services / Help / Contact / Administration (Language -> Translation?)
- Home -> Template? Content?
- Digital Library -> Template?
- Collaboration Suite -> Template?
- Services -> Template?
- Help -> Template? Content (e.g. videos)?
- Contact -> Template?
- Administration -> Template?
