
Risk Management Workshop

Presentation on theme: "Risk Management Workshop"— Presentation transcript:

1 Risk Management Workshop
Introduction to the WISE-RAW risk analysis approach for e-infrastructures
Easy to use, direct results
Alf Moens, SURFnet

2 WISE RAW-WG
The WISE Risk Assessment Working Group (RAW) shares information and best practices on how risk assessments can be effectively implemented.
RAW will now release an easy-to-use risk assessment template and related instructions for e-infrastructures for research and higher education.
Check our web page and our wiki:
Join by contacting the chairs and by subscribing to our list.
More information from the WG chairs: Urpo Kaila, Bart Bosma
Bart Bosma has been appointed vice chair of the RAW WG.
Intro page with the purpose of this mini workshop:
Get acquainted with this method
Give feedback for improvement
Overview of risk analysis methods with plusses and minuses
Background on how we came to this method
Explain the method
Explain the exercise
Do the exercise
Feedback from the groups
Feedback on the method

3 Why Risk Analysis/Assessment/Management?
You only have limited resources.
You need to know where the value of your operation is.
You need to know against which threats you need to protect.
Not a one-time process, it is recurring:
Periodically
After a major change
After serious incidents (own organization, peers, sector, globally)

4 Risk Assessment Methods and Tools
Methods: Austrian IT Security Handbook, ISO/IEC 27001, IT-Grundschutz, Cramm, Magerit, Dutch A&K Analysis, Marion, Ebios, Mehari, ISAMM, MIGRA, ISF Methods, Octave, ISO/IEC, RiskSafe Assessment, ISO/IEC 17799, NIST SP800-30
Tools: Callio, GSTool, Casis, KRiO, CCS Risk Manager, ISAMM, CloudeAssurance, Mehari 2010 basic tool, Cobra, MIGRA Tool, Countermeasures, Modulo Risk Manager, Cramm, Octave, EAR / PILAR, Proteus, Ebios, Ra2

5 Two ways to start: by Threat or by Asset
Normally you start a risk assessment, and other security measures, by identifying the assets to be protected. In some environments, for example in NRENs, the assets are already well known, and you can instead start by identifying threats.

6 Sharing Best Practices: Survey on Risks Related to Vulnerabilities
A survey* was sent to IT security specialists and system and network administrators in research infrastructures; 55 persons from 19 countries replied.
Question 9: The best ways to mitigate risks caused by software vulnerabilities are (choose three)
Interesting answers; more information in the linked article.
*

7 Risk analysis by Threat
Initial threat-based approach
Ad hoc analysis of vulnerabilities: ‘Heartbleed’, ‘Broadpwn’ (Broadcom wifi chip), WannaCry
Threats are: vulnerabilities, misconfiguration, rogue admin, abuse of stolen credentials, human error, …
Picture of POODLE or a recent wifi attack or DigiCert or Heartbleed!

8 Risk Analysis for assets
Initial asset-based approach
Risk analysis for new equipment, major changes in infrastructure, network, etc.
Assets are: infrastructure, scientific data, personal data, reputation
Picture of infrastructure: BCS? Or Huygens?

9 Release of RAW Risk Assessment template 1
Release of the RAW Risk Assessment template, now available from the RAW wiki
An easy-to-use spreadsheet template with example implementations and with instructions on how to implement a risk assessment.
Wise Security Risk Assessment
Instructions
Some sample risks
Authors: Linda Cornwall, STFC; Stéphan Coutin, CINES; Sedat Çapkın, SURFsara; Urpo Kaila, CSC/EUDAT; Dankmar Lauter, DFN-CERT; Christian S. Fötinger, hs-augsburg.de; Bart Bosma, SURFnet; Mischa Sallé, NIKHEF; Ingimar Örn Jónsson, RHNET
The WISE RAW Risk Assessment template is hereby released. Many thanks to all who contributed by sharing best practices.
Template fields: Asset or service; Business value; Risk targets; Threat; Existing controls; Still existing vulnerabilities; Description of impact; Impact; Probability; Risk; Risk owner; Approved residual risk; Action items; Reviewed

10 Likelihood, Impact and other “standards”
Level 1: Likelihood: Unlikely to happen. Impact: Minimal impact.
Level 2: Likelihood: Happens less than once a year. Impact: Minor, local service disruption of less than 1 week.
Level 3: Likelihood: Happens every few months / more than once a year. Impact: Serious disruption for multiple users or sites.
Level 4: Likelihood: Happens every 2 – 3 months or even more frequently. Impact: Service cannot be delivered for a length of time.

11 Let’s get to work: Asset based or Threat based?
Granularity? The complete data center or the wifi chip in your smartphone?
The initial risk analysis (your “baseline”) should probably be high level, with more detailed follow-up analyses based on specific threats (Heartbleed) or vulnerable equipment (wifi chips).

