Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG Computer Security Plans

Published byOpal Patricia Austin Modified over 6 years ago

Similar presentations

Presentation on theme: "OSG Computer Security Plans"— Presentation transcript:

1 OSG Computer Security Plans
Irwin Gaines, Don Petravick, Vikram Andem 20-Jun-2006

2 Security for the OSG OSG Facility Security Officer coordinates, monitors and supports the security of the OSG infrastructure. Two different kinds of OSG security plans: Core OSG and facility security templates. Risk Assessment Following NIST ( process leading to Controls Management Operational Technical

3 Two Types of Security Plans
Core OSG: assets under complete control of OSG (eg, middleware software cache). OSG is responsible for security of these systems Facilities, VOs and software providers that are “part” of OSG. OSG can create examples and templates of security plans that can be incorporated into site and VO plans. Sites and VOs are responsible for security of these Starting with core OSG.

4 First the Risk Assessment
What can go wrong ? What is the potential impact ? what to protect and what resources to commit to protective measures. Ensure that all possible risks are considered and categorized Security plan - security controls that mitigate identified risks. Contingency plans - procedures for dealing with residual unmitigated risks

5 What’s a Risk Assessment ?
A statement of what could go wrong, Countermeasures to prevent some of these things from happening, and Statement that you will live with the risk of the rest - residual risks. Covers: Threat: who is knocking on the door Vulnerability: improperly secured door; you cannot have a risk without both a threat and a vulnerability Likelihood: probability of occurrence Impact: what is the damage if the risk occurs Security controls: mitigations against risks

6 Threat Agent Threat Risk Asset (OSG) Exposure Safeguard
Gives rise to Threat Exploits Vulnerability Leads to Risk Directly affects Asset (OSG) Exposure Can damage And causes an Safeguard Can be counter measured by

7 Examples from Fermilab
Threat those who walk in and use our resources, generally non malicious: worms, bots, squatters. Vulnerability Remote Access - living on an open network

8 Identifying important risks
Likelihood/impact table: each risk is ranked low/medium/high in both likelihood and potential impact if unmitigated; then important risks are those that are >low in both Bulleted list of those risks considered to be more than minimal (=low) in likelihood and/or impact Currently low is defined as minimal impact to program; medium is limited but non minimal impact

9 Residual risks Residual risks are divided into categories based on expected frequency of occurrence after full implementation of all security controls. We consider an occurrence rate to be: low if it is expected to happen <10 times per year, very low if it is expected to happen less than once/year extremely low if it is expected to happen less than once every five years.

10 Risk Assessment document

11 Next a Security Plan Fully describe each control mentioned in your risk assessment Organize controls into management (policies), operational (things people do) and technical (things machines do) controls, and relate them to NIST control families Show how each control will be assessed (Interview, Examination, Test)

12 Next Steps Complete risk assessments and security plans for core OSG resources Start with overall OSG (common baseline for subsidiary assessments) Proceed per OSG core asset inventory Determine relationship between OSG core resources and those of its host organizations and VOs. Establish basis for trust relationships among OSG, sites and VOs - plans and agreements. Collaborate with sites and VOs on preparation of their plans.

Download ppt "OSG Computer Security Plans"

Similar presentations

RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.

RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.
OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.
Control and Accounting Information Systems

Control and Accounting Information Systems
Project Management.

Project Management.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Risk Assessment Frameworks

Risk Assessment Frameworks
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
8 Managing Risk Teaching Strategies

8 Managing Risk Teaching Strategies
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Introduction to Network Defense

Introduction to Network Defense
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework

Similar presentations

Ads by Google