Download presentation
Presentation is loading. Please wait.
Published byTyler Chapman Modified over 9 years ago
2
GSA Office of Emergency Response and Recovery Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response and Recovery June 2009, GSA Expo
3
GSA EXPO 2009 Office of Emergency Response and Recovery 2 What is Risk Based Planning? The process of selecting and implementing countermeasures or mitigation strategies to achieve an acceptable level of risk at an acceptable cost –Risk Management and Continuity planning begins with the identification of critical assets (processes, functions, systems, information) that enable the execution of essential functions Once we ID these assets we then can work towards ensuring their resilency.
4
GSA EXPO 2009 Office of Emergency Response and Recovery 3 Purpose Provides a systematic approach to acquiring and analyzing the information necessary to support decision makers in the allocation of scarce continuity resources to ensure the protection of critical assets and capabilities. –Structured process –Not a exact science.
5
GSA EXPO 2009 Office of Emergency Response and Recovery 4 Continuity what's Changed ? Old Think: –Warning of Event –Single Use Assets –movement of people with data –Reliance on static plans –Not integrated into daily operations –Singular view of threat –Avoided Risk New Think: –No warning of attack or event –Dual Use Assets –Routine Geographic Dispersion of people, data and functions –Integrated into daily business operations Capabilities based –Acknowledgment of diverse threats. –Increased reliance on IT Systems –Managed Risk
6
GSA EXPO 2009 Office of Emergency Response and Recovery 5 Risk Avoidance vs. Risk Management Risk Avoidance –Assumes an aggressive adversary in all scenarios –Counters ALL possible vulnerabilities –Responds based on worst-case scenarios Risk Management –Integrates the process of assessing the threat, the vulnerabilities, and the value of the asset to the owner –Weighs the risk of compromise/loss against the cost of mitigation strategies. Checklist
7
GSA EXPO 2009 Office of Emergency Response and Recovery 6 Risk Management at a Glance Assess Assets 1 Assess Threats 2 Assess Vulnerabilities 3 Assess Risks 4 Determine Countermeasure Options 5 Make RM Decisions Cost Analysis Benefits Analysis Monitor Implement Test & Eval
8
GSA EXPO 2009 Office of Emergency Response and Recovery 7 Five Step Process 1: Identify Assets and Loss Impacts 2: Identify and Characterize the Threat to Specific Assets 3: Identify and Characterize Vulnerabilities 4: Assess Risks and Determine Priorities for Asset Protection 5: Identify Countermeasures, Costs and tradeoffs.
9
GSA EXPO 2009 Office of Emergency Response and Recovery 8 Step #1: Identify Assets and Loss Impacts Determine valued assets requiring protection –(assets = processes, functions, systems, critical staff) Identify undesirable events and expected impacts –(event leading to the loss, damage, consequence to the asset) Value/prioritize assets based on consequence of loss – (based on the definitions, rate the impact).
10
GSA EXPO 2009 Office of Emergency Response and Recovery 9 What is an Asset? Anything that has value to an essential function –People, information, facilities, special equipment, systems, process, workflow An asset may have value to an adversary that differs from the owner, Continuity planning endeavors to increase the resiliency of assets that enable the organization’s ability to perform its essential functions. –Focusing on the assets, processes, systems, key information, and critical staff that allow GSA to do its job and provide service and products to their customers.
11
GSA EXPO 2009 Office of Emergency Response and Recovery 10 Critical - Indicates that interruption to the asset//function would have grave consequences leading to loss of life, serious injury, or mission failure (50-100) High - Indicates that interruption to the asset//function would have serious consequences resulting in loss of critical data, equipment, or facilities that could impair operations for a limited period of time (13-50) Medium - Indicates that interruption to the asset//function would have moderate consequences resulting in loss of highly critical data, equipment, or facilities that could impair operations for a limited period of time (3-13) Low - Indicates that interruption to the asset//function would have little or no impact on human life or continuity of operations (1-3). Notional
12
GSA EXPO 2009 Office of Emergency Response and Recovery 11 People Activities & Operations Information Equipment Facilities C C C M M H H L M H Critical Asset Undesirable Event & Impact Linguistic Rating # Rating Hazardous Weatherloss of access Loss of Power Loss of Production Theft Loss of critical assets Terrorism Loss of life // productivity Disruption Schedule setback Criminal activity Unsettled employees Loss Mission failure; degraded Poor OPSEC Operational disclosure Unauthorized release Capability disclosures Chemical Spill Environment Example
13
GSA EXPO 2009 Office of Emergency Response and Recovery 12 Step #2 Identify and Characterize the Threat to Specific Assets Identify threat categories and adversaries Assess intent of each adversary Assess capability of each adversary Determine frequency of past incidents Estimate threat relative to each critical asset.
14
GSA EXPO 2009 Office of Emergency Response and Recovery 13 What is a threat? VS. an adversary? What is a threat? –Any indication, circumstance, or event that can cause the loss of, damage to, or the denial of an asset Who is an adversary? –Any entity that conducts, or has the capability and intention to conduct, activities detrimental to interests or assets.
15
GSA EXPO 2009 Office of Emergency Response and Recovery 14 Types of threat Foreign Intelligence Services –Facility penetration –Non-access attack –Recruiting staff Terrorist Threats –Kidnapping –Bombing –Sabotage –CBRNE Natural Threats –Fire –Flood –Storms (wind, ice, snow) –Earthquake Criminal Threats –Fraud, theft, robbery –Arson –Vandalism –Computer hacking Insider Threats –Espionage –Misuse of equipment –Malicious acts by disgruntled staff –Work place violence Military Threats –War –Insurrection –State sponsored activities
16
GSA EXPO 2009 Office of Emergency Response and Recovery 15 Understanding the threat: CAPABILITY TO ACT HISTORY INTENT –Goals –Motivation –Collection/action capability –Necessary skills/resources –History of successful attacks –History of attempts
17
GSA EXPO 2009 Office of Emergency Response and Recovery 16 Low: Indicates little or no credible evidence of capability or intent, with no history of actual or planned threats against the assets. Critical: Indicates that a definite threat exists against the assets and that the adversary has both the capability and intent to launch an attack, and that the subject or similar assets are targeted on a frequent or recurring basis High: Indicates that a credible threat against the assets exists, based on our knowledge of the adversary’s capability and intent to attack the assets and based on related incidents having taken place at similar facilities Medium: Indicates that there is a potential threat to the assets based on the adversary’s desire to compromise the assets and the possibility that the adversary could obtain the capability through a third party who has demonstrated the capability in related incidents Example
18
GSA EXPO 2009 Office of Emergency Response and Recovery 17 Undesirable event / Impact # Rating Critical Asset People Activities & Operations Information Equipment Facilities Threat Category Threat Rating C H H M M H M H M L Terrorist FIS / Insider Insider Criminal Weather Terrorist Militant Insider / FIS Hazardous Weather Transportation Problems Loss of Power Loss of Production Theft Loss of computers Threat of Terrorism Loss of Production Time Disruption Schedule setback Criminal activity Employee injury Loss Mission failure Poor OPSEC Operational disclosure Unauthorized release Capability disclosures Criminal Chemical Spill Facility Closure Example
19
GSA EXPO 2009 Office of Emergency Response and Recovery 18 Step # 3: Identify and Characterize Vulnerabilities Identify vulnerabilities of specific assets related to undesirable events Identify existing countermeasures and their level of effectiveness in reducing vulnerabilities Estimate degree of vulnerability to each asset and threat
20
GSA EXPO 2009 Office of Emergency Response and Recovery 19 Step #4: Assess Risks and determine priorities for asset protection Estimate degree of impact relative to each valued asset Estimate likelihood of attack by a potential adversary Estimate likelihood that a specific vulnerability will be exploited Determine relative degree of risk Prioritize risks based on integrated assessment.
21
GSA EXPO 2009 Office of Emergency Response and Recovery 20 Quantify the likelihood that an undesirable event will occur Determine the severity of the outcome of an undesirable event Prioritize the risks Asset (Impact) x (.Threat x.Vulnerability) = Risk Assess the Risks
22
GSA EXPO 2009 Office of Emergency Response and Recovery 21 Asset Threat Vulnerability Impact of Unwanted Event Likelihood Risk
23
GSA EXPO 2009 Office of Emergency Response and Recovery 22 Impact x (.Threat x.Vulnerability) (1-100)(0-1.0) (0-1.0) = Risk * You can build your own scale Risk Assessment Formula
24
GSA EXPO 2009 Office of Emergency Response and Recovery 23 Terrorism Loss of Production Loss Mission failure Unauth. Release Disclosures Theft Loss of Computers Loss of Power Loss of Production Hazardous Weather TransProb Closure of facility Chemical spill Disruption Schedule setback Poor OPSEC Disclosure CH H ( # ) * C C M M H H L M H # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # C Critical Potential Undesirable Asset Asset Threat Threat Vuln. Vuln. Risk Assets Events Rating Value Rating Value Rating Value R / V H H M M H H M M L H M M M M M M L L H ( # ) * M ( # ) * L ( # ) * M ( # ) * L ( # ) * M ( # ) * People Information Equipment Facilities Activities & Operations Example
25
GSA EXPO 2009 Office of Emergency Response and Recovery 24 Step # 5: Identify Countermeasures, Costs and tradeoffs Identify potential countermeasures or mitigation strategies to reduce Vulnerabilities and/or Threats and / or Impacts. Identify countermeasures or mitigation strategies benefits in terms of risk reduction Identify countermeasure or mitigation strategy costs Conduct countermeasure or mitigation strategy cost- benefit analyses Prioritize options and prepare a recommendation for decision maker
26
GSA EXPO 2009 Office of Emergency Response and Recovery 25 Countermeasures (mitigation strategies) –An action taken or a physical entity used to reduce or eliminate one or more Vulnerability and or Threat and or Impact. Cost-Benefit Analysis –The part of the process in which costs / benefits of countermeasure(s) are compared and the most appropriate alternative selected –Cost: Tangible, operational, and other costs of countermeasure(s) –Benefit: Amount of risk reduction based on the overall effectiveness of countermeasure(s) Countermeasure Costs and Benefits
27
GSA EXPO 2009 Office of Emergency Response and Recovery 26 Undesirable EventCountermeasuresRisk Level ReducedCost From/To Natural Disaster Distribute AssetsLOW/HIGH to LOW/MED Terrorist Attack Emergency proceduresHIGH/CRITICAL to physical preventionsHIGH/MED Loss of critical dataIT resiliency LOW/MEDIUM to L/M MEDIUM/MEDIUM to M/M TOTAL COST: Countermeasure Options Example
28
GSA EXPO 2009 Office of Emergency Response and Recovery 27 A structured yet flexible approach to understanding your threat and risk posture A process for developing effective business continuity & security countermeasures and options that consider cost & benefit A snapshot in time that provides an audit trail for performance improvement Supportable, Defendable and Repeatable. Risk based planning provides:
29
GSA EXPO 2009 Office of Emergency Response and Recovery 28 Questions & Contact Darren J. Blue –Director Policy and Plans, Office of Emergency Response and Recovery Darren.blue@gsa.gov.Darren.blue@gsa.gov
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.