Published by Garey Fleming. Modified over 9 years ago.
1 Certification and Accreditation
CS-7493-01
Unit 4: RISK MANAGEMENT
Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah
2 Acknowledgement
- DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
- DOD 8510.1-M, DITSCAP Application Manual
- Risk Management Guide for IT Systems by NIST
- Basic Risk Management For DOD
- E-commerce Risk Management slides (Dr. Hale CS-slides)
- Risk Management within an IT system environment by Communication Security Establishment CSE, Canada.
3 Overview
- General definitions
- Risk Management Process
- C&A
4 What is a Threat?
- Threat is any circumstance or event with the potential to cause harm to an IS through:
  – Unauthorized access.
  – Destruction.
  – Disclosure.
  – Modification of data.
  – Denial of service.
5 What is a Vulnerability?
- Vulnerability is a weakness in an IS, system security procedures, internal controls, or implementation that could be exploited.
6 So, What is Risk?
Risk is the combined notion of...
- The harm caused by specific events (threats)
AND
- The likelihood that HARM will happen (using vulnerabilities)
7 What is Residual Risk?
- Residual risk is the portion of risk remaining after security measures have been applied
8 Risk Management
- Definition: process of
  – Identifying risk
  – Assessing risk
  – Taking steps to reduce risk to an acceptable level (residual risk)
9 Risk Management Cycle
[Cycle diagram; stages:]
- Understand Mission Objectives
- Understand Security Needs (Services)
- Characterize Risk Posture (Threat Analysis)
- Characterize What Can Be Done (Countermeasures)
- Decide What Will Be Done
- Implement Decided Actions
10 Mission Is Everything…
- Mission defines component values
  – People
  – Equipment
  – Information systems
  – Facilities
- Mission is the guiding force for determining risk
- Organization mission must be understood by the risk management team
- Information Systems (IS) play a critical role in supporting the mission
11 Information System -- Definition
- Discrete set of information resources organized for the
  – collection
  – processing
  – maintenance
  – use
  – sharing
  – dissemination
  – disposition
  of information
NTISSI No. 4009
12 Information System Assets
- Hardware - PCs, servers, cables, disk drives, routers
- Software - programs, utilities, O/S
- Data and Information - created, processed, stored, databases, in transit, and removed
- People - users, people needed to run systems
- Documentation - programs, hardware, systems, local administrative procedures, on entire system
- Supplies - paper, forms, ribbons, magnetic media
13 Risk Management Cycle
[Cycle diagram; stages shown:]
- Understand Mission Objectives
- Understand Security Needs (Services)
14 ITSEC Class Characteristics
Table columns: Characteristic | Operation | Data | Infrastructure | System | Alternatives
Table rows (Characteristic):
- Interfacing Mode
- Processing Mode
- Attribution Mode
- Mission-Reliance Factor
- Accessibility Factor
- Accuracy Factor
- Information Categories
15 ITSEC Classification: Mission Reliance on IS
- The degree that mission success depends on the system operation, data, or infrastructure (Mission Reliance Factor)
  – None -- mission not dependent on specific aspect
  – Cursory -- mission incidentally dependent on specific aspect
  – Partial -- mission partially dependent on specific aspect
  – Total -- mission is totally dependent on the specific aspect
Risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IS-related risk.
16 ITSEC Classification: Security Characteristics
Table columns: Security Characteristic | Mission Reliance | Alternative
- CONFIDENTIALITY: Sensitive, Classified, Special Access
- AVAILABILITY: Reasonable, Soon, ASAP, Immediate
- INTEGRITY / ACCURACY: NA, Approximate, Exact
- ACCOUNTABILITY / ATTRIBUTION: None, Rudimentary, Basic, Comprehensive
17 Mission Trees
[Tree diagram; each leaf is marked C, I, A:]
Missions
  Deploy
    Warning Order
    Movement Order
  Develop
    Equipment Performance Characteristics
    Equipment Patentable Characteristics
18 Risk Management Cycle
[Cycle diagram; stages shown:]
- Understand Mission Objectives
- Understand Security Needs (Services)
- Characterize Risk Posture (Threat Analysis)
19 Threat Analysis: Sources
- Threat agent: Individual/thing responsible
  – Adversarial (hackers & spies)
  – Non-adversarial (rec. hackers & accidents)
  – Disasters (floods & power outages)
- Attack: Sequence of steps taken to cause an event
- Finding Vulnerabilities
20 Threat Analysis: Basic Process
1. Identify/define mission
2. Determine required security services
3. Theory of adversarial behavior
   – Identify potential adversaries
   – Determine adversary intentions/characteristics
   – Determine adversary strategies
4. Identify attack scenarios
5. Match adversary behavior w/ attack scenarios
21 Threat Analysis: Mission Security Requirements
- Threat: Potential for harm
  – 3 dimensions: confidentiality, integrity & availability
- Confidentiality
  – Information valuable to adversaries?
  – Consequences of leak?
    - Within 1 minute, 1 hour, 1 day, 1 week
- Integrity
  – Mission dependency on accuracy of data?
  – Consequences of integrity breach?
- Availability
  – Mission dependency on access to data/services?
  – Consequences for unavailability (over time)?
  – Alternative modes of operation?
22 Risk Management Cycle
[Cycle diagram; stages shown:]
- Understand Mission Objectives
- Understand Security Needs (Services)
- Characterize Risk Posture (Threat Analysis)
- Characterize What Can Be Done (Countermeasures)
23 Characterize Options
- What is the impact of specific attacks on mission?
- Which vulnerabilities may permit successful attacks?
- Where should resources be expended to achieve the greatest reduction in risk?
- Avoid tendency to view vulnerabilities in isolation
24 Countermeasures Selection
- Countermeasure possibilities
- Characterize countermeasure options
- Compare countermeasure options
- Determine changes to risk
- Determine costs vs. benefit
25 Countermeasures
Factors to be considered
  – Security mechanisms
  – Physical security
  – Personnel security
  – Administrative security
  – Media security
  – Life cycle controls
- A Countermeasure may change the initial Design\Mission?
26 Risk Management Cycle
[Cycle diagram; stages shown:]
- Understand Mission Objectives
- Understand Security Needs (Services)
- Characterize Risk Posture (Threat Analysis)
- Characterize What Can Be Done (Countermeasures)
- Decide What Will Be Done
27 Risk Analysis Options/Decisions
- Overriding goal – Mission Success
- Weighted in terms of cost versus benefits
- Identify +/- for each course of action
- Decision options:
  – Reduce Risk
  – Accept Risk
  – Avoid Risk
  – Transfer Risk
[Figure labels: Risk avoidance, Risk acceptance]
28 Countermeasures: Costs/Benefits
COSTS vs. BENEFITS
- COSTS
  – Dollars
  – Additional people resources
  – Lost system functionality
  – Time
- BENEFITS
  – Improve mission success
[Figure: Mission Impact plotted against Likelihood of Successful Attack, axes Low to High; points (1) (before countermeasures), (1A) (option 1), (1B) (option 2)]
29 What is acceptable?
- Will we have 100% effectiveness?
  – Vulnerabilities eliminated
  – Vulnerabilities reduced
  – Vulnerabilities remaining
    - What are they?
    - Why are they still there?
- Is risk acceptable? (Residual Risk)
30 Security Risk Management Process
Government of Canada, Communication Security Establishment CSE