CERN IT Department, CH-1211 Genève 23, Switzerland, www.cern.ch/it
ITIL and Business Continuity (Service Perspective), Hepix 2012 Conference, Prague, 23-27 April 2012

Slide 1: ITIL and Business Continuity (Service Perspective)
Hepix 2012 Conference, Prague, 23-27 April 2012
Patricia Méndez Lorenzo, Mats Moller, on behalf of the (IT&GS) Service Management team

Slide 2: Outlook (agenda)
  o ITIL Principles
  o Risk Management in ITIL
  o Elements of Risk Management
  o Quantification of Risks: Risk Assessment Method
  o Examples applied to CERN functions
  o Summary and plans

Slide 3: ITIL Principles
RISK: Business and Service Continuity Management require a formal analysis of the risks affecting the services or the business.
ITIL processes involved: Service Continuity Management and Availability Management
  o Establishment of a Continuity & Availability Plan through:
    - Risk Assessment
    - Critical Services identification
Related processes feeding the plan (diagram): INC Mgt, Change Mgt, SLM

Slide 4: Risk Management in ITIL
Purpose of the process:
  o Identification and quantification of risks
    - To ensure the provision of CERN services
    - To protect CERN business interests & assets
    - To support and maintain CERN's reputation
    - This means: protect the organization's ability to perform its business
  o Application of (cost-)justifiable countermeasures ensuring the availability of the services
Diagram: Assets, Vulnerabilities and Threats combine into RISKS, which are addressed by Countermeasures.
Risk management is an essential management function, not just a technical process.

Slide 5: Elements of Risk Management
Risk equation: R = f(A, V, T), where:
A = Asset (in some cases considered 'cost')
  o Anything that can contribute to the delivery of a service; anything with a certain value
  o Example: people, data, applications
V = Vulnerability
  o Weakness that can be accidentally triggered or intentionally exploited
  o Example: single points of failure (SPOF)
T = Threat
  o Anything that might exploit a vulnerability
  o Example: terminated employees, airport close to CERN
There is not much that can be done against threats; however, we can influence the vulnerability.

Slide 6: Quantification of Risks
Aim of a formal approach:
  o Identification of the risks affecting the services
  o Application of countermeasures based on the impact in case of failure
    - Reduction of the risk likelihood, severity and unpredictability
Procedure:
  o Qualitative and quantitative evaluation of the risk function variables
  o Business Impact Analysis (BIA) procedures, which identify critical services
  o Definition of countermeasures based on:
    - Cost justifications
    - Impact
    - Acceptance threshold

Slide 7: Risk Assessment Method
  1. IDENTIFICATION: risk equation variables and available control analysis
  2. CALCULATION: likelihood determination and impact analysis
  3. RISK DETERMINATION: risk-level matrix or risk evaluations
  4. COUNTERMEASURES: necessary actions and control recommendations
  5. DOCUMENTATION of the results

Slide 8: STEP 1: Identification of variables (source: SERVICE CATALOGUE)

| Variable      | Input                                                              | Output                                              |
|---------------|--------------------------------------------------------------------|-----------------------------------------------------|
| ASSET         | Hardware, software, people, data, application; critical services   | Understanding of the system boundary and criticality |
| THREAT        | Security reports, INC reports                                      | Understanding of threat-sources                     |
| VULNERABILITY | Security tests and checklists, audit results                       | List of weaknesses; vulnerability/threat pairs      |

Slide 9: STEP 1: Defining the variables
To define Assets:
  o Specific value of each Service Element for the organization
    - Identification of critical services
    - Evaluation of the cost in case of a service loss
To define Threats:
  o Individual threats affecting the Functional Elements (hence the organization)
To define Vulnerabilities:
  o Known weak points against the defined threats
Define Threat/Vulnerability pairs (relations):
  o In association with the assets
Our source of information: the Service Catalogue
Diagram (steps 1-5): Assets (Service Elements SE, Functional Elements FE) -> Threats -> Vulnerabilities -> RISKS (A/B/C) -> Countermeasure

Slide 10: STEP 1: Vulnerability/Threat pairs

| Vulnerability                                           | Threat-Source                | Description                                                   |
|---------------------------------------------------------|------------------------------|---------------------------------------------------------------|
| Terminated employee IDs are not removed from the system | Terminated employees         | Dialing into the company's network and accessing the systems |
| Guest ID is enabled on the servers                      | Unauthorized users (hackers) | Unauthorized users can access data                            |
| Single points of failure: no redundant expertise        | Sickness                     | Experiment cannot apply a specific patch...                   |

Identification of Vulnerability/Threat pairs
  o This identification is necessary to quantify the risk

Slide 11: STEP 2: Risk calculation
The previous elements need to be evaluated in terms of likelihood and impact:
  o Likelihood depends on the threat-source and the vulnerability level (e.g., High, Medium, Low): L = f(T, V)
  o Impact depends on the criticality and the asset (e.g., High, Medium, Low): I = f(C, A)
Existing mitigating security controls should be considered.
Risk = Likelihood x Impact

Example of a basic risk matrix:

| Likelihood \ Impact | Low (10)  | Medium (50)  | High (100)   |
|---------------------|-----------|--------------|--------------|
| High (1.0)          | Low = 10  | Medium = 50  | High = 100   |
| Medium (0.5)        | Low = 5   | Medium = 25  | Medium = 50  |
| Low (0.1)           | Low = 1   | Low = 5      | Low = 10     |

Slide 12: STEP 3: Risk Determination

| Vulnerability                                           | Threat Source                | Description                                                   | Controls                     | Likelihood | Impact  | Risk Level |
|---------------------------------------------------------|------------------------------|---------------------------------------------------------------|------------------------------|------------|---------|------------|
| Terminated employee IDs are not removed from the system | Terminated employees         | Dialing into the company's network and accessing the systems | Account locked after 90 days | L (0.1)    | H (100) | L (10)     |
| Guest ID is enabled on the servers                      | Unauthorized users (hackers) | Unauthorized users can access data                            | None                         | H (1)      | H (100) | H (100)    |
| Single points of failure: no redundant expertise        | Sickness                     | Experiment cannot apply a specific patch...                   | None                         | M (0.5)    | M (50)  | M (25)     |

A complete risk determination will include both qualitative inputs and a risk assessment based on the risk matrix.

Slide 13: STEP 4: Countermeasures
Formal establishment of actions based on the risk assessment, towards risk mitigation
  o Effectiveness and costs

| Risk Level | Countermeasures                                          |
|------------|----------------------------------------------------------|
| High       | Strong need for measures to be put in place ASAP         |
| Medium     | Plan developed within a reasonable period of time        |
| Low        | Can we accept the risk and do nothing?                   |
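Steps 2 to 4 as executable logic, added here as an illustration and not taken from the slides: the Likelihood x Impact matrix of STEP 2, the three vulnerability/threat pairs and their existing controls from STEP 3, and the countermeasure bands of STEP 4. The register of pairs is constructed from the STEP 3 table; the numeric band thresholds (>50 High, >10 Medium) are read off the matrix.

```python
# Added example (not from the original slides): risk = likelihood x impact
# using the weights of the STEP 2 matrix, mapped onto STEP 4 countermeasures.
LIKELIHOOD = {"H": 1.0, "M": 0.5, "L": 0.1}   # weights from the slide's matrix
IMPACT = {"H": 100, "M": 50, "L": 10}

COUNTERMEASURE = {                              # STEP 4 bands
    "High": "strong need for measures, put in place ASAP",
    "Medium": "plan developed within a reasonable period of time",
    "Low": "accept the risk and do nothing?",
}

# Constructed register mirroring the STEP 3 table:
# (vulnerability, threat source, existing control, likelihood, impact)
PAIRS = [
    ("Terminated employee IDs not removed", "Terminated employees",
     "Account locked after 90 days", "L", "H"),
    ("Guest ID enabled on the servers", "Unauthorized users (hackers)",
     "None", "H", "H"),
    ("SPOF: no redundant expertise", "Sickness", "None", "M", "M"),
]


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = Likelihood x Impact with the slide's numeric weights."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Band a score as the matrix does: 100 is High, 25-50 Medium, 1-10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs=PAIRS):
    """Score every pair and order the register highest risk first."""
    rows = []
    for vuln, threat, control, lik, imp in pairs:
        score = risk_score(lik, imp)
        level = risk_level(score)
        rows.append({"vulnerability": vuln, "threat": threat, "control": control,
                     "score": score, "level": level, "action": COUNTERMEASURE[level]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in assess():
        print(f"{r['level']:6} {r['score']:5.0f}  {r['vulnerability']} "
              f"<- {r['threat']} (control: {r['control']}): {r['action']}")
```

The ordering makes the point of the slide's "existing controls" column: the terminated-employee pair has High impact but drops to a Low risk because the 90-day lockout already reduces its likelihood.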

Slide 14: Examples applied to CERN functions
Assets: CERN facilities
  o Examples applied to: EDH, CERN Service Desk
Criticalities (defined as the impact of losing the application):

| Criticality | Description     | Factor | Levels                                           |
|-------------|-----------------|--------|--------------------------------------------------|
| Minor       | Nil             | 1      | Very few people affected; < 1 KCHF               |
| Minor       | Hardly visible  | 2      | Several people affected; < 5 KCHF                |
| Minor       | Very limited    | 3      | Small group affected; < 10 KCHF                  |
| Average     | Limited         | 4      | People affected > 20; cost < 20 KCHF             |
| Average     | Visible         | 5      | People affected > 50; cost < 50 KCHF             |
| Average     | Significant     | 6      | People affected > 100; cost < 100 KCHF           |
| Major       | Very important  | 7      | People affected > 150; cost < 400 KCHF           |
| Major       | Important       | 8      | People affected > 500; cost < 1 MCHF             |
| Critical    | Disastrous      | 9      | People affected > 1000; cost < 10 MCHF           |
| Critical    | Catastrophic    | 10     | People affected > 1000; > 10 MCHF; life danger   |

Slide 15: Examples applied to CERN functions: Threats/Vulnerabilities, likelihood calculations and mitigation plans

| Likelihood                   | Description        | Factor |
|------------------------------|--------------------|--------|
| No (once > 10 years)         | Impossible         | 1      |
|                              | Almost impossible  | 2      |
|                              | Very unlikely      | 3      |
| Maybe (once in 5-10 years)   | Unlikely           | 4      |
|                              | Little plausible   | 5      |
|                              | Plausible          | 6      |
|                              | Likely             | 7      |
| Yes (once < year)            | Very likely        | 8      |
|                              | Almost certain     | 9      |
|                              | Certain            | 10     |

Common Threat-Sources:
  o Natural threats: floods, electrical storms, etc.
  o Human threats: network attacks, errors, malicious software upload, etc.
  o Environmental threats: pollution, long-term power failure, etc.

Slide 16: Examples applied to CERN functions: final calculation of risk and recommendations
Threat x Vulnerability = Probability
Probability x Impact = RISK

| Asset        | Loss of data (T=5): V | Risk | Viruses (T=5): V | Risk | Hacking (T=8): V | Risk | Strike (T=7): V | Risk |
|--------------|-----------------------|------|------------------|------|------------------|------|-----------------|------|
| EDH          | 4                     | 180  | 3                | 135  | 4                | 288  | 4               | 252  |
| Service Desk | 4                     | 180  | 2                | 90   | 4                | 288  | 4               | 252  |

Mitigation plans are required for Risk > 200.
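The numeric scheme of this slide (threat factor x vulnerability factor = probability, probability x impact = risk, mitigation above 200), carried out in code as an added example rather than anything from the slides. Threat and vulnerability factors are the slide's own; the impact factor 9 for both assets is not printed on the slide and is inferred from its figures (5 x 4 x 9 = 180), which corresponds to the "Disastrous" level of the criticality table. The what-if helper illustrates slide 5's point that the vulnerability is the lever one can act on.

```python
# Added example (not from the original slides): Threat x Vulnerability =
# Probability, Probability x Impact = RISK, mitigation flagged above 200.
THREATS = {"Loss of data": 5, "Viruses": 5, "Hacking": 8, "Strike": 7}  # from the slide

# Vulnerability factors per asset from the slide's table. The impact factor 9 is
# an inference from the printed risks (e.g. 5 x 4 x 9 = 180), not stated there.
ASSETS = {
    "EDH":          {"impact": 9, "vuln": {"Loss of data": 4, "Viruses": 3, "Hacking": 4, "Strike": 4}},
    "Service Desk": {"impact": 9, "vuln": {"Loss of data": 4, "Viruses": 2, "Hacking": 4, "Strike": 4}},
}
MITIGATION_THRESHOLD = 200   # slide: "Mitigation plans over Risk > 200"


def _check_factor(name: str, value: int) -> int:
    """All factors on the slides are integers on a 1-10 scale."""
    if not 1 <= value <= 10:
        raise ValueError(f"{name} factor {value} outside 1..10")
    return value


def probability(threat: str, asset: str) -> int:
    t = _check_factor("threat", THREATS[threat])
    v = _check_factor("vulnerability", ASSETS[asset]["vuln"][threat])
    return t * v


def risk(threat: str, asset: str) -> int:
    return probability(threat, asset) * _check_factor("impact", ASSETS[asset]["impact"])


def risk_table() -> dict:
    """{asset: {threat: risk}} for every asset/threat combination."""
    return {a: {t: risk(t, a) for t in THREATS} for a in ASSETS}


def needs_mitigation(threshold: int = MITIGATION_THRESHOLD) -> list:
    """(asset, threat, risk) triples above the threshold, highest risk first."""
    hits = [(a, t, r) for a, row in risk_table().items() for t, r in row.items() if r > threshold]
    return sorted(hits, key=lambda x: -x[2])


def risk_after_reducing_vuln(threat: str, asset: str, new_vuln: int) -> int:
    """What-if: same threat and impact, vulnerability factor lowered by a countermeasure."""
    return THREATS[threat] * _check_factor("vulnerability", new_vuln) * ASSETS[asset]["impact"]


if __name__ == "__main__":
    for asset, threat, r in needs_mitigation():
        print(f"{asset:12} {threat:12} risk {r} > {MITIGATION_THRESHOLD}: mitigation plan required")
    print("EDH hacking if vulnerability drops to 2:", risk_after_reducing_vuln("Hacking", "EDH", 2))
```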

Slide 17: Summary and Plans
Risk Management is a crucial process to ensure the continuity of the services and the business
  o A formal approach is needed for consistency, scalability and predictability
In the Service Management project, we have established some of the fundamental processes that will supply the necessary inputs:
  o Service Catalogue, INC Mgt, Change Mgt and SLM (ongoing)
Establishment of the process is foreseen in 2012, following a formal ITIL approach that will require the involvement of both Service Owners and Users
Your feedback and knowledge will be crucial to ensure a continuity plan for all our services
