Presentation transcript: "Process for Analysis" / Risk Assessment Planning Overview (Session #7)

1 Process for Analysis
• Choose a standard / type:
  – Qualitative / Quantitative, or
  – Formal / Informal
• Select access controls
• Match outcome to project objectives
• Provide guidance for improvement

2 Outcome Framework Example
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop security strategy and plans
• Measure adherence to policies…?
• Recommend mitigation strategies

3 Build Profiles
• Profiles are guides to help frame recommendations:
  – Threat
  – Vulnerability
  – Exposure
  – Assets
  – Value
  – Processes
  – Etc.
• A good way to organize information about the current state

4 Identify Vulnerabilities
• CVE
• ICAT
• Cassandra
• Vendor tools
• "SANS / ISO, FMEA, best practices"
• Can be administrative, personnel, technical or physical

5 Develop Strategy
• This is the "value" of the final deliverable
• Make suggestions for areas of improvement
• DO NOT RELY ON VENDOR TOOLS
• Research like crazy; contact your support network
• Make sure it is easy to digest and accomplish

6 Context
• How do you determine what is "at risk" and what is not?
  – Low, medium, high
  – Scale of 1-10
  – Red, yellow, green
• Ultimately it comes down to applying the threat profile to the asset to determine the level of risk

7 Risk Assessment Planning Overview (Session #7)

8 RA Process Elements (OCTAVE Methodology)
• Identify organizational information
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop protection strategy

9 Identify Organizational Information
• Identify information-related assets
• Select those that are most critical to the organization
• Evaluate current security practices to identify what the company is doing well
• Identify which practices are missing or inadequate

10 Build Threat Profiles
• Identify security requirements for critical assets
• Identify threats to those assets
• Based on the business mission of the organization

11 Infrastructure Vulnerabilities
• Identify components to evaluate
• Develop a vulnerability management practice
• Find problems linked with technology and processes

12 Develop Protection Strategy
• Identify risks to the organization's critical assets
• Evaluate the risks to establish a value for the resulting impact on the assets
• Decide whether to accept or mitigate each risk
• Select the highest-priority actions
• Develop the protection strategy for those priorities
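To make the two steps concrete, applying a threat profile to an asset and rating it on the deck's scales (slide 6), then deciding accept vs. mitigate and ranking the actions (slide 12), here is an added example that is not part of the original deck and not OCTAVE's own scoring. The 1-3 input scales, the scoring formula, the risk tolerance of 3 and the sample assets and threats are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Rates each (asset, threat) pair on the three scales from the slides: a 1-10 score,
# a low/medium/high band and a green/yellow/red colour. Scales and formula are assumed.
COLOR = {"low": "green", "medium": "yellow", "high": "red"}


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int   # 1 (public) .. 3 (highly sensitive)
    criticality: int   # 1 (nice to have) .. 3 (mission essential)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int    # 1 (rare) .. 3 (expected)
    exposure: int      # 1 .. 3: how exposed the asset is given current safeguards


def risk_score(asset: Asset, threat: Threat) -> int:
    """Quantitative 1-10 score: impact (worse of sensitivity/criticality) x likelihood x exposure."""
    impact = max(asset.sensitivity, asset.criticality)
    raw = impact * threat.likelihood * threat.exposure   # 1..27
    return (raw * 9 + 13) // 27 + 1                        # integer rounding onto 1..10


def risk_level(score: int) -> str:
    """Qualitative band for a 1-10 score."""
    return "high" if score >= 7 else "medium" if score >= 4 else "low"


def assess(profile: dict, tolerance: int = 3) -> list:
    """profile maps each Asset to the Threats in its threat profile. Scores above
    `tolerance` are marked for mitigation, the rest accepted; findings come back ranked."""
    findings = []
    for asset, threats in profile.items():
        for t in threats:
            s = risk_score(asset, t)
            lvl = risk_level(s)
            findings.append({"asset": asset.name, "threat": t.name, "score": s,
                             "level": lvl, "color": COLOR[lvl],
                             "decision": "mitigate" if s > tolerance else "accept"})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample threat profile for the illustration (not from the deck).
SAMPLE_PROFILE = {
    Asset("customer database", sensitivity=3, criticality=3): [
        Threat("credential theft via phishing", likelihood=3, exposure=2),
        Threat("backup media loss", likelihood=1, exposure=2)],
    Asset("public website", sensitivity=1, criticality=2): [
        Threat("defacement", likelihood=2, exposure=1)],
}

if __name__ == "__main__":
    for f in assess(SAMPLE_PROFILE):
        print(f"{f['score']:>2} {f['level']:<6} {f['color']:<6} {f['decision']:<8} {f['asset']}: {f['threat']}")
```

The ranked output is the priority list slide 12 asks for; changing `tolerance` is how a client's risk appetite moves the accept/mitigate line without touching the scoring.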

13 Risk Assessment / Management Decision Process

14 Objects of the RA
• Mission
• Systems description
• Assets
• Sensitivity
• Criticality
• Vulnerabilities
• Threats
• Safeguards

15 RA Planning
• Figure out where data needs to come from:
  – Info needed before the on-site visit
  – Collect info from public sources
  – Work on WBS tasks
  – Decide interview schedule and personnel
• Stay true to the SOW:
  – Watch time investment
  – Always match actions to goals
  – Avoid SOW creep

16 Pre-Site Visit Goals
• Confirm the client's goals with the delivery team
• Connect the sponsor with the delivery team lead
• Establish escalation procedures and contact personnel
• Goal is to get the client comfortable with:
  – Approach
  – Needs
  – Consultants doing the work
  – Process for moving the project to conclusion

17 Pre-Site Visit Information
• Policies
• Infrastructure architecture drawings / maps
• Administrator passwords
• Org chart
• Secure workspace
• Budget information
• Mission statements

18 Document Review
• Access logs: system, maintenance, and visitor
• Incident reports
• Documents: plans, policies, and procedures
• Previous risk assessments
• Continuity of operations plans
• Contingency reports
• Directories
• Inventory records
• Floor plans
• Organization charts
• Mission statements
• System and network configurations

19 On-Site Process
• Hold a meeting ASAP to introduce the players, state objectives and discuss the process
• Collect the information requested in the pre-site visit process
• Discuss the interview process, scheduling and targets:
  – Line up personnel to interview
  – Have questions already prepared
  – Run interviews in parallel with other data collection techniques

20 Initial On-Site Process
• Need to discuss facility access:
  – After-hours building access needed
  – Normal business hours access required
  – Badges may be needed; get them
  – Understand departmental work hours
  – Get a facilities tour:
    • Restrooms
    • Cafeteria
    • Sponsor's office
    • Work area
    • Off-limits areas

21 Initial On-Site Activity
• Start scans
• Arrange interviews
• Perform facility walkthrough
• Examine policies
• Dumpster dive
• Printer output trays
• Open desk areas
