
Cyber Security Workshop Performing a Cyber Security Risk Assessment Why? When? and How? National Webcast Initiative August 26, 2004 3:00pm – 4:00pm Eastern.



Presentation transcript:

1 Cyber Security Workshop Performing a Cyber Security Risk Assessment Why? When? and How? National Webcast Initiative August 26, 2004 3:00pm – 4:00pm Eastern

2 National Webcast Initiative: a joint partnership between MS-ISAC and DHS US-CERT, coordinated through the New York State Office of Cyber Security and Critical Infrastructure Coordination and the New York State Forum. William F. Pelgrin

3 Webcast Attendees: 94 Federal Government; 491 State Government; 117 Local Government; 145 Academia, non-profit

4 Current Listing of Vendors Interested In Participation (this listing will continue to evolve over time): Accenture, AT&T, Aon, Computer Associates, CDW-G, CGI, CMA, D&D Consulting, Ernst & Young, Gartner, HP, IIC, Jay Dee Systems, Keane, Microsoft, Nortel Networks, Novell, NYSTEC, Oracle, SAIC, SAS, Sybase, Symantec, Veritas

5 Today's Speakers
3:00pm-3:15pm Introduction and Opening Remarks: William Pelgrin, Chair of the Multi-State ISAC; Director, New York State Office of Cyber Security and Critical Infrastructure Coordination. Lawrence C. Hale, Deputy Director, National Cyber Security Division, US-CERT, Department of Homeland Security
3:15pm-4:00pm Performing a Cyber Security Risk Assessment: Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young. Rick Trapp, Vice President, Product Management, Computer Associates

6 US-CERT: established in September 2003, US-CERT is the operational arm of the National Cyber Security Division at the Department of Homeland Security. US-CERT is the nation's focal point for preventing, protecting against, and responding to cyber security threats and vulnerabilities. US-CERT interacts with all federal agencies, private industry, the research community, state and local governments, and others on a 24x7 basis to disseminate timely and actionable cyber security information.

7 US-CERT: US-CERT and the Multi-State ISAC are working together on a number of programs, including this webcast series, to help enhance our Nation's cyber security readiness and response. The Multi-State ISAC has recently become a member of the HSIN/US-CERT portal, which provides a secure mechanism for sharing information between and among partners, improving cyber preparedness, readiness and response capabilities. US-CERT also hosts a public website, at www.us-cert.gov, which provides a wealth of information regarding cyber security: helpful tips for protecting against cyber security threats; cyber security alerts and bulletins; and the ability to sign up to receive free cyber security alerts via email.

8 Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young. Rick Trapp, Vice President, Product Management, Computer Associates

9 Today's Objectives
Identify reasons for performing a CyberSecurity Risk Assessment
Identify key components of a CyberSecurity Risk Assessment
Understand considerations in performing a CyberSecurity Risk Assessment

10 Today's Agenda
Developing a Common Language
Why Perform Cyber Security Assessments?
When to perform a CyberSecurity Risk Assessment?
How to perform a CyberSecurity Risk Assessment
Q&A

11 Developing a Common Language

12 What is a Risk Assessment? Source: GAO/AIMD-00-33

13 Definitions Refer: Glossary of Terms

14 Partners Customers Contractors Hackers Malware Spam

15 Why Perform CyberSecurity Risk Assessments?

16 The Need for CyberSecurity Risk Assessments
Reported vulnerabilities rose from 417 in 1999 to 3,784 in 2003 (CERT Coordination Center)
2004 CSI/FBI Computer Crime and Security Survey respondents reported nearly $142 million in total losses as a result of computer security incidents
Helpful Hint

17 Objectives of a CyberSecurity Risk Assessment
Baseline
  Where am I today?
  What controls do I have in place?
Evaluate effectiveness of security controls
  Where do I want to be?
  Identify gaps or opportunities for improvement
Establish awareness of threats and vulnerabilities
Lay foundation for development of security improvement plan

18 When to Perform a CyberSecurity Risk Assessment

19 When to Perform
Periodic
  Often event driven
  Typically year-over-year comparison
  Generally labor-intensive
  Most organizations start with periodic assessments
Continuous
  Part of the normal workflow
  Provides "real-time" risk view
  Often supported by technology and analysis tools
  Integrated with other IT/business processes
Helpful Hint

20 How to Perform a CyberSecurity Risk Assessment

21 Key Steps
1. Define the objectives
2. Define deliverables
3. Establish workplan
4. Perform assessment
5. Review results and develop risk mitigation plans
6. Plan next assessment (repeat steps 1-5)

22 1. Define the Objectives
Consideration: Examples
Scope of assessment: High level (identify gaps in policies and practices); Detailed (identify risks for specific assets)
Standards to be applied: ISO 17799; HIPAA, GLBA; NIST
Coverage: Comprehensive; Representative sample
Helpful Hint

23 2. Determine the Deliverables
Consideration: Examples
Intended audience: Executive (business impact); Operational (technical focus)
Format: Technical report; Summary presentation; Risk database
Distribution: Internal; External (consider sensitivity)

24 3. Establish the Workplan
Consideration: Examples
Documents to be reviewed: Policies, standards, procedures; System configuration; Application design standards
Interviews: Executive management; Operations; Business units; 3rd parties
Technical procedures: Asset discovery and valuation; Threat analysis; Vulnerability analysis
Helpful Hint

25 3. Establish the Workplan (cont'd)
Consideration: Examples
Assessment tools: Asset inventory; Configuration validation; Vulnerability assessment; Penetration testing; Password auditing; Process modeling; Documentation tools
Resources: Internal; External
Helpful Hint

26 4. Perform the Risk Assessment
Activity: Example Worksteps
Characterize System/Area: Interview system owner; Review system documents
Identify Threats: Use threat checklist; Review external sources
Identify Vulnerabilities: Review vulnerability sources; Perform security testing
Identify Controls: Review security requirements checklist; Review system documents
Assess Risk: Prepare likelihood/impact matrix

27 5. Review Results and Develop Mitigation Plans

28 5. Review Results and Develop Mitigation Plans (cont'd)
Risk Treatment: Examples
Accept the risk: Trust employees to "do right thing"; X% downtime
Reduce impact of the risk: Implement controls; Add resilience
Avoid the risk: Shut down system or unit; Cancel contract
Transfer the risk: Purchase insurance; Outsource
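The two slides above (step 4, "Assess Risk: prepare likelihood/impact matrix", and step 5, the four risk treatments) are where the assessment turns findings into decisions. The following is an added worked example of that hand-off, not code from the webcast or from the presenters' firms. It assumes the qualitative-to-numeric scale of NIST SP 800-30 (2002), one of the standards the slides list: likelihood Low/Medium/High = 0.1/0.5/1.0, impact Low/Medium/High = 10/50/100, and risk bands Low (1 to 10), Medium (over 10 to 50), High (over 50). The risk register, the risk-appetite threshold and the treatment-selection rule are constructed here for illustration.

```python
"""Step 4 (assess risk with a likelihood/impact matrix) and step 5 (pick a
risk treatment) for a small risk register.

Added example, not part of the original webcast.  Scale: NIST SP 800-30
(2002).  Register, appetite threshold and treatment rule: constructed.
"""
from dataclasses import dataclass, field

# NIST SP 800-30 (2002) qualitative-to-numeric scale.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Risk:
    """One row of the register produced by the step-4 worksteps."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                 # "low" / "medium" / "high"
    impact: str                     # "low" / "medium" / "high"
    controls: list[str] = field(default_factory=list)
    business_critical: bool = True  # False: shutting it down is an option
    transferable: bool = False      # True: insurance / outsourcing is an option


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood x impact on the SP 800-30 scale (1 .. 100)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """SP 800-30 risk bands: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def likelihood_impact_matrix() -> dict[tuple[str, str], str]:
    """All nine cells of the matrix, keyed by (likelihood, impact)."""
    return {(lk, im): risk_level(risk_score(lk, im))
            for lk in LIKELIHOOD for im in IMPACT}


def recommend_treatment(risk: Risk, appetite: float = 10.0) -> str:
    """Map a scored risk to one of the four treatments on the slide.

    Constructed rule (assumption): within appetite -> accept; a High risk on a
    system the business can live without -> avoid; otherwise transfer if that
    option exists, else reduce.  A real decision also weighs control cost.
    """
    score = risk_score(risk.likelihood, risk.impact)
    if score <= appetite:
        return "Accept"
    if risk_level(score) == "High" and not risk.business_critical:
        return "Avoid"
    if risk.transferable:
        return "Transfer"
    return "Reduce"


def assess(register: list[Risk], appetite: float = 10.0) -> list[dict]:
    """Score every entry and return the register ranked highest risk first."""
    rows = []
    for r in register:
        score = risk_score(r.likelihood, r.impact)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": score,
            "level": risk_level(score),
            "treatment": recommend_treatment(r, appetite),
        })
    # Stable sort: entries with equal scores keep their register order.
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (hypothetical systems and findings).
SAMPLE_REGISTER = [
    Risk("Citizen payment portal", "Hacker", "Unpatched web server",
         "high", "high", controls=["Perimeter firewall"]),
    Risk("Payroll file share", "Insider misuse", "Excess share permissions",
         "medium", "high"),
    Risk("E-mail gateway", "Malware carried by spam", "No attachment filtering",
         "high", "medium", controls=["Desktop anti-virus"], transferable=True),
    Risk("Legacy dial-in modem bank", "Hacker", "Default passwords, no logging",
         "high", "high", business_critical=False),
    Risk("Lobby kiosk", "Vandalism", "No physical lock", "low", "low"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["score"]:6.1f} {row["level"]:<6} {row["treatment"]:<8} '
              f'{row["asset"]} / {row["threat"]}')
```

Running the block prints the register ranked by score: the two High risks first (the portal gets "Reduce" because it cannot be shut down, the modem bank gets "Avoid" because it can), the two Medium risks next ("Reduce" for the file share, "Transfer" for the gateway, where insurance or outsourcing is available), and the Low kiosk risk last as "Accept". The ranked rows are the input to the executive "business impact" deliverable on slide 23; the matrix function makes the banding explicit so reviewers can see that, for example, a Low-likelihood threat against a High-impact asset scores exactly 10 and lands in the Low band.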

29 Next Steps Helpful Hint

30 Questions?

31 Summary
Developing a Common Language
Why Perform Cyber Security Assessments?
When to perform a CyberSecurity Risk Assessment?
How to perform a CyberSecurity Risk Assessment

32 Thank you for participating
Future webcast sessions will offer a variety of topics
Please remain online to participate in an interactive series of survey questions
Written Q and A to the presenters is available for the next 15 minutes

33 Thank You! Thank you for attending this virtual learning session

