July 1, 2004 Computer Security: Art and Science ©2002-2004 Matt Bishop
Risk Management Process


Slide #1-1: Risk Management Process
Frame = context, strategies
Assess = determine risk
Respond = evaluate & implement approaches
Monitor = detect failures, changes

Slide #1-2: Risk Management Process
[Figure labels: Assess, Monitor, Respond, Frame; Information Flows]

Slide #1-3: Risk Assessment Supports
Develop information security architecture
Develop security solutions
  – Controls, products, procedures, configurations
Authorizations
Modifications of organization processes
Implementation of security solutions
Operation and maintenance

Slide #1-4: Risk Concepts
Measure that combines
  – Potential for loss/harm
  – Impact of loss/harm
  – Likelihood of various forms of loss/harm

Slide #1-5: Overall Process
Identify and Classify Assets
  – What are we protecting? How are they important?
Identify Exposures and Threats
  – What would be bad? How could it happen?
Identify Vulnerabilities and Threat Sources
  – Who or what could cause loss, and how?
Determine Policies and Controls
  – What should be allowed and what disallowed?
  – How will the policies be enforced?
Implement and Monitor
  – Deploy controls and use them, gain experience to update p.r.n.

Slide #1-6: Risk Framing Components
[Figure labels: Organizational Risk Frame; Risk Assessment Methodology; Risk Model; Risk Assessment Process; Assessment Approach; Analysis Approach; determines; Assumptions; Constraints; Priorities; Trade-offs; Risk Tolerance; Uncertainty; Establishes foundation; Delineates boundaries for decisions]

Slide #1-7: Risk Model
Determines risk factors
  – Inputs to determination of risk
Threats/threat shifting
  – Sources, events, scenarios, responses
Vulnerabilities, predispositions
Likelihoods
  – Intent, capability, targeting

Slide #1-8: Risk Model
Determines risk factors
Threats/threat shifting
Vulnerabilities, predispositions
Likelihoods
Impacts
Risk, aggregation
Uncertainty

Slide #1-9: Generic Risk Model
[Figure labels: Threat Source; initiates; Threat Event; exploits; Vulnerability; causes; Adverse Impact; producing; Organizational Risk; Predisposing Conditions; Controls; with likelihood of initiation; with likelihood of success; with severity; in context of; with pervasiveness; with effectiveness; with degree]

Slide #1-10: Risk Assessment Approaches
Quantitative
  – Numerical
Qualitative
  – E.g., low, moderate, high
Semi-quantitative
  – Bins, scales

Slide #1-11: Risk Analysis Approaches
Threat-oriented
  – What can cause harm/loss
  – What are sources, capabilities, inclinations
Asset-oriented
  – What are assets, processes, impacts
Vulnerability-oriented
  – What are weaknesses
  – Can they be exploited

Slide #1-12: Risk Management Hierarchy
[Figure labels: Tier 1 Organization; Tier 2 Mission/Business Processes; Tier 3 Information Systems; Strategic Risk; Tactical Risk; Traceability & Transparency of Risk-based Decisions; Inter-Tier and Intra-Tier Communications; Organization-wide Risk Awareness; Feedback Loop for Continuous Improvement]

Slide #1-13: Risk Management Framework
Categorize
  – Assets, threats, vulnerabilities
Select
  – Controls
Implement
Assess
Authorize
Monitor
Repeat!

Slide #1-14: Risk Management Framework
[Figure labels: Security Life Cycle; Categorize Info Systems; Select Controls; Implement Security Controls; Assess Controls; Authorize Info Systems; Monitor Security Controls; Architecture Description; Mission/Business Processes; FEA Reference Models; Segment and Solution Arch; Info System Boundaries; Organizational Inputs; Laws, Directives, Policy, Guidance; Strategic Goals & Objectives; Information Security Requirements; Priorities and Resources Available]

Slide #1-15: Categorizing Information Systems
Determine types of information handled
  – NIST SP 800-60
Determine impact values (FIPS-199)
  – Low, medium, high impact
Security Category = {(C, i_c), (I, i_i), (A, i_a)}
  – Confidentiality, Integrity, Availability impacts
  – Impacts may not be the same
Overall impact is high-water mark (max)
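The categorization on this slide, worked through in code. This is an added example, not part of the original slides: it applies the high-water mark per objective across several information types and then across C, I and A, and reports which information types set the level. The information type names and their impact values are constructed for illustration.

```python
from enum import IntEnum

class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2   # FIPS 199 names this level "moderate"
    HIGH = 3

OBJECTIVES = ("C", "I", "A")  # confidentiality, integrity, availability

def parse_impact(label):
    """Map a textual impact value to an Impact level, rejecting anything else."""
    key = label.strip().upper()
    if key == "MODERATE":
        key = "MEDIUM"
    try:
        return Impact[key]
    except KeyError:
        raise ValueError(f"unknown impact level: {label!r}") from None

def categorize_type(c, i, a):
    """Security category of one information type: {(C, i_c), (I, i_i), (A, i_a)}."""
    return dict(zip(OBJECTIVES, (parse_impact(c), parse_impact(i), parse_impact(a))))

def categorize_system(info_types):
    """Per-objective high-water mark over every information type handled."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {o: max(cat[o] for cat in info_types.values()) for o in OBJECTIVES}

def overall_impact(category):
    """Overall system impact: the maximum over C, I and A."""
    return max(category.values())

def drivers(info_types, objective):
    """Names of the information types that set the high-water mark for one objective."""
    top = categorize_system(info_types)[objective]
    return sorted(n for n, cat in info_types.items() if cat[objective] == top)

# Constructed sample: three information types handled by one system.
SAMPLE_TYPES = {
    "public web content": categorize_type("low", "medium", "low"),
    "payroll records": categorize_type("medium", "medium", "low"),
    "incident reports": categorize_type("high", "medium", "medium"),
}

if __name__ == "__main__":
    system = categorize_system(SAMPLE_TYPES)
    print({o: level.name for o, level in system.items()})
    print("overall:", overall_impact(system).name)
    print("confidentiality driven by:", drivers(SAMPLE_TYPES, "C"))
```

Listing the drivers shows which information type would have to leave the system boundary for the overall impact level to drop.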

Slide #1-16: Control Families
From NIST SP 800-53:
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Security Assessment and Authorization (CA)
Configuration Management (CM)
Contingency Planning (CP)

Slide #1-17: Control Families (con’t)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental (PE)
Planning (PL)
Personnel Security (PS)

Slide #1-18: Control Families (con’t)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Program Management (PM)

Slide #1-19: Security Control Structure
Control Section
Supplemental Guidance Section
Control Enhancements
References
Priority and Baseline Allocation

Slide #1-20: Security Control Structure
Control Section
  – Prescribes actions/activities for control
Supplemental Guidance Section
Control Enhancements
References
Priority and Baseline Allocation

Slide #1-21: Security Control Structure
Control Section
Supplemental Guidance Section
  – Non-prescriptive information
Control Enhancements
References
Priority and Baseline Allocation

Slide #1-22: Security Control Structure
Control Section
Supplemental Guidance Section
Control Enhancements
  – Ways to add functionality/specificity and/or
  – Increase strength of control
References
Priority and Baseline Allocation

Slide #1-23: Security Control Structure
Control Section
Supplemental Guidance Section
Control Enhancements
References
  – Includes relevant laws, directives, etc.
Priority and Baseline Allocation

Slide #1-24: Security Control Structure
Control Section
Supplemental Guidance Section
Control Enhancements
References
Priority and Baseline Allocation
  – Priority code indicates order of sequencing for decisions and for implementation/deployment
  – Allocation (with enhancements) for each impact level (should it be used, and with which enhance’t)

Slide #1-25: Security Controls
May involve aspects of
  – Policy
  – Oversight
  – Supervision
  – Manual processes
  – Actions by people
  – Automated mechanisms

Slide #1-26: Security Control Selection
Select Security Control Baselines
  – Based on system impact level
Review assumptions/environment
Tailor Baseline Security Controls
Create Overlays (if needed)
  – Community-wide and specialized control sets
Document Security Control Decisions

Slide #1-27: Security Control Tailoring
Identify and Designate Common Controls
Apply Scoping Considerations
  – Control allocation and placement
  – Operational/Environmental considerations
  – Security objective-related considerations
  – Technology-related considerations
  – Mission requirement-related considerations

Slide #1-28: Security Control Tailoring
Identify and Designate Common Controls
Apply Scoping Considerations
Select Compensating Controls
Assign Security Control Parameter Values
Supplement Security Control Baselines
Provide Additional Specification Information for Control Implementation

Slide #1-29: Risk Assessment Process
Prepare using framework
Identify threat sources and events
Identify vulnerabilities and predispositions
Determine likelihood of occurrence
Determine magnitude of impact
Determine risk
Communicate results
Maintain assessment

Slide #1-30: Key Points
Security is all about risk management
  – There are no absolutes!
Important to identify assets, processes
  – Know what you are trying to protect and why!
Important to how threats, vulnerabilities
  – What can go wrong? How likely?
Impact and likelihood lead to tradeoffs
  – Selection and implementation of controls
Security is not an event, it is a process!

