© 2003 by Carnegie Mellon University
page 1: Information Security Risk Evaluation for Colleges and Universities
Carol Woody, Senior Technical Staff, Software Engineering Institute, Carnegie Mellon University

page 2: Copyright Statement
Copyright Carol Woody. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

page 3: Objectives
- Internet Context
- Security Risk Management
- Information Security Risk Evaluation using the OCTAVE® Approach

page 4: Internet Context

page 5: The Old ’Net

page 6: The New ’Net
Source: labs.com/who/ches/map/gallery/index.html

page 7: Unwarranted Trust
- Address spoofing
- Viruses & worms
- Denial of service attacks
- Packet sniffing
- Password cracking

page 8: All Sites are Potentially Vulnerable
- Design vulnerabilities
- Implementation vulnerabilities
- Configuration vulnerabilities
- Resource vulnerabilities
- User vulnerabilities
- Business process vulnerabilities

page 9: Growth in Number of Vulnerabilities Reported to the CERT/CC

page 10: Attack Impact v Intruder Knowledge
Source:

page 11: Statistics from IT Security
CSI & FBI 2003 Computer Crime and Security Survey:
- 78% of 530 respondents detected Internet security breaches
- 30% detected internal security breaches

page 12: Statistics from IT Security
Likely sources of attack:
- Independent hackers
- Disgruntled employees (current & former)
- Competitors
- Foreign governments & corporations

page 13: Protection Responses
Implement effective security practices:
- Firewalls
- Intrusion detection
- Encryption and authentication
- Software upgrades and patching
- Self-hacking

page 14: Protection is Incomplete
Security management requires a plan to recognize, resist, and recover.
- Hackers are running programs on the Internet at all times looking for security holes (technical vulnerabilities).
- People using the Internet are unaware of the risks (organizational vulnerabilities).

page 15: Selecting Security Practices - 1
- What do you need to protect?
- What will protection failure mean?
- What vulnerabilities exist in your environment?
- How much protection can you afford?

page 16: Selecting Security Practices - 2
Technical Vulnerability Management:
- Focus is primarily on technology
- Led by external experts
- Driven by software vendor information
- Accurate for a very limited timeframe

page 17: Selecting Security Practices - 3
Security Risk Management:
- Led by the organization
- Defines and prioritizes the risks based on organizational goals
- Includes security issues in the planning, policy and procedures of the organization
- Considers a wider range of risks

page 18: Security Risk Management

page 19: Risk Management
- Each organization must “own” its risk.
- Each organization has a unique set of information security risks.
- Information security risks can affect an organization’s ability to meet its mission.

page 20: Organizational Gap

page 21: Multiple Perspectives of Security
Internal and external participants:
- Information technology (IT) staff
- Employees
- Managers
- Contractors
- Service providers
- Partners and collaborators

page 22: Risk Management Regulations
Regulations may mandate security risk management:
- Health Insurance Portability and Accountability Act (HIPAA) for health care organizations
- Gramm-Leach-Bliley Act for financial organizations

page 23: Risk Aware Culture
- Information security risks cannot be addressed if they aren’t communicated to and understood by the organization’s decision makers.
- Everyone must be able to identify and respond to security risks.

page 24: Risk - 1
Risk: the possibility of suffering harm or loss.
Risk consists of:
- an event
- a consequence
- uncertainty

page 25: Risk - 2
- Event
- Consequence
- Uncertainty

page 26: Risk - 3
Risk components:
- Threat
- Actor
- Asset
- Organizational vulnerabilities
- Technology vulnerabilities
- Impact on organization
Shown against the three elements of risk: Event, Consequence, Uncertainty.

page 27: Effective Risk Management
Effective information security risk management requires:
- a systematic process
- experience and expertise
- information (e.g., risks, lessons learned)
- a risk-aware culture

page 28: Information Security Risk Management Framework

page 29: The OCTAVE® Approach
Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University.
SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

page 30: Establish a Shared Risk Language

page 31: OCTAVE Approach
Use OCTAVE to identify, analyze, and plan security risk management.

page 32: OCTAVE Phases
OCTAVE is structured into the following three phases:
- Phase 1: Build Asset-Based Threat Profiles
- Phase 2: Identify Infrastructure Vulnerabilities
- Phase 3: Develop Security Strategy and Plans

page 33: (no text captured)

page 34: OCTAVE Analysis Team
An interdisciplinary team consisting of:
- teaching and administrative staff
- information technology staff

page 35: Catalog of Security Practices
- Security Practice Survey
- OCTAVE Catalog of Practices
- Protection Strategy
- Mitigation Plan

page 36: Catalog Structure

page 37: Strategic Practice Areas

page 38: Operational Practice Areas
- System and Network Management
- System Administration Tools
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Vulnerability Management
- Encryption
- Security Architecture and Design
- Incident Management
- General Staff Practices
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security

page 39: Outputs of the OCTAVE Approach
- Protection Strategy: defines organizational direction
- Mitigation Plan: plans designed to reduce risk
- Action List: near-term action items

page 40: OCTAVE Method
- Focused on large-scale (300 or more employees) or complex organizations
- A systematic, context-sensitive method for use across the organization, involving multiple organizational levels and IT
- Uses open-ended “essay” worksheets for information collection
- Requires a moderate level of security expertise

page 41: OCTAVE-S
- Focused on small (less than 100 employees) or simple organizations
- Requires the analysis team to have a full, or nearly full, understanding of the organization and what is important
- Uses “fill-in-the-blank” worksheets in a structured process
- Requires less security expertise

page 42: Key Selection Question - 1
Does the analysis team (i.e., 3-5 people) have sufficient insight into the organization to characterize the information security risks affecting the organization?

page 43: Key Selection Question - 2
Does the organization have the capability (security expertise) to conduct the Phase 2 vulnerability evaluation?

page 44: (no text captured)

page 45: OCTAVE Information
- Visit (web address missing from the transcript)
- Introduction to the OCTAVE® Approach
- OCTAVE® Method Implementation Guide
- OCTAVE®-S (preliminary version)

page 46: Additional Options
- OCTAVE® Transition Partners: licensed to train and assist organizations in using the OCTAVE Approach
- Book: Managing Information Security Risks: The OCTAVE SM Approach
- Public Training at the SEI

page 47: Questions?