CERN IT Department, CH-1211 Genève 23, Switzerland (www.cern.ch/it)
ITIL and Business Continuity (Service Perspective)
Hepix 2012 Conference, Prague, 23-27 April 2012


ITIL and Business Continuity (Service Perspective)
Hepix 2012 Conference, Prague, April 2012
Patricia Méndez Lorenzo, Mats Moller, on behalf of the (IT&GS) Service Management team

Outline
- ITIL Principles
- Risk Management in ITIL
- Elements of Risk Management
- Quantification of Risks: Risk Assessment Method
- Examples applied to CERN functions
- Summary and plans
- Outlook

ITIL Principles
Business and Service Continuity Management require a formal analysis of the risks affecting the services or the business.
ITIL processes involved: Service Continuity Management and Availability Management
- Establishment of a Continuity & Availability Plan through:
  - Risk Assessment
  - Critical Services identification
(Diagram: Incident Management, Change Management and Service Level Management feed the risk analysis.)

Risk Management in ITIL
Purpose of the process:
- Identification and quantification of risks
  - To ensure the provision of CERN services
  - To protect CERN business interests and assets
  - To support and maintain CERN's reputation
  - In short: protect the organization's ability to perform its business
- Application of (cost-)justifiable countermeasures ensuring the availability of the services
Risk management is an essential management function, not just a technical process.
(Diagram: Assets, Vulnerabilities and Threats combine into Risks, which Countermeasures address.)

Elements of Risk Management
Risk equation: R = f(A, V, T), where:
- A = Asset (in some cases considered as 'cost')
  - Anything that contributes to the delivery of a service; anything with a certain value
  - Examples: people, data, applications
- V = Vulnerability
  - A weakness that can be accidentally triggered or intentionally exploited
  - Example: single points of failure (SPOF)
- T = Threat
  - Anything that might exploit a vulnerability
  - Examples: terminated employees, the airport close to CERN
Little can be done about the threats themselves; the vulnerabilities, however, are under our control, and that is where countermeasures apply.

Quantification of Risks
Aim of a formal approach:
- Identification of the risks affecting the services
- Application of countermeasures based on the impact in case of failure
  - Reduction of the risk likelihood, severity and unpredictability
Procedure:
- Qualitative and quantitative evaluation of the risk-function variables
- Business Impact Analysis (BIA) procedures, which identify the critical services
- Definition of countermeasures based on:
  - Cost justification
  - Impact
  - Acceptance threshold

Risk Assessment Method
1. IDENTIFICATION: risk-equation variables and analysis of the available controls
2. CALCULATION: likelihood determination and impact analysis
3. RISK DETERMINATION: risk-level matrix or risk evaluations
4. COUNTERMEASURES: necessary actions and control recommendations
Results are DOCUMENTED at each step.

STEP 1: Identification of variables (source: the SERVICE CATALOGUE)
ASSET
- Input: hardware, software, people, data, applications; critical services
- Output: understanding of the system boundary and criticality
THREAT
- Input: security reports, incident (INC) reports
- Output: understanding of threat sources
VULNERABILITY
- Input: security tests and checklists, audit results
- Output: list of weaknesses; vulnerability/threat pairs

Our source of information: the Service Catalogue
To define Assets:
- Specific value of each Service Element (SE) for the organization
  - Identification of critical services
  - Evaluation of the cost in case of loss of a service
To define Threats:
- Individual threats affecting the Functional Elements (FE), and hence the organization
To define Vulnerabilities:
- Known weak points against the defined threats
Define Threat/Vulnerability pairs (relations):
- In association with the assets
(Diagram: Assets (SE, FE), Threats and Vulnerabilities, rated A/B/C, combine into Risks; Countermeasures address them.)

STEP 1: Vulnerability/Threat pairs
Identification of vulnerability/threat pairs; this identification is necessary to quantify the risk.

Vulnerability                                             | Threat source                | Description
Terminated employees' IDs are not removed from the system | Terminated employees         | Dialing into the company's network and accessing the systems
Guest ID is enabled on the servers                        | Unauthorized users (hackers) | Unauthorized users can access data
Single point of failure: no redundant expertise           | Sickness                     | Experiment cannot apply a specific patch...

STEP 2: Risk calculation
The elements identified in Step 1 need to be evaluated in terms of likelihood and impact:
- Likelihood depends on the threat source and the vulnerability level (e.g. High, Medium, Low): L = f(T, V)
- Impact depends on the criticality and the asset (e.g. High, Medium, Low): I = f(C, A)
Existing mitigating security controls should be taken into account when rating the likelihood.
Risk = Likelihood x Impact

Example of a basic risk matrix:

Likelihood \ Impact | Low (10) | Medium (50) | High (100)
High (1.0)          | Low = 10 | Medium = 50 | High = 100
Medium (0.5)        | Low = 5  | Medium = 25 | Medium = 50
Low (0.1)           | Low = 1  | Low = 5     | Low = 10

Read off the matrix, the risk level is High for a score above 50, Medium for a score above 10 and up to 50, and Low for 10 or below.

STEP 3: Risk Determination

Vulnerability                                             | Threat source                | Description                                                  | Controls                     | Likelihood | Impact  | Risk level
Terminated employees' IDs are not removed from the system | Terminated employees         | Dialing into the company's network and accessing the systems | Account locked after 90 days | L (0.1)    | H (100) | L (10)
Guest ID is enabled on the servers                        | Unauthorized users (hackers) | Unauthorized users can access data                           | None                         | H (1.0)    | H (100) | H (100)
Single point of failure: no redundant expertise           | Sickness                     | Experiment cannot apply a specific patch...                  | None                         | M (0.5)    | M (50)  | M (25)

Note that the first row is rated Low only because the existing control (account lock after 90 days) is credited in the likelihood; without it the same pair would score much higher.
A complete risk determination will include both qualitative inputs and the risk assessment based on the risk matrix.

STEP 4: Countermeasures
Formal establishment of actions based on the risk assessment, towards risk mitigation:
- Effectiveness and costs

Risk level | Countermeasures
High       | Strong need for measures, to be put in place ASAP
Medium     | Plan developed within a reasonable period of time
Low        | Can we accept the risk and do nothing?
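Once the likelihood and impact ratings are fixed, Steps 2 to 4 can be carried out mechanically. The following Python script is an added example, not code from the CERN Service Management team: it builds the risk matrix from the two scales on the Step 2 slide, scores the three vulnerability/threat pairs of the Step 3 table (with the likelihood rating given after existing controls are credited), orders the register by decreasing risk and attaches the Step 4 recommendation. The register entries are transcribed from the Step 3 table; the cut points separating High, Medium and Low (above 50, above 10, otherwise) are read off the slide's matrix and are an assumption, as the slide does not state them explicitly.

```python
"""Steps 2-4 of the risk assessment method: Risk = Likelihood x Impact,
classified with the 3x3 matrix of the Step 2 slide, then mapped to the
Step 4 countermeasure recommendation. Added example, not CERN code.
"""
from dataclasses import dataclass

# Scales from the Step 2 slide
LIKELIHOOD = {"H": 1.0, "M": 0.5, "L": 0.1}
IMPACT = {"L": 10, "M": 50, "H": 100}

# Step 4 recommendations per risk level
ACTION = {
    "High": "Strong need for measures, to be put in place ASAP",
    "Medium": "Plan developed within a reasonable period of time",
    "Low": "Candidate for risk acceptance (do nothing, but record the decision)",
}


@dataclass
class RiskItem:
    vulnerability: str
    threat_source: str
    description: str
    controls: str      # existing mitigating controls, already reflected in `likelihood`
    likelihood: str    # "H", "M" or "L"
    impact: str        # "H", "M" or "L"


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = Likelihood x Impact, using the numeric weights of the slide."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Cut points that reproduce the slide's matrix (assumed):
    100 -> High; 50 and 25 -> Medium; 10 and below -> Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """The full 3x3 matrix, keyed [likelihood][impact] -> (score, level)."""
    return {
        lk: {im: (risk_score(lk, im), risk_level(risk_score(lk, im))) for im in IMPACT}
        for lk in LIKELIHOOD
    }


def assess(items: list) -> list:
    """Step 3 + Step 4: score every item and return the register ordered by
    decreasing risk, so the Step 4 table is applied to the top entries first."""
    rows = []
    for it in items:
        score = risk_score(it.likelihood, it.impact)
        level = risk_level(score)
        rows.append({
            "vulnerability": it.vulnerability,
            "threat_source": it.threat_source,
            "controls": it.controls,
            "score": score,
            "level": level,
            "action": ACTION[level],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Register transcribed from the Step 3 slide
REGISTER = [
    RiskItem("Terminated employees' IDs are not removed from the system",
             "Terminated employees",
             "Dialing into the company's network and accessing the systems",
             "Account locked after 90 days", "L", "H"),
    RiskItem("Guest ID is enabled on the servers",
             "Unauthorized users (hackers)",
             "Unauthorized users can access data",
             "None", "H", "H"),
    RiskItem("Single point of failure: no redundant expertise",
             "Sickness",
             "Experiment cannot apply a specific patch",
             "None", "M", "M"),
]


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['level']:6} {row['score']:5.0f}  {row['vulnerability']}  -> {row['action']}")
```

The register stores the likelihood after existing controls, as the Step 3 slide does; to see what a control buys, score the same item twice, once with the pre-control rating and once with the post-control rating, and compare the two levels.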

Examples applied to CERN functions
Assets: CERN facilities
- Examples applied to: EDH, CERN Service Desk
Criticalities (defined as the impact of losing the application):

Criticality | Description    | Factor | Levels
Minor       | Nil            | 1      | Very few people affected; < 1 KCHF
Minor       | Hardly visible | 2      | Several people affected; < 5 KCHF
Minor       | Very limited   | 3      | Small group affected; < 10 KCHF
Average     | Limited        | 4      | People affected > 20; cost < 20 KCHF
Average     | Visible        | 5      | People affected > 50; cost < 50 KCHF
Average     | Significant    | 6      | People affected > 100; cost < 100 KCHF
Major       | Very important | 7      | People affected > 150; cost < 400 KCHF
Major       | Important      | 8      | People affected > 500; cost < 1 MCHF
Critical    | Disastrous     | 9      | People affected > 1000; cost < 10 MCHF
Critical    | Catastrophic   | 10     | People affected > 1000; cost > 10 MCHF; danger to life

Examples applied to CERN functions: threats/vulnerabilities, likelihood calculations and mitigation plans

Likelihood (frequency)      | Factor
No (once in > 10 years)     | Impossible 1; Almost impossible 2; Very unlikely 3
Maybe (once in 5-10 years)  | Unlikely 4; Little plausible 5; Plausible 6; Likely 7
Yes (once in < 1 year)      | Very likely 8; Almost certain 9; Certain 10

Common threat sources:
- Natural threats: floods, electrical storms, etc.
- Human threats: network attacks, errors, malicious software upload, etc.
- Environmental threats: pollution, long-term power failure, etc.

Examples applied to CERN functions: final calculation of risk and recommendations
Threat x Vulnerability = Probability
Probability x Impact = RISK

Threats (factor) | Loss of data: 5 | Viruses: 5 | Hacking: 8 | Strike: 7
Assets           | V   Risk        | V   Risk   | V   Risk   | V   Risk
EDH              |                 |            |            |
Service Desk     |                 |            |            |
(The vulnerability and risk values are not given on the slide.)

Mitigation plans are required for Risk > 200.
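Put together, the criticality scale, the likelihood scale and the formula on this slide give a fully numeric scoring. The script below is an added example, not the CERN team's own tooling: it derives the criticality (impact) factor from the people-affected and cost columns of the criticality table, multiplies threat, vulnerability and impact factors as the slide prescribes, and flags every asset/threat pair strictly above the mitigation threshold of 200. The threat factors are the ones on this slide; the vulnerability factors for EDH and the Service Desk are constructed, since the slide leaves them blank, and two reading rules are assumptions: where a row's people and cost criteria fall in different levels the higher level is taken, and for 20 people or fewer the cost column alone decides, because the slide only gives qualitative wording there.

```python
"""Quantitative risk scoring as on the CERN example slides:
Threat x Vulnerability = Probability, Probability x Impact = Risk,
with a mitigation plan required for Risk > 200. Added example, not CERN code.
"""

# Threat factors from the slide (likelihood scale 1 = impossible ... 10 = certain)
THREATS = {"Loss of data": 5, "Viruses": 5, "Hacking": 8, "Strike": 7}

MITIGATION_THRESHOLD = 200  # slide: "Mitigation plans over Risk > 200"

# Criticality table, cost column: (upper bound in KCHF, factor), strict "<"
COST_BANDS = [(1, 1), (5, 2), (10, 3), (20, 4), (50, 5), (100, 6),
              (400, 7), (1000, 8), (10000, 9)]
# Criticality table, people column: (lower bound, factor), strict ">", tried from the top
PEOPLE_BANDS = [(1000, 9), (500, 8), (150, 7), (100, 6), (50, 5), (20, 4)]

CATEGORY = [(9, "Critical"), (7, "Major"), (4, "Average"), (1, "Minor")]


def cost_level(cost_kchf: float) -> int:
    for bound, factor in COST_BANDS:
        if cost_kchf < bound:
            return factor
    return 10  # > 10 MCHF: Catastrophic


def people_level(people_affected: int) -> int:
    for bound, factor in PEOPLE_BANDS:
        if people_affected > bound:
            return factor
    # 20 people or fewer: the slide only says "very few / several / small group",
    # so the cost column decides (assumption)
    return 1


def criticality_factor(people_affected: int, cost_kchf: float, life_danger: bool = False) -> int:
    """Impact factor 1..10 from the criticality table. When the two columns
    disagree the higher level is taken (assumption)."""
    if life_danger:
        return 10
    return max(people_level(people_affected), cost_level(cost_kchf))


def criticality_category(factor: int) -> str:
    for lower, name in CATEGORY:
        if factor >= lower:
            return name
    raise ValueError("factor must be 1..10")


def risk(threat: int, vulnerability: int, impact: int) -> int:
    probability = threat * vulnerability   # Threat x Vulnerability = Probability
    return probability * impact            # Probability x Impact = RISK


def score_assets(assets: dict, threats: dict = THREATS, threshold: int = MITIGATION_THRESHOLD) -> dict:
    """Fill the assets x threats table: for every pair, V, Risk and whether a
    mitigation plan is required (Risk strictly above the threshold)."""
    report = {}
    for name, asset in assets.items():
        rows = {}
        for threat, t in threats.items():
            v = asset["vulnerability"][threat]
            r = risk(t, v, asset["impact"])
            rows[threat] = {"vulnerability": v, "risk": r, "mitigate": r > threshold}
        report[name] = rows
    return report


def mitigation_plan(report: dict) -> list:
    """(asset, threat, risk) triples that need a plan, highest risk first."""
    needed = [(asset, threat, row["risk"])
              for asset, rows in report.items()
              for threat, row in rows.items() if row["mitigate"]]
    return sorted(needed, key=lambda x: x[2], reverse=True)


# Constructed sample values: the slide names the two assets but leaves V blank
ASSETS = {
    "EDH": {
        "impact": criticality_factor(people_affected=2000, cost_kchf=500),   # 9, Critical
        "vulnerability": {"Loss of data": 3, "Viruses": 2, "Hacking": 4, "Strike": 6},
    },
    "Service Desk": {
        "impact": criticality_factor(people_affected=60, cost_kchf=5),       # 5, Average
        "vulnerability": {"Loss of data": 4, "Viruses": 6, "Hacking": 5, "Strike": 8},
    },
}


if __name__ == "__main__":
    report = score_assets(ASSETS)
    for asset, rows in report.items():
        impact = ASSETS[asset]["impact"]
        print(f"{asset} (impact {impact}, {criticality_category(impact)})")
        for threat, row in rows.items():
            flag = "  MITIGATE" if row["mitigate"] else ""
            print(f"  {threat:13} T={THREATS[threat]} V={row['vulnerability']} Risk={row['risk']}{flag}")
    print("Mitigation plans, by priority:", mitigation_plan(report))
```

With factors of 1 to 10 on all three axes the score ranges from 1 to 1000, so the threshold of 200 corresponds to a probability (T x V) of 20 on a critical asset but already to 40 on an average one; a pair landing exactly on 200 is not flagged, which is the reading of "Risk > 200" used here.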

Summary and Plans
- Risk Management is a crucial process to ensure the continuity of the services and the business
  - A formal approach is needed for consistency, scalability and predictability
- In the Service Management project, we have established some of the fundamental processes that will supply the necessary inputs:
  - Service Catalogue, Incident Management, Change Management and SLM (ongoing)
- Establishment of the risk management process is foreseen in 2012, following a formal ITIL approach that will require the involvement of both Service Owners and Users
- Your feedback and knowledge will be crucial to ensure a continuity plan for all our services