Process for Analysis  Choose a standard / type  Qualitative / Quantitative Or  Formal / Informal  Select access controls  Match outcome to project objectives  Provide guidance for improvement

Outcome Framework Example  Build Asset-based Threat profiles  Identify Infrastructure vulnerabilities  Develop security strategy and plans  Measure adherence to policies…?  Recommend mitigation strategies

Build Profiles  Profiles are guides to help frame recommendations –Threat –Vulnerability –Exposure –Assets –Value –Processes –Etc..  Good way to organize information- current state

Identify Vulnerabilities  CVE  ICAT  Cassandra  Vendor tools  “SANs / ISO, FMEA, Best practices”  Can be administrative, personnel, technical or physical

Develop Strategy  This is the “value” of the final deliverable  Make suggestions for areas of improvement  DO NOT RELY ON VENDOR TOOLS  Research like crazy- contact support network  Make sure easy to digest and accomplish

Context  How do you determine what is “at risk” and what is not?  Low, medium, high  Scale of 1-10  Red, Yellow, green  Ultimately comes down to applying the threat profile to the asset- to determine level of risk

Risk Assessment Planning Overview Session #7

RA Process Elements  Identify Organizational Information  Build Asset-based Threat Profiles  Identify Infrastructure Vulnerabilities  Develop Protection Strategy OCTAVE Methodology

Identify Organizational Information  Identify information-related assets  Selects those that are most critical to the organization  Evaluate current security practices to identify what the company is doing well  Identify which practices are missing or inadequate

Build Threat Profiles  Identify security requirements for critical assets  Identify threats to those assets  Based on business mission of organization

Infrastructure Vulnerabilities  Identify components to evaluate  Develop a vulnerability management practice  Find problems linked with technology and processes

Develop Protection Strategy  Identifies risks to the organization’s critical assets  Evaluates the risks to establish a value for the resulting impact on the assets  Decision is made to accept of mitigate each risk  Selects highest priority actions  Develop the protection strategy for priorities

Risk Assessment / Management Decision Process

Objects of the RA  Mission  Systems Description  Assets  Sensitivity  Criticality  Vulnerabilities  Threats  Safeguards

RA Planning  Figure out where data needs to come from: –Info needed before on site visit –Collect info from public sources –Work on WBS tasks –Decide interview schedule and personnel  Stay true to SOW –Watch time investment –Always match actions to goals –Avoid SOW creep

Pre Site Visit Goals  Confirm Client’s goals with delivery team  Connect Sponsor with delivery team lead  Establish escalation procedures and contact personnel  Goal is to get client comfortable with: –Approach –Needs –Consultants doing work –Process for moving project to conclusion

Pre Site Visit Information  Policies  Infrastructure Architecture Drawing / maps  Administrator passwords  Org Chart  Secure workspace  Budget information  Mission statements

Document Review  Access Logs - System, Maintenance, and Visitor  Incident Reports  Documents - Plans, Policies, and Procedures  Previous Risk Assessments  Continuity of Operations Plans  Contingency Reports  Directories  Inventory Records  Floor Plans  Organization Charts  Mission Statements  System and Network Configurations

On Site Process  Hold meeting ASAP to introduce players and state objectives and discuss process  Collect information requested in pre-site visit process  Discuss interview process, scheduling and targets: –Line up personnel to interview –Have questions already prepared –Run interviews in parallel to other data collection techniques

Initial On Site Process  Need to discuss facility access: –After hours building access needed –Normal business hours access required –Badges may be needed- get them –Understand departmental work hours –Get facilities tour:  Restrooms  Cafeteria  Sponsor’s office  Work Area  Off limit areas

Initial On Site Activity  Start scans  Arrange interviews  Perform facility walkthrough  Examine Policies  Dumpster dive  Printers output trays  Open desk areas