
1 Certification and Accreditation, CS-7493-01, Unit 4: Risk Management
Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah


2 Acknowledgement
- DoD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
- DoD 8510.1-M, DITSCAP Application Manual
- Risk Management Guide for Information Technology Systems, NIST (SP 800-30)
- Basic Risk Management for DoD
- E-commerce Risk Management slides (Dr. Hale, CS slides)
- Risk Management within an IT System Environment, Communications Security Establishment (CSE), Canada

3 Overview
- General definitions
- Risk management process
- C&A

4 What is a Threat?
A threat is any circumstance or event with the potential to cause harm to an information system (IS) through:
- unauthorized access
- destruction
- disclosure
- modification of data
- denial of service

5 What is a Vulnerability?
A vulnerability is a weakness in an IS's security procedures, internal controls, or implementation that a threat could exploit.

6 So, What is Risk?
Risk combines two notions: the harm that a specific event (a threat) would cause, and the likelihood that the harm actually happens (the threat exploiting a vulnerability). A threat with no exploitable vulnerability, or a vulnerability that no threat can reach, contributes little risk.

7 What is Residual Risk?
Residual risk is the portion of risk that remains after security measures (countermeasures) have been applied.

8 Risk Management
Definition: the process of
- identifying risk,
- assessing risk, and
- taking steps to reduce risk to an acceptable level (the residual risk).

9 Risk Management Cycle
(Figure: the six steps of the cycle, in order)
1. Understand mission objectives
2. Understand security needs (services)
3. Characterize risk posture (threat analysis)
4. Characterize what can be done (countermeasures)
5. Decide what will be done
6. Implement decided actions

10 Mission Is Everything
- The mission defines the value of each component: people, equipment, information systems, facilities
- The mission is the guiding force for determining risk
- The organization's mission must be understood by the risk management team
- Information systems (IS) play a critical role in supporting the mission

11 Information System: Definition
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (NTISSI No. 4009).

12 Information System Assets
- Hardware: PCs, servers, cables, disk drives, routers
- Software: programs, utilities, operating systems
- Data and information: created, processed, stored (including databases), in transit, and removed
- People: users, and the people needed to run the systems
- Documentation: of programs, hardware, systems, local administrative procedures, and the system as a whole
- Supplies: paper, forms, ribbons, magnetic media

13 Risk Management Cycle (steps covered so far)
- Understand mission objectives
- Understand security needs (services)

14 ITSEC Class Characteristics
(Figure: a blank matrix to be filled in for the system under review)
Rows (characteristics): Interfacing Mode, Processing Mode, Attribution Mode, Mission-Reliance Factor, Accessibility Factor, Accuracy Factor, Information Categories
Columns (what each characteristic is assessed against): Operation, Data, Infrastructure, System Alternatives

15 ITSEC Classification: Mission Reliance on the IS
The Mission Reliance Factor is the degree to which mission success depends on the system's operation, data, or infrastructure:
- None: the mission is not dependent on the specific aspect
- Cursory: the mission is incidentally dependent on the specific aspect
- Partial: the mission is partially dependent on the specific aspect
- Total: the mission is totally dependent on the specific aspect
Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IS-related risk.

16 ITSEC Classification: Security Characteristics
Each security characteristic is rated by its mission-reliance alternative:
- Confidentiality: Sensitive, Classified, Special Access
- Availability: Reasonable, Soon, ASAP, Immediate
- Integrity (accuracy): NA, Approximate, Exact
- Accountability (attribution): None, Rudimentary, Basic, Comprehensive

17 Mission Trees
(Figure: a mission tree; each leaf is assessed for confidentiality, integrity, and availability)
Missions
- Deploy
  - Warning Order (C, I, A)
  - Movement Order (C, I, A)
- Develop Equipment
  - Performance Characteristics (C, I, A)
  - Patentable Characteristics (C, I, A)

18 Risk Management Cycle (steps covered so far)
- Understand mission objectives
- Understand security needs (services)
- Characterize risk posture (threat analysis)

19 Threat Analysis: Sources
- Threat agent: the individual or thing responsible
  - Adversarial (hackers and spies)
  - Non-adversarial (recreational hackers and accidents)
  - Disasters (floods and power outages)
- Attack: the sequence of steps taken to cause an event
- Finding vulnerabilities

20 Threat Analysis: Basic Process
1. Identify/define the mission
2. Determine the required security services
3. Build a theory of adversarial behavior
   - Identify potential adversaries
   - Determine adversary intentions and characteristics
   - Determine adversary strategies
4. Identify attack scenarios
5. Match adversary behavior with attack scenarios

21 Threat Analysis: Mission Security Requirements
- Threat: the potential for harm, in three dimensions: confidentiality, integrity, and availability
- Confidentiality
  - Is the information valuable to adversaries?
  - What are the consequences of a leak within 1 minute, 1 hour, 1 day, 1 week?
- Integrity
  - How dependent is the mission on the accuracy of the data?
  - What are the consequences of an integrity breach?
- Availability
  - How dependent is the mission on access to the data and services?
  - What are the consequences of unavailability, as a function of time?
  - Are there alternative modes of operation?

22 Risk Management Cycle (steps covered so far)
- Understand mission objectives
- Understand security needs (services)
- Characterize risk posture (threat analysis)
- Characterize what can be done (countermeasures)

23 Countermeasures: Characterize Options
- What is the impact of specific attacks on the mission?
- Which vulnerabilities may permit successful attacks?
- Where should resources be expended to achieve the greatest reduction in risk?
- Avoid the tendency to view vulnerabilities in isolation: one attack may chain several of them, and one countermeasure may close several at once.

24 Countermeasure Selection
- Enumerate the countermeasure possibilities
- Characterize the countermeasure options
- Compare the options
- Determine the resulting change in risk
- Weigh cost against benefit

25 Countermeasures: Factors to Consider
- Security mechanisms
- Physical security
- Personnel security
- Administrative security
- Media security
- Life-cycle controls
A countermeasure may itself change the initial design or mission.

26 Risk Management Cycle (steps covered so far)
- Understand mission objectives
- Understand security needs (services)
- Characterize risk posture (threat analysis)
- Characterize what can be done (countermeasures)
- Decide what will be done

27 Risk Analysis: Options and Decisions
- Overriding goal: mission success
- Options are weighed in terms of cost versus benefit
- Identify the pros and cons of each course of action
- Decision options:
  - Reduce risk (apply countermeasures)
  - Accept risk (live with the residual risk)
  - Avoid risk (change the design or mission so the exposure no longer exists)
  - Transfer risk (shift the consequence to another party)

28 Countermeasures: Costs/Benefits
(Figure: likelihood of successful attack before countermeasures, plotted against mission impact, high/low on each axis; options 1 and 2 move the risk from point 1A toward point 1B)
Costs:
- Dollars
- Additional people resources
- Lost system functionality
- Time
Benefits:
- Improved mission success

29 What is Acceptable?
- Will we have 100% effectiveness? No. For each vulnerability: was it eliminated, reduced, or left in place?
- For the vulnerabilities remaining: what are they, and why are they still there?
- Is the residual risk acceptable?
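The slides on risk (6), residual risk (7), countermeasure selection (24), cost versus benefit (28) and acceptability (29) describe one calculation without ever carrying it out. The following is an added example, not part of the original deck: a small risk register that scores each threat/vulnerability pair, searches the affordable subsets of countermeasures for the one that removes the most risk, and then states per risk whether the residual is acceptable. The likelihood/impact weights and the Low/Medium/High bands follow NIST SP 800-30 (the Risk Management Guide the deck cites); the "acceptable equals Low" threshold, the four sample risks and the countermeasure costs are constructed assumptions.

```python
"""Risk register with cost/benefit countermeasure selection (added example).

Assumptions, not from the slides: likelihood/impact weights and risk bands
follow NIST SP 800-30 (2002), Tables 3-4 and 3-6; the acceptable residual
level, the sample risks and the countermeasure costs are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # SP 800-30 Table 3-4
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}
ACCEPTABLE = "Low"   # assumed DAA threshold: residual risk must be Low


@dataclass(frozen=True)
class Risk:
    rid: str
    threat: str         # threat agent and event (slides 4 and 19)
    vulnerability: str  # weakness the threat exploits (slide 5)
    asset: str          # asset class from slide 12
    service: str        # security service at stake: C, I or A (slide 21)
    likelihood: str
    impact: str


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int           # constructed dollar figure
    reduces: tuple      # (risk id, likelihood after the measure) pairs


def score(likelihood: str, impact: str) -> float:
    """Risk = likelihood of the event * harm it causes (slide 6)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def level(s: float) -> str:
    """SP 800-30 Table 3-6 bands: 1-10 Low, >10-50 Medium, >50-100 High."""
    if s > 50:
        return "High"
    if s > 10:
        return "Medium"
    return "Low"


def residual(risks, chosen) -> dict:
    """Residual risk per item (slide 7): each risk keeps the lowest likelihood
    any chosen countermeasure gives it; impact is left unchanged."""
    out = {}
    for r in risks:
        lk = r.likelihood
        for cm in chosen:
            for rid, new_lk in cm.reduces:
                if rid == r.rid and LIKELIHOOD[new_lk] < LIKELIHOOD[lk]:
                    lk = new_lk
        out[r.rid] = score(lk, r.impact)
    return out


def select(risks, options, budget):
    """Exhaustive cost/benefit search (slides 24 and 28): the subset of
    countermeasures within budget that removes the most total risk.
    Whole subsets are scored, so a control covering several vulnerabilities
    is credited for all of them (slide 23). 2**n subsets: fine for a small register."""
    baseline = sum(residual(risks, ()).values())
    best, best_gain = (), 0.0
    for k in range(len(options) + 1):
        for combo in combinations(options, k):
            if sum(c.cost for c in combo) > budget:
                continue
            gain = baseline - sum(residual(risks, combo).values())
            if gain > best_gain:
                best, best_gain = combo, gain
    return best, best_gain


def decide(risks, chosen) -> dict:
    """Per-risk statement for the Certifier/DAA (slides 27 and 29): accept the
    residual risk, or flag it for further reduction, avoidance or transfer."""
    return {
        rid: "Accept" if LEVEL_ORDER[level(s)] <= LEVEL_ORDER[ACCEPTABLE]
        else f"Not acceptable ({level(s)}): reduce further, avoid or transfer"
        for rid, s in residual(risks, chosen).items()
    }


# Constructed sample register and countermeasure catalogue.
RISKS = (
    Risk("R1", "adversarial: remote attacker gains unauthorized access",
         "unpatched internet-facing service", "Software", "C", "High", "High"),
    Risk("R2", "non-adversarial: operator accidentally deletes records",
         "no change control on the production database", "Data", "I", "Medium", "High"),
    Risk("R3", "disaster: power outage takes the server room down",
         "no UPS or generator", "Hardware", "A", "Low", "High"),
    Risk("R4", "adversarial: insider copies sensitive data to removable media",
         "USB ports unrestricted", "Data", "C", "Medium", "Medium"),
)
OPTIONS = (
    Countermeasure("Patch management plus host firewall", 20_000, (("R1", "Low"),)),
    Countermeasure("Change control with peer review and backups", 15_000, (("R2", "Low"),)),
    Countermeasure("UPS and generator", 30_000, (("R3", "Low"),)),  # R3 already Low: no gain
    Countermeasure("Endpoint media control", 12_000, (("R4", "Low"), ("R1", "Medium"))),
)

if __name__ == "__main__":
    chosen, gain = select(RISKS, OPTIONS, budget=40_000)
    print("chosen:", [c.name for c in chosen], "| risk removed:", gain)
    for rid, verdict in decide(RISKS, chosen).items():
        print(rid, verdict)
```

With a 40,000 budget the search picks patching plus change control (130 points of risk removed), leaves R4 at Medium, and reports it as not acceptable: that is the residual-risk statement slide 29 asks for, and the point at which the DAA must decide to fund more, accept, avoid or transfer. The "UPS and generator" entry shows the other failure mode, spending on a risk that is already within tolerance.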

30 Security Risk Management Process
(Figure from the Government of Canada, Communications Security Establishment (CSE))

31 Overview
- Definitions
- Risk Management (RM) process
- RM in the C&A process: Phase 1, Phase 2, Phase 3, Phase 4
- Conclusion

32 Certification
Certification is the comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

33 Accreditation
Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode, using a prescribed set of safeguards, at an acceptable level of risk.

34 Risk Management Cycle (complete)
1. Understand mission objectives
2. Understand security needs (services)
3. Characterize risk posture (threat analysis)
4. Characterize what can be done (countermeasures)
5. Decide what will be done
6. Implement decided actions

35 Security Risk Management Process
(CSE figure, repeated from slide 30)

36 SSAA
- The System Security Authorization Agreement (SSAA) is a formal agreement among the DAA(s), the Certifier, the user representative, and the program manager.
- It is used throughout the entire DITSCAP to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify potential solutions, and maintain operational system security.

37 Who Are the Players in C&A?
- Designated Approving Authority (DAA)
- Certification Authority (Certifier)
- Program Manager (PM)
- User Representative
- Information System Security Officer (ISSO)

38 Certification Authority (Certifier)
- The Certifier is the individual responsible for making a technical judgment of the system's compliance with stated requirements, identifying and assessing the risks of operating the system, coordinating the certification activities, and consolidating the final certification and accreditation package.
- The Certifier recommends one of four certification levels:
  - Level 1: Basic Security Review
  - Level 2: Minimum Analysis
  - Level 3: Detailed Analysis
  - Level 4: Comprehensive Analysis

39 Designated Approving Authority (Accreditor)
The Accreditor is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

40 Phase 1: Definition
(Figure: Document mission need -> Preparation -> Registration -> Negotiation -> Agreement? If no, return to negotiation; if yes, the SSAA is signed.)

41 Phase 1 Risk Management
- Preparation: the documentation is reviewed to understand the mission objectives.
- Registration:
  - Potential threats are described, and the points at which a failure affects confidentiality, integrity, or availability (C, I, A) are stated.
  - System criticality, and the risk that is acceptable for the system in meeting its mission responsibilities, are defined.
  - System criticality should consider the impact if the system were not operational: loss of life from system failure, inability to meet contingencies, damage to credibility, and danger to national security. System criticality determines how much risk is acceptable.
  - The Certifier reviews this and, upon agreement of the players, develops the draft SSAA and gives it to the DAA.

42 Phase 1 Risk Management (continued)
- Negotiation:
  - A Certification Requirements Review is performed, and the players agree on the security requirements, the level of effort, and the schedule.
  - After DAA approval, the system is checked for readiness to enter Phase 2.

43 Phase 2: Verification
(Figure: from Phase 1 Definition -> System Development -> Certification Analysis -> Pass? If no, revise the system and the SSAA; if yes -> Ready for Certification? If no, loop back; if yes -> Phase 3 Validation.)

44 Phase 2 Risk Management
- SSAA refinement: if there has been a significant delay since the completion of Phase 1, or new people have joined the C&A process, the SSAA should be reviewed in detail.
- System development: verifies that the requirements in the SSAA are met in the evolving system before it is integrated into the operating environment.

45 Phase 2 (continued)
- Certification analysis
  - Vulnerability assessment: the security vulnerabilities and the residual risk are evaluated, and countermeasures are recommended by the Certifier.
  - Output: a vulnerability assessment report, prepared by the program manager.
- The Certifier checks whether the system is ready for certification.
- The DAA reviews the system for compliance with the SSAA.

46 Phase 3: Validation
(Figure: from Phase 1 Definition (SSAA) -> Certification Evaluation of the Integrated System -> Develop Recommendation -> Certify System? If no, back to the SSAA; if yes -> Accreditation Granted? If no, back to the SSAA; if yes -> Phase 4 Post-Accreditation.)

47 Phase 3 Risk Management
- Security Test and Evaluation (ST&E): performed by the Certifier to provide sufficient evidence of the amount of residual risk.
- Risk management overview:
  - assess the overall system, its security design, and the threats
  - ensure that the risks to C, I, and A are acceptable
- For each risk, the Certifier states whether to accept it, reject it, or require modifications.
- The Certifier issues the system certification.

48 Phase 3 Risk Management (continued)
The Certifier may do one of the following:
- Recommend that the IS not be accredited
- Recommend that the IS be accredited
- Uncover security deficiencies but still judge that short-term operation of the system is within the bounds of acceptable risk; in that case the Certifier may recommend an Interim Approval to Operate (IATO), with the understanding that the deficiencies will be corrected within a period specified by the DAA

49 Phase 4: Post-Accreditation
(Figure: a loop of System Operation and Compliance Validation with two decisions, "Validation required?" and "Change required?"; a required change returns the system to Phase 1 Definition and the SSAA.)

50 Phase 4 Risk Management
- System operation: analyze known and new threats to see whether the system still protects against all of them.
  - The user representative oversees system operation and reports threats, vulnerabilities, and security incidents.
  - The program manager reports changes in the threats.
- Compliance validation: ensures that the IS still complies with the security requirements and the threat assessment.

51 Phase 4 (continued)
- ISSO:
  - reviews the mission statement periodically
  - maintains integrity and initiates C&A again if necessary
- The DAA reviews proposed changes (changes in security policy, changes in the IT mission).
- C&A ends only with system termination.

52 Conclusion
- IS risks may not be completely eliminated by countermeasures and safeguards; what remains is the residual risk, which must be at an acceptable level.
- The Certification and Accreditation process is a continuous process.

53 Questions

