Mission Assurance Risk Management System


1 Mission Assurance Risk Management System
Antiterrorism / Force Protection Assessment Tool Training
Lesson #3: AT/FP Risk Assessments
Trainer: Caleb Jones
Contact:
Supporting Joint Staff J33 via US Army Armament, Research, Development and Engineering Center

2 Course Overview
Scope
Primary: Focus on entering AT/FP risk assessments and managing risks
Delivery method: Lecture and demonstration

3 Terminal Learning Objectives (TLO)
Understand the process of entering an AT/FP risk assessment in EPRM (How)
Understand how to obtain EPRM account, training and help (How)

4 Background on EPRM
EPRM is an Air Force managed, SIPRNET-hosted security risk assessment tool
Guides standards-based assessment to help standardize self-inspections and assessment teams
Contains metrics to calculate risk in T*C*V construct
Classified threat ‘push’ from intel community
Rolls up risk ratings to higher headquarters
Fielded in 2015 as an extension of the pre-existing DoD Operations Security Collaboration Architecture (OSCAR) to address all areas of the Defense Security Enterprise
DoD-wide for OPSEC
Required by DITMAC/OUSD(I) for Component to use EPRM to report status of Insider Threat programs
In use in Air Force for INFOSEC, PERSEC, INDUSTSEC
Air Force partnering in developing AT/FP module, will require use in Oct 2018
Certified by DHS to do off-base AT/FP assessments to Interagency Security Committee (ISC) standards

5 Starting a Risk Assessment
“Start” assessment brings assessors to the workflow (below) to collect data.
Opportunity to ‘copy from’
Each icon takes users to the appropriate screen

6 CD 2 Phase 1 – AT/FP Risk Assessments
The method for conducting an assessment is illustrated in the process model* shown below
It guides users through a standards-based assessment using fillable forms for each step
Profile Organization: Unit Details
Scope Assessment: Tailors Assessment
Identify Assets: Contains asset selections relevant to profiled facilities; Consequence criteria for facility assets
Characterize Threats: Presents list of threats and hazards; Preloaded baseline will allow local tailoring
Conduct Assessment: Library of Benchmarks
Finish Risk Assessment Phase: Locks Assessment; Ready for Analysis
*Risk Assessment: A systematic examination of risk using disciplined processes, methods, and tools. A risk assessment provides an environment for decision makers to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks. (DoDD , Mission Assurance, November 29, 2016)

7 Profile the Organization
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
The Profile screen contains information that:
Filters subsequent screens
Provides ‘hooks’ on which queries can be conducted
Collects data that can be inserted into the MS Word Assessment Report
Mouse-over info bubbles provide guidance

8 Scope the Assessment
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
The Scope screen contains information that:
Filters subsequent screens
Is a data feed for reporting
Characterizes the benchmarks that will apply
Each question uses a pulldown yes/no format
Items grayed out only apply after certain “Yes” responses

9 Asset Identification
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
Select and score assets. Add comments / justifications
Name
Pull-down list / filter of all Asset Groups
Local name of asset
Asset Subcategories
Export to Excel for off-line data entry

10 Asset Characterization
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
‘Yes’ selection triggers questions from UFC (DoD Security Engineering Facilities Planning Manual)
Responses to questions calculate criticality on 0-1 scale
TCAs use pre-scored criticality from authoritative source

11 Threat Selection
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
Threat/hazard assessment is filterable, sortable, printable
Preloaded with regional baseline
Duplicate Selected Threat
Name
Local name of Adversary
Default Adversary Threat Level preloaded by region
Relevant Adversary-Tactic Pairs

12 Threat Characterization
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
‘Yes’ selection triggers questions from UFC
Responses drive 0-1 score
Current ‘baseline’ preloads are available based on region
Each question has a set of pulldown answers

13 Assessing to Benchmark Standards
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
Filterable list of benchmark ‘questions’ with assessor guidance
Export list in Excel for off-line entry & upload
Description / assessor guidance window
Drill-down questions, where appropriate
Observation made. View / edit with icon

14 Finish the Assessment Phase
[Process model: Profile Organization > Scope Assessment > Identify Assets > Characterize Threats > Conduct Assessment > Finish Risk Assessment Phase]
When all benchmarks have been considered, the Assessment is ready to be locked and to proceed to Analysis
Click to lock the assessment for analysis

15 Assessment – Analysis - Response
The MARMS tool provides the systematic process to move from vulnerability assessment to full risk assessment IAW DoD direction.
risk management: A process by which decision makers accept, reduce, or offset risk…is composed of risk assessment and risk response.
risk assessment: A systematic examination of risk using disciplined processes, methods, and tools. A risk assessment provides an environment for decision makers to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks.
risk response: Actions taken to remediate or mitigate risk or reconstitute capability in the event of loss or degradation.
[Process model: Data Collection & Assessment > Analysis, Mitigation, Recommendations > Risk Response > Command Approval]
The following slides will move beyond the assessment to the analysis, mitigation and response to the risks.

16 Analysis and Risk Response
[Process model: Data Collection & Assessment > Analysis, Mitigation, Recommendations > Risk Response > Command Approval]
The Analysis and Mitigation button leads users to a page with multiple options for analysis for vulnerability, risk, and cost, as well as report generation.
Visualizing Vulnerability
Risk Analysis
Cost/Benefit Analysis
Report Generation

17 Communicating Aggregate ‘Vulnerability’
The contribution of individual benchmarks is used to model vulnerability levels to individual threat tactics/hazards.

18 Calculate Risk by Scenario
Risk scenarios viewable on Risk Assessment Tool dashboard
Calculated Risk Score
Threat adversary / tactic with 0-1 scale for severity
Vulnerability to tactic calculated on 0-1 scale
Asset and criticality on 0-1 scale

19 Analyze Risk Contribution of Benchmarks
Mitigation dashboard prioritizes benchmarks based on contribution to risk mitigation
Amount that implementation will reduce overall risk profile
Assessor proposes mitigations and can assign to an individual and provide due date

20 Cost Benefit Analysis
Cost Benefit Analysis (CBA) provides commanders a framework for risk-based allocation of resources
Can be used for Integrated Priority List, POM & budget exercises
Mitigation dashboard ranks benchmarks based on the amount of risk they reduce
If cost estimates are entered for proposed mitigations, system compares the risk reduced per dollar spent
The comparison is a relative calculation that can be done for security measures in a single assessment or across a collection of assessments

21 Cost Benefit Analysis
Total costs and risk reduction per dollar calculated
Drop-downs for status of funding for selected remediation
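
Added example (not part of the original presentation, and not EPRM/MARMS code): a sketch of the scenario risk score and the risk-reduced-per-dollar ranking described on slides 18 to 21. It assumes the T*C*V construct means the product of the three 0-1 scores and that a mitigation removes a fraction of vulnerability to a tactic; the class names, scenarios and costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    tactic: str
    threat: float         # T: severity of adversary/tactic, 0-1
    criticality: float    # C: asset criticality, 0-1
    vulnerability: float  # V: vulnerability to the tactic, 0-1

    def risk(self, v=None):
        # Assumption: risk is the product T * C * V.
        v = self.vulnerability if v is None else v
        return self.threat * self.criticality * v


@dataclass(frozen=True)
class Mitigation:
    benchmark: str
    cost: float        # estimated cost in dollars
    v_reduction: dict  # tactic -> fraction of V removed (hypothetical model)


def risk_reduced(m, scenarios):
    """Total risk removed across every scenario the mitigation touches."""
    total = 0.0
    for s in scenarios:
        cut = m.v_reduction.get(s.tactic, 0.0)
        total += s.risk() - s.risk(s.vulnerability * (1.0 - cut))
    return total


def rank_by_risk_per_dollar(mitigations, scenarios):
    """Return (benchmark, risk reduced, risk reduced per dollar), best value first."""
    rows = []
    for m in mitigations:
        if m.cost <= 0:
            raise ValueError(f"cost estimate required for {m.benchmark!r}")
        reduced = risk_reduced(m, scenarios)
        rows.append((m.benchmark, reduced, reduced / m.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data, not taken from any real assessment.
SCENARIOS = [
    Scenario("Fuel depot", "unauthorized vehicle entry", 0.8, 0.9, 0.5),
    Scenario("Fuel depot", "insider tampering", 0.4, 0.9, 0.5),
    Scenario("Admin building", "unauthorized vehicle entry", 0.8, 0.3, 0.5),
]
MITIGATIONS = [
    Mitigation("Vehicle barriers at gate", 200_000, {"unauthorized vehicle entry": 0.5}),
    Mitigation("Two-person rule at depot", 20_000, {"insider tampering": 0.5}),
]
```

With this data the barrier removes the most risk in absolute terms, but the two-person rule ranks first per dollar, which is the distinction between the mitigation ranking and the cost benefit comparison.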

22 Reports
Output of prioritized mitigations and status of implementation plan
Current and revised by asset
Generate an editable report that contains a combination of:
Boilerplate with system-generated insertions (e.g. dates, installation name)
Tables with system-generated insertions (e.g. team member, asset lists, etc.)
Outputs from risk analysis
Comments, observations and other assessor-entered text

23 Reports
Benchmarks along left & units/installations along top
Reports of risk by unit/installation & benchmark implementation
Relative risk of units / assessments or installations

24 Finalizing a Risk Decision
[Process model: Data Collection & Assessment > Analysis, Mitigation, Recommendations > Risk Response > Command Approval]
Installation personnel can review all proposed mitigations on mitigation dashboard to:
Accept or reject proposed mitigations
Develop proposed implementation schedule
Assign responsibility for a mitigation to installation personnel (automatically generate to them and task added to their dashboard)
Submit completed package for Commander’s approval
Finish the assessment; submit results to commander; recommend mitigations (if any); commander approves the assessment

25 Documenting Recommendations
[Process model: Data Collection & Assessment > Analysis, Mitigation, Recommendations > Risk Response > Command Approval]
Document risk acceptance or reduction
Yes = Accept Risk
No = Reduce Risk
Identify target dates for implementation
Comments
Document recommendation for Commander to either Accept or Reduce overall risks to installation

26 Obtaining Commander’s Approval
[Process model: Data Collection & Assessment > Analysis, Mitigation, Recommendations > Risk Response > Command Approval]
Commander approves assessment results and releases risk decision package
Review risk and mitigations
Review history of assessment
Approve and release

27 Managing Implementation of Decisions
[Process model: Data Collection & Assessment > Analysis, Mitigation, Recommendations > Risk Response > Command Approval]
Finalized assessment results are locked and released
Risk scores update to show progress towards risk goal
Continue to manage implementation of mitigations

28 Attachments Signed reports (and other artifacts) uploaded to assessment

29 User Support (TLO #7)
Requesting Access - the following information to and or (SIPRNET)
Name
Title/Rank
Phone Number (NOT DSN)
Service or Component
Major Command (i.e. MAJCOM or ACOM)
Installation (i.e. base, post)
Unit
NIPR
SIPR
Type of account required: MARMS, OPSEC, IP, DODInt
Accessing system: (SIPRNET)
Help: For assistance and for any questions, please or call Eastern time
Resources: User guides, videos & other materials are available on the EPRMHelp page and on EPRM in the resources section (MARMS users guides are currently being created and will be added soon).

