Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, 18-29 July 2005.


1 Information Systems Risk Analysis and Management
Spyros Kokolakis, University of the Aegean
IPICS 2005, Chios, 18-29 July 2005

2 Much about technology…
Information and Communication Technologies Security
– Networks
– Wireless
– Databases
– Internet
– Smart cards
– Keys
– Cryptography
– Intrusion detection
– …

3 Real world…

4 IS or ICT Security?
Information and Communication Technologies Security
– Confidentiality, Integrity, Availability etc.
Information System
– An Information System comprises five interdependent elements: hardware, software, data, procedures, and people. These elements interact for the purpose of processing data and delivering information.
– An IS exists to serve an enterprise or organization and, consequently, it may only be studied in the context of the organization it serves.

5 Information Systems overview

6 How to fit security in the picture
Having people as part of the system, we can forget any simple solutions.
IS security has no strict definition.
Security is a kind of… feeling
– “Are you secure?” or “Do you feel secure?” What’s the right question?

7 Example: Airport security

8 List of possible measures
1. Scissors etc. not allowed
2. ID check (photo ID must be presented)
3. Only the person named on the ticket can travel
4. X-rays
5. Lighters are not allowed anywhere in the airport (…it’s time to quit smoking)
6. Biometrics
7. Boot your laptop to see if it has a battery
8. Lock the captain’s cabin
9. Armed guards on board
10. Interview all passengers before boarding

9 In such a complex environment…
Total security is out of the question
– People’s behaviour is unpredictable
– We cannot account for all possible threats and we cannot detect all vulnerabilities.
– Security costs money; and also time, people and other resources.
So, what shall we do?

10 Risk analysis & management
We need to employ methods that will allow us to measure the risk associated with the operation of an IS, in order to take measures commensurate with the level of risk.
We need risk analysis and management methods.

11 What is Risk and how to measure it
Risk is determined by the following factors:
– Assets (A)
– Impact (I)
– Threats (T)
– Vulnerabilities (V)
R = f(A, I, T, V)

12 Assets, Impacts, Threats & Vulnerabilities
Assets: what needs protection.
Business impact is the outcome of a failure to protect the assets of the IS.
Threat is any action or event that may cause damage to an Information System.
Vulnerability is a characteristic of the IS that may allow a threat to succeed.

13 Conceptualisation of IS Sec

14 Risk analysis & management

15 Risk management methods
There are more than 100 methods
– CRAMM
– MARION
– SBA
– OCTAVE

16 SBA (Security By Analysis)
Developed in Sweden in the early ’80s
Very popular in Sweden and other Scandinavian countries
Focus on people
– People involved in everyday operations have a better chance to identify problems
A set of methods
– SBA check
– SBA scenario

17 CRAMM
CCTA Risk Analysis and Management Method
Developed in the UK in the late ’80s
Used in many countries; it has been applied in many hundreds of cases
It includes a ‘countermeasures library’

18 CRAMM overview
Stage 1: Initiation and asset valuation
– Model the IS; valuate the assets; management review
Stage 2: Risk assessment
– Identify threats; assess threats and vulnerabilities; calculate risks; management review
Stage 3: Risk management
– Select countermeasures; prioritise countermeasures and schedule implementation; obtain management approval; monitor

19 OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation®

20 What is OCTAVE? A comprehensive, repeatable methodology for identifying risks in networked systems through organizational self-assessment. Helps organizations apply information security risk management to secure their existing information infrastructure and to protect their critical information assets.

21 Goal of OCTAVE
Plan how to apply good security practices to address organizational and technical vulnerabilities that could impact critical assets
– Two versions: one for large organisations (> 300 employees) and one for small organisations
Organizational issues
– Policies or security practices
Technical issues
– Technology infrastructure

22 Information Security Risk Management Framework

23 Mind the gap
Security practice gaps result from an organizational communication gap.

24 OCTAVE is the bridge
OCTAVE is an organizational approach to security risk management.

25 The process

26 OCTAVE Analysis Team
An interdisciplinary team (4-6) consisting of
– business or mission-related staff
– information technology staff


28 Phase 1 – Organizational View
Data gathering of the organizational perspectives on
– assets
– threats to the assets
– security requirements of the assets
– current protection strategy practices
– organizational vulnerabilities
The perspectives will come from
– senior managers
– operational area managers (including IT)
– staff (from the operational areas and IT)

29 Phase 1 Questions
What are your organization’s critical information-related assets?
What is important about each critical asset?
Who or what threatens each critical asset?
What is your organization currently doing to protect its critical assets?
What weaknesses in policy and practice currently exist in your organization?

30 Asset
Something of value to the organization that includes one or more of the following:
– information
– systems
– services and applications
– people
Critical when there will be a large adverse impact to the organization if
– the asset is disclosed to unauthorized people.
– the asset is modified without authorization.
– the asset is lost or destroyed.
– access to the asset is interrupted.

31 Asset protection requirements
Prioritize the qualities of an asset that are important to the organization:
– confidentiality
– integrity
– availability
Example for availability: Internet access should be provided 24x7x365, 97% of the time.

32 Threat
An indication of a potential undesirable event involving a critical asset
Examples
– A disappointed student could set a fire.
– A virus could interrupt access to the university network.
– An operator may set the firewall to deny all access without noticing.

33 Threat Properties
Critical Asset
Actor (human, system, other)
Motive (deliberate or accidental) – human actor only
Access (network or physical) – human actor only
Outcome
– Disclosure or viewing of sensitive information
– Modification of important or sensitive information
– Destruction or loss of important information, hardware, or software
– Interruption of access to important information, software, applications, or services

34 Asset-based risk profile


36 Phase 2 – Technology View Identify technology vulnerabilities that provide opportunities for impacting critical assets

37 Methods / Tools
You can use a variety of methods and tools:
– Interviews with people
– Documentation analysis
– Network scanners
– Log analysers
– Vulnerability assessment tools
– etc.

38 Phase 2 Questions
How do people access each critical asset?
What infrastructure components are related to each critical asset?
What technological weaknesses expose your critical assets to threats?


40 Phase 3 – Risk Analysis
– Establish the risks to the organization’s critical assets.
– Define mitigation plans to protect the critical assets.
– Characterize the organization’s protection strategy.
– Identify the next steps to take after the evaluation to ensure progress is made.

41 Impact Evaluation Criteria
Define the organization’s tolerance for risk.
Standard areas of impact considered include:
– reputation/customer confidence
– life/health of customers
– productivity
– fines/legal penalties
– financial
– other

42 Expression of Risk
A risk is expressed using
– a threat scenario (a branch on a threat tree)
– the resulting impact on the organization
Example: Viruses can interrupt staff members from accessing the network. They will not prepare their lectures on time. Impact value: medium

43 Threat scenario (threat tree)
Columns of the tree: asset → access → actor → motive → outcome → impact
asset
– access: network
  – actor: inside
    – motive: accidental → outcome: disclosure, modification, loss/destruction, interruption
    – motive: deliberate → outcome: disclosure, modification, loss/destruction, interruption
  – actor: outside
    – motive: accidental → outcome: disclosure, modification, loss/destruction, interruption
    – motive: deliberate → outcome: disclosure, modification, loss/destruction, interruption
Impact values filled in on the slide for the evaluated branches: disclosure – Medium, modification – High, loss/destruction – High, interruption – Low (the other branches are left blank).
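The asset-based risk profile of slides 41-43 as runnable code, an added example that is not part of the presentation: it enumerates the threat-tree branches for one critical asset (access → actor → motive → outcome, with the motive and access columns only for human actors), rates each branch against impact evaluation criteria, and keeps the branches at or above the organisation's tolerance as expressions of risk. Assumptions: the criteria values for the "university" are constructed, and a branch takes the worst rating across the impact areas that rate its outcome.

```python
from itertools import product

# Impact levels used on slides 42-43, ordered so that risks can be ranked.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")

def build_threat_tree(asset, accesses=("network", "physical"),
                      actors=("inside", "outside"), motives=("accidental", "deliberate"),
                      system_actors=("system",)):
    """Enumerate the threat tree of slides 33 and 43: asset -> access -> actor ->
    motive -> outcome. Non-human actors have no motive or access column."""
    human = [dict(asset=asset, access=a, actor=b, motive=m, outcome=o)
             for a, b, m, o in product(accesses, actors, motives, OUTCOMES)]
    other = [dict(asset=asset, access=None, actor=s, motive=None, outcome=o)
             for s, o in product(system_actors, OUTCOMES)]
    return human + other

def impact_value(criteria, outcome):
    """Rate one outcome against the impact evaluation criteria (slide 41).
    Assumption: the branch takes the worst rating given by any impact area."""
    ratings = [area[outcome] for area in criteria.values() if outcome in area]
    return max(ratings, key=LEVELS.__getitem__, default="Low")

def risk_profile(asset, criteria, tolerance="Medium"):
    """Asset-based risk profile: every branch with its impact value, keeping
    branches at or above the tolerance for risk, highest priority first."""
    risks = []
    for branch in build_threat_tree(asset):
        branch["impact"] = impact_value(criteria, branch["outcome"])
        if LEVELS[branch["impact"]] >= LEVELS[tolerance]:
            risks.append(branch)
    return sorted(risks, key=lambda b: LEVELS[b["impact"]], reverse=True)

def express(branch):
    """Write a branch as an expression of risk (slide 42): scenario + impact."""
    if branch["motive"] is None:  # non-human actor: no motive or access
        scenario = f"{branch['actor']} causes {branch['outcome']}"
    else:
        scenario = (f"{branch['motive']} {branch['outcome']} by an {branch['actor']} "
                    f"actor via {branch['access']} access")
    return f"{scenario} of {branch['asset']}; impact value: {branch['impact']}"

# Constructed criteria for a hypothetical university; not taken from the slides.
UNIVERSITY_CRITERIA = {
    "reputation/customer confidence": {"disclosure": "High", "modification": "Medium"},
    "productivity": {"interruption": "Medium", "loss/destruction": "High"},
    "fines/legal penalties": {"disclosure": "High", "modification": "Low"},
}
```

Calling `risk_profile("student records", UNIVERSITY_CRITERIA, "High")` and printing `express(branch)` for each result lists the 18 High-impact branches (disclosure and loss/destruction for every access, actor and motive combination plus the system actor), which is the "highest priority risks" answer to the Phase 3 questions.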

44 Phase 3 Questions
What is the potential impact on your organization due to each threat?
What are your organization’s risks?
Which are the highest priority risks to your organization?
What policies and practices does your organization need to address?
What actions can your organization take to mitigate its highest priority risks?
Which technological weaknesses need to be addressed immediately?

45 Outputs of OCTAVE
Protection Strategy – defines organizational direction
Mitigation Plan – plans designed to reduce risk
Action List – near-term action items

46 Protection Strategy
Structured around the catalog of practices and addresses the following areas:
– Security Awareness and Training
– Security Strategy
– Security Management
– Security Policies and Regulations
– Collaborative Security Management
– Contingency Planning/Disaster Recovery
– Physical Security
– Information Technology Security
– Staff Security

47 Mitigation Plan
Defines the activities required to remove or reduce unacceptable risk to a critical asset.
Focus is on activities to
– recognize or detect threats when they occur
– resist or prevent threats from occurring
– recover from threats if they occur
Mitigations that cross many critical assets might be more cost-effective as protection strategies.

48 OCTAVE-S
Defines a more structured method for evaluating risks in small (less than 100 employees) or simple organizations
– requires less security expertise in the analysis team
– requires the analysis team to have a full, or nearly full, understanding of the organization and what is important
– uses “fill-in-the-blank” as opposed to “essay” style
Will also be defined with procedures, guidance, worksheets, information catalogs, and training

49 OCTAVE Information
Visit http://www.cert.org/octave
– Introduction to the OCTAVE Approach
– OCTAVE Method Implementation Guide
– OCTAVE-S (version 0.9)
Book: Managing Information Security Risks: The OCTAVE Approach, by Christopher Alberts and Audrey Dorofee, Addison-Wesley.
