
Information Risk Assessment in a University Environment



  1. Information Risk Assessmentin a University Environment Tailoring OCTAVE at CSUSB Dr. Javier Torner Information Security Officer Professor of Physics

  2. Agenda • Introduction • Elements of Risk Management • Strategy for Information Risk Assessment • OCTAVE vs. OCTAVE/S • CSUSB Strategy for Risk Assessment • Resources • Questions and Final Thoughts

  3. Reality Check • You can never eliminate/mitigate ALL the information security risks • You cannot prevent highly skilled and sophisticated attacks • Resources are limited – planning is critical • Must plan for systems to be resilient and survive an event • Survivability is good risk management

  4. What is Risk? Risk: The possibility of harm or loss Characterized by: • Event or Scenario • Consequence or impact to the organization • Probability that the event will take place

  5. Risks vs. Vulnerabilities • Information Security Vulnerability Assessment • Provides a security picture at one moment in time • Only considers technology-related issues • Information Security Risk Assessment • Considers strategic practices – business-related practices • Includes operational practices – focused on technology-related issues • Incorporates the mission of the university

  6. Risk Management • Each organization owns its risks • Each organization has its own information security risks • Each organization must characterize its risks • Each organization must analyze its risks • Each organization must manage its risks • Information Security risks are more element

  7. Strategy for Information Risk Management • Is this a university-wide risk assessment? • What are the long-term goals of the information risk assessment? • Scope – Strategic and/or Operational Practices • How do you include all areas of the university? • How do you define/measure progress? • Who will coordinate/summarize the overall university information security risk posture?

  8. Effective Risk Management Requires: • Risk-Aware Culture • Experience and Expertise • Self-Direction • Systematic Process • OCTAVE, OCTAVE-S • STAR • etc.

  9. OCTAVE/-S Method • A systematic method for risk assessment that involves • senior managers • operational area managers • staff • IT staff • Defined with procedures, worksheets, information catalogs, and training

  10. OCTAVE/-S Method • OCTAVE is broken into the following three major phases: • Phase 1: Build Asset-Based Threat Profiles • Phase 2: Identify Infrastructure Vulnerabilities • Phase 3: Develop Security Strategy and Plans

  11. OCTAVE vs. OCTAVE-S • Main differences • OCTAVE-S is designed for smaller organizations/departments • OCTAVE-S defines a more structured method for evaluating risks • uses “fill-in-the-blank” worksheets as opposed to “essay” style • OCTAVE-S requires less security expertise in the analysis team • OCTAVE-S requires a smaller analysis team that has a full, or nearly full, understanding of the organization/department and what is important to it • OCTAVE-S is easier to start!

  12. CSUSB Strategy for Information Risk Management … (organization diagram: a University Risk Management Committee at the top, with three Division Risk Assessment boxes beneath it)

  13. CSUSB Strategy for Information Risk Management • Information Risk Management Committee • Two individuals from each Division • Must be members of the Division Information Risk Assessment Group • Division Information Risk Assessment Group • One or Two members from each Office/Department Risk Assessment Team • Office/Department Risk Assessment Team

  14. CSUSB Approach CSUSB pilot project used a “hybrid” OCTAVE • Selected elements of OCTAVE for • Senior Management • Operational Area Managers • Selected elements of OCTAVE-S for • IT Staff • Staff

  15. CSUSB Strategy for Risk Assessment Pilot Project • Identify a few interested Offices/Departments in each division • Set up Office/Departments Risk Assessment Teams • Provide training in Risk Assessment • Office/Department Risk Assessment Teams • Division Information Risk Assessment Group • Tailor Risk Assessment tools to meet the needs of each Department/Office • Tailoring OCTAVE & OCTAVE-S

  16. CSUSB Strategy for Risk Assessment Objectives of the Pilot • Identify critical assets • Identify security requirements for each critical asset • Identify threats for each critical asset • Conduct organizational and operational vulnerability assessments • Identify risks and impacts • Develop and implement mitigation plans
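The pilot objectives above (critical assets, security requirements, threats, risks and impacts, mitigation plans) and the risk definition on slide 4 (event, consequence, probability) map onto a small data model. The following is an added illustration of an OCTAVE-style asset-based risk register; it is not CSUSB's tailored tool or any code from the presentation. The 1–3 scales, the requirement weights and the score formula (likelihood × impact × weight of the violated security requirement) are assumptions chosen for the example, as is the sample department data; OCTAVE leaves the scoring scheme to the analysis team.

```python
"""Asset-based risk register in the OCTAVE style (added illustration).

Not CSUSB's tool. The 1..3 scales and the score formula
likelihood x impact x requirement weight are assumptions for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Threat outcomes used in OCTAVE asset-based threat profiles."""
    DISCLOSURE = "disclosure"
    MODIFICATION = "modification"
    LOSS = "loss or destruction"
    INTERRUPTION = "interruption"


# Each outcome violates one security requirement of the asset.
OUTCOME_TO_REQUIREMENT = {
    Outcome.DISCLOSURE: "confidentiality",
    Outcome.MODIFICATION: "integrity",
    Outcome.LOSS: "availability",
    Outcome.INTERRUPTION: "availability",
}


@dataclass
class Asset:
    name: str
    owner: str                 # office/department that owns the asset
    requirements: dict         # requirement -> weight 1 (low) .. 3 (high)


@dataclass
class Threat:
    asset: str
    access: str                # network, physical, system problem, other
    actor: str
    motive: str                # deliberate, accidental, or n/a
    outcome: Outcome
    likelihood: int            # 1..3, analysis-team judgement (probability)
    impact: int                # 1..3, consequence for the university mission


@dataclass
class Risk:
    threat: Threat
    requirement: str           # security requirement the outcome violates
    score: int


def _check_scale(value, label):
    """Reject scores outside the assumed 1..3 scale instead of silently ranking them."""
    if not isinstance(value, int) or not 1 <= value <= 3:
        raise ValueError(f"{label} must be an integer 1..3, got {value!r}")


def score_threat(asset, threat):
    """Risk score = likelihood x impact x weight of the violated requirement."""
    _check_scale(threat.likelihood, "likelihood")
    _check_scale(threat.impact, "impact")
    requirement = OUTCOME_TO_REQUIREMENT[threat.outcome]
    weight = asset.requirements.get(requirement, 1)
    _check_scale(weight, f"{asset.name} {requirement} weight")
    return Risk(threat, requirement, threat.likelihood * threat.impact * weight)


def build_register(assets, threats):
    """Score every threat against its asset; highest risk first, ties by asset name."""
    by_name = {a.name: a for a in assets}
    risks = []
    for t in threats:
        if t.asset not in by_name:
            raise KeyError(f"threat refers to an asset not in the critical-asset list: {t.asset!r}")
        risks.append(score_threat(by_name[t.asset], t))
    return sorted(risks, key=lambda r: (-r.score, r.threat.asset))


def mitigation_plan(risks, accept_below=6):
    """Split the register into risks to mitigate and risks accepted as-is (assumed threshold)."""
    mitigate = [r for r in risks if r.score >= accept_below]
    accept = [r for r in risks if r.score < accept_below]
    return mitigate, accept


# Constructed sample data for a hypothetical department (not from the slides).
SAMPLE_ASSETS = [
    Asset("student records database", "Registrar",
          {"confidentiality": 3, "integrity": 3, "availability": 2}),
    Asset("course scheduling web server", "Academic Scheduling",
          {"confidentiality": 1, "integrity": 2, "availability": 3}),
]

SAMPLE_THREATS = [
    Threat("student records database", "network", "external attacker",
           "deliberate", Outcome.DISCLOSURE, likelihood=2, impact=3),
    Threat("student records database", "physical", "staff member",
           "accidental", Outcome.MODIFICATION, likelihood=2, impact=2),
    Threat("course scheduling web server", "system problem", "hardware failure",
           "n/a", Outcome.INTERRUPTION, likelihood=2, impact=2),
    Threat("course scheduling web server", "network", "external attacker",
           "deliberate", Outcome.DISCLOSURE, likelihood=1, impact=1),
]


def sample_register():
    return build_register(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    register = sample_register()
    mitigate, accept = mitigation_plan(register)
    for r in register:
        print(f"{r.score:>3}  {r.threat.asset:<30} {r.threat.outcome.value:<20} "
              f"({r.requirement}) via {r.threat.access}, {r.threat.actor}")
    print(f"{len(mitigate)} risk(s) to mitigate, {len(accept)} accepted")
```

The point of weighting by the asset's own security requirements is the one slide 5 makes: a vulnerability scanner would rate the two "external attacker over the network" entries identically, whereas the register ranks disclosure of student records far above disclosure on the scheduling server because the Registrar's confidentiality requirement is high and Academic Scheduling's is low.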

  17. CSUSB Strategy for Risk Assessment Results from the Pilot • Office/Department Risk Assessments • Training in Risk Assessment took longer than expected • Increased staff/managers’ “Risk Awareness Culture” • First tailored version of OCTAVE-S • Catalog of Practices • Operational Practice Areas – worked very well • Strategic Practice Area – under revision

  18. CSUSB Strategy for Risk Assessment • Office/Department Risk Assessments • Produced good and effective mitigation plans • Issues associated with Strategic Practices – difficult to implement at this level • Division Information Risk Assessments • In progress

  19. Next Steps Develop and gain approval of a university wide Risk Assessment Tool • Database structure • Obtain final approval for a campus wide implementation

  20. Resources • OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation http://www.cert.org/octave/ • Educause – Internet2 – Effective Security Practices Guide http://www.educause.edu/security/guide/ • ISO/IEC 17799 – International Code of Practice for Information Security Management http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf

  21. Questions? Final Thoughts?

  22. Contact Information Dr. Javier Torner Information Security Office – PL-520 California State University San Bernardino 5500 University Parkway San Bernardino, CA 92407 Telephone: (909) 880-7262 E-mail: jtorner@csusb.edu
