Process for Analysis
• Choose a standard / type
  • Qualitative / Quantitative, or
  • Formal / Informal
• Select access controls
• Match outcome to project objectives
• Provide guidance for improvement

Outcome Framework Example
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop security strategy and plans
• Measure adherence to policies…?
• Recommend mitigation strategies

Build Profiles
• Profiles are guides to help frame recommendations
  • Threat
  • Vulnerability
  • Exposure
  • Assets
  • Value
  • Processes
  • etc.
• Good way to organize information on the current state

Identify Vulnerabilities
• CVE
• ICAT
• Cassandra
• Vendor tools
• “SANS / ISO, FMEA, best practices”
• Can be administrative, personnel, technical or physical

Develop Strategy
• This is the “value” of the final deliverable
• Make suggestions for areas of improvement
• DO NOT RELY ON VENDOR TOOLS
• Research like crazy; contact your support network
• Make sure it is easy to digest and accomplish

Context
• How do you determine what is “at risk” and what is not?
  • Low, medium, high
  • Scale of 1-10
  • Red, yellow, green
• Ultimately comes down to applying the threat profile to the asset to determine the level of risk
Session #7 Risk Assessment Planning Overview
RA Process Elements (OCTAVE Methodology)
• Identify Organizational Information
• Build Asset-based Threat Profiles
• Identify Infrastructure Vulnerabilities
• Develop Protection Strategy

Identify Organizational Information
• Identify information-related assets
• Select those that are most critical to the organization
• Evaluate current security practices to identify what the company is doing well
• Identify which practices are missing or inadequate

Build Threat Profiles
• Identify security requirements for critical assets
• Identify threats to those assets
• Based on the business mission of the organization

Infrastructure Vulnerabilities
• Identify components to evaluate
• Develop a vulnerability management practice
• Find problems linked with technology and processes

Develop Protection Strategy
• Identify risks to the organization’s critical assets
• Evaluate the risks to establish a value for the resulting impact on the assets
• Decide whether to accept or mitigate each risk
• Select the highest priority actions
• Develop the protection strategy for those priorities
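The scales on the Context slide (1-10, low/medium/high, red/yellow/green) and the accept-or-mitigate decision in Develop Protection Strategy, worked through in code. This is an added example, not part of the slide deck or of the OCTAVE method itself: the scoring formula (likelihood × impact, with impact derived from asset value and exposure), the 1-10 ratings, the level thresholds, the risk-appetite rule and the sample assets and threats are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added example, not from the slides: apply a threat profile to an asset and map
# the result onto three scales: a 1-100 score, low/medium/high, red/yellow/green.
# The formula and thresholds below are assumptions, not an OCTAVE rule.

RATING_MIN, RATING_MAX = 1, 10


def _check_rating(label: str, n: int) -> int:
    """Reject ratings outside the 1-10 scale instead of silently clamping them."""
    if not isinstance(n, int) or not RATING_MIN <= n <= RATING_MAX:
        raise ValueError(f"{label} must be an integer in {RATING_MIN}-{RATING_MAX}, got {n!r}")
    return n


@dataclass(frozen=True)
class Asset:
    name: str
    value: int     # business value / criticality, 1-10
    exposure: int  # how reachable the asset is to a threat, 1-10

    def __post_init__(self):
        _check_rating("value", self.value)
        _check_rating("exposure", self.exposure)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # how likely the threat is to act against the asset, 1-10

    def __post_init__(self):
        _check_rating("likelihood", self.likelihood)


def impact(asset: Asset) -> int:
    """Impact on the 1-10 scale: value scaled by exposure (assumed formula)."""
    return max(RATING_MIN, round(asset.value * asset.exposure / RATING_MAX))


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk as likelihood x impact, giving a 1-100 score (assumed formula)."""
    return threat.likelihood * impact(asset)


# Assumed thresholds for the qualitative scale.
HIGH, MEDIUM = 40, 15
COLOR = {"high": "red", "medium": "yellow", "low": "green"}


def risk_level(score: int) -> str:
    """Bucket a 1-100 score into low / medium / high."""
    if score >= HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    return "low"


def decision(level: str, appetite: str = "low") -> str:
    """Accept risks at or below the organisation's risk appetite, mitigate the rest."""
    order = ["low", "medium", "high"]
    return "accept" if order.index(level) <= order.index(appetite) else "mitigate"


def rank_risks(assets, threats, appetite="low"):
    """Apply every threat profile to every asset; rows come back highest risk first."""
    rows = []
    for asset in assets:
        for threat in threats:
            score = risk_score(asset, threat)
            level = risk_level(score)
            rows.append({
                "asset": asset.name, "threat": threat.name, "score": score,
                "level": level, "color": COLOR[level],
                "decision": decision(level, appetite),
            })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data for the example (not from any real assessment).
SAMPLE_ASSETS = [
    Asset("customer database", value=10, exposure=6),
    Asset("public website", value=5, exposure=10),
    Asset("break-room kiosk", value=1, exposure=8),
]
SAMPLE_THREATS = [
    Threat("external attacker", likelihood=8),
    Threat("insider misuse", likelihood=3),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{row['score']:3d} {row['level']:6s} {row['color']:6s} "
              f"{row['decision']:8s} {row['asset']} <- {row['threat']}")
```

The ranked table is the “highest priority actions” list from the slide: every row above the risk appetite is marked for mitigation, and the ordering tells the delivery team where to start. Changing the thresholds or the appetite is a one-line edit, which is the point: the scale the client sees is a presentation choice layered over the same threat-to-asset mapping.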
Objects of the RA
• Mission
• Systems Description
• Assets
• Sensitivity
• Criticality
• Vulnerabilities
• Threats
• Safeguards

RA Planning
• Figure out where data needs to come from:
  • Info needed before the on-site visit
  • Collect info from public sources
• Work on WBS tasks
• Decide interview schedule and personnel
• Stay true to the SOW
  • Watch time investment
  • Always match actions to goals
  • Avoid SOW creep

Pre-Site Visit Goals
• Confirm the client’s goals with the delivery team
• Connect the sponsor with the delivery team lead
• Establish escalation procedures and contact personnel
• Goal is to get the client comfortable with:
  • Approach
  • Needs
  • Consultants doing the work
  • Process for moving the project to conclusion

Pre-Site Visit Information
• Policies
• Infrastructure architecture drawings / maps
• Administrator passwords
• Org chart
• Secure workspace
• Budget information
• Mission statements

Document Review
• Access logs: system, maintenance, and visitor
• Incident reports
• Documents: plans, policies, and procedures
• Previous risk assessments
• Continuity of operations plans
• Contingency reports
• Directories
• Inventory records
• Floor plans
• Organization charts
• Mission statements
• System and network configurations

On Site Process
• Hold a meeting ASAP to introduce the players, state objectives and discuss the process
• Collect the information requested in the pre-site visit process
• Discuss interview process, scheduling and targets:
  • Line up personnel to interview
  • Have questions already prepared
  • Run interviews in parallel with other data collection techniques

Initial On Site Process
• Need to discuss facility access:
  • After-hours building access needed
  • Normal business hours access required
  • Badges may be needed; get them
  • Understand departmental work hours
• Get a facilities tour:
  • Restrooms
  • Cafeteria
  • Sponsor’s office
  • Work area
  • Off-limit areas

Initial On Site Activity
• Start scans
• Arrange interviews
• Perform facility walkthrough
• Examine policies
• Dumpster dive
• Printer output trays
• Open desk areas