National Webcast Initiative. Performing a Cyber Security Risk Assessment: Why? When? and How? Cyber Security Workshop, August 26, 2004, 3:00pm – 4:00pm Eastern. Joint partnership between MS-ISAC and DHS US-CERT.
National Webcast Initiative
• Joint Partnership between MS-ISAC and DHS US-CERT
• Coordinated through the New York State Office of Cyber Security and Critical Infrastructure Coordination and the New York State Forum
William F. Pelgrin
Webcast Attendees • 94 Federal Government • 491 State Government • 117 Local Government • 145 Academia, non-profit
Current Listing of Vendors Interested In Participation (this listing will continue to evolve over time): Accenture, AT&T, Aon, Computer Associates, CDW-G, CGI, CMA, D&D Consulting, Ernst & Young, Gartner, HP, IIC, Jay Dee Systems, Keane, Microsoft, Nortel Networks, Novell, NYSTEC, Oracle, SAIC, SAS, Sybase, Symantec, Veritas
Today’s Speakers
3:00pm-3:15pm
• Introduction and Opening Remarks
• William Pelgrin, Chair of the Multi-State ISAC; Director, New York State Office of Cyber Security and Critical Infrastructure Coordination
• Lawrence C. Hale, Deputy Director, National Cyber Security Division, US CERT, Department of Homeland Security
3:15pm-4:00pm
• Performing a Cyber Security Risk Assessment
• Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young
• Rick Trapp, Vice President, Product Management, Computer Associates
US-CERT was established in September 2003 and is the operational arm of the National Cyber Security Division at the Department of Homeland Security. US-CERT is the nation’s focal point for preventing, protecting against, and responding to cyber security threats and vulnerabilities. US-CERT interacts with all federal agencies, private industry, the research community, state and local governments, and others on a 24x7 basis to disseminate timely and actionable cyber security information.
US-CERT and the Multi-State ISAC are working together on a number of programs, including this webcast series, to help enhance our Nation’s cyber security readiness and response. The Multi-State ISAC has recently become a member of the HSIN/US-CERT portal, which provides a secure mechanism for sharing information between and among partners, improving cyber preparedness, readiness and response capabilities. US-CERT also hosts a public website, at www.us-cert.gov, which provides a wealth of information regarding cyber security: helpful tips for protecting against cyber security threats, cyber security alerts and bulletins, and the ability to sign up to receive free cyber security alerts via email.
Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young
Rick Trapp, Vice President, Product Management, Computer Associates
Today’s Objectives
• Identify reasons for performing a Cyber Security Risk Assessment
• Identify key components of a Cyber Security Risk Assessment
• Understand considerations in performing a Cyber Security Risk Assessment
Today’s Agenda
• Developing a Common Language
• Why Perform Cyber Security Assessments?
• When to perform a Cyber Security Risk Assessment?
• How to perform a Cyber Security Risk Assessment
• Q&A
What is a Risk Assessment? Source: GAO/AIMD-00-33
Definitions Refer: Glossary of Terms
Figure: sources of threat and interaction around the organization: Hackers, Customers, Malware, Partners, Contractors, Spam
Helpful Hint: The Need for Cyber Security Risk Assessments
• Reported vulnerabilities rose from 417 in 1999 to 3,784 in 2003 (CERT Coordination Center)
• 2004 CSI/FBI Computer Crime and Security Survey respondents reported nearly $142 million in total losses as a result of computer security incidents
Objectives of a Cyber Security Risk Assessment
• Baseline: Where am I today? What controls do I have in place?
• Evaluate effectiveness of security controls
• Where do I want to be?
• Identify gaps or opportunities for improvement
• Establish awareness of threats and vulnerabilities
• Lay foundation for development of security improvement plan
Helpful Hint: When to Perform
Periodic
• Often event driven
• Typically year-over-year comparison
• Generally labor-intensive
• Most organizations start with periodic assessments
Continuous
• Part of the normal workflow
• Provides “real-time” risk view
• Often supported by technology and analysis tools
• Integrated with other IT/business processes
Key Steps
1. Define the objectives
2. Define deliverables
3. Establish workplan
4. Perform assessment
5. Review results and develop risk mitigation plans
6. Plan next assessment (steps 1-5)
Helpful Hint 1. Define the Objectives
Helpful Hint 3. Establish the Workplan
Helpful Hint 3. Establish the Workplan (cont’d)
4. Perform the Risk Assessment
Activities and example worksteps:
• Characterize System/Area: Interview system owner; Review system documents
• Identify Threats: Use threat checklist; Review external sources
• Identify Vulnerabilities: Review vulnerability sources; Perform security testing
• Identify Controls: Review security requirements checklist; Review system documents
• Assess Risk: Prepare likelihood/impact matrix
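The worksteps above end in a likelihood/impact matrix. The following is an added illustration, not material from the webcast, of one way to carry a characterized system through those steps and read a risk rating off such a matrix; the 3x3 qualitative scale, the rule that each documented control lowers likelihood one level, and the sample rows are all constructed assumptions.

```python
"""Likelihood/impact matrix worksheet following the worksteps above:
characterize the system, identify threats, vulnerabilities and controls,
then assess risk.  Added illustration; scale and sample rows are constructed."""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed 3x3 qualitative matrix: (likelihood, impact) -> risk rating.
MATRIX = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}

@dataclass
class RiskItem:
    system: str              # step: characterize system/area
    threat: str              # step: identify threats (checklist / external sources)
    vulnerability: str       # step: identify vulnerabilities (sources / testing)
    likelihood: str          # raw likelihood before existing controls
    impact: str
    controls: list = field(default_factory=list)  # step: identify controls

def effective_likelihood(item):
    """Constructed rule: each documented control lowers likelihood one level,
    never below low."""
    return NAMES[max(1, LEVELS[item.likelihood] - len(item.controls))]

def assess_risk(item):
    """Step: assess risk by reading the likelihood/impact matrix."""
    return MATRIX[(effective_likelihood(item), item.impact)]

def risk_register(items):
    """Rows of (system, threat, rating), highest risk first, for the mitigation plan."""
    rows = [(i.system, i.threat, assess_risk(i)) for i in items]
    return sorted(rows, key=lambda r: -LEVELS[r[2]])

# Constructed sample rows using threat sources named in the deck.
SAMPLE = [
    RiskItem("Payroll server", "Malware", "Unpatched OS", "high", "high"),
    RiskItem("Public web site", "Hackers", "Default admin password", "high", "medium",
             controls=["password policy"]),
    RiskItem("Email gateway", "Spam", "No content filtering", "high", "low",
             controls=["user awareness training", "antivirus"]),
]

if __name__ == "__main__":
    for system, threat, rating in risk_register(SAMPLE):
        print(f"{rating:6}  {system}: {threat}")
```

The sorted register is the input to step 5 (review results and develop risk mitigation plans); re-running it after controls are added is the year-over-year comparison the periodic approach relies on.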
Helpful Hint Next Steps
Summary
• Developing a Common Language
• Why Perform Cyber Security Assessments?
• When to perform a Cyber Security Risk Assessment?
• How to perform a Cyber Security Risk Assessment
Thank you for participating
• Future webcast sessions will offer a variety of topics
• Please remain online to participate in an interactive series of survey questions
• Written Q and A to the presenters is available for the next 15 minutes
Thank You! Thank you for attending this virtual learning session