Security Risk Management Medley Tom Siu Brad Judy Joshua Mauk
Overview • Definitions • Business process risk assessment • Operational risk management • Life cycle risk management • How to get started
Definition—Risk • A problem that has not happened yet • A potential occurrence that can negatively impact an individual, process, system, facility • “Exposure to the chance of injury or loss; a hazard or dangerous chance” (Dictionary.com) • Risk combines the probability of an event occurring with the impact of that event
How do we know we are managing risk? • Establish standards for tolerable levels of risk and acceptable methods of risk reduction • Develop risk reduction plan for unacceptable risks • Implement risk reduction plans • Integrate risk assessment into new projects • Assess risk of existing processes and systems on a periodic basis • Verify that risk reduction has resulted in acceptable risk level • Wash, Rinse, Repeat (i.e. all of the above are done on an on-going basis)
Business Process Risk Assessment Brad Judy
Carnegie classification • A&S+prof/HGC • CompDoc/Nmed • HU • FT4/MS/HT • L4/NR
My Background • Computing labs • Active Directory • IT architecture • IT Security Office
Risk Assessment Background • Data breach events • High risk departments • Critical business processes • Sensitive data handling • Contracted with vendor • Developed in-house process
Goals for in-house process • Department scoped • “True” risk assessment • Draw from industry best practices • Leverage knowledge of campus environment • Broad examination of risk
To Do • Self Assessment Process • Link Processes • Better data collection?
Operational Risk Management • Tom Siu, CISO, Case Western Reserve University, Cleveland, OH
External Drivers for RM in Higher Education • Regulatory and Compliance • GLBA (Gramm-Leach-Bliley Act) • HIPAA • FISMA (federally funded research) • PCI Compliance • University Security Policies • Guidelines • COBIT • ITIL • NIST
Background: Case Western Reserve University • Carnegie Class: FT4/MS/LTI, non-profit, Bal/HGC, CompDoc/MedVet, MGP, M4/HR, RU/VH • Private Research University • ~5k undergrad, ~4k grad • ~20k users (faculty, staff, researchers, affiliates) • Med School, Nursing School, Dental School, Law, Business, Social Sciences, Engineering • Affiliates: 4 hospitals, Cleveland Institute of Art, Cleveland Institute of Music
Risk Management Concepts • Risk and Benefit • Risk definitions • Running toward risk • Operational Risk • Risk in context • Assessment Approach • Cyclic assessment and management • Case Examples
Risk Perspective: Why I See It This Way • Multidisciplinary • Software Process Assessment (CMM, CMMI) • Process risk assessments • Requirements engineering • Information Warfare and Information Operations • Software Quality Assurance and Test Engineering • NASA Systems Engineering and Safety • Security and safety overlap • Progressive Casualty Insurance Company • Data driven risk business
Running Towards Risk “If a software project has no risks, don’t do it”
Risk and Exploration: Earth, Sea, and the Stars • Public Understanding of Risk • Why we explore • How to manage operational risk • Examples, South Pole: Robert Falcon Scott, Ernest Shackleton • http://www.nasa.gov/mission_pages/exploration/whyweexplore/Why_We_14.html
Definitions: Risk • Risk Statement • Condition: a combination of • Threat source • Vulnerability • Consequence: Impact, usually negative • Disclosure • Modification • Loss/Destruction • Interruption • Recommendation: • Keep it qualitative in this domain until you have data, lots of data
Risk Statement (diagram) • Condition, followed by “there is a possibility that”, followed by Consequence
Happy Easter in Cleveland! sshd happens…
Risk Statement in Context (diagram) • Risk Statement: Condition, “there is a possibility that”, Consequence • Context around the statement: Risk Source, Contributing Factors, Related Issues, Circumstances, Interdependencies
Definitions: Risk Tolerance (diagram: the line between Acceptable and Unacceptable risk)
Typical University Risk Tolerance (diagram: Acceptable vs. Unacceptable)
Speculative Risk vs. Hazard Risk (diagram: outcome axis Loss, Nominal, Profit/Gain; Hazard Risk spans Loss to Nominal, Speculative Risk spans Loss to Profit/Gain) • Operational Risk: potential failure to achieve mission objectives • Source: Alberts, Christopher, “Common Elements of Risk”, Technical Note CMU/SEI-2006-TN-014
Risk Terms • Risk Statement • Condition • Consequence • Risk Parameters • Context • Probability • Impact • Timeframe
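The risk-statement structure and the risk parameters listed above (condition, consequence, context, probability, impact, timeframe), together with the acceptable/unacceptable tolerance line, as an added Python example that is not part of the authors' slides: it builds a small qualitative risk register, renders each entry in the deck's “there is a possibility that” form, rates it against a qualitative exposure matrix, and lists the entries that exceed a stated tolerance, nearest timeframe first. The exposure matrix, the `Risk`/`prioritize` names and the four register entries are constructed for illustration, not data from the presenters' institutions.

```python
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")      # qualitative scale for probability and impact
TIMEFRAMES = ("near", "mid", "far")     # when risk reduction must start

# Exposure matrix, indexed EXPOSURE[probability][impact]. The cell values are an
# assumption for this example; in practice they encode the tolerance statement
# agreed with the business owner (where "acceptable" ends and "unacceptable" starts).
EXPOSURE = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class Risk:
    rid: str
    condition: str      # threat source + vulnerability, observable today
    consequence: str    # disclosure / modification / loss / interruption
    probability: str    # one of LEVELS
    impact: str         # one of LEVELS
    timeframe: str      # one of TIMEFRAMES
    context: str = ""   # contributing factors, related issues, circumstances

    def __post_init__(self):
        # Reject values outside the qualitative scales so a typo cannot silently
        # drop a risk out of the matrix.
        for value, scale, name in ((self.probability, LEVELS, "probability"),
                                   (self.impact, LEVELS, "impact"),
                                   (self.timeframe, TIMEFRAMES, "timeframe")):
            if value not in scale:
                raise ValueError(f"{self.rid}: {name} must be one of {scale}, got {value!r}")

    def statement(self) -> str:
        """Render the deck's form: Condition; there is a possibility that Consequence."""
        return f"{self.condition}; there is a possibility that {self.consequence}"

    def exposure(self) -> str:
        return EXPOSURE[self.probability][self.impact]


def prioritize(risks, tolerance="low"):
    """Return the risks whose exposure exceeds `tolerance` (the highest exposure
    accepted without a reduction plan), highest exposure first, nearer timeframe first."""
    if tolerance not in LEVELS:
        raise ValueError(f"tolerance must be one of {LEVELS}, got {tolerance!r}")
    unacceptable = [r for r in risks
                    if LEVELS.index(r.exposure()) > LEVELS.index(tolerance)]
    return sorted(unacceptable,
                  key=lambda r: (-LEVELS.index(r.exposure()), TIMEFRAMES.index(r.timeframe)))


def sample_register():
    """Constructed register entries for illustration only."""
    return [
        Risk("R1", "sshd on a departmental file server accepts password logins from any Internet address",
             "a brute-forced account is used to read unpublished research data",
             probability="high", impact="medium", timeframe="near",
             context="server runs outside central monitoring"),
        Risk("R2", "backup tapes for the HR system are kept only in the same machine room",
             "a fire destroys the system and its only backups",
             probability="low", impact="high", timeframe="far"),
        Risk("R3", "a teaching-lab image has not been patched this semester",
             "malware interrupts lab sessions for a week",
             probability="medium", impact="low", timeframe="mid"),
        Risk("R4", "student records are carried off campus on unencrypted laptops",
             "a lost laptop discloses regulated personal data",
             probability="medium", impact="high", timeframe="near"),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_register(), tolerance="low"):
        print(f"{r.rid} [{r.exposure():6}] {r.timeframe:4} {r.statement()}")
```

Raising the tolerance from "low" to "medium" drops R2 from the work list without editing any entry, which is the point of keeping tolerance separate from the register: the assessment data stays stable while the acceptable/unacceptable line is a management decision that can move.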
Risk Management Approach @ Case • Using CRM • Domain independent • Brainstorming Method • Focusing Tools • 6 Hats • OCTAVE • Small, Repetitive • Facilitated • Users involved • Consistency • Focus: Identification and Analysis phases
FOD Walkdown- a simple risk assessment • Risk Identification • Directed focus • Get a list of risks • Context driven
Before Starting, Prepare Shortcuts • Review Incident Post-Mortems • Context • Past performance IS an indicator of future risk • Previous Assessment Results • What actions have taken place? • What conditions have changed? • Are past problems unlikely now? • Gather Facts (see white hat)
Focusing Tools • http://viscog.beckman.uiuc.edu/grafs/demos/15.html
6 Hats Usage in Risk Brainstorming • Occasional use • wear one hat at a time • request a certain thinking type to change thinking • “I think it is time for some green hat thinking; we need some new ideas.” • Systematic use • quick exploration of a subject • sequence the hats (white, black, yellow/green, red) • critical thinking saved for just the right moment • Risk Identification is Black Hat • Controls and Workarounds use Yellow and Green Hat • The 6 Thinking Hats, by Edward de Bono