Information Risk Assessment in a University Environment

1. Information Risk Assessmentin a University Environment Tailoring OCTAVE at CSUSB Dr. Javier Torner Information Security Officer Professor of Physics

2. Agenda • Introduction • Elements of Risk Management • Strategy for Information Risk Assessment • OCTAVE vs. OCTAVE/S • CSUSB Strategy for Risk Assessment • Resources • Questions and Final Thoughts

3. Reality Check • You can never eliminate/mitigate ALL the information security risks • You cannot prevent highly skill and sophisticated attacks • Resources are limited – planning is critical • Must plan for systems to be resilient and survive an event • Survivability is good risk management

4. What is Risk? Risk: The possibility of harm or loss Characterized by: • Event or Scenario • Consequence or impact to the organization • Probability that the event will take place

5. Risks vs. Vulnerabilities • Information Security Vulnerability Assessment • Provide security picture at one moment • Only considers technology related issues • Information Security Risk Assessment • Consider strategic practices – business related practices • Includes operational practices – focus on technology related issues • Incorporates the mission of the university

6. Risk Management • Each organization owns its risks • Each organization has its own information security risks • Each organization must characterize its risks • Each organization must analyze its risks • Each organization must manage its risks • Information Security risks are more element

7. Strategy for Information Risk Management • Is this a university wide risk assessment? • What are the long term goals of the Information risk assessment? • Scope – Strategic and/or Operational Practices • How do you include all areas of the university? • How do you define/measure progress? • Who will coordinate/summarize overall university risk security posture?

8. Effective Risk Management Requires: • Risk Aware Culture • Experience and Expertise • Self Direction • Systematic Process • OCTAVE, OCTAVE-S • STAR • etc

9. OCTAVE/-S Method • A systematic method for risk assessment that involves • senior managers • operational area managers • staff • IT staff • Defined with procedures, worksheets, information catalogs, and training

10. OCTAVE/-S Method • OCTAVE is broken into the following three major phases: • Phase 1: Build Asset-Based Threat Profiles • Phase 2: Identify Infrastructure Vulnerabilities • Phase 3: Develop Security Strategy and Plans

11. OCTAVE vs. OCTAVE-S • Main differences • OCTAVE-S designed for smaller organizations/departments • OCTAVE-S defines a more structured method for evaluating risks • uses “fill-in-the-blank” as opposed to “essay” style • OCTAVE-S requires less security expertise in analysis team • OCTAVE-S requires smaller analysis team to have a full, or nearly full, understanding of the organization/department and what is important • OCTAVE-S is easier to start!

12. University Risk Management Committee Division Risk Assessment Division Risk Assessment Division Risk Assessment CSUSB Strategy for Information Risk Management …

13. CSUSB Strategy for Information Risk Management • Information Risk Management Committee • Two individuals from each Division • Must be members of the Division Information Risk Assessment Group • Division Information Risk Assessment Group • One or Two members from each Office/Department Risk Assessment Team • Office/Department Risk Assessment Team

14. CSUSB Approach CSUSB pilot project used a “hybrid” OCTAVE • Selected elements of OCTAVE for • Senior Management • Operational Area Managements • Selected elements of OCTAVE-S for • IT-Staff • Staff

15. CSUSB Strategy for Risk Assessment Pilot Project • Identify a few interested Offices/Departments in each division • Set up Office/Departments Risk Assessment Teams • Provide training in Risk Assessment • Office/Department Risk Assessment Teams • Division Information Risk Assessment Group • Tailor Risk Assessment tools to meet the needs of each Department/Office • Tailoring OCTAVE & OCTAVE-S

16. CSUSB Strategy for Risk Assessment Objectives of the Pilot • Identify critical assets • Identify security requirements for each critical asset • Identify threats for each critical asset • Conduct organizational and operational vulnerability assessments • Identify risks and impacts • Develop and implement mitigation plans

17. CSUSB Strategy for Risk Assessment Results from the Pilot • Office/Department Risk Assessments • Training in Risk Assessment took longer that expected – • Increased staff/managers “Risk Awareness Culture” • First tailored version of OCTAVE-S • Catalog of Practices • Operational Practice Areas – worked very well • Strategic Practice Area – under revision

18. CSUSB Strategy for Risk Assessment • Office/Department Risk Assessments • Produced good and effective mitigation plans • Issues associated with Strategic Practices – difficult to implement at this level • Division Information Risk Assessments • In progress

19. Next Steps Develop and gain approval of a university wide Risk Assessment Tool • Database structure • Obtain final approval for a campus wide implementation

20. Resources • OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation http://www.cert.org/octave/ • Educause – Internet 2 – Effective Security Practices Guide http://www.educause.edu/security/guide/ • ISO/IEC 17799 – International Code of Practices for Information Security Management http://csrc.nist.gov/publications/secpubs/ otherpubs/reviso-faq.pdf

21. Questions? Final Thoughts?

22. Contact Information Dr. Javier Torner Information Security Office – PL-520 California State University San Bernardino 5500 University Parkway San Bernardino, CA 92407 Telephone: (909) 880-7262 E-mail: jtorner@csusb.edu