Information Risk Assessment in a University Environment
Tailoring OCTAVE at CSUSB
Dr. Javier Torner
Information Security Officer
Professor of Physics
Agenda
• Introduction
• Elements of Risk Management
• Strategy for Information Risk Assessment
• OCTAVE vs. OCTAVE/S
• CSUSB Strategy for Risk Assessment
• Resources
• Questions and Final Thoughts
Reality Check
• You can never eliminate/mitigate ALL the information security risks
• You cannot prevent highly skilled and sophisticated attacks
• Resources are limited – planning is critical
• Must plan for systems to be resilient and survive an event
• Survivability is good risk management
What is Risk?
Risk: The possibility of harm or loss
Characterized by:
• Event or Scenario
• Consequence or impact to the organization
• Probability that the event will take place
Risks vs. Vulnerabilities
• Information Security Vulnerability Assessment
  • Provides a security picture at one moment
  • Only considers technology related issues
• Information Security Risk Assessment
  • Considers strategic practices – business related practices
  • Includes operational practices – focus on technology related issues
  • Incorporates the mission of the university
Risk Management
• Each organization owns its risks
• Each organization has its own information security risks
• Each organization must characterize its risks
• Each organization must analyze its risks
• Each organization must manage its risks
• Information Security risks are more element
Strategy for Information Risk Management
• Is this a university wide risk assessment?
• What are the long term goals of the Information risk assessment?
• Scope – Strategic and/or Operational Practices
• How do you include all areas of the university?
• How do you define/measure progress?
• Who will coordinate/summarize the overall university risk security posture?
Effective Risk Management Requires:
• Risk Aware Culture
• Experience and Expertise
• Self Direction
• Systematic Process
  • OCTAVE, OCTAVE-S
  • STAR
  • etc.
OCTAVE/-S Method
• A systematic method for risk assessment that involves
  • senior managers
  • operational area managers
  • staff
  • IT staff
• Defined with procedures, worksheets, information catalogs, and training
OCTAVE/-S Method
• OCTAVE is broken into the following three major phases:
  • Phase 1: Build Asset-Based Threat Profiles
  • Phase 2: Identify Infrastructure Vulnerabilities
  • Phase 3: Develop Security Strategy and Plans
OCTAVE vs. OCTAVE-S
• Main differences
  • OCTAVE-S designed for smaller organizations/departments
  • OCTAVE-S defines a more structured method for evaluating risks
    • uses “fill-in-the-blank” as opposed to “essay” style
  • OCTAVE-S requires less security expertise in the analysis team
  • OCTAVE-S requires the smaller analysis team to have a full, or nearly full, understanding of the organization/department and what is important
  • OCTAVE-S is easier to start!
CSUSB Strategy for Information Risk Management
[Organization chart: a University Risk Management Committee at the top, with three Division Risk Assessment groups reporting to it]
CSUSB Strategy for Information Risk Management
• Information Risk Management Committee
  • Two individuals from each Division
  • Must be members of the Division Information Risk Assessment Group
• Division Information Risk Assessment Group
  • One or two members from each Office/Department Risk Assessment Team
• Office/Department Risk Assessment Team
CSUSB Approach
CSUSB pilot project used a “hybrid” OCTAVE
• Selected elements of OCTAVE for
  • Senior Management
  • Operational Area Managers
• Selected elements of OCTAVE-S for
  • IT Staff
  • Staff
CSUSB Strategy for Risk Assessment
Pilot Project
• Identify a few interested Offices/Departments in each division
• Set up Office/Department Risk Assessment Teams
• Provide training in Risk Assessment
  • Office/Department Risk Assessment Teams
  • Division Information Risk Assessment Group
• Tailor Risk Assessment tools to meet the needs of each Department/Office
  • Tailoring OCTAVE & OCTAVE-S
CSUSB Strategy for Risk Assessment
Objectives of the Pilot
• Identify critical assets
• Identify security requirements for each critical asset
• Identify threats for each critical asset
• Conduct organizational and operational vulnerability assessments
• Identify risks and impacts
• Develop and implement mitigation plans
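The pilot objectives above, together with the earlier definition of risk (event, consequence, probability), describe a chain from critical asset to mitigation plan. The following asset-based risk register is an added illustration of that chain; it is not CSUSB's tool and not OCTAVE's worksheets. The three-level scale, the multiplicative score, the level thresholds and all asset and threat data are assumptions constructed for the example.

```python
"""Asset-based risk register: critical assets -> security requirements -> threats
-> scored risks -> what needs a mitigation plan. Added example; scale and
formula are assumptions, not OCTAVE's own scoring."""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative scale shared by security requirements, impact and probability (assumed).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    """A critical asset and its security requirements (C/I/A), each rated on LEVELS."""
    name: str
    owner: str
    requirements: Dict[str, str]  # e.g. {"confidentiality": "high", ...}


@dataclass(frozen=True)
class Threat:
    """A threat scenario against one asset that violates one security requirement."""
    asset: str
    scenario: str
    violates: str      # "confidentiality" | "integrity" | "availability"
    impact: str        # consequence to the organization, on LEVELS
    probability: str   # likelihood the event takes place, on LEVELS


def risk_score(requirement: str, impact: str, probability: str) -> int:
    """Score = requirement weight x impact x probability (1..27; assumed formula)."""
    return LEVELS[requirement] * LEVELS[impact] * LEVELS[probability]


def risk_level(score: int) -> str:
    """Bucket the numeric score back onto the qualitative scale (assumed thresholds)."""
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def build_register(assets: List[Asset], threats: List[Threat]) -> List[dict]:
    """Join threats to assets, score each risk, and return them highest first.

    A threat naming an unknown asset, or a requirement the asset owner never
    rated, is a data-quality problem for the analysis team to fix, so it raises
    rather than being silently skipped."""
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        asset = by_name.get(t.asset)
        if asset is None:
            raise ValueError(f"threat '{t.scenario}' names unknown asset '{t.asset}'")
        if t.violates not in asset.requirements:
            raise ValueError(f"asset '{asset.name}' has no '{t.violates}' requirement")
        score = risk_score(asset.requirements[t.violates], t.impact, t.probability)
        register.append({"asset": asset.name, "owner": asset.owner,
                         "scenario": t.scenario, "violates": t.violates,
                         "score": score, "level": risk_level(score)})
    return sorted(register, key=lambda r: r["score"], reverse=True)


def mitigation_priority(register: List[dict], tolerance: str = "medium") -> List[dict]:
    """Risks above the accepted tolerance need a mitigation plan; the rest are accepted."""
    return [r for r in register if LEVELS[r["level"]] > LEVELS[tolerance]]


def worst_risk_per_asset(register: List[dict]) -> Dict[str, str]:
    """Highest risk level recorded for each asset (register is already sorted)."""
    worst: Dict[str, str] = {}
    for r in register:
        worst.setdefault(r["asset"], r["level"])
    return worst


# Constructed sample data for a hypothetical department (not from the presentation).
SAMPLE_ASSETS = [
    Asset("student records database", "Registrar",
          {"confidentiality": "high", "integrity": "high", "availability": "medium"}),
    Asset("department web server", "Physics IT",
          {"confidentiality": "low", "integrity": "medium", "availability": "medium"}),
]
SAMPLE_THREATS = [
    Threat("student records database", "staff credentials phished, records exported",
           "confidentiality", impact="high", probability="medium"),
    Threat("student records database", "unencrypted laptop with cached records lost",
           "confidentiality", impact="high", probability="low"),
    Threat("department web server", "disk failure takes site offline",
           "availability", impact="medium", probability="medium"),
    Threat("department web server", "page defaced through unpatched CMS",
           "integrity", impact="medium", probability="low"),
    Threat("department web server", "log volume fills disk",
           "availability", impact="low", probability="low"),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_ASSETS, SAMPLE_THREATS)
    for r in reg:
        print(f"{r['level']:6} {r['score']:2}  {r['asset']}: {r['scenario']}")
    print("needs mitigation plan:", [r["scenario"] for r in mitigation_priority(reg)])
```

Weighting the score by the asset's own security requirement is what makes the register asset-based rather than vulnerability-based: the same "lost laptop" scenario scores higher against an asset whose owner rated confidentiality high than against one rated low. The tolerance threshold is the point where the department decides which risks get a plan and which are accepted and recorded.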
CSUSB Strategy for Risk Assessment
Results from the Pilot
• Office/Department Risk Assessments
  • Training in Risk Assessment took longer than expected
  • Increased staff/managers' “Risk Awareness Culture”
• First tailored version of OCTAVE-S
  • Catalog of Practices
    • Operational Practice Areas – worked very well
    • Strategic Practice Area – under revision
CSUSB Strategy for Risk Assessment
• Office/Department Risk Assessments
  • Produced good and effective mitigation plans
  • Issues associated with Strategic Practices – difficult to implement at this level
• Division Information Risk Assessments
  • In progress
Next Steps
• Develop and gain approval of a university wide Risk Assessment Tool
  • Database structure
• Obtain final approval for a campus wide implementation
Resources
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
  http://www.cert.org/octave/
• Educause – Internet2 – Effective Security Practices Guide
  http://www.educause.edu/security/guide/
• ISO/IEC 17799 – International Code of Practice for Information Security Management
  http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
Questions? Final Thoughts?
Contact Information
Dr. Javier Torner
Information Security Office – PL-520
California State University San Bernardino
5500 University Parkway
San Bernardino, CA 92407
Telephone: (909) 880-7262
E-mail: jtorner@csusb.edu