A guide to conducting a security risk analysis: building asset-based threat profiles, identifying vulnerabilities, developing a protection strategy, and measuring adherence to policies. Covers the OCTAVE methodology and the elements of Risk Assessment planning.
Process for Analysis
• Choose a standard / type: Qualitative / Quantitative, or Formal / Informal
• Select access controls
• Match outcome to project objectives
• Provide guidance for improvement
Outcome Framework Example
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop security strategy and plans
• Measure adherence to policies
• Recommend mitigation strategies
Build Profiles
• Profiles are guides that help frame recommendations
• Threat
• Vulnerability
• Exposure
• Assets
• Value
• Processes
• Etc.
• A good way to organize information about the current state
Identify Vulnerabilities
• CVE
• ICAT
• Cassandra
• Vendor tools
• “SANS / ISO, FMEA, best practices”
• Vulnerabilities can be administrative, personnel, technical or physical
Develop Strategy
• This is the “value” of the final deliverable
• Make suggestions for areas of improvement
• DO NOT RELY ON VENDOR TOOLS
• Research like crazy; contact your support network
• Make sure recommendations are easy to digest and accomplish
Context
• How do you determine what is “at risk” and what is not?
• Low, Medium, High
• Scale of 1-10
• Red, Yellow, Green
• Ultimately it comes down to applying the threat profile to the asset to determine the level of risk
Session #7 Risk Assessment Planning Overview
RA Process Elements (OCTAVE Methodology)
• Identify organizational information
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop protection strategy
Identify Organizational Information
• Identify information-related assets
• Select those that are most critical to the organization
• Evaluate current security practices to identify what the company is doing well
• Identify which practices are missing or inadequate
Build Threat Profiles
• Identify security requirements for critical assets
• Identify threats to those assets
• Based on the business mission of the organization
Infrastructure Vulnerabilities
• Identify components to evaluate
• Develop a vulnerability management practice
• Find problems linked with technology and processes
Develop Protection Strategy
• Identify risks to the organization’s critical assets
• Evaluate the risks to establish a value for the resulting impact on the assets
• Decide whether to accept or mitigate each risk
• Select the highest priority actions
• Develop the protection strategy for those priorities
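The Context slide (apply the threat profile to the asset; express the result as 1-10, Low/Medium/High, Red/Yellow/Green) and the Develop Protection Strategy slide (accept or mitigate each risk, select the highest priority actions) are worked through here as an added example; it is not code from the slides or from the OCTAVE method. The scoring rule (likelihood x asset value, rescaled to 1-10) and the thresholds are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Threat:
    """One entry of an asset-based threat profile."""
    source: str       # who or what: insider, outsider, system failure, ...
    outcome: str      # disclosure, modification, loss, interruption
    likelihood: int   # 1-10, judged from current practices and vulnerabilities

@dataclass
class Asset:
    name: str
    value: int        # 1-10: criticality/sensitivity to the business mission
    threats: list = field(default_factory=list)

def risk_score(asset, threat):
    """Apply a threat to an asset: likelihood x asset value, rescaled to 1-10 (assumed rule)."""
    if not (1 <= threat.likelihood <= 10 and 1 <= asset.value <= 10):
        raise ValueError("likelihood and value must be on the 1-10 scale")
    return math.ceil(threat.likelihood * asset.value / 10)

def risk_level(score):
    """Map the 1-10 score onto the slide's Low/Medium/High and Red/Yellow/Green scales."""
    if score >= 7:
        return ("High", "Red")
    if score >= 4:
        return ("Medium", "Yellow")
    return ("Low", "Green")

def protection_strategy(assets, mitigate_at=4):
    """Rank every asset/threat pair and record an accept-or-mitigate decision.
    Highest scores come first, so the top rows are the priority actions."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            score = risk_score(asset, threat)
            level, colour = risk_level(score)
            rows.append({"asset": asset.name, "threat": f"{threat.source}/{threat.outcome}",
                         "score": score, "level": level, "colour": colour,
                         "decision": "mitigate" if score >= mitigate_at else "accept"})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))

# Constructed sample threat profile (not from the slides).
SAMPLE_ASSETS = [
    Asset("Customer database", 9, [Threat("outsider", "disclosure", 8),
                                   Threat("insider", "modification", 4)]),
    Asset("Cafeteria menu site", 3, [Threat("outsider", "interruption", 2)]),
]

if __name__ == "__main__":
    for row in protection_strategy(SAMPLE_ASSETS):
        print(row)
```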
Objects of the RA
• Mission
• Systems description
• Assets
• Sensitivity
• Criticality
• Vulnerabilities
• Threats
• Safeguards
RA Planning
• Figure out where data needs to come from:
  • Info needed before the on-site visit
  • Collect info from public sources
• Work on WBS tasks
• Decide interview schedule and personnel
• Stay true to the SOW
• Watch time investment
• Always match actions to goals
• Avoid SOW creep
Pre-Site Visit Goals
• Confirm client’s goals with the delivery team
• Connect sponsor with the delivery team lead
• Establish escalation procedures and contact personnel
• Goal is to get the client comfortable with:
  • Approach
  • Needs
  • Consultants doing the work
  • Process for moving the project to conclusion
Pre-Site Visit Information
• Policies
• Infrastructure architecture drawings / maps
• Administrator passwords
• Org chart
• Secure workspace
• Budget information
• Mission statements
Document Review
• Access logs: system, maintenance, and visitor
• Incident reports
• Documents: plans, policies, and procedures
• Previous risk assessments
• Continuity of operations plans
• Contingency reports
• Directories
• Inventory records
• Floor plans
• Organization charts
• Mission statements
• System and network configurations
On-Site Process
• Hold a meeting ASAP to introduce players, state objectives and discuss process
• Collect the information requested in the pre-site visit process
• Discuss interview process, scheduling and targets:
  • Line up personnel to interview
  • Have questions already prepared
  • Run interviews in parallel with other data collection techniques
Initial On-Site Process
• Need to discuss facility access:
  • After-hours building access needed
  • Normal business hours access required
  • Badges may be needed; get them
  • Understand departmental work hours
• Get a facilities tour:
  • Restrooms
  • Cafeteria
  • Sponsor’s office
  • Work area
  • Off-limit areas
Initial On-Site Activity
• Start scans
• Arrange interviews
• Perform facility walkthrough
• Examine policies
• Dumpster dive
• Printer output trays
• Open desk areas