
Information SECURITY Risk Assessment

Information SECURITY Risk Assessment. Turning Project in Process: Segmentation, Prioritization and Iteration. Cornell University: Steve Schuster (sjs74@cornell.edu), Interim Executive Director for Cornell Information Technologies.


Presentation Transcript


  1. Information SECURITY Risk Assessment. Turning Project in Process: Segmentation, Prioritization and Iteration
   • Cornell University: Steve Schuster (sjs74@cornell.edu), Interim Executive Director for Cornell Information Technologies
   • Illumant, LLC: Matija Siljak (siljak@illumant.com), Director, Advisory Services

  2. Why Risk Assessment? To answer these questions:
   • What constitutes sensitive information?
   • Where is it?
   • How much of it is there?
   • How effectively is it protected?
   • What are the vulnerabilities that could lead to compromise?
   • What is the likelihood of compromise?
   • What is the potential impact?
   • What is the most effective use of protection resources?

  3. Problems with risk assessment. Traditional risk assessment:
   • One-offs
      • project not process = limited ongoing benefit
   • Breach response
      • reactive not proactive = skewed expectations
   • Big endeavor
      • expensive and effort-intensive = risky project
   • Questionable value
      • predictable results and imbalanced cost-benefit = dissatisfaction

  4. Solutions. Modified risk assessment:
   • One-offs
      • segment into small, independent components and iterate
   • Breach response
      • minimize time to partial results
   • Big endeavor
      • segment into small, independent components and iterate
      • start at a high level, drill down later based on interim results
   • Questionable value
      • minimize cost and effort and time to results, balance cost and benefit

  5. What is different? The formula remains the same: Risk = Threat × Vulnerability × Impact
   • Change is to administration and expectations
   • Divide up the data gathering into segments
   • Use interim results to prioritize further tasks and where to drill down
   • Tolerate incompleteness, omission – circle back
   • Analogy: mainframe vs. Linux cluster

  6. Risk assessment methodology overview

  7. Risk Assessment Process Summary: Data Classification → Data Types → Assets (Apps, DBs, etc.) → Departments and Units = Exposure Analysis

  8. Data classification. Start with the data classification policy. Consider other potentially sensitive data, for example:
   • Student Info
      • SSN
      • Financial Info
      • Credit Card Info
      • Driver’s License
      • Protected Health Info
      • Academic Records
   • Employee / Faculty (HR) Info
      • SSN
      • Payroll Info
      • Driver’s License
      • Bank Account Info
      • Protected Health Info
   • Alumni and Donor Info
      • SSN
      • Credit Card Info
      • Driver’s License
      • Bank Account Info
   • Financial Data
      • University Finances
      • Point-of-Sale
      • Customer Credit Card Data
   • Physical Plant
      • Buildings, Facilities, Utilities
      • Grounds
   • Cyber Infrastructure
      • Access Info, Logs, LDAP
   • Other PII
      • Human Subject Research
      • Key Performance Indicators
   • Protected Health Info (PHI)
      • Info in Non-medical Systems
   • Library
      • Citation DB
      • Digital Full Text
      • Circulation
   • Intellectual Property
      • Courseware, Research, Papers, Books, Code

  9. Data and asset inventory. Map the assets to data types and locations and attempt to roughly quantify the data.

  10. Exposure analysis. After completing the inventory exercise, identify the key assets and departments on which to focus.

  11. Risk Assessment Process Summary: Threats → Vulnerabilities; Vulnerabilities, Controls and Regulations → Assets (Apps, DBs, etc.) → Departments and Units = Controls Assessment

  12. Threat analysis. Select an appropriate threat model:
   • Malicious activity
   • Malfunction
   • Human error
   • Environmental

  13. Controls analysis. Using best practice frameworks, standards, and regulations, we evaluate departmental and university controls:
   • EDUCAUSE Risk Management Framework
   • New York Information Security Breach and Notification Act 2005
   • Look for:
      • Existence
      • Effectiveness
      • Compliance

  14. Controls analysis. Start at a high level and drill down.
   • For example, we examine:

  15. Control Maturity Model

  16. Risk Assessment Process Summary: Exposure Analysis + Controls Assessment → Risk Assessment → Security Roadmap

  17. Cost-Benefit Analysis. Review exposures, vulnerabilities and potential impact
   • Create list of remediation options
   • Estimate costs and compare with benefits
   • Outline security roadmap
      • Identify long-range plans
      • Highlight action items
         • Quick wins
         • High priority exposures
   • Determine on-going risk assessment schedule
      • to revisit units and departments
      • Visit new units and departments
      • drill down on areas that need further investigation and more detail
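The segmented, iterative process the deck lays out (slides 5 through 17), as an added worked example that is not part of the presentation: assets are mapped to data types and rolled up to departments for exposure analysis, Risk = Threat × Vulnerability × Impact is computed with exposure standing in for impact, remediation options are ranked by risk reduced per unit of cost, and units with an empty inventory are queued for the next iteration. The sensitivity weights, 0-1 threat and vulnerability scales, and the inventory itself are constructed assumptions.

```python
from dataclasses import dataclass
# Assumed 1-5 sensitivity weight per data type, standing in for the data classification policy
SENSITIVITY = {"SSN": 5, "Credit Card": 5, "PHI": 5, "Academic Records": 3, "Citation DB": 1}

@dataclass
class Asset:
    name: str
    unit: str                 # owning department or unit
    records: dict             # data type -> rough record count; empty if not yet inventoried
    threat: float             # likelihood a threat acts on this asset, 0-1 (assumed scale)
    vulnerability: float      # residual weakness given current controls, 0-1 (assumed scale)
    fix_vulnerability: float  # expected vulnerability after the remediation option
    fix_cost: float           # estimated cost of that option, arbitrary units

def exposure(asset):
    # Exposure: how much data the asset holds, weighted by how sensitive each data type is
    return sum(SENSITIVITY.get(t, 0) * n for t, n in asset.records.items())

def exposure_by_unit(assets):
    # Roll assets up to departments and units, as the exposure analysis step does
    totals = {}
    for a in assets:
        totals[a.unit] = totals.get(a.unit, 0) + exposure(a)
    return totals

def risk(asset, vulnerability=None):
    # Risk = Threat x Vulnerability x Impact, with exposure used as the impact term
    v = asset.vulnerability if vulnerability is None else vulnerability
    return asset.threat * v * exposure(asset)

def prioritize(assets):
    # Highest current risk first; name breaks ties so the ordering is stable
    return sorted(assets, key=lambda a: (-risk(a), a.name))

def quick_wins(assets, budget):
    # Remediation options that fit the budget, ranked by risk reduced per unit of cost
    scored = []
    for a in assets:
        if a.fix_cost <= budget:
            scored.append(((risk(a) - risk(a, a.fix_vulnerability)) / a.fix_cost, a))
    return [a.name for ratio, a in sorted(scored, key=lambda s: (-s[0], s[1].name)) if ratio > 0]

def needs_drilldown(assets):
    # Units whose inventory is still empty: tolerated now, circled back to in the next iteration
    return sorted({a.unit for a in assets if not a.records})

INVENTORY = [  # constructed sample inventory; counts and scores are illustrative
    Asset("student-sis", "Registrar", {"SSN": 20000, "Academic Records": 50000}, 0.6, 0.5, 0.1, 40),
    Asset("clinic-ehr", "Health Services", {"PHI": 8000}, 0.5, 0.7, 0.2, 25),
    Asset("library-catalog", "Library", {"Citation DB": 200000}, 0.3, 0.4, 0.2, 10),
    Asset("donor-crm", "Alumni Affairs", {}, 0.4, 0.5, 0.3, 30),  # not yet inventoried
]
```

With the sample inventory, `prioritize(INVENTORY)` puts the student system first, `quick_wins(INVENTORY, 30)` picks the library catalog and clinic EHR fixes, and `needs_drilldown(INVENTORY)` flags Alumni Affairs for the next pass.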
