1 / 86

Security Risk Management Medley

Security Risk Management Medley. Tom Siu Brad Judy Joshua Mauk. Overview. Definitions Business process risk assessment Operational risk management Life cycle risk management How to get started. Definition—Risk. A problem that has not happened yet

leishman
Download Presentation

Security Risk Management Medley

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Risk Management Medley Tom Siu Brad Judy Joshua Mauk

  2. Overview • Definitions • Business process risk assessment • Operational risk management • Life cycle risk management • How to get started

  3. Definition—Risk • A problem that has not happened yet • A potential occurrence that can negatively impact an individual, process, system, facility • “Exposure to the chance of injury or loss; a hazard or dangerous chance” (Dictionary.com) • Risk combines the probability of an event occurring with the impact of that event

  4. Risk Analysis to Management

  5. How do we know we are managing risk? • Establish standards for tolerable levels of risk and acceptable methods of risk reduction • Develop risk reduction plan for unacceptable risks • Implement risk reduction plans • Integrate risk assessment into new projects • Assess risk of existing processes and systems on a periodic basis • Verify that risk reduction has resulted in acceptable risk level • Wash, Rinse, Repeat (i.e. all of the above are done on an on-going basis)

  6. Business Process Risk Assessment Brad Judy

  7. University of Colorado at Boulder

  8. Carnegie classification • A&S+prof/HGC • CompDoc/Nmed • HU • FT4/MS/HT • L4/NR

  9. Research

  10. 30,000Students

  11. 7,000Faculty &Staff

  12. 26,000 Network Nodes

  13. My Background • Computing labs • Active Directory • IT architecture • IT Security Office

  14. Risk Assessment Background • Data breech events • High risk departments • Critical business processes • Sensitive data handling • Contracted with vendor • Developed in-house process

  15. Goals for in-house process • Department scoped • “True” risk assessment • Draw from industry best practices • Leverage knowledge of campus environment • Broad examination of risk

  16. To Do • Self Assessment Process • Link Processes • Better data collection?

  17. Operational Risk Management Tom SiuCISOCase Western Reserve UniversityCleveland, OH

  18. External Drivers for RM in Higher Education • Regulatory and Compliance • GLBA- Gramm Leach Bliley Act • HIPAA • FISMA (Federal Funded Research) • PCI Compliance • University Security Policies • Guidelines • COBIT • ITIL • NIST

  19. Background: Case Western Reserve University • Carnegie Class • FT4/MS/LTI, non-profit, Bal/HGC, CompDoc/MedVet, MGP, M4/HR, RU/VH • Private Research University • ~ 5k undergrad, ~4k grad • ~ 20k users (faculty, staff, reserarchers, affiliates • Med School, Nursing School, Dental School, Law, Business, Social Sciences, Engineering • ~ affiliates: • 4 hospitals, Cleveland Institute of Art, Cleveland Institute of Music 38

  20. Risk Management Concepts • Risk and Benefit • Risk definitions • Running toward risk • Operational Risk • Risk in context • Assessment Approach • Cyclic assessment and management • Case Examples

  21. Risk Perspective: Why I See It This Way • Multidisciplinary • Software Process Assessment (CMM, CMMI) • Process risk assessments • Requirements engineering • Information Warfare and Information Operations • Software Quality Assurance and Test Engineering • NASA Systems Engineering and Safety • Security and safety overlap • Progressive Casualty Insurance Company • Data driven risk business

  22. Running Towards Risk “If a software project has no risks, don’t do it”

  23. Risk and Exploration: Earth, Sea, and the Stars • Public Understanding of Risk • Why we explore • How to manage operational risk • Examples South Pole: • Sir Walter Scott • Earnest Shackleton 42 http://www.nasa.gov/mission_pages/exploration/whyweexplore/Why_We_14.html

  24. Definitions: Risk • Risk Statement • Condition: a combination of • Threat source • Vulnerability • Consequence: Impact, usually negative • Disclosure • Modification • Loss/Destruction • Interruption • Recommendation: • Keep it qualitative in this domain until you have data, lots of data

  25. Welcome to DIA

  26. Condition Risk Statement Consequence there is a possibility that Risk Statement

  27. Happy Easter in Cleveland! sshd happens…

  28. Risk Statement in Context Contributing Factors Related Issues Risk Source there is a possibility that Condition Consequence Risk Statement Circumstances Interdependencies Context

  29. Definitions: Risk Tolerance Acceptable Unacceptable

  30. Typical University Risk Tolerance Acceptable Unacceptable

  31. Speculative Risk vs. Hazard Risk Hazard Risk Profit/Gain Nominal Loss Speculative Risk Operational Risk: Potential failure to achieve mission objectives Source: “Common Elements of Risk; Alberts, Christopher,Technical Note CMU/SEI-2006-TN-014

  32. Risk Assessment and Analysis

  33. Risk Terms • Risk Statement • Condition • Consequence • Risk Parameters • Context • Probability • Impact • Timeframe

  34. Risk Management Approach @ Case • Using CRM • Domain independent • Brainstorming Method • Focusing Tools • 6 Hats • OCTAVE • Small, Repetitive • Facilitated • Users involved • Consistency Focus: Identification and Analysis phases

  35. FOD Walkdown- a simple risk assessment • Risk Identification • Directed focus • Get a list of risks • Context driven

  36. Risk Context

  37. Before Starting, Prepare Shortcuts • Review Incident Post-Mortems • Context • Past performance IS an indicator of future risk • Previous Assessment Results • What actions have taken place? • What conditions have changed? • Are past problems unlikely now? • Gather Facts (see white hat)

  38. Focusing Tools http://viscog.beckman.uiuc.edu/grafs/demos/15.html 57

  39. The 6 Hats

  40. 6 Hats Usage in Risk Brainstorming • Occasional use • wear one hat at a time • request a certain thinking type- to change thinking • “I think it is time for some green hat thinking- we need some new ideas.” • Systematic use • quick exploration of a subject • sequence the hats (white, black, yellow/green, red) • critical thinking saved for just the right moment • Risk Identification is Black Hat • Controls and Workarounds use Yellow and Green Hat • The 6 Thinking Hats, by Edward DeBono

  41. Threat Analysis

More Related