Automation of Risk Analysis and Management
• Dan Cvrcek, Marek Kumpost - BUSLab
• Ludek Novak - ANECT
Brno – Center of Education and Innovation
BUSLab – IT Security Laboratory
• BUSLab (Brno University Security Laboratory)
  • Informal security research group of Brno University of Technology and Masaryk University
  • Brings together people interested in IT security
  • Research projects, conferences, industrial cooperation
  • Leading persons: Dan Cvrcek, Vashek Matyas
• Cooperation with ANECT
  • Strong company in the area of network infrastructures and risk management
  • Certified by the Czech NSA (National Security Authority) for handling classified information
  • Experience with critical infrastructures
BUSLab Expertise
• Privacy
  • Participation in the FIDIS project (Future of Identity in the Information Society)
  • Strong cooperation with KU Leuven, TU Dresden
• Reputation systems
  • Experience from participation in the SECURE project
  • Currently running national research project
  • Implementation of a reputation system for WiFi networks
• Secure cryptographic devices
  • Cooperation with Cambridge University: security of crypto-modules, smartcards, Chip&PIN cards
• Key infrastructures
  • Design of schemes for key management in emerging areas like sensor networks
Management of Security
• The crucial problem of security management is pinpointing the risks/threats that actually matter
• Nobody has done this for home computers used for Internet banking, personal communication and, recently, voice communication
• A number of methodologies exist for large systems (CRAMM, CobiT, EBIOS, RA2 art of risk, …)
  • Hard to use, expensive and time consuming
  • An audit may take several months
  • Not usable for everyday management or for fast-changing environments
  • Out of reach for common users, SMEs and government
If …
• Floods
  • Re-evaluate communications, transport, healthcare, …
  • Coordinate emergency services, supplies, …
  • Later on: change infrastructures, …
• Air-traffic suspension
  • Delivery of goods and passengers; strengthening other means of transport
  • Transport of perishable goods, drugs, organs for transplantation
  • Later on: security measures, obligations for airlines, …
… then a multidisciplinary assessment, analysis and reaction is needed
Risk Management Starting Points
• EU business needs a genuine risk management arrangement combining
  • Risk-correctness – appropriate accuracy of data about the system and the applicable threats
  • Control-effectiveness – measures are effective and fulfil their goals and objectives
  • Cost-efficiency – economically reasonable
  • Time-dependency – risk management must react to changes of the system and its environment
• Methodologies for risk management are not stable yet
  • ISO is rewriting its recommendations (general risk management principles, information security risk management)
  • EU – ENISA’s recommendations for risk management
Project Relevance and Needs
• ENISA Risk Management Road Map
  • 9 of the 10 identified areas are directly relevant
  • Interoperability/compatibility of methods
  • Comparability/merging of methods
  • Measurement of risks
  • Unified information bases for risk management
  • Risk management and relevant security issues
  • Business Continuity Planning (BCP)
  • Emerging risks
  • Awareness, training, communication
  • Security measurement
  • Methods inventory maintenance
Project Objectives and Focus
• Develop a risk management environment/tools able to:
  • Integrate risk management across different domains: operational, environmental, information, …
  • Integrate risk management at different levels of detail
  • Reassess relevant security aspects in a timely, effective and efficient way
• Hierarchical risk management
  • Subordination of risk management engines
  • Coverage of risks by subordinate management engines
  • Data flows (threats downwards, impact/risk upwards)
  • Access control to sensitive data
  • XML-based information exchange schemes
• Pilot
  • Usability in different situations (home, SME, government)
  • Quick spreading of change data on risks
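One way the hierarchical data flow on this slide could look in code, as an added example that is not part of the original presentation or of the BUSLab/ANECT project: a superior engine pushes a threat update (XML) down to subordinate engines, each subordinate evaluates risk against its own asset inventory and reports only aggregated risk levels back up, so the inventory itself never crosses the engine boundary. The XML element names, the risk formula (likelihood × impact on an assumed 1–5 scale) and the aggregation rule (the worst case propagates upward) are assumptions made for illustration; the hierarchy and the threat update are constructed sample data.

```python
"""Hierarchical risk-management engines exchanging threat and risk data as XML.

Added example, not code from the BUSLab/ANECT project. Element names, the
risk formula (likelihood x impact) and the worst-case aggregation rule are
assumptions for illustration only.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    category: str   # threats are matched to assets by category (assumed scheme)
    impact: int     # 1 (negligible) .. 5 (critical), an assumed scale


@dataclass
class RiskEngine:
    """One engine in the hierarchy (EU -> country -> region, or HQ -> branch)."""
    name: str
    assets: list[Asset] = field(default_factory=list)
    subordinates: list[RiskEngine] = field(default_factory=list)

    def handle_threat_update(self, threats_xml: str) -> str:
        """Receive a threat update from the superior engine, forward it to all
        subordinates, evaluate local risk and return the upward XML report."""
        # Reports and updates from remote engines are untrusted input: parse
        # them with defusedxml in production; ElementTree keeps this example
        # dependency-free.
        root = ET.fromstring(threats_xml)
        threats = [(t.attrib["id"], t.attrib["category"], int(t.attrib["likelihood"]))
                   for t in root.iter("threat")]

        risk: dict[str, int] = {}
        # Local evaluation: risk = likelihood x impact of the worst affected asset.
        for tid, category, likelihood in threats:
            for asset in self.assets:
                if asset.category == category:
                    risk[tid] = max(risk.get(tid, 0), likelihood * asset.impact)

        # Downward flow: the unchanged update goes to every subordinate.
        # Upward flow: only the subordinate's aggregated risk levels come back.
        for sub in self.subordinates:
            sub_report = parse_report(sub.handle_threat_update(threats_xml))
            for tid, level in sub_report.items():
                risk[tid] = max(risk.get(tid, 0), level)

        return build_report(self.name, risk)


def build_report(engine: str, risk: dict[str, int]) -> str:
    """Upward report carrying aggregated risk per threat only. The asset
    inventory stays inside the engine, which is the access-control boundary
    for sensitive data."""
    root = ET.Element("report", engine=engine)
    for tid, level in sorted(risk.items()):
        ET.SubElement(root, "risk", threat=tid, level=str(level))
    return ET.tostring(root, encoding="unicode")


def parse_report(report_xml: str) -> dict[str, int]:
    """Read a subordinate's report back into {threat id: risk level}."""
    root = ET.fromstring(report_xml)
    return {r.attrib["threat"]: int(r.attrib["level"]) for r in root.iter("risk")}


def build_demo_hierarchy() -> RiskEngine:
    """Constructed sample: a country engine with two regional subordinates."""
    south = RiskEngine("region-south", [Asset("hospital-net", "healthcare", 5),
                                        Asset("river-bridge", "transport", 3)])
    north = RiskEngine("region-north", [Asset("airport", "transport", 4)])
    return RiskEngine("country", [Asset("gov-backbone", "telecom", 4)], [south, north])


# Constructed threat update as it would arrive from the superior (EU-level) engine.
FLOOD_UPDATE = """<threats>
  <threat id="flood" category="transport" likelihood="4"/>
  <threat id="flood-hc" category="healthcare" likelihood="2"/>
  <threat id="cable-cut" category="telecom" likelihood="1"/>
</threats>"""


if __name__ == "__main__":
    country = build_demo_hierarchy()
    print(country.handle_threat_update(FLOOD_UPDATE))
```

Running the sample gives the country engine a report in which the flood risk for transport (16) comes from region-north's airport, the healthcare flood risk (10) from region-south, and the cable-cut risk (4) from the country's own backbone; neither regional asset name appears in the upward report. A change in a single threat's likelihood at the top therefore re-propagates through the whole tree in one pass, which is the "quick spreading of change data on risks" the pilot aims at.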
Added Value and Project Innovation
• Near-real-time tools that help to resolve a situation
• Tight risk management environment integrating different risk domains
  • SMEs, government, large enterprises
  • Informatics: integration of differently focused methodologies
  • Critical infrastructure protection: telecommunications, emergency services, utilities, healthcare, banking, transportation, government, …
• Tight risk management environment integrating different risk levels
  • Government: Region–Local, Country–Region, EU–Country
  • Large enterprises: central office – branches
  • Informatics: integration of individual systems
Thanks for your attention!
• Questions, comments …
• Useful links
  • BUSLab’s web page: http://www.buslab.org
  • ANECT: http://www.anect.cz
• emails:
  • Dan Cvrcek: cvrcek@fit.vutbr.cz
  • Marek Kumpost: kumpost@fit.vutbr.cz
  • Ludek Novak: Ludek.Novak@anect.cz