Security Risk Management Medley
Presentation Transcript

  1. Security Risk Management Medley - Tom Siu, Brad Judy, Joshua Mauk

  2. Overview • Definitions • Business process risk assessment • Operational risk management • Life cycle risk management • How to get started

  3. Definition—Risk • A problem that has not happened yet • A potential occurrence that can negatively impact an individual, process, system, facility • “Exposure to the chance of injury or loss; a hazard or dangerous chance” (Dictionary.com) • Risk combines the probability of an event occurring with the impact of that event

  4. Risk Analysis to Management

  5. How do we know we are managing risk? • Establish standards for tolerable levels of risk and acceptable methods of risk reduction • Develop risk reduction plan for unacceptable risks • Implement risk reduction plans • Integrate risk assessment into new projects • Assess risk of existing processes and systems on a periodic basis • Verify that risk reduction has resulted in acceptable risk level • Wash, Rinse, Repeat (i.e. all of the above are done on an on-going basis)

  6. Business Process Risk Assessment Brad Judy

  7. University of Colorado at Boulder

  8. Carnegie classification • A&S+prof/HGC • CompDoc/Nmed • HU • FT4/MS/HT • L4/NR

  9. Research

  10. 30,000 Students

  11. 7,000 Faculty & Staff

  12. 26,000 Network Nodes

  13. My Background • Computing labs • Active Directory • IT architecture • IT Security Office

  14. Risk Assessment Background • Data breach events • High risk departments • Critical business processes • Sensitive data handling • Contracted with vendor • Developed in-house process

  15. Goals for in-house process • Department scoped • “True” risk assessment • Draw from industry best practices • Leverage knowledge of campus environment • Broad examination of risk

  16. To Do • Self Assessment Process • Link Processes • Better data collection?

  17. Operational Risk Management - Tom Siu, CISO, Case Western Reserve University, Cleveland, OH

  18. External Drivers for RM in Higher Education • Regulatory and Compliance • GLBA - Gramm-Leach-Bliley Act • HIPAA • FISMA (federally funded research) • PCI Compliance • University Security Policies • Guidelines • COBIT • ITIL • NIST

  19. Background: Case Western Reserve University • Carnegie Class • FT4/MS/LTI, non-profit, Bal/HGC, CompDoc/MedVet, MGP, M4/HR, RU/VH • Private Research University • ~ 5k undergrad, ~4k grad • ~ 20k users (faculty, staff, researchers, affiliates) • Med School, Nursing School, Dental School, Law, Business, Social Sciences, Engineering • ~ affiliates: • 4 hospitals, Cleveland Institute of Art, Cleveland Institute of Music

  20. Risk Management Concepts • Risk and Benefit • Risk definitions • Running toward risk • Operational Risk • Risk in context • Assessment Approach • Cyclic assessment and management • Case Examples

  21. Risk Perspective: Why I See It This Way • Multidisciplinary • Software Process Assessment (CMM, CMMI) • Process risk assessments • Requirements engineering • Information Warfare and Information Operations • Software Quality Assurance and Test Engineering • NASA Systems Engineering and Safety • Security and safety overlap • Progressive Casualty Insurance Company • Data driven risk business

  22. Running Towards Risk “If a software project has no risks, don’t do it”

  23. Risk and Exploration: Earth, Sea, and the Stars • Public Understanding of Risk • Why we explore • How to manage operational risk • Examples South Pole: • Sir Walter Scott • Ernest Shackleton • http://www.nasa.gov/mission_pages/exploration/whyweexplore/Why_We_14.html

  24. Definitions: Risk • Risk Statement • Condition: a combination of • Threat source • Vulnerability • Consequence: Impact, usually negative • Disclosure • Modification • Loss/Destruction • Interruption • Recommendation: • Keep it qualitative in this domain until you have data, lots of data

  25. Welcome to DIA

  26. Risk Statement (diagram): [Condition] “there is a possibility that” [Consequence]

  27. Happy Easter in Cleveland! sshd happens…

  28. Risk Statement in Context (diagram): Risk Source → [Condition] “there is a possibility that” [Consequence] = Risk Statement; surrounding Context: Contributing Factors, Related Issues, Circumstances, Interdependencies

  29. Definitions: Risk Tolerance (diagram: Acceptable / Unacceptable)

  30. Typical University Risk Tolerance (diagram: Acceptable / Unacceptable)

  31. Speculative Risk vs. Hazard Risk (diagram labels: Hazard Risk, Speculative Risk; outcomes: Profit/Gain, Nominal, Loss) • Operational Risk: Potential failure to achieve mission objectives • Source: “Common Elements of Risk”, Alberts, Christopher, Technical Note CMU/SEI-2006-TN-014

  32. Risk Assessment and Analysis

  33. Risk Terms • Risk Statement • Condition • Consequence • Risk Parameters • Context • Probability • Impact • Timeframe
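An added example, not from the presentation: a small Python risk register that writes statements in the slide 26 form (Condition, “there is a possibility that”, Consequence), tags each with the consequence types from slide 24 and the parameters from slide 33, and ranks and classifies them against a tolerance threshold (slide 29). The level names, the 3x3 scoring table, the timeframe labels and the threshold are assumptions for illustration, and the sample risks are constructed.

```python
from dataclasses import dataclass

# Assumed qualitative scales (the slides say stay qualitative until you have
# data); the numbers exist only to order risks, not to measure them.
LEVELS = {"low": 1, "medium": 2, "high": 3}
TIMEFRAMES = {"near": 0, "mid": 1, "far": 2}        # sooner sorts first
CONSEQUENCE_TYPES = ("disclosure", "modification", "loss", "interruption")


@dataclass
class Risk:
    condition: str         # threat source + vulnerability
    consequence: str       # the impact, usually negative
    consequence_type: str  # one of CONSEQUENCE_TYPES
    probability: str       # low / medium / high
    impact: str            # low / medium / high
    timeframe: str         # near / mid / far

    def __post_init__(self):
        if self.consequence_type not in CONSEQUENCE_TYPES:
            raise ValueError(f"unknown consequence type: {self.consequence_type}")
        if self.probability not in LEVELS or self.impact not in LEVELS:
            raise ValueError("probability and impact must be low/medium/high")
        if self.timeframe not in TIMEFRAMES:
            raise ValueError(f"unknown timeframe: {self.timeframe}")

    def statement(self) -> str:
        # Slide 26 form: Condition -> "there is a possibility that" -> Consequence
        return f"{self.condition}; there is a possibility that {self.consequence}."

    def exposure(self) -> int:
        # Assumed 3x3 matrix: probability level times impact level (1..9)
        return LEVELS[self.probability] * LEVELS[self.impact]


def classify(risk, tolerance=3):
    """Assumed tolerance rule: exposure above the threshold is unacceptable."""
    return "unacceptable" if risk.exposure() > tolerance else "acceptable"


def rank(register):
    """Highest exposure first; ties broken by the nearer timeframe."""
    return sorted(register, key=lambda r: (-r.exposure(), TIMEFRAMES[r.timeframe]))


# Constructed sample register (illustrative, not findings from the talk)
SAMPLE = [
    Risk("an Internet-facing sshd host accepts password logins",
         "a guessed account is used to read files on the host", "disclosure", "high", "medium", "near"),
    Risk("the only backup copy sits on the same disk array as the data",
         "an array failure destroys research data", "loss", "low", "high", "mid"),
]
```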

  34. Risk Management Approach @ Case • Using CRM • Domain independent • Brainstorming Method • Focusing Tools • 6 Hats • OCTAVE • Small, Repetitive • Facilitated • Users involved • Consistency Focus: Identification and Analysis phases

  35. FOD Walkdown - a simple risk assessment • Risk Identification • Directed focus • Get a list of risks • Context driven

  36. Risk Context

  37. Before Starting, Prepare Shortcuts • Review Incident Post-Mortems • Context • Past performance IS an indicator of future risk • Previous Assessment Results • What actions have taken place? • What conditions have changed? • Are past problems unlikely now? • Gather Facts (see white hat)

  38. Focusing Tools http://viscog.beckman.uiuc.edu/grafs/demos/15.html

  39. The 6 Hats

  40. 6 Hats Usage in Risk Brainstorming • Occasional use • wear one hat at a time • request a certain thinking type to change thinking • “I think it is time for some green hat thinking - we need some new ideas.” • Systematic use • quick exploration of a subject • sequence the hats (white, black, yellow/green, red) • critical thinking saved for just the right moment • Risk Identification is Black Hat • Controls and Workarounds use Yellow and Green Hat • The 6 Thinking Hats, by Edward de Bono

  41. Threat Analysis