This overview covers definitions, business process risk assessment, operational risk management, and life cycle risk management. Learn how to get started with risk analysis, setting tolerable risk levels, and developing risk reduction plans.
Security Risk Management Medley (Tom Siu, Brad Judy, Joshua Mauk)
Overview • Definitions • Business process risk assessment • Operational risk management • Life cycle risk management • How to get started
Definition—Risk • A problem that has not happened yet • A potential occurrence that can negatively impact an individual, process, system, facility • “Exposure to the chance of injury or loss; a hazard or dangerous chance” (Dictionary.com) • Risk combines the probability of an event occurring with the impact of that event
How do we know we are managing risk? • Establish standards for tolerable levels of risk and acceptable methods of risk reduction • Develop a risk reduction plan for each unacceptable risk • Implement the risk reduction plans • Integrate risk assessment into new projects • Assess the risk of existing processes and systems on a periodic basis • Verify that risk reduction has actually brought the risk to an acceptable level • Wash, Rinse, Repeat (i.e., all of the above are done on an ongoing basis)
Business Process Risk Assessment Brad Judy
Carnegie classification • A&S+prof/HGC • CompDoc/Nmed • HU • FT4/MS/HT • L4/NR
My Background • Computing labs • Active Directory • IT architecture • IT Security Office
Risk Assessment Background • Data breach events • High-risk departments • Critical business processes • Sensitive data handling • Contracted with a vendor • Developed an in-house process
Goals for in-house process • Department scoped • “True” risk assessment • Draw from industry best practices • Leverage knowledge of campus environment • Broad examination of risk
To Do • Self Assessment Process • Link Processes • Better data collection?
Operational Risk Management • Tom Siu, CISO, Case Western Reserve University, Cleveland, OH
External Drivers for RM in Higher Education • Regulatory and Compliance • GLBA (Gramm-Leach-Bliley Act) • HIPAA • FISMA (federally funded research) • PCI compliance • University Security Policies • Guidelines • COBIT • ITIL • NIST
Background: Case Western Reserve University • Carnegie Class: FT4/MS/LTI, non-profit, Bal/HGC, CompDoc/MedVet, MGP, M4/HR, RU/VH • Private research university • ~5k undergrad, ~4k grad • ~20k users (faculty, staff, researchers, affiliates) • Med School, Nursing School, Dental School, Law, Business, Social Sciences, Engineering • Affiliates: 4 hospitals, Cleveland Institute of Art, Cleveland Institute of Music
Risk Management Concepts • Risk and Benefit • Risk definitions • Running toward risk • Operational Risk • Risk in context • Assessment Approach • Cyclic assessment and management • Case Examples
Risk Perspective: Why I See It This Way • Multidisciplinary • Software Process Assessment (CMM, CMMI) • Process risk assessments • Requirements engineering • Information Warfare and Information Operations • Software Quality Assurance and Test Engineering • NASA Systems Engineering and Safety • Security and safety overlap • Progressive Casualty Insurance Company • Data driven risk business
Running Towards Risk “If a software project has no risks, don’t do it”
Risk and Exploration: Earth, Sea, and the Stars • Public Understanding of Risk • Why we explore • How to manage operational risk • Examples, South Pole: Robert Falcon Scott, Ernest Shackleton • http://www.nasa.gov/mission_pages/exploration/whyweexplore/Why_We_14.html
Definitions: Risk • Risk Statement • Condition: a combination of a threat source and a vulnerability • Consequence: the impact, usually negative, of one of • Disclosure • Modification • Loss/Destruction • Interruption • Recommendation: keep it qualitative in this domain until you have data, lots of data
Risk Statement (diagram): a Condition, the words “there is a possibility that”, and a Consequence.
Happy Easter in Cleveland! sshd happens…
Risk Statement in Context (diagram): the risk statement (Condition, “there is a possibility that”, Consequence) sits inside its Context: Risk Source, Contributing Factors, Related Issues, Circumstances, Interdependencies.
Definitions: Risk Tolerance (diagram): a scale divided into Acceptable and Unacceptable by a tolerance threshold.
Typical University Risk Tolerance (diagram): the same Acceptable/Unacceptable scale, with the threshold where a typical university places it.
Speculative Risk vs. Hazard Risk (diagram): hazard risk ranges only from Nominal to Loss; speculative risk spans Loss through Nominal to Profit/Gain. Operational Risk: potential failure to achieve mission objectives. Source: Alberts, Christopher, “Common Elements of Risk”, Technical Note CMU/SEI-2006-TN-014.
Risk Terms • Risk Statement • Condition • Consequence • Risk Parameters • Context • Probability • Impact • Timeframe
Risk Management Approach @ Case • Using CRM • Domain independent • Brainstorming Method • Focusing Tools • 6 Hats • OCTAVE • Small, Repetitive • Facilitated • Users involved • Consistency Focus: Identification and Analysis phases
FOD (Foreign Object Debris) Walkdown: a simple risk assessment • Risk Identification • Directed focus • Get a list of risks • Context driven
Before Starting, Prepare Shortcuts • Review Incident Post-Mortems • Context • Past performance IS an indicator of future risk • Previous Assessment Results • What actions have taken place? • What conditions have changed? • Are past problems unlikely now? • Gather Facts (see white hat)
Focusing Tools • http://viscog.beckman.uiuc.edu/grafs/demos/15.html
6 Hats Usage in Risk Brainstorming • Occasional use • wear one hat at a time • request a certain thinking type to change the group's thinking • “I think it is time for some green hat thinking; we need some new ideas.” • Systematic use • quick exploration of a subject • sequence the hats (white, black, yellow/green, red) • critical thinking saved for just the right moment • Risk Identification is Black Hat • Controls and Workarounds use the Yellow and Green Hats • The 6 Thinking Hats, by Edward de Bono