Automation of Risk Analysis and Management
DESCRIPTION
Automation of Risk Analysis and Management. Dan Cvrcek, Marek Kumpost - BUSLab; Ludek Novak - ANECT. BUSLab – IT Security Laboratory. BUSLab (Brno University Security Laboratory): informal security research group of Brno University of Technology and Masaryk University.
TRANSCRIPT
www.buslab.org | Brno – Center of Education and Innovation
Automation of Risk Analysis and Management
Dan Cvrcek, Marek Kumpost - BUSLab
Ludek Novak - ANECT
www.buslab.org | Automation of Risk Analysis and Management
BUSLab – IT Security Laboratory
BUSLab (Brno University Security Laboratory)
● Informal security research group of Brno University of Technology and Masaryk University
● Concentrates people interested in IT security
● Research projects, conferences, industrial cooperation
● Leading persons: Dan Cvrcek, Vashek Matyas
Cooperation with ANECT
● Strong company in the area of network infrastructures and risk management
● Certified by Czech NSA for classified information
● Experience with critical infrastructures
BUSLab Expertise
Privacy
● Participate in the FIDIS project (Future of Identity in the Information Society)
● Strong cooperation with KU Leuven, TU Dresden
Reputation Systems
● Experience of participation in the SECURE project
● Currently running national research project
● Implementation of reputation system for WiFi networks
Secure Cryptographic Devices
● Cooperation with Cambridge University, security of crypto-modules, smartcards, Chip&PIN cards
Key infrastructures
● Design of schemes for key management in emerging areas like sensor networks
Management of Security
Crucial problem of security is to pinpoint the important risks/threats
No-one ever did this for home computers used for Internet banking, personal communication, and recently voice communication
Number of different methodologies for large systems (CRAMM, CobiT, EBIOS, RA2 art of risk, …)
● Hard to utilise, expensive, and time consuming
● An audit may take several months
● Not usable for everyday management, fast-changing environments
Unreachable for common users, SMEs, government
If … floods
● Reevaluate communications, transport, healthcare, …
● Coordinate emergency services, supplies, …
● Later on – change infrastructures, …
If … air-traffic suspension
● Delivery of goods, passengers, strengthening other means of traffic
● Transport of perishable goods, drugs, organs for transplantations
● Later on – security measures, obligations for airlines, …
Multidisciplinary assessment, analysis, reaction, …
Risk Management Starting Points
EU business needs a genuine risk management arrangement combining
● Risk-correctness – appropriate accuracy of data about the system and applicable threats
● Control-effectiveness – measures are effective and fulfill their goals and objectives
● Cost-efficiency – economically reasonable
● Time-dependency – risk management must react to changes of the system and its environment
Methodologies for risk management are not stable yet
● ISO is rewriting its recommendations (General risk management principles, Information security risk management)
● EU – ENISA’s recommendations for risk management
Project Relevance and Needs
ENISA Risk Management Road Map
● 9 of 10 identified areas are directly relevant:
  ● Interoperability/compatibility of methods
  ● Comparability/merging of methods
  ● Measurements of risks
  ● Unified information bases for risk management
  ● Risk management and relevant security issues
  ● Business Continuity Planning (BCP)
  ● Emerging risks
  ● Awareness, training, communication
  ● Security measurement
  ● Methods inventory maintenance
Project Objectives and Focus
Develop risk management environment/tools able to:
● Integrate risk management in different domains – operational, environmental, information, …
● Integrate risk management at different levels of detail
● Timely, effective, and efficient reassessment of relevant security aspects
Hierarchical risk management
● Subordination of risk management engines
● Coverage of risks by subordinate management engines
● Data flows (downwards threats, upwards impact/risk)
● Access control to sensitive data
● XML based information exchange schemes
Pilot
● Usability in different situations (home, SME, government)
● Quick spreading of change data on risks
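The hierarchy of subordinated engines with threats flowing downwards and impact/risk flowing upwards, as an added Python illustration that is not code from the BUSLab/ANECT project: the Threat/Asset/RiskEngine classes, the 1–5 scales, the percent-exposure rating and the constructed Country/Region/Local sample are all assumptions, and keeping asset-level detail inside each engine stands in for the access-control point.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale

@dataclass
class Asset:
    name: str
    value: int               # 1 .. 5; assumed scale
    exposure: dict           # threat name -> percent of value at risk (0..100)

@dataclass
class RiskEngine:
    """One node of the hierarchy (EU-Country, Country-Region, Region-Local, ...)."""
    name: str
    assets: list = field(default_factory=list)
    subordinates: list = field(default_factory=list)

    def assess(self, threats):
        """Threats arrive from the superior (downwards flow); the engine rates
        its own assets, collects subordinate reports and returns only an
        aggregate (upwards flow), so asset-level detail never leaves this node."""
        local = {}
        for t in threats:
            # risk of a threat here = worst (likelihood x exposed asset value)
            local[t.name] = max(
                (t.likelihood * a.value * a.exposure.get(t.name, 0) // 100
                 for a in self.assets), default=0)
        reports = [s.assess(threats) for s in self.subordinates]
        agg = {t.name: max([local[t.name]] + [r["risk"][t.name] for r in reports])
               for t in threats}
        return {"engine": self.name, "risk": agg,
                "top_threat": max(agg, key=agg.get) if agg else None}

def demo():
    """Constructed sample hierarchy using the deck's flood / air-traffic cases."""
    threats = [Threat("flood", 3), Threat("air-traffic suspension", 2)]
    local = RiskEngine("Local", assets=[Asset("hospital network", 5, {"flood": 80})])
    region = RiskEngine("Region", subordinates=[local], assets=[
        Asset("airport", 4, {"flood": 20, "air-traffic suspension": 100})])
    country = RiskEngine("Country", subordinates=[region])
    return country.assess(threats)

if __name__ == "__main__":
    print(demo())
```

Re-running assess() with an updated threat list is the "quick spreading of change data": the new likelihoods reach every subordinate in one pass and the revised aggregates come straight back up.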
Added Value and Project Innovation
Nearly real-time tools helping to solve the situation
Tight risk management environment integrating different risk domains
● SME, Government, Large enterprises
● Informatics: integration of differently focused methodologies
● Critical infrastructure protection: telecommunications, emergency, utilities, healthcare, banking, transportation, government, …
Tight risk management environment integrating different risk levels
● Government: Region-Local, Country-Region, EU-Country
● Large enterprises: Central office-Branches
● Informatics: integration of individual systems
Thanks for your attention!
Questions, comments …
Useful links
BUSLab's web page: http://www.buslab.org
ANECT: http://www.anect.cz
E-mails:
Dan Cvrcek [email protected]
Marek Kumpost [email protected]
Ludek Novak [email protected]