Certification and Accreditation CS-7493-01, Unit 4: Risk Management
(Transcript of a PowerPoint presentation)

Slide 1: Certification and Accreditation CS-7493-01, Unit 4: Risk Management
Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah

Slide 2: Acknowledgement
- DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
- DOD 8510.1-M, DITSCAP Application Manual
- Risk Management Guide for IT Systems, NIST
- Basic Risk Management for DoD
- E-commerce Risk Management slides (Dr. Hale CS slides)
- Risk Management within an IT System Environment, Communications Security Establishment (CSE), Canada

Slide 3: Overview
- General definitions
- Risk Management Process
- C&A

Slide 4: What is a Threat?
A threat is any circumstance or event with the potential to cause harm to an IS through:
- Unauthorized access
- Destruction
- Disclosure
- Modification of data
- Denial of service

Slide 5: What is a Vulnerability?
A vulnerability is a weakness in an IS's security procedures, internal controls, or implementation that could be exploited.

Slide 6: So, What is Risk?
Risk is the combined notion of:
- the harm caused by specific events (threats), AND
- the likelihood that the harm will happen (using vulnerabilities).

Slide 7: What is Residual Risk?
Residual risk is the portion of risk remaining after security measures have been applied.

Slide 8: Risk Management
Definition: the process of
- identifying risk,
- assessing risk, and
- taking steps to reduce risk to an acceptable level (residual risk).

Slide 9: Risk Management Cycle
[Diagram: Risk Management Cycle with six steps: Understand Mission Objectives; Understand Security Needs (Services); Characterize Risk Posture (Threat Analysis); Characterize What Can Be Done (Countermeasures); Decide What Will Be Done; Implement Decided Actions]

Slide 10: Mission Is Everything...
- The mission defines component values: people, equipment, information systems, facilities
- The mission is the guiding force for determining risk
- The organization's mission must be understood by the risk management team
- Information Systems (IS) play a critical role in supporting the mission

Slide 11: Information System: Definition
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (NTISSI No. 4009)

Slide 12: Information System Assets
- Hardware: PCs, servers, cables, disk drives, routers
- Software: programs, utilities, O/S
- Data and Information: created, processed, stored, in databases, in transit, and removed
- People: users, people needed to run systems
- Documentation: programs, hardware, systems, local administrative procedures, the entire system
- Supplies: paper, forms, ribbons, magnetic media

Slide 13: Risk Management Cycle
[Diagram: Risk Management Cycle, highlighting the first two steps: Understand Mission Objectives; Understand Security Needs (Services)]

Slide 14: ITSEC Class Characteristics
[Table: each characteristic is assessed for Operation, Data, and Infrastructure, with the System Alternatives for each; the cell values are not in the transcript.]
Characteristics:
- Interfacing Mode
- Processing Mode
- Attribution Mode
- Mission-Reliance Factor
- Accessibility Factor
- Accuracy Factor
- Information Categories

Slide 15: ITSEC Classification: Mission Reliance on IS
The degree to which mission success depends on the system operation, data, or infrastructure (Mission Reliance Factor):
- None: the mission is not dependent on the specific aspect
- Cursory: the mission is incidentally dependent on the specific aspect
- Partial: the mission is partially dependent on the specific aspect
- Total: the mission is totally dependent on the specific aspect
Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IS-related risk.

Slide 16: ITSEC Classification: Security Characteristics

| Security Characteristic | Mission Reliance Alternative |
| --- | --- |
| Confidentiality | Sensitive, Classified, Special Access |
| Availability | Reasonable, Soon, ASAP, Immediate |
| Integrity / Accuracy | NA, Approximate, Exact |
| Accountability / Attribution | None, Rudimentary, Basic, Comprehensive |

Slide 17: Mission Trees
[Diagram: mission tree. The root "Missions" has two branches. "Deploy" breaks down into "Warning Order" and "Movement Order"; "Develop" breaks down into "Equipment Performance Characteristics" and "Equipment Patentable Characteristics". Each leaf carries its own C I A (confidentiality, integrity, availability) needs.]
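
The mission tree above, together with the ordered ITSEC alternatives and the mission-reliance factor from the preceding slides, can be worked as a small rollup: each leaf mission states the confidentiality, integrity and availability it needs, and the IS must satisfy the most demanding need anywhere in the tree. The following is an added example, not code from the deck or from any DITSCAP tool; the C/I/A values and reliance factors on the leaves are constructed, and the rule that a sub-mission with reliance "None" contributes no requirement is an assumption of this example.

```python
from dataclasses import dataclass, field

# Ordered ITSEC security-characteristic alternatives, least to most demanding
# (from the deck's "Security Characteristics" slide).
ALTERNATIVES = {
    "confidentiality": ["Sensitive", "Classified", "Special Access"],
    "integrity": ["NA", "Approximate", "Exact"],
    "availability": ["Reasonable", "Soon", "ASAP", "Immediate"],
    "accountability": ["None", "Rudimentary", "Basic", "Comprehensive"],
}
# Mission-reliance factor, least to most dependent (from the "Mission Reliance on IS" slide).
RELIANCE = ["None", "Cursory", "Partial", "Total"]


@dataclass
class Mission:
    """A node of the mission tree. Leaves carry C/I/A needs; interior nodes roll them up."""
    name: str
    reliance: str = "Total"                    # how much this mission relies on the IS
    needs: dict = field(default_factory=dict)  # characteristic -> alternative (leaves)
    children: list = field(default_factory=list)

    def __post_init__(self):
        # Reject values that are not on the ITSEC scales, so bad input fails early.
        if self.reliance not in RELIANCE:
            raise ValueError(f"unknown reliance factor: {self.reliance!r}")
        for ch, alt in self.needs.items():
            if alt not in ALTERNATIVES.get(ch, []):
                raise ValueError(f"unknown alternative {alt!r} for {ch!r}")


def rollup(mission: Mission) -> dict:
    """Most demanding alternative per characteristic across the whole subtree.

    Assumption (not stated in the deck): a sub-mission whose reliance on the IS
    is "None" places no requirement on the IS, so its subtree is skipped.
    """
    if mission.reliance == "None":
        return {}
    result = dict(mission.needs)
    for child in mission.children:
        for ch, alt in rollup(child).items():
            scale = ALTERNATIVES[ch]
            if ch not in result or scale.index(alt) > scale.index(result[ch]):
                result[ch] = alt
    return result


def overall_reliance(mission: Mission) -> str:
    """Mission-reliance factor of the IS for the whole tree: the highest found anywhere."""
    best = mission.reliance
    for child in mission.children:
        r = overall_reliance(child)
        if RELIANCE.index(r) > RELIANCE.index(best):
            best = r
    return best


# Constructed tree mirroring the slide's Deploy / Develop branches.
# The leaf needs and reliance factors are made up for illustration.
MISSIONS = Mission("Missions", reliance="Cursory", children=[
    Mission("Deploy", reliance="Total", children=[
        Mission("Warning Order", needs={"confidentiality": "Classified",
                                        "integrity": "Exact",
                                        "availability": "Immediate"}),
        Mission("Movement Order", needs={"confidentiality": "Classified",
                                         "integrity": "Exact",
                                         "availability": "ASAP"}),
    ]),
    Mission("Develop", reliance="Partial", children=[
        Mission("Equipment Performance Characteristics", reliance="Partial",
                needs={"confidentiality": "Sensitive",
                       "integrity": "Approximate",
                       "availability": "Reasonable"}),
        Mission("Equipment Patentable Characteristics", reliance="Cursory",
                needs={"confidentiality": "Sensitive",
                       "integrity": "Exact",
                       "availability": "Soon"}),
    ]),
])

if __name__ == "__main__":
    print("IS security needs:", rollup(MISSIONS))
    print("Develop branch only:", rollup(MISSIONS.children[1]))
    print("overall mission reliance:", overall_reliance(MISSIONS))
```

The rollup is what the "Understand Security Needs (Services)" step of the cycle produces: the Develop branch on its own would settle for Sensitive/Exact/Soon, but because the Deploy branch relies totally on the IS and needs Classified/Exact/Immediate, those are the requirements the whole system inherits.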

Slide 18: Risk Management Cycle
[Diagram: Risk Management Cycle, highlighting the first three steps: Understand Mission Objectives; Understand Security Needs (Services); Characterize Risk Posture (Threat Analysis)]

Slide 19: Threat Analysis: Sources
- Threat agent: the individual or thing responsible
  - Adversarial (hackers and spies)
  - Non-adversarial (recreational hackers and accidents)
  - Disasters (floods and power outages)
- Attack: the sequence of steps taken to cause an event
- Finding vulnerabilities

Slide 20: Threat Analysis: Basic Process
1. Identify/define the mission
2. Determine the required security services
3. Theory of adversarial behavior
   - Identify potential adversaries
   - Determine adversary intentions/characteristics
   - Determine adversary strategies
4. Identify attack scenarios
5. Match adversary behavior with attack scenarios

Slide 21: Threat Analysis: Mission Security Requirements
Threat: the potential for harm, in three dimensions: confidentiality, integrity, and availability.
- Confidentiality
  - Is the information valuable to adversaries?
  - What are the consequences of a leak within 1 minute, 1 hour, 1 day, 1 week?
- Integrity
  - How dependent is the mission on the accuracy of the data?
  - What are the consequences of an integrity breach?
- Availability
  - How dependent is the mission on access to data/services?
  - What are the consequences of unavailability (over time)?
  - Are there alternative modes of operation?

Slide 22: Risk Management Cycle
[Diagram: Risk Management Cycle, highlighting the first four steps: Understand Mission Objectives; Understand Security Needs (Services); Characterize Risk Posture (Threat Analysis); Characterize What Can Be Done (Countermeasures)]

Slide 23: Countermeasures: Characterize Options
- What is the impact of specific attacks on the mission?
- Which vulnerabilities may permit successful attacks?
- Where should resources be expended to achieve the greatest reduction in risk?
- Avoid the tendency to view vulnerabilities in isolation.

Slide 24: Countermeasure Selection
- Countermeasure possibilities
- Characterize countermeasure options
- Compare countermeasure options
- Determine changes to risk
- Determine costs vs. benefit

Slide 25: Countermeasures: Factors to be Considered
- Security mechanisms
- Physical security
- Personnel security
- Administrative security
- Media security
- Life cycle controls
May a countermeasure change the initial design or mission?

Slide 26: Risk Management Cycle
[Diagram: Risk Management Cycle, highlighting the first five steps: Understand Mission Objectives; Understand Security Needs (Services); Characterize Risk Posture (Threat Analysis); Characterize What Can Be Done (Countermeasures); Decide What Will Be Done]

Slide 27: Risk Analysis: Options/Decisions
- Overriding goal: mission success
- Weighted in terms of cost versus benefits
- Identify the pluses and minuses of each course of action
- Decision options:
  - Reduce risk
  - Accept risk
  - Avoid risk
  - Transfer risk

Slide 28: Countermeasures: Costs/Benefits
[Chart: mission impact (Low to High) on one axis against likelihood of successful attack (Low to High) on the other. Point (1) marks the risk before countermeasures; points (1A) and (1B) mark the risk after countermeasure option 1 and option 2 respectively.]
Costs:
- Dollars
- Additional people resources
- Lost system functionality
- Time
Benefits:
- Improved mission success

Slide 29: What is acceptable?
Will we have 100% effectiveness?
- Vulnerabilities eliminated
- Vulnerabilities reduced
- Vulnerabilities remaining: What are they? Why are they still there? Is the risk acceptable? (Residual risk)
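
The definitions of risk and residual risk (slides 6 to 8), the countermeasure cost-versus-benefit comparison (slides 24 and 28), and the reduce/accept/avoid/transfer decision against an acceptable level (slides 27 and 29) fit together as one small risk-register calculation. The following is an added example, not code from the deck or from any DITSCAP tool: the three-level scales, the product used as the risk score, the sample threats, the countermeasure costs and reductions, and the tolerance and budget are all constructed for illustration.

```python
from dataclasses import dataclass

# Three-level scales for harm (mission impact) and likelihood of a successful attack.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int       # harm to the mission if the event occurs, 1..3
    likelihood: int   # likelihood of that harm via existing vulnerabilities, 0..3


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                 # dollars (constructed figures)
    impact_reduction: int       # levels of harm removed (e.g. backups limit the damage)
    likelihood_reduction: int   # levels of likelihood removed (vulnerabilities closed)
    applies_to: tuple           # names of the threats it addresses


def risk_score(t: Threat) -> int:
    """Risk combines harm AND likelihood; here the product of the two levels, 0..9."""
    return t.impact * t.likelihood


def residual(t: Threat, applied) -> Threat:
    """The threat after countermeasures are applied. Harm floors at 1 (the event
    would still hurt); likelihood may reach 0 (the vulnerability is eliminated)."""
    impact, likelihood = t.impact, t.likelihood
    for cm in applied:
        if t.name in cm.applies_to:
            impact = max(1, impact - cm.impact_reduction)
            likelihood = max(0, likelihood - cm.likelihood_reduction)
    return Threat(t.name, impact, likelihood)


def total_risk(register, applied=()) -> int:
    """Sum of residual risk across the register; with no countermeasures, inherent risk."""
    return sum(risk_score(residual(t, applied)) for t in register)


def rank_options(register, options) -> list:
    """Cost vs. benefit: order options by the risk reduction bought per dollar."""
    before = total_risk(register)
    scored = []
    for cm in options:
        reduction = before - total_risk(register, [cm])
        scored.append((reduction / cm.cost, reduction, cm.name))
    scored.sort(reverse=True)
    return [(name, reduction) for _, reduction, name in scored]


def decide(t: Threat, options, tolerance: int, budget: float) -> tuple:
    """Accept / Reduce / Avoid-or-Transfer for one threat, given an acceptable-risk
    threshold and a budget (both constructed policy inputs)."""
    if risk_score(t) <= tolerance:
        return ("Accept", None)
    best = None
    for cm in options:
        if t.name not in cm.applies_to or cm.cost > budget:
            continue
        if risk_score(residual(t, [cm])) <= tolerance and (best is None or cm.cost < best.cost):
            best = cm
    if best is not None:
        return ("Reduce", best.name)
    # Nothing affordable brings the risk within tolerance: the remaining options are
    # to avoid the activity, transfer the risk, or have the DAA accept it explicitly.
    return ("Avoid or Transfer", None)


# Constructed sample register and countermeasure options.
REGISTER = [
    Threat("Disclosure of movement order", LEVELS["High"], LEVELS["Medium"]),
    Threat("Power outage at data center", LEVELS["Medium"], LEVELS["High"]),
    Threat("Accidental data modification", LEVELS["Medium"], LEVELS["Low"]),
]
OPTIONS = [
    Countermeasure("Encrypt data in transit and at rest", 50_000, 0, 2, ("Disclosure of movement order",)),
    Countermeasure("UPS and backup generator", 80_000, 1, 2, ("Power outage at data center",)),
    Countermeasure("Integrity checks on stored data", 10_000, 0, 1, ("Accidental data modification",)),
]

if __name__ == "__main__":
    print("inherent risk:", total_risk(REGISTER))
    print("residual risk with all options:", total_risk(REGISTER, OPTIONS))
    for name, reduction in rank_options(REGISTER, OPTIONS):
        print(f"{name}: reduces total risk by {reduction}")
    for t in REGISTER:
        print(t.name, "->", decide(t, OPTIONS, tolerance=2, budget=60_000))
```

Two points the numbers make that the slides only state: the cheapest countermeasure ranks first on reduction per dollar even though it removes the least risk, so a cost-benefit ranking and a "greatest reduction" ranking disagree; and the power-outage threat stays above tolerance because the only countermeasure that addresses it exceeds the budget, which is exactly the situation in which the decision escalates to avoiding or transferring the risk rather than silently accepting it.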

Slide 30: Security Risk Management Process
Government of Canada, Communications Security Establishment (CSE)

Slide 31: Overview
- Definitions
- Risk Management (RM) Process
- RM in the C&A process: Phase 1, Phase 2, Phase 3, Phase 4
- Conclusion

Slide 32: Certification
Certification is the comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

Slide 33: Accreditation
Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode, using a prescribed set of safeguards, at an acceptable level of risk.

Slide 34: Risk Management Cycle
[Diagram: Risk Management Cycle with all six steps: Understand Mission Objectives; Understand Security Needs (Services); Characterize Risk Posture (Threat Analysis); Characterize What Can Be Done (Countermeasures); Decide What Will Be Done; Implement Decided Actions]

Slide 35: Security Risk Management Process
Government of Canada, Communications Security Establishment (CSE)

Slide 36: SSAA
System Security Authorization Agreement (SSAA)
- The SSAA is a formal agreement among the DAA(s), the Certifier, the user representative, and the program manager.
- It is used throughout the entire DITSCAP to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify potential solutions, and maintain operational systems security.

Slide 37: Who are the players in C&A?
- The Designated Approving Authority (DAA)
- The Certification Authority
- The Program Manager (PM)
- The User Representative
- Information System Security Officers (ISSO)

Slide 38: Certification Authority (Certifier)
The certifier is the individual responsible for making a technical judgment of:
- the system's compliance with stated requirements,
- identifying and assessing the risks associated with operating the system,
- coordinating the certification activities, and
- consolidating the final certification and accreditation package.
The certifier recommends one of four levels:
- Level 1: Basic Security Review
- Level 2: Minimum Analysis
- Level 3: Detailed Analysis
- Level 4: Comprehensive Analysis

Slide 39: Designated Approving Authority (Accreditor)
The accreditor is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

Slide 40: Phase 1: Definition
[Flowchart: Document Mission Need; Preparation; Registration; Negotiation; Agreement? (Yes/No); SSAA]

Slide 41: Phase 1: Risk Management
Preparation: the documentation is reviewed to understand the mission objectives.
Registration:
- Potential threats are described and the points where a failure affects C, I, A are stated.
- System criticality and the acceptable risk for the system in meeting its mission responsibilities are defined.
- System criticality should consider the impact if the system were not operational (the impact of loss of life from system failure, inability to meet contingencies, impact to credibility, and danger to national security). System criticality will affect the level of risk that is acceptable.
- The certifier reviews this and, upon the agreement of the players, develops the draft and gives it to the DAA.

Slide 42: Phase 1: Risk Management (continued)
Negotiation:
- A Certification Requirements Review is performed and the players agree on the security requirements, the level of effort, and the schedule.
- Finally, after DAA approval, the system is checked for readiness for Phase 2.

Slide 43: Phase 2: Verification
[Flowchart: from Phase 1 Definition (point A): System Development; Certification Analysis; Pass? (Yes/No); Ready for Certification? (Yes/No); on to Phase 3 Validation; the SSAA is shown alongside]

Slide 44: Phase 2: Risk Management
SSAA refinement: if there has been a significant time delay since the completion of Phase 1, or if new people are involved in the C&A process, the SSAA should be reviewed in detail.
System development: verifies that the requirements in the SSAA are met in the evolving system before it is integrated into the operating environment.

Slide 45: Phase 2 (continued)
Certification analysis:
- Vulnerability assessment: the security vulnerabilities and residual risk are evaluated, and countermeasures are recommended by the certifier.
- Output: a vulnerability assessment report is prepared by the program manager.
- The certifier checks whether the system is ready for certification.
- The DAA reviews the system for compliance with the SSAA.

Slide 46: Phase 3: Validation
[Flowchart: Certification Evaluation of Integrated System; Develop Recommendation; Certify System? (Yes/No); Accreditation Granted? (Yes: Phase 4: Post Accreditation; No: back to point A in Phase 1 Definition); the SSAA is shown alongside]

Slide 47: Phase 3: Risk Management
Security Test and Evaluation: ST&E is done by the certifier to provide sufficient evidence of the amount of residual risk.
Risk management overview:
- Assessing the overall system security design and threats
- Ensuring that risks to C, I, A are acceptable
For each risk, a statement is made by the certifier to accept the risk, reject the risk, or perform modifications.
The certifier issues the system certification.

Slide 48: Phase 3: Risk Management (continued)
The certifier may do one of the following:
- Recommend that the IS not be accredited
- Recommend that the IS be accredited
- Uncover security deficiencies, but continue to believe that short-term system operation is within the bounds of acceptable risk
Note: the certifier may recommend an Interim Approval to Operate (IATO) with the understanding that the deficiencies will be corrected in a time period specified by the DAA.

Slide 49: Phase 4: Post Accreditation
[Flowchart: System Operation; Compliance Validation; Validation Required? (Yes/No); Change Required? (Yes: back to Phase 1: Definition); the SSAA is shown alongside]

Slide 50: Phase 4: Risk Management
System operations: analyze known threats and new threats to see whether the system still protects against all of them.
- The user representative oversees the system operation and reports threats, vulnerabilities, or any security incidents.
- The program manager reports changes in threats.
Compliance validation: ensures that the IS complies with the security requirements and the threat assessment.

Slide 51: Phase 4 (continued)
ISSO:
- reviews the mission statement periodically
- maintains integrity and initiates C&A if necessary
The DAA reviews the proposed changes (changes in security policy, changes in the IT mission).
Note: C&A ends only with system termination.

Slide 52: Conclusion
- The IS risks may not be completely eliminated by the countermeasures and safeguards; what remains is the residual risk (acceptable level).
- The Certification and Accreditation process is a continuous process.

Slide 53: Questions