Project Deliverable

D9.2 Risk Assessment Plan

Project Number: 700692
Project Title: DiSIEM – Diversity-enhancements for SIEMs
Programme: H2020-DS-04-2015
Deliverable type: Report
Dissemination level: PU
Submission date: 30th September 2017
Responsible partner: FCiências.ID (FCID)
Editor: Ana Respício
Revision: 1.0

The DiSIEM project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700692.
Editor
Ana Respício, FCID

Contributors
Ana Respício, FCID
Alysson Bessani, FCID
Gustavo Gonzalez Granadillo, Atos
Susana Gonzalez Zazosa, Atos
Executive Summary

This report presents the risk assessment and management plan for the DiSIEM project. Following the methodology defined in the standard ISO 3100:2019, we start by establishing the project context, defining the adoption of a qualitative risk assessment approach, the criteria for risk assessment and the corresponding risk evaluation matrix, and the risk tolerance levels. To support the process of risk identification, an analysis of the project work packages and of the critical path of DiSIEM activities is performed, as well as identification of the partners’ roles and responsibilities for each identified risk. In total, 50 major risks are identified and analysed, resulting in a qualitative estimation of their individual likelihood and impact. From these risks, 14 are considered of high impact. Risk controls are envisaged within the project implementation. All this information is kept in a risk register from which the first version is presented. A plan for regularly monitoring risks (during the monthly teleconferences), updating the risk register (every six months, on the internal management reports), and establishing mitigation actions is defined, considering possible environmental changes and the milestones of the project.

In summary, the deliverable provides the following contributions for the DiSIEM project:

• Definition of DiSIEM risk management plan;
• Identification and analysis of risks;
• Identification of mitigation actions and responsibilities for each risk;
Table of Contents

1 Introduction
  1.1 Organization of the Document
2 Methodology
  2.1 General Concepts
  2.2 Methodology
3 Establishing the context
  3.1 Objectives
  3.2 Scope and boundaries
  3.3 Context for risk management establishment
    3.3.1 Goals and objectives
    3.3.2 Responsibilities
    3.3.3 Assessment approach
    3.3.4 Organization of the risk management process
  3.4 Risk criteria
    3.4.1 Impact criteria
    3.4.1 Likelihood criteria
    3.4.1 Risk evaluation criteria
4 Risk assessment and treatment
  4.1 Critical Path of the Project
  4.2 Risk assessment
  4.3 Risk treatment
5 Summary and Conclusions
List of Acronyms
References
List of Figures

Figure 1 – The risk management process extracted from [ISO09]
Figure 2 – The DiSIEM management structure
Figure 3 – Interdependencies between project WPs
Figure 4 - GANTT chart for the DiSIEM project, with deliverables, project reports and milestones
Figure 5 - DiSIEM activities critical path
List of Tables

Table 1 – List of terms and definitions extracted from [ISO09]
Table 2 – Matrix for classification of risks
Table 3 – Risk register
1 Introduction
The DiSIEM project aims to address limitations of SIEM systems already deployed in production, by extending them, leveraging their built-in capacity for customisation, and enhancing SIEMs with diversity-aware mechanisms.

Innovation in DiSIEM refers to the development, integration, and demonstration of several novel diversity-related components to existing SIEM systems. These innovative components must improve the security management and threat awareness of existing SIEMs. The management of an innovation project such as DiSIEM, involving multiple partners from industry and academia, requires a risk management process that is both sound and agile.

Risk management is a process that should be integrated within the project management at all stages of its lifecycle. Therefore, a well-established risk management plan is required to address inherent risks in a timely and effective manner. According to the PMBOK Guide [PMI13], risk management should be addressed proactively and consistently, as the lack of such proactivity in project risk management is likely to increase problems that arise from unmanaged threats. An effective monitoring and control of the project tasks and activities, as well as regular reviews and communication of project risks among the project partners, improve the capacity of timely risk identification and rapid risk handling actions. These activities are in line with the recommendations of the de facto standard for risk management ISO 31000:2009 [ISO09]: “All activities of an organisation involve risk, and organisations manage risk by anticipating, understanding and deciding whether to modify it. Throughout this process they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk.”

The DiSIEM project proposal and description of action already identified a list of risks and proposed measures to control and mitigate them. Risk monitoring and control has been performed during the first year of the project execution. This deliverable presents a first iteration of risk assessment. More specifically, the document reviews all the previously identified risks, identifies new ones and analyses them exhaustively. All identified risks are detailed and analysed; their likelihoods and impacts are estimated, thus providing a first assessment of risks. Some risks are particular to a specific WP, others are transversal to two or three WPs, or even to the whole project. A special focus is given to external risks which were not considered in the proposal writing. A plan for risk management is designed, including plans for reporting and communication.

The risk assessment includes a Critical Path Analysis (CPA) of the main project activities, thus allowing identifying risks of non-compliance with the project work plan, and foreseeing measures to minimise the impact or likelihood of those risks.
1.1 Organization of the Document

Chapter 2 presents general principles and concepts helpful to establish a common understanding of the project risk management task, and briefly describes the methodology adopted for risk management in DiSIEM. Chapter 3 is devoted to establishing the project context for risk management. Chapter 4 analyses the critical activities of DiSIEM, makes an analysis and assessment of DiSIEM current risks, and proposes control and mitigation measures to address them. Finally, Chapter 5 presents a summary of how DiSIEM will manage the project risks.
2 Methodology
2.1 General Concepts

The ISO 31000:2009 risk management standard provides the following risk definition: “risk is the effect of uncertainty on objectives” [ISO09]. This definition includes several notes to support the understanding of the involved terms. An effect is a deviation from the expected, which can be positive or negative. It is worth noting that considering a positive effect of uncertainty on objectives was a novelty of this standard, as in the past only negative effects had been considered. By uncertainty we should understand the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. The standard points out that objectives “can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)”. Therefore, objectives are not defined by the standard but can be assumed as an expected or desired result, when considering the definition of effect.

Moreover, the standard states that risk is often characterized by reference to potential events and consequences, or a combination of them. Here, an event is the “occurrence or change of a particular set of circumstances”, presuming that an event can lead to one or more occurrences, can have several causes, or can correspond to something not happening. A consequence is the “outcome of an event affecting objectives” and can be certain or uncertain and have positive or negative effects on objectives.

In addition, the standard identifies that risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Table 1 summarises the concepts previously presented in this chapter as well as other terms and definitions, extracted from [ISO09].
Table 1 – List of terms and definitions extracted from [ISO09].

Term/expression | Definition
risk | effect of uncertainty on objectives
level of risk | magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
consequence | outcome of an event affecting objectives
likelihood | chance of something happening
event | occurrence or change of a particular set of circumstances
risk criteria | terms of reference against which the significance of a risk is evaluated
risk management | coordinated activities to direct and control an organization with regard to risk
risk management policy | statement of the overall intentions and direction of an organization related to risk management
risk management framework | set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
risk management plan | scheme within the risk management framework specifying the approach, the management components (procedures, practices, assignment of responsibilities, sequence and timing of activities) and resources to be applied to the management of risk
risk owner | person or entity with the accountability and authority to manage a risk
risk management process | systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
risk analysis | process to comprehend the nature of risk and to determine the level of risk
risk evaluation | process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
risk treatment | process to modify risk
control | measure that is modifying risk
2.2 Methodology

DiSIEM risk management is performed within the framework and process described in the ISO 31000:2009 [ISO09], which is a standard produced by one of the most trusted regulatory and standardization bodies, the ISO (International Organization for Standardization), and which is widely applied for risk management purposes. The adoption of a standard facilitates following well-structured rules and processes defined by globally-established experts in order to effectively implement organisational activities regardless of any specific features.

A risk management framework provides the policies, procedures and arrangements that will implement risk management throughout the project consortium at all levels [IEC09]. As part of this framework, the project should have a policy or strategy for deciding when and how risks should be assessed.
Figure 1 presents the process of risk management according to the standard.

Figure 1 – The risk management process extracted from [ISO09].
[Figure 1: diagram with the labels Establishing the context, Risk identification, Risk analysis, Risk evaluation, Risk treatment, Risk assessment, Communication and consultation, and Monitoring and review.]

By establishing the context, the project states its objectives and defines the external and internal project context, such as the approach for risk assessment, the criteria for risk evaluation, the criteria for risk acceptance and others.

The target of risk identification is being aware of possible risk sources in addition to the events and circumstances that could affect the achievement of objectives. Further, it includes the identification of possible causes and consequences.

Risk management is integrated into the project plan at various levels through monitoring and reviewing processes. The continuous risk monitoring and review process allows for the early identification and control of events that can compromise the outcomes of the project.
The person responsible for each WP is the owner of that WP's risks and is therefore accountable for monitoring and treating those risks and for identifying new ones. Once a new risk is identified, its owner communicates it to the other partners and to the project coordinator by email, as soon as the identification occurs, so that it can be discussed in the mailing list or in a following meeting. The regular meetings and telcos involving all partners are the main forum for risk consultation and communication. Consequently, these meetings facilitate risk identification. The identified risks are then analysed and evaluated, based on an estimation of their impact and likelihood of occurrence.

Moreover, the elaboration of the DiSIEM risk management plan is totally aligned with the risk management processes proposed by the PMBOK Guide [PMI13]. The PMBOK Guide (Guide to the Project Management Body of Knowledge) is a recognized reference of project management knowledge, focusing on processes, knowledge, and practices applicable to project management. In fact, the risk management PMBOK Guide section can be seen as complementary to the ISO 31000:2009.
3 Establishing the context
3.1 Objectives
The objectives of the DiSIEM project are to address limitations of current SIEM systems already deployed in production, by extending them, leveraging their built-in capacity for extension and customisation, and enhancing SIEMs with diversity mechanisms. These mechanisms are sustained by the following research & innovation topics defined for the project [D22]:

1. The integration of diverse OSINT (Open Source Intelligence);
2. The development of novel probabilistic security models and risk-based metrics to support decision-making on the infrastructure configurations and to increase the evaluation capacity of the organization security status.
3. The design of novel visualisation methods to present the diverse live and archival data sets. The devised methods should better support the decision-making process by enabling the extraction of high-level security insight from the data that will be used by the security analysts working with SOCs.
4. The integration of diverse, redundant and enhanced monitoring capabilities to the SIEM ecosystem using diverse enhanced sensors and protection tools.
5. The addition of support for long term archival of events in public cloud storage services, satisfying the security requirements of such data (which contains a lot of sensitive information) by employing techniques such as secret sharing and information dispersal.

Besides these objectives, exploitation is recognized as an important dimension of DiSIEM, and partners are fully aware and committed to the exploitation of project results. The key objective of exploitation is to use the applied research and technological development results to create value within all participating organizations, and thus improve their competitive advantages. This can be done through the improvement of their secure operation centres (EDP and AMADEUS), creating new products or business opportunities (ATOS and DigitalMR), high-impact research targeting hot topics in security or even the creation of start-ups for commercializing technologies (FCID, CITY and FHG).
3.2 Scope and boundaries

The external and internal context can be defined based on the analysis performed in the DiSIEM deliverable D2.1 (In-depth analysis of SIEMs extensibility) [D21].

On the one hand, a study was done in that deliverable to identify the factors (technological, social or political) that could affect (as barriers or enablers) the evolution and future of SIEMs. On the other hand, a detailed analysis was also done of the most relevant SIEM solutions available in the market (such as IBM QRadar or Intel McAfee) with their strengths and weaknesses, including the SIEM systems selected in the project for validating the devised components in EDP, Amadeus and ATOS environments: HPE ArcSight, Elastic Stack and Splunk, and XL-SIEM, respectively.
3.3 Context for risk management establishment

All the risk management in the DiSIEM project will be conducted in accordance with the project management structure, depicted in Figure 2.

Figure 2 – The DiSIEM management structure.
[Figure 2: organisation chart. Text recovered from its boxes:]

EUROPEAN COMMISSION

COORDINATION COMMITTEE: Coordinator (FFCUL, Prof. Alysson Bessani)
• Overall responsibility for the project
• One representative and one deputy per partner
• The executive organ of the project
• Regular teleconferences supplemented with biyearly meetings
• Monitors and guides technical and scientific work
• Establishes processes and frameworks
• Evaluates performance and results

ADVISORY BOARD: Technical and business advisors
• Advice on strategic directions
• Suggest exploitation activities
• Review technical and scientific progress

PROJECT MANAGEMENT: Coordinator and Project Manager (FFCUL)
• Operationally responsible for the project
• Interface to the Commission
• Provide and maintain infrastructure and processes
• Knowledge and risk management
• Quality assurance

ETHICS ADVISOR: Independent data protection ethics advisor
• Advice on ethical issues with respect to data protection
• Review ethical implications of project results

WORK PACKAGE (five boxes): Work package leader, Work package members
• Responsible for the work within the WP
• Report to the coordination committee
• Meetings and teleconferences synchronized with coordination committee

3.3.1 Goals and objectives

The objectives of risk management activities within the management of the DiSIEM project are to ensure that the objectives of the project are attained or exceeded.

3.3.2 Responsibilities

At a first level of action, each work-package leader is the owner of the risks existing in his/her WP and, therefore, is responsible for their identification and treatment, with the help of other relevant partners (e.g., a partner responsible for a deliverable directly affected by a risk). Any new risks identified should be communicated to the coordinator and to the consortium, either by email or during the monthly teleconferences of the project.
The coordinator and project manager, together with the executive board of the project, are responsible for risks that are transversal to the different WPs and for taking second-level action on the risks materializing at WP level. Their responsibilities are to identify, and react to, any possible risk on any of the deliverables, milestones, and, ultimately, on the objectives of the project.

3.3.3 Assessment approach

The project adopted a qualitative approach to risk assessment. The monitoring and review of the risks will be done continuously and separately for each WP by the partner responsible for that WP. The assessment of the risks will be done based on the inputs received during the monthly teleconferences, the quarterly face-to-face meetings, and intermediate reports delivered by partners every six months. Each identified risk will be given a priority score (low, medium, or high) based on its assessment regarding the likelihood and impact it might have on the project outcome. An initial list of the main risks to the project was identified during the project proposal preparation and is described in the DiSIEM Description of Action. A first update on this list is presented in the risk register, presented in Chapter 4.
3.3.4 Organization of the risk management process

The DiSIEM project quality plan [D91] defined means for monitoring and controlling the execution and management of the project, which include the Interim Management Report and the holding of meetings and teleconferences. These (virtual and physical) meetings, together with a well-documented project execution management plan, allow for anticipating the materialization of risks previously identified, and therefore deciding on implementing control measures (risk treatment). Additionally, they also allow foreseeing emerging risks (risk identification) and, whenever a new risk is identified, a new risk assessment process should be accomplished and new risk control measures will be implemented or anticipated. As the meetings and teleconferences have a regularity of at least one per month, we can set a time span of one month to revise the risk assessment. Consequently, the revision and update of the risk register document [PMI13] is set to one month.

Communication and consultation is continuously made, in parallel to the other risk management stages (establishing the context, risk assessment and risk treatment), through the meetings and the project Internal Communication Infrastructure: mailing lists, instant messaging, tele-conferences and the project internal files repository [D81]. Through communication and consultation one can ensure that the expertise from different partners is taken into account for risk analysis and different perspectives are considered for risk evaluation and risk modification. Consultation of the advisory board allows for identifying new risks, especially with respect to the technical objectives of the project. Finally, communication and consultation support decision making concerning specific risk modification actions that should be taken by partners accountable for risks.

Monitoring and review activities are performed by risk owners and by the project coordinator and allow ensuring that control measures are effectively implemented, as well as detecting changes that can compromise the project objectives and consequently require revising risks, their evaluation and treatments.
3.4 Risk criteria

To maximise the likelihood of achieving the objectives of the DiSIEM project it is essential to identify and understand, in advance, the significant project risks. Risk management was an integral component in the preparation and organisation of this project proposal, and has been proactively executed during the first year of the project execution. In an innovation action project such as DiSIEM, we differentiate several risk types:

– Technical – technical risks are those that may affect the achievement of the project technical objectives. Key milestones and dependencies have been analysed for identifying the possible risks and considered when preparing the time plan and resources assignment for risk mitigation.
– Schedule compliance – these risks are those that may cause delays or affect the overall schedule: A thorough planning of dependencies and time spans needed was done throughout the proposal planning process. Our planning covers small- to medium-sized delays. Any major delay with impact to our project schedule will be fully tackled by our project procedures.
– Cost – risks adding cost to the project or envisioned products: Resources needed to perform the tasks were created and verified by each partner independently. Our project organisation is fully capable of taking on any financial risks arising during the project duration. All partners are fully aware of their common project responsibility according to EC regulations.
– Exploitation – risks that may affect the achievement of the project exploitation results. These risks include both the exploitation of DiSIEM individual components and the exploitation of a complete product that integrates several components developed in DiSIEM. It considers transferring the successful results of the project to appropriate decision-makers in regulated local, regional, national and/or European systems, as well as convincing individual end-users to adopt and/or apply the DiSIEM results to their SIEM infrastructure.
3.4.1 Impact criteria

The risk impact is classified according to the following qualitative scale:

– Low – Risk has relatively little impact on the project objectives regarding technological and financial performance as well as on the work plan. If the risk materializes, insignificant or no changes in the project objectives will occur (e.g., conflict between partners).
– Medium – Risk has moderate impact on the project technological and financial performance as well as on the work plan. If the risk materializes, moderate changes in the project objectives will occur (e.g., components from a WP cannot be integrated in the SIEM).
– High – Risk has high impact on the project technological and financial performance as well as on the work plan. If the risk materializes, significant changes in the project objectives will occur (e.g., components from a WP that do not translate to effective benefits for SIEM users).

3.4.1 Likelihood criteria

The risk likelihood is classified according to the following qualitative scale:

– Low – Risk is unlikely to materialize.
– Medium – Risk is possible to materialize.
– High – Risk is likely or almost certain to materialize.
3.4.1 Risk evaluation criteria

The criteria for the risk evaluation are based on a product matrix of the impact and likelihood classification and the respective values are given by the matrix in Table 2. For instance, a risk with a likelihood classified as low and an impact classified as medium will be classified as low, while a risk with a low likelihood and a high impact will be classified as medium.

Table 2 – Matrix for classification of risks.

Project impact \ Likelihood | L (Low) | M (Medium) | H (High)
L (Low)                     | Low     | Low        | Medium
M (Medium)                  | Low     | Medium     | High
H (High)                    | Medium  | High       | High
4 Risk assessment and treatment

To maximise the likelihood of achieving the objectives of the DiSIEM project it is essential to identify and understand, in advance, the significant project risks. This chapter is devoted to the assessment of DiSIEM risks.

4.1 Critical Path of the Project

The critical path determines the targeted time to complete the project and the critical activities that might be able to threaten the project objectives.

Figure 3 presents the interdependencies between project WPs, while Figure 4 presents the project’s GANTT chart. Both these elements supported the determination of the critical path of DiSIEM activities, which is displayed in Figure 5.
Figure 3 – Interdependencies between project WPs.
[Figure 3: diagram of the nine work packages. Box labels recovered from the figure:]
WP1 – Ethics Requirements
WP2 – Requirements and Architecture for SIEM Integration
WP3 – Security and Risk Modeling
WP4 – OSINT Data Fusion and Analysis
WP5 – Visual Analysis Platform
WP6 – Infrastructure Enhancements
WP7 – Technology Validation and Pilot Deployment
WP8 – Dissemination, Communication and Exploitation
WP9 – Project, Risk and Innovation Management
Figure 4 - GANTT chart for the DiSIEM project, with deliverables, project reports and milestones.
[Figure 4: work plan (tasks vs. months) with month columns M1, M4, M7, M10, M13, M16, M19, M22, M25, M28, M31 and M34, and project milestones ML1 to ML5. The task rows recovered from the chart follow; the bars and month positions are not recoverable. The labels D5.2, D6.1, D6.2, D7.2 and D7.3 also appear in the chart without an attached task row.]

Task | Deliverables / reports | Leading
T1.1 - OSINT data protection requirements | D1.1 | FFCUL
T1.2 - Ethics monitoring | PR1, FPR | FFCUL
T2.1 - In-depth analysis of SIEM technology | D2.1 | FFCUL
T2.2 - Reference Architecture | | ATOS
T2.3 - Integration work plan | D2.2 | CITY
T3.1 - Multi-level risk and security metrics | D3.1 | FFCUL
T3.2 - Probabilistic modelling of diversity for security | D3.2 | CITY
T3.3 - Evaluation and validation of prediction capabilities | D3.3 | CITY
T4.1 - OSINT data sources identification and information extraction | D4.1 | FFCUL
T4.2 - Scalable machine learning models for OSINT analysis | D4.2 | FFCUL
T4.3 - Implementation of a threat predictor | D4.3 | DigitalMR
T4.4 - SIEM integration | | FFCUL
T4.5 - Support and refinement | D4.4 | DigitalMR
T5.1 - Visualisation architecture design and requirements gathering | D5.1 | CITY
T5.2 - Visual analytics for model building | | Fraunhofer
T5.3 - Diversity visualisation and analysis of streaming data | | CITY
T5.4 - SIEM integration | | Atos
T5.5 - Support and refinement | D5.3 | Fraunhofer
T6.1 - Enhanced monitoring of applications | | Amadeus
T6.2 - Diverse monitoring of critical assets | | CITY
T6.3 - Cloud storage management and event data layout | | FFCUL
T6.4 - SIEM integration | | CITY
T6.5 - Support and refinement | D6.3 | Amadeus
T7.1 - Validation work plan | D7.1 | EDP
T7.2 - EDP validation and pilot deployment | | EDP
T7.3 - Amadeus validation and pilot deployment | | Amadeus
T7.4 - ATOS validation and pilot deployment | | ATOS
T8.1 - Dissemination and communication | D8.1, D8.2 | FFCUL
T8.2 - Exploitation and intellectual property rights | D8.3, D8.4 | ATOS
T8.3 - Security-related threat prediction competition | D8.5 | FFCUL
T9.1 - Organization lead and risk and innovation management | D9.1, D9.2 | FFCUL
T9.2 - Technical and financial reporting | PR1, FPR | FFCUL

Figure 5 - DiSIEM activities critical path.
[Figure 5: timeline from M1 to M36 with milestones MS1 to MS5 (legend: M: month, MS: milestone, WP: work package). Labels recovered from the figure:]
• Kick off and organization
• Successful project start
• Reference architecture, Integration work plan (WP2)
• Development and implementation of individual enhancements (WP3, WP4, WP5, WP6)
• SIEM integration (WP4, WP5, WP6)
• Deployment in test environment (WP4, WP5, WP6, WP7)
• Deploy in production (WP7)
• Communication and dissemination activities, preparation of exploitation activities (WP8)
• Reference architecture and integration plan
• Prototype of individual components
• Validation in relevant test environment
• Pilot deployment in operational environment

In the figure, critical activities are those that, if delayed, will compromise the achievement of project objectives on time, and are, therefore, the key activities of the project regarding the satisfaction of the project work plan. Critical activities are mostly reflected by project milestones. The timeline indicates the project milestones. The analysis of critical activities helps the consortium to predict, as the project progresses, whether it can be completed on time, and to keep track of execution of tasks that ensure the accomplishment of critical activities, thus guaranteeing that deliverables are produced and completed according to the GANTT chart of Figure 4.

After a successful project kick-off in September 2016, DiSIEM partners mainly focused on the reference architecture specifications of WP2. In fact, the activities of this work package, concerning the definition of the reference architecture and the integration plan, are already completed and documented in Deliverable 2.2 [D22].

The development and implementation of individual enhancements (components) is the critical activity that is currently in course. This activity includes developments in WP3, WP4, WP5 and WP6, and is well on track, as planned. Deliverables 4.1, 5.1, and 6.1 document such progress after the first year of the project [D41, D51, D61].
The next critical activity, the integration of components with SIEM environments, will start in M22, with the integration tasks in WP4, WP5, and WP6, for ensuring the devised components work well with selected SIEMs. The activities of deployment of the components in test environment will also start between M22-M24, and strongly depend on the completion of the components and a successful integration with the target SIEM(s). Finally, the deployment in production totally depends on the successful validation of the components in industrial environments. This activity (WP7) will reveal the effective achievement of the project objectives.

The project consortium has been preparing and publishing some scientific articles and presented the project to external stakeholders. To conclude, it can be said that the analysis of the critical path helps to identify critical activities and consequently discriminate associated risks. The identification of the critical activities allows us to envisage mitigation actions whenever required and put necessary measures into place regarding the successful achievement of the work plan.
Risk identification is a continuous process of raising awareness of potential risks. To address this awareness best, the consortium defined the WP leaders as risk managers for their WPs. The WP leader is an expert in the field his or her WP is concentrating on and is therefore the most capable person to identify WP risks. On project level, the coordinator (FCID) pays close attention to the identification of potential risks and is responsible for monitoring risks transversal to several WPs. This structure and distribution of responsibilities allows the continuous identification of new risks and encourages the discussion of potential risks within teleconferences, face-to-face meetings and the WPs themselves.
4.2 Risk assessment
To maintain an updated record of risk assessment, DiSIEM adopted the use of a risk register, a document in which the results of risk analysis, risk evaluation, and envisaged risk responses are recorded [PMI13]. The risk register allows all partners to add new risks at any time. Additionally, the coordinator asks them to give special consideration to risks on a regular basis within the Interim Management Reports (IMR). The risk register should contain all the relevant information regarding each risk.
Risks were analysed and evaluated by estimating their impact and likelihood on the objectives of the project. Knowing how a risk impacts the project is important as several risks of the same type can be an indication of a larger problem. Few major technical risks connected to the individual WP and phases of work were identified in the course of this proposal preparation. As the risks are easier to understand in the context of WP, they are described on a WP level in the risk assessment Table 3. To avoid possible negative impact on the project, the corresponding WP leader has proposed risk-mitigation measures for all risks in his/her WP together with the consortium.
The risk assessment should be revised periodically, on each monthly telco for critical risks affecting next milestones, and every six months for other risks (together with the Internal Management Report), and updated accordingly in the DiSIEM project repository.
A first version of the risks list was produced during the proposal elaboration, and a first revision was elaborated for the grant agreement document. The current risk register presented in Table 3, produced in September 2017, was built upon this list, identifies new risks, disaggregates others, evaluates all the risks and enriches the proposal of mitigation actions. A comprehensive description of each risk is given, the concerned WP identified, together with the corresponding risk owners. Risks are evaluated using the evaluation risk criteria for likelihood, impact and risk score presented in Section 3.4. The register also includes the date of the last revision, any comments the consortium finds relevant for further assessments, whether the risk materialized or not, and information regarding the application of mitigation measures and whether they were revised since the last assessment.
In total 50 major risks are identified and analysed, of which 14 are considered of high impact, 26 are of medium priority, and none of high priority. These results reveal that at least 50% of the major risks identified require strict monitoring and control to avoid risk materialization. Mitigation measures have been taken whenever needed to reduce or, at least, maintain risk likelihood or impact.
Regarding risks of positive effect, none was identified in the current assessment.
4.3 Risk treatment
Four strategies are commonly used to handle negative risks: avoidance, mitigation, transference, and acceptance [PMI13]. Avoidance corresponds to eliminating the threat that originates the risk or its impact. Usually, this strategy involves changing the project plan or scope. The transference strategy comprises shifting the risk ownership and impact to a third party. Finally, mitigation consists of modifying, by reducing, the risk likelihood or impact. Considering redundancy is a way of implementing modification, and taking early action to modify risks is a common strategy to avoid later repairing of damages triggered by risk materialization, typically by using contingency measures. Acceptance corresponds to taking no action unless the risk materializes. Nevertheless, even if a risk is accepted, a contingency can be set to handle the risk in case of its materialization. In addition, a contingent response strategy can be applied only if certain events happen, such as the materialization of a high impact risk that can effectively compromise the project objectives.
In DiSIEM, continuous monitoring and control is performed over all risks to avoid increasing risk impact and risk likelihood.
The project adopted a mixed strategy for risk treatment. For all major risks identified, mitigation measures were identified and applied wherever necessary. Risks classified as medium require stronger monitoring and control and further evaluation closer to milestones to decide if a contingency measure is justifiable on economic grounds. In these cases, contingency plans could be set to eliminate further critical impact on the project objectives.
Whenever a risk is classified as high, it requires immediate avoidance or contingency response actions. Examples of such responses may include, for instance, changing the work plan to avoid the materialization of the risk, changing the resources allocation to be able to meet expected milestones or even replacing leadership.
According to the assessment shown in Table 3, there are no high risks at this point in the DiSIEM project.
As designed, the current plan considers a contingency reserve of slack time allocated to tasks to handle small delays in completion of activities.
Table 3 – Risk register.
Risk ID | Description of risk | WP(s) involved | Risk owner | Proposed risk-mitigation measures | Date of last evaluation | Likelihood (L, M, H) | Impact (L, M, H) | Risk score | Did risk materialize? | Comment | Were measures applied? | Update of measures
Risk ID: R1
Description of risk: Underperforming partners
WP(s) involved: WP1-WP9
Risk owner: FCID
Proposed risk-mitigation measures: Close contact is established between the WP leaders and Project Coordinator. Short feedback loops and personal contacts (at regular Coordination Committee telcos, physical meetings, etc.) help to put underperforming partners back on track to guarantee overall project performance.
Date of last evaluation: M13; Likelihood: H; Impact: L; Risk score: M; Did risk materialize? No
Comment: Coordination meetings have been held. Close contact between partners. All partners participate in conf. call. Start to generate contributions. WP2 is concluded.
Were measures applied? Yes; Update of measures: No
Risk ID: R2
Description of risk: Conflicts between partners
WP(s) involved: WP1-WP9
Risk owner: FCID
Proposed risk-mitigation measures: Many partners in the consortium have already worked together smoothly and successfully in past collaborative projects. Moreover, most of the security experts involved know each other personally, collaborating extensively through joint publications, program committees, organisation of international conferences, etc. Should any difficulties arise, a strong multi-level project management governance structure has been set up to tackle issues immediately (at WP levels, involving the Project Coordinator, the Coordination Committee, or the Advisory Board, for “force majeure” cases) to avoid the issue spreading and putting the overall project at risk. To avoid such situations, conflict management is put in place all along the project life-cycle through close and good contacts, frequent telco and physical meetings.
Date of last evaluation: M13; Likelihood: L; Impact: L; Risk score: L; Did risk materialize? No
Comment: WP2 is concluded. No issues have been identified. The face-to-face meetings help to get acquainted with partner teams.
Were measures applied? Yes; Update of measures: No
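Risk ID: R3
Description of risk: RTD efforts are not reaching technical targets
WP(s) involved: WP2-WP7
Risk owner: FCID
Proposed risk-mitigation measures: Continuous internal quality and progress control is performed (e.g., through Internal Management Reports every six months). The Project Coordinator is present in all technical meetings. He relies on the knowledge and skills of key experts in the project, some of them being also WP leaders, to steer the work towards the technical targets. WP meetings should help to find workarounds in case of significant deviations. Greater deviations may be solved according to the governance structure defined in the project. For instance, additional experts may be called upon, or the advisory board may be consulted to select an adequate course of action.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize? No
Comment: Continuous internal quality and progress control has been performed. WP2 is concluded.
Were measures applied? Yes; Update of measures: No
Risk ID: R4.4.A
Description of risk: Components from WP4 cannot be integrated in ArcSight.
WP(s) involved: WP4
Risk owner: DigitalMR, EDP
Proposed risk-mitigation measures: According to the study done in WP2 (see D2.1 and D2.2), ArcSight supports extensibility via connector interfaces. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Confirmed a common exchange format of STIX 2.0 to avoid this
Were measures applied? Yes; Update of measures: No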
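Risk ID: R4.4.X
Description of risk: Components from WP4 cannot be integrated in XL-SIEM.
WP(s) involved: WP4
Risk owner: DigitalMR, ATOS
Proposed risk-mitigation measures: There is an agreement between partners developing WP4 components and ATOS on using a common exchange data format, STIX 2.0 (JSON), and sending it using the syslog protocol. XL-SIEM is prepared to receive events using this protocol and to process events in JSON format. A specific plugin/parser will be prepared to deal with the information provided in the STIX objects to integrate it in the XL-SIEM processing. ATOS also participates in the development of WP4 components, so through periodical meetings any integration issue encountered can be discussed.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Confirmed a common exchange format of STIX 2.0 to avoid this
Were measures applied? Yes; Update of measures: No
Risk ID: R4.4.S
Description of risk: Components from WP4 cannot be integrated in Splunk and/or Elastic stack.
WP(s) involved: WP4
Risk owner: DigitalMR, Amadeus
Proposed risk-mitigation measures: According to the study done in WP2 (see D2.1 and D2.2), both Splunk and Elastic stack can receive inputs from external components in arbitrary formats. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: 1) Splunk has a native support for threat intelligence feed integration, AM SOC team has already integrated Threat Intel Sources to Splunk. 2) Different approaches have been used to integrate Threat Intel data to Elastic Stack (Logstash translate filter, Index data and Threat Intel feeds in the same indices, ...) Strong control M20 - May 2018
Were measures applied? No; Update of measures: No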
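Risk ID: R4.4
Description of risk: Components from WP4 cannot be integrated in any of the SIEMs.
WP(s) involved: WP4
Risk owner: DigitalMR
Proposed risk-mitigation measures: All SIEM systems that we are using in this project support extensibility via connector interfaces. We therefore believe that the likelihood of this risk materialising is very low due to the mitigation steps taken in the choice of SIEMs we will work with.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Comment: Confirmed a common exchange format of STIX 2.0 to avoid this
Were measures applied? Yes; Update of measures: No
Risk ID: R4.5.A
Description of risk: Components from WP5 cannot be integrated in ArcSight.
WP(s) involved: WP5
Risk owner: Fraunhofer, EDP
Proposed risk-mitigation measures: ArcSight does not support highly customizable dashboards, therefore it is probable that the visualisation components would be used as separated service on top of the SIEM data in EDP. This is not a huge problem as EDP already do that with other systems in their SOC.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M
Comment: EDP already has a complementary dashboard application, maybe the components can be integrated there (using, for instance, HTML5).
Were measures applied? Yes; Update of measures: No
Risk ID: R4.5.X
Description of risk: Components from WP5 cannot be integrated in XL-SIEM.
WP(s) involved: WP5
Risk owner: Fraunhofer, ATOS
Proposed risk-mitigation measures: Dashboard in XL-SIEM is implemented using web-based technologies like the components developed in WP5. Therefore, it should be possible to integrate the visualization components. Moreover, since ATOS has access to the XL-SIEM dashboard code, changes can be done in the dashboard if required to integrate some of these components. ATOS also participates in the development of WP5 components, so through periodical meetings any integration issue encountered can be discussed.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Were measures applied? Yes; Update of measures: No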
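Risk ID: R4.5.S
Description of risk: Components from WP5 cannot be integrated in Splunk and/or Elastic stack.
WP(s) involved: WP5
Risk owner: Fraunhofer, Amadeus
Proposed risk-mitigation measures: WP5 components are being designed based on D3JS library, which is supported by the extensible dashboard of these systems.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Both Splunk and Elastic Stack's Kibana support D3JS custom visualisations and offer flexible API to consume event data. Therefore, the likelihood of this risk is very low. Strong control M20 - May 2018
Were measures applied? Yes; Update of measures: No
Risk ID: R4.5
Description of risk: Components from WP5 cannot be integrated in any of the SIEM.
WP(s) involved: WP5
Risk owner: Fraunhofer
Proposed risk-mitigation measures: Most of the SIEMs used in the project support extensible dashboards that support the same technology WP5 is using in its components. The exception is ArcSight, but then the components can be used independently by the EDP SOC or be integrated in the dashboards they use (which is compatible with WP5 web-based technology). We therefore believe that the likelihood of this risk materialising is very low due to the mitigation steps taken in the choice of SIEMs we will work with. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No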
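Risk ID: R4.6.A
Description of risk: Components from WP6 cannot be integrated in ArcSight.
WP(s) involved: WP6
Risk owner: Amadeus, EDP
Proposed risk-mitigation measures: During WP2 we studied how the different components devised in WP6 can be integrated in all SIEM systems that we are using in this project. For ArcSight the key mechanism is the support of connectors. We therefore believe that the likelihood of this risk materialising is very low, as the mechanisms and data formats were already tested at this point. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: WP6 extensions will leverage the SIEM APIs to read data from and write results to the SIEM in question. All partners' SIEMs have a flexible API for read/write operations. Strong control M20 - May 2018
Were measures applied? Yes; Update of measures: No
Risk ID: R4.6.X
Description of risk: Components from WP6 cannot be integrated in XL-SIEM.
WP(s) involved: WP6
Risk owner: Amadeus, ATOS
Proposed risk-mitigation measures: WP6 components will provide events using syslog protocol. XL-SIEM is prepared to receive events using this protocol. A specific plugin will be prepared to deal with the information provided in the WP6 components events to integrate it in the XL-SIEM processing. ATOS also participates in the development of WP6 components, so through periodical meetings any integration issue encountered can be discussed.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: WP6 extensions will leverage the SIEM APIs to read data from and write results to the SIEM in question. All partners' SIEMs have a flexible API for read/write operations. Strong control M20 - May 2018
Were measures applied? Yes; Update of measures: No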
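Risk ID: R4.6.S
Description of risk: Components from WP6 cannot be integrated in Splunk and/or Elastic stack.
WP(s) involved: WP6
Risk owner: Amadeus
Proposed risk-mitigation measures: During WP2 we studied how the different components devised in WP6 can be integrated in all SIEM systems that we are using in this project. Both Splunk and Elastic stack support the integration with such components. We therefore believe that the likelihood of this risk materialising is very low, as the mechanisms and data formats were already tested at this point. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: WP6 extensions will leverage the SIEM APIs to read data from and write results to the SIEM in question. All partners' SIEMs have a flexible API for read/write operations. A preliminary version of Enhanced Application Monitoring has already been integrated by AM to the Elastic Stack. Strong control M20 - May 2018
Were measures applied? Yes; Update of measures: No
Risk ID: R4.6
Description of risk: Components from WP6 cannot be integrated in any of the SIEM.
WP(s) involved: WP6
Risk owner: Amadeus
Proposed risk-mitigation measures: All SIEM systems that we are using in this project support extensibility. We therefore believe that the likelihood of this risk materialising is very low due to the mitigation steps taken in the choice of SIEMs we will work with. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No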
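Risk ID: R5.4
Description of risk: Components from WP4 are not easily integratable in other SIEMs (beyond the ones used in the validation).
WP(s) involved: WP4, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: In WP2 an analysis of most relevant SIEMs in the market was made and the reference architecture considers integration patterns that are, in principle, supported by most of them.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No
Risk ID: R5.5
Description of risk: Components from WP5 are not easily integratable in other SIEMs (beyond the ones used in the validation).
WP(s) involved: WP5, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: In WP2 an analysis of most relevant SIEMs in the market was made and the reference architecture considers integration patterns that are, in principle, supported by most of them.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No
Risk ID: R5.6
Description of risk: Components from WP6 are not easily integratable in other SIEMs (beyond the ones used in the validation).
WP(s) involved: WP6, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: In WP2 an analysis of most relevant SIEMs in the market was made and the reference architecture considers integration patterns that are, in principle, supported by most of them.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No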
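Risk ID: R6.4.E
Description of risk: The WP4 components cannot be deployed in EDP test environment on M24.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (EDP) to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Current architecture makes it more flexible to be integrated within any system. Some components are being developed taking into consideration the early feedback from EDP to ensure a smooth integration.
Were measures applied? Yes; Update of measures: No
Risk ID: R6.5.E
Description of risk: The WP5 components cannot be deployed in EDP test environment on M24.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (EDP) to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as R6.4E
Were measures applied? Yes; Update of measures: No
Risk ID: R6.6.E
Description of risk: The WP6 components cannot be deployed in EDP test environment on M24.
WP(s) involved: WP6, WP7
Risk owner: Amadeus, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (EDP) to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as R6.4E. Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? Yes; Update of measures: No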
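Risk ID: R6.4.AT
Description of risk: The WP4 components cannot be deployed in ATOS test environment on M24.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, ATOS
Proposed risk-mitigation measures: ATOS participates in the development of WP4 components, so through the periodical meetings it can identify potential issues or delays for the deployment of these components in its test environment and react in consequence.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? Yes; Update of measures: No
Risk ID: R6.5.AT
Description of risk: The WP5 components cannot be deployed in ATOS test environment on M24.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, ATOS
Proposed risk-mitigation measures: ATOS participates in the development of WP5 components, so through the periodical meetings it can identify potential issues or delays for the deployment of these components in its test environment and react in consequence.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? Yes; Update of measures: No
Risk ID: R6.6.AT
Description of risk: The WP6 components cannot be deployed in ATOS test environment on M24.
WP(s) involved: WP6, WP7
Risk owner: Amadeus, ATOS
Proposed risk-mitigation measures: ATOS participates in the development of WP6 components, so through the periodical meetings it can identify potential issues or delays for the deployment of these components in its test environment and react in consequence.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? No; Update of measures: No
Risk ID: R6.4.AM
Description of risk: The WP4 components cannot be deployed in Amadeus test environment on M24.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional meetings may be scheduled to discuss any deployment issues encountered. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus) to mitigate this risk.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize? No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? No; Update of measures: No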
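Risk ID: R6.5.AM
Description of risk: The WP5 components cannot be deployed in Amadeus test environment on M24.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus) to mitigate this risk.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize? No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? No; Update of measures: No
Risk ID: R6.6.AM
Description of risk: The WP6 components cannot be deployed in Amadeus test environment on M24.
WP(s) involved: WP6, WP7
Risk owner: Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus) to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: M; Did risk materialize? No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied? No; Update of measures: No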
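Risk ID: R7.4.E
Description of risk: The WP4 components cannot be deployed in EDP production environment on M32.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation, integration with ArcSight, and validation in the test environment. Additional programming and testing effort may be committed, with the help from environment owner (EDP) to mitigate this risk. The slack between test environment and production environment implementations offers additional comfort when considering this objective.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as R6.4E. Although the production environment has its unique challenges compared to the test environment, the latter will serve as a starting point and will largely facilitate the deployment in production. By having a test environment that accurately resembles the production environment, we aim to enable an easier production deployment.
Were measures applied? Yes; Update of measures: No
Risk ID: R7.5.E
Description of risk: The WP5 components cannot be deployed in EDP production environment on M32.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, EDP
Proposed risk-mitigation measures: Same as in R7.4E.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as in R7.4E.
Were measures applied? Yes; Update of measures: No
Risk ID: R7.6.E
Description of risk: The WP6 components cannot be deployed in EDP production environment on M32.
WP(s) involved: WP6, WP7
Risk owner: Amadeus, EDP
Proposed risk-mitigation measures: Same as in R7.4E.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as in R7.4E.
Were measures applied? Yes; Update of measures: No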
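Risk ID: R7.4.AT
Description of risk: The WP4 components cannot be deployed in ATOS production environment on M32.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, ATOS
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation, integration with XL-SIEM and validation in the test environment. Additional programming and testing effort may be committed, with the help from environment owner (ATOS) to mitigate this risk. The slack between test environment and production environment implementations offers additional comfort when considering this objective.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Were measures applied? Yes; Update of measures: No
Risk ID: R7.5.AT
Description of risk: The WP5 components cannot be deployed in ATOS production environment on M32.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, ATOS
Proposed risk-mitigation measures: Same as in R7.4.AT
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Were measures applied? Yes; Update of measures: No
Risk ID: R7.6.AT
Description of risk: The WP6 components cannot be deployed in ATOS production environment on M32.
WP(s) involved: WP6, WP7
Risk owner: Amadeus, ATOS
Proposed risk-mitigation measures: Same as in R7.4.AT
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Were measures applied? Yes; Update of measures: No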
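Risk ID: R7.4.AM
Description of risk: The WP4 components cannot be deployed in Amadeus production environment on M32.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation, integration with Splunk/Elasticsearch, and validation in the test environment. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus) to mitigate this risk. The slack between test environment and production environment implementations offers additional comfort when considering this objective.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as R6.4E. Although the production environment has its unique challenges compared to the test environment, the latter will serve as a starting point and will largely facilitate the deployment in production. By having a test environment that accurately resembles the production environment, we aim to enable an easier production deployment.
Were measures applied? No; Update of measures: No
Risk ID: R7.5.AM
Description of risk: The WP5 components cannot be deployed in Amadeus production environment on M32.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, Amadeus
Proposed risk-mitigation measures: Same as in R7.4.AM
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as in R7.4.AM
Were measures applied? No; Update of measures: No
Risk ID: R7.6.AM
Description of risk: The WP6 components cannot be deployed in Amadeus production environment on M32.
WP(s) involved: WP6, WP7
Risk owner: Amadeus
Proposed risk-mitigation measures: Same as in R7.4.AM
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize? No
Comment: Same as in R7.4.AM
Were measures applied? No; Update of measures: No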
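Risk ID: R8.4.E
Description of risk: The WP4 components do not translate to effective benefits for EDP.
WP(s) involved: WP4, WP7, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: As a SIEM operator, EDP is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP4 with the specific aim of refining the components based on the feedback received during deployments of the components in the industrial partners settings in WP7.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Comment: Although verifications have been made (during synchronisations, telcos, meetings, etc.) to prevent weak benefits for the partner, ongoing telco and physical meetings will take place to continuously monitor this, as well as frequent reports will be delivered at all stages of the project: from the requirement definition to the final implementation and testing. Feedback will be implemented at each stage.
Were measures applied? Yes; Update of measures: No
Risk ID: R8.5.E
Description of risk: The WP5 components do not translate to effective benefits for EDP.
WP(s) involved: WP5, WP7, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: Same as in R8.4.E
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Comment: Same as in R8.4.E
Were measures applied? Yes; Update of measures: No
Risk ID: R8.6.E
Description of risk: The WP6 components do not translate to effective benefits for EDP.
WP(s) involved: WP6, WP7, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: Same as in R8.4.E
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Comment: Same as in R8.4.E
Were measures applied? No; Update of measures: No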
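Risk ID: R8.4.AT
Description of risk: The WP4 components do not translate to effective benefits for ATOS.
WP(s) involved: WP4, WP7, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: The current requirements definition for WP4 components and functionality to be provided is in line with ATOS' interest in improving its XL-SIEM tool capabilities through the integration of threat intelligence data. Through the first stage in M24 with the deployment of the components prototypes in the test environment, the requirements and functionality can be refined in case it is observed it does not fit as expected (there is a task for that in WP4).
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No
Risk ID: R8.5.AT
Description of risk: The WP5 components do not translate to effective benefits for ATOS
WP(s) involved: WP5, WP7, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: The current definition for WP5 components is in line with ATOS' interest in improving the visualization capabilities of its XL-SIEM tool. Through the first stage in M24 with the deployment of the components prototypes in the test environment, the requirements and functionality can be refined in case it is observed it does not fit as expected (there is a task for that in WP5).
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No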
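Risk ID: R8.6.AT
Description of risk: The WP6 components do not translate to effective benefits for ATOS.
WP(s) involved: WP6, WP7, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: The current definition for WP6 components is in line with ATOS' interest to enhance the monitoring of an infrastructure, extending its current XL-SIEM capabilities with new sensors to detect anomalies in the user behaviours, the deployment of diverse security tools and improvements in the long-term storage of events. Through the first stage in M24 with the deployment of the components prototypes in the test environment, the requirements and functionality can be refined in case it is observed it does not fit as expected (there is a task for that in WP6).
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No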
Risk ID: R8.4.AM
Description of risk: The WP4 components do not translate to effective benefits for Amadeus.
WP(s) involved: WP4, WP7, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: As a SIEM user, Amadeus is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP4 with the specific aim of refining the components based on the feedback received during deployments of the components in the industrial partners settings in WP7.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: M; Did risk materialize? No
Comment: Although verifications have been made (through synchronisations, telcos, meetings, etc.) to prevent weak benefits for the partner, ongoing telco and physical meetings will take place to continuously monitor this, as well as frequent reports will be delivered at all stages of the project: from the requirement definition to the final implementation and testing. Feedback will be implemented at each stage.
Were measures applied? No; Update of measures: No
Risk ID: R8.5.AM
Description of risk: The WP5 components do not translate to effective benefits for Amadeus
WP(s) involved: WP5, WP7, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: As a SIEM user and WP5 component developer, Amadeus is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP5 with the specific aim of refining the components based on the feedback received during deployments of the components in the industrial partners’ settings in WP7.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: M; Did risk materialize? No
Comment: Although verifications have been made (through synchronisations, telcos, meetings, etc.) to prevent weak benefits for the partner, ongoing telco and physical meetings will take place to continuously monitor this, as well as frequent reports will be delivered at all stages of the project: from the requirement definition to the final implementation and testing. Feedback will be implemented at each stage.
Were measures applied? No; Update of measures: No
Risk ID: R8.6.AM
Description of risk: The WP6 components do not translate to effective benefits for Amadeus.
WP(s) involved: WP6, WP7, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: As a SIEM user and WP6 component developer, Amadeus is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP6 with the specific aim of refining the components based on the feedback received during deployments of the components in WP7.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: M; Did risk materialize? No
Comment: Same as in R8.6.AM
Were measures applied? No; Update of measures: No
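Risk ID: R9
Description of risk: Uncoordinated dissemination activities emerge during DiSIEM operation
WP(s) involved: WP8
Risk owner: ATOS
Proposed risk-mitigation measures: The partners will be urged to coordinate their activities upon detection of any uncoordinated or mutually contradictory activities. Clear leadership is needed and experience gained from former projects will be applied to foster common dissemination activities and to funnel any dispersed actions together again.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No
Risk ID: R10
Description of risk: Dissemination/Exploitation deviates from the plan
WP(s) involved: WP8
Risk owner: ATOS
Proposed risk-mitigation measures: The Task Leader monitors the dissemination/exploitation activities and will intervene immediately. The WP meetings should find workarounds. Typical actions could be: to propose some of the major conferences/symposiums where DiSIEM dissemination is expected for higher project impact; to encourage joint project publications; to publish project factsheets and press releases on the project Web site to increase visibility; to foster dissemination of project results in open source; or to encourage transfer of DiSIEM technology.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize? No
Were measures applied? Yes; Update of measures: No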
R11
IPR conflicts between partners or between groups of partners
WP1-WP9
FCID
Early detection of the issue through close and good contacts, frequent meetings and a clear and unambiguous legal framework (Consortium Agreement).
M13 M H M No Yes No
R12
SIEMs evolve in a way that makes the project components almost obsolete (External)
WP4-WP6
FCID
In the beginning of the project an extensive in-depth study of the state of the art in SIEMs was conducted (see D2.1). Furthermore, the project partners follow the state of the art related to their components to allow for early detection of the possibility of DiSIEM components becoming obsolete.
M13 L H M No
It is unlikely that in just two years (M13-M36) the SIEM landscape changes completely, turning our components obsolete.
Yes No
R13
The market is not interested in the DiSIEM components (External)
WP4-WP6
FCID
In the beginning of the project an extensive in-depth study of the state of the art in SIEMs was conducted (see D2.1). The components are being developed considering practical technological aspects, costs, and the limitations perceived in existing SIEMs. The advisory board supports the consortium to reduce this risk likelihood.
M13 L H M No
It is unlikely that in just two years (M13-M36) the SIEM landscape changes completely, turning our components obsolete.
Yes No
5 Summary and Conclusions
This deliverable presented the risk management plan for the DiSIEM project. Our plan is devised around five types of processes: 1) analysis, 2) assessment, 3) treatment, 4) monitoring and control, and 5) communication and consultation. The quality plan presented in Deliverable 9.1 [D91] of the DiSIEM project defines means for monitoring and controlling the execution of the project, which include the Interim Management Report and the policies for holding meetings and teleconferences. These physical and virtual meetings, as well as a well-documented project execution plan, allow for anticipating the concretization of risks previously identified and therefore implementing control measures (risk treatment). In addition, they also allow foreseeing new risks (risk analysis-identification), and whenever a new risk is identified, a new risk assessment process should be accomplished and new risk control measures implemented or anticipated (risk treatment).
For the risk assessment process, we followed a qualitative methodology supported by the ISO 31000:2009 standard, in which risks are classified as low, medium and high based on their impact on the project's objectives, and likelihood is classified as low, medium and high, based on the probability at which the risk can occur. A risk evaluation matrix that confronts impact and likelihood is used to evaluate and classify risks. As a result, risks that are assessed as low require risk mitigation measures more oriented to assure that the impact or likelihood do not increase; risks assessed as medium require stronger control and their mitigation measures aim at decreasing their impact or likelihood, being re-evaluated periodically to decide if more strict treatment is financially justifiable; finally, risks classified as high are treated with high priority employing the defined mitigation procedures (at the time this document is being written, there are no high risks in the project).
The centrepiece of this document is the current risk register where all risks are correspondingly registered and revised periodically. The register exhibits the description of the risks, their owners (i.e., responsible partners), an assessment of impact and likelihood, and proposal of actions to handle the risks.
List of Acronyms
Acronym Description
CPA Critical Path Analysis
CSF Critical Success Factor
EC European Commission
IEC International Electrotechnical Commission
ISO International Organization for Standardization
PMBOK Project Management Body Of Knowledge
PMI Project Management Institute
SOC Security Operation Centre
TC Technical Committee
References
[D21] DiSIEM Consortium. In-depth Analysis of SIEMs Extensibility. DiSIEM Project Deliverable 2.1. February 2017.
[D22] DiSIEM Consortium. Reference Architecture and Integration Plan. DiSIEM Project Deliverable 2.2. August 2017.
[D41] DiSIEM Consortium. Techniques and Tools for OSINT-based Threat Analysis. DiSIEM Project Deliverable 4.1. August 2017.
[D51] DiSIEM Consortium. Visualisation System Infrastructure and Requirement Analysis. DiSIEM Project Deliverable 5.1. August 2017.
[D61] DiSIEM Consortium. Preliminary Architecture and Service Model of Infrastructure Enhancements. DiSIEM Project Deliverable 6.1. August 2017.
[D81] DiSIEM Consortium. Internal and External IT Communication Infrastructure. DiSIEM Project Deliverable 8.1. November 2016.
[D91] DiSIEM Consortium. Project Quality Plan. DiSIEM Project Deliverable 9.1. November 2016.
[ISO09] ISO (2009). ISO 31000:2009, Risk management – Principles and guidelines, International Organization for Standardization.
[IEC09] IEC (2009). IEC 31010:2009, Risk management — Risk assessment techniques, International Organization for Standardization.
[PMI13] PMI. (2013). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (Fifth Edition). Project Management Institute.