Process for Analysis Choose a standard / type Qualitative / Quantitative Or Formal / Informal Select access controls Match outcome to project objectives Provide guidance for improvement

Upload: sandra-farmer

Post on 11-Jan-2016


TRANSCRIPT

Page 1: Process for Analysis  Choose a standard / type  Qualitative / Quantitative Or  Formal / Informal  Select access controls  Match outcome to project

Process for Analysis

Choose a standard / type

Qualitative / Quantitative

Or

Formal / Informal

Select access controls

Match outcome to project objectives

Provide guidance for improvement

Page 2

Outcome Framework Example

Build Asset-based Threat profiles

Identify Infrastructure vulnerabilities

Develop security strategy and plans

Measure adherence to policies…?

Recommend mitigation strategies

Page 3

Build Profiles

Profiles are guides to help frame recommendations:

– Threat

– Vulnerability

– Exposure

– Assets

– Value

– Processes

– Etc.

Good way to organize information: current state

Page 4

Identify Vulnerabilities

CVE

ICAT

Cassandra

Vendor tools

“SANS / ISO, FMEA, best practices”

Can be administrative, personnel, technical or physical

Page 5

Develop Strategy

This is the “value” of the final deliverable

Make suggestions for areas of improvement

DO NOT RELY ON VENDOR TOOLS

Research like crazy: contact your support network

Make sure it is easy to digest and accomplish

Page 6

Context

How do you determine what is “at risk” and what is not?

Low, medium, high

Scale of 1-10

Red, Yellow, green

Ultimately it comes down to applying the threat profile to the asset to determine the level of risk

Page 7

Risk Assessment Planning Overview

Session #7

Page 8

RA Process Elements

Identify Organizational Information

Build Asset-based Threat Profiles

Identify Infrastructure Vulnerabilities

Develop Protection Strategy

OCTAVE Methodology

Page 9

Identify Organizational Information

Identify information-related assets

Select those that are most critical to the organization

Evaluate current security practices to identify what the company is doing well

Identify which practices are missing or inadequate

Page 10

Build Threat Profiles

Identify security requirements for critical assets

Identify threats to those assets

Based on the business mission of the organization

Page 11

Infrastructure Vulnerabilities

Identify components to evaluate

Develop a vulnerability management practice

Find problems linked with technology and processes

Page 12

Develop Protection Strategy

Identify risks to the organization’s critical assets

Evaluate the risks to establish a value for the resulting impact on the assets

Decide whether to accept or mitigate each risk

Select the highest priority actions

Develop the protection strategy for those priorities
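The three rating scales from the Context slide (1-10, Low/Medium/High, Red/Yellow/Green) and the evaluate, decide, and select steps above, as an added worked example that is not from the deck or from OCTAVE: the field names, the likelihood x impact formula, the band thresholds and the sample assets are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed example data: asset-based threat profiles with each factor on
# the deck's 1-10 scale. Field names are this example's own assumption.
@dataclass
class ThreatProfile:
    asset: str
    value: int        # business value of the asset (impact side)
    criticality: int  # how much the mission depends on it (impact side)
    threat: int       # capability/likelihood of the threat (likelihood side)
    exposure: int     # how reachable the weakness is (likelihood side)

def clamp(score: int) -> int:
    """Reject inputs outside the 1-10 scale instead of silently skewing the score."""
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} is outside the 1-10 scale")
    return score

def risk_score(p: ThreatProfile) -> int:
    """Apply the threat profile to the asset: likelihood x impact, rescaled to 1-10."""
    likelihood = (clamp(p.threat) + clamp(p.exposure)) / 2
    impact = (clamp(p.value) + clamp(p.criticality)) / 2
    return max(1, round(likelihood * impact / 10))

def risk_band(score: int) -> tuple:
    """Map the 1-10 score onto the Low/Medium/High and Red/Yellow/Green scales."""
    if score >= 7:
        return ("High", "Red")
    if score >= 4:
        return ("Medium", "Yellow")
    return ("Low", "Green")

def protection_strategy(profiles, tolerance: int = 3) -> list:
    """Evaluate each risk, decide accept or mitigate against the organization's
    risk tolerance, and return the decisions with the highest priority first."""
    decisions = []
    for p in profiles:
        score = risk_score(p)
        level, colour = risk_band(score)
        action = "mitigate" if score > tolerance else "accept"
        decisions.append((p.asset, score, level, colour, action))
    return sorted(decisions, key=lambda d: d[1], reverse=True)

SAMPLE_PROFILES = [  # constructed values, not from any real assessment
    ThreatProfile("customer database", value=9, criticality=9, threat=9, exposure=7),
    ThreatProfile("cafeteria menu site", value=2, criticality=1, threat=5, exposure=8),
    ThreatProfile("payroll server", value=8, criticality=7, threat=6, exposure=5),
]
```

Calling protection_strategy(SAMPLE_PROFILES) ranks the customer database first (7/10, High/Red, mitigate), then the payroll server (4/10, Medium/Yellow, mitigate), and leaves the cafeteria site at 1/10, Low/Green, accept.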

Page 13

Risk Assessment / Management Decision Process

Diagram labels (the slide’s flowchart, flattened): Risk Assessment; Decision; Problem Formulation; Analysis; Risk Characterization; Economic – Social Analysis; Planning; Scoping; New Management Needs

Page 14

Objects of the RA

Mission

Systems Description

Assets

Sensitivity

Criticality

Vulnerabilities

Threats

Safeguards

Page 15

RA Planning

Figure out where data needs to come from:

– Info needed before on-site visit

– Collect info from public sources

– Work on WBS tasks

– Decide interview schedule and personnel

Stay true to the SOW:

– Watch time investment

– Always match actions to goals

– Avoid SOW creep

Page 16

Pre Site Visit Goals

Confirm Client’s goals with delivery team

Connect Sponsor with delivery team lead

Establish escalation procedures and contact personnel

Goal is to get the client comfortable with:

– Approach

– Needs

– Consultants doing work

– Process for moving project to conclusion

Page 17

Pre Site Visit Information

Policies

Infrastructure Architecture Drawing / maps

Administrator passwords

Org Chart

Secure workspace

Budget information

Mission statements

Page 18

Document Review

Access Logs - System, Maintenance, and Visitor

Incident Reports

Documents - Plans, Policies, and Procedures

Previous Risk Assessments

Continuity of Operations Plans

Contingency Reports

Directories

Inventory Records

Floor Plans

Organization Charts

Mission Statements

System and Network Configurations

Page 19

On Site Process

Hold a meeting ASAP to introduce players, state objectives and discuss the process

Collect information requested in pre-site visit process

Discuss interview process, scheduling and targets:

– Line up personnel to interview

– Have questions already prepared

– Run interviews in parallel to other data collection techniques

Page 20

Initial On Site Process

Need to discuss facility access:

– After-hours building access needed

– Normal business hours access required

– Badges may be needed: get them

– Understand departmental work hours

– Get facilities tour: restrooms, cafeteria, sponsor’s office, work area, off-limit areas

Page 21

Initial On Site Activity

Start scans

Arrange interviews

Perform facility walkthrough

Examine Policies

Dumpster dive

Printers output trays

Open desk areas