“Only those who risk going too far can possibly find out how far they can go” T.S. Eliot
[Figure: relationship diagram among Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats and Assets. Edge labels visible in the diagram: Owners "value" Assets, "wish to minimize" Risk and "impose" Controls "to reduce" Risk; Controls "may be reduced by" Vulnerabilities; Assets "may possess" Vulnerabilities; Threat Sources "may be aware of" Vulnerabilities.]
Assets (examples, as listed in two columns on the slide):
- Servers
- Desktop Computers
- Laptops and PDAs
- Switches and Routers
- Application software
- Development Tools
- Source Code
- VPN Access
- Backup Tapes
- Email
- Data Integrity
- All Files on the Server
- Consumer Information
- Network Infrastructure
- DHCP
- Web Site Availability
- Reputation
- Employee Morale
American Academy of Project Management
Proactive Risk Management
Vulnerabilities (examples):
- Unlocked doors
- Software Configuration
- Unlocked windows
- Systems not monitored
- Misconfigured systems
- Unnecessary protocols
- Missing patches
- Poorly defined procedures
- Antivirus out-of-date
- Stolen credentials
- Poorly written apps
- Poor password protection
- Vendor backdoors
- Poor Disaster Recovery
- Spyware
- Violations not reported
Impact (examples):
- Loss of public's confidence
- Potential critical damage
- Operations halted
- Failure to meet contractual obligations
Know what to do now?
Risk Management Process
Phases: Risk Assessment -> Risk Mitigation -> RM Evaluation
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation
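Steps 6 to 8 above (likelihood, impact, risk determination) are where the assessment turns ratings into a ranked list. The following is an added worked example, not code from the deck or from NIST: it implements the risk-level matrix published in NIST SP 800-30 (likelihood weights 0.1/0.5/1.0, impact magnitudes 10/50/100, risk scale Low 1 to 10, Medium over 10 to 50, High over 50) and applies it to the three threat-source/vulnerability pairs named later on this page. The asset, threat-source and rating values for those pairs are assumptions made for the example.

```python
"""Steps 6-8 of the NIST SP 800-30 process: likelihood, impact, risk determination.

Added example; the rating tables follow the risk-level matrix in NIST SP 800-30
(2002 edition, Table 3-6). The sample threat-source/vulnerability pairs and their
ratings are constructed for illustration.
"""
from dataclasses import dataclass

# Likelihood weights (step 6) and impact magnitudes (step 7) from NIST SP 800-30 Table 3-6.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_MAGNITUDE = {"Low": 10, "Medium": 50, "High": 100}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat-source/vulnerability pair (step 5), as recorded on a vulnerability analysis form."""
    asset: str
    threat_source: str
    vulnerability: str
    loss_type: str      # Confidentiality, Integrity or Availability
    likelihood: str     # Low / Medium / High (step 6)
    impact: str         # Low / Medium / High (step 7)


def risk_score(likelihood: str, impact: str) -> float:
    """Step 8: risk = likelihood weight x impact magnitude (1 .. 100)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_MAGNITUDE[impact]


def risk_level(score: float) -> str:
    """Map a score onto the NIST risk scale: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairs):
    """Rate every pair and return them ranked highest risk first (input to step 9)."""
    rated = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        rated.append({"pair": p, "score": score, "level": risk_level(score)})
    rated.sort(key=lambda r: r["score"], reverse=True)
    return rated


def risk_statement(rated) -> str:
    """One-line risk statement per pair for the results documentation (step 10)."""
    p = rated["pair"]
    return (f"{rated['level']} risk ({rated['score']:.0f}): {p.threat_source} exploits "
            f"'{p.vulnerability}' on {p.asset}, causing loss of {p.loss_type.lower()}")


# Constructed sample: the three pairs named on this page, with assumed ratings.
SAMPLE_PAIRS = [
    ThreatVulnPair("HEARTS", "Client Data Warehouse users",
                   "PHI disclosed to or by the Client Data Warehouse",
                   "Confidentiality", likelihood="High", impact="High"),
    ThreatVulnPair("Workgroup switch", "Unauthorized visitor",
                   "Switch located in unlocked wiring closet",
                   "Availability", likelihood="Medium", impact="Medium"),
    ThreatVulnPair("File server", "Disk exhaustion",
                   "Application loses availability when the server runs out of disk space",
                   "Availability", likelihood="High", impact="Low"),
]

if __name__ == "__main__":
    for r in determine_risk(SAMPLE_PAIRS):
        print(risk_statement(r))
```

The ranking is only as good as the Low/Medium/High ratings fed in; the matrix makes the arithmetic repeatable, but the likelihood rating should still cite the threat-source motivation and the existing controls found in step 4, and the impact rating should cite which of confidentiality, integrity or availability is lost.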
From Microsoft's Security Risk Management Guide, Chapter 2
Microsoft Says . .
Assessing Risk Phase has Three Steps
1) Planning – Align your annual process with your budget; specify your scope; identify and pre-sell stakeholders; embrace subjectivity
2) Facilitated Data Gathering – Identify tangible and intangible assets, threats, vulnerabilities, existing controls, probable impact
3) Risk Prioritization – Determine probabilities, and combine impact with probability to produce a risk statement
Microsoft Says . .
Conducting Decision Support Phase
1) Determine functional requirements
2) Identify combinations of controls (Organizational, Operational, Technological)
3) Compare proposed controls to functional requirements
4) Calculate the probable overall risk reduction to the organization
5) Estimate the cost of each proposed control
6) Select which controls to implement
Microsoft Says . .
Implementing Controls Phase
Solid Building Structure
Good Network Design
Secure Wireless Segment
Disable LAN Services
Remove User Rights
Good Firewall Settings
Least Privilege Necessary
Small attack surface
Frequent Backups
Encryption
Microsoft Says . .
Measuring Program Effectiveness Phase
1) Ongoing – continues until next assessment phase
2) Should catch changes in the information systems environment, and in applications
3) Includes creating and maintaining a security risk scorecard that demonstrates the organization's current risk profile
NC ITS’s Risk Management Program
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation
1) System Characterization
Impact Analysis Needs
Loss of Integrity
- Improper modification
Loss of Availability
- System cannot be accessed or data cannot be located
Loss of Confidentiality
- Information classified as sensitive is disclosed without authorization
Purpose
Scope
Describe
* System Controls
* Elements
* Users
* Site Locations
* Other Details as necessary
Reviewing NIST's RA Output
User Identification
Security Administration
Authentication
Authorization
Nonrepudiation
Transaction Privacy
Restore Secure State
Virus Detection and Eradication
[Figure: risk mitigation decision flow. Decision points in order: Risk Exists? (NO: No Risk) -> Attacker's Cost < Gain? (NO: No Risk) -> Loss Anticipated > Threshold? (mission impact; NO: No Risk) -> YES: Unacceptable Risk.]
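The decision flow above and steps 4 to 6 of the Decision Support phase (calculate the probable overall risk reduction, estimate the cost of each proposed control, select which controls to implement) are two halves of one procedure: first decide which risks are unacceptable, then spend the budget where it buys the most reduction. The block below is an added example, not Microsoft's or NIST's code; the expected-loss arithmetic, the dollar figures, probabilities and control effects are all constructed assumptions, and the three risks are the pairs named on this page. It also handles the case the flowchart leaves implicit: a non-deliberate threat (disk exhaustion) has no attacker cost or gain, so that gate is skipped rather than treated as "no risk".

```python
"""Risk mitigation decision points and decision-support control selection.

Added example (not from the deck, Microsoft's guide or NIST). Dollar figures,
probabilities and control effects are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class RiskItem:
    name: str
    probability: float                       # chance per year the threat exploits the vulnerability
    impact: float                            # loss per occurrence, in dollars
    attacker_cost: Optional[float] = None    # None: not a deliberate human threat
    attacker_gain: Optional[float] = None

    def expected_loss(self) -> float:
        return self.probability * self.impact


def is_unacceptable(item: RiskItem, loss_threshold: float) -> bool:
    """The three decision points of the flow: risk exists? attacker's cost < gain?
    anticipated loss > threshold?  A NO at any point means the risk is accepted."""
    if item.probability <= 0 or item.impact <= 0:
        return False                                    # no risk exists
    if item.attacker_cost is not None and item.attacker_gain is not None:
        if not item.attacker_cost < item.attacker_gain:
            return False                                # a rational attacker is not motivated
    # Non-deliberate threats (hardware failure, disk exhaustion) have no attacker; skip that gate.
    return item.expected_loss() > loss_threshold


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                  # Organizational / Operational / Technological
    cost: float                # one-time cost to implement, in dollars
    mitigates: str             # RiskItem.name this control applies to
    probability_factor: float  # residual probability multiplier after the control (0..1)
    impact_factor: float       # residual impact multiplier after the control (0..1)


def residual_loss(item, controls) -> float:
    """Expected loss that remains once the given controls are in place."""
    p, i = item.probability, item.impact
    for c in controls:
        if c.mitigates == item.name:
            p *= c.probability_factor
            i *= c.impact_factor
    return p * i


def risk_reduction(items, controls) -> float:
    """Probable overall risk reduction: expected loss before minus after the controls."""
    return sum(it.expected_loss() - residual_loss(it, controls) for it in items)


def select_controls(items, candidates, budget):
    """Pick the combination of candidate controls within budget that reduces the most risk.
    Exhaustive search: fine for a handful of candidates, not for hundreds."""
    best_combo, best_reduction = (), 0.0
    for r in range(1, len(candidates) + 1):
        for combo in combinations(candidates, r):
            if sum(c.cost for c in combo) > budget:
                continue
            reduction = risk_reduction(items, combo)
            if reduction > best_reduction:
                best_combo, best_reduction = combo, reduction
    return best_combo, best_reduction


# Constructed sample data based on the pairs named on this page.
LOSS_THRESHOLD = 10_000.0
ITEMS = [
    RiskItem("PHI disclosure via Client Data Warehouse", 0.3, 500_000,
             attacker_cost=5_000, attacker_gain=200_000),
    RiskItem("Switch in unlocked wiring closet", 0.2, 20_000,
             attacker_cost=100, attacker_gain=5_000),
    RiskItem("File server out of disk space", 0.5, 30_000),      # environmental, no attacker
]
CANDIDATES = [
    Control("Access control between HEARTS and the warehouse", "Technological", 40_000,
            "PHI disclosure via Client Data Warehouse", probability_factor=0.2, impact_factor=1.0),
    Control("Encrypt PHI at rest in the warehouse", "Technological", 25_000,
            "PHI disclosure via Client Data Warehouse", probability_factor=1.0, impact_factor=0.25),
    Control("Disk quotas and capacity monitoring", "Operational", 5_000,
            "File server out of disk space", probability_factor=0.2, impact_factor=1.0),
    Control("Lock the wiring closet", "Organizational", 500,
            "Switch in unlocked wiring closet", probability_factor=0.1, impact_factor=1.0),
]


def run_decision_support(items=ITEMS, candidates=CANDIDATES, budget=70_000.0, threshold=LOSS_THRESHOLD):
    """Filter to unacceptable risks, then choose controls for them within budget.
    Returns (selected control names, total risk reduction, residual loss per unacceptable risk)."""
    unacceptable = [it for it in items if is_unacceptable(it, threshold)]
    chosen, reduction = select_controls(unacceptable, candidates, budget)
    residual = {it.name: residual_loss(it, chosen) for it in unacceptable}
    return [c.name for c in chosen], reduction, residual


if __name__ == "__main__":
    names, reduction, residual = run_decision_support()
    print("Selected:", names)
    print(f"Risk reduction: ${reduction:,.0f}")
    for n, loss in residual.items():
        print(f"  residual expected loss for {n}: ${loss:,.0f}")
```

Two things worth noticing in the output: the cheap "lock the wiring closet" control is never selected, because the switch risk fell below the loss threshold and so contributes no reduction to the objective, and the selected set is checked against the threshold afterwards, since choosing the biggest reduction within budget does not by itself guarantee that every residual risk is now acceptable.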
4) Network Risk Analysis Forms
Complete one form for each type of component
1) Windows XP Workstations
2) Windows 2000 workstations
3) Windows 98 workstations
4) File Servers
5) Firewall
6) Router
7) Core Switch
8) Workgroup Switches
9) Wireless Segment, etc.
5) Application Risk Analysis Forms
Complete one form for each application
1) HEARTS
2) MCPlus Pharmacy
3) NC Accounting
4) Personal Planning System
5) NCSnap
6) Restraint Tracking
7) Staff Development Records
8) Staff Vacancies, etc.
6) Penetration and Vulnerability Tests
9) Vulnerability Analysis Forms
Complete one form for each vulnerability/threat-pair combination
1) HEARTS PHI being disclosed to or by the Client Data Warehouse
2) Workgroup switch located in unlocked wiring closet
3) Loss of application availability due to file server running out of disk space
Penetration Testing
Vulnerability Forms
THANK YOU