security program
Teklebrhan W/Aregay
15/11/2012
Building and running risk management program
• Building blocks
• Threat identification
• An efficient workflow
๏ Building blocks
✓ Build a threat and vulnerability management (TVM) program, or TVA, that deals with:
➡ processing new vulnerability notifications,
➡ keeping up to date on news and reports of the latest emerging threats.
✓ Program essentials:
➡ Take a strategic approach by starting small.
➡ Establish a program that covers a very small scope.
‣ For example, start with a handful of Internet-facing servers or even just one workstation, and iron out any hiccups in the process before you expand the program to tackle the entire organization.
‣ Most risk models will grow and can be revised over time.
Threat and vulnerability management (continued)
- Owner
- Resource Administrator
- Data Sensitivity
Threat and vulnerability management (continued)
‣ Vulnerability scanning
➡ Resource Profiling
‣ You must first assign sensitivity ratings to the resources in question.
- Focus on the resources the organization depends on in order to function,
- the resources with the most sensitive data, or even those that are the most visible to the public.
Threat and vulnerability management (continued)
- Information Classification
- Criticality to Organization
- Applicable Regulations
- User Community
Threat and vulnerability management (continued)
- Assign sensitivity ratings environment by environment, for example: research lab, Web server farm, sales laptops/mobile devices, backup servers/network.
Threat and vulnerability management (continued)
‣ When you start assessing your assets, try the simple Low-Moderate-High scale.
‣ To keep things in perspective, remind yourself that if a hacker compromised your central network switch or router, that would be much worse for the organization than a compromise of any one desktop or laptop.
‣ As you rate the assets in your organization, it can be helpful to keep reminding yourself that you aren’t evaluating their risk exposure, but just their sensitivity to risk.
TVM (continued…)
๏ Threat identification
✓ Threat?
‣ Describes a source of exploitation
‣ Has the potential to harm the resource
‣ Is anything capable of acting against an asset in a manner that can result in harm
✓ Rating vulnerabilities
‣ You need to know how to analyze a vulnerability report for details that affect both the likelihood and the severity of the potential exposure.
‣ The need for risk analysis stems from the need to prioritize vulnerabilities.
‣ For this, you need clear and repeatable criteria for both severity and likelihood.
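The resource-profiling and vulnerability-rating slides above describe one model: a Low-Moderate-High sensitivity rating derived from a resource profile (owner, administrator, classification, criticality, regulations, public visibility), combined with each finding's severity and likelihood under repeatable criteria. The following Python is an added illustration, not code from the slides; the rating rule, resource names and VULN-000x identifiers are constructed for the example.

```python
# Added example, not from the slides: a repeatable Low/Moderate/High model that
# derives a resource's sensitivity from its profile, then combines it with a
# vulnerability's severity and likelihood to rank findings (all values constructed).
from dataclasses import dataclass, field
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}   # the simple scale from the slides
NAME = {v: k for k, v in LEVEL.items()}

@dataclass
class Resource:
    name: str
    owner: str                   # profile fields listed on the slides
    administrator: str
    classification: str          # Public / Internal / Confidential (assumed labels)
    criticality: str             # Low / Moderate / High
    regulations: list = field(default_factory=list)
    public_facing: bool = False  # "most visible to the public"

def sensitivity(r: Resource) -> str:
    """Assumed rule: the strongest driver wins, so the rating is repeatable."""
    score = LEVEL[r.criticality]
    if r.classification == "Confidential" or r.regulations:
        score = 3                              # regulated or confidential data
    elif r.classification == "Internal" or r.public_facing:
        score = max(score, 2)
    return NAME[score]

@dataclass
class Finding:
    resource: Resource
    vuln_id: str                 # constructed placeholder, not a real identifier
    severity: str                # taken from the vulnerability report
    likelihood: str              # exposure/exploitability judgement

def risk_score(f: Finding) -> int:
    """Sensitivity x severity x likelihood on the 1..3 scale (range 1..27)."""
    return LEVEL[sensitivity(f.resource)] * LEVEL[f.severity] * LEVEL[f.likelihood]

def prioritize(findings):
    """Highest risk first; ties go to the more sensitive resource."""
    key = lambda f: (risk_score(f), LEVEL[sensitivity(f.resource)])
    return sorted(findings, key=key, reverse=True)

def sample_findings():
    switch = Resource("core-switch", "Network team", "netadmin", "Internal", "High")
    desktop = Resource("desk-042", "Sales", "helpdesk", "Internal", "Low")
    web = Resource("www-1", "Marketing", "webops", "Public", "Moderate", public_facing=True)
    return [Finding(switch, "VULN-0001", "Moderate", "Moderate"),
            Finding(desktop, "VULN-0002", "High", "High"),
            Finding(web, "VULN-0003", "Low", "High")]
```

Note that the switch is the most sensitive resource, yet the high-severity, high-likelihood desktop finding sorts first: sensitivity feeds the risk score but is not the same thing as risk exposure, which is the distinction the slides draw.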
TVM (continued…)
✓ Defining a Workflow
TVM (continued…)
✓ Measuring risks
‣ How do we properly calculate the rate of occurrence when there is not enough information available? Can FAIR help us in this case?