Process for Analysis
Choose a standard / type:
– Qualitative / Quantitative
– or Formal / Informal
Select access controls
Match outcome to project objectives
Provide guidance for improvement
Outcome Framework Example
Build Asset-based Threat profiles
Identify Infrastructure vulnerabilities
Develop security strategy and plans
Measure adherence to policies…?
Recommend mitigation strategies
Build Profiles
Profiles are guides to help frame recommendations
– Threat
– Vulnerability
– Exposure
– Assets
– Value
– Processes
– Etc.
A good way to organize information about the current state
Identify Vulnerabilities
CVE
ICAT
Cassandra
Vendor tools
“SANS / ISO, FMEA, best practices”
Can be administrative, personnel, technical or physical
Develop Strategy
This is the “value” of the final deliverable
Make suggestions for areas of improvement
DO NOT RELY ON VENDOR TOOLS
Research like crazy; contact your support network
Make sure the recommendations are easy to digest and accomplish
Context
How do you determine what is “at risk” and what is not?
– Low, medium, high
– Scale of 1-10
– Red, yellow, green
Ultimately it comes down to applying the threat profile to the asset to determine the level of risk
Session #7
Risk Assessment Planning Overview
RA Process Elements
Identify Organizational Information
Build Asset-based Threat Profiles
Identify Infrastructure Vulnerabilities
Develop Protection Strategy
OCTAVE Methodology
Identify Organizational Information
Identify information-related assets
Select those that are most critical to the organization
Evaluate current security practices to identify what the company is doing well
Identify which practices are missing or inadequate
Build Threat Profiles
Identify security requirements for critical assets
Identify threats to those assets
Based on business mission of organization
Infrastructure Vulnerabilities
Identify components to evaluate
Develop a vulnerability management practice
Find problems linked with technology and processes
Develop Protection Strategy
Identify risks to the organization’s critical assets
Evaluate the risks to establish a value for the resulting impact on the assets
Decide whether to accept or mitigate each risk
Select the highest priority actions
Develop the protection strategy for those priorities
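The "Context" slide above (threat profile applied to the asset, rated low/medium/high, 1-10 or red/yellow/green) and this protection-strategy step (value the impact, accept or mitigate, pick the highest priority actions) can be worked through in code. This is an added example, not course material: the 1-5 profile fields, the scoring formula, the scale cut-offs and the risk tolerance are all assumptions, and the asset profiles are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample threat profiles (not from the course); 1-5 scale per field.
@dataclass
class ThreatProfile:
    asset: str
    criticality: int  # impact on the mission if the asset is lost (value)
    exposure: int     # how reachable the asset is given known vulnerabilities
    likelihood: int   # how likely the threat is to act against this asset

RISK_TOLERANCE = 3  # assumption: scores at or below this are accepted

def risk_score(p: ThreatProfile) -> int:
    """Apply the threat profile to the asset and express it on the 1-10 scale."""
    for v in (p.criticality, p.exposure, p.likelihood):
        if not 1 <= v <= 5:
            raise ValueError("profile values must be on a 1-5 scale")
    raw = p.criticality * p.exposure * p.likelihood  # 1..125
    return max(1, round(raw / 125 * 10))

def risk_level(score: int) -> tuple[str, str]:
    """Map a 1-10 score onto the low/medium/high and red/yellow/green scales."""
    if score >= 7:
        return "high", "red"
    if score >= 4:
        return "medium", "yellow"
    return "low", "green"

def characterize(profiles: list[ThreatProfile]) -> list[dict]:
    """Risk characterization: score each asset, decide accept/mitigate,
    and order the result so the highest priority actions come first."""
    rows = []
    for p in profiles:
        score = risk_score(p)
        level, colour = risk_level(score)
        rows.append({"asset": p.asset, "score": score, "level": level,
                     "colour": colour,
                     "decision": "mitigate" if score > RISK_TOLERANCE else "accept"})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

SAMPLE_PROFILES = [
    ThreatProfile("Internal wiki", criticality=2, exposure=3, likelihood=3),
    ThreatProfile("Customer database", criticality=5, exposure=5, likelihood=4),
    ThreatProfile("Payroll server", criticality=5, exposure=3, likelihood=3),
]

if __name__ == "__main__":
    for row in characterize(SAMPLE_PROFILES):
        print(f"{row['asset']:18} {row['score']:>2}/10 {row['level']:6} "
              f"{row['colour']:6} -> {row['decision']}")
```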
Risk Assessment / Management Decision Process
Flow diagram (flattened in transcript); elements shown: New Management Needs, Risk Assessment, Problem Formulation, Planning and Analysis, Scoping, Risk Characterization, Economic and Social Analysis, Decision
Objects of the RA
Mission
Systems Description
Assets
Sensitivity
Criticality
Vulnerabilities
Threats
Safeguards
RA Planning
Figure out where data needs to come from:
– Info needed before the on-site visit
– Collect info from public sources
– Work on WBS tasks
– Decide interview schedule and personnel
Stay true to SOW
– Watch time investment
– Always match actions to goals
– Avoid SOW creep
Pre-Site Visit Goals
Confirm Client’s goals with delivery team
Connect Sponsor with delivery team lead
Establish escalation procedures and contact personnel
Goal is to get client comfortable with:
– Approach
– Needs
– Consultants doing work
– Process for moving project to conclusion
Pre-Site Visit Information
Policies
Infrastructure Architecture Drawing / maps
Administrator passwords
Org Chart
Secure workspace
Budget information
Mission statements
Document Review
Access Logs - System, Maintenance, and Visitor
Incident Reports
Documents - Plans, Policies, and Procedures
Previous Risk Assessments
Continuity of Operations Plans
Contingency Reports
Directories
Inventory Records
Floor Plans
Organization Charts
Mission Statements
System and Network Configurations
On Site Process
Hold a meeting ASAP to introduce the players, state objectives and discuss the process
Collect information requested in pre-site visit process
Discuss interview process, scheduling and targets:
– Line up personnel to interview
– Have questions already prepared
– Run interviews in parallel with other data collection techniques
Initial On Site Process
Need to discuss facility access:
– After hours building access needed
– Normal business hours access required
– Badges may be needed; get them
– Understand departmental work hours
– Get a facilities tour: restrooms, cafeteria, sponsor’s office, work area, off-limit areas
Initial On Site Activity
Start scans
Arrange interviews
Perform facility walkthrough
Examine Policies
Dumpster dive
Printer output trays
Open desk areas