Process for Analysis


Process for Analysis
• Choose a standard / type:
• Qualitative / Quantitative, or
• Formal / Informal
• Select access controls
• Match the outcome to project objectives
• Provide guidance for improvement
Outcome Framework Example
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop security strategy and plans
• Measure adherence to policies…?
• Recommend mitigation strategies
Build Profiles
• Profiles are guides to help frame recommendations:
– Threat
– Vulnerability
– Exposure
– Assets
– Value
– Processes
– Etc.
• A good way to organize information (current state)
Identify Vulnerabilities
• CVE
• ICAT
• Cassandra
• Vendor tools
• “SANS / ISO, FMEA, best practices”
• Can be administrative, personnel, technical or physical
Develop Strategy
• This is the “value” of the final deliverable
• Make suggestions for areas of improvement
• DO NOT RELY ON VENDOR TOOLS
• Research like crazy; contact your support network
• Make sure it is easy to digest and accomplish
Context
• How do you determine what is “at risk” and what is not?
• Low, medium, high
• Scale of 1-10
• Red, yellow, green
• Ultimately it comes down to applying the threat profile to the asset to determine the level of risk
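The “apply the threat profile to the asset” step, as an added worked example written for this page (it is not course material and not an OCTAVE artifact). It assumes a constructed 1-5 scale for asset value, exposure, threat likelihood and vulnerability, a constructed way of combining them, and a constructed sample inventory; it shows the same rating expressed on all three scales the slide lists (1-10, low/medium/high, red/yellow/green) and re-scores a risk after a proposed mitigation to support the accept-or-mitigate decision.

```python
"""Applying a threat profile to an asset to rate risk (added example).

Illustrative code written for this page, not part of the course material.
The scales, the combining rule and the sample assets/threats are
constructed; a real assessment takes them from the threat profiles and
asset valuation gathered during the engagement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int      # 1 (negligible) .. 5 (mission critical); constructed scale
    exposure: int   # 1 (isolated) .. 5 (public / internet-facing); constructed scale


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1 (rare) .. 5 (expected); constructed scale
    vulnerability: int  # 1 (no known weakness) .. 5 (known, unmitigated weakness)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Rate the pairing on the 1-10 scale.

    Likelihood is the mean of threat likelihood, vulnerability and asset
    exposure (each 1..5); impact is the asset value (1..5). The 1..25
    product is rescaled to 1..10 and clamped to that range.
    """
    likelihood = (threat.likelihood + threat.vulnerability + asset.exposure) / 3
    raw = asset.value * likelihood
    return max(1, min(10, round(raw * 10 / 25)))


def risk_level(score: int) -> str:
    """Map the 1-10 score onto the low / medium / high scale."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


# Colour presentation of the same three bands.
COLOR = {"Low": "Green", "Medium": "Yellow", "High": "Red"}


def characterize(assets, threats):
    """Apply every threat to every asset; rows are sorted worst-first.

    Each row carries all three presentations of one rating so the
    deliverable can use whichever scale the client prefers.
    """
    rows = []
    for asset in assets:
        for threat in threats:
            score = risk_score(asset, threat)
            level = risk_level(score)
            rows.append((asset.name, threat.name, score, level, COLOR[level]))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def residual_score(asset: Asset, threat: Threat, vulnerability_after: int) -> int:
    """Re-score after a proposed mitigation lowers the vulnerability rating.

    Supports the accept-or-mitigate decision: if the residual rating is
    acceptable, the recommendation is worth the cost of the fix.
    """
    mitigated = Threat(threat.name, threat.likelihood, vulnerability_after)
    return risk_score(asset, mitigated)


# Constructed sample inventory, for demonstration only.
ASSETS = [
    Asset("Customer database", value=5, exposure=3),
    Asset("Lobby visitor kiosk", value=1, exposure=4),
]
THREATS = [
    Threat("External attacker over the network", likelihood=4, vulnerability=4),
    Threat("Insider accidental disclosure", likelihood=3, vulnerability=2),
    Threat("Physical theft of equipment", likelihood=2, vulnerability=3),
]

if __name__ == "__main__":
    for asset, threat, score, level, color in characterize(ASSETS, THREATS):
        print(f"{asset:22} {threat:38} {score:2}/10  {level:6} {color}")
    db, ext = ASSETS[0], THREATS[0]
    after = residual_score(db, ext, 1)
    print("Residual after mitigation (vulnerability 4 -> 1):", after, risk_level(after))
```

Running the block prints the characterized risk register worst-first (the customer database against the network attacker rates 7/10, High, Red) and then shows that lowering that pairing’s vulnerability rating to 1 brings it down to 5/10, Medium, which is the kind of before/after figure a recommendation in the final deliverable should carry.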
Session #7
Risk Assessment Planning Overview
RA Process Elements
• Identify Organizational Information
• Build Asset-based Threat Profiles
• Identify Infrastructure Vulnerabilities
• Develop Protection Strategy
OCTAVE Methodology
Identify Organizational Information
• Identify information-related assets
• Select those that are most critical to the organization
• Evaluate current security practices to identify what the company is doing well
• Identify which practices are missing or inadequate
Build Threat Profiles
• Identify security requirements for critical assets
• Identify threats to those assets
• Based on the business mission of the organization
Infrastructure Vulnerabilities
• Identify components to evaluate
• Develop a vulnerability management practice
• Find problems linked with technology and processes
Develop Protection Strategy
• Identify risks to the organization’s critical assets
• Evaluate the risks to establish a value for the resulting impact on the assets
• Decide whether to accept or mitigate each risk
• Select the highest-priority actions
• Develop the protection strategy for those priorities
Risk Assessment / Management Decision Process
(Flow diagram; stages as they appear on the slide:)
New Management Needs → Risk Assessment:
– Problem Formulation
– Planning - Analysis: Scoping, Risk Characterization, Economic – Social Analysis
→ Decision
Objects of the RA
• Mission
• Systems Description
• Assets
• Sensitivity
• Criticality
• Vulnerabilities
• Threats
• Safeguards
RA Planning
• Figure out where data needs to come from:
– Info needed before the on-site visit
– Collect info from public sources
– Work on WBS tasks
– Decide interview schedule and personnel
• Stay true to the SOW:
– Watch time investment
– Always match actions to goals
– Avoid SOW creep
Pre Site Visit Goals
• Confirm the client’s goals with the delivery team
• Connect the sponsor with the delivery team lead
• Establish escalation procedures and contact personnel
• Goal is to get the client comfortable with:
– Approach
– Needs
– Consultants doing the work
– Process for moving the project to conclusion
Pre Site Visit Information
• Policies
• Infrastructure architecture drawings / maps
• Administrator passwords
• Org chart
• Secure workspace
• Budget information
• Mission statements
Document Review
• Access logs - system, maintenance, and visitor
• Incident reports
• Documents - plans, policies, and procedures
• Previous risk assessments
• Continuity of operations plans
• Contingency reports
• Directories
• Inventory records
• Floor plans
• Organization charts
• Mission statements
• System and network configurations
On Site Process
• Hold a meeting ASAP to introduce the players, state objectives and discuss the process
• Collect the information requested in the pre-site visit process
• Discuss the interview process, scheduling and targets:
– Line up personnel to interview
– Have questions already prepared
– Run interviews in parallel with other data collection techniques
Initial On Site Process
• Need to discuss facility access:
– After-hours building access needed
– Normal business hours access required
– Badges may be needed; get them
– Understand departmental work hours
– Get a facilities tour: restrooms, cafeteria, sponsor’s office, work area, off-limit areas
Initial On Site Activity
• Start scans
• Arrange interviews
• Perform facility walkthrough
• Examine policies
• Dumpster dive
• Printer output trays
• Open desk areas