Title: Allan Haverkamp
1 Risk Assessment
Allan Haverkamp, Project Manager, Kansas Department of Transportation
2 Risk Assessment
Background
3 Risk Assessment
What is risk?
What is risk management?
What are the methods to mitigate risk?
4 Risk Management Methodology References
- National Institute of Standards and Technology, Risk Management Guide for Information Technology Systems, Publication 800-30
- National Electronic Commerce Coordinating Council, White Paper on Identity Management
- Office of Management and Budget, E-authentication Guidance for Federal Agencies
- Carnegie Mellon, Governing for Enterprise Security
- Verisign, Holistic approach to Identity Management
- Oracle
5 Risk Assessment
Definitions
Authentication: Focuses on confirming a person's identity, based on the reliability of his or her credential. (OMB)
Two types of Authentication: Identity authentication confirms a person's unique identity. Attribute authentication confirms that the person belongs to a particular group (such as military veterans or U.S. citizens). (OMB)
Authorization: Focuses on identifying the person's user permissions. It involves the actions permitted of an identity after authentication has taken place. (OMB)
Transaction: A discrete event between user and systems that supports a business or programmatic purpose. (OMB)
6 Risk Assessment
NIST: Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. NIST has developed a nine-step risk assessment process which results in a High, Medium or Low score.
Risk Mitigation
NIST: Involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
Evaluation and Assessment
NIST: Changes will occur, new risks will surface, and risks previously mitigated may become a concern. Thus, the risk management process is ongoing and evolving.
7 Kansas PMM Risk Control Cycle
- Risk Management
- Risk Identification
- Risk Tracking and Reviewing
- Risk Assessment
- Risk Mitigation and Contingency Planning
NIST 9-Step Risk Assessment results in a High, Medium or Low Risk Assessment Score
8 Risk Assessment
A Method for Kansas State Agencies
9 Risk Assessment
Risk level is determined by two factors: 1) the potential for harm or impact, and 2) the probability of such harm or impact.
Categories of Harm
- Inconvenience, distress or damage to standing or reputation
- Financial loss or agency liability
- Harm to agency programs or public interests
- Unauthorized release of sensitive information
- Personal safety
- Civil or criminal violations
- Binding Transactions (Non-repudiation)
10 Risk Assessment
Potential Impacts: Low, Moderate, High
Each of the categories of harm is evaluated for its potential impact.
For example, the Financial Loss or Agency Liability category of harm is assessed against:
- Low: at worst, an insignificant unrecoverable loss to any party, or at worst an insignificant agency liability
- Moderate: at worst, a serious unrecoverable financial loss to any party, or serious agency liability
- High: severe or catastrophic unrecoverable loss to any party, or severe or catastrophic agency liability
11 Risk Level Matrix
12 Maximum Impacts For Each Authentication Assurance Level
13 Risk Assessment
Acceptable Authentication Methods
Once the risks are identified and impact is determined, the level of authentication assurance may be determined.
Level 1: Little or no confidence exists in the asserted identity.
Level 2: Confidence exists that the asserted identity is accurate.
- PIN and Strong Password and/or PKI Certificate (Level 2)
- Physical Vetting
- RA to LRA Agreement
- LRA to Business Partner Agreement
- Individual Subscriber Agreement
Level 3: Appropriate for transactions needing high confidence in the asserted identity or authorization.
Level 4: Appropriate for transactions needing very high confidence in the asserted identity or authorization.
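The method of slides 9 through 13 (impact and probability per category of harm, combined into a risk level, then the maximum impact driving the assurance level), worked through as an added Python example that is not part of the deck. The likelihood weights, impact values and risk scale are taken from the NIST SP 800-30 risk-level matrix the deck cites, and the per-category impact ceilings for assurance levels 1 to 4 follow the OMB E-Authentication Guidance it also cites; the ceilings for the Kansas-specific "Binding Transactions" category and the sample transaction are assumptions.

```python
# Added example, not from the deck. Likelihood weights, impact values and the
# risk scale follow the NIST SP 800-30 risk-level matrix the deck cites; the
# impact ceilings per assurance level follow OMB E-Authentication Guidance.
from typing import Dict, Tuple

LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}        # NIST 800-30 weights
IMPACT = {"N/A": 0, "Low": 10, "Moderate": 50, "High": 100}  # NIST 800-30 values
IMPACT_RANK = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Highest impact each assurance level (1..4) may carry, per category of harm.
MAX_IMPACT = {
    "Inconvenience, distress or damage to standing or reputation":
        ("Low", "Moderate", "Moderate", "High"),
    "Financial loss or agency liability": ("Low", "Moderate", "Moderate", "High"),
    "Harm to agency programs or public interests": ("N/A", "Low", "Moderate", "High"),
    "Unauthorized release of sensitive information": ("N/A", "Low", "Moderate", "High"),
    "Personal safety": ("N/A", "N/A", "Low", "High"),
    "Civil or criminal violations": ("N/A", "Low", "Moderate", "High"),
    # ASSUMED: the deck's Kansas-specific category is not in the OMB table.
    "Binding Transactions (Non-repudiation)": ("N/A", "Low", "Moderate", "High"),
}

def risk_level(impact: str, likelihood: str) -> str:
    """Deck's two factors combined via the NIST matrix: >50 High, >10 Medium, else Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def assurance_level(category: str, impact: str) -> int:
    """Lowest assurance level whose ceiling for this category covers the impact."""
    return next(level for level, ceiling in enumerate(MAX_IMPACT[category], 1)
                if IMPACT_RANK[ceiling] >= IMPACT_RANK[impact])

def assess(transaction: Dict[str, Tuple[str, str]]) -> Tuple[str, int]:
    """Return (overall risk level, minimum assurance level); unlisted categories are N/A."""
    worst, needed = "Low", 1
    for category, (impact, likelihood) in transaction.items():
        level = risk_level(impact, likelihood)
        if RISK_RANK[level] > RISK_RANK[worst]:
            worst = level
        needed = max(needed, assurance_level(category, impact))
    return worst, needed

# Constructed sample transaction (not from the deck): an online permit renewal.
PERMIT_RENEWAL = {
    "Inconvenience, distress or damage to standing or reputation": ("Low", "High"),
    "Financial loss or agency liability": ("Moderate", "Medium"),
    "Unauthorized release of sensitive information": ("Moderate", "Low"),
}
# assess(PERMIT_RENEWAL) -> ("Medium", 3)
```

Note that the overall risk level and the required assurance level answer different questions: a Low-probability Moderate impact in the sensitive-information category scores Low risk yet still pushes the transaction to Level 3, because the assurance level is driven by impact alone.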
14 Access Management is only one portion of Risk Mitigation
Access Management Methods
- ID Badges
- Biometrics
- Key Cards
- Kansas PKI
- User ID Password
- Smart Cards
- PINs
- Tokens
Each access method includes policies surrounding its usage within an agency.
15 State's Current Risk Assessment
Risk Assessment
- Project Management Methodology/ITEC Policy 4310
- Focused on Project Success
- Makes an assessment of the risk and likely impact upon the project scope, budget and schedule
- Strategic, Financial, Project Mgmt, Technology and Operational Risks
- Default IT Security Requirements
- Focused on Network Vulnerability and Risk
- Provides General Guidelines
- References NIST 800-30
- Agencies could benefit from similar guidance to assess the level of security risk of individual applications to assist with determining an appropriate access method.
16 Risk Assessment
- Attempts to compromise state information are ongoing and will continue to become more sophisticated.
- A Risk Management methodology will help identify the risks and determine the level of security to warrant one access method over another.
17 Access Method Policies and Procedures are necessary for an Identity Management Strategy
Identity Management Policies and Procedures
- ID Badge Procedures
- Biometrics Procedures
- Key Card Procedures
- Privacy Policy
- User ID Password Procedures
- PKI Certificate Policy
- Records Mgmt Policy
- Smart Card Procedures
- PIN Procedures
- Token Procedures
Effective Identity Management is the cradle-to-grave set of procedures associated with internal and external users and their access methods.
18 Discussion
The bogey man IS out there trying to get in.
It's our job to keep them OUT!