Process for Analysis - PowerPoint PPT Presentation

About This Presentation
Title:

Process for Analysis

Description:

Process for Analysis: Choose a standard / type (Qualitative / Quantitative, or Formal / Informal); Select access controls; Match outcome to project objectives – PowerPoint PPT presentation

Slides: 22
Provided by: bestitdo8

Transcript and Presenter's Notes

Title: Process for Analysis


1
Process for Analysis
  • Choose a standard / type: Qualitative / Quantitative, or Formal / Informal
  • Select access controls
  • Match outcome to project objectives
  • Provide guidance for improvement

2
Outcome Framework Example
  • Build Asset-based Threat profiles
  • Identify Infrastructure vulnerabilities
  • Develop security strategy and plans
  • Measure adherence to policies?
  • Recommend mitigation strategies

3
Build Profiles
  • Profiles are guides to help frame recommendations
  • Threat
  • Vulnerability
  • Exposure
  • Assets
  • Value
  • Processes
  • Etc.
  • Good way to organize information (current state)

4
Identify Vulnerabilities
  • CVE
  • ICAT
  • Cassandra
  • Vendor tools
  • SANS / ISO, FMEA, best practices
  • Can be administrative, personnel, technical or
    physical

5
Develop Strategy
  • This is the value of the final deliverable
  • Make suggestions for areas of improvement
  • DO NOT RELY ON VENDOR TOOLS
  • Research like crazy; contact your support network
  • Make sure the deliverable is easy to digest and accomplish

6
Context
  • How do you determine what is at risk and what
    is not?
  • Low, medium, high
  • Scale of 1-10
  • Red, Yellow, green
  • Ultimately it comes down to applying the threat
    profile to the asset to determine the level of risk

7
Session 7
  • Risk Assessment Planning Overview

8
RA Process Elements
  • Identify Organizational Information
  • Build Asset-based Threat Profiles
  • Identify Infrastructure Vulnerabilities
  • Develop Protection Strategy

OCTAVE Methodology
9
Identify Organizational Information
  • Identify information-related assets
  • Select those that are most critical to the
    organization
  • Evaluate current security practices to identify
    what the company is doing well
  • Identify which practices are missing or inadequate

10
Build Threat Profiles
  • Identify security requirements for critical
    assets
  • Identify threats to those assets
  • Based on business mission of organization

11
Infrastructure Vulnerabilities
  • Identify components to evaluate
  • Develop a vulnerability management practice
  • Find problems linked with technology and processes

12
Develop Protection Strategy
  • Identify risks to the organization's critical
    assets
  • Evaluate the risks to establish a value for the
    resulting impact on the assets
  • Decide whether to accept or mitigate each risk
  • Select the highest-priority actions
  • Develop the protection strategy for those priorities
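The rating step from the Context slide (threat profile applied to asset, expressed on a 1-10 scale and as Low/Medium/High or Red/Yellow/Green) and the accept-or-mitigate prioritisation on this slide, as an added example that is not part of the original presentation. The 1-5 input scales, the score mapping, the band thresholds and the sample assets and threats are all constructed assumptions.

```python
"""Asset-based risk rating and protection-strategy prioritisation.
Added example; scales, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from math import ceil


@dataclass
class Asset:
    name: str
    value: int          # criticality / value to the mission, 1-5 (assumed)


@dataclass
class Threat:
    source: str
    likelihood: int     # how likely the threat acts, 1-5 (assumed)
    vulnerability: int  # exposure / ease of exploitation, 1-5 (assumed)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Apply the threat profile to the asset and map onto a 1-10 scale."""
    raw = asset.value * threat.likelihood * threat.vulnerability  # 1..125
    return ceil(raw * 10 / 125)


def risk_band(score: int) -> tuple:
    """Translate the 1-10 score into Low/Medium/High and Green/Yellow/Red."""
    if score >= 7:
        return ("High", "Red")
    if score >= 4:
        return ("Medium", "Yellow")
    return ("Low", "Green")


def protection_plan(pairs, mitigate_at: int = 4) -> list:
    """Rate every asset/threat pair, decide accept vs mitigate, and
    order the result so the highest-priority actions come first."""
    rows = []
    for asset, threat in pairs:
        score = risk_score(asset, threat)
        level, colour = risk_band(score)
        rows.append({"asset": asset.name, "threat": threat.source,
                     "score": score, "level": level, "colour": colour,
                     "decision": "mitigate" if score >= mitigate_at else "accept"})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (not from any real assessment)
SAMPLE = [
    (Asset("customer database", 5), Threat("external attacker", 4, 4)),
    (Asset("lobby kiosk", 1), Threat("visitor tampering", 3, 3)),
    (Asset("payroll server", 4), Threat("insider misuse", 3, 4)),
]

if __name__ == "__main__":
    for row in protection_plan(SAMPLE):
        print(row)
```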

13
Risk Assessment / Management Decision Process
14
Objects of the RA
  • Mission
  • Systems Description
  • Assets
  • Sensitivity
  • Criticality
  • Vulnerabilities
  • Threats
  • Safeguards

15
RA Planning
  • Figure out where data needs to come from
  • Info needed before on site visit
  • Collect info from public sources
  • Work on WBS tasks
  • Decide interview schedule and personnel
  • Stay true to SOW
  • Watch time investment
  • Always match actions to goals
  • Avoid SOW creep

16
Pre Site Visit Goals
  • Confirm the client's goals with the delivery team
  • Connect Sponsor with delivery team lead
  • Establish escalation procedures and contact
    personnel
  • Goal is to get the client comfortable with:
  • Approach
  • Needs
  • Consultants doing work
  • Process for moving project to conclusion

17
Pre Site Visit Information
  • Policies
  • Infrastructure Architecture Drawing / maps
  • Administrator passwords
  • Org Chart
  • Secure workspace
  • Budget information
  • Mission statements

18
Document Review
  • Access Logs - System, Maintenance, and Visitor
  • Incident Reports
  • Documents - Plans, Policies, and Procedures
  • Previous Risk Assessments
  • Continuity of Operations Plans
  • Contingency Reports
  • Directories
  • Inventory Records
  • Floor Plans
  • Organization Charts
  • Mission Statements
  • System and Network Configurations

19
On Site Process
  • Hold a meeting ASAP to introduce players, state
    objectives and discuss process
  • Collect information requested in pre-site visit
    process
  • Discuss interview process, scheduling and
    targets
  • Line up personnel to interview
  • Have questions already prepared
  • Run interviews in parallel to other data
    collection techniques

20
Initial On Site Process
  • Need to discuss facility access
  • After hours building access needed
  • Normal business hours access required
  • Badges may be needed; get them
  • Understand departmental work hours
  • Get a facilities tour:
  • Restrooms
  • Cafeteria
  • Sponsor's office
  • Work Area
  • Off limit areas

21
Initial On Site Activity
  • Start scans
  • Arrange interviews
  • Perform facility walkthrough
  • Examine Policies
  • Dumpster dive
  • Printer output trays
  • Open desk areas