National Webcast Initiative
Performing a Cyber Security Risk Assessment
Why? When? and How?
Cyber Security Workshop
August 26, 2004
3:00pm – 4:00pm Eastern
William F. Pelgrin
• Joint partnership between the MS-ISAC and DHS US-CERT
• Coordinated through the New York State Office of Cyber Security and Critical Infrastructure Coordination and the New York State Forum
Webcast Attendees
• 94 Federal Government
• 491 State Government
• 117 Local Government
• 145 Academia, non-profit
Current Listing of Vendors Interested In Participation
• Accenture
• AT&T
• Aon
• Computer Associates
• CDW-G
• CGI
• CMA
• D&D Consulting
• Ernst & Young
• Gartner
• HP
• IIC
• Jay Dee Systems
• Keane
• Microsoft
• Nortel Networks
• Novell
• NYSTEC
• Oracle
• SAIC
• SAS
• Sybase
• Symantec
• Veritas
This listing will continue to evolve over time.
Today’s Speakers
3:00pm-3:15pm: Introduction and Opening Remarks
• William Pelgrin, Chair of the Multi-State ISAC; Director, New York State Office of Cyber Security and Critical Infrastructure Coordination
• Lawrence C. Hale, Deputy Director, National Cyber Security Division, US-CERT, Department of Homeland Security
3:15pm-4:00pm: Performing a Cyber Security Risk Assessment
• Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young
• Rick Trapp, Vice President, Product Management, Computer Associates
US-CERT
US-CERT was established in September 2003 and is the operational arm of the National Cyber Security Division at the Department of Homeland Security.
US-CERT is the nation’s focal point for preventing, protecting against, and responding to cyber security threats and vulnerabilities. US-CERT interacts with all federal agencies, private industry, the research community, state and local governments, and others on a 24x7 basis to disseminate timely and actionable cyber security information.
US-CERT and the Multi-State ISAC are working together on a number of programs, including this webcast series, to help enhance our Nation’s cyber security readiness and response. The Multi-State ISAC has recently become a member of the HSIN/US-CERT portal, which provides a secure mechanism for sharing information between and among partners, improving cyber preparedness, readiness and response capabilities.
US-CERT also hosts a public website, at www.us-cert.gov, which provides a wealth of information regarding cyber security: helpful tips for protecting against cyber security threats, cyber security alerts and bulletins, and the ability to sign up to receive free cyber security alerts via email.
Graeme Payne, Ernst & Young
CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions
Rick Trapp, Computer Associates
Vice President, Product Management
Today’s Objectives
• Identify reasons for performing a CyberSecurity Risk Assessment
• Identify key components of a CyberSecurity Risk Assessment
• Understand considerations in performing a CyberSecurity Risk Assessment
Today’s Agenda
• Developing a Common Language
• Why Perform Cyber Security Assessments?
• When to Perform a CyberSecurity Risk Assessment?
• How to Perform a CyberSecurity Risk Assessment
• Q&A
Developing a Common Language
What is a Risk Assessment? (Source: GAO/AIMD-00-33)
Definitions (refer to the Glossary of Terms):
• Customers
• Hackers
• Partners
• Malware
• Contractors
• Spam
Why Perform CyberSecurity Risk Assessments?
The Need for CyberSecurity Risk Assessments
• Reported vulnerabilities rose from 417 in 1999 to 3,784 in 2003 (CERT Coordination Center)
• 2004 CSI/FBI Computer Crime and Security Survey respondents reported nearly $142 million in total losses as a result of computer security incidents
Objectives of a CyberSecurity Risk Assessment
• Baseline
  • Where am I today?
  • What controls do I have in place?
• Evaluate effectiveness of security controls
  • Where do I want to be?
  • Identify gaps or opportunities for improvement
• Establish awareness of threats and vulnerabilities
• Lay foundation for development of security improvement plan
When to Perform a CyberSecurity Risk Assessment
When to Perform
• Periodic
  • Often event driven
  • Typically year-over-year comparison
  • Generally labor-intensive
  • Most organizations start with periodic assessments
• Continuous
  • Part of the normal workflow
  • Provides “real-time” risk view
  • Often supported by technology and analysis tools
  • Integrated with other IT/business processes
How to Perform a CyberSecurity Risk Assessment
Key Steps
1. Define the objectives
2. Define deliverables
3. Establish workplan
4. Perform assessment
5. Review results and develop risk mitigation plans
6. Plan next assessment (steps 1-5)
1. Define the Objectives
Consideration | Examples
Scope of assessment | High level – identify gaps in policies and practices; Detailed – identify risks for specific assets
Standards to be applied | ISO17799; HIPAA, GLBA; NIST
Coverage | Comprehensive; Representative sample
2. Determine the Deliverables
Consideration | Examples
Intended audience | Executive – business impact; Operational – technical focus
Format | Technical Report; Summary Presentation; Risk Database
Distribution | Internal; External – consider sensitivity
3. Establish the Workplan
Consideration | Examples
Documents to be reviewed | Policies, standards, procedures; System configuration; Application design standards
Interviews | Executive management; Operations; Business units; 3rd Parties
Technical procedures | Asset discovery and valuation; Threat analysis; Vulnerability analysis
3. Establish the Workplan (cont’d)
Consideration | Examples
Assessment tools | Asset inventory; Configuration validation; Vulnerability assessment; Penetration testing; Password auditing; Process modeling; Documentation tools
Resources | Internal; External
4. Perform the Risk Assessment
Activity | Example Worksteps
Characterize System/Area | Interview system owner; Review system documents
Identify Threats | Use threat checklist; Review external sources
Identify Vulnerabilities | Review vulnerability sources; Perform security testing
Identify Controls | Review security requirements checklist; Review system documents
Assess Risk | Prepare likelihood/impact matrix
5. Review Results and Develop Mitigation Plans
Risk Treatment | Examples
Accept the risk | Trust employees to “do right thing”; X% downtime
Reduce impact of the risk | Implement controls; Add resilience
Avoid the risk | Shut down system or unit; Cancel contract
Transfer the risk | Purchase insurance; Outsource
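To show how the step 4 worksteps feed step 5, here is an added example (not from the webcast or the presenters): a small worksheet that rates each asset/threat pair on a 3x3 likelihood/impact matrix and lists candidate treatments drawn from the four options above. The numeric scale weights, the level cut-offs, the treatment mapping and the sample rows are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Qualitative rating scales; the numeric weights are an assumption of this example.
SCALE = {"low": 1, "medium": 2, "high": 3}
ORDER = {"high": 0, "medium": 1, "low": 2}  # sort order for reporting


@dataclass
class RiskItem:
    """One worksheet row produced by the step 4 activities."""
    asset: str                                    # Characterize system/area
    threat: str                                   # Identify threats
    vulnerability: str                            # Identify vulnerabilities
    controls: list = field(default_factory=list)  # Identify controls (existing)
    likelihood: str = "medium"                    # rated with existing controls in mind
    impact: str = "medium"


def risk_level(likelihood: str, impact: str) -> str:
    """3x3 likelihood/impact matrix: product 1-2 = low, 3-4 = medium, 6-9 = high."""
    score = SCALE[likelihood] * SCALE[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def treatments(level: str) -> list:
    """Candidate treatments from the webcast's four options (mapping is assumed)."""
    return {"high": ["avoid", "reduce", "transfer"],
            "medium": ["reduce", "transfer"],
            "low": ["accept"]}[level]


def assess(items: list) -> list:
    """Return (asset, threat, level, controls, treatments) rows, highest risk first."""
    rows = [(i.asset, i.threat, risk_level(i.likelihood, i.impact), i.controls)
            for i in items]
    rows.sort(key=lambda r: ORDER[r[2]])  # stable sort keeps worksheet order within a level
    return [(a, t, lvl, ctl, treatments(lvl)) for a, t, lvl, ctl in rows]


# Constructed sample rows for demonstration, not findings from the webcast.
SAMPLE = [
    RiskItem("payroll server", "malware", "unpatched OS", ["antivirus"], "high", "high"),
    RiskItem("public web site", "hackers", "weak admin password", [], "medium", "medium"),
    RiskItem("mail gateway", "spam", "no content filtering", ["backups"], "high", "low"),
]

if __name__ == "__main__":
    for asset, threat, level, controls, options in assess(SAMPLE):
        print(f"{level:6} {asset:16} {threat:8} controls={controls} -> {', '.join(options)}")
```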
Next Steps
1. Perform High-Level Risk Assessment
2. Identify High Risk Areas
3. Design and Implement Mitigation Plans
4. Perform Detailed Risk Assessments
5. Integrate Risk Assessment into Other Processes
Questions?
Summary
• Developing a Common Language
• Why Perform Cyber Security Assessments?
• When to Perform a CyberSecurity Risk Assessment?
• How to Perform a CyberSecurity Risk Assessment
Thank you for participating
• Future webcast sessions will offer a variety of topics
• Please remain online to participate in an interactive series of survey questions
• Written Q and A to the presenters is available for the next 15 minutes
Thank You!
Thank you for attending this virtual learning session