July 1, 2004. Computer Security: Art and Science, ©2002-2004 Matt Bishop. Slide deck: Risk Management

Posted on 17-Jan-2018


July 1, 2004 Computer Security: Art and Science ©2002-2004 Matt Bishop

Slide #1-1

Risk Management Process

• Frame = context, strategies
• Assess = determine risk
• Respond = evaluate & implement approaches
• Monitor = detect failures, changes

Slide #1-2

Risk Management Process

[Figure: the four activities Frame, Assess, Respond and Monitor arranged as a cycle, connected by information flows]

Slide #1-3

Risk Assessment Supports

• Develop information security architecture
• Develop security solutions
  – Controls, products, procedures, configurations
• Authorizations
• Modifications of organization processes
• Implementation of security solutions
• Operation and maintenance

Slide #1-4

Risk Concepts

• Measure that combines
  – Potential for loss/harm
  – Impact of loss/harm
  – Likelihood of various forms of loss/harm

Slide #1-5

Overall Process

• Identify and Classify Assets
  – What are we protecting? How are they important?
• Identify Exposures and Threats
  – What would be bad? How could it happen?
• Identify Vulnerabilities and Threat Sources
  – Who or what could cause loss, and how?
• Determine Policies and Controls
  – What should be allowed and what disallowed?
  – How will the policies be enforced?
• Implement and Monitor
  – Deploy controls and use them; gain experience to update them as needed (p.r.n.)

Slide #1-6

Risk Framing Components

[Figure: the Organizational Risk Frame (assumptions, constraints, priorities, trade-offs, risk tolerance, uncertainty) determines the Risk Assessment Methodology, which comprises the Risk Model, the Assessment Approach, the Analysis Approach and the Risk Assessment Process]

• Establishes foundation
• Delineates boundaries for decisions

Slides #1-7 and #1-8

Risk Model

• Determines risk factors
  – Inputs to determination of risk
• Threats/threat shifting
  – Sources, events, scenarios, responses
• Vulnerabilities, predispositions
• Likelihoods
  – Intent, capability, targeting
• Impacts
• Risk, aggregation
• Uncertainty

Slide #1-9

Generic Risk Model

[Figure: Generic Risk Model]
  Threat Source
    --initiates (with likelihood of initiation)-->
  Threat Event
    --exploits (with likelihood of success)-->
  Vulnerability (with severity), in the context of
    Predisposing Conditions (with pervasiveness) and
    Controls (with effectiveness)
    --causes-->
  Adverse Impact (with degree)
    --producing-->
  Organizational Risk

Slide #1-10

Risk Assessment Approaches

• Quantitative
  – Numerical
• Qualitative
  – E.g., low, moderate, high
• Semi-quantitative
  – Bins, scales
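The generic risk model (threat source initiates a threat event, which exploits a vulnerability in the context of predisposing conditions and controls, causing an adverse impact that produces organizational risk) carried through semi-quantitatively, as an added example that is not part of the slides or of any NIST document. The 0-4 bins, the scenario fields and the rules that combine them are assumptions made for illustration; the two scenarios are constructed.

```python
# Added example (not from the slides): semi-quantitative pass through the generic
# risk model of slides #1-9/#1-10. The 0-4 bins and combination rules are assumed.
from dataclasses import dataclass

BINS = ("very low", "low", "moderate", "high", "very high")  # assumed 0..4 scale

def to_bin(score: int) -> str:
    if not 0 <= score <= 4:
        raise ValueError(f"score {score} is outside the assumed 0-4 scale")
    return BINS[score]

@dataclass(frozen=True)
class ThreatScenario:
    name: str
    likelihood_of_initiation: int    # threat source initiates the threat event
    vulnerability_severity: int      # severity of the weakness on its own
    control_effectiveness: int       # how well in-place controls counter it
    predisposing_pervasiveness: int  # how widespread the predisposing condition is
    impact_degree: int               # degree of adverse impact if the event succeeds

def likelihood_of_success(s: ThreatScenario) -> int:
    """Assumed rule: severity, raised by pervasive predisposing conditions and
    lowered by effective controls, clamped to the 0-4 scale."""
    raw = s.vulnerability_severity + (s.predisposing_pervasiveness - 2) - (s.control_effectiveness - 2)
    return max(0, min(4, raw))

def overall_likelihood(s: ThreatScenario) -> int:
    """Assumed rule: the event must be both initiated and succeed, so the
    overall likelihood is bounded by the weaker of the two."""
    return min(s.likelihood_of_initiation, likelihood_of_success(s))

def risk_score(s: ThreatScenario) -> int:
    """Assumed rule: risk = mean of overall likelihood and impact, rounded up."""
    return (overall_likelihood(s) + s.impact_degree + 1) // 2

def organizational_risk(scenarios) -> dict:
    """Per-scenario risk bins for traceability, plus the organizational risk
    aggregated as the high-water mark (max) across scenarios."""
    if not scenarios:
        raise ValueError("need at least one threat scenario")
    per = {s.name: to_bin(risk_score(s)) for s in scenarios}
    return {"scenarios": per,
            "organizational": to_bin(max(risk_score(s) for s in scenarios))}

if __name__ == "__main__":
    # Constructed scenarios: poorly controlled weakness vs. well-controlled severe bug.
    a = ThreatScenario("unpatched server, weak controls", 4, 3, 1, 3, 4)
    b = ThreatScenario("severe bug, strong controls", 1, 4, 4, 2, 3)
    print(organizational_risk([a, b]))
```

Changing a single field (say, raising control_effectiveness) and re-running shows which link of the chain actually drives the organizational level, which is the point of keeping every factor explicit rather than assigning one overall number.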

Slide #1-11

Risk Analysis Approaches

• Threat-oriented
  – What can cause harm/loss?
  – What are the sources, capabilities, inclinations?
• Asset-oriented
  – What are the assets, processes, impacts?
• Vulnerability-oriented
  – What are the weaknesses?
  – Can they be exploited?

Slide #1-12

Risk Management Hierarchy

[Figure: three tiers, with strategic risk at the top and tactical risk at the bottom]
  Tier 1: Organization
  Tier 2: Mission/Business Processes
  Tier 3: Information Systems

• Traceability & Transparency of Risk-based Decisions
• Inter-Tier and Intra-Tier Communications
• Organization-wide Risk Awareness
• Feedback Loop for Continuous Improvement

Slides #1-13 and #1-14

Risk Management Framework

• Categorize
  – Assets, threats, vulnerabilities
• Select
  – Controls
• Implement
• Assess
• Authorize
• Monitor
• Repeat!

[Figure: the framework as a security life cycle: Categorize Info Systems -> Select Controls -> Implement Security Controls -> Assess Controls -> Authorize Info Systems -> Monitor Security Controls -> back to Categorize]
  Architecture Description inputs: Mission/Business Processes; FEA Reference Models; Segment and Solution Architecture; Info System Boundaries
  Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals & Objectives; Information Security Requirements; Priorities and Resources Available

Slide #1-15

Categorizing Information Systems

• Determine types of information handled
  – NIST SP 800-60
• Determine impact values (FIPS-199)
  – Low, medium, high impact
• Security Category = {(C, ic), (I, ii), (A, ia)}
  – Confidentiality, Integrity, Availability impacts
  – Impacts may not be the same
• Overall impact is high-water mark (max)
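The categorization rule above, as an added example that is not from the slides: each objective's impact is the high-water mark across the information types the system handles, and the overall impact is the high-water mark over C, I and A. It uses FIPS 199's term "moderate" for the slide's "medium"; the information types and their levels are constructed, not taken from NIST SP 800-60.

```python
# Added example (not from the slides): FIPS 199 categorization with the
# high-water mark rule of slide #1-15. Sample information types are constructed.
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order (the slide's "medium" = "moderate").
LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

def _check(level: str) -> str:
    if level not in RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level

def high_water_mark(levels) -> str:
    """Return the highest impact level present (max by rank)."""
    return max((_check(lvl) for lvl in levels), key=RANK.__getitem__)

def system_category(info_types) -> dict:
    """Security Category = {(C, ic), (I, ii), (A, ia)}: for each objective, take
    the high-water mark across every information type the system handles."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        "C": high_water_mark(t.confidentiality for t in info_types),
        "I": high_water_mark(t.integrity for t in info_types),
        "A": high_water_mark(t.availability for t in info_types),
    }

def overall_impact(category: dict) -> str:
    """Overall system impact level = high-water mark over the C, I and A impacts."""
    return high_water_mark(category.values())

if __name__ == "__main__":
    # Constructed sample: two information types whose objectives differ, which
    # is why the C, I and A impacts of the system "may not be the same".
    system = [
        InfoType("public web content", "low", "moderate", "moderate"),
        InfoType("personnel records", "high", "moderate", "low"),
    ]
    cat = system_category(system)
    print(cat)                  # {'C': 'high', 'I': 'moderate', 'A': 'moderate'}
    print(overall_impact(cat))  # high
```

The per-objective result is what drives baseline selection on the later slides (a high confidentiality impact pulls in high-baseline controls even though availability is only moderate), while the overall level is the single value used for the system's impact designation.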

Slide #1-16

Control Families

From NIST SP 800-53:
• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Security Assessment and Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)

Slide #1-17

Control Families (cont.)

• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental (PE)
• Planning (PL)
• Personnel Security (PS)

Slide #1-18

Control Families (cont.)

• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Program Management (PM)

Slides #1-19 through #1-24

Security Control Structure

• Control Section
  – Prescribes actions/activities for the control
• Supplemental Guidance Section
  – Non-prescriptive information
• Control Enhancements
  – Ways to add functionality/specificity and/or
  – Increase strength of the control
• References
  – Includes relevant laws, directives, etc.
• Priority and Baseline Allocation
  – Priority code indicates order of sequencing for decisions and for implementation/deployment
  – Allocation (with enhancements) for each impact level (should it be used, and with which enhancements)

Slide #1-25

Security Controls

May involve aspects of:
• Policy
• Oversight
• Supervision
• Manual processes
• Actions by people
• Automated mechanisms

Slide #1-26

Security Control Selection

• Select Security Control Baselines
  – Based on system impact level
• Review assumptions/environment
• Tailor Baseline Security Controls
• Create Overlays (if needed)
  – Community-wide and specialized control sets
• Document Security Control Decisions

Slides #1-27 and #1-28

Security Control Tailoring

• Identify and Designate Common Controls
• Apply Scoping Considerations
  – Control allocation and placement
  – Operational/environmental considerations
  – Security objective-related considerations
  – Technology-related considerations
  – Mission requirement-related considerations
• Select Compensating Controls
• Assign Security Control Parameter Values
• Supplement Security Control Baselines
• Provide Additional Specification Information for Control Implementation

Slide #1-29

Risk Assessment Process

• Prepare using framework
• Identify threat sources and events
• Identify vulnerabilities and predispositions
• Determine likelihood of occurrence
• Determine magnitude of impact
• Determine risk
• Communicate results
• Maintain assessment

Slide #1-30

Key Points

• Security is all about risk management
  – There are no absolutes!
• Important to identify assets, processes
  – Know what you are trying to protect and why!
• Important to know threats, vulnerabilities
  – What can go wrong? How likely?
• Impact and likelihood lead to tradeoffs
  – Selection and implementation of controls
• Security is not an event, it is a process!
