July 1, 2004 Computer Security: Art and Science © 2002-2004 Matt Bishop
Risk Management Process
• Frame = context, strategies
• Assess = determine risk
• Respond = evaluate & implement approaches
• Monitor = detect failures, changes
Risk Management Process
[Figure: the four steps Frame, Assess, Respond, and Monitor arranged in a cycle, with information flows connecting each step to the others]
Risk Assessment Supports
• Develop information security architecture
• Develop security solutions
  – Controls, products, procedures, configurations
• Authorizations
• Modifications of organization processes
• Implementation of security solutions
• Operation and maintenance
Risk Concepts
• Measure that combines
  – Potential for loss/harm
  – Impact of loss/harm
  – Likelihood of various forms of loss/harm
Overall Process
• Identify and Classify Assets
  – What are we protecting? How are they important?
• Identify Exposures and Threats
  – What would be bad? How could it happen?
• Identify Vulnerabilities and Threat Sources
  – Who or what could cause loss, and how?
• Determine Policies and Controls
  – What should be allowed and what disallowed?
  – How will the policies be enforced?
• Implement and Monitor
  – Deploy controls and use them; gain experience to update them as needed
Risk Framing Components
[Figure: the Organizational Risk Frame (assumptions, constraints, priorities, trade-offs, risk tolerance, uncertainty) determines the Risk Assessment Methodology, which consists of a Risk Model, an Assessment Approach, and an Analysis Approach; the methodology in turn drives the Risk Assessment Process]
• Establishes foundation
• Delineates boundaries for decisions
Risk Model
• Determines risk factors
  – Inputs to determination of risk
• Threats/threat shifting
  – Sources, events, scenarios, responses
• Vulnerabilities, predispositions
• Likelihoods
  – Intent, capability, targeting
• Impacts
• Risk, aggregation
• Uncertainty
Generic Risk Model
[Figure: relationship diagram] A Threat Source (characterized by its intent, capability, and targeting) initiates, with some likelihood of initiation, a Threat Event. The event exploits, with some likelihood of success, a Vulnerability (with a given severity), in the context of Predisposing Conditions (with a given pervasiveness) and Controls (with a given effectiveness). A successful exploit causes an Adverse Impact (with a given degree), producing Organizational Risk.
Risk Assessment Approaches
• Quantitative
  – Numerical
• Qualitative
  – e.g., low, moderate, high
• Semi-quantitative
  – Bins, scales
Risk Analysis Approaches
• Threat-oriented
  – What can cause harm/loss?
  – What are the sources, capabilities, inclinations?
• Asset-oriented
  – What are the assets, processes, impacts?
• Vulnerability-oriented
  – What are the weaknesses?
  – Can they be exploited?
Risk Management Hierarchy
[Figure: three tiers, from strategic risk at the top to tactical risk at the bottom]
• Tier 1: Organization
• Tier 2: Mission/Business Processes
• Tier 3: Information Systems
Across the tiers:
• Traceability & transparency of risk-based decisions
• Organization-wide risk awareness
• Inter-tier and intra-tier communications
• Feedback loop for continuous improvement
Risk Management Framework
• Categorize
  – Assets, threats, vulnerabilities
• Select
  – Controls
• Implement
• Assess
• Authorize
• Monitor
• Repeat!
[Figure: the six steps drawn as a "Security Life Cycle": Categorize Info Systems, Select Controls, Implement Security Controls, Assess Controls, Authorize Info Systems, Monitor Security Controls, then back to Categorize]
Inputs to the cycle:
• Architecture Description
  – Mission/business processes, FEA reference models, segment and solution architectures, information system boundaries
• Organizational Inputs
  – Laws, directives, policy, guidance; strategic goals & objectives; information security requirements; priorities and resources available
Categorizing Information Systems
• Determine types of information handled
  – NIST SP 800-60
• Determine impact values (FIPS 199)
  – Low, moderate, high impact
• Security Category = {(C, ic), (I, ii), (A, ia)}
  – Confidentiality, Integrity, Availability impacts
  – Impacts need not be the same across the three objectives
• Overall impact is the high-water mark (max)
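To make the high-water-mark rule concrete, here is an added Python example; it is not from the slides, from Bishop, or from NIST. It computes a FIPS 199 security category for a system from the information types it handles: the per-objective maximum across types gives the (C, ic), (I, ii), (A, ia) triple, and the maximum across objectives gives the system impact level. The system names, information types, and impact values are constructed for illustration, not SP 800-60 provisional values; the one rule used beyond the slide is FIPS 199's allowance of "not applicable" for confidentiality only.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() is the high-water mark.
    NA (not applicable) is permitted only for the confidentiality of public information."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, with its provisional impact
    values (SP 800-60 style) after any organizational adjustment."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 allows NA for confidentiality only: a loss of integrity or
        # availability always has at least a LOW impact.
        if self.integrity is Impact.NA or self.availability is Impact.NA:
            raise ValueError(f"{self.name}: NA is only permitted for confidentiality")


def security_category(types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Per-objective high-water mark over all information types on the system,
    i.e. the (C, ic), (I, ii), (A, ia) triple from the slide."""
    types = list(types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    return {
        "confidentiality": max(t.confidentiality for t in types),
        "integrity": max(t.integrity for t in types),
        "availability": max(t.availability for t in types),
    }


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """System impact level: high-water mark across the three objectives. This is
    the value that later selects the low/moderate/high control baseline."""
    return max(category.values())


def format_category(category: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    inner = ", ".join(f"({objective}, {impact.name})" for objective, impact in category.items())
    return "SC = {" + inner + "}"


# Constructed sample inventory for a hypothetical HR system (not SP 800-60 values).
HR_SYSTEM = [
    InfoType("Public job postings", Impact.NA, Impact.LOW, Impact.LOW),
    InfoType("Employee PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Payroll records", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
]

# A system carrying only public content: confidentiality stays NA, but the
# integrity and availability of what it serves still set a LOW overall impact.
PUBLIC_SITE = [InfoType("Public web content", Impact.NA, Impact.LOW, Impact.LOW)]

if __name__ == "__main__":
    for label, inventory in (("HR system", HR_SYSTEM), ("Public site", PUBLIC_SITE)):
        sc = security_category(inventory)
        print(f"{label}: {format_category(sc)} -> overall {overall_impact(sc).name}")
```

Note that a single HIGH integrity value on one information type (payroll) lifts the whole system to HIGH even though no type is HIGH for confidentiality or availability; that is the point of the high-water mark, and it is why inventories of information types should be kept accurate before the baseline is chosen.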
Control Families
From NIST SP 800-53:
• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Security Assessment and Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental (PE)
• Planning (PL)
• Personnel Security (PS)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Program Management (PM)
Security Control Structure
• Control Section
  – Prescribes actions/activities for the control
• Supplemental Guidance Section
  – Non-prescriptive information
• Control Enhancements
  – Ways to add functionality/specificity and/or increase the strength of the control
• References
  – Includes relevant laws, directives, etc.
• Priority and Baseline Allocation
  – Priority code indicates order of sequencing for decisions and for implementation/deployment
  – Allocation (with enhancements) for each impact level (should it be used, and with which enhancements)
Security Controls
May involve aspects of
• Policy
• Oversight
• Supervision
• Manual processes
• Actions by people
• Automated mechanisms
Security Control Selection
• Select Security Control Baselines
  – Based on system impact level
• Review assumptions/environment
• Tailor Baseline Security Controls
• Create Overlays (if needed)
  – Community-wide and specialized control sets
• Document Security Control Decisions
Security Control Tailoring
• Identify and Designate Common Controls
• Apply Scoping Considerations
  – Control allocation and placement
  – Operational/environmental considerations
  – Security objective-related considerations
  – Technology-related considerations
  – Mission requirement-related considerations
• Select Compensating Controls
• Assign Security Control Parameter Values
• Supplement Security Control Baselines
• Provide Additional Specification Information for Control Implementation
Risk Assessment Process
• Prepare using framework
• Identify threat sources and events
• Identify vulnerabilities and predispositions
• Determine likelihood of occurrence
• Determine magnitude of impact
• Determine risk
• Communicate results
• Maintain assessment
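The Generic Risk Model earlier in the deck and the likelihood, impact, and risk steps of this process can be carried out as a semi-quantitative calculation. The Python below is an added example; it is not part of Bishop's slides or of any NIST publication. The five-bin scale, the rule for likelihood of success, the rule for combining likelihood of initiation with likelihood of success, the risk matrix, the uncertainty handling, and the three threat scenarios are all illustrative assumptions, chosen so that the chain threat source, threat event, vulnerability, adverse impact, organizational risk is visible end to end and so that the frame's risk tolerance is what decides which scenarios get a response.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Five-bin semi-quantitative scale (assumption: the slides name low/moderate/high;
# the two extra bins and every table below are illustrative, not NIST's).
LEVELS = ("very low", "low", "moderate", "high", "very high")


def level(label: str) -> int:
    """Index of a bin label on the scale; unknown labels are rejected early."""
    try:
        return LEVELS.index(label.lower())
    except ValueError:
        raise ValueError(f"unknown level {label!r}; expected one of {LEVELS}") from None


@dataclass(frozen=True)
class ThreatScenario:
    """One path through the generic risk model (constructed sample data)."""
    name: str
    threat_source: str
    threat_event: str
    vulnerability: str
    likelihood_of_initiation: str  # characteristic of the threat source
    vulnerability_severity: str    # severity, with predisposing conditions folded in
    control_effectiveness: str     # how well existing controls blunt the event
    impact_degree: str             # degree of adverse impact if the event succeeds
    uncertainty: str = "low"       # assessor's doubt about the inputs above


def likelihood_of_success(severity: str, control_effectiveness: str) -> str:
    """Illustrative rule: a severe vulnerability behind weak controls is very likely
    to be exploited successfully; strong controls pull the estimate down."""
    idx = level(severity) - level(control_effectiveness) + 2
    return LEVELS[max(0, min(len(LEVELS) - 1, idx))]


def overall_likelihood(initiation: str, success: str) -> str:
    """The adverse event needs both initiation and success, so the lower bin
    bounds the overall likelihood (a deliberately conservative assumption)."""
    return LEVELS[min(level(initiation), level(success))]


# Risk as a function of likelihood (rows) and impact (columns); illustrative matrix.
RISK_MATRIX = (
    # impact:  very low    low         moderate    high        very high
    ("very low", "very low", "very low", "low",      "low"),        # likelihood very low
    ("very low", "low",      "low",      "low",      "moderate"),   # low
    ("very low", "low",      "moderate", "moderate", "high"),       # moderate
    ("very low", "low",      "moderate", "high",     "very high"),  # high
    ("very low", "low",      "moderate", "high",     "very high"),  # very high
)


def risk_level(likelihood: str, impact: str) -> str:
    return RISK_MATRIX[level(likelihood)][level(impact)]


def assess(scenario: ThreatScenario) -> Dict[str, str]:
    """Walk one scenario through the model: source -> event -> vulnerability -> impact."""
    success = likelihood_of_success(scenario.vulnerability_severity, scenario.control_effectiveness)
    likelihood = overall_likelihood(scenario.likelihood_of_initiation, success)
    return {
        "name": scenario.name,
        "likelihood_of_success": success,
        "likelihood": likelihood,
        "risk": risk_level(likelihood, scenario.impact_degree),
        "uncertainty": scenario.uncertainty,
    }


def aggregate(scenarios: Iterable[ThreatScenario], risk_tolerance: str) -> Dict[str, object]:
    """Aggregate to organizational risk: the worst scenario sets the headline, and
    everything above the frame's risk tolerance needs a response. A scenario sitting
    exactly at the tolerance line with high uncertainty is included too, because the
    true risk may be a bin higher than the estimate."""
    results: List[Dict[str, str]] = [assess(s) for s in scenarios]
    if not results:
        raise ValueError("no scenarios to aggregate")
    tol = level(risk_tolerance)
    needs_response = [
        r["name"] for r in results
        if level(r["risk"]) > tol
        or (level(r["risk"]) == tol and level(r["uncertainty"]) >= level("high"))
    ]
    worst = max(results, key=lambda r: level(r["risk"]))
    return {"results": results, "organizational_risk": worst["risk"], "needs_response": needs_response}


# Constructed scenarios for a hypothetical organization (not real assessment data).
SAMPLE_SCENARIOS = [
    ThreatScenario("Phishing to payroll", "external adversary", "credential phishing",
                   "payroll portal lacks phishing-resistant MFA",
                   likelihood_of_initiation="high", vulnerability_severity="moderate",
                   control_effectiveness="low", impact_degree="high", uncertainty="moderate"),
    ThreatScenario("Datacenter flood", "natural event", "flooding of the server room",
                   "single site with no failover",
                   likelihood_of_initiation="very low", vulnerability_severity="high",
                   control_effectiveness="moderate", impact_degree="very high"),
    ThreatScenario("Insider exfiltration via USB", "privileged insider", "bulk copy of records",
                   "removable media not blocked on workstations",
                   likelihood_of_initiation="moderate", vulnerability_severity="high",
                   control_effectiveness="very low", impact_degree="moderate", uncertainty="high"),
]

if __name__ == "__main__":
    report = aggregate(SAMPLE_SCENARIOS, risk_tolerance="moderate")
    for r in report["results"]:
        print(f'{r["name"]:<30} likelihood={r["likelihood"]:<9} risk={r["risk"]:<9} uncertainty={r["uncertainty"]}')
    print("organizational risk:", report["organizational_risk"])
    print("respond to:", report["needs_response"])
```

Two things to notice when running it: the flood scenario has the most severe impact on the list yet comes out as low risk, because a very low likelihood of initiation bounds the whole chain; and the insider scenario lands exactly on the tolerance line but is still queued for response because the inputs carry high uncertainty. Both are decisions the risk frame (tolerance, treatment of uncertainty) makes, not the model; the numbers only make them visible.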
Key Points
• Security is all about risk management
  – There are no absolutes!
• Important to identify assets, processes
  – Know what you are trying to protect and why!
• Important to know threats, vulnerabilities
  – What can go wrong? How likely?
• Impact and likelihood lead to tradeoffs
  – Selection and implementation of controls
• Security is not an event, it is a process!