Computer Security: Art and Science, ©2002-2004 Matt Bishop, July 1, 2004. Risk Management (30 slides)


Slide #1-1: Risk Management Process

• Frame = context, strategies
• Assess = determine risk
• Respond = evaluate & implement approaches
• Monitor = detect failures, changes

Slide #1-2: Risk Management Process

[Diagram: the four activities Frame, Assess, Respond and Monitor, with information flows between them]

Slide #1-3: Risk Assessment Supports

• Develop information security architecture
• Develop security solutions
  – Controls, products, procedures, configurations
• Authorizations
• Modifications of organization processes
• Implementation of security solutions
• Operation and maintenance

Slide #1-4: Risk Concepts

• Measure that combines
  – Potential for loss/harm
  – Impact of loss/harm
  – Likelihood of various forms of loss/harm

Slide #1-5: Overall Process

• Identify and Classify Assets
  – What are we protecting? How are they important?
• Identify Exposures and Threats
  – What would be bad? How could it happen?
• Identify Vulnerabilities and Threat Sources
  – Who or what could cause loss, and how?
• Determine Policies and Controls
  – What should be allowed and what disallowed?
  – How will the policies be enforced?
• Implement and Monitor
  – Deploy controls and use them, gain experience to update as needed (p.r.n.)

Slide #1-6: Risk Framing Components

[Diagram: the Organizational Risk Frame (Assumptions, Constraints, Priorities, Trade-offs, Risk Tolerance, Uncertainty) determines the Risk Assessment Methodology (Risk Model, Assessment Approach, Analysis Approach), which in turn shapes the Risk Assessment Process]

• Establishes foundation for decisions
• Delineates boundaries for decisions

Slide #1-7: Risk Model

• Determines risk factors
  – Inputs to determination of risk
• Threats/threat shifting
  – Sources, events, scenarios, responses
• Vulnerabilities, predispositions
• Likelihoods
  – Intent, capability, targeting

Slide #1-8: Risk Model

• Determines risk factors
• Threats/threat shifting
• Vulnerabilities, predispositions
• Likelihoods
• Impacts
• Risk, aggregation
• Uncertainty

Slide #1-9: Generic Risk Model

[Diagram: a Threat Source initiates (with likelihood of initiation) a Threat Event, which exploits (with likelihood of success) a Vulnerability (with severity), in the context of Predisposing Conditions (with pervasiveness) and Controls (with effectiveness), causing an Adverse Impact (with degree), producing Organizational Risk]

Slide #1-10: Risk Assessment Approaches

• Quantitative
  – Numerical
• Qualitative
  – E.g., low, moderate, high
• Semi-quantitative
  – Bins, scales

Slide #1-11: Risk Analysis Approaches

• Threat-oriented
  – What can cause harm/loss?
  – What are sources, capabilities, inclinations?
• Asset-oriented
  – What are assets, processes, impacts?
• Vulnerability-oriented
  – What are weaknesses?
  – Can they be exploited?

Slide #1-12: Risk Management Hierarchy

[Diagram: three tiers, Tier 1 Organization, Tier 2 Mission/Business Processes, Tier 3 Information Systems; Strategic Risk at the top of the hierarchy, Tactical Risk at the bottom]

• Traceability & Transparency of Risk-based Decisions
• Inter-Tier and Intra-Tier Communications
• Organization-wide Risk Awareness
• Feedback Loop for Continuous Improvement

Slide #1-13: Risk Management Framework

• Categorize
  – Assets, threats, vulnerabilities
• Select
  – Controls
• Implement
• Assess
• Authorize
• Monitor
• Repeat!

Slide #1-14: Risk Management Framework

[Diagram: the Security Life Cycle: Categorize Info Systems → Select Controls → Implement Security Controls → Assess Controls → Authorize Info Systems → Monitor Security Controls, and back to Categorize]

Architecture Description inputs:
• Mission/Business Processes
• FEA Reference Models
• Segment and Solution Arch
• Info System Boundaries

Organizational Inputs:
• Laws, Directives, Policy, Guidance
• Strategic Goals & Objectives
• Information Security Requirements
• Priorities and Resources Available

Slide #1-15: Categorizing Information Systems

• Determine types of information handled
  – NIST SP 800-60
• Determine impact values (FIPS-199)
  – Low, medium, high impact
• Security Category = {(C, i_C), (I, i_I), (A, i_A)}
  – Confidentiality, Integrity, Availability impacts
  – Impacts may not be the same
• Overall impact is high-water mark (max)
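The categorization rule on this slide, worked through in code. This is an added example, not code from the slides or from NIST: it builds the Security Category triple for a system that handles several information types, takes the per-objective maximum across those types, and then applies the high-water mark across C, I and A to get the overall impact level. FIPS 199 names its levels LOW, MODERATE and HIGH (the slide says "medium" for the middle level), so the code accepts both spellings. The information types and their impact values are constructed for the example.

```python
"""FIPS 199 security categorization with the high-water mark (added example)."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")        # FIPS 199 impact levels, lowest first
_ALIASES = {"medium": "moderate"}           # accept the slide's wording too


def normalize(level: str) -> str:
    """Canonical lower-case level name; rejects anything outside the scale."""
    lvl = level.strip().lower()
    lvl = _ALIASES.get(lvl, lvl)
    if lvl not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return lvl


def high_water_mark(levels) -> str:
    """Highest impact level among those given (the 'max' on the slide)."""
    levels = [normalize(l) for l in levels]
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=LEVELS.index)


@dataclass(frozen=True)
class InfoType:
    name: str   # information type; in practice drawn from NIST SP 800-60
    c: str      # confidentiality impact
    i: str      # integrity impact
    a: str      # availability impact


def security_category(info_types) -> dict:
    """SC of the system: per-objective maximum over every information type handled."""
    return {
        "C": high_water_mark(t.c for t in info_types),
        "I": high_water_mark(t.i for t in info_types),
        "A": high_water_mark(t.a for t in info_types),
    }


def overall_impact(sc: dict) -> str:
    """Overall system impact level = high-water mark across C, I and A."""
    return high_water_mark(sc.values())


def format_sc(sc: dict) -> str:
    """Render the triple in the slide's notation."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        sc["C"].upper(), sc["I"].upper(), sc["A"].upper())


# Constructed sample: two information types on one system (values are illustrative).
SAMPLE_TYPES = [
    InfoType("public web content", c="low", i="moderate", a="low"),
    InfoType("customer account records", c="medium", i="moderate", a="low"),
]

if __name__ == "__main__":
    sc = security_category(SAMPLE_TYPES)
    print(format_sc(sc))
    print("overall impact:", overall_impact(sc).upper())
```

Note that the two impacts inside one objective do not have to agree across information types, and the three objectives do not have to agree with each other; the high-water mark is what collapses them into the single level that later drives baseline selection (slide 26).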

Slide #1-16: Control Families

From NIST SP 800-53:
• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Security Assessment and Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)

Slide #1-17: Control Families (cont.)

• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental (PE)
• Planning (PL)
• Personnel Security (PS)

Slide #1-18: Control Families (cont.)

• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Program Management (PM)

Slide #1-19: Security Control Structure

• Control Section
• Supplemental Guidance Section
• Control Enhancements
• References
• Priority and Baseline Allocation

Slide #1-20: Security Control Structure

• Control Section
  – Prescribes actions/activities for control
• Supplemental Guidance Section
• Control Enhancements
• References
• Priority and Baseline Allocation

Slide #1-21: Security Control Structure

• Control Section
• Supplemental Guidance Section
  – Non-prescriptive information
• Control Enhancements
• References
• Priority and Baseline Allocation

Slide #1-22: Security Control Structure

• Control Section
• Supplemental Guidance Section
• Control Enhancements
  – Ways to add functionality/specificity and/or
  – Increase strength of control
• References
• Priority and Baseline Allocation

Slide #1-23: Security Control Structure

• Control Section
• Supplemental Guidance Section
• Control Enhancements
• References
  – Includes relevant laws, directives, etc.
• Priority and Baseline Allocation

Slide #1-24: Security Control Structure

• Control Section
• Supplemental Guidance Section
• Control Enhancements
• References
• Priority and Baseline Allocation
  – Priority code indicates order of sequencing for decisions and for implementation/deployment
  – Allocation (with enhancements) for each impact level (should it be used, and with which enhancement)

Slide #1-25: Security Controls

May involve aspects of
• Policy
• Oversight
• Supervision
• Manual processes
• Actions by people
• Automated mechanisms

Slide #1-26: Security Control Selection

• Select Security Control Baselines
  – Based on system impact level
• Review assumptions/environment
• Tailor Baseline Security Controls
• Create Overlays (if needed)
  – Community-wide and specialized control sets
• Document Security Control Decisions

Slide #1-27: Security Control Tailoring

• Identify and Designate Common Controls
• Apply Scoping Considerations
  – Control allocation and placement
  – Operational/Environmental considerations
  – Security objective-related considerations
  – Technology-related considerations
  – Mission requirement-related considerations

Slide #1-28: Security Control Tailoring

• Identify and Designate Common Controls
• Apply Scoping Considerations
• Select Compensating Controls
• Assign Security Control Parameter Values
• Supplement Security Control Baselines
• Provide Additional Specification Information for Control Implementation

Slide #1-29: Risk Assessment Process

• Prepare using framework
• Identify threat sources and events
• Identify vulnerabilities and predispositions
• Determine likelihood of occurrence
• Determine magnitude of impact
• Determine risk
• Communicate results
• Maintain assessment

Slide #1-30: Key Points

• Security is all about risk management
  – There are no absolutes!
• Important to identify assets, processes
  – Know what you are trying to protect and why!
• Important to know threats, vulnerabilities
  – What can go wrong? How likely?
• Impact and likelihood lead to tradeoffs
  – Selection and implementation of controls
• Security is not an event, it is a process!