
CIS8110

10/8/07 ©2007 V. Storey and C. Stucke 1

Security and Risk Management

MBA 8125

Acknowledgement: Parts of this session are based upon material from Cecil Chua, Deb Dey, Kimball, Dorothy Denning, Ray Panko, Graeme Payne, Ernst & Young, Gartner Group and Arjan Raven

Course Overview

Course map (diagram): Corporate Strategy; Ethics/Privacy; IS Strategy and Plan; Internal Systems Development; Outsourced Systems Development; Implementation; Internal Systems Operations; Outsourced Systems Operations; Infrastructure; Security.

Learning Objectives

– Define information security
– Explain how information security fits into business risk management
– Identify security context
– Describe current threats and mitigation practices
– Identify different types of attacks
– Understand business process continuity
– Evaluate tradeoffs in business recovery plans

Agenda

– Risk Management
– Information Security
– Security Concerns
– Management Issues
– Future Trends

Risk Management

“Effective risk management is based on a foundation of good corporate governance and rigorous internal controls. Taking calculated risks is part of any business enterprise. That is well understood. At the same time, each company needs to have in place the technical systems and management processes necessary not only to identify risks associated with its activities but also to effectively measure, monitor and control them.”

William McDonough – Former PCAOB Chairman
http://www.pcaobus.org/index.aspx

Risk Management: Another View

"Risk Management is a methodology for assessing the potential of future events that can cause adverse effects; and implementing cost-efficient strategies that can deal with these risks"

Marilyn Greenstein (http://www.mhhe.com/business/accounting/greenstein/authors.mhtml)

Risk management cycle (diagram, from Ernst & Young)

Strategies: Companies deploy multiple strategies to meet stakeholder demands, to respond to environmental conditions, and to capitalize on market opportunities.

Evolving Risk Profile: The multiple strategies together with the changing environment generate risks and a continually evolving risk profile.

Executing Sustainable Processes: Companies have in place a series of processes to manage their changing risk profile.

Monitor: Risk functions perform monitoring activities to ensure processes are operating as designed, controls are effective and risks are managed.

Assess: Risk functions together with executive management continually assess the evolving risk profile and processes.

Enhance: Executive management together with the risk functions implement identified enhancements.

Cycle shown: Strategy, Risks, Process, Monitor, Assess, Enhance.

http://www.ey.com/global/content.nsf/International/Global_Risk_Home

Risk Management’s Broad Scope

Diagram (Copyright © 2002): Board of Directors, Risk Management Committee and Business Units, governed by Risk Policies and Regulations, spanning these risk areas: Strategic, Reputation, Revenue, Credit, Market, Fiduciary, Financial, Intellectual Property, Project Management, Info Security and Availability, Human Capital, Physical Security, Operational, IT Capacity and Performance, Risk Financing and Insurance, Privacy.

Risk Management Life Cycle

Diagram (Copyright © 2002; Adapted From):
– Start/Update Risk Planning
– Inventory Assets: who, what, what value, what priority?
– Identify Risks: who, what, where, when, why, how?
– Analyze/assess/measure: how much, how often, how related, what business impact?
– Mitigate: eliminate, avoid, reduce
– Transfer: contractual, risk financing, insurance
– Accept: create/implement BCP
– Monitor Results / Initiate Update

Business Impact Analysis

Chart (Copyright © 2002): cost to business (y-axis 0 to 160, units not shown) over time (Day 1, Day 4, Week 1, Week 2) for lost sales, order cancellations, penalties and interest. Impact areas listed: cash flow; competition and lost sales; interest expense; shareholder confidence; legal/contractual obligations and penalties; company viability; customer service and canceled orders; insurance issues and regulatory requirements; productivity.

What Is Your Cost of Downtime?

Know your downtime costs per hour, day, two days ...

Productivity
• Number of employees affected x hours out x burdened hourly rate

Revenue
• Direct loss
• Compensatory payments
• Lost future revenue
• Billing losses
• Investment losses

Damaged Reputation
• Customers
• Suppliers
• Financial markets
• Banks
• Business partners
• ...

Financial Performance
• Revenue recognition
• Cash flow
• Lost discounts (A/P)
• Payment guarantees
• Credit rating
• Stock price

Other Expenses
Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses, legal obligations ...

Copyright © 2002

Growing Impact: System Vulnerability and Abuse

Chart: Worldwide Damage from Digital Attacks (data not reproduced)

The Digital Firm: Where Are The Risks?

Source: Laudon & Laudon 2006

• Multiple Failure Points
• Human Error
• Performance / Capacity
• Outsourced Service Providers
• Natural Disasters
• Downtime (planned/unplanned)
• Security Incidents
• Links to Third Parties

The Digital Firm: Where Are The Risks?

Diagram (from Ernst & Young): Partners, Customers, Contractors, Hackers, Malware, Spam

Agenda: Risk Management, Information Security, Security Concerns, Management Issues, Future Trends

Top 10 Business and Technology Priorities in 2006

Rank | Top 10 Business Priorities | Top 10 Technology Priorities
1 | Business process improvement | Business Intelligence applications
2 | Controlling enterprise operating costs | Security technologies
3 | Attracting and growing customer relationships | Mobile workforce enablement
4 | Improving competitive advantage | Collaboration technologies
5 | Improving competitiveness | Customer sales and service
6 | Using intelligence in products and services | Service Oriented Architectures (SOA)
7 | Security breaches and disruptions | Workflow management
8 | Revenue growth | Networking, voice and data communications
9 | Faster innovation | Virtualization
10 | Faster innovation and cycle times | Legacy application modernization

Source: Gartner EXP (January 2006). See http://www.gartner.com/press_releases/asset_143678_11.html

Top 10 Business & Technology Priorities in 2007

Rank | Top 10 Business Priorities | Top 10 Technology Priorities
1 | Business process improvement | Business Intelligence applications
2 | Controlling enterprise-wide operating costs | Enterprise applications (ERP, CRM and others)
3 | Attract, retain and grow customer relationships | Legacy application modernization
4 | Improve effectiveness of enterprise workforce | Networking, voice and data communications
5 | Revenue growth | Servers and storage technologies (virtualization)
6 | Improving competitiveness | Security technologies
7 | Using intelligence in products and services | Service-oriented architectures
8 | Deploy new business capabilities to meet strategic goals | Technical infrastructure management
9 | Enter new markets, new products or new services | Document management
10 | Faster innovation | Collaboration technologies

Source: Gartner EXP (February 2007). http://www.metrics2.com/blog/2007/02/15/top_10_business_and_technology_priorities_in_2007.html

What is Information Security?

The policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Source: Laudon & Laudon 2006

Primary Issues:
– Confidentiality -- no “data spills”
– Integrity
– Availability

Risk Concepts Relationships

See SANS Glossary of Terms http://www.sans.org/resources/glossary.php

Diagram relating Threats, Vulnerabilities, Assets, Asset Values & Potential Impacts, Security Risks, Security Requirements and Security Controls (edge labels: exploit, expose, increase, protect against, indicate, implemented by, have):
– Threats exploit Vulnerabilities
– Vulnerabilities expose Assets
– Assets have Asset Values & Potential Impacts
– Threats, Vulnerabilities and Asset Values & Potential Impacts each increase Security Risks
– Security Risks indicate Security Requirements
– Security Requirements are implemented by Security Controls
– Security Controls protect against Threats

Agenda: Risk Management, Information Security, Security Concerns, Management Issues, Future Trends

Security in the Information Society

Information technology
– Critical to business and society

Computer security
– Evolving into information security

Information security
– Responsibility of every member of organization
– Managers play critical role
  • Information security managers and professionals
  • Information technology managers and professionals
  • Non-technical business managers and professionals

Source: J. Joshi

Internet Challenges to Privacy

Cookies – files stored on computer that save information and track visits to a website.

Web Bugs – graphic files embedded in email and web pages to monitor visitors

Spyware – applications secretly installed on computer to report user activities on Internet

Types of Computer Crime

Spamming – Marketers send out unsolicited mass-email to unwilling recipients

Hacking – Exploiting weaknesses in security to gain access to machines and data

Jamming – Denial of service, tie up resources to make them unavailable

Worms/viruses – Malicious software that spreads and may be destructive

Sniffing – Placing software for electronic eavesdropping

Spoofing – fraudulent misrepresentation of identity

See Computer Crime Cases

Security Challenges in Organizations

Source: Laudon & Laudon 2006 (figure not reproduced)

Unauthorized Access & Human Error

– Use strong passwords and change frequently (more in coming slide)
– Use additional authentication where appropriate (something you know, you have, or you are)
– Encrypt data on hard drive
– Install anti-virus, anti-spyware, and firewall (more later)
– Minimize data stored on client
– Limit data access to need-to-know basis
– Human error hard to prevent
  • Everyone makes mistakes
– Software Bugs
  • Errors within software program
  • Updates and patches
– Input Mistakes
  • Application controls (greatest number of vulnerabilities come from applications/developers not checking length of supplied information: potentially allows “a buffer overflow” that can take over a machine. See the SANS top 20 vulnerabilities at http://www.sans.org/top20/)

What about SPAM and Phish?

Botnets & Phishing

Botnets: http://images.businessweek.com/ss/05/05/hacker_botnet/index_01.htm

Phishing: http://images.businessweek.com/ss/05/05/hacker_phishing/index_01.htm

Attacks against a weak link: passwords

Factor One: What you know

Brute Force Attack
– Try every combination possible
– Defeated by long passwords

Default Password Attack
– Check if user never changed password from default
– Defeated by changing password (“password” most common password in DoD)

Dictionary Attack
– Dictionary of common passwords
– Name, common words, famous people, domain specific

Good passwords
– Minimum length – 8 characters
– Passwords should use three or four of the following four types of characters:
  • Lowercase
  • Uppercase
  • Numbers
  • Special characters such as !@#$%^&*(){}[]
– My favorite song is “Dust in the Wind”. Password: “mFSI!492023”

OK, so how do you remember 20+ good passwords? Try a program such as PasswordSafe at http://passwordsafe.sourceforge.net/
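The password rules on this slide as an added example (not code from the original slides): a Python policy check that applies the minimum-length and character-class rules, rejects default or dictionary passwords, and estimates the brute-force search space to show why length matters. The short word list is constructed for illustration.

```python
"""Password-policy check modelled on the slide's 'Good passwords' rules.

Added example, not from the original slides. Rules taken from the slide:
minimum length 8, and at least three of the four character classes
(lowercase, uppercase, numbers, special characters).
"""
import math
import string

MIN_LENGTH = 8
MIN_CLASSES = 3
SPECIALS = set("!@#$%^&*(){}[]")  # the special characters named on the slide
CLASS_SIZES = {"lowercase": 26, "uppercase": 26, "digit": 10, "special": len(SPECIALS)}

# Constructed sample of default / dictionary passwords a checker would reject
# (the slide notes "password" is the most common password in the DoD).
COMMON_PASSWORDS = {"password", "welcome", "letmein", "admin", "changeme"}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses only {len(classes)} of 4 character classes")
    # Dictionary / default-password check: normalise case and strip trailing
    # digits so a word with a number appended is still caught.
    base = password.lower().rstrip(string.digits)
    if base in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("is a default or dictionary password")
    return problems


def brute_force_bits(password):
    """Approximate log2 of the brute-force search space: (alphabet size
    implied by the classes actually used) ** length. Longer passwords
    raise this far faster than adding one more character class."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("mFSI!492023", "password", "Password1", "Ab1!"):
        print(candidate, check_password(candidate) or "OK",
              f"{brute_force_bits(candidate):.1f} bits")
```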

Factor: What you are

Biometric examples (from Kelly Rainer): Facial Recognition, Fingerprint Scan, Retinal Scan, Iris Scan, Signature Recognition, Speech Recognition

Factor: What you have

Smart ID Card, Hardware Token

Communications Line Access

– Secure physical communications lines
– Encrypt communications (via Virtual Private Network – VPN http://computer.howstuffworks.com/vpn.htm or other techniques)
– Authenticate sender & receiver
– Use digital signatures to prevent alteration and identify sender (see http://computer.howstuffworks.com/question571.htm)
– Use fiber optics or “tempest” to prevent “reading” of electrical signal (see tempest at http://www.webopedia.com/TERM/T/Tempest.html)

Attacks

Virus
– Piece of code embedded in an e-mail attachment
  • User opens the attached program
  • Virus copies itself into other programs on the computer
  • Virus spreads until a certain date, then deletes files

Worm
– Less harmful than a virus (does not destroy)
– Usually increases load on a resource; may lead to a crash

Denial of Service
– Generate large number of useless service requests
– Overload and system crash

Damages from Attacks

– In 2003, viruses cost business $55 billion in damages
– AOL blocks over 1 million viruses and worms a day from members' emails
  • AOL blocked over 24 million viruses in 24 hours during Sobig.f worm outbreak

Source: Jessup & Valacich 2006

Corporate Server Protection

– Limit external access by using firewalls
– Use anti-virus software
– Install “patches” for server software
– Limit data on servers
– Limit functions the servers support
– Use intrusion detection software
– Use read-only media (a CD for instance) for “static” information on web (so these cannot be defaced)
– Have agreement with ISP to assist with denial of service attacks (try to block, alternate addresses, etc.)

Sample Firewall Configuration

Diagram: a Web Client sends an HTTP request (cleartext or SSL) through a Firewall into the DMZ, where the Web Servers running the web apps return an HTTP reply (HTML, Javascript, etc); a second Firewall separates the DMZ from the internal SQL Database (DB).

(Also see http://computer.howstuffworks.com/firewall.htm)

Intrusion Detection Systems

Diagram of Internet, Corporate Office, Business Partner, Users, DMZ Servers, Data Center and NAS, with IDS placements:
– Internet Protection: complements FW and VPN by monitoring traffic for malicious activity
– Extranet Protection (NIDS): monitors partner traffic where “trust” is implied but not assured
– Remote Access Protection (NIDS): hardens perimeter control by monitoring remote users
– Intranet/Internal Protection (NIDS/HIDS): protects data centers and critical systems from internal threats
– Server Farm Protection (HIDS): protects e-business servers from attack and compromise

Also see http://en.wikipedia.org/wiki/Intrusion_detection_system

Corporate Systems Protection

– Limit physical access
– Inspect media coming in & leaving
– Limit logical system access (most access may be via applications rather than logging in)
– Limit functions the systems support
– Encrypt data
– Limit decrypted data access to data access via applications
– Use intrusion detection software
– Keep patch levels up to date
– Enforce change control and testing

What about BCP & DR? Hold that thought.

Wait! These Attackers: Who are they?

Attackers: Who are they?
– Kid down the street?
– Professional, working for your competitors?
– Foreign intelligence agency?
– Ex-employee?
– Disgruntled co-worker?
– “Professional” funded by organized crime

Who Commits Computer Crimes?

Group | Percentage
Authorized employees | 58%
Employees unauthorized to use computer system | 24%
Outside computer hackers or terrorists | 13%
Organization’s competitors | 3%
Other | 2%

Source: Jessup, L. and Valacich, J. Information Systems Today: Why IS Matters, 2nd edition (2006)

Quotes from Hackers

“It’s really just a bunch of really smart kids trying to prove themselves. I know I was.”
– Splurge, sm0ked crew

“It’s power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That’s power; it’s a power trip.”
– anonymous

“You do get a rush from doing it – definitely.”
“I’m like your nosy neighbor on steroids, basically.”
– Raphael Gray (aka Curador) [stole and posted 26,000 credit card numbers]

Source: Dorothy Denning

Why So Many Attacks?

Today’s Systems
– Complex and vulnerable

Internet Growth
– More targets and attackers

Attackers Organized
– Teach each other and novices
– Exchange tools and information

Attackers Develop Better Tools
– Build on each other’s work
– Build on work of security community

Attacks Easy, Low Risk, Hard to Trace
– Investigations difficult; often international

Lack of Security Awareness, Expertise, or Priorities
– .0025 percent of revenue spent on information security [Forrester]

Organized Crime now involved!

Why are Attacks Challenging in Cyberspace?

– Automation
– Action at a distance
– Technique propagation
  • Low communication costs
  • Viruses, worms etc. need only a link between two systems.

Attacks via Social Engineering

The acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.

Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent)

We are the weakest link….

http://www.kevinmitnick.com/

Social Engineering Tactics & Defenses (Sarah Granger, SecurityFocus)

Area of Risk | Hacker Tactic | Combat Strategy
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs

Many Studies

Available from http://www.gocsi.com/

http://cis.gsu.edu/~cstucke/cis8680/content/FBI2006.pdf

CSI/FBI Computer Crime and Security Survey (www.gocsi.com)

Computer Security Institute / FBI (2006)
– 615 U.S. Computer Security Professionals.

Also check out http://en.wikipedia.org/wiki/Internet_fraud


Disasters (Natural & Human-initiated)

Cannot prevent natural disaster (may not be able to prevent human-initiated disaster)
– Can create business continuity / disaster recovery plans
– Can choose where people, process, and technology are located

http://www-1.ibm.com/services/us/index.wss/offerfamily/bcrs/a1000387

Security in Context: September 11 Raises the Bar for Risk

Copyright © 2002

People vs. Asset Centricity / Protection
– Resilience in people/processes
– Resilience in workspace
– Resilience in safety and communications

New Planning Scenarios: loss of life, lack of decision makers, interruption of transportation, building evacuation, loss of physical assets and workspace, lack of communications, crisis command center site unavailable, terrorism, bioterrorism and more

Capacity Management: technology and people

Contingency Planning: mitigate risks of external events

Disaster Recovery

Question: What is a disaster?
– 10 users out of service for 1 hour not a disaster (unless one is the CEO …)
– 1,000,000 users out of service for 24 hours is disaster

Source: A.P. Snow

Disaster Recovery: Levels of Backup

Hot backup
– Backup of complete system at another site
– Data, operating components of hardware and software

Cold backup
– Backup of data only
– No transaction can be processed during downtime

Warm backup
– Somewhere in the middle
– Usually smaller system with full backup of data
– Transactions processed, but more slowly

Risk Reduction

Risk
– (Probability of Disaster) x (Lost Revenue)

Decrease risk
– Decrease chance of disaster
– Decrease amount of lost revenue

Given disaster
– Minimize impact by shortening duration or size of outage

Distribute IS Architectures and Distribute Organizations to become Resilient

– Remove single point of failure so risk spread out geographically
– Depends on
  • redundancy of human capital necessary to run OR
  • ability to transition to backup site
– False security if personnel lost in outage, or loss of transportation or communication systems for transfer of operations
– Reliability demands for telecommunication services increase dramatically
– Redundancy requirements shift to network services

Diagram: five sites each labelled 1/5, connected through a Network labelled x100%.

Agenda: Risk Management, Information Security, Security Concerns, Management Issues, Future Trends

Management Concerns

Security Management

Question: Why is security a management concern?

Business Value of Security

• Inadequate security may lead to legal liability
• Businesses must protect
  • own information assets
  • assets of customers, employees, business partners.
• Failure to protect may bring costly litigation for data exposure or theft
• Security framework needed to
  • protect business information assets
  • assure business continuity
  • high return on investment.

Agenda: Risk Management, Information Security, Security Concerns, Management Issues, Future Trends

Attacks: Challenges and Trends

Growing number of attacks (and attackers!)

Attacks
– Faster, propagate over network
– More random (size doesn’t matter, can’t be small and hide)
– Growing power / sophistication of attacks/tools
– Automation (kits, botnets http://en.wikipedia.org/wiki/Botnet, …)
– More malicious; have learned how to turn information into money
– Growing number of vulnerabilities
  • including insider vulnerabilities
– Impossible to prevent all attacks

– Use of always-connected cable modems or DSL
– Lack of encryption with most Voice over IP (VoIP)
– Widespread use of e-mail and instant messaging (IM)
– Wireless access

Again, why is this happening?

Information systems
– Complex
– Interact with each other
– Have emergent properties
– Have bugs

Integrated systems of the emerging digital enterprise are very, very difficult to secure

Humans are imperfect…

So you protected everything and then Wireless appeared…

– Identify all wireless devices attached to network
– Apply all security features of products
– Require Authentication and Authorization and Encryption
– Use the same well-known network security solutions as wired networks including:
  • Network segmentation (We didn’t talk about this. See http://www.sans.org/rr/whitepapers/hsoffice/1645.php)
  • Use of personal firewalls
  • Well defined, trainable, and enforceable security policy
– Perform Wireless Security Monitoring

802.11? Bluetooth

Source: Rick Doten, MCI NETSEC
http://www.ibahn.com/ibahn-wpa.php

What should we as managers implement?

Policies and Procedures (samples at http://www.sans.org/resources/policies/)

Education and Training
– Teach users “Safe Internet Skills”
– Strong authentication (e.g., 8 character password)
– Social Engineering (recognizing and handling)

Techniques
– Access control (need to know) / authentication (multi-factor: know, have, am)
– Filtering (Firewall) & Intrusion Detection
– Data encryption (code data transmitted over a link or stored)
– Anti-virus software (for every computer; extend license for home use; regular virus updates)

Process
– Security not one-shot project
– Continuous evaluation / investment
– Business Continuity Planning
– Risk Management

Vulnerability Assessment & Audit
– By third-party consultant
– Adhering to standards (ISO 17799, see http://en.wikipedia.org/wiki/ISO_17799, http://www.iso-17799.com/ and http://www.sans.org/score/checklists/ISO_17799_checklist.pdf)

Based on Kimball, 2004.

Take-Away: The Security Chain

Links in the Chain (technology-based examples)
– Access control mechanisms
– Identification & authentication mechanisms
– Audit mechanisms
– Encryption mechanisms
– Firewalls
– Smart cards
– Biometrics

Links in the Chain (non-technology-based examples)
– Security policies and procedures
– Risk management
– Security planning
– Contingency planning
– Incident response planning
– Physical security
– Personnel security

Adversaries attack the weakest link…where is yours?

From National Information Assurance Partnership presentation by Dr. Ron Ross

Hope for Future . . .

– Increased security awareness
– Increased priority
– Growing number of information security experts
– Growing security industry
  • New / better products and services
– Growing public and private sector security initiatives
  • Joint public/private initiatives
– Attention from Congress and the Administration
  • $$$ for research and education/training
– New laws to facilitate investigations
– International cooperation to fight cyber crime

Conclusion

– Risk management is an essential aspect of successful business operation
– Security problems
  • Real and growing
– Threats considerable today
  • worse tomorrow
  • plan for tomorrow’s threat environment
– Many threats from many attackers
– Technology can reduce threats
  • Firewalls
  • Intrusion Detection Systems
  • Anti-virus and anti-spyware programs
– Multiple protection measures (defense in depth)
  • Awareness / education required
– Ongoing update and evaluation critical
– People are your greatest risk (and your greatest asset)

Q&A

[email protected]

Take-Away: Information Security Framework

Information Security Program for company information and information systems (diagram):

Categorization of Information and Information System (FIPS 199, SP 800-60)
Defines categories of information and information systems according to levels of impact for confidentiality, integrity, and availability; maps information types to security categories.

Security Planning (SP 800-18)
Documents the security requirements and security controls planned or in place for the protection of information and information systems.

Risk Assessment (SP 800-30)
Analyzes the threats to and vulnerabilities in information systems and the potential impact or magnitude of harm that the loss of confidentiality, integrity, or availability would have on a company’s operations and assets.

Security Control Selection and Implementation (FIPS 200 (Final), SP 800-53 (Interim))
Implements management, operational, and technical controls (i.e., safeguards and countermeasures) planned or in place to protect information and information systems.

Security Control Assessment (Certification) (SP 800-37, SP 800-53A)
Determines extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome in meeting security requirements.

Security Authorization (Accreditation) (SP 800-37)
Authorizes information systems to process, store, or transmit information; granted by a senior company official, based on risk to company operations and assets.

From National Information Assurance Partnership presentation by Dr. Ron Ross