WP2 - Methodology


Presentation Transcript


  1. WP2 - Methodology
     ISSeG: Integrated Site Security for Grids
     Methodology for Site Security Assessment
     Lionel Cons, CERN
     WP2 – Site Assessment Methodology, 20 June 2007

  2. Proposed Methodology (inputs on the left came initially from ISO-17799)

  3. Step 1 – Find The Assets
     • Asset = Anything that has value to the organization [ISO]
     • Five identified asset categories:
       • Organizational (intellectual property rights, public image…)
       • Human
       • Information / data (administrative, personal, physics…)
       • Service (network, authentication, email, office…)
       • Hardware
     • These are currently merged with “security requirements”

  4. Baseline Assets
     • Preliminary list of asset types likely to be present everywhere:
       • Locally managed PC
       • Network
       • Backup
       • Office servers
       • Application servers
       • Centralized authentication

  5. Specific Assets
     • Preliminary list of asset types that may be site specific:
       • Expensive and/or dangerous equipment
       • Provides services across the Internet
       • Local email service
       • Exchanges confidential data
       • Stores confidential information
       • High-availability services
       • Internal resources available to visitors
       • External users
       • Centralized backup service

  6. Step 2 – Find The Threats
     • Threat = Potential cause of an unwanted incident, which may result in harm to a system or organization [ISO]
     • A generic list of threats has been compiled
       • Around 50 threats identified
     • Need to set the relevance of each threat for the given site
       • Linked to the role profiles (user / admin / developer / manager) and the asset types

  7. Examples of Threats

  8. Step 3 – Find The Risks
     • Risk = Combination of the probability of an event and its consequence [ISO]
     • We focus on threats
       • Threats are linked to asset types
         • Need to know the relative importance of the asset types
       • Threats are linked to controls (aka mitigation techniques)
         • Need to know how well the controls are applied
     • We could look at “best practices” too

  9. Examples of Controls (based on ISO 17799)

  10. Examples of Controls (based on ISO 17799)

  11. Examples of Controls (based on OCTAVE)

  12. Step 4 – Find The Countermeasures
     • Step 3 gives a prioritized list of threats
       • From threats, we can link to recommendations and best practices
     • Step 3 also gives the list of controls that can be improved and have a high impact on the overall security
       • From controls, we can also link to recommendations and best practices
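Steps 2 to 4 above describe a procedure: rate each threat's relevance for the site, weight the asset types it is linked to, measure how well the linked controls are applied, and from that derive a prioritized threat list and the controls whose improvement has the highest impact. The following script is an added worked example of that procedure; it is not the ISSeG project's tool or scoring model. The slides only say risk is a "combination of probability and consequence", so the concrete formula (relevance scaled by missing control coverage, times the importance of the most valuable linked asset) is an assumption made here, and the threats, controls, importance weights and coverage levels are constructed sample data for one hypothetical site. The six baseline asset types are the ones named on slide 4.

```python
"""Worked example of ISSeG Steps 2-4: threats -> risks -> countermeasures.

Added illustration, not the project's own method. The risk formula is an
assumed model; the slides define risk only as a combination of probability
and consequence. Site data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    relevance: float        # Step 2: how relevant the threat is for this site (0..1)
    assets: List[str]       # Step 1/3: asset types the threat can harm
    controls: List[str]     # Step 3: controls (mitigation techniques) linked to it


# Constructed sample data (assumption, not from the slides): relative
# importance of the slide-4 baseline asset types on a 1..5 scale.
ASSET_IMPORTANCE: Dict[str, int] = {
    "locally managed PC": 2,
    "network": 4,
    "backup": 3,
    "office servers": 3,
    "application servers": 4,
    "centralized authentication": 5,
}

# Constructed sample data: how well each control is currently applied (0..1).
CONTROL_COVERAGE: Dict[str, float] = {
    "patch management": 0.5,
    "malware protection": 0.8,
    "strong authentication": 0.2,
    "network segmentation": 0.6,
    "backup integrity checks": 0.4,
}

# Constructed sample threats; the real ISSeG list has around 50 entries.
THREATS: List[Threat] = [
    Threat("malware infection of end-user PCs", 0.9,
           ["locally managed PC", "network"],
           ["patch management", "malware protection"]),
    Threat("compromise of a privileged account", 0.6,
           ["centralized authentication", "application servers"],
           ["strong authentication", "patch management"]),
    Threat("unrecoverable loss of backup data", 0.3,
           ["backup"],
           ["backup integrity checks"]),
    Threat("lateral movement from a compromised host", 0.5,
           ["application servers", "office servers"],
           ["network segmentation", "strong authentication"]),
]


def threat_risk(threat: Threat, importance: Dict[str, int],
                coverage: Dict[str, float]) -> float:
    """Assumed risk model: probability proxy x consequence proxy.

    probability proxy = site relevance x share of mitigation still missing
                        (1 - average coverage of the linked controls)
    consequence proxy = importance of the most valuable linked asset type
    """
    avg_cov = sum(coverage[c] for c in threat.controls) / len(threat.controls)
    probability = threat.relevance * (1.0 - avg_cov)
    consequence = max(importance[a] for a in threat.assets)
    return round(probability * consequence, 3)


def prioritized_threats(threats: List[Threat] = THREATS,
                        importance: Dict[str, int] = ASSET_IMPORTANCE,
                        coverage: Dict[str, float] = CONTROL_COVERAGE
                        ) -> List[Tuple[float, str]]:
    """Step 3 output: (risk, threat name) pairs, highest risk first."""
    scored = [(threat_risk(t, importance, coverage), t.name) for t in threats]
    return sorted(scored, reverse=True)


def control_improvement_impact(threats: List[Threat] = THREATS,
                               importance: Dict[str, int] = ASSET_IMPORTANCE,
                               coverage: Dict[str, float] = CONTROL_COVERAGE
                               ) -> List[Tuple[str, float]]:
    """Step 4 input: total risk removed if a control were fully applied.

    Re-scores every threat with one control raised to 1.0 and reports the
    drop in summed risk, so the controls with the highest impact on overall
    security rank first regardless of how many threats they touch.
    """
    base = sum(threat_risk(t, importance, coverage) for t in threats)
    impact: Dict[str, float] = {}
    for ctrl in coverage:
        improved = dict(coverage)
        improved[ctrl] = 1.0
        total = sum(threat_risk(t, importance, improved) for t in threats)
        impact[ctrl] = round(base - total, 3)
    return sorted(impact.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("Prioritized threats (Step 3):")
    for risk, name in prioritized_threats():
        print(f"  {risk:5.2f}  {name}")
    print("Controls by improvement impact (Step 4):")
    for ctrl, delta in control_improvement_impact():
        print(f"  {delta:5.2f}  {ctrl}")
```

With this sample data the privileged-account threat ranks first because it touches the most valuable asset type while its main control is barely applied, and "strong authentication" tops the improvement list even though "malware protection" is linked to the most relevant threat: a control that is already at 80% coverage has little risk left to remove. That is the point of slide 12's second bullet: controls are prioritized by the impact of improving them, not by how many threats mention them.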
