WP2 - Methodology
ISSeG: Integrated Site Security for Grids
Methodology for Site Security Assessment
Lionel Cons, CERN
WP2 – Site Assessment Methodology, 20 June 2007
Proposed Methodology
(inputs on the left came initially from ISO-17799)
Step 1 – Find The Assets
• Asset = Anything that has value to the organization [ISO]
• Five identified asset categories:
  • Organizational (intellectual property rights, public image…)
  • Human
  • Information / data (administrative, personal, physics…)
  • Service (network, authentication, email, office…)
  • Hardware
• These are currently merged with “security requirements”
Baseline Assets
• Preliminary list of asset types likely to be present everywhere:
  • Locally managed PC
  • Network
  • Backup
  • Office servers
  • Application servers
  • Centralized authentication
Specific Assets
• Preliminary list of asset types that may be site specific:
  • Expensive and/or dangerous equipment
  • Services provided across the Internet
  • Local email service
  • Exchange of confidential data
  • Storage of confidential information
  • High-availability services
  • Internal resources available to visitors
  • External users
  • Centralized backup service
Step 2 – Find The Threats
• Threat = Potential cause of an unwanted incident, which may result in harm to a system or organization [ISO]
• A generic list of threats has been compiled
  • Around 50 threats identified
• Need to set the relevance of each threat for the given site
  • Linked to the role profiles (user / admin / developer / manager) and the asset types
Examples of Threats
Step 3 – Find The Risks
• Risk = Combination of the probability of an event and its consequence [ISO]
• We focus on threats
• Threats are linked to asset types
  • Need to know the relative importance of the asset types
• Threats are linked to controls (aka mitigation techniques)
  • Need to know how well the controls are applied
  • We could look at “best practices” too
Examples of Controls (based on ISO 17799)
Examples of Controls (based on OCTAVE)
Step 4 – Find The Countermeasures
• Step 3 gives a prioritized list of threats
  • From threats, we can link to recommendations and best practices
• Step 3 also gives the list of controls that can be improved and have a high impact on the overall security
  • From controls, we can also link to recommendations and best practices
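As an added illustration (not ISSeG's or CERN's own tooling), the following Python sketch wires Steps 2 to 4 together: threat relevance, the relative importance of the asset types a threat hits and how well its controls are applied are combined into a residual-risk score, which yields the prioritized threat list of Step 3 and the controls whose improvement has the highest impact for Step 4. The scoring formula, the asset/threat/control names and all numeric values are constructed assumptions; the slides define the inputs but not how to combine them.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    relevance: float    # Step 2: relevance of the threat for this site, 0..1
    asset_types: list   # asset types (Step 1) the threat can harm
    controls: list      # controls (mitigation techniques) linked to the threat

# Constructed sample data, not taken from the slides.
ASSET_IMPORTANCE = {            # relative importance of asset types, 0..1
    "locally managed PC": 0.4,
    "centralized authentication": 1.0,
    "backup": 0.7,
    "office servers": 0.6,
}
CONTROL_APPLIED = {             # how well each control is applied today, 0..1
    "patch management": 0.5,
    "strong passwords": 0.3,
    "offsite backup copies": 0.9,
    "network segregation": 0.2,
}
THREATS = [
    Threat("malware on desktop", 0.9, ["locally managed PC"],
           ["patch management", "network segregation"]),
    Threat("credential theft", 0.8, ["centralized authentication", "office servers"],
           ["strong passwords"]),
    Threat("loss of backup media", 0.3, ["backup"], ["offsite backup copies"]),
]

def exposure(threat, applied=CONTROL_APPLIED):
    """Assumed residual-risk formula: relevance x importance of the most
    valuable asset hit x share of mitigation still missing (1 - mean control
    application). Rounded so scores compare cleanly."""
    impact = max(ASSET_IMPORTANCE[a] for a in threat.asset_types)
    mitigation = sum(applied[c] for c in threat.controls) / len(threat.controls)
    return round(threat.relevance * impact * (1 - mitigation), 3)

def prioritized_threats(threats=THREATS):
    """Step 3 output: (score, threat name) pairs, highest residual risk first."""
    return sorted(((exposure(t), t.name) for t in threats), reverse=True)

def control_impact(threats=THREATS):
    """Step 4 input: total risk removed if a control were fully applied (1.0),
    i.e. which controls can be improved with the highest overall impact."""
    gains = {}
    for ctrl in CONTROL_APPLIED:
        fully = {**CONTROL_APPLIED, ctrl: 1.0}
        gains[ctrl] = round(sum(exposure(t) - exposure(t, fully) for t in threats), 3)
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)
```

With the sample data, `credential theft` tops the threat list and `strong passwords` is the control whose improvement removes the most residual risk, even though `network segregation` is the least applied control.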