
Certification and Accreditation CS-7493-01 Unit 4:RISK MANAGEMENT

Certification and Accreditation CS-7493-01 Unit 4:RISK MANAGEMENT. Jesus Gonzalez Kalpana Bahunoothula Jocelyne Farah. Acknowledgement. DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP) DOD 8510.1-M, DITSCAP Application Manual



Presentation Transcript


  1. Certification and Accreditation, CS-7493-01, Unit 4: RISK MANAGEMENT
     Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah

  2. Acknowledgement
     • DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
     • DOD 8510.1-M, DITSCAP Application Manual
     • Risk Management Guide for IT Systems by NIST
     • Basic Risk Management for DOD
     • E-commerce Risk Management slides (Dr. Hale CS slides)
     • Risk Management within an IT System Environment, Communications Security Establishment (CSE), Canada

  3. Overview • General definitions • Risk Management Process • C&A

  4. What is a Threat?
     • A threat is any circumstance or event with the potential to cause harm to an IS through:
       • Unauthorized access
       • Destruction
       • Disclosure
       • Modification of data
       • Denial of service

  5. What is a Vulnerability?
     • A vulnerability is a weakness in an IS's security procedures, internal controls, or implementation that could be exploited.

  6. So, What is Risk?
     Risk is the combined notion of the harm caused by specific events (threats) AND the likelihood that the harm will happen (through vulnerabilities).

  7. What is Residual Risk? • Residual risk is the portion of risk remaining after security measures have been applied

  8. Risk Management
     • Definition: the process of
       • identifying risk,
       • assessing risk, and
       • taking steps to reduce risk to an acceptable level (residual risk)

  9. Risk Management Cycle (diagram): Understand Mission Objectives → Understand Security Needs (Services) → Characterize Risk Posture (Threat Analysis) → Characterize What Can Be Done (Countermeasures) → Decide What Will Be Done → Implement Decided Actions, repeating as a cycle

  10. Mission Is Everything…
     • The mission defines component values:
       • People
       • Equipment
       • Information systems
       • Facilities
     • The mission is the guiding force for determining risk
     • The organization's mission must be understood by the risk management team
     • Information Systems (IS) play a critical role in supporting the mission

  11. Information System: Definition
     • A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (NTISSI No. 4009)

  12. Information System Assets
     • Hardware: PCs, servers, cables, disk drives, routers
     • Software: programs, utilities, O/S
     • Data and information: created, processed, stored, in databases, in transit, and removed
     • People: users, people needed to run systems
     • Documentation: programs, hardware, systems, local administrative procedures, the entire system
     • Supplies: paper, forms, ribbons, magnetic media

  13. Risk Management Cycle (diagram, first two steps highlighted): Understand Mission Objectives → Understand Security Needs (Services)

  14. ITSEC Class Characteristics

  15. ITSEC Classification: Mission Reliance on IS
     • The degree to which mission success depends on the system's operation, data, or infrastructure (Mission Reliance Factor):
       • None: mission not dependent on the specific aspect
       • Cursory: mission incidentally dependent on the specific aspect
       • Partial: mission partially dependent on the specific aspect
       • Total: mission totally dependent on the specific aspect
     Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IS-related risk.

  16. ITSEC Classification: Security Characteristics
     Security characteristic         Mission reliance alternatives
     CONFIDENTIALITY                 Sensitive, Classified, Special Access
     AVAILABILITY                    Reasonable, Soon, ASAP, Immediate
     INTEGRITY (ACCURACY)            NA, Approximate, Exact
     ACCOUNTABILITY (ATTRIBUTION)    None, Rudimentary, Basic, Comprehensive

  17. Mission Trees (diagram): two example missions, Develop Equipment (sub-missions: Equipment Performance Characteristics, Equipment Patentable Characteristics) and Deploy Missions (sub-missions: Warning Order, Movement Order), with each leaf tagged with its confidentiality (C), integrity (I) and availability (A) needs

  18. Risk Management Cycle (diagram, first three steps highlighted): Understand Mission Objectives → Understand Security Needs (Services) → Characterize Risk Posture (Threat Analysis)

  19. Threat Analysis: Sources
     • Threat agent: the individual or thing responsible
       • Adversarial (hackers and spies)
       • Non-adversarial (recreational hackers and accidents)
       • Disasters (floods and power outages)
     • Attack: the sequence of steps taken to cause an event
     • Finding vulnerabilities

  20. Threat Analysis: Basic Process
     • Identify/define the mission
     • Determine the required security services
     • Theory of adversarial behavior:
       • Identify potential adversaries
       • Determine adversary intentions/characteristics
       • Determine adversary strategies
     • Identify attack scenarios
     • Match adversary behavior with attack scenarios

  21. Threat Analysis: Mission Security Requirements
     • Threat: potential for harm
     • Three dimensions: confidentiality, integrity and availability
     • Confidentiality
       • Is the information valuable to adversaries?
       • What are the consequences of a leak within 1 minute, 1 hour, 1 day, 1 week?
     • Integrity
       • How dependent is the mission on the accuracy of the data?
       • What are the consequences of an integrity breach?
     • Availability
       • How dependent is the mission on access to data/services?
       • What are the consequences of unavailability (over time)?
       • Are there alternative modes of operation?

  22. Risk Management Cycle (diagram, first four steps highlighted): Understand Mission Objectives → Understand Security Needs (Services) → Characterize Risk Posture (Threat Analysis) → Characterize What Can Be Done (Countermeasures)

  23. Countermeasures: Characterize Options
     • What is the impact of specific attacks on the mission?
     • Which vulnerabilities may permit successful attacks?
     • Where should resources be expended to achieve the greatest reduction in risk?
     • Avoid the tendency to view vulnerabilities in isolation

  24. Countermeasure Selection
     • Countermeasure possibilities
     • Characterize countermeasure options
     • Compare countermeasure options
     • Determine changes to risk
     • Determine costs vs. benefits

  25. Countermeasures: Factors to Be Considered
     • Security mechanisms
     • Physical security
     • Personnel security
     • Administrative security
     • Media security
     • Life cycle controls
     • May a countermeasure change the initial design/mission?

  26. Risk Management Cycle (diagram, first five steps highlighted): Understand Mission Objectives → Understand Security Needs (Services) → Characterize Risk Posture (Threat Analysis) → Characterize What Can Be Done (Countermeasures) → Decide What Will Be Done

  27. Risk Analysis Options/Decisions
     • Overriding goal: mission success
     • Weighed in terms of costs versus benefits
     • Identify the pros and cons of each course of action
     • Decision options:
       • Reduce risk
       • Accept risk
       • Avoid risk
       • Transfer risk

  28. Countermeasures: Costs vs. Benefits (chart): mission impact (low to high) plotted against likelihood of successful attack (low to high), with option 1 (and its variants 1A and 1B) and option 2 positioned relative to the risk before countermeasures
     • BENEFITS: improved mission success
     • COSTS: dollars, additional people resources, lost system functionality, time

  29. What is acceptable?
     • Will we have 100% effectiveness?
       • Vulnerabilities eliminated
       • Vulnerabilities reduced
       • Vulnerabilities remaining: what are they? Why are they still there?
     • Is the risk acceptable? (Residual risk)
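To make the decision in slides 27 through 29 concrete, here is an added example (not from the presentation or its sources) that scores each threat as likelihood times harm, weighted by the Mission Reliance Factor from slide 15, ranks countermeasure options by risk reduction per unit cost as on slide 28, and checks whether the residual risk is acceptable. The multiplicative scoring, the reliance weights, the threats and the countermeasure figures are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Mission Reliance Factor levels (slide 15) mapped to weights; the numbers are assumptions
RELIANCE = {"None": 0.0, "Cursory": 0.25, "Partial": 0.6, "Total": 1.0}

@dataclass
class Threat:
    name: str
    service: str        # security service harmed: "C", "I" or "A"
    likelihood: float   # chance of a successful attack in the planning period (assumed)
    harm: float         # mission impact if the attack succeeds, 0..1 (assumed)
@dataclass
class Countermeasure:
    name: str
    cost: float                                  # dollars, people, lost functionality and time, as one figure
    reduces: dict = field(default_factory=dict)  # threat name -> fraction of its likelihood removed
def total_risk(threats, reliance, measures=()):
    """Risk = likelihood x harm, weighted by mission reliance on the affected service (slides 6, 15).
    Measures lower each threat's likelihood multiplicatively; what is left is the residual risk."""
    total = 0.0
    for t in threats:
        remaining = t.likelihood
        for m in measures:
            remaining *= 1.0 - m.reduces.get(t.name, 0.0)
        total += remaining * t.harm * RELIANCE[reliance[t.service]]
    return total

def rank_options(threats, reliance, options):
    """Slide 28: compare options by risk reduction (benefit) per unit cost, best first."""
    baseline = total_risk(threats, reliance)
    rows = [(o.name, baseline - total_risk(threats, reliance, [o]), o.cost) for o in options]
    return sorted(rows, key=lambda r: r[1] / r[2], reverse=True)

def decide(threats, reliance, chosen, acceptable):
    """Slides 27 and 29: after the chosen measures, is the residual risk acceptable?"""
    residual = total_risk(threats, reliance, chosen)
    return "accept" if residual <= acceptable else "reduce further, avoid or transfer"

# Constructed sample: a deployment-orders system in the spirit of the mission tree on slide 17
THREATS = [Threat("order disclosure", "C", 0.30, 0.8),
           Threat("order DB corruption", "I", 0.10, 1.0),
           Threat("order channel DoS", "A", 0.50, 0.6)]
RELIANCE_ON_IS = {"C": "Partial", "I": "Total", "A": "Total"}   # mission reliance per security service
OPTIONS = [Countermeasure("link encryption", 40, {"order disclosure": 0.9}),
           Countermeasure("integrity checks and backups", 25, {"order DB corruption": 0.7, "order channel DoS": 0.2}),
           Countermeasure("redundant order channel", 100, {"order channel DoS": 0.8})]
if __name__ == "__main__":
    for name, benefit, cost in rank_options(THREATS, RELIANCE_ON_IS, OPTIONS):
        print(f"{name:30s} benefit={benefit:.3f} cost={cost:5.0f} benefit/cost={benefit / cost:.4f}")
    print("decision:", decide(THREATS, RELIANCE_ON_IS, OPTIONS, acceptable=0.2))
```

The ranking puts the cheap integrity option first even though the redundant channel removes the most risk, which is the point of weighing benefit against cost rather than viewing each vulnerability in isolation.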

  30. Security Risk Management Process (figure): Government of Canada, Communications Security Establishment (CSE)

  31. Overview
     • Definitions
     • Risk Management (RM) Process
     • RM in the C&A process
       • Phase 1
       • Phase 2
       • Phase 3
       • Phase 4
     • Conclusion

  32. Certification
     • Certification is the comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

  33. Accreditation • Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

  34. Risk Management Cycle (diagram): Understand Mission Objectives → Understand Security Needs (Services) → Characterize Risk Posture (Threat Analysis) → Characterize What Can Be Done (Countermeasures) → Decide What Will Be Done → Implement Decided Actions, repeating as a cycle

  35. Security Risk Management Process (figure): Government of Canada, Communications Security Establishment (CSE)

  36. SSAA
     • System Security Authorization Agreement (SSAA)
     • The SSAA is a formal agreement among the DAA(s), the Certifier, the user representative, and the program manager.
     • It is used throughout the entire DITSCAP to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify potential solutions, and maintain operational systems security.

  37. Who are the players in C&A?
     • The Designated Approving Authority (DAA)
     • The Certification Authority
     • The Program Manager (PM)
     • The User Representative
     • Information System Security Officers (ISSO)

  38. Certification Authority (Certifier)
     • The certifier is the individual responsible for making a technical judgment of
       • the system's compliance with stated requirements,
       • identifying and assessing the risks associated with operating the system,
       • coordinating the certification activities, and
       • consolidating the final certification and accreditation package.
     • The certifier recommends one of four levels:
       • Level 1: Basic Security Review
       • Level 2: Minimum Analysis
       • Level 3: Detailed Analysis
       • Level 4: Comprehensive Analysis

  39. Designated Approving Authority (Accreditor)
     • The accreditor is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

  40. Phase 1: Definition (flow diagram): Document Mission Need → Preparation → Registration → Negotiation → Agreement? (No: loop back; Yes: SSAA)

  41. Phase 1: Risk Management
     • Preparation: the documentation is reviewed to understand the mission objectives.
     • Registration:
       • Potential threats are described, and the points where a failure affects confidentiality, integrity or availability (C, I, A) are stated.
       • System criticality and the acceptable risk for the system in meeting its mission responsibilities are defined.
       • System criticality should consider the impact if the system were not operational (loss of life from system failure, inability to meet contingencies, impact to credibility, and danger to national security). System criticality will affect the level of risk that is acceptable.
       • The certifier reviews this and, upon the agreement of the players, develops the draft and gives it to the DAA.

  42. Phase 1: Risk Management
     • Negotiation:
       • A Certification Requirements Review is performed, and the players agree on the security requirements, the level of effort and the schedule.
       • Finally, after DAA approval, the system is checked for readiness for Phase 2.

  43. Phase 2: Verification (flow diagram): SSAA from Phase 1 Definition → System Development → Certification Analysis → Ready for Certification? → Pass? → (Yes) Phase 3 Validation; a No at either decision loops back, and connector A returns to Phase 1 Definition

  44. Phase 2: Risk Management
     • SSAA refinement: if there has been a significant time delay since the completion of Phase 1, or if new people are involved in the C&A process, the SSAA should be reviewed in detail.
     • System Development: verifies that the requirements in the SSAA are met in the evolving system before it is integrated into the operating environment.

  45. Phase 2 (contd.)
     • Certification Analysis:
       • Vulnerability Assessment: the security vulnerabilities and residual risk are evaluated, and countermeasures are recommended by the certifier.
       • Output: a vulnerability assessment report is prepared by the program manager.
       • The certifier checks whether the system is ready for certification.
       • The DAA reviews the system for compliance with the SSAA.

  46. Phase 3: Validation (flow diagram): Certification Evaluation of Integrated System → Certify System? → (Yes) Develop Recommendation → Accreditation Granted? → (Yes) Phase 4: Post Accreditation; a No returns to Phase 1 Definition (connector A), with the SSAA maintained throughout

  47. Phase 3: Risk Management
     • Security Test and Evaluation: ST&E is done by the certifier to provide sufficient evidence of the amount of residual risk.
     • Risk Management overview:
       • Assessing the overall system security design and threats
       • Ensuring that risks to C, I and A are acceptable
       • For each risk, a statement is made by the certifier to accept the risk, reject the risk, or perform modifications
     • The certifier issues the system certification.

  48. Phase 3: Risk Management
     • The certifier may do one of the following:
       • Recommend that the IS not be accredited
       • Recommend that the IS be accredited
       • Uncover security deficiencies, but continue to believe that short-term system operation is within the bounds of acceptable risk
     • The certifier may recommend an Interim Approval to Operate (IATO), with the understanding that deficiencies will be corrected in a time period specified by the DAA.

  49. Phase 4: Post Accreditation (flow diagram): System Operation → Validation Req'd? → (Yes) Compliance Validation → Change Required? → (Yes) Phase 1: Definition, with the SSAA maintained throughout

  50. Phase 4: Risk Management
     • System operations: analyze known threats and new threats to see whether the system still protects against all of them.
       • The user representative oversees system operation and reports threats, vulnerabilities, or any security incidents.
       • The program manager reports changes in threats.
     • Compliance Validation: ensures that the IS complies with the security requirements and the threat assessment.
