Title: DATA-DRIVEN SECURITY: Risk Management for Homeland Security
DATA-DRIVEN SECURITY: Risk Management for Homeland Security
- Caroline R. Hamilton, President & Founder, RiskWatch, Inc.
WHY SECURITY PROGRAMS NEED A RISK MANAGEMENT APPROACH
"IF YOU CAN'T MEASURE IT, YOU CAN'T MANAGE IT!"
-- Peter Drucker
WORST THREAT ENVIRONMENT IN RECENT HISTORY
- Highly Charged Threat Environment
- September 11th
- International Terrorists - Al Qaeda, Tigers
- Uncertainty about how to proceed
- Many Security Organizations Still Unfunded
SECURITY AS A BUSINESS FUNCTION
- Problems with both Security and Privacy
- Growth of E-Business (e-health, e-commerce) is FORCING GOOD SECURITY
- Global standards are emerging, e.g. ISO/IEC 17799
- Aim for a holistic security program integrating corporate (physical) security and information security.
PHYSICAL SECURITY AND COMPUTER SECURITY HAVE TO WORK TOGETHER
OTHER INFLUENCES
- Increase in Security Requirements
- Increase in PENALTIES & FINES
- More Government Involvement in Security standards at infrastructure companies
Changing Face of Terrorism
- Identified terrorist groups - based on ideology and born in economic inequality
- Protest groups today are terrorists of tomorrow
- Underlying issues are unlikely to be solved
- Preventing terrorism becomes a chess game.
COMBATING TERRORISM REPORT BY THE GENERAL ACCOUNTING OFFICE, September 15, 2001
The risk assessment concept has been validated as a new way to manage risk and security by the U.S. General Accounting Office, which reported: "We have previously reported on the value of a new approach of using sound threat and risk assessments ... for focusing programs and investments to combat terrorism." (GAO/T-NSIAD-99-112)
U.S. GENERAL ACCOUNTING OFFICE (GAO) REPORT -- Serious Weaknesses Put U.S. State Department and FAA Operations at Risk
Washington D.C., May 19, 1998
"We obtained access to the State Dept. networks by breaching physical security, finding user account information on active terminals. We found user identification and passwords taped to one of the computers, and were able to access the LAN server and obtain supervisor-level access."
The reason our penetration tests were successful is that the State Department didn't perform risk assessments -- so they could not prioritize what needed to be protected and to what extent.
WHAT MANAGEMENT WANTS TO KNOW ABOUT SECURITY...
- What vulnerabilities/weaknesses are present in the organization today?
- What's the current threat level?
- How can we measure effectiveness of security?
- How much should we spend on new security features?
RISKWATCH PRODUCTS
- RiskWatch for Information Systems
- RiskWatch for Physical Security
- RiskWatch 17799 (ISO 17799)
- HIPAA-Watch
- DITSCAP Certification & Accreditation
- NIACAP Certification & Accreditation
WHAT'S RISKWATCH?
- Woman-owned company specializing in risk assessment software since 1988 in Annapolis, Maryland
- Served on NSA Rating Model Workshop, NIST-CSE Model Builders Workshop
- Working Group to Write DOD Directive on Risk Management under OSD
- Member, Maritime Security Council
RiskWatch Clients
DOD/Commercial Users
- DIA
- DISA
- LIWA
- NSA - OIG
- Joint Chiefs of Staff
- Office of Naval Intelligence
- U.S. Army
- Joint Warfighters
- NATO/NAMSA
- TRICARE
- Crowley Marine
- Dynegy
- Equistar/Lyondell
- General Electric
- KPMG
- Lockheed Martin
- ManTech
- PeDeVeSa
- PWC
- Ryder Logistics
- SAIC
- Wells Fargo Bank
FEDERAL AGENCIES
- U.S. Department of Commerce
- Canadian Dept. of National Defence
- U.S. Department of Defense
- U.S. Department of Energy
- Department of Health and Human Services
- U.S. Department of Justice (FBI)
- FDA
- U.S. Department of the Treasury
- Federal Aviation Administration
- NASA
- National Security Agency
BENEFITS FOR USERS
- Thousands of Questions
- Automated Question Utility
- Free Upgrades for the first year
- Free Training in Annapolis Every Month
- Tech Support
- User Group Conferences
ELEMENTS OF A METRICS-BASED RISK ASSESSMENT APPROACH
ASSETS - THREATS - VULNERABILITIES - LOSSES - SAFEGUARDS
SAMPLE ASSET CATEGORIES
INFORMATION ASSETS
- Accounting Systems
- Cash
- Communication Systems
- Data Centers
- Databases
- Evidence
- Facilities
- Networks
- Personnel
- System Software
PHYSICAL ASSETS
- Airplanes
- Cash
- Customers
- Evidence
- Facilities
- Fire Systems
- Monitoring Equipment
- Personnel
- Production Resources
- Real Property
- Security Systems
COLLECTING ASSET DATA
- Ability to import asset data from other parts of the organization
- What are proper methods for quantifying asset values? Criticality? Sensitivity?
- How can you quickly determine Present Day Replacement Values?
- How can you quantify the impact to your Company's reputation?
THREATS
- Kidnapping
- Natural Disasters
- Storms/Hurricanes
- Cold, Frost, Snow, Ice
- Tornados, Tsunami, Lightning
- Misuse of Corporate Resources
- Modification of Data
- Power Loss
- Rioting, Civil Disorders
- Sabotage
- Terrorist Acts
- Theft of Information
- Vandalism
- Accidents
- Arson
- Assault (Simple, Sexual, Aggravated)
- Blackmail
- Bomb Threats
- Chemical Contamination
- Errors
- Explosions, Major-Minor
- Extortion
- False Alarms
- Fraud, Embezzlement
IDENTIFYING THREAT DATA
- Quantified threat data is hard to find.
- Categories of Threats
- Natural Disasters, Criminal Activity
- Hackers, Corporate Espionage
- Collect data from Web Sources, government data, weather data, crime casts, global info services, access control systems, incident logs.
- Use data from internally collected sources
Discovering Vulnerabilities
- Vulnerabilities specific by organization
- Goes to the lowest common denominator
- Includes the whole organization
- Electronic surveys will increase accuracy and speed of survey collection
Quantifying Vulnerabilities
- Respondent Questionnaires have to be measurable, using real numbers
- Must be able to be easily aggregated
- Must include full audit trails for tracking identified weaknesses.
LOSS CATEGORIES
- Delays and Denials of Service
- Disclosure
- Direct Loss (Building Blows Up)
- Life (Employees, Customers)
- Modification of Data
- Related Direct (Cleaning up After)
- Reputation (Credibility)
SAFEGUARDS
- Alarm Systems
- Background Checks
- Barriers
- Biometric Controls
- Bomb Threat Procedures
- Bomb Detection & Identification
- CCTV Cameras
- Disaster Recovery Planning
- Emergency Response Planning
- Entry Controls
- Fire Controls
- Guard Services
- Incident Reporting
- Incident Response
- Intrusion Detection
- Lock & Key Controls
- Monitoring Systems
- Risk Assessment
- Security Planning
- Security Policies
- Security Staff
- Technical Surveillance
- Training Programs
- Visitor Controls
Additional Safeguard Cost Elements To Consider in Calculating Return On Investment (R.O.I.)
- The Initial Cost of Fully Implementing the Safeguard
- The Annual Cost of Operating the Safeguard
- The Annual Cost of Maintenance and Testing
- The Safeguard Life Cycle
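A worked ROI calculation, added here as an illustration and not RiskWatch's own algorithm: it combines the five elements named on the earlier slide (assets, threats, vulnerabilities, losses, safeguards) with the four safeguard cost elements listed above, using a generic annualized-loss-expectancy (ALE) model. The Exposure and Safeguard class names, the asset values, threat frequencies, vulnerability fractions, mitigation factors and costs are all constructed for the example.

```python
"""Safeguard ROI ranking from the five risk-assessment elements.

Added worked example; it is not RiskWatch's own algorithm. It applies a
generic annualized-loss-expectancy (ALE) model to the elements the deck
lists (assets, threats, vulnerabilities, losses, safeguards) and the four
safeguard cost elements from the ROI slide (initial cost, annual operating
cost, annual maintenance/testing cost, life cycle). All figures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset / threat / loss-category combination."""
    asset: str
    threat: str
    loss_category: str
    replacement_value: float   # present-day replacement value, dollars
    annual_frequency: float    # expected occurrences of the threat per year
    vulnerability: float       # fraction of value lost per occurrence, 0..1

    def ale(self) -> float:
        """Annualized loss expectancy for this exposure."""
        return self.replacement_value * self.vulnerability * self.annual_frequency


@dataclass(frozen=True)
class Safeguard:
    name: str
    initial_cost: float             # cost of fully implementing the safeguard
    annual_operating_cost: float
    annual_maintenance_cost: float  # maintenance and testing per year
    life_cycle_years: int
    # (threat, loss category) -> fraction of that exposure's ALE removed
    mitigates: dict

    def annualized_cost(self) -> float:
        """Spread the one-time cost over the life cycle, add recurring costs."""
        return (self.initial_cost / self.life_cycle_years
                + self.annual_operating_cost
                + self.annual_maintenance_cost)

    def annual_loss_avoided(self, exposures) -> float:
        """ALE removed across every exposure this safeguard mitigates."""
        return sum(e.ale() * self.mitigates.get((e.threat, e.loss_category), 0.0)
                   for e in exposures)


def total_ale(exposures) -> float:
    return sum(e.ale() for e in exposures)


def rank_safeguards(safeguards, exposures):
    """Rank safeguards by ROI ratio = annual loss avoided / annualized cost.
    A ratio below 1.0 means the control costs more per year than it saves."""
    rows = []
    for sg in safeguards:
        saved = sg.annual_loss_avoided(exposures)
        cost = sg.annualized_cost()
        rows.append({"safeguard": sg.name, "annual_loss_avoided": saved,
                     "annualized_cost": cost, "roi": saved / cost})
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


# Constructed sample data (not from the presentation).
EXPOSURES = [
    Exposure("Data Center", "Power Loss", "Delays and Denials of Service",
             2_000_000, 2.0, 0.05),
    Exposure("Data Center", "Terrorist Acts", "Direct Loss", 2_000_000, 0.01, 1.0),
    Exposure("Databases", "Theft of Information", "Disclosure", 500_000, 0.5, 0.2),
    Exposure("Databases", "Modification of Data", "Modification of Data",
             500_000, 1.0, 0.1),
]

SAFEGUARDS = [
    Safeguard("Finish Disaster Recovery Plan", 30_000, 5_000, 5_000, 5,
              {("Power Loss", "Delays and Denials of Service"): 0.8,
               ("Terrorist Acts", "Direct Loss"): 0.5}),
    Safeguard("Random Password Generation", 2_000, 500, 500, 4,
              {("Theft of Information", "Disclosure"): 0.3,
               ("Modification of Data", "Modification of Data"): 0.3}),
    Safeguard("Penetration Testing", 0, 40_000, 0, 1,
              {("Theft of Information", "Disclosure"): 0.2}),
]

if __name__ == "__main__":
    print(f"Total ALE before safeguards: ${total_ale(EXPOSURES):,.0f}")
    for row in rank_safeguards(SAFEGUARDS, EXPOSURES):
        print(f"{row['safeguard']:<32} saves ${row['annual_loss_avoided']:>9,.0f}/yr "
              f"costs ${row['annualized_cost']:>8,.0f}/yr  ROI {row['roi']:.1f}:1")
```

The ratio is annual loss avoided divided by annualized cost, so a control whose ratio falls below 1:1 costs more each year than it saves and drops to the bottom of the ranking no matter how reasonable it sounds. The life-cycle term is what makes the fourth cost element matter: the same initial cost spread over one year instead of five raises the annualized cost fivefold and can flip the recommendation.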
SAFEGUARDS
CUSTOMIZING QUESTIONS
- Questions Follow Audit Format
- Control Standard, Question Statement and Related Vulnerability
- Users Set Threshold for Compliance
- Each Question Validates Compliance with Standards
- Users can Add, Delete or Modify Questions
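The questionnaire mechanics from the Quantifying Vulnerabilities and Customizing Questions slides, as an added example that is not RiskWatch's questionnaire engine: each question carries a control standard, a question statement and a related vulnerability area; the user sets a numeric compliance threshold; every response is kept as an audit-trail record; and the records aggregate into a compliance percentage plus a breakdown of non-compliant findings by area, which is the data behind a breakdown chart like the one later in the deck. The standards references, question IDs, respondents and scores are constructed.

```python
"""Measurable questionnaire scoring with a full audit trail.

Added worked example; it is not RiskWatch's questionnaire engine. It
follows the deck's description: questions in audit format (control
standard, statement, related vulnerability area), a user-set numeric
threshold for compliance, one audit-trail record per response, and
aggregation into compliance vs. non-compliance percentages and a
per-area breakdown. Standards references, questions and scores are
constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    control_standard: str   # constructed reference, e.g. "ISO 17799 9.2"
    statement: str
    vulnerability_area: str
    threshold: float        # score (0..100) at or above which the answer is compliant


@dataclass(frozen=True)
class Response:
    qid: str
    respondent: str
    score: float            # measured value, 0..100, not a yes/no opinion
    evidence: str           # what the respondent checked to arrive at the score


def evaluate(questions, responses):
    """One audit-trail record per response: who answered, what was measured,
    which standard and threshold applied, and the resulting decision."""
    by_id = {q.qid: q for q in questions}
    records = []
    for r in responses:
        q = by_id[r.qid]
        records.append({
            "qid": q.qid,
            "control_standard": q.control_standard,
            "vulnerability_area": q.vulnerability_area,
            "respondent": r.respondent,
            "score": r.score,
            "threshold": q.threshold,
            "compliant": r.score >= q.threshold,   # meeting the threshold counts
            "evidence": r.evidence,
        })
    return records


def compliance_rate(records) -> float:
    """Percentage of responses that met their threshold."""
    compliant = sum(1 for rec in records if rec["compliant"])
    return round(100.0 * compliant / len(records), 1)


def noncompliance_breakdown(records) -> dict:
    """Percent of non-compliant findings per vulnerability area (sums to 100)."""
    counts = Counter(rec["vulnerability_area"] for rec in records if not rec["compliant"])
    total = sum(counts.values())
    if total == 0:
        return {}
    return {area: round(100.0 * n / total, 1) for area, n in counts.items()}


# Constructed questionnaire and responses (not from the presentation).
QUESTIONS = [
    Question("AC-1", "ISO 17799 9.2", "Percent of user accounts tied to one named person", "Access Control", 70),
    Question("AC-2", "ISO 17799 9.2", "Percent of dormant accounts disabled within 30 days", "Access Control", 70),
    Question("POL-1", "ISO 17799 3.1", "Percent of staff who signed the current security policy", "Policy", 80),
    Question("PROC-1", "ISO 17799 7.1", "Percent of visitor entries with an escort recorded", "Procedures", 70),
    Question("DI-1", "ISO 17799 10.2", "Percent of production databases with integrity checks on", "Data Integrity", 70),
    Question("DI-2", "ISO 17799 10.2", "Percent of critical files under checksum monitoring", "Data Integrity", 70),
]

RESPONSES = [
    Response("AC-1", "S. Ortiz", 40, "Sampled 50 accounts from the directory export"),
    Response("AC-2", "S. Ortiz", 90, "Reviewed last quarter's deprovisioning tickets"),
    Response("POL-1", "M. Chen", 60, "Counted signed acknowledgement forms in HR files"),
    Response("PROC-1", "M. Chen", 70, "Checked visitor log for March"),
    Response("DI-1", "R. Patel", 30, "Queried integrity-check flag on each database"),
    Response("DI-2", "R. Patel", 65, "Compared monitoring config against critical-file list"),
]

if __name__ == "__main__":
    recs = evaluate(QUESTIONS, RESPONSES)
    print(f"Compliant: {compliance_rate(recs)}%")
    for area, pct in sorted(noncompliance_breakdown(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {area:<16} {pct:5.1f}% of non-compliant findings")
    for rec in recs:
        if not rec["compliant"]:
            print(f"  {rec['qid']} {rec['control_standard']} score {rec['score']} < {rec['threshold']}"
                  f" ({rec['respondent']}: {rec['evidence']})")
```

Because every record carries the standard, the threshold, the respondent and the evidence, a reviewer can trace any slice of the breakdown back to the specific answers that produced it, and raising or lowering a threshold is a change to the question rather than a rewrite of the findings.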
RESULTS FROM THE RISK ASSESSMENTS
- Measurable data which can be benchmarked
- Prove validity of findings with full audit trails
- Use of recognized statistical probability models
- Complete reports, tailored for management
APPLYING THE RISK ASSESSMENT MODEL
- Homeland Security
- Aviation Security
- Maritime Security
- Compliance with Privacy Standards
- Critical Infrastructure Protection
- GISRA
AUTOMATING THE RISK MANAGEMENT SYSTEM HARDENS A SECURITY PROGRAM
RISK ASSESSMENT DETERMINES WHAT CONTROLS ARE NEEDED TO PROTECT AN ORGANIZATION'S ASSETS, BOTH ADEQUATELY AND COST-EFFECTIVELY.
VULNERABILITY ASSESSMENT RESULTS
BREAKDOWN OF THE NON-COMPLIANT VULNERABILITIES (chart; values are percentages of the non-compliant findings)
- Data Integrity (12.0)
- 15 Others (26.0)
- Procedures (12.0)
- Access Control (10.0)
- Audit Trails (6.0)
- Disclosure (6.0)
- Policy (10.0)
- Reliability (8.0)
- Accountability (10.0)
VULNERABILITY DISTRIBUTION CHART
How To Calculate Return on Investment
- Finish Disaster Recovery Plan: 2000:1
- Random Password Generation: 1200:1
- Distribute Security Policy: 943:1
- Mandatory Security Awareness Training: 75:1
- Penetration Testing: 50:1
SAFEGUARD REPORT -- RECOMMENDED CONTROLS BY RETURN ON INVESTMENT
RiskWatch Reports Writes the Complete Report for You
- Assets: the asset replacement costs by category and combined.
- Vulnerabilities: percentage of compliance vs. non-compliance; how vulnerabilities are distributed by category.
- Sample report text: "The risk analysis identified 35 vulnerabilities covering twenty-two vulnerability areas: lack of package control at store entrances; inadequate training of security guards; the level and extent of security training of store personnel."
- Threats: threat profile for your organization.
- Executive Summary automatically generated
RISKWATCH PRICING
- Single User Licenses
- 5-pak,
- 10-pak
- Site Licenses
- Agency-level Licenses
THE BOTTOM LINE
- Security Problems will Continue to Increase as Terrorism Continues
- Measuring and Managing Security by Return on Investment gives you the best bang for the buck
- Risk Assessment is the best way to quantify areas of weakness and focus security controls.
FOR MORE INFORMATION
CHAMILTON@RISKWATCH.COM
RiskWatch, Inc., 2568 A Riva Rd., Suite 300, Annapolis, MD 21401