Certification and Accreditation CS-7493-01 Unit 4: Risk Management

Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah

Posted on 30-Jan-2016 (PowerPoint presentation, 53 slides)

Description: Certification and Accreditation CS-7493-01 Unit 4: Risk Management. Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah. Acknowledgement: DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP); DOD 8510.1-M, DITSCAP Application Manual.

Transcript

Page 1: Certification and Accreditation CS-7493-01 Unit 4: Risk Management

Certification and Accreditation
CS-7493-01
Unit 4: Risk Management

Jesus Gonzalez
Kalpana Bahunoothula
Jocelyne Farah

Page 2: Acknowledgement

- DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
- DOD 8510.1-M, DITSCAP Application Manual
- Risk Management Guide for IT Systems, by NIST
- Basic Risk Management for DOD
- E-commerce Risk Management slides (Dr. Hale CS slides)
- Risk Management within an IT system environment, by Communication Security Establishment (CSE), Canada

Page 3: Overview

- General definitions
- Risk Management Process
- C&A

Page 4: What is a Threat?

A threat is any circumstance or event with the potential to cause harm to an IS through:
- Unauthorized access
- Destruction
- Disclosure
- Modification of data
- Denial of service

Page 5: What is a Vulnerability?

A vulnerability is a weakness in an IS's security procedures, internal controls, or implementation that could be exploited.

Page 6: So, What is Risk?

Risk is the combined notion of:

the harm caused by specific events (threats)

AND

the likelihood that the harm will happen (using vulnerabilities)

Page 7: What is Residual Risk?

Residual risk is the portion of risk remaining after security measures have been applied.

Page 8: Risk Management

Definition: the process of
- identifying risk,
- assessing risk, and
- taking steps to reduce risk to an acceptable level (residual risk).

Page 9: Risk Management Cycle

[Diagram: the risk management cycle. Understand Mission Objectives -> Understand Security Needs (Services) -> Characterize Risk Posture (Threat Analysis) -> Characterize What Can Be Done (Countermeasures) -> Decide What Will Be Done -> Implement Decided Actions, feeding back to the start.]

Page 10: Mission Is Everything...

- Mission defines component values:
  - People
  - Equipment
  - Information systems
  - Facilities
- Mission is the guiding force for determining risk.
- The organization's mission must be understood by the risk management team.
- Information Systems (IS) play a critical role in supporting the mission.

Page 11: Information System: Definition

A discrete set of information resources organized for the
- collection,
- processing,
- maintenance,
- use,
- sharing,
- dissemination, and
- disposition of information.

(NTISSI No. 4009)

Page 12: Information System Assets

- Hardware: PCs, servers, cables, disk drives, routers
- Software: programs, utilities, O/S
- Data and Information: created, processed, stored, databases, in transit, and removed
- People: users, people needed to run systems
- Documentation: programs, hardware, systems, local administrative procedures, on the entire system
- Supplies: paper, forms, ribbons, magnetic media

Page 13: Risk Management Cycle

[Diagram: the risk management cycle, with the first two stages highlighted: Understand Mission Objectives -> Understand Security Needs (Services).]

Page 14: ITSEC Class Characteristics

[Table: columns Characteristic | Operation | Data | Infrastructure | System Alternatives. Rows: Interfacing Mode, Processing Mode, Attribution Mode, Mission-Reliance Factor, Accessibility Factor, Accuracy Factor, Information Categories. The cell entries were not captured in the transcript.]

Page 15: ITSEC Classification: Mission Reliance on IS

The degree to which mission success depends on the system operation, data, or infrastructure (Mission Reliance Factor):
- None: mission not dependent on the specific aspect.
- Cursory: mission incidentally dependent on the specific aspect.
- Partial: mission partially dependent on the specific aspect.
- Total: mission totally dependent on the specific aspect.

Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IS-related risk.

Page 16: ITSEC Classification: Security Characteristics

Security Characteristic        Mission Reliance Alternative
CONFIDENTIALITY                Sensitive, Classified, Special Access
AVAILABILITY                   Reasonable, Soon, ASAP, Immediate
INTEGRITY / ACCURACY           NA, Approximate, Exact
ACCOUNTABILITY / ATTRIBUTION   None, Rudimentary, Basic, Comprehensive

Page 17: Mission Trees

[Diagram: a mission tree. "Missions" branches into "Deploy" (Warning Order, Movement Order) and "Develop" (Equipment Performance Characteristics, Equipment Patentable Characteristics); each leaf carries its own C, I, A requirements.]

Page 18: Risk Management Cycle

[Diagram: the risk management cycle, with three stages highlighted: Understand Mission Objectives -> Understand Security Needs (Services) -> Characterize Risk Posture (Threat Analysis).]

Page 19: Threat Analysis: Sources

- Threat agent: the individual or thing responsible
  - Adversarial (hackers & spies)
  - Non-adversarial (rec. hackers & accidents)
  - Disasters (floods & power outages)
- Attack: the sequence of steps taken to cause an event
- Finding vulnerabilities

Page 20: Threat Analysis: Basic Process

1. Identify/define the mission
2. Determine the required security services
3. Theory of adversarial behavior
   - Identify potential adversaries
   - Determine adversary intentions/characteristics
   - Determine adversary strategies
4. Identify attack scenarios
5. Match adversary behavior with attack scenarios

Page 21: Threat Analysis: Mission Security Requirements

- Threat: potential for harm
  - 3 dimensions: confidentiality, integrity & availability
- Confidentiality
  - Is the information valuable to adversaries?
  - Consequences of a leak? Within 1 minute, 1 hour, 1 day, 1 week
- Integrity
  - Mission dependency on accuracy of data?
  - Consequences of an integrity breach?
- Availability
  - Mission dependency on access to data/services?
  - Consequences of unavailability (over time)?
  - Alternative modes of operation?

Page 22: Risk Management Cycle

[Diagram: the risk management cycle, with four stages highlighted: Understand Mission Objectives -> Understand Security Needs (Services) -> Characterize Risk Posture (Threat Analysis) -> Characterize What Can Be Done (Countermeasures).]

Page 23: Countermeasures: Characterize Options

- What is the impact of specific attacks on the mission?
- Which vulnerabilities may permit successful attacks?
- Where should resources be expended to achieve the greatest reduction in risk?
- Avoid the tendency to view vulnerabilities in isolation.

Page 24: Countermeasure Selection

- Countermeasure possibilities
- Characterize countermeasure options
- Compare countermeasure options
- Determine changes to risk
- Determine costs vs. benefit

Page 25: Countermeasures: Factors to be Considered

- Security mechanisms
- Physical security
- Personnel security
- Administrative security
- Media security
- Life cycle controls

A countermeasure may change the initial design/mission?

Page 26: Risk Management Cycle

[Diagram: the risk management cycle, with five stages highlighted: Understand Mission Objectives -> Understand Security Needs (Services) -> Characterize Risk Posture (Threat Analysis) -> Characterize What Can Be Done (Countermeasures) -> Decide What Will Be Done.]

Page 27: Risk Analysis: Options/Decisions

- Overriding goal: mission success
- Weighted in terms of cost versus benefits
- Identify +/- for each course of action
- Decision options:
  - Reduce risk
  - Accept risk
  - Avoid risk
  - Transfer risk

[Diagram labels: risk avoidance, risk acceptance.]

Page 28: Countermeasures: Costs/Benefits

COSTS:
- Dollars
- Additional people resources
- Lost system functionality
- Time

BENEFITS:
- Improved mission success

[Chart: likelihood of successful attack (horizontal axis, Low to High) against mission impact (vertical axis, Low to High). Point (1) is the risk before countermeasures; points (1A) and (1B) show where the two countermeasure options (option 1, option 2) would move it.]

Page 29: What is Acceptable?

- Will we have 100% effectiveness?
  - Vulnerabilities eliminated
  - Vulnerabilities reduced
  - Vulnerabilities remaining
    - What are they?
    - Why are they still there?
    - Is the risk acceptable? (Residual risk)
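The deck defines risk as harm combined with likelihood (page 6), residual risk as what is left after countermeasures (page 7), and asks for countermeasures to be chosen by cost versus benefit and then checked against an acceptable level (pages 24, 27, 28 and 29). The following is an added illustration, not code from the slides: it models a small risk register with constructed Low/Medium/High weights, ranks countermeasure options by marginal risk reduction per unit cost, selects greedily within a budget, and reports which residual risks still exceed the accepted level. The numeric weights, threat entries and costs are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Qualitative ratings, as the deck uses them for harm and for the likelihood of a
# successful attack, mapped to constructed numeric weights so they can be combined.
SCALE = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class Threat:
    name: str
    impact: str      # harm to the mission if the event occurs
    likelihood: str  # likelihood of a successful attack before countermeasures

@dataclass
class Countermeasure:
    name: str
    cost: float                     # dollars, people, lost functionality and time, as one figure
    new_likelihood: Dict[str, str]  # threat name -> likelihood rating once this option is in place

def risk_score(impact: str, likelihood: str) -> int:
    """Risk as the deck defines it: harm combined with likelihood (1..9 on these scales)."""
    return SCALE[impact] * SCALE[likelihood]

def residual_risks(threats: Sequence[Threat], chosen: Sequence[Countermeasure]) -> Dict[str, int]:
    """Per-threat risk remaining after the chosen countermeasures are applied.
    An option can only lower a likelihood rating; the strongest reduction wins."""
    out = {}
    for t in threats:
        rating = t.likelihood
        for cm in chosen:
            candidate = cm.new_likelihood.get(t.name, rating)
            if SCALE[candidate] < SCALE[rating]:
                rating = candidate
        out[t.name] = risk_score(t.impact, rating)
    return out

def total_risk(threats: Sequence[Threat], chosen: Sequence[Countermeasure] = ()) -> int:
    return sum(residual_risks(threats, chosen).values())

def benefit_per_cost(threats, chosen, cm: Countermeasure) -> float:
    """Marginal risk reduction this option adds on top of those already chosen, per unit cost."""
    reduction = total_risk(threats, chosen) - total_risk(threats, list(chosen) + [cm])
    if reduction <= 0:
        return 0.0
    return reduction / cm.cost if cm.cost > 0 else float("inf")

def select_countermeasures(threats, options: Sequence[Countermeasure], budget: float):
    """Greedy cost-vs-benefit selection: keep taking the affordable option with the
    highest marginal risk reduction per dollar until nothing affordable still helps."""
    chosen: List[Countermeasure] = []
    spent = 0.0
    remaining = list(options)
    while remaining:
        scored = [(benefit_per_cost(threats, chosen, cm), cm)
                  for cm in remaining if spent + cm.cost <= budget]
        scored = [(b, cm) for b, cm in scored if b > 0]
        if not scored:
            break
        best = max(scored, key=lambda pair: pair[0])[1]
        chosen.append(best)
        spent += best.cost
        remaining.remove(best)
    return chosen, spent

def unacceptable(threats, chosen, acceptable_level: int) -> Dict[str, int]:
    """The page-29 question: which residual risks still exceed what the DAA will accept?"""
    return {n: r for n, r in residual_risks(threats, chosen).items() if r > acceptable_level}

# Constructed sample register (assumed values); threat names follow the deck's own threat list.
THREATS = [
    Threat("unauthorized access", "High", "High"),
    Threat("denial of service", "Medium", "Medium"),
    Threat("power outage", "High", "Low"),
]
OPTIONS = [
    Countermeasure("strong authentication", 40.0, {"unauthorized access": "Low"}),
    Countermeasure("rate limiting", 10.0, {"denial of service": "Low"}),
    Countermeasure("UPS and generator", 60.0, {"power outage": "Low"}),
]

if __name__ == "__main__":
    chosen, spent = select_countermeasures(THREATS, OPTIONS, budget=50.0)
    print("chosen:", [cm.name for cm in chosen], "spent:", spent, "residual total:", total_risk(THREATS, chosen))
    print("still above level 2:", unacceptable(THREATS, chosen, acceptable_level=2))
```

With the sample register the budget of 50 buys rate limiting and strong authentication, cutting total risk from 16 to 8, while the UPS option is rejected because it does not lower an already-Low likelihood; the remaining entries above the accepted level are the "vulnerabilities remaining" the slide asks about.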

Page 30: Security Risk Management Process

[Figure: Security Risk Management Process, Government of Canada, Communication Security Establishment (CSE).]

Page 31: Overview

- Definitions
- Risk Management (RM) Process
- RM in the C&A process
  - Phase 1
  - Phase 2
  - Phase 3
  - Phase 4
- Conclusion

Page 32: Certification

Certification is the comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

Page 33: Accreditation

Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

Page 34: Risk Management Cycle

[Diagram: the full risk management cycle. Understand Mission Objectives -> Understand Security Needs (Services) -> Characterize Risk Posture (Threat Analysis) -> Characterize What Can Be Done (Countermeasures) -> Decide What Will Be Done -> Implement Decided Actions.]

Page 35: Security Risk Management Process

[Figure: Security Risk Management Process, Government of Canada, Communication Security Establishment (CSE).]

Page 36: SSAA

System Security Authorization Agreement (SSAA)
- The SSAA is a formal agreement among the DAA(s), the Certifier, the user representative, and the program manager.
- It is used throughout the entire DITSCAP to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify potential solutions, and maintain operational systems security.

Page 37: Who are the Players in C&A?

They are:
- The Designated Approving Authority (DAA)
- Certification Authority
- Program Manager (PM)
- User Representative
- Information system security officers (ISSO)

Page 38: Certification Authority (Certifier)

The certifier is the individual responsible for making a technical judgment of
- the system's compliance with stated requirements,
- identifying and assessing the risks associated with operating the system,
- coordinating the certification activities, and
- consolidating the final certification and accreditation package.

The certifier recommends one of four levels:
- Level 1: Basic Security Review
- Level 2: Minimum Analysis
- Level 3: Detailed Analysis
- Level 4: Comprehensive Analysis

Page 39: Designated Approving Authority (Accreditor)

The accreditor is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

Page 40: Phase 1: Definition

[Flowchart: Document Mission Need -> Preparation -> Registration -> Negotiation -> Agreement? (No: loop back; Yes: SSAA).]

Page 41: Phase 1: Risk Management

- Preparation: the document is reviewed to understand the mission objectives.
- Registration:
  - Potential threats are described, and the points where a failure affects C, I, A are stated.
  - System criticality and the acceptable risk for the system in meeting the mission responsibilities are defined.
  - System criticality should consider the impact if the system were not operational (the impact of loss of life from system failure, inability to meet contingencies, impact to credibility, and danger to national security). System criticality will affect the level of risk that is acceptable.
  - The certifier reviews this and, upon the agreement of the players, develops the draft and gives it to the DAA.

Page 42: Phase 1: Risk Management

- Negotiation:
  - A Certification Requirements Review is performed and the players agree on the security requirements, the level of effort and the schedule.
  - Finally, after DAA approval, the system is checked to see whether it is ready for Phase 2.

Page 43: Phase 2: Verification

[Flowchart: from Phase 1 Definition (A) -> System Development -> Certification Analysis -> Pass? (No: loop back; Yes) -> Ready for Certification? (No: loop back; Yes: Phase 3 Validation). The SSAA is carried alongside.]

Page 44: Phase 2: Risk Management

- SSAA refinement: if there has been a significant time delay since the completion of Phase 1, or if new people are involved in the C&A process, the SSAA should be reviewed in detail.
- System Development: verifies that the requirements in the SSAA are met in the evolving system before it is integrated into the operating environment.

Page 45: Phase 2 (contd)

- Certification Analysis:
  - Vulnerability Assessment: the security vulnerabilities and residual risk are evaluated and countermeasures are recommended by the certifier.
  - Output: a vulnerability assessment report is prepared by the program manager.
  - The certifier checks whether the system is ready for certification.
  - The DAA reviews the system for compliance with the SSAA.

Page 46: Phase 3: Validation

[Flowchart: Certification Evaluation of Integrated System -> Develop Recommendation -> Certify System? (Yes) -> Accreditation Granted? (Yes: Phase 4 Post Accreditation; No: A, back to Phase 1 Definition). The SSAA is carried alongside.]

Page 47: Phase 3: Risk Management

- Security Test and Evaluation: ST&E is done by the certifier to provide sufficient evidence of the amount of residual risk.
- Risk Management overview:
  - Assessing the overall system security design and threats
  - Ensuring that risks to C, I, A are acceptable
- For each risk, a statement is made by the certifier to accept the risk, reject the risk or perform modifications.
- The certifier issues the system certification.

Page 48: Phase 3: Risk Management

The certifier may do one of the following:
- Recommend that the IS not be accredited
- Recommend that the IS be accredited
- Uncover security deficiencies, but continue to believe that the short-term system operation is within the bounds of acceptable risk

Note: the certifier may recommend an Interim Approval to Operate (IATO) with the understanding that deficiencies will be corrected in a time period specified by the DAA.

Page 49: Phase 4: Post Accreditation

[Flowchart: SSAA -> System Operation -> Compliance Validation -> Validation Req'd? (No / Yes) -> Change Required? (No / Yes: back to Phase 1 Definition).]

Page 50: Phase 4: Risk Management

- System operations: analyze known threats and new threats to see whether the system still protects against all of them.
  - The user representative oversees the system operation and reports threats, vulnerabilities or any security incidents.
  - The program manager reports changes in threats.
- Compliance Validation: ensures that the IS complies with the security requirements and threat assessment.

Page 51: Phase 4 (contd)

- ISSO
  - reviews the mission statement periodically
  - maintains integrity and initiates C&A if necessary
- The DAA reviews the proposed changes (changes in security policy, change in IT mission).

Note: C&A ends only with system termination.

Page 52: Conclusion

- The IS risks may not be completely eliminated by the countermeasures and safeguards: residual risk (acceptable level).
- The Certification and Accreditation process is a continuous process.

Page 53: Questions