Certification and Accreditation CS-7493-01 Unit 4: Risk Management
DESCRIPTION
Certification and Accreditation CS-7493-01 Unit 4: Risk Management. Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah. Acknowledgement: DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP); DOD 8510.1-M, DITSCAP Application Manual.
TRANSCRIPT
Certification and Accreditation
CS-7493-01
Unit 4: Risk Management
Jesus Gonzalez, Kalpana Bahunoothula, Jocelyne Farah
Acknowledgement
– DOD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
– DOD 8510.1-M, DITSCAP Application Manual
– Risk Management Guide for IT Systems, NIST
– Basic Risk Management for DOD
– E-commerce Risk Management slides (Dr. Hale CS slides)
– Risk Management within an IT System Environment, Communications Security Establishment (CSE), Canada
Overview
– General definitions
– Risk Management Process
– C&A
What is a Threat?
A threat is any circumstance or event with the potential to cause harm to an IS through:
– Unauthorized access
– Destruction
– Disclosure
– Modification of data
– Denial of service
What is a Vulnerability?
A vulnerability is a weakness in an IS's security procedures, internal controls, or implementation that could be exploited.
So, What is Risk?
Risk is the combined notion of . . .
– the harm caused by specific events (threats)
AND
– the likelihood that the harm will happen (by exploiting vulnerabilities)
What is Residual Risk?
Residual risk is the portion of risk remaining after security measures have been applied.
Risk Management
Definition: the process of
– identifying risk,
– assessing risk, and
– taking steps to reduce risk to an acceptable level (residual risk).
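The definitions above (threat, vulnerability, risk as harm combined with likelihood, residual risk, acceptable level) can be put to work in a small risk register. The following is an added example, not code from the slides or from any of the referenced DoD, NIST or CSE documents; the three-level scales, the combination matrix and the sample threats are assumptions chosen for illustration.

```python
"""Risk register: score risk from likelihood and impact, apply
countermeasures, and compare the residual risk with what is acceptable.

Added example, not from the slides.  The three-level scales and the
combination matrix are assumptions chosen for illustration; a real
assessment uses the scales its policy prescribes.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")  # assumed ordinal scale for both axes

# Assumed matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass
class Countermeasure:
    name: str
    likelihood_reduction: int = 0  # steps down the LEVELS scale
    impact_reduction: int = 0      # steps down the LEVELS scale


@dataclass
class Risk:
    threat: str          # event that could cause harm
    vulnerability: str   # weakness the threat would exploit
    likelihood: str      # chance the threat exploits the vulnerability
    impact: str          # harm to the mission if it does
    countermeasures: list = field(default_factory=list)


def step_down(level, steps):
    """Move a level down the scale, never below the lowest level."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def inherent_risk(r):
    """Risk before any countermeasure: harm combined with likelihood."""
    return RISK_MATRIX[r.likelihood][r.impact]


def residual_risk(r):
    """Risk left after every countermeasure on the register is applied."""
    lik, imp = r.likelihood, r.impact
    for cm in r.countermeasures:
        lik = step_down(lik, cm.likelihood_reduction)
        imp = step_down(imp, cm.impact_reduction)
    return RISK_MATRIX[lik][imp]


def is_acceptable(r, acceptable="Low"):
    """True when the residual risk is at or below the acceptable level."""
    return LEVELS.index(residual_risk(r)) <= LEVELS.index(acceptable)


def needs_treatment(register, acceptable="Low"):
    """Threats whose residual risk is still above the acceptable level."""
    return [r.threat for r in register if not is_acceptable(r, acceptable)]


def build_register():
    """Constructed sample register (hypothetical system and threats)."""
    return [
        Risk("Disclosure of warning order", "unencrypted WAN link",
             likelihood="High", impact="High",
             countermeasures=[Countermeasure("link encryption", likelihood_reduction=2)]),
        Risk("Denial of service to message server", "single server, no spare",
             likelihood="Medium", impact="Medium",
             countermeasures=[Countermeasure("warm standby server", impact_reduction=1)]),
    ]


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.threat}: inherent={inherent_risk(r)} residual={residual_risk(r)}")
    print("still above Low:", needs_treatment(build_register()))
```

Note that encrypting the link drives the likelihood of disclosure down but leaves the impact of a disclosure untouched, so the residual risk stays at Medium; whether that is acceptable is a decision for the DAA, not something the register can settle.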
Risk Management Cycle (figure)
Understand Mission Objectives -> Understand Security Needs (Services) -> Characterize Risk Posture (Threat Analysis) -> Characterize What Can Be Done (Countermeasures) -> Decide What Will Be Done -> Implement Decided Actions -> back to Understand Mission Objectives
Mission Is Everything…
Mission defines component values:
– People
– Equipment
– Information systems
– Facilities
Mission is the guiding force for determining risk.
The organization's mission must be understood by the risk management team.
Information Systems (IS) play a critical role in supporting the mission.
Information System: Definition
A discrete set of information resources organized for the
– collection
– processing
– maintenance
– use
– sharing
– dissemination
– disposition of information
(NTISSI No. 4009)
Information System Assets
– Hardware: PCs, servers, cables, disk drives, routers
– Software: programs, utilities, O/S
– Data and Information: created, processed, stored, in databases, in transit, and removed
– People: users, people needed to run systems
– Documentation: programs, hardware, systems, local administrative procedures, the entire system
– Supplies: paper, forms, ribbons, magnetic media
Risk Management Cycle (figure; stages highlighted: Understand Mission Objectives, Understand Security Needs (Services))
ITSEC Class Characteristics
Table columns: Characteristic | Operation | Data | Infrastructure | System | Alternatives
Rows (characteristics):
– Interfacing Mode
– Processing Mode
– Attribution Mode
– Mission-Reliance Factor
– Accessibility Factor
– Accuracy Factor
– Information Categories
ITSEC Classification: Mission Reliance on IS
The degree to which mission success depends on the system's operation, data, or infrastructure (Mission Reliance Factor):
– None: mission not dependent on the specific aspect.
– Cursory: mission incidentally dependent on the specific aspect.
– Partial: mission partially dependent on the specific aspect.
– Total: mission totally dependent on the specific aspect.
Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IS-related risk.
ITSEC Classification: Security Characteristics
Security Characteristic | Mission Reliance Alternatives
CONFIDENTIALITY | Sensitive, Classified, Special Access
AVAILABILITY | Reasonable, Soon, ASAP, Immediate
INTEGRITY / ACCURACY | NA, Approximate, Exact
ACCOUNTABILITY / ATTRIBUTION | None, Rudimentary, Basic, Comprehensive
Mission Trees (figure)
Missions branch into sub-missions, and each leaf is rated for C, I and A:
– Deploy: Warning Order (C I A); Movement Order (C I A)
– Develop: Equipment Performance Characteristics (C I A); Equipment Patentable Characteristics (C I A)
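A mission tree only earns its keep if the leaf ratings can be rolled up to tell the team what the system as a whole must provide, and which sub-missions are driving that. The following is an added example, not code from the slides: the tree shape follows the Mission Trees figure and the ordinal scales are the ones on the security-characteristics slide, but the leaf ratings, the assumption that each scale is listed from least to most demanding, and the rule that a parent needs the strictest level among its children are all illustrative assumptions.

```python
"""Mission tree: roll each leaf mission's security needs up to the root and
find which leaves drive the top-level need for each service.

Added example, not from the slides.  The tree shape follows the Mission
Trees slide; the leaf ratings, the ordering of the scales and the rule
that a parent needs the strictest level among its children are assumptions.
"""

# Ordinal scales, least to most demanding (assumed ordering of the slide's lists).
SCALES = {
    "C": ["Sensitive", "Classified", "Special Access"],
    "I": ["NA", "Approximate", "Exact"],
    "A": ["Reasonable", "Soon", "ASAP", "Immediate"],
}


class Mission:
    def __init__(self, name, needs=None, children=()):
        self.name = name
        self.needs = dict(needs or {})   # leaf only: {"C": ..., "I": ..., "A": ...}
        self.children = list(children)


def rank(service, level):
    return SCALES[service].index(level)


def strictest(service, levels):
    return max(levels, key=lambda lvl: rank(service, lvl))


def leaves(mission):
    if not mission.children:
        return [mission]
    return [leaf for c in mission.children for leaf in leaves(c)]


def rollup(mission):
    """Security needs of a mission: its own if it is a leaf, otherwise the
    strictest need among its sub-missions, service by service."""
    if not mission.children:
        return dict(mission.needs)
    return {svc: strictest(svc, [rollup(c)[svc] for c in mission.children])
            for svc in SCALES}


def drivers(mission, service):
    """Leaf missions whose own need sets the rolled-up level for a service;
    these are the missions a countermeasure for that service protects most."""
    top = rollup(mission)[service]
    return [leaf.name for leaf in leaves(mission) if leaf.needs[service] == top]


def build_tree():
    """The slide's tree with constructed (hypothetical) leaf ratings."""
    return Mission("Missions", children=[
        Mission("Deploy", children=[
            Mission("Warning Order", {"C": "Classified", "I": "Exact", "A": "Immediate"}),
            Mission("Movement Order", {"C": "Classified", "I": "Exact", "A": "ASAP"}),
        ]),
        Mission("Develop", children=[
            Mission("Equipment Performance Characteristics",
                    {"C": "Sensitive", "I": "Exact", "A": "Soon"}),
            Mission("Equipment Patentable Characteristics",
                    {"C": "Sensitive", "I": "Approximate", "A": "Reasonable"}),
        ]),
    ])


if __name__ == "__main__":
    root = build_tree()
    print("root needs:", rollup(root))
    for svc in SCALES:
        print(svc, "driven by:", drivers(root, svc))
```

With these ratings the whole system inherits "Immediate" availability from a single leaf (the warning order), which is exactly the kind of finding that tells the team where an availability countermeasure or an alternative mode of operation would matter most.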
Risk Management Cycle (figure; stage highlighted: Characterize Risk Posture (Threat Analysis))
Threat Analysis: Sources
Threat agent: the individual or thing responsible
– Adversarial (hackers and spies)
– Non-adversarial (recreational hackers and accidents)
– Disasters (floods and power outages)
Attack: a sequence of steps taken to cause an event
Finding vulnerabilities
Threat Analysis: Basic Process
1. Identify/define the mission
2. Determine the required security services
3. Theory of adversarial behavior
   – Identify potential adversaries
   – Determine adversary intentions/characteristics
   – Determine adversary strategies
4. Identify attack scenarios
5. Match adversary behavior with attack scenarios
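Steps 2 to 5 of that process can be made mechanical once adversaries and attack scenarios are written down in a comparable form. The following is an added example, not from the slides or the referenced documents: the three agent classes are the ones on the Threat Analysis: Sources slide, while the capability tiers, the sample agents and the scenarios are constructed for illustration.

```python
"""Matching adversary behaviour with attack scenarios (steps 3 to 5 of the
threat-analysis process), filtered by the security services the mission
needs (step 2).

Added example, not from the slides.  The agent classes follow the Threat
Analysis: Sources slide; capability tiers, agents and scenarios are
constructed for illustration.
"""
from dataclasses import dataclass

# Assumed capability tiers, least to most capable.
CAPABILITY = ("none", "opportunistic", "skilled", "well-resourced")


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    kind: str              # "adversarial", "non-adversarial" or "disaster"
    capability: str        # entry in CAPABILITY
    intentions: frozenset  # services (C, I, A) an adversarial agent sets out to harm


@dataclass(frozen=True)
class Scenario:
    name: str
    caused_by: frozenset   # agent kinds that can produce this sequence of steps
    needs_capability: str  # minimum capability to carry it out
    harms: str             # security service violated: "C", "I" or "A"


def can_execute(agent, scenario):
    """An agent matches a scenario when it is the right kind of agent, is
    capable enough and, if it is a deliberate attacker, wants that harm."""
    if agent.kind not in scenario.caused_by:
        return False
    if CAPABILITY.index(agent.capability) < CAPABILITY.index(scenario.needs_capability):
        return False
    if agent.kind == "adversarial":
        return scenario.harms in agent.intentions
    return True  # accidents and disasters need no intent


def threat_matrix(agents, scenarios, mission_services):
    """Credible (agent, scenario) pairs against services the mission relies
    on, most capable agent first."""
    pairs = [(a, s) for a in agents for s in scenarios
             if s.harms in mission_services and can_execute(a, s)]
    pairs.sort(key=lambda p: -CAPABILITY.index(p[0].capability))
    return [(a.name, s.name) for a, s in pairs]


def unmatched_scenarios(agents, scenarios):
    """Scenarios no identified agent can execute: either the adversary list
    is incomplete or the scenario can be deprioritised."""
    return [s.name for s in scenarios if not any(can_execute(a, s) for a in agents)]


def sample_agents():
    adv, non, dis = "adversarial", "non-adversarial", "disaster"
    return [
        ThreatAgent("foreign intelligence service", adv, "well-resourced", frozenset("C")),
        ThreatAgent("hacktivist", adv, "skilled", frozenset("IA")),
        ThreatAgent("recreational hacker", non, "opportunistic", frozenset()),
        ThreatAgent("operator error", non, "none", frozenset()),
        ThreatAgent("power outage", dis, "none", frozenset()),
    ]


def sample_scenarios():
    adv, non, dis = "adversarial", "non-adversarial", "disaster"
    return [
        Scenario("intercept unencrypted link", frozenset({adv}), "skilled", "C"),
        Scenario("deface public web server", frozenset({adv, non}), "opportunistic", "I"),
        Scenario("flood network link", frozenset({adv, non}), "opportunistic", "A"),
        Scenario("accidental record deletion", frozenset({non}), "none", "I"),
        Scenario("site loses power", frozenset({dis}), "none", "A"),
        Scenario("insert rogue firmware in supply chain", frozenset({adv}), "well-resourced", "I"),
    ]


if __name__ == "__main__":
    agents, scenarios = sample_agents(), sample_scenarios()
    for pair in threat_matrix(agents, scenarios, {"C", "A"}):
        print("credible:", pair)
    print("no matching agent:", unmatched_scenarios(agents, scenarios))
```

The unmatched list is worth reading as carefully as the matrix: a scenario that no listed agent can execute either lacks a credible adversary or, more often, reveals that the adversary list from step 3 is incomplete.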
Threat Analysis: Mission Security Requirements
Threat: potential for harm
– 3 dimensions: confidentiality, integrity and availability
Confidentiality
– Is the information valuable to adversaries?
– Consequences of a leak? Within 1 minute, 1 hour, 1 day, 1 week
Integrity
– Mission dependency on the accuracy of data?
– Consequences of an integrity breach?
Availability
– Mission dependency on access to data/services?
– Consequences of unavailability (over time)?
– Alternative modes of operation?
Risk Management Cycle (figure; stage highlighted: Characterize What Can Be Done (Countermeasures))
Countermeasures: Characterize Options
– What is the impact of specific attacks on the mission?
– Which vulnerabilities may permit successful attacks?
– Where should resources be expended to achieve the greatest reduction in risk?
– Avoid the tendency to view vulnerabilities in isolation.
Countermeasure Selection
– Countermeasure possibilities
– Characterize countermeasure options
– Compare countermeasure options
– Determine changes to risk
– Determine costs vs. benefit
Countermeasures: Factors to Be Considered
– Security mechanisms
– Physical security
– Personnel security
– Administrative security
– Media security
– Life cycle controls
Might a countermeasure change the initial design or mission?
Risk Management Cycle (figure; stage highlighted: Decide What Will Be Done)
Risk Analysis: Options/Decisions
– Overriding goal: mission success
– Weighed in terms of cost versus benefits
– Identify the +/- for each course of action
Decision options:
– Reduce risk
– Accept risk
– Avoid risk
– Transfer risk
Countermeasures: Costs/Benefits (figure)
COSTS: dollars, additional people resources, lost system functionality, time
BENEFITS: improved mission success
Plot: likelihood of successful attack (Low to High) against mission impact (Low to High). Point (1) is the risk before countermeasures; (1A) and (1B) show where option 1 and option 2 move it.
What is Acceptable?
Will we have 100% effectiveness?
– Vulnerabilities eliminated
– Vulnerabilities reduced
– Vulnerabilities remaining: What are they? Why are they still there? Is the risk acceptable? (Residual risk)
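The cost-versus-benefit comparison, the instruction not to view vulnerabilities in isolation, and the final accept-or-treat-further decision on residual risk can be worked through on a small set of numbers. The following is an added example, not code from the slides or the referenced documents; it scores risk quantitatively as likelihood of a successful attack times mission impact, following the axes of the costs/benefits figure, and the dollar costs, likelihood factors, budget and acceptable level are all constructed for illustration.

```python
"""Countermeasure selection by cost versus benefit, and the decision on the
residual risk that remains.

Added example, not from the slides.  Risk is scored as likelihood x mission
impact (the axes of the costs/benefits figure); the costs, likelihood
factors, budget and acceptable level are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # chance of a successful attack over the period, 0..1
    impact: float       # harm to the mission, 0 (none) .. 10 (mission fails)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float         # dollars (people, time and lost function would be costed too)
    effects: dict       # risk name -> factor the likelihood is multiplied by


def exposure(risks, selected):
    """Total risk (sum of likelihood x impact) after the selected
    countermeasures are applied.  One countermeasure may touch several
    risks, so vulnerabilities are not scored in isolation."""
    total = 0.0
    for r in risks:
        lik = r.likelihood
        for cm in selected:
            lik *= cm.effects.get(r.name, 1.0)
        total += lik * r.impact
    return total


def select(risks, options, budget):
    """Greedy choice: repeatedly add the affordable option with the largest
    risk reduction per dollar, measured against what is already chosen so
    that overlapping countermeasures are not double-counted."""
    chosen, remaining, spent = [], list(options), 0.0
    while True:
        base = exposure(risks, chosen)
        best, best_ratio = None, 0.0
        for cm in remaining:
            if spent + cm.cost > budget:
                continue
            ratio = (base - exposure(risks, chosen + [cm])) / cm.cost
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            return chosen
        chosen.append(best)
        remaining.remove(best)
        spent += best.cost


def decide(risks, selected, acceptable):
    """Residual risk is what the chosen countermeasures leave behind: accept
    it if within the acceptable level, otherwise a further decision is due
    (reduce more, avoid the activity, or transfer the risk)."""
    residual = exposure(risks, selected)
    return ("accept" if residual <= acceptable else "treat further"), residual


def sample_risks():
    """Constructed risks for a hypothetical orders-distribution system."""
    return [
        Risk("disclosure of orders", likelihood=0.5, impact=8),
        Risk("denial of service", likelihood=0.4, impact=5),
        Risk("tampering with orders", likelihood=0.2, impact=6),
    ]


def sample_options():
    """Constructed countermeasure options with assumed costs and effects."""
    return [
        Countermeasure("encrypt WAN link", 20000,
                       {"disclosure of orders": 0.1, "tampering with orders": 0.5}),
        Countermeasure("failover site", 30000, {"denial of service": 0.25}),
        Countermeasure("firewall tuning", 5000,
                       {"denial of service": 0.5, "disclosure of orders": 0.8}),
    ]


if __name__ == "__main__":
    risks, options = sample_risks(), sample_options()
    chosen = select(risks, options, budget=40000)
    print("before:", exposure(risks, []))
    print("chosen:", [cm.name for cm in chosen])
    print("decision:", decide(risks, chosen, acceptable=2.0))
```

With a $40,000 budget the cheap firewall tuning is taken first because it buys the most reduction per dollar, link encryption follows, and the failover site no longer fits; whether the remaining denial-of-service exposure is accepted, transferred or dealt with by an alternative mode of operation is then an explicit decision rather than something that quietly fell off the bottom of the list.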
Security Risk Management Process
Government of Canada, Communications Security Establishment (CSE)
Overview
– Definitions
– Risk Management (RM) Process
– RM in the C&A process: Phase 1, Phase 2, Phase 3, Phase 4
– Conclusion
Certification
Certification is the comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.
Accreditation
Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
Risk Management Cycle (figure; all stages shown, stage highlighted: Implement Decided Actions)
SSAA
System Security Authorization Agreement (SSAA):
– The SSAA is a formal agreement among the DAA(s), the Certifier, the user representative, and the program manager.
– It is used throughout the entire DITSCAP to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify potential solutions, and maintain operational systems security.
Who are the players in C&A?
– The Designated Approving Authority (DAA)
– Certification Authority
– Program Manager (PM)
– User Representative
– Information System Security Officer (ISSO)
Certification Authority (Certifier)
The certifier is the individual responsible for making a technical judgment of the system's compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation package.
The certifier recommends one of four certification levels:
– Level 1: Basic Security Review
– Level 2: Minimum Analysis
– Level 3: Detailed Analysis
– Level 4: Comprehensive Analysis
Designated Approving Authority (Accreditor)
The accreditor is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
Phase 1: Definition (flow figure)
Document Mission Need -> Preparation -> Registration -> Negotiation -> Agreement? (No: loop back; Yes: SSAA)
Phase 1: Risk Management
Preparation: the documentation is reviewed to understand the mission objectives.
Registration:
– Potential threats are described, and the points where a failure affects C, I and A are stated.
– System criticality and the acceptable risk for the system in meeting the mission responsibilities are defined.
– System criticality should consider the impact if the system were not operational (loss of life from system failure, inability to meet contingencies, impact to credibility, and danger to national security). System criticality will affect the level of risk that is acceptable.
– The certifier reviews this and, upon the agreement of the players, develops the draft SSAA and gives it to the DAA.
Phase 1: Risk Management (contd)
Negotiation:
– A Certification Requirements Review is performed and the players agree on the security requirements, the level of effort and the schedule.
– Finally, after DAA approval, the system is checked to see whether it is ready for Phase 2.
Phase 2: Verification (flow figure)
Elements: Phase 1 Definition (A), SSAA, System Development, Certification Analysis, Pass? (No/Yes), Ready for Certification? (No/Yes), Phase 3 Validation
Phase 2: Risk Management
SSAA refinement: if there has been a significant time delay since the completion of Phase 1, or if new people are involved in the C&A process, the SSAA should be reviewed in detail.
System development: verifies that the requirements in the SSAA are met in the evolving system before it is integrated into the operating environment.
Phase 2 (contd)
Certification analysis:
– Vulnerability assessment: the security vulnerabilities and residual risk are evaluated, and countermeasures are recommended by the certifier.
– Output: a vulnerability assessment report is prepared by the program manager.
– The certifier checks whether the system is ready for certification.
– The DAA reviews the system for compliance with the SSAA.
Phase 3: Validation (flow figure)
Elements: SSAA, Certification Evaluation of Integrated System, Develop Recommendation, Certify System? (Yes/No), Accreditation Granted? (Yes: Phase 4 Post Accreditation; No: A, back to Phase 1 Definition)
Phase 3: Risk Management
Security Test and Evaluation: ST&E is done by the certifier to provide sufficient evidence of the amount of residual risk.
Risk management overview:
– Assessing the overall system security design and threats
– Ensuring that risks to C, I and A are acceptable
For each risk, a statement is made by the certifier to accept the risk, reject the risk, or perform modifications.
The certifier issues the system certification.
Phase 3: Risk Management (contd)
The certifier may do one of the following:
– Recommend that the IS not be accredited
– Recommend that the IS be accredited
– Uncover security deficiencies, but continue to believe that short-term system operation is within the bounds of acceptable risk
In the last case the certifier may recommend an Interim Approval to Operate (IATO), with the understanding that the deficiencies will be corrected in a time period specified by the DAA.
Phase 4: Post Accreditation (flow figure)
Elements: SSAA, System Operation, Compliance Validation, Validation Req'd? (No/Yes), Change Required? (No/Yes: Phase 1 Definition)
Phase 4: Risk Management
System operations: analyze known threats and new threats to see whether the system still protects against all of them.
– The user representative oversees system operation and reports threats, vulnerabilities or any security incidents.
– The program manager reports changes in threats.
Compliance validation: ensures that the IS complies with the security requirements and the threat assessment.
Phase 4 (contd)
ISSO:
– reviews the mission statement periodically
– maintains integrity and initiates C&A if necessary
The DAA reviews the proposed changes (changes in security policy, changes in IT mission).
C&A ends only with system termination.
Conclusion
– The IS risks may not be completely eliminated by the countermeasures and safeguards: residual risk (acceptable level).
– The Certification and Accreditation process is a continuous process.
Questions