SM05: Risk Analysis: A Comparison in Quantifying Asset Values, Threats, Vulnerabilities and Risk. Doug Haines Haines Security Solutions 9 April 2013
The Broad Picture

Learning Objectives
- Know the differences between quantitative and qualitative analysis
- Assess and select the methodology that serves you best
- Quantitative versus qualitative
- Comparing MSHARPP, CARVER and RAVA

Quantitative v. Qualitative

Qualitative analysis
- Relies on the individual's expertise
- Differs between individuals
- Not consistent over time
- Can work one-time or on an isolated basis

Quantitative analysis
- Doesn't rely on the individual's expertise
- Doesn't differ significantly between individuals
- Consistent over time
- Works especially well for multiple assets
Risk Management

Is not:
- Complete risk avoidance
- Developing the bunker or Ft Knox mentality

Is:
- Identifying all potential threat scenarios
- Accepting some level of risk

(Cartoon captions on the slide: "Is it over yet?" / "Can we come out now?")

Risk Analysis
Why is identifying and understanding risk so important?
- Maybe it's cheaper to replace than to repair
- Maybe a loss isn't so bad
- Maybe there really is no threat

Risk Analysis Results
- What am I protecting? (Asset)
- Protecting from what? (Threat)
- Am I in trouble? (Vulnerability)
- How much? (Risk)
- What can I do? (Countermeasures)
- At what cost? (Cost benefit)
- What should I do first? (Priorities)

Risk Analysis Team
- Stakeholder buy-in: must agree on asset value and priority
- Design Basis Threat (DBT): weapons characteristics, levels of protection
- Vulnerabilities
- MSHARPP & CARVER (not required for RAVA)
M-S-H-A-R-P-P

Background
- Primarily developed as a tool to assist asset owners in mitigating terrorist attacks
- Very adaptable
- Takes the perspective of the asset owner

MSHARPP factors
- Mission
- Symbolism
- History
- Accessibility
- Recoverability/Recuperability
- Proximity
- Population

MSHARPP Matrix (scores not recovered from the slide)

ASSET          M  S  H  A  R  P  P  TOTAL
Parking Lot
Shops
Parts Store
Sales Offices

MSHARPP: why it's important to have a different perspective

C-A-R-V-E-R

Background
- Developed as a tool for US Special Forces, Vietnam era
- Used to assess and determine value to military attackers
- From outside looking in

CARVER factors
- Criticality
- Accessibility
- Recoverability
- Vulnerability
- Effect on Population
- Recognizability

CARVER Matrix (scores not recovered from the slide)

ASSET          C  A  R  V  E  R  TOTAL
Parking Lot
Shops
Parts Store
Sales Offices

MSHARPP or CARVER?
MSHARPP: inside looking out vs. CARVER: outside looking in
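The slide leaves both matrices blank, so here is an added example (not from the presentation) that scores the same four assets on an MSHARPP matrix from the owner's perspective and on a CARVER matrix from the attacker's perspective, then shows where the two priority orders disagree. The assets and factor names are the slide's; every score is constructed, and the 1 to 5 scale per factor is an assumption, since the slides do not state one.

```python
"""Scoring the same assets on an MSHARPP (owner's view) and a CARVER
(attacker's view) matrix and comparing the resulting priority orders.

Added example, not part of the presentation. The assets and factor names
come from the slides; every score is constructed, and the 1-5 scale per
factor is an assumption (the slides leave the matrices blank)."""

MSHARPP = ("Mission", "Symbolism", "History", "Accessibility",
           "Recoverability", "Proximity", "Population")
CARVER = ("Criticality", "Accessibility", "Recoverability",
          "Vulnerability", "Effect on population", "Recognizability")
MIN_SCORE, MAX_SCORE = 1, 5   # assumed per-factor scale

# Constructed scores. Inside looking out: how much does the owner depend on it?
MSHARPP_SCORES = {
    "Parking Lot":   (1, 1, 1, 5, 4, 3, 4),
    "Shops":         (4, 2, 2, 3, 3, 3, 3),
    "Parts Store":   (5, 1, 1, 2, 1, 2, 1),
    "Sales Offices": (3, 4, 3, 3, 3, 4, 3),
}
# Constructed scores. Outside looking in: how attractive is it to an attacker?
CARVER_SCORES = {
    "Parking Lot":   (1, 5, 5, 5, 3, 4),
    "Shops":         (3, 3, 2, 3, 4, 4),
    "Parts Store":   (5, 2, 1, 2, 1, 1),
    "Sales Offices": (2, 3, 3, 3, 2, 3),
}


def total(scores, factors):
    """Row total for one asset; rejects rows that do not fit the matrix."""
    if len(scores) != len(factors):
        raise ValueError(f"expected {len(factors)} scores, got {len(scores)}")
    bad = [s for s in scores if not MIN_SCORE <= s <= MAX_SCORE]
    if bad:
        raise ValueError(f"scores outside {MIN_SCORE}..{MAX_SCORE}: {bad}")
    return sum(scores)


def rank(matrix, factors):
    """Assets ordered by total, highest first; ties broken by name."""
    totals = {asset: total(row, factors) for asset, row in matrix.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def disagreements(rank_a, rank_b):
    """Assets that land in a different position under the two matrices."""
    pos_a = {name: i for i, (name, _) in enumerate(rank_a)}
    pos_b = {name: i for i, (name, _) in enumerate(rank_b)}
    if pos_a.keys() != pos_b.keys():
        raise ValueError("both matrices must score the same assets")
    return sorted(name for name in pos_a if pos_a[name] != pos_b[name])


if __name__ == "__main__":
    owner = rank(MSHARPP_SCORES, MSHARPP)
    attacker = rank(CARVER_SCORES, CARVER)
    print("MSHARPP (owner):   ", owner)
    print("CARVER  (attacker):", attacker)
    print("Ranked differently:", disagreements(owner, attacker))
```

With these constructed scores the owner puts the sales offices first and the parking lot third, while the attacker's view puts the parking lot first; that divergence is the reason the slides argue for looking from both directions.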
Risk Analysis Vulnerability Assessment (RAVA)

How about both? Plus a cost-benefit tool, too!
- Prioritization list
- Implement countermeasures that will have the biggest risk reduction on the largest number of people first

MSHARPP + CARVER + Cost Benefit Analysis & Prioritization = RAVA

RAVA
- Developed by US Navy Naval Facilities Engineering Command (NAVFAC)
- As part of an overall FAA project
- Several other contractors
- Antiterrorism Services Branch (ASB)
- Success likelihood validated onsite

Threat Analysis
- Not all threats are created equal
- Assumes the attack will be successful
- Takes into account the likelihood of attack

Threat Value (example questions)

Local law enforcement capabilities:
- Well trained and equipped and ready to assist: 1
- Limited resources and not well trained: 3
- No local resources available: 5
Score: 5

Organized crime / gangs involved in thefts and/or theft rings are:
- Not in the geographic area: 1
- Known to be in the geographic area: 2
- Unknown if in the area: 3
- Known to be in the immediate vicinity: 6
Score: 3

Threat Value
- Initial Threat Likelihood (ITL) without adjustment = 0.65
- Final Threat Likelihood (FTL) with adjustment = 0.65
Threat likelihood and effectiveness are characterized as: Very Low, Low, Moderate, Elevated, Significant, Critical

Asset Analysis: what are we protecting?
- Facilities
- People
- Money
- Processes/systems

Asset Value

SME perceived probability of success (Ps) in accomplishing an attack:
- Low probability of success (<30%): 1
- Moderate possibility of success (30% to 85%): 30
- High probability of success (>85%): 70
Score: 70

SME perceived level of sophistication required to carry out a successful attack (weights not recovered from the slide):
- Aggressor would need paramilitary capability and have foreign country intelligence support
- Aggressor would need exceptional sophistication, have financial support and advanced ability to collect intelligence
- Aggressor would need some level of sophistication, have some financial support and have limited ability to collect intelligence
Score: (not recovered)

Asset Value: Target Analysis
- Asset Value to the Organization (AO) = 0.85
- Asset Value to the Threat (AT) = 0.70
- Total Asset Value (AV) = 0.78
The total asset value is the average of AO and AT ((0.85 + 0.70) / 2 = 0.775, shown rounded). It is characterized as: Very Low Importance, Low Importance, Moderate Importance, High Importance, Very High Importance
Vulnerability Analysis

Baseline: where you are today

Defense in depth
- Layer 1 (boundary perimeter)
- Layer 2 (internal boundary)
- Layer 3 (asset façade)
- Layer 4 (interior area)

Vulnerability Value, baseline (fields on the slide: Ref #, Question, answer values, Baseline Value, Optimized Value, Mitigation Category)

Layer 1: outermost perimeter (example: installation perimeter fence)
Question 1: Is the asset located on a defined (actual physical barrier) and controlled (not easily bypassed) installation or compound?
- YES (1.0)
- NO, or asset forms part of the perimeter (10.0)
(If you answer NO, select the highest baseline value for all questions in Layer 1 and then go on to Layer 2.)
Baseline Value / Optimized Value: not recovered from the slide; Mitigation Category: PS

Layer 2: dedicated asset perimeter/enclave (example: fence around an antenna array)
Question 1: Does the enclave perimeter barrier have lighting sufficient to detect movement (greater than 0.5 foot-candles)?
- YES (1.0)
- NO perimeter lighting, or NO defined and controlled enclave perimeter (3.0)
Baseline Value 3 / Optimized Value 3; Mitigation Category PS

Vulnerability Optimized: where you can be after implementing countermeasures
- The module is intuitive enough to discount countermeasures that won't produce a change in risk

Vulnerability Value, optimized (the same questions, after countermeasures)

Layer 1, Question 1 (as above): Baseline Value 10 / Optimized Value 1; Mitigation Category PS

Layer 2, Question 1: Does the enclave perimeter have lighting sufficient to detect movement along the perimeter (greater than 0.5 foot-candles for 25 feet on each side of the perimeter)?
- YES (1.0)
- NO perimeter lighting, or NO defined and controlled enclave perimeter (3.0)
Baseline Value 3 / Optimized Value 1; Mitigation Category PS
Risk Analysis
- Culmination of threat, asset and vulnerability (optimized)
- Determines the calculated value of risk to a specific target (asset) from a specific threat

Threat x Asset Value x Vulnerability = Risk Value

Risk Calculations

Analysis of risk reduction (baseline risk, optimized risk and % decrease columns not recovered from the slide; the last column is the risk reduction):

Threat     Baseline Risk  Optimized Risk  % Decrease  Reduction
Explosive  -              -               -           0.48
Standoff   -              -               -           0.34
Covert     -              -               -           0.49
Overt      -              -               -           0.45
Chem/Bio   -              -               -           0.50
Averages   -              -               -           0.44

Analysis of vulnerability reduction (baseline and optimized vulnerability columns not recovered; the last column is the vulnerability reduction):

Threat     Baseline Vulnerability  Optimized Vulnerability  Reduction
Explosive  -                       -                        0.58
Standoff   -                       -                        0.41
Covert     -                       -                        0.59
Overt      -                       -                        0.54
Chem/Bio   -                       -                        0.60
Averages   -                       -                        (not recovered)

(Charts on the slide: "Risk Level" per threat (Explosive, Standoff, Covert, Overt, Chem/Bio, Averages) comparing baseline and optimized risk, and "Vulnerability Level" per threat comparing baseline and optimized vulnerability; values not recoverable.)

Cost Benefit Analysis
(Diagram axes on the slide: Protection vs. Risk)
- Provides Cost Benefit Analysis (CBA)
- Is based on cost versus reduction in vulnerability and risk
- Helps determine if the countermeasure is worth spending the money on
- Allows decision makers to prioritize funding
- Address countermeasures that provide the greatest amount of risk reduction to the greatest number of personnel first
Cost Benefit Analysis

Baseline Risk | Optimized Risk | Risk Reduction (%) | Cost Benefit Ratio
(baseline, optimized and risk-reduction values not recovered from the slide) | 1,077

Notes:
1. Baseline = current condition without countermeasures being implemented.
2. Optimized = future condition with countermeasures being implemented.
3. Result of the RA equation measuring cost effectiveness. In general, the lower the number, the more cost effective the countermeasures are in mitigating the risks. Refer to the scaled matrix below for details.

Scaled Matrix for Cost Effectiveness (only the top bound survived extraction; the other ranges are not recovered):
- > 5001: not cost effective and should not be implemented
- (range not recovered): may not be cost effective
- (range not recovered): minimally cost effective
- (range not recovered): moderately cost effective
- (range not recovered): cost effective and should be implemented
- (range not recovered): extremely cost effective and should be implemented

Scale Matrix for Risk: Very Low, Low, Moderate, High, Very High

Cost Benefit Analysis: countermeasures

#  Description (short title)                   ROM Cost Estimate ($K)
1  Install perimeter fencing                   1,000
2  Increase lighting                           (not recovered)
3  Install electronic security system (CCTV)   10
4  Upgrade entry points                        4,000
5  Post guard (hours of darkness)              5,000
   Total                                       10,160
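The slides give the risk equation (Threat x Asset Value x Vulnerability), the rule that AV is the average of AO and AT, per-question baseline and optimized vulnerability scores, and a cost/benefit number where lower is better and anything above 5001 is not cost effective. The following added example (not the NAVFAC RAVA tool, and not code from the presentation) carries that arithmetic through for the two example questions and ranks a constructed countermeasure list. Two things are assumptions because the slides do not state them: each question's score is normalized by its own worst-case value and the questions are averaged into a 0 to 1 vulnerability, and the cost/benefit ratio is ROM cost in $K divided by risk reduction in percentage points.

```python
"""RAVA-style risk arithmetic: Threat x Asset Value x Vulnerability = Risk,
followed by the cost/benefit ranking the slides describe.

Added example, not the NAVFAC RAVA tool. Taken from the slides: asset value
is the average of AO and AT; each vulnerability question has a baseline and
an optimized score; a lower cost/benefit number is better and anything
above 5001 is not cost effective.  Assumptions (not on the slides): each
question is normalized by its own worst-case value and the questions are
averaged into a 0..1 vulnerability; the cost/benefit ratio is ROM cost ($K)
divided by risk reduction in percentage points.  All scores and costs below
are constructed."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Question:
    layer: int
    ref: str
    worst: float        # highest selectable value for this question
    baseline: float     # score today
    optimized: float    # score after countermeasures
    category: str = "PS"   # mitigation category, as labelled on the slides


def asset_value(ao: float, at: float) -> float:
    """Total asset value: average of value to the organization and to the threat."""
    return mean([ao, at])


def vulnerability(questions, optimized=False) -> float:
    """Assumed normalization: score / worst per question, averaged to 0..1."""
    vals = []
    for q in questions:
        score = q.optimized if optimized else q.baseline
        if not 1.0 <= score <= q.worst:
            raise ValueError(f"{q.ref}: score {score} outside 1.0..{q.worst}")
        vals.append(score / q.worst)
    return mean(vals)


def risk(threat: float, av: float, vuln: float) -> float:
    """The slides' equation: Threat x Asset Value x Vulnerability."""
    return threat * av * vuln


def risk_reduction(threat, av, questions):
    """(baseline risk, optimized risk, fractional reduction) for one threat."""
    base = risk(threat, av, vulnerability(questions))
    opt = risk(threat, av, vulnerability(questions, optimized=True))
    return base, opt, (base - opt) / base


NOT_COST_EFFECTIVE_ABOVE = 5001   # threshold from the slides' acceptance matrix


def cost_benefit_ratio(cost_k: float, reduction: float) -> float:
    """Assumed formula: $K per percentage point of risk removed; lower is better."""
    if reduction <= 0:
        return float("inf")   # no change in risk: can never be cost effective
    return cost_k / (reduction * 100)


def prioritize(countermeasures):
    """countermeasures: {name: (ROM cost $K, risk reduction fraction)}.
    Returns [(name, ratio, cost_effective)] with the best buy first."""
    rows = []
    for name, (cost_k, reduction) in countermeasures.items():
        ratio = cost_benefit_ratio(cost_k, reduction)
        rows.append((name, ratio, ratio <= NOT_COST_EFFECTIVE_ABOVE))
    return sorted(rows, key=lambda r: r[1])


# Constructed walk-through using the slides' Layer 1 / Layer 2 example questions.
QUESTIONS = [
    Question(1, "L1-Q1 defined and controlled compound", 10.0, 10.0, 1.0),
    Question(2, "L2-Q1 enclave lighting > 0.5 fc", 3.0, 3.0, 1.0),
]
THREAT = 0.65                    # FTL from the slides
AV = asset_value(0.85, 0.70)     # 0.775, shown as 0.78 on the slide
COUNTERMEASURES = {              # constructed costs and reductions
    "Install perimeter fencing": (1000, 0.30),
    "Install CCTV": (10, 0.02),
    "Post guard (hours of darkness)": (5000, 0.05),
    "Repaint lobby": (50, 0.0),
}

if __name__ == "__main__":
    base, opt, red = risk_reduction(THREAT, AV, QUESTIONS)
    print(f"baseline risk {base:.3f}, optimized risk {opt:.3f}, reduction {red:.1%}")
    for name, ratio, ok in prioritize(COUNTERMEASURES):
        print(f"{name:32s} ratio {ratio:8.1f}  cost effective: {ok}")
```

The "Repaint lobby" entry is the case the slides describe as a countermeasure that produces no change in risk: its ratio is infinite, so it sorts last and is flagged as not cost effective rather than silently dividing by zero.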
Cost Benefit Analysis

#  Countermeasure               ROM Cost Estimate ($K)   Average Cost Benefit
1  Install fence                1,000                    (not recovered)
2  Increase lighting            (not recovered)          (not recovered)
3  Install electronic security  (not recovered)          (not recovered)
4  Upgrade access points        4,000                    3,378
5  Post guard                   5,000                    4,472

Cost Benefit Analysis Acceptance Matrix (CBA values; the same bands as the scaled matrix for cost effectiveness above, from "> 5001: not cost effective and should not be implemented" down to "extremely cost effective and should be implemented"; the intermediate ranges are not recovered)

Instructions: populate columns 1 and 2. Reference the cost benefit ratio column using the Cost Benefit Analysis Acceptance Matrix at left.

Summary
- Quantitative is better than qualitative
- Don't go it alone / get help
- Variety of methods out there
- Choose the methodology that works best for you

Questions

Contact Information
Tel: (805)
Website:
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationipcgrid 2015 March 26, 2015 David Roop Director Electric Transmission Operations Dominion Virginia Power
Substation Security and Resiliency Update on Accomplishments thus far ipcgrid 2015 March 26, 2015 David Roop Director Electric Transmission Operations Dominion Virginia Power Dominion Profile Leading provider
More informationSurvey of Studies Development Plan (SDP) and Subject Matter Expert (SME) Process and Products. July 11, 2016
Survey of 217 219 Studies Development Plan (SDP) and Subject Matter Expert (SME) Process and Products July 11, 216 Survey period: /1/216 /17/216 14 Questions Respondents Designed by BOEM Office of Environmental
More informationSAND No C Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department
SAND No. 2012-1606C S 0 606C Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy s National Nuclear Security Administration
More informationCompliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations
VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW
More informationCYBER ASSISTANCE TEAM OVERVIEW BRIEFING
CYBER ASSISTANCE TEAM OVERVIEW BRIEFING By Mr. Derek Fleischmann Cyber Assistance Team Missile Defense Agency May 16, 2018 Agenda Introduction MDA CAT Operations MDA CAT Deployment Expectations Administrative
More informationCOUNTERING IMPROVISED EXPLOSIVE DEVICES
COUNTERING IMPROVISED EXPLOSIVE DEVICES FEBRUARY 26, 2013 COUNTERING IMPROVISED EXPLOSIVE DEVICES Strengthening U.S. Policy Improvised explosive devices (IEDs) remain one of the most accessible weapons
More informationCritical Infrastructure Protection for the Energy Industries. Building Identity Into the Network
Critical Infrastructure Protection for the Energy Industries Building Identity Into the Network Executive Summary Organizations in the oil, gas, and power industries are under increasing pressure to implement
More informationIndicate whether the statement is true or false.
Indicate whether the statement is true or false. 1. An intranet vulnerability scan starts with the scan of the organization's default Internet search engine. 2. Threats cannot be removed without requiring
More informationData-Driven Security
Chapter 1 Data-Driven Security In this chapter... Need for Data-Driven Security Security Metrics Data-Driven Assessments TAG's Risk Assessment Process Asset Identification Current Security Measures Threat
More informationSoftware-Defined Secure Networks. Sergei Gotchev April 2016
Software-Defined Secure Networks Sergei Gotchev April 2016 Security Trends Today Network security landscape has changed. CISOs Treading Water Pouring money into security, yet not any more secure - Average
More informationBrochure. Security. Fortify on Demand Dynamic Application Security Testing
Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationEuropean Responsible Care Forum. Security & Safe Maintenance
European Responsible Care Forum Security & Safe Maintenance Brussels, Thursday 7 April 2011 Mike Zeegers - Director Europe Agenda: History IMPROVE PROJECT To enhance Secure infrastructure Objective of
More informationL E C T U R E N O T E S : C O N T R O L T Y P E S A N D R I S K C A L C U L A T I O N
L E C T U R E N O T E S : C O N T R O L T Y P E S A N D R I S K C A L C U L A T I O N Revision Date: 7/31/2014 Time: 1 hour OBJECTIVES The following objectives are covered in this Lecture Note. These objectives
More informationEmergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:
Emergency Support Function #12 Energy Annex ESF Coordinator: Department of Energy Primary Agency: Department of Energy Support Agencies: Department of Agriculture Department of Commerce Department of Defense
More information