Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group
|
|
- Dwight Stephens
- 5 years ago
- Views:
Transcription
1 Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Defence Research and Development Canada Recherche et développement pour la défense Canada Canada
2 Agenda Introduction Break Architectural Risk Analysis Break Risk Mitigation Continual Evaluation and Assessment Conclusion PAGE 2
3 Introduction Risk? The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. A function of the likelihood of a given threat-source s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk Management? The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Gary Stoneburner, Alice Goguen and Alexis Feringa, Risk Management Guide for Information Technology Systems, NIST, Special Publication PAGE 3
4 Introduction The three processes of Risk Management: Risk assessment (aka Risk analysis) Risk mitigation Evaluation and assessment Why? To forecast potential problems; Risk assessment Evaluation and assessment To develop and implement appropriate controls to avoid identified problems; To plan the actions to be taken if the controls go wrong, if uncontrolled identified problems arise (residual risk) and if unforeseen problems happen. Risk mitigation PAGE 4
5 Introduction Architectural Risk Analysis (ARA)? An adaptation of general Risk Assessment (Analysis), the first step of Risk Management. ARA and Risk Management in general are more an art than a science. Their processes are defined but practice and experience tailor them to the particular organization. PAGE 5
6 Introduction Going back to Risk Management, for IT systems, it must be integrated into the Software Development Life Cycle (SDLC) to be effective. The risk management methodology is (roughly) the same regardless of the SDLC phase for which the assessment is being conducted. PAGE 6
7 Introduction Phase 1: Initiation SDLC Phases Phase 2: Development or acquisition Phase 3: Implementation (in the environment) Phase 4: Operation and maintenance Phase 5: Disposal Support from Risk Management activities System risk identification System requirements incl. security System CONOPS Architecture design Coding practices e.g., security (CERT C, ISO C) Testing e.g., security testing Validation w.r.t. the requirements and operational environment Continual evaluation and assessment Proper disposal and system migration PAGE 7
8 Introduction Participation in the risk management process is the business of many key players in organizations, including senior managers, business operations and IT procurement managers, IT security program managers and computer security officers, IT administrators and trainers. PAGE 8
9 Break PAGE 9
10 Architectural Risk Analysis Architectural Architecture Risk documentation Analysis Step 1. System characterization One-page overview Step 2. Threat identification History of system attacks Sources of intelligence Step 3. Vulnerability identification Security testing results Step 4. Control analysis Planned controls Step 6. Impact analysis Threat statement Vulnerability statement List of controls Step 5. Attack likelihood determination Attack likelihood rating Impact rating Step 7. Risk determination Rated risks One-page overview Step 8. Control recommendations Step 9. Results documentation Recommended controls or modifications Architectural Risk Analysis Report PAGE 10
11 Step 1. System Characterization Architecture documentation Mostly design diagrams Questionnaires, on-site interviews, tools, Step 1. System characterization Update or create design diagrams (validate against operational system) Merge the views and abstract the design levels to produce a one-page overview (ambiguity analysis can help) One-page overview The basis for the entire architectural risk analysis PAGE 11
12 Software Architecture Recovery Tools When your architectural documentation is incomplete, outof-date or inexistent and when you have the source code, there are robust tools available to help. Refer to Philippe Charland s presentation. PAGE 12
13 Software Architecture Recovery Tools These tools are useful when you have the source code. When you only have the binary, there are currently two choices: 1. you use decompilers to generate source code of varying quality from the binary and then you use these tools or 2. you manually analyze the binary with the help of specialized tools to accelerate the process. These tools are useful to accomplish step 1 of the Architectural Risk Analysis process. When it comes to managing the whole process, a solution like KDM Workbench (seen during the tutorial) is more appropriate. PAGE 13
14 Step 2. Threat Identification One-page overview History of system attacks Sources of intelligence OPS, ASIC, Darknets/Blacknets, CAPEC, Security design patterns, STRIDE, SANS Top Cyber Security Risks, Step 2. Threat identification Misuse and abuse cases (add the time you take for use cases) Attack resistance analysis Distributed architectures, dynamic code generation and interpretation, APIs across stateless protocols, rich internet applications, service-oriented architectures, Threat statement Identifies threats, their level of motivation, their capacities and their likelihood OPS: Operations ASIC: All-Source Intelligence Centre CAPEC: Common Attack Pattern Enumeration and Classification, STRIDE: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege, PAGE 14
15 PAGE 15
16 Step 3. Vulnerability Identification One-page overview History of system attacks Sources of intelligence OPS, ASIC, Darknets/Blacknets, seven pernicious kingdoms, 19 deadly sins, OWASP Top 10, CWE, Open Source vulnerability database, CVE, questionnaires, on-site interviews, tools, Security testing results Assess evidences that controls are working properly Step 3. Vulnerability identification Underlying framework weakness analysis System s dependencies Ambiguity analysis (in requirements and design) Trust modeling (security zones) Data sensitivity modeling (privacy and integrity) Vulnerability statement Identifies vulnerabilities and their exploitability Seven pernicious kingdoms: Brian Chess and Gary McGraw s taxonomy, 19 deadly sins: Michael Howard s list, OWASP: Open Web Application Security Project, CWE: Common Weakness Enumeration, CVE: Common Vulnerabilities and Exposures, PAGE 16
17 PAGE 17
18 Step 4. Control Analysis One-page overview Planned controls Must be considered for future assessments Security testing results Assess evidences that controls are working properly Step 4. Control analysis Controls are technical or non-technical Controls are preventive or detective Ambiguity analysis (in requirements and design) Trust modeling (security zones) Data sensitivity modeling (privacy and integrity) List of controls Identifies current and future controls and their effectiveness PAGE 18
19 Step 5. Attack Likelihood Determination Threat statement Vulnerability statement List of controls Step 5. Attack likelihood determination No black magic: a function of threat and vulnerability likelihood, the latter being dependent on controls Ambiguity analysis (in requirements and design) Threat modeling (attack surface) Attack likelihood rating Identifies the likelihood of threats exercising vulnerabilities, that is, the likelihood of attack scenarios PAGE 19
20 Step 5. Attack Likelihood Determination Vulnerability likelihood Threat likelihood High Medium Low High High High Medium Medium High Medium Low Low Medium Low Low
21 Step 6. Impact Analysis One-page overview Step 6. Impact analysis Needs key players: senior management, business operations managers and IT security program managers Interviews Impacts can be measured quantitatively or qualitatively Examples: lost revenue, maintenance cost, loss of public confidence, Impact rating Identifies the magnitude of impacts PAGE 21
22 Step 7. Risk Determination Attack likelihood rating Impact rating Step 7. Risk determination Again, no black magic: a function of attack likelihood and impact Associates attacks with impacts Rated risks Identifies the risks with their associated levels PAGE 22
23 Step 7. Risk Determination Impact Attack likelihood High Medium Low High High High Medium Medium High Medium Low Low Medium Low Low
24 Step 8. Control Recommendations Rated risks Step 8. Control recommendations Risks prioritization (cost-benefit analysis) For each risk, recommend one or more new controls or system modifications that will eliminate or mitigate that risk and are appropriate to the organization s operations Recommended controls or modifications PAGE 24
25 Step 9. Results Documentation One-page overview Threat statement Rated risks Recommended controls or modifications Step 9. Results documentation A report that describes the architecture, the identified threats, the risks with their associated levels, exploited vulnerabilities and impacts, and the final recommendations on controls and modifications to implement Architectural Risk Analysis Report PAGE 25
26 Architectural Risk Analysis and Risk Management in Practice Cigital s ARA Methodology (seen during the tutorial and mapped on the processes presented here) Microsoft s STRIDE Threat Model (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege) Security Risk Management Guide Sun s Adaptive Countermeasure Selection Mechanism/Security Adequacy Review (ACSM/SAR) Discussed in Secure Coding: Principles and Practices, Mark G. Graff & Kenneth R. van Wyk, 2003, ISBN PAGE 26
27 Architectural Risk Analysis and Risk Management in Practice Department of Homeland Security Build Security In website, NIST s Recommended Security Controls for Federal Information Systems and Organizations, Special Publication Rev. 3, August DRAFT Managing Risk from Information Systems: An Organizational Perspective, Special Publication , April DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Special Publication Rev. 1, November Risk Management Guide for Information Technology Systems, Special Publication , July PAGE 27
28 Architectural Risk Analysis and Risk Management in Practice SEI s Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ISACA s Control Objectives for Information and Related Technology (COBIT) splay.cfm&tplid=55&contentid=7981 SEI: Software Engineering Institute ISACA: Information Systems Audit and Control Association PAGE 28
29 Break PAGE 29
30 Risk Mitigation A few options: Acknowledgment and research: acknowledge threats and vulnerabilities and research for controls to lower risk Risk limitation: lower or minimize risk by implementing controls Risk planning: prioritize (cost-benefit analysis, operational impact and feasibility), implement and maintain controls and plan for residual risk Risk avoidance: eliminate risk cause and/or consequence, if possible Risk transference: transfer risk to other party, e.g., purchase insurance Risk assumption: accept the potential risk (if at an acceptable level) PAGE 30
31 Continual Evaluation and Assessment Do not forget: Threats and the system change over time: risk management is ongoing and evolving! Plan for re-evaluation and re-assessment! PAGE 31
32 Conclusion Keys for success in ARA: Senior management s commitment Full support and participation of the IT team Competence of the risk analysis team: Architectural risk analysis process Threats and vulnerabilities (the attacker s perspective) System and controls (the defender s perspective) Support of the user community: Participation in risk analysis Compliance to controls Ongoing evaluation and assessment PAGE 32
33 PAGE 33
Software Architectural Risk Analysis (SARA): SSAI Roadmap
Software Architectural Risk Analysis (SARA): SSAI Roadmap Frédéric Painchaud DRDC Valcartier / Systems of Systems November 2010 Agenda Introduction Software Architectural Risk Analysis Linking to SSAI
More informationSoftware Architecture Risk Analysis (SARA): A Methodology to Assess Security Risks in Software Architectures, and an Application
Software Architecture Risk Analysis (SARA): A Methodology to Assess ABSTRACT Frédéric Painchaud Defence Research and Development Canada Valcartier 2459 de la Bravoure Road Québec, QC G3J 1X5 CANADA Frederic.Painchaud@drdc-rddc.gc.ca
More informationSecure Development Processes
Secure Development Processes SecAppDev2009 What s the problem? Writing secure software is tough Newcomers often are overwhelmed Fear of making mistakes can hinder Tend to delve into security superficially
More informationStandard: Risk Assessment Program
Standard: Risk Assessment Program Page 1 Executive Summary San Jose State University (SJSU) is highly diversified in the information that it collects and maintains on its community members. It is the university
More informationVulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.
Vulnerabilities To know your Enemy, you must become your Enemy. "The Art of War", Sun Tzu André Zúquete Security 1 Information security: Vulnerabilities & attacks threats Discouragement measures difficult
More informationIANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty
IANS Pragmatic Threat Modeling Michael Pinch, IANS Faculty Agenda What Is Threat Modeling? Who Should Be Considering Threat Modeling? Methodologies for Threat Modeling Common Pitfalls Introduction of IANS
More informationThreat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved
Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San
More informationThreat Modeling. SecAppDev Copyright 2010 KRvW Associates, LLC
Threat Modeling SecAppDev 2010 Design flaws are major Difficult and costly to fix post facto Too costly to fix? Often made because of false assumptions Trust models Underestimate attackers Naïveté Ignorance
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationTransportation Security Risk Assessment
Transportation Security Risk Assessment Presented to: Nuclear Waste Technical Review Board Presented by: Nancy Slater Thompson Office of National Transportation October 13, 2004 Salt Lake City, Utah Introduction
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationCYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun Reading This lecture [McGraw]: Ch. 7-9 2 Seven Touchpoints 1. Code review 2. Architectural
More information4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints
Reading This lecture [McGraw]: Ch. 7-9 CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun 2 Seven Touchpoints Application of Touchpoints
More informationGerman OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer
German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer Daimler Business Units German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer
More informationSoftware Security Touchpoint: Architectural Risk Analysis
Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized
More informationHow Threat Modeling Can Improve Your IAM Solution
How Threat Modeling Can Improve Your IAM Solution John Fehan Senior Consultant OpenSky Corporation October 2 nd, 2015 Agenda Evolution of Identity and Access Management (IAM) Solutions An sample IAM contextual
More informationCourses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X
4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss
More informationWhiteboard Hacking / Hands-on Threat Modeling. Introduction
Whiteboard Hacking / Hands-on Threat Modeling Introduction Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant Toreon Belgian OWASP
More informationThreat and Vulnerability Assessment Tool
TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...
More informationSoftware & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management
Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply
More informationIntegrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise
February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationThreat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017
Threat analysis Tuomas Aura CS-C3130 Information security Aalto University, autumn 2017 Outline What is security Threat analysis Threat modeling example Systematic threat modeling 2 WHAT IS SECURITY 3
More informationA Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management
A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management D r. J o h n F. M i l l e r T h e M I T R E C o r p o r a t i o n P e t e r D. K e r t z n e r T h
More informationSoftware Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting
Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting July 14 th 2010 Copyright 2010 - The OWASP Foundation Permission
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationSoftware Security Touchpoint: Architectural Risk Analysis
Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Cigital Founded in 1992 to provide software security and software quality professional services
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationHow to Underpin Security Transformation With Complete Visibility of Your Attack Surface
How to Underpin Security Transformation With Complete Visibility of Your Attack Surface YOU CAN T SECURE WHAT YOU CAN T SEE There are many reasons why you may be considering or engaged in a security transformation
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationSANS Institute , Author retains full rights.
Steven F Burns GIAC Security Essentials Certification (GSEC) Practical Assignment Version 1.4c Threat Modeling: A Process To Ensure Application Security January 5, 2005 Abstract This paper discusses the
More informationIS 2620: Developing Secure Systems. Lecture 2 Sept 8, 2017
IS 2620: Developing Secure Systems Building Security In Lecture 2 Sept 8, 2017 Recap: Trinity of trouble Three trends Connectivity Inter networked Include SCADA (supervisory control and data acquisition
More informationThreat Modeling Using STRIDE
Threat Modeling Using STRIDE By: Girindro Pringgo Digdo, M.T., CSX-F http://www.girindropringgodigdo.net/ girindigdo@gmail.com 1 About Dealing with Information Security Fields: VAPT Generate New Attack
More informationA Security Risk Analysis Model for Information Systems
A Security Risk Analysis Model for Information Systems Hoh Peter In 1,*, Young-Gab Kim 1, Taek Lee 1, Chang-Joo Moon 2, Yoonjung Jung 3, and Injung Kim 3 1 Department of Computer Science and Engineering,
More informationHow AlienVault ICS SIEM Supports Compliance with CFATS
How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal
More informationSTANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange
STANDARD INFORMATION SHARING FORMATS Will Semple Head of Threat and Vulnerability Management New York Stock Exchange AGENDA Information Sharing from the Practitioner s view Changing the focus from Risk
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationCybersecurity & Risks Analysis
Working Together to Build Confidence Cybersecurity & Risks Analysis Djenana Campara Chief Executive Officer Member, Object Management Group Board of Directors Co-Chair, System Assurance Task Force Cyber
More informationInformation Technology Branch Organization of Cyber Security Technical Standard
Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationRisk Assessment. The Heart of Information Security
Risk Assessment The Heart of Information Security Overview Warm-up Quiz Why do we perform risk assessments? The language of risk - definitions The process of risk assessment Risk Mitigation Triangle Lessons
More informationOWASP March 19, The OWASP Foundation Secure By Design
Secure By Design March 19, 2014 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this document
More informationPractical Guide to Securing the SDLC
Practical Guide to Securing the SDLC Branko Ninkovic Dragonfly Technologies Founder Agenda Understanding the Threats Software versus Security Goals Secure Coding and Testing A Proactive Approach to Secure
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationINFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU
INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR
More informationOctave Method Component. CobIT Method Component. NIST Risk Management Framework. Generic Security Design Model. Design Theory: Governance
Outline Security Methodology Richard Baskerville Security Method Design Theories Security Method Adaptation Basic Design Theory in Secure Information Systems Methodology TFO Assumed in Many Security Method
More informationCISM QAE ITEM DEVELOPMENT GUIDE
CISM QAE ITEM DEVELOPMENT GUIDE ISACA 2015. All Rights Reserved. 2 TABLE OF CONTENTS PURPOSE OF THE CISM QAE ITEM DEVELOPMENT GUIDE... 3 PURPOSE OF THE CISM QAE... 3 CISM EXAM STRUCTURE... 3 WRITING QUALITY
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationCloud Security Standards Supplier Survey. Version 1
Cloud Security Standards Supplier Survey Version 1 Document History and Reviews Version Date Revision Author Summary of Changes 0.1 May 2018 Ali Mitchell New document 1 May 2018 Ali Mitchell Approved Version
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationThreat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board
Threat Modeling Martin Knobloch martin.knobloch@owasp.org NL Chapter Board Global Education Committee Education Project Copyright The Foundation Permission is granted to copy, distribute and/or modify
More informationSecurity Attribute Evaluation Method
Security Attribute Evaluation Method Shawn A. Butler May 2003 CMU-CS-03-132 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Thesis Committee Mary Shaw (chair) Bill Scherlis Jeannette
More informationCyberspace : Privacy and Security Issues
Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017 Agenda Cyberspace Privacy
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationIS 2620: Developing Secure Systems. Building Security In Lecture 2
IS 2620: Developing Secure Systems Building Security In Lecture 2 Jan 30, 2007 Software Security Renewed interest idea of engineering software so that it continues to function correctly under malicious
More informationMIS Class 2. The Threat Environment
MIS 5214 Class 2 The Threat Environment Agenda In the News Models Risk Hackers Vulnerabilities Information System Categorization Risk Assessment Exercise Conceptual Modeling and Information Systems In
More informationInformation Security Policy
Document title: [ Information Security Policy May 2017 ] Approval date: [ May 2017 ] Purpose of document: [ To define AUC s information security program main pillars and components] Office/department responsible:
More informationProtecting the Nation s Critical Assets in the 21st Century
Protecting the Nation s Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory OPM. Anthem BCBS. Ashley Madison. 2 Houston, we have a problem. Complexity.
More informationApplication Security Design Principles. What do you need to know?
Application Security Design Principles What do you need to know? Anshu Gupta Bio Director of Information Security at HelloSign, a leading esignature company. Served as a trusted advisor on information
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA
Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify
More informationInformation Security Risk Strategies. By
Information Security Risk Strategies By Larry.Boettger@Berbee.com Meeting Agenda Challenges Faced By IT Importance of ISO-17799 & NIST The Security Pyramid Benefits of Identifying Risks Dealing or Not
More informationRisk Assessment: Key to a successful risk management program
Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008 Learning Objectives Define risk assessment Why complete a risk assessment
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationBusiness Risk Management
slide 1 Business Risk Management Agenda slide 2 Business Risk Management Overall Issues Risk Defined Approach BRM Structure Business Operations & Critical Functions Asset Identification and Vulnerability
More informationAssurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant
Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -
More informationA New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO
A New Cyber Defense Management Regulation Ophir Zilbiger, CRISC, CISSP SECOZ CEO Personal Background IT and Internet professional (since 1992) PwC (1999-2003) Global SME for Network Director Information
More informationTool-Supported Cyber-Risk Assessment
Tool-Supported Cyber-Risk Assessment Security Assessment for Systems, Services and Infrastructures (SASSI'15) Bjørnar Solhaug (SINTEF ICT) Berlin, September 15, 2015 1 Me Bjørnar Solhaug Bjornar.Solhaug@sintef.no
More informationCyber Criminal Methods & Prevention Techniques. By
Cyber Criminal Methods & Prevention Techniques By Larry.Boettger@Berbee.com Meeting Agenda Trends Attacker Motives and Methods Areas of Concern Typical Assessment Findings ISO-17799 & NIST Typical Remediation
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationAdvanced IT Risk, Security management and Cybercrime Prevention
Advanced IT Risk, Security management and Cybercrime Prevention Course Goal and Objectives Information technology has created a new category of criminality, as cybercrime offers hackers and other tech-savvy
More informationThreat Modeling For Secure Software Design
Threat Modeling For Secure Software Design 2016 Central Ohio InfoSec Summit March 29, 2016 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer
More informationProcurement Language for Supply Chain Cyber Assurance
Procurement Language for Supply Chain Cyber Assurance Procurement Language for Supply Chain Cyber Assurance Introduction For optimal viewing of this PDF, please view in Adobe Acrobat. This document serves
More informationPublic Safety Canada. Audit of the Business Continuity Planning Program
Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationCybersecurity Technical Risk Indicators:
Cybersecurity Technical Risk Indicators: A Measure of Technical Debt Joe Jarzombek, CSSLP, PMP Global Manager, Software Supply Chain Solutions Synopsys Software Integrity Group Previously Director, Software
More informationRethinking Information Security Risk Management CRM002
Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design
More informationISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo
ISC2 Exam Questions CAP ISC2 CAP Certified Authorization Professional Version:Demo 1. Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose
More informationSecurity Methodology
Security Methodology Richard Baskerville Georgia State University 1 Outline PSecurity Method Design Theories PSecurity Method Adaptation 2 Basic Design Theory in Secure Information Systems Methodology
More informationTerms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course
Terms, Methodology, Preparation, Obstacles, and Pitfalls Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/
More informationThe Open Group. Cybersecurity Risk Management
The Open Group Cybersecurity Risk Management About The Open Group Leading international standards organization, with over 400 members worldwide, and tens of thousands of participants, UNIX, TOGAF, EA Jim
More information13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato
13th Florence Rail Forum: Cyber Security in Railways Systems Immacolata Lamberti Andrea Pepato November 25, 2016 Cyber Security context and Cyber Attacks trend Critical Infrastructures (CIs) are both physical
More informationAboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.
Aboriginal Affairs and Northern Development Canada Internal Audit Report Summary Audit of Information Technology Security Prepared by: Audit and Assurance Services Branch April 2015 NCR#7367040 - NCR#7358318
More informationSupply Chain Information Exchange: Non-conforming & Authentic Components
Supply Chain Information Exchange: Non-conforming & Authentic Components Joe Jarzombek Director for Software and Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Agenda Purpose
More informationThe checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.
3 Design The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you. Data oriented design requirements Minimise and
More informationPort Facility Cyber Security
International Port Security Program Port Facility Cyber Security Cyber Security Assessment MAR'01 1 Lesson Topics ISPS Code Requirement The Assessment Process ISPS Code Requirements What is the purpose
More informationNIST Special Publication
DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology
More informationIoT & SCADA Cyber Security Services
RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au
More informationOperational Risk Management: Major Processes and Assignments
Operational Risk Management: Major Processes and Assignments Gabriel Andrade Deputy-Head of the Risk Management Department 19 September 2017 Cambridge Agenda 1. ORM Framework Operational Risk Operational
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationJust How Vulnerable is Your Safety System?
Theme 3: Cyber Security Just How Vulnerable is Your Safety System? Colin Easton MSc, CEng, FInstMC, MIET, ISA Senior Member TUV Rhienland FS Senior Expert PHRA & SIS 6 th July 2017 1 Safety System Security
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More information