Cyber Risk Management 800-39- Dr Ron Ross WebEX 04-12-2011[1]
8/7/2019 Cyber Risk Management 800-39- Dr Ron Ross WebEX 04-12-2011[1]
Cyber Security Risk Management:
A New and Holistic Approach
Understanding and Applying NIST SP 800-39
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
WebEx hosted by: Business of Security and Federal InfoSec Forum
April 12, 2011
Information technology is our greatest strength and at the same time, our
The Perfect Storm
Explosive growth and aggressive use of information technology.
Proliferation of information systems and networks with virtually unlimited connectivity.
Increasing sophistication of threat, including exponential growth rate in malware (malicious code).
Resulting in an increasing number of penetrations of information systems in the public and private sectors.
The Threat Situation
Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals.
Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.
Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property).
Potential for disruption of critical systems and services.
We expend far too many resources on back-end security (chasing the latest vulnerabilities and patching systems)
and far too few resources on front-end security (building information security into IT products and systems).
Red Zone Security
The New SP 800-39
Multi-tiered Risk Management Approach
TIER 1: Organization (Governance) (strategic risk focus)
TIER 2: Mission / Business Process (Information and Information Flows)
TIER 3: Information System (Environment of Operation) (tactical risk focus)
Implemented by the Risk Executive Function
Enterprise Architecture and SDLC Focus
Flexible and Agile Implementation
Characteristics of Risk-Based Approaches (1 of 2)
Integrates information security more closely into the enterprise architecture and system life cycle.
Promotes near real-time risk management and ongoing robust continuous monitoring processes.
Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions.
Characteristics of Risk-Based Approaches (2 of 2)
Links risk management activities at the organization, mission, and information system levels through a risk executive (function).
controls deployed within information systems.
Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation.
Risk Management Process
Diagram: Risk Framing at the center, surrounded by the Assess, Respond, and Monitor steps of the process.
Risk Framing
Establishing the context for how organizations manage information security risk.
Assumptions.
Constraints.
Risk tolerance.
Priorities and tradeoffs.
Applied across all three tiers: organization, mission, and information systems.
Risk Assessment
Identifying threats and vulnerabilities.
Determining risk.
Potential mission/business impact.
Likelihood of occurrence.
Determining uncertainty.
Risk Response
Developing risk response strategy.
Accept risk.
Reject risk.
Mitigate risk.
Share risk.
Transfer risk.
Developing, evaluating, deciding upon, and implementing courses of action to respond to risk.
Risk Monitoring
Verifying compliance.
Determining effectiveness of risk mitigation measures.
Identifying changes to information systems and environments of operation.
Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation.
Defense-in-Depth
Links in the Security Chain: Management, Operational, and Technical Controls
Risk assessment
Security planning, policies, procedures
Configuration management and control
Access control mechanisms
Identification & authentication mechanisms (biometrics, tokens, passwords)
Incident response planning
Security awareness and training
Security in acquisitions
Physical security
Personnel security
Security assessments and authorization
Continuous monitoring
Encryption mechanisms
Boundary and network protection devices (firewalls, guards, routers, gateways)
Intrusion protection/detection systems
Security configuration settings
Anti-viral, anti-spyware, anti-spam software
Smart cards
Adversaries attack the weakest link. Where is yours?
Defense-in-Breadth
Diagram: The Risk Executive Function (organization-wide risk governance and oversight) provides core missions / business processes, security requirements, and policy guidance. The Risk Management Framework (RMF) is applied to each information system, producing a Security Plan, a Security Assessment Report, a Plan of Action and Milestones, and Ongoing Authorization Decisions. Each information system implements system-specific controls and hybrid controls, and inherits common controls (security controls inherited by organizational information systems).
Joint Task Force Transformation Initiative: Core Risk Management Publications
NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (Completed)
NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)
Joint Task Force Transformation Initiative: Core Risk Management Publications
NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (Completed)
Guide for Conducting Risk Assessments: Projected May 2011 (Public Draft)
Contact Information
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, (301) 975-2489, [email protected]
Marianne Swanson, (301) 975-3293, [email protected]
Kelley Dempsey, (301) 975-2827, [email protected]
Pat Toth, (301) 975-5140, [email protected]
Arnold Johnson, (301) 975-3247, [email protected]
Web: csrc.nist.gov/sec-cert
Comments: [email protected]