Cyber Risk Management 800-39- Dr Ron Ross WebEX 04-12-2011[1]


  • 8/7/2019 Cyber Risk Management 800-39- Dr Ron Ross WebEX 04-12-2011[1]

    1/20

    Cyber Security Risk Management: A New and Holistic Approach

    Understanding and Applying NIST SP 800-39

    Dr. Ron Ross
    Computer Security Division
    Information Technology Laboratory

    WebEx Hosted by: Business of Security and Federal InfoSec Forum

    April 12, 2011

    NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

    2/20

    Information technology is our greatest strength and at the same time, our

    3/20

    The Perfect Storm

    Explosive growth and aggressive use of information technology.

    Proliferation of information systems and networks with virtually unlimited connectivity.

    Increasing sophistication of threat, including exponential growth rate in malware (malicious code).

    Resulting in an increasing number of penetrations of information systems in the public and private sectors.

    4/20

    The Threat Situation

    Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals.

    Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.

    Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.

    Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property). Potential for disruption of critical systems and services.


    6/20

    We expend far too many resources on back-end security (chasing the latest vulnerabilities and patching systems) and far too few resources on front-end security (building information security into IT products and systems).

    7/20

    Red Zone Security

    8/20

    The New SP 800-39

    Multi-tiered Risk Management Approach. Implemented by the Risk Executive Function. Enterprise Architecture and SDLC Focus. Flexible and Agile Implementation.

    TIER 1: Organization (Governance)
    TIER 2: Mission / Business Process (Information and Information Flows)
    TIER 3: Information System (Environment of Operation)

    [Figure: the three tiers, with a strategic risk focus at Tier 1 and a tactical risk focus at Tier 3]

    9/20

    Characteristics of Risk-Based Approaches (1 of 2)

    Integrates information security more closely into the enterprise architecture and system life cycle.

    Promotes near real-time risk management and ongoing robust continuous monitoring processes.

    Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions.

    10/20

    Characteristics of Risk-Based Approaches (2 of 2)

    Links risk management activities at the organization, mission, and information system levels through a risk executive (function).

    controls deployed within information systems.

    Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation.

    11/20

    Risk Management Process

    [Figure: the four components of the risk management process: Risk Framing (Frame), Risk Assessment (Assess), Risk Response (Respond), and Risk Monitoring (Monitor)]

    12/20

    Risk Framing

    Establishing the context for how organizations manage information security risk: assumptions, constraints, risk tolerance, priorities and tradeoffs.

    Applied across all three tiers: organization, mission, and information systems.

    13/20

    Risk Assessment

    Identifying threats and vulnerabilities.

    Determining risk: potential mission/business impact and likelihood of occurrence.

    Determining uncertainty.

    14/20

    Risk Response

    Developing risk response strategy: accept risk, reject risk, mitigate risk, share risk, transfer risk.

    Developing, evaluating, deciding upon, and implementing courses of action to respond to risk.

    15/20

    Risk Monitoring

    Verifying compliance.

    Determining effectiveness of risk mitigation measures.

    Identifying changes to information systems and environments of operation.

    Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation.

    16/20

    Defense-in-Depth

    Links in the Security Chain: Management, Operational, and Technical Controls

    Risk assessment
    Security planning, policies, procedures
    Configuration management and control
    Access control mechanisms
    Identification & authentication mechanisms (biometrics, tokens, passwords)
    Incident response planning
    Security awareness and training
    Security in acquisitions
    Physical security
    Personnel security
    Security assessments and authorization
    Continuous monitoring
    Encryption mechanisms
    Boundary and network protection devices (firewalls, guards, routers, gateways)
    Intrusion protection/detection systems
    Security configuration settings
    Anti-viral, anti-spyware, anti-spam software
    Smart cards

    Adversaries attack the weakest link... where is yours?

    17/20

    Defense-in-Breadth

    [Figure. Elements shown: RISK EXECUTIVE FUNCTION (Organization-wide Risk Governance and Oversight), with inputs from Core Missions / Business Processes, Security Requirements, and Policy Guidance; the RISK MANAGEMENT FRAMEWORK (RMF); COMMON CONTROLS (Security Controls Inherited by Organizational Information Systems) and Hybrid Controls; multiple INFORMATION SYSTEMS, each with System-specific Controls and each producing a Security Plan, a Security Assessment Report, and a Plan of Action and Milestones that support Ongoing Authorization Decisions.]

    18/20

    Joint Task Force Transformation Initiative: Core Risk Management Publications

    NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (Completed)

    NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)

    NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)

    19/20

    Joint Task Force Transformation Initiative: Core Risk Management Publications

    NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (Completed)

    Guide for Conducting Risk Assessments (Projected May 2011, Public Draft)

    20/20

    Contact Information

    100 Bureau Drive, Mailstop 8930
    Gaithersburg, MD USA 20899-8930

    Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
    Administrative Support: Peggy Himes, (301) 975-2489, [email protected]
    Marianne Swanson, (301) 975-3293, [email protected]
    Kelley Dempsey, (301) 975-2827, [email protected]
    Pat Toth, (301) 975-5140, [email protected]
    Arnold Johnson, (301) 975-3247, [email protected]

    Web: csrc.nist.gov/sec-cert
    Comments: [email protected]