Fluent Essays

Project 4: System Development or Application Assurance Step 13: Write the Risk Analysis/Supply Chain Threats/Mitigation Report Management is always interested in solutions, and Maria Sosa and the other executives at your company are no exception. In the case of cybersecurity, there are no absolute solutions to an ever-changing environment. However, there are steps to mitigation that might eliminate or minimize the results of certain vulnerabilities. This final step is to describe the mitigation strategies recommended as a result of all previous steps in the project. The final report for the executive meeting should be five to seven pages, only one to two of which will have to be written in this step. The remainder is from all the previous steps in the project. Use the Supply Chain Risk Mitigation Final Report Template to submit your specific testing and validation procedures. Check Your Evaluation Criteria Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title. 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment. 1.5: Use sentence structure appropriate to the task, message and audience. 2.4: Consider and analyze information in context to the issue or problem. 9.4: Software Security Assurance: Demonstrate secure principles, methods, and tools used in the software development life cycle. 9.5: Software Security Assurance: Describe the cybersecurity implications related to procurement and supply chain risk management. Submission for Project 4: Supply Chain Risk Mitigation Final Report Project 4: Supply Chain Risk Mitigation Report Template In this report, use applicable systems, tools, and concepts to minimize risks to an organizations cyberspace and prevent cybersecurity incidents. Maria and the other executives at your organization will be looking for a final report that applies security principles, methods, and tools to the software development life cycle. They are also seeking your ideas and recommendations concerning any potential cybersecurity implications related to procurement and supply chain risk management. Supply Chain Risk Mitigation Final Report (five to seven pages using this template.) The report should include the following components: The headings for the report are: · Title Page · Include: · for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document · Table of Contents · with all sections · Overview · Include: · introduction and purpose of the report · Vulnerable Software Assessment (one-column table from Step 1) · Comprehensive list of application software that could present vulnerability concerns in regards to supply chain or acquisition issues along with a short description of how you determined which software should be on the list. · Procurement Policy List and Testing Recommendations (Template in Discussion area) · Policies of concern and specific procedures to test them (4 questions provided in template. Students need to provide testing recommendation for these 4 questions plus an additional 8 questions and test steps for a total of 12) · Supply Chain Cyber Security Risk (two- to three-page report, Step 9) · Include: · identified cybersecurity risks in the procurement process of the supply chain · Provide Concerns and security recommendations. · Acquisition Alignment (one-page report: Step 10) · Include: · recommendations for alignment of the supply chain processes from start to ongoing maintenance. · Software Risk Mitigation Recommendations (two- to three-page report, Step 12) · Include: · proposed software risk mitigation recommendations Template for Project 4, Steps 2-6 Procurement Policy Concerns Specific Testing Recommendation to Address Each Policy Concern Does the vendor provide any cybersecurity certifications with the product? Inspect evidence provided by the vendor such as EAL certification or ISO certifications. Does the vendor provide access to the source code for the product? Are there other security issues in source code to be addressed? What is the guaranteed frequency of security updates to be provided for the product? What is the implementation process for software updates/upgrades? Characteristics of Graduate Study A number of you may be new to study at the graduate level. The table below outlines some of the differences in expectations between graduate and undergraduate and may help you to properly manage your time and prepare your assignments. Characteristics of Undergraduate Study Characteristics of Graduate Study Coursework focus requires study of information and material in general education courses as well as specialized courses in a particular field. Coursework focus is on specific field/specialization/narrowed area of information to facilitate the development of expertise in a particular topic. The goal of learning is to become more knowledgeable about information that is already known or has already been developed. Critical-thinking skills begin to develop as students begin solving problems, questioning ideas, and making generalizations. The goal of learning is to contribute to and expand upon existing knowledge, and to identify new thinking, methodologies, perspectives, and practices that can contribute to the field. Critical-thinking skills evolve as students begin analyzing and classifying information, challenging ideas, and identifying assumptions. Post-collegiate goals include entering/joining a particular career field to acquire basic knowledge and understanding of that field. Post-collegiate goals include leading and mastering a professional career field to bring new enhancements to or to advance that field. Students approaches to coursework and learning outcomes are largely framed by instructors. Students rely heavily upon faculty for guidance and instruction (e.g., exam preparation, what to study, how to study, etc.). Students coursework is evaluated by faculty. Students are expected to be independent learners. Approaches to coursework and learning are largely framed by the students themselves. Faculty members serve as facilitators of course content and evaluate student performance. Students may also be involved in the evaluation of their peers performance. On average, students are expected to devote to outside study 10–15 hours per week for all courses combined (study time will depend upon major and other personal study needs). Similarly, students are encouraged to adopt behaviors that help them strike a balance among their academic and nonacademic pursuits. Graduate students should expect to devote at least three hours of outside study for every credit in which they are enrolled (e.g., for a 6-credit course, students are expected to study at least 18 hours per week). Similarly, there is an expectation that time will be spent outside of assigned coursework to enhance professional development. Additionally, at the graduate level, time management goes beyond working to create balance among needs and interests. Time management requires the creation of clear priorities that align with academic goals. It is likely that decisions will be made to sacrifice certain interests, hobbies, and/or even other important commitments during graduate school. Expectations for independent research for a students major are rare and/or tied to a specific course. Students are expected to conduct research in their fields independently. Students commitment to scholarly research and/or participation in outside professional development experiences is central to their success. Students academic work is largely the result of their own independent efforts. In certain courses/majors, students may be expected to work on group projects for specific assignments; however, the majority of work is completed by students working on their own. Students academic work is largely the product of team discussion, collaboration, and/or consultation with their peers. An important outcome of the graduate student experience is the demonstration of students ability to work successfully and inclusively across diverse teams. Students may continue in coursework, remain enrolled toward degree progress, and graduate from their institutions/complete their majors when their GPAs fall below 3.0. The minimum GPA for continued enrollment is 3.0. Graduate students who fall below this GPA are immediately placed on academic probation and are at risk for dismissal from their programs. Compromises of academic integrity are perceived to have an impact on the individual and the course. Compromises of academic integrity are perceived to have individual, academic, and career ramifications, as students are developing work to impact and advance a particular profession. Security 101 Hank N. Williams, PMP, CISSP, CISM, GLEG 1 Information Security 101 2 3 Information systems security is the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. Source: National Security Telecommunications and Information Systems Security Committee (NSTISSC) NSTISSI No. 4009 National Information Systems Security (INFOSEC) Glossary, 26 April 2010 Information Systems Security 4 • A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. – Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. Source: National Security Telecommunications and Information Systems Security Committee (NSTISSC) NSTISSI No. 4009 National Information Systems Security (INFOSEC) Glossary, 26 April 2010 Information Systems 5 C-I-A Triad The C-I-A Triad are security goals that are utilized to determine the security classification of the system and corresponding security controls. 6 Confidentiality • “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] • A loss of confidentiality is the unauthorized disclosure of information. • Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization. 6 7 Integrity • “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] • A loss of integrity is the unauthorized modification or destruction of information. • Continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. 7 8 Availability • “Ensuring timely and reliable access to and use of information…” [44 U.S.C., SEC. 3542] • A loss of availability is the disruption of access to or use of information or an information system. • Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission. 8 9 Information systems security is the protection of information systems against unauthorized access (confidentiality) to or modification of (integrity) information, whether in storage, processing or transit, and against the denial of service (availability) to authorized users, including those measures necessary to detect, document, and counter such threats. Source: National Security Telecommunications and Information Systems Security Committee (NSTISSC) NSTISSI No. 4009 National Information Systems Security (INFOSEC) Glossary, 26 April 2010 Information Systems Security 10 Key Risk Management Terms • Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. – Vulnerabilities may exist at any point in the enterprise. Personnel, facilities, software, hardware, network components, and documentation are examples of vulnerability locations. 11 Key Risk Management Terms • Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. 12 Key Risk Management Terms • Threat Source – The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. – 4 Types • Adversarial • Accidental • Structural • Environmental 13 Key Risk Management Terms • Threat Types – ADVERSARIAL • Individual • Group • Organization • Nation-State 14 Key Risk Management Terms • Threat Types (continued) – ACCIDENTAL • User • Privileged User/Administrator 15 Key Risk Management Terms • Threat Types (continued) – STRUCTURAL • Information Technology (IT) Equipment • Environmental Controls • Software 16 Key Risk Management Terms • Threat Types (continued) – ENVIRONMENTAL • Natural or man-made disaster • Unusual Natural Event (e.g., sunspots) • Infrastructure Failure/Outage 17 Key Risk Management Terms • Attack – Type of incident involving the intentional act of attempting to bypass one or more security controls of an IS. – Also referred to as Attack Vectors – Examples include Phishing, Denial of Service, Hacking, etc. – Attacks are executed by Adversarial Threats. 18 Key Risk Management Terms • Security Incident Examples – Website is unavailable for 12 hours due to excessive web traffic. • Threat: Adversarial • Vulnerability: Lack of traffic management solution • Attack: Denial of Service Attack – Extended power outage at data center due to system wide blackout • Threat: Environmental • Vulnerability: Lack of backup power solution • Attack: No attack since it is not an intentional event. 19 Key Risk Management Terms • Likelihood of Occurrence – In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability. 20 Key Risk Management Terms • Impact – The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. Impact levels 21 • Low – The potential impact is low if—The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. – A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. Impact levels 22 • Moderate – The potential impact is moderate if—The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. – A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries. – Impact levels 23 • High – The potential impact is high if—The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. – A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. 24 Key Risk Management Terms • Risk – A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. 25 Key Risk Management Terms • Risk Assessment – The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated, potential impacts and unmitigated vulnerabilities. 26 Key Risk Management Terms So how do we determine risk? Threat x Vulnerability = Likelihood Likelihood x Impact = Risk Likelihood of Threat Event Initiation or Occurrence Likelihood Threat Events Result in Adverse Impacts Very Low Low Moderate High Very High Very High Low Moderate High Very High Very High High Low Moderate Moderate High Very High Moderate Low Low Moderate Moderate High Low Very Low Low Low Moderate Moderate Very Low Very Low Very Low Low Low Low Key Risk Management Terms • 4 courses of action to respond to risk – Risk Acceptance: No action – Risk Avoidance: Abort the activity that creates the risk – Risk Mitigation: Implementing the appropriate risk- reducing controls/countermeasures recommended from the risk management process. – Risk Sharing or Transfer: Shifting liability and responsibility to another organization. • Residual Risk: Portion of risk remaining after security measures have been applied. 27 28 Key Risk Management Terms • Defense in Depth – Information Security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. – The Onion Model 29 Key Risk Management Terms • What are some examples of Defense in Depth? – Policies – Perimeter Defense – IDS – GPOs – Anti-virus – ??? 30 Key Risk Management Terms • Countermeasures – Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards. 31 Risk Management Framework (RMF) • RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle and consists of 6 steps. – Step 1: Categorize the information system – Step 2: Select the baseline security controls – Step 3: Implement the security controls – Step 4: Assess the security controls – Step 5: Authorize information system operation – Step 6: Monitor the security controls • NIST SP 800-37 32 Risk Management Framework (RMF) The Risk Management Process 33 The Risk Management Process • Framing Risk – Risk Assumptions – Risk Constraints – Risk Tolerance – Priorities and tradeoffs 34 The Risk Management Process • Assessing Risk to identify: – Threats to organization – Vulnerabilities internal and external to organization – Harm (consequences/impact) – Likelihood 35 The Risk Management Process • Responding to Risk: – Developing alternative courses of action. – Evaluating the alternative courses of action. – Determining appropriate courses of action. – Implementing risk responses based on selected courses of action. 36 The Risk Management Process • Monitoring Risk: – Verify that planned risk response measures are implemented. – Determine the ongoing effectiveness of risk response measures. – Identify risk-impacting changes to organizational information systems and the environments in which the systems operate. 37 Multi-tiered Risk Management Approach 38 Multi-tiered Risk Management Approach • Tier One – Organization View – Governance – Risk Executive Function – Risk Management Strategy – Investment Strategies 39 Multi-tiered Risk Management Approach • Tier Two – Mission/Business Process View – Risk-Aware Mission/Business Processes – Enterprise Architecture – Information Security Architecture 40 Multi-tiered Risk Management Approach • Tier Three – Information Systems View – Integrating security into the SDLC 41 42 Questions?