Transcript of slides: Tompkins, Information Assurance: Combining Analyses (SRA & BIA processes), ConSec'06
ConSec'06 1
Information Assurance: Combining Analyses
William Tompkins, CISSP, CBCP
September 2006
Slide 2
William Tompkins is Information Security Officer at Teacher Retirement System of Texas. He has more than 23 years of technical, managerial and consulting experience in information technology and more than 15 in information security. He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional.
He was the Manager of Texas Department of Transportation's Information Security Section and Project Manager of the Information Security Program, which was selected as Computer Security Program of the Year 1994 by CSI (Computer Security Institute).
Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama and Certification in Risk Management from University of Texas at Austin Division of Continuing Education.
Slide 3
By the end of this session you will be able to:
- Describe assessment differences and similarities
- Identify opportunities to combine SRA & BIA processes
Slide 4
Agenda
- Basic phases
- Leverage resources
- Similarities
- Differences
- Business priorities
Slide 5
Phases
- Assessment
- Development
- Implementation
- Maintenance/Testing
Slide 6
Program lifecycle (diagram on the slide; the Define/Update step recurs as the cycle repeats):
1. Define/Update Environment & Assets
2. Impact/Risk Analysis
3. Risk Management
4. Policy, Guidelines, Standards & Procedures
5. Design & Implementation
6. Administration
7. Monitoring, Testing & Audits
Slide 8
Leverage Resources
- Idea of a 'new' analysis
- Combining identical tasks
- Larger and smaller
Slide 9
Business Impact Assessment
To identify impacts of losing organizational resources:
- Initial
- Over a period of time
Slide 10
Security Risk Analysis
- Threats
- Vulnerability
- Impacts
- Countermeasures
Slide 12
Similarities
- Vulnerabilities
- Loss potential
- Risk reduction/mitigation
- Information sources
- Outside expertise
- Controls & safeguards
- Raises awareness
- Project management & questionnaires
Conceptual Differences
- Security Risk Analysis (SRA): "hard" decisions. To what lengths do we go to protect information resources?
- Business Impact Assessment (BIA): "softer" decisions. How long can we tolerate not having access to information resources (IR)?
Differences (SRA vs. BIA)

SRA: Weighs the losses to information resources in the absence of security controls against the cost of implementing the control.
BIA: Weighs the intolerable effects of the loss to the organization against the cost of reacting to the loss over time.

SRA: Evaluates vulnerabilities of an asset and probabilities of occurrence.
BIA: Evaluates the effect of an event over a period of time.

SRA: Specific threats and causes.
BIA: The cause of the threat is irrelevant.

SRA: Protective measures and countermeasures.
BIA: Recovery strategy.

SRA: How can we be proactive?
BIA: How are we going to react and recover?

SRA: Prevents and protects as much as is economical.
BIA: Provides information for an efficient and effective recovery plan.
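The following is an added example, not from the slides, that turns the SRA/BIA contrast above into working decision logic over one shared asset inventory (the "combining identical tasks" idea). Everything concrete in it is an assumption: the asset, threat, control and recovery-strategy figures are constructed; the SRA side uses an annualized expected-loss formula (probability x fraction of asset value), and the BIA side uses an impact that grows linearly with outage duration (the slide's "initial" impact plus an hourly rate). Note that the BIA functions never look at the threat list: the cause of the outage is irrelevant to them, exactly as the table states.

```python
"""SRA vs. BIA decision logic over one shared asset record (constructed example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                   # SRA: loss if the asset is fully lost (assumed figure)
    initial_impact: float          # BIA: immediate cost of losing access (assumed figure)
    hourly_impact: float           # BIA: additional cost per hour of outage (assumed figure)
    max_tolerable_outage_h: float  # BIA: outage beyond which the effect is "intolerable"


@dataclass(frozen=True)
class Threat:  # SRA input: a specific threat with its cause and likelihood
    name: str
    annual_probability: float
    loss_fraction: float  # fraction of asset value lost when the threat is realised


@dataclass(frozen=True)
class Control:  # SRA input: a preventive countermeasure and what it costs
    name: str
    annual_cost: float
    probability_reduction: float  # fraction of each threat's probability removed


@dataclass(frozen=True)
class RecoveryStrategy:  # BIA input: how fast we can react, and what that costs
    name: str
    recovery_time_h: float
    annual_cost: float


def expected_annual_loss(asset: Asset, threats: list) -> float:
    """SRA: sum of probability x loss over the specific threats to one asset."""
    return sum(t.annual_probability * t.loss_fraction * asset.value for t in threats)


def sra_control_decision(asset: Asset, threats: list, control: Control) -> dict:
    """SRA 'hard' decision: losses without the control vs. the cost of the control."""
    before = expected_annual_loss(asset, threats)
    reduced = [replace(t, annual_probability=t.annual_probability * (1 - control.probability_reduction))
               for t in threats]
    after = expected_annual_loss(asset, reduced)
    return {
        "loss_without_control": before,
        "loss_with_control": after,
        "control_cost": control.annual_cost,
        # Justified only if the loss avoided per year exceeds what the control costs per year.
        "justified": (before - after) > control.annual_cost,
    }


def bia_outage_impact(asset: Asset, hours: float) -> float:
    """BIA: effect of the loss over a period of time; the cause of the outage is irrelevant."""
    return asset.initial_impact + asset.hourly_impact * hours


def bia_strategy_decision(asset: Asset, strategies: list) -> Optional[RecoveryStrategy]:
    """BIA 'softer' decision: cheapest strategy that recovers before the outage becomes intolerable."""
    acceptable = [s for s in strategies if s.recovery_time_h <= asset.max_tolerable_outage_h]
    if not acceptable:
        return None  # no affordable way to react in time: escalate to management
    return min(acceptable, key=lambda s: s.annual_cost)


# Constructed sample inventory shared by both analyses (figures are illustrative only).
PAYROLL = Asset("payroll system", value=2_000_000.0, initial_impact=20_000.0,
                hourly_impact=5_000.0, max_tolerable_outage_h=24.0)
THREATS = [
    Threat("ransomware", annual_probability=0.10, loss_fraction=0.5),
    Threat("insider data tampering", annual_probability=0.05, loss_fraction=0.2),
]
OFFLINE_BACKUPS = Control("offline backups + restore drills", annual_cost=30_000.0,
                          probability_reduction=0.6)
STRATEGIES = [
    RecoveryStrategy("hot site", recovery_time_h=1.0, annual_cost=250_000.0),
    RecoveryStrategy("warm site", recovery_time_h=8.0, annual_cost=80_000.0),
    RecoveryStrategy("cold site", recovery_time_h=72.0, annual_cost=10_000.0),
]


def combined_assessment(asset: Asset, threats: list, control: Control, strategies: list) -> dict:
    """One pass over the shared asset record answering both questions."""
    return {
        "sra": sra_control_decision(asset, threats, control),
        "bia_impact_at_tolerance": bia_outage_impact(asset, asset.max_tolerable_outage_h),
        "bia_strategy": bia_strategy_decision(asset, strategies),
    }


if __name__ == "__main__":
    result = combined_assessment(PAYROLL, THREATS, OFFLINE_BACKUPS, STRATEGIES)
    print(result)
```

The SRA answer depends entirely on the threat list and changes when a threat's probability or a control's effectiveness changes; the BIA answer depends only on the asset's outage-impact profile and the recovery options, which is why the same asset inventory can feed both without the BIA team ever re-doing the threat work.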
Slide 23
Business priorities
- BIA is business-process focused, versus SRA's focus on individual applications?
- Management review: re-prioritize
- 'New' employee interview
- Buy-in: senior management, business process owners
Slide 24
Remember
- Be flexible
- Scope
- Communications
- Resources
Slide 25
Questions?
Slide 26
Thank You
William A. Tompkins, 512-542-6787
ConSec '06