Tompkins, Information Assurance: Combining Analyses (SRA & BIA processes), ConSec'06

Transcript

Page 1:

ConSec'06 1

Information Assurance: Combining Analyses

William Tompkins, CISSP, CBCP, September 2006

Page 2: William Tompkins

William Tompkins is Information Security Officer at Teacher Retirement System of Texas. He has more than 23 years of technical, managerial and consulting experience in information technology and more than 15 in information security. He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional.

He was the Manager of Texas Department of Transportation's Information Security Section and Project Manager of the Information Security Program, which was selected as Computer Security Program of the Year 1994 by CSI (Computer Security Institute).

Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama and Certification in Risk Management from University of Texas at Austin Division of Continuing Education.

Page 3: By the end of this session you will be able to ...

- Describe assessment differences and similarities
- Identify opportunities to combine SRA & BIA processes

Page 4: Agenda

- Basic phases
- Leverage resources
- Similarities
- Differences
- Business priorities

Page 5: Phases

- Assessment
- Development
- Implementation
- Maintenance/Testing

Page 6: (Lifecycle diagram; the labelled stages are listed in order)

- Define/Update Environment & Assets
- Impact/Risk Analysis
- Risk Management
- Policy, Guidelines, Standards & Procedures
- Design & Implementation
- Administration
- Monitoring, Testing & Audits

Page 7: Agenda (section divider; repeats the agenda from Page 4)

Page 8: Leverage Resources

- Idea of 'new' analysis
- Combining identical tasks
- Larger _and_ smaller

Page 9: Business Impact Assessment

To identify impacts of losing organizational resources:

- Initial
- Over a period of time

Page 10: Security Risk Analysis

- Threats
- Vulnerability
- Impacts
- Countermeasures

Page 11: Agenda (section divider; repeats the agenda from Page 4)

Page 12: Similarities

- Vulnerabilities
- Loss potential
- Risk reduction/mitigation
- Information sources
- Outside expertise
- Controls & safeguards
- Raises awareness
- Project management & questionnaires

Page 13: Agenda (section divider; repeats the agenda from Page 4)

Page 14: Conceptual Differences

Security Risk Analysis (SRA): "Hard" decisions
Business Impact Assessment (BIA): "Softer" decisions

Page 15: Differences

SRA: To what lengths do we go to protect information resources?
BIA: How long can we tolerate not having access to IR?

Page 16: Differences

SRA: Weighs the losses of IR in the absence of security controls against the cost of implementing the control.
BIA: Weighs the intolerable effects of the loss to the organization against the cost of reacting to the loss over time.

Page 17: Differences

SRA: Evaluates vulnerabilities to an asset and probabilities of occurrence.
BIA: Evaluates the effect of an event over a period of time.

Page 18: Differences

SRA: Specific threats and causes.
BIA: Cause of threat is irrelevant.

Page 19: Differences

SRA: Protective measures and countermeasures.
BIA: Recovery strategy.

Page 20: Differences

SRA: How can we be proactive?
BIA: How are we going to react and recover?

Page 21: Differences

SRA: Prevents and protects as much as is economical.
BIA: Provides information for an efficient and effective recovery plan.
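An added example, not part of the presentation, showing the "combining identical tasks" idea from Page 8 against the differences on Pages 15 to 21: one shared asset record feeds both analyses, the SRA path weighs cause-specific expected loss against control cost, and the BIA path ignores cause and weighs loss accumulating over outage time against the cost of a recovery option. The expected-loss formula, the asset, threats, recovery options and all dollar figures are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    # One shared asset record feeds both analyses (the "identical task").
    name: str
    value: float                   # replacement / loss value, dollars
    outage_loss_per_hour: float    # BIA input: business loss while unavailable
    max_tolerable_outage_h: float  # BIA input: longest outage the business tolerates


@dataclass
class Threat:
    # SRA input: a specific cause with its probability and exposure factor.
    cause: str
    annual_probability: float
    exposure: float                # fraction of asset value lost per occurrence


def sra_decision(asset, threats, control_cost):
    """SRA: expected annual loss from named threats versus cost of the control.
    Returns (expected_loss, justified); justified is True when the control is
    cheaper than the loss it averts. Formula is a simple assumed ALE-style model."""
    expected_loss = sum(asset.value * t.exposure * t.annual_probability
                        for t in threats)
    expected_loss = round(expected_loss, 2)
    return expected_loss, control_cost < expected_loss


def bia_decision(asset, recovery_options):
    """BIA: cause is irrelevant. Reject options whose recovery time exceeds the
    tolerable outage, then pick the cheapest remaining one, where cost means
    option cost plus loss accumulated over its recovery time."""
    feasible = [o for o in recovery_options
                if o["rto_h"] <= asset.max_tolerable_outage_h]
    if not feasible:
        return None  # no recovery strategy meets the business requirement
    total = lambda o: o["cost"] + asset.outage_loss_per_hour * o["rto_h"]
    best = min(feasible, key=total)
    return best["name"], total(best)


# Constructed sample data (illustrative figures only).
PAYROLL = Asset("payroll system", 500_000, 2_000, 24)
THREATS = [Threat("ransomware", 0.10, 0.5), Threat("disk failure", 0.05, 0.2)]
RECOVERY = [{"name": "cold site", "cost": 5_000, "rto_h": 72},
            {"name": "warm site", "cost": 20_000, "rto_h": 12},
            {"name": "hot site", "cost": 80_000, "rto_h": 1}]

if __name__ == "__main__":
    print(sra_decision(PAYROLL, THREATS, control_cost=12_000))  # (30000.0, True)
    print(bia_decision(PAYROLL, RECOVERY))                        # ('warm site', 44000)
```

The cold site is rejected not because it is expensive but because a 72-hour recovery exceeds the tolerable outage, which is the BIA's "intolerable effect" test rather than the SRA's cost-benefit test.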

Page 22: Agenda (section divider; repeats the agenda from Page 4)

Page 23: Business priorities

- (BIA) business process focused -vs- (SRA) focus on individual applications?
- Management review... re-prioritize
- 'New' employee interview
- Buy-in: senior management, business process owners

Page 24: Remember

- Be flexible
- Scope
- Communications
- Resources

Page 25: Questions?

Page 26: Thank You

William A. Tompkins, 512-542-6787
[email protected]

ConSec '06