Security/Risk management: Difference between revisions

Automated sync from https://github.com/mozilla/wikimo_opsec
(Automated sync from https://github.com/mozilla/wikimo_opsec)
Line 3: Line 3:
     <td style="min-width: 25em;">__TOC__</td>
     <td style="min-width: 25em;">__TOC__</td>
     <td style="vertical-align: top; padding-left: 1em;">
     <td style="vertical-align: top; padding-left: 1em;">
'''STATUS: READY'''
'''STATUS: NOT READY'''


The goal of this document is to help understanding how risk is handled by the Enterprise Information Security Team
The goal of this document is to help understanding how risk is handled by the Enterprise Information Security Team
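Review bot: the status flips from READY to NOT READY with no explanation in the page text or in the "Automated sync" edit summary; add a short note on what is pending so readers know why a previously ready document is now marked not ready. While editing line 3, "help understanding how risk is handled" is ungrammatical; suggest "help readers understand how risk is handled".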
Line 52: Line 52:
=== Standardized Levels ===
=== Standardized Levels ===


We measure risk, impact, probability, etc. based on a simple 4 levels scale [Risk_Management:Standard levels]. We
We measure risk, impact, probability, etc. based on a simple 4 level scale [Risk_Management:Standard levels]. We
use this to '''normalize''' risk measurements. Here's a summary on how it applies to risk.
use this to '''normalize''' risk measurements. Here's a summary on how it applies to risk.


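Review bot: "4 level scale" should be hyphenated as "4-level scale" since it is a compound modifier. Also, [Risk_Management:Standard levels] uses single brackets, which MediaWiki treats as the external-link form and renders as literal text rather than a wiki link; use [[Risk_Management:Standard levels]].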
Line 104: Line 104:
service. The higher the impact tied to a service, the more effective the security controls have to be. This ensure a
service. The higher the impact tied to a service, the more effective the security controls have to be. This ensure a
lower likelihood that the service will ever suffer the impact recorded, and thus lowers the service risk.
lower likelihood that the service will ever suffer the impact recorded, and thus lowers the service risk.
It also list the service risk assessed by an RRA, including impact and likelihood to different components.


Security controls are categorized by capability ("Inventory", "Vulnerability remediation", "Access control", "Data
Security controls are categorized by capability ("Inventory", "Vulnerability remediation", "Access control", "Data
recovery", etc.). This allows to also understand which security capabilities a service offers.
recovery", etc.). This allows to also understand which security capabilities a service offers.
* Current Capabilities Status: https://docs.google.com/spreadsheets/d/1qnjdWJiOleTLvWyeiW65gwnuElyRlMMIvvlFAnpPy3M/edit#gid=1307966807
* Open Risk Records: http://mzl.la/1EmxXSU
* Closed Risk Records: http://mzl.la/1EmxVdY


=== Impact ''data point'' ===
=== Impact ''data point'' ===
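Review bot: the three links (Current Capabilities Status, Open Risk Records, Closed Risk Records) and the sentence about the RRA-assessed service risk are removed without a replacement, so the page no longer tells the reader where risk records and the capabilities status live; if they moved, link to the new location, and if they were dropped because the spreadsheet and mzl.la short links were internal or unstable, say so in the edit summary. Two grammar points in the retained context: "This ensure a lower likelihood" should be "This ensures a lower likelihood", and "This allows to also understand" should be "This also shows".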
Line 133: Line 128:
|-
|-
| '''[Risk_management:Rapid_Risk_Analysis]'''
| '''[Risk_management:Rapid_Risk_Analysis]'''
| The likelihood recorded by the RRA is a best-effort metric that is gathered by asking standard questions. It generally
| The likelihood recorded by the RRA is a best-effort metric that is gathered by asking standard questions.It generally
catches high/maximum likelihood scenarios well, but is not accurate for medium/low scenarios. (i.e. an RRA low likelihood
catches high/maximum likelihood scenarios well, but is not accurate for medium/low scenarios.(i.e. an RRA low likelihood
may in fact be higher than estimated)
may in fact be higher than estimated)
|
|
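Review bot: the new revision drops the space after "questions." and "scenarios." ("questions.It", "scenarios.(i.e."), which looks like a sync artifact rather than an intended edit; restore the spaces. The link '''[Risk_management:Rapid_Risk_Analysis]''' uses single brackets, so it renders as literal text rather than a wiki link; use [[Risk_management:Rapid_Risk_Analysis]], and align the namespace capitalisation with the Risk_Management:Standard levels link earlier in the diff.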
Line 147: Line 142:
|-
|-
| '''Vulnerability data'''
| '''Vulnerability data'''
| Scanning results from the vulnerability management software. It is difficult to assess exposure through this mean. An
| Scanning results from the vulnerability management software. It is difficult to assess exposure through this mean.An
infrasec system user needs to be present. This also includes non-system vulnerabilities such as web application vulnerabilities.
infrasec system user needs to be present.
|
|
* MozDef, daily refresh via vmintgr.
* MozDef, daily refresh via vmintgr.
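Review bot: removing "This also includes non-system vulnerabilities such as web application vulnerabilities." narrows the stated scope of this data source to the host scan results refreshed via vmintgr; if web application findings still feed this data point, keep the sentence, and if they do not, say where they are tracked instead so the likelihood assessment does not silently lose that input. The space after "mean." is also dropped ("mean.An"), and "through this mean" should read "through this means" or "this way".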
Line 197: Line 192:
== Reference documents ==
== Reference documents ==


* http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf (Introduction to modern risk analysis)
* http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf
* http://www.iso.org/iso/home/standards/iso31000.htm
* http://www.iso.org/iso/home/standards/iso31000.htm
* https://en.wikipedia.org/wiki/ISO/IEC_27001
* https://en.wikipedia.org/wiki/ISO/IEC_27001
* http://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/
* http://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/
* https://www.sans.org/critical-security-controls/controls (version 5)
* https://www.sans.org/critical-security-controls/controls (version 5)
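Review bot: dropping "(Introduction to modern risk analysis)" from the FAIR link while keeping "(version 5)" on the SANS link leaves the reference list inconsistent; either keep a short annotation on every entry or on none. A one-line description per reference helps readers pick the right document, so keeping the annotations is the better option.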