Gdestuynder (talk | contribs) (→Risk records (Security controls and capabilities): link RR and caps)
(Automated sync from https://github.com/mozilla/wikimo_opsec)
Line 3: | Line 3: | ||
<td style="min-width: 25em;">__TOC__</td> | <td style="min-width: 25em;">__TOC__</td> | ||
<td style="vertical-align: top; padding-left: 1em;"> | <td style="vertical-align: top; padding-left: 1em;"> | ||
'''STATUS: READY''' | '''STATUS: NOT READY''' | ||
The goal of this document is to help understanding how risk is handled by the Enterprise Information Security Team | The goal of this document is to help understanding how risk is handled by the Enterprise Information Security Team | ||
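Review bot: the right-hand column flips '''STATUS: READY''' to '''STATUS: NOT READY''' while the edit summary describes an automated sync from wikimo_opsec; confirm that the upstream source actually intends to demote the document's status rather than carrying a stale value, since readers rely on this flag to decide whether the process described is authoritative. On the unchanged context line, "help understanding how risk is handled" reads better as "help readers understand how risk is handled", which the sync could carry upstream.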
Line 52: | Line 52: | ||
=== Standardized Levels === | === Standardized Levels === | ||
We measure risk, impact, probability, etc. based on a simple 4 | We measure risk, impact, probability, etc. based on a simple 4 level scale [Risk_Management:Standard levels]. We | ||
use this to '''normalize''' risk measurements. Here's a summary on how it applies to risk. | use this to '''normalize''' risk measurements. Here's a summary on how it applies to risk. | ||
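Review bot: the added link `[Risk_Management:Standard levels]` uses single brackets, which MediaWiki treats as external-link syntax and renders literally when the target is not a URL; use double brackets, e.g. `[[Risk_Management:Standard levels|4 level scale]]`, so it resolves as an internal page link. Also check the title casing: the other link on this page is written `Risk_management:Rapid_Risk_Analysis` (lowercase "m"), and MediaWiki titles are case-sensitive after the first character, so one of the two will not resolve. "4 level scale" should be hyphenated as "4-level scale".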
Line 104: | Line 104: | ||
service. The higher the impact tied to a service, the more effective the security controls have to be. This ensure a | service. The higher the impact tied to a service, the more effective the security controls have to be. This ensure a | ||
lower likelihood that the service will ever suffer the impact recorded, and thus lowers the service risk. | lower likelihood that the service will ever suffer the impact recorded, and thus lowers the service risk. | ||
Security controls are categorized by capability ("Inventory", "Vulnerability remediation", "Access control", "Data | Security controls are categorized by capability ("Inventory", "Vulnerability remediation", "Access control", "Data | ||
recovery", etc.). This allows to also understand which security capabilities a service offers. | recovery", etc.). This allows to also understand which security capabilities a service offers. | ||
=== Impact ''data point'' === | === Impact ''data point'' === | ||
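Review bot: both columns of this hunk are identical, yet the next hunk header moves from "Line 133" to "Line 128", so five lines were removed somewhere in this region without appearing in the visible diff; verify that the deleted lines are the intended change and not content lost by the sync. Two style points on the unchanged context lines: "This ensure a lower likelihood" should be "This ensures a lower likelihood", and "This allows to also understand which security capabilities a service offers" reads better as "This also shows which security capabilities a service offers".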
Line 133: | Line 128: | ||
|- | |- | ||
| '''[Risk_management:Rapid_Risk_Analysis]''' | | '''[Risk_management:Rapid_Risk_Analysis]''' | ||
| The likelihood recorded by the RRA is a best-effort metric that is gathered by asking standard questions. It generally | | The likelihood recorded by the RRA is a best-effort metric that is gathered by asking standard questions.It generally | ||
catches high/maximum likelihood scenarios well, but is not accurate for medium/low scenarios. (i.e. an RRA low likelihood | catches high/maximum likelihood scenarios well, but is not accurate for medium/low scenarios.(i.e. an RRA low likelihood | ||
may in fact be higher than estimated) | may in fact be higher than estimated) | ||
| | | | ||
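Review bot: the right-hand column drops the space after the full stop in "questions.It generally" and "scenarios.(i.e. an RRA", which looks like a lossy sync rather than an intended edit; restore the spaces at the source so the sentence boundaries render. The parenthetical also belongs inside the sentence it qualifies: "... is not accurate for medium/low scenarios (i.e. an RRA low likelihood may in fact be higher than estimated)."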
Line 147: | Line 142: | ||
|- | |- | ||
| '''Vulnerability data''' | | '''Vulnerability data''' | ||
| Scanning results from the vulnerability management software. It is difficult to assess exposure through this mean. An | | Scanning results from the vulnerability management software. It is difficult to assess exposure through this mean.An | ||
infrasec system user needs to be present | infrasec system user needs to be present. | ||
| | | | ||
* MozDef, daily refresh via vmintgr. | * MozDef, daily refresh via vmintgr. | ||
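Review bot: same dropped space as in the previous hunk ("mean.An infrasec system user"); the added full stop after "present" is fine, but "through this mean" should read "through this means", and "An infrasec system user needs to be present" is ambiguous as written (a tooling prerequisite for reading the scan results, or a staffing requirement); say which.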
Line 197: | Line 192: | ||
== Reference documents == | == Reference documents == | ||
* http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf | * http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf | ||
* http://www.iso.org/iso/home/standards/iso31000.htm | * http://www.iso.org/iso/home/standards/iso31000.htm | ||
* https://en.wikipedia.org/wiki/ISO/IEC_27001 | * https://en.wikipedia.org/wiki/ISO/IEC_27001 | ||
* http://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/ | * http://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/ | ||
* https://www.sans.org/critical-security-controls/controls (version 5) | * https://www.sans.org/critical-security-controls/controls (version 5) |
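Review bot: the two columns of this hunk are identical, so whatever changed here is not visible in the rendered diff (most likely whitespace or a trailing newline from the sync); confirm nothing substantive was dropped. Separately, the SANS entry is annotated "(version 5)" but the URL points at the unversioned controls page, so the annotation will drift as the page is updated; link a versioned document if one is available.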