Focuses on information security assessments required for federal IT systems. Share ideas, practices, and independent consultant references.
DHS Risk Assessment plan
August 28, 2009 at 10:43 am
News Story from Next.gov
DHS and industry group release plan for evaluating IT risk
By Jill R. Aitoro 08/27/2009
ATLANTA -- New recommendations released on Wednesday from the Homeland Security Department and a coalition of information technology firms provide tech developers and managers with a model for identifying and mitigating risk in IT solutions that serve companies in the critical infrastructure sector and other markets.
The IT Sector Baseline Risk Assessment evaluates threats to the primary functions of the IT sector: providing IT products and services; incident management capabilities; domain name services; Web-based content, information and communication services; and Internet routing, access and connection services. The next version of the assessment will address identity management more closely.
"The threats are becoming more sophisticated, sustained and determined, and the vulnerabilities are increasing as we continue to connect new and different devices to the network," said Robert Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks and executive member of the IT Sector Coordinating Council, which developed the assessment with DHS. "The ramifications have an impact that we need to pay greater attention to. This [assessment] maps these threats and vulnerabilities to the critical functions of the IT sector, to identify where gaps in protection exist and inform mitigation strategies."
The assessment was created as part of DHS' National Infrastructure Protection Plan, first developed under the Bush administration, which called upon different critical sectors to devise plans through public-private partnerships that address their unique characteristics and risks and suggest strategies to best mitigate those risks.
For example, risks associated with domain name services include a large-scale manmade denial-of-service attack that prevents access to the computer network, according to the IT risk assessment, and the mitigation strategy for that risk is to develop processes that ensure continuous monitoring and redundancy through backup capabilities. Risks associated with the manufacturing of products and services include weaknesses in the supply chain that allow viruses to be injected deliberately into software or firmware. The mitigation approach is to develop sourcing strategies that monitor the availability and quality of computer components and enforce timely response -- including product recalls -- when a security compromise is identified.
The second version of the assessment will include metrics that will help determine whether the mitigation strategies in place will improve the risk profile. No date has been set for the release of the next version.
"We don't just want another paperwork exercise; we want to measure whether we're actually reducing risk," Dix said.
Some security specialists questioned whether the risk assessment goes far enough to force public and private organizations to eliminate computer vulnerabilities.
"There are no actions required of industry or promised by industry -- except to write more reports and plans," said Alan Paller, director of the SANS Institute, a computer security training organization, who was in the early meetings to develop the assessment. "The industry groups were aware they could keep the government from asking industry to fix any of the security problems as long as they could point to a project where industry was going to help write a plan, or do an analysis of the problem."
Phil Reitinger, deputy undersecretary for DHS' National Protection and Programs Directorate, said the plan is a good start.
"It's a step forward, but it doesn't mean the problem is solved," he said in an interview with Nextgov. "The security environment is getting riskier; that makes it incumbent upon us to focus more on how we can make a difference -- to move from output-based metrics to outcome-based metrics. That's hard to do."
The Information Technology (IT) Sector provides both products and services that support the efficient operation of today’s global information-based society. These products and services are integral to the operations and services provided by other critical infrastructure and key resource (CIKR) sectors.
Threats to the IT Sector are complex and varied. In addition to the risks presented by natural hazards— such as catastrophic weather or seismic events—the IT Sector also faces threats from criminals, hackers, terrorists, and nation-states, all of whom have demonstrated a varying degree of capabilities and intentions to attack critical IT Sector functions. Additionally, manmade threats to the IT Sector are also rapidly evolving from simple automated worms and viruses to complex social engineering attacks that exploit known and unknown vulnerabilities in products and services developed by the IT Sector.
While existing security and response capabilities mitigate many of these threats, the IT Sector still faces Sector-wide risks to its ability to provide hardware, software, and services to other CIKR sectors. Due to the IT Sector’s high degree of interdependency with other CIKR sectors and the continuously evolving threat landscape, assessing vulnerabilities and estimating consequences is difficult. Therefore, these issues must be dealt with in a collaborative and flexible framework that enables the public and private sectors to enhance the resiliency and security of the critical IT Sector functions.
The IT Sector Baseline Risk Assessment evaluates risk to the IT Sector and focuses on critical IT Sector functions. The assessment methodology is not intended to be guidance for individual entities’ risk management activities. Instead, the IT Sector’s Baseline Risk Assessment is intended to provide an all-hazards risk profile that IT Sector partners can use to inform resource allocation for research and development and other protective program measures to enhance the security and resiliency of the critical IT Sector functions. By increasing the awareness of risks across the public and private sector domains, the Baseline Risk Assessment serves as a foundation for ongoing national-level collaboration to enhance the security and resiliency of the critical IT Sector functions.
Critical IT Sector Functions
• Produce and provide IT products and services
• Provide incident management capabilities
• Provide domain name resolution services
• Provide identity management and associated trust support services
• Provide Internet-based content, information, and communications services
• Provide Internet routing, access, and connection services
The risk assessment is a baseline of national-level risk since this is an initial effort to assess IT Sector risks across all six critical functions. The assessment addresses those operational or strategic risks to the IT Sector infrastructure that are of national concern based upon the knowledge and subject matter expertise of those participating in the Sector’s risk assessment activities. This assessment does not address all threat scenarios faced by IT Sector entities or their users and customers. As noted in the assessment, there are areas that require additional collaborative study and further review. The document also presents potential mitigation strategies. These potential strategies are the activities that could be considered for implementation; they are not intended to name or mandate the establishment or enhancement of specific public or private sector programs.