GSA Office of Emergency Response and Recovery
Risk Based Continuity Planning
Darren J. Blue, Director, Policy and Plans, Office of Emergency Response and Recovery
June 2009, GSA Expo
GSA EXPO 2009
Office of Emergency Response and Recovery 2
What is Risk Based Planning?
• The process of selecting and implementing countermeasures or mitigation strategies to achieve an acceptable level of risk at an acceptable cost
  – Risk Management and Continuity planning begins with the identification of critical assets (processes, functions, systems, information) that enable the execution of essential functions
• Once we ID these assets we then can work towards ensuring their resiliency.
Purpose
• Provides a systematic approach to acquiring and analyzing the information necessary to support decision makers in the allocation of scarce continuity resources to ensure the protection of critical assets and capabilities.
  – Structured process
  – Not an exact science.
Continuity: What's Changed?
• Old Think:
  – Warning of Event
  – Single Use Assets
  – Movement of people with data
  – Reliance on static plans
  – Not integrated into daily operations
  – Singular view of threat
  – Avoided Risk
• New Think:
  – No warning of attack or event
  – Dual Use Assets
  – Routine Geographic Dispersion of people, data and functions
  – Integrated into daily business operations
    • Capabilities based
  – Acknowledgment of diverse threats.
  – Increased reliance on IT Systems
  – Managed Risk
Risk Avoidance vs. Risk Management
• Risk Avoidance
  – Assumes an aggressive adversary in all scenarios
  – Counters ALL possible vulnerabilities
  – Responds based on worst-case scenarios
• Risk Management
  – Integrates the process of assessing the threat, the vulnerabilities, and the value of the asset to the owner
  – Weighs the risk of compromise/loss against the cost of mitigation strategies.
Risk Management at a Glance
[Diagram: (1) Assess Assets, (2) Assess Threats, (3) Assess Vulnerabilities, (4) Assess Risks, (5) Determine Countermeasure Options, Make RM Decisions; other diagram labels: Cost Analysis, Benefits Analysis, Monitor, Implement, Test & Eval]
Five Step Process
• 1: Identify Assets and Loss Impacts
• 2: Identify and Characterize the Threat to Specific Assets
• 3: Identify and Characterize Vulnerabilities
• 4: Assess Risks and Determine Priorities for Asset Protection
• 5: Identify Countermeasures, Costs and tradeoffs.
Step #1: Identify Assets and Loss Impacts
• Determine valued assets requiring protection
  – (assets = processes, functions, systems, critical staff)
• Identify undesirable events and expected impacts
  – (event leading to the loss, damage, consequence to the asset)
• Value/prioritize assets based on consequence of loss
  – (based on the definitions, rate the impact).
What is an Asset?
• Anything that has value to an essential function
  – People, information, facilities, special equipment, systems, process, workflow
• An asset may have value to an adversary that differs from its value to the owner
• Continuity planning endeavors to increase the resiliency of assets that enable the organization’s ability to perform its essential functions.
  – Focusing on the assets, processes, systems, key information, and critical staff that allow GSA to do its job and provide service and products to their customers.
• Critical - Indicates that interruption to the asset/function would have grave consequences leading to loss of life, serious injury, or mission failure (50-100)
• High - Indicates that interruption to the asset/function would have serious consequences resulting in loss of critical data, equipment, or facilities that could impair operations for a limited period of time (13-50)
• Medium - Indicates that interruption to the asset/function would have moderate consequences resulting in loss of highly critical data, equipment, or facilities that could impair operations for a limited period of time (3-13)
• Low - Indicates that interruption to the asset/function would have little or no impact on human life or continuity of operations (1-3).
Notional
Example
Columns: Critical Asset | Undesirable Event & Impact | Linguistic Rating | # Rating
Critical assets: People; Activities & Operations; Information; Equipment; Facilities
Undesirable events and impacts:
• Hazardous Weather: Loss of access
• Loss of Power: Loss of production
• Theft: Loss of critical assets
• Terrorism: Loss of life / productivity
• Disruption: Schedule setback
• Criminal activity: Unsettled employees
• Loss: Mission failure; degraded
• Poor OPSEC: Operational disclosure
• Unauthorized release: Capability disclosures
• Chemical Spill: Environment
Linguistic ratings, in extracted order: C, C, C, M, M, H, H, L, M, H
Step #2: Identify and Characterize the Threat to Specific Assets
• Identify threat categories and adversaries
• Assess intent of each adversary
• Assess capability of each adversary
• Determine frequency of past incidents
• Estimate threat relative to each critical asset.
What is a threat? vs. an adversary?
• What is a threat?
  – Any indication, circumstance, or event that can cause the loss of, damage to, or the denial of an asset
• Who is an adversary?
  – Any entity that conducts, or has the capability and intention to conduct, activities detrimental to interests or assets.
Types of threat
• Foreign Intelligence Services
  – Facility penetration
  – Non-access attack
  – Recruiting staff
• Terrorist Threats
  – Kidnapping
  – Bombing
  – Sabotage
  – CBRNE
• Natural Threats
  – Fire
  – Flood
  – Storms (wind, ice, snow)
  – Earthquake
• Criminal Threats
  – Fraud, theft, robbery
  – Arson
  – Vandalism
  – Computer hacking
• Insider Threats
  – Espionage
  – Misuse of equipment
  – Malicious acts by disgruntled staff
  – Work place violence
• Military Threats
  – War
  – Insurrection
  – State sponsored activities
Understanding the threat:
• INTENT
  – Goals
  – Motivation
• CAPABILITY TO ACT
  – Collection/action capability
  – Necessary skills/resources
• HISTORY
  – History of successful attacks
  – History of attempts
• Critical: Indicates that a definite threat exists against the assets and that the adversary has both the capability and intent to launch an attack, and that the subject or similar assets are targeted on a frequent or recurring basis.
• High: Indicates that a credible threat against the assets exists, based on our knowledge of the adversary’s capability and intent to attack the assets and based on related incidents having taken place at similar facilities.
• Medium: Indicates that there is a potential threat to the assets based on the adversary’s desire to compromise the assets and the possibility that the adversary could obtain the capability through a third party who has demonstrated the capability in related incidents.
• Low: Indicates little or no credible evidence of capability or intent, with no history of actual or planned threats against the assets.
Example
Example
Columns: Critical Asset | Undesirable Event / Impact | # Rating | Threat Category | Threat Rating
Critical assets: People; Activities & Operations; Information; Equipment; Facilities
Undesirable events and impacts:
• Hazardous Weather: Transportation problems
• Loss of Power: Loss of production
• Theft: Loss of computers
• Threat of Terrorism: Loss of production time
• Disruption: Schedule setback
• Criminal activity: Employee injury
• Loss: Mission failure
• Poor OPSEC: Operational disclosure
• Unauthorized release: Capability disclosures
• Chemical Spill: Facility closure
Threat categories, in extracted order: Terrorist; FIS / Insider; Insider; Criminal; Weather; Weather; Terrorist; Militant; Insider / FIS; Criminal
Ratings, in extracted order: C, H, H, M, M, H, M, H, M, L
Step #3: Identify and Characterize Vulnerabilities
• Identify vulnerabilities of specific assets related to undesirable events
• Identify existing countermeasures and their level of effectiveness in reducing vulnerabilities
• Estimate degree of vulnerability to each asset and threat
Step #4: Assess Risks and Determine Priorities for Asset Protection
• Estimate degree of impact relative to each valued asset
• Estimate likelihood of attack by a potential adversary
• Estimate likelihood that a specific vulnerability will be exploited
• Determine relative degree of risk
• Prioritize risks based on integrated assessment.
Assess the Risks
• Quantify the likelihood that an undesirable event will occur
• Determine the severity of the outcome of an undesirable event
• Prioritize the risks
Asset (Impact) x (.Threat x .Vulnerability) = Risk
[Diagram labels: Asset; Threat; Vulnerability; Impact of Unwanted Event; Likelihood; Risk]
Risk Assessment Formula
Impact (1-100) x (.Threat (0-1.0) x .Vulnerability (0-1.0)) = Risk
* You can build your own scale
Example
Columns: Critical Assets | Potential Undesirable Events | Asset Rating | Asset Value | Threat Rating | Threat Value | Vuln. Rating | Vuln. Value | Risk R / V
Critical assets: People; Information; Equipment; Facilities; Activities & Operations
Potential undesirable events:
• Terrorism: Loss of production
• Loss: Mission failure
• Unauth. Release: Disclosures
• Theft: Loss of computers
• Loss of Power: Loss of production
• Hazardous Weather: Trans. prob.
• Chemical spill: Closure of facility
• Disruption: Schedule setback
• Poor OPSEC: Disclosure
Sample row, as extracted: C H H ( # )*
Asset ratings, in extracted order: C, C, M, M, H, H, L, M, H
Threat and Vuln. ratings, in extracted order (columns run together): C, H, H, M, M, H, H, M, M, L, H, M, M, M, M, M, M, L, L
Risk ratings, in extracted order, each shown as rating plus "( # )*": H, M, L, L, L, L, M, L, M
All numeric value cells appear as "#" on the slide.
Step #5: Identify Countermeasures, Costs and tradeoffs
• Identify potential countermeasures or mitigation strategies to reduce Vulnerabilities and/or Threats and/or Impacts.
• Identify countermeasure or mitigation strategy benefits in terms of risk reduction
• Identify countermeasure or mitigation strategy costs
• Conduct countermeasure or mitigation strategy cost-benefit analyses
• Prioritize options and prepare a recommendation for decision maker
Countermeasure Costs and Benefits
• Countermeasures (mitigation strategies)
  – An action taken or a physical entity used to reduce or eliminate one or more Vulnerability and/or Threat and/or Impact.
• Cost-Benefit Analysis
  – The part of the process in which costs / benefits of countermeasure(s) are compared and the most appropriate alternative selected
  – Cost: Tangible, operational, and other costs of countermeasure(s)
  – Benefit: Amount of risk reduction based on the overall effectiveness of countermeasure(s)
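Added example (not part of the original slides): the Step #4 formula and the Step #5 cost-benefit comparison worked through in Python. All numeric values, the costs, the "Backup generator" and "Asset tagging" options and the handling of shared band boundaries are constructed assumptions; the slides show only "#" placeholders.

```python
from dataclasses import dataclass, replace
# Notional impact bands from the slide. Assumption: a value on a shared
# boundary (3, 13, 50) is placed in the higher band.
BANDS = [(3, "Low"), (13, "Medium"), (50, "High"), (101, "Critical")]

@dataclass(frozen=True)
class Entry:
    event: str
    impact: float         # 1-100
    threat: float         # 0-1.0
    vulnerability: float  # 0-1.0
    def __post_init__(self):
        if not 1 <= self.impact <= 100:
            raise ValueError(f"{self.event}: impact must be 1-100")
        for name in ("threat", "vulnerability"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{self.event}: {name} must be 0-1.0")
    @property
    def risk(self):
        # Impact x (Threat x Vulnerability) = Risk
        return self.impact * (self.threat * self.vulnerability)

def impact_band(impact):
    return next(label for upper, label in BANDS if impact < upper)

def prioritize(entries):
    return sorted(entries, key=lambda e: e.risk, reverse=True)

def rank_countermeasures(entries, options):
    """options: (name, event, cost, changed fields). Benefit = risk reduction."""
    by_event = {e.event: e for e in entries}
    ranked = []
    for name, event, cost, changes in options:
        after = replace(by_event[event], **changes)  # re-validates new values
        benefit = by_event[event].risk - after.risk
        ranked.append((name, round(benefit, 2), round(benefit / cost, 4)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample values, not taken from the slides.
REGISTER = [
    Entry("Loss of Power", impact=40, threat=0.5, vulnerability=0.6),
    Entry("Theft", impact=10, threat=0.7, vulnerability=0.5),
    Entry("Terrorism", impact=90, threat=0.2, vulnerability=0.3),
]
OPTIONS = [  # cost in arbitrary units (constructed)
    ("Backup generator", "Loss of Power", 20, {"vulnerability": 0.2}),
    ("Asset tagging", "Theft", 2, {"vulnerability": 0.3}),
    ("Distribute assets", "Terrorism", 50, {"impact": 60}),
]
```

With these values the highest-risk event (Loss of Power) is not the one whose countermeasure buys the most risk reduction per unit of cost, which is the tradeoff Step #5 asks the planner to put in front of the decision maker.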
Countermeasure Options (Example)
Undesirable Event | Countermeasures | Risk Level Reduced From/To | Cost
Natural Disaster | Distribute Assets | LOW/HIGH to LOW/MED |
Terrorist Attack | Emergency procedures, physical preventions | HIGH/CRITICAL to HIGH/MED |
Loss of critical data | IT resiliency | LOW/MEDIUM to L/M |
 | | MEDIUM/MEDIUM to M/M |
TOTAL COST:
Risk based planning provides:
• A structured yet flexible approach to understanding your threat and risk posture
• A process for developing effective business continuity & security countermeasures and options that consider cost & benefit
• A snapshot in time that provides an audit trail for performance improvement
• Supportable, Defendable and Repeatable.
Questions & Contact
• Darren J. Blue – Director Policy and Plans, Office of Emergency Response and Recovery
• [email protected].