Posted at 11.05.2018
The objective of this report, submitted to the concerned members of the Board including the President, is two-fold: first, to point out the major benefits as well as the challenges of using the OCTAVE Allegro method, and second, to provide suggestions for overcoming these problems.
This report explains RIT's approach to creating a University Risk Management and Mitigation Plan, and the components involved in executing a risk assessment and vulnerability evaluation for the University. This document does not concentrate on how to carry out a security risk assessment; rather, it offers a research guide so that the strategy and deliverables are aligned with respect to external as well as internal auditors. It identifies the key challenges in implementing the recommended model and also suggests research needs that can help enhance the resilience of the University.
It has been recommended that we use the OCTAVE Allegro method for Risk Assessment and Management, a streamlined process that focuses on Information Assets. This approach is systematic and involves worksheets and questionnaires.
RIT's current IT Security policy consists of administering the Information Assets available to the RIT community, in conformance with Federal and State regulation. This policy establishes that safeguarding these assets against accidental or unauthorized access, disclosure or modification is of the highest concern. It also works towards assuring the integrity, confidentiality, availability and authenticity of information.
Currently the RIT Information Security Office provides coverage and help against threats and vulnerabilities with respect to web applications and any other technical aspects. RIT's Vulnerability Management Program employs various tools to regularly scan for vulnerabilities and malicious content on RIT's network. We also have a reasonable notification policy in place which informs the concerned person or authority in case of issues. At the most basic level of security, RIT provides anti-virus software to the RIT community free of charge.
Our University is working towards mitigating all risks to accomplish its objectives and to ensure these risks are identified, assessed, monitored and controlled with regard to the defined level of tolerance. We are also working towards creating reliable contingency plans which can be invoked in case a risk materializes. Our goal is to handle every risk within the risk appetite, or at least bring it to a level where it can be managed. The Information Security Office at RIT aims, through effective risk evaluation, to maximize risk management while keeping risk at or below acceptable levels.
The reputation of the University depends on the way it manages its Information Assets. RIT aspires to be one of the most notable institutions in the U.S. that prides itself on performance and on effective risk management and control. The RIT Information Security Office intends that the risk control strategy is never based on Acceptance alone; if the risks occur, there has to be an appropriate contingency plan in place. We cannot completely avoid risk, which is inescapable, but we can pursue opportunities that carry a higher level of risk because, through the risk management process, we will be able to bring the risks down to acceptable levels.
The most important facet of risk management is to ensure effective coordination between the concerned resources and groups so that appropriate decisions can be made, and so that, through proper control mechanisms and contingency strategies, risks can be contained or brought down to acceptable levels.
Overall, risk assessment is an important process which provides an objective basis for IT security expenditure as well as a sound way of decision making. Risk analysis can also be used to benchmark future IT security through comparison.
The key principle of governance and internal control for a University like RIT is reliable Risk Analysis and Management. Our target at RIT is to implement a transparent but effective risk management at all levels, so that any and all decisions made give appropriate consideration to the threats and vulnerabilities involved. The Audit Committee is in charge of the periodic review of the effectiveness of the control system put in place.
Successful IT security depends on effective IT security programs, the Risk Assessment method, audits and budget. With regard to the scope of the security risk assessment, it is necessary that before we begin the risk evaluation, we evaluate the several areas related to the IT Security Framework. These areas include rules and policies, system service utilization and support, system/network integrity, intrusion detection and monitoring, physical security, security risk assessment and audit, protection against computer viruses and malicious code, and finally education and training. During the risk evaluation, these factors should be considered as part of the questionnaire to gather the most recent information.
The RIT Information Security Office conducted the following survey, on the basis of which we are able to evaluate the IT security framework at RIT. The survey was conducted within the RIT community, including IT experts, staff and students. There were four major questions in the expanded questionnaire which I considered appropriate to include in this report.
Are the systems and applications under your use and responsibility, whether centrally managed or local, secure?
Is RIT more secure than it was two years ago?
Has RIT adopted the federal and NYS government IT requirements?
How do you rate the efficiency of the IT security strategies at RIT?
The survey produced good results, with almost all of the responses in green, but only marginally improved over the results taken two years ago. Still, the general consensus on whether RIT is more secure than it was two years ago was that "nothing much has changed". I would therefore support the idea of strengthening the IT Security Framework so that users feel safe and assured that all the information assets of concern to them are secure. As suggested by our President, I have explored OCTAVE Allegro further and included certain valuable recommendations and plans concerning how we can start implementing this method.
An institution like RIT must regularly perform risk assessment of its Information Assets, since a great deal of information is handled by the intra-network computer systems, and such analysis must consider all security policies and strategies, including management's participation in the security steps, end-user training, security alarm systems and, most importantly, the network infrastructure. All of these requirements can be met by utilizing a high-level approach such as the OCTAVE Allegro method, because this approach focuses not only on the technology but also on the management of security. OCTAVE stands for "Operationally Critical Threat, Asset, and Vulnerability Evaluation", and Allegro is the most recent variant of the method.
This is a streamlined method carried out in eight (8) steps split into four (4) phases. The OCTAVE Allegro Roadmap shown below is helpful in understanding the concept of OCTAVE Allegro better.
Let me attempt to summarize these steps in order to make the complete concept of the Allegro method clear. This will help me to point out the challenges involved in implementing such a method.
Step 1 - Establish Risk Measurement Criteria
These criteria are used to gauge the risk if and when it is realized. The Allegro method defines five impact areas which help identify the risk impact.
Step 2 - Develop Information Asset Profile
This step consists of summarizing all possible assets and characterizing them based on their properties and features. This helps later in Impact Area Prioritization.
Step 3 - Identify Information Asset Containers
This step simply consists of describing the locations where these assets are stored, transported or processed.
Step 4 - Identify Areas of Concern
This step involves listing all possible conditions that are a threat to the assets.
Step 5 - Identify Threat Scenarios
A threat can be due to various factors, such as a person using technical or physical means, technical problems or any other related problem. This step helps an organization determine which threat scenarios are most likely to be realized.
Step 6 - Identify Risks
It is important to identify risks because a threat, which may involve an actor, can have multiple effects on an organization. So it is important to recognize and capture the actual consequences of the risk.
Step 7 - Analyze Risks
This step involves computing a quantitative measure of the impact of the threat on the organization.
Step 8 - Choose Mitigation Approach
This step involves formulating a suitable mitigation strategy for the concerned risks by taking into consideration the factors that have been analyzed and measured through the prior seven (7) steps.
What makes this method worthy of the focus of this report is that, apart from being simple to implement, it does not require the individual performing the risk analysis to be an expert. While the Allegro method is mostly a qualitative procedure, which is more subjective, it also supports quantitative risk assessment based on certain computations.
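The Step 7 computation mentioned above, as an added example in Python that is not part of the original report: each impact area's priority rank from the Step 1 criteria is multiplied by the assessed impact value and summed into a relative risk score, which then orders the risks for the Step 8 mitigation decision. The impact-area ranks, the sample risks and the mitigate/defer/accept thresholds are assumed values for illustration.

```python
from dataclasses import dataclass

# Step 1: rank the five Allegro impact areas, 5 = most important.
# Constructed ranks for a university, not RIT's own criteria.
IMPACT_AREA_PRIORITY = {
    "reputation_and_confidence": 5,
    "fines_and_legal_penalties": 4,
    "productivity": 3,
    "financial": 2,
    "safety_and_health": 1,
}

# Qualitative impact level assessed per area in Step 7, mapped to a value.
IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    asset: str            # information asset profiled in Step 2
    threat_scenario: str  # scenario identified in Step 5
    impacts: dict         # impact area -> "low" | "moderate" | "high"
    score: int = 0        # filled in by rank_risks()


def relative_risk_score(impacts: dict) -> int:
    """Sum over impact areas of (area priority x impact value)."""
    total = 0
    for area, level in impacts.items():
        # Reject worksheet typos: an unknown key must not silently score zero.
        if area not in IMPACT_AREA_PRIORITY:
            raise ValueError(f"unknown impact area: {area}")
        if level not in IMPACT_VALUE:
            raise ValueError(f"unknown impact level: {level}")
        total += IMPACT_AREA_PRIORITY[area] * IMPACT_VALUE[level]
    return total


def rank_risks(risks: list) -> list:
    """Score every risk and return them highest score first."""
    for r in risks:
        r.score = relative_risk_score(r.impacts)
    return sorted(risks, key=lambda r: r.score, reverse=True)


def mitigation_approach(score: int) -> str:
    """Step 8 choice; thresholds are assumed, Allegro leaves them to the organization."""
    if score >= 30:
        return "mitigate"
    if score >= 20:
        return "defer"
    return "accept"


# Constructed sample risks, not data from the report.
SAMPLE_RISKS = [
    Risk("student records", "exposure through an unpatched web application",
         {"reputation_and_confidence": "high", "fines_and_legal_penalties": "high",
          "productivity": "low", "financial": "moderate", "safety_and_health": "low"}),
    Risk("lab file share", "accidental deletion by staff",
         {"reputation_and_confidence": "low", "fines_and_legal_penalties": "low",
          "productivity": "moderate", "financial": "low", "safety_and_health": "low"}),
]
```

With five areas the score ranges from 15 to 45, so the thresholds should be revisited if an organization adds a user-defined sixth impact area as Allegro permits.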
The OCTAVE Allegro approach uses the Information Asset Profile worksheet as the way of representing gathered data, which is much more organized and easier to understand than a matrix representation.
As the Chief Information Officer (CIO) for RIT, I recognize that for an effective risk evaluation process, the management should also be involved, which would include representation from the office of the Dean for all Schools as well as the Financial, Managerial and Facilities staff. I insist on such representation because the CIO, or for that matter the RIT Information Security Office, may not know everything about the University. I intend to make a questionnaire based on the various risk assessment checklists and deliver it to all the groups involved in this process. This will help me and my office to understand the complete network and the essential areas of concern involved in the process. Once all the people involved come to an agreement, we will then forward the results to the Board of Directors.
The OCTAVE Allegro Information Asset Profiles may be used to list the safeguards that ensure that an individual's (student's or staff member's) information is secure. While the safeguards will mostly include security devices such as firewalls, IDS/IPS, access control lists, etc., they will also include user access levels to the computer-based systems.
While OCTAVE Allegro is a relatively new process, it appears to have progressed at a great pace. Several major organizations as well as colleges have incorporated this method as part of their IT Security Framework due to its many benefits. The OCTAVE Allegro method,
-- identifies information security risks which may damage the organization's reputation and hence its goal of achieving excellence
-- makes the management of information security risk assessments possible and easier
-- addresses the organization's highest-priority information security risks first, as it works from the top down, starting with the high-impact risks before the lower residual risks
-- is responsible for making sure that the organization's IT Security Framework is in compliance with requirements or laws
-- is advantageous as it uses the information and knowledge base from multiple levels of the organization
-- recognizes critical assets and also identifies the threats and vulnerabilities to those assets
-- is in charge of creating an effective risk mitigation strategy designed to support the organization's priorities and goals
-- can be either qualitative or quantitative
-- is easy to use and does not require the individual using it to be an expert
First of all, the OCTAVE Allegro method was designed for organizations with fewer than 100 users, similar to the OCTAVE-S method, so executing it for an organization like RIT, where the community spans over 10,000 people, is likely to be a challenge. Scaling the components of the method will take a long time and considerable resources. I believe the possible solution to this is to form task-based groups within the organization and then assign tasks according to the expertise or relationship of each team. RIT has a huge network infrastructure which in itself takes a toll now and then, with certain web services and applications experiencing downtime every so often. Also, integrating OCTAVE Allegro as the IT Security Framework would require certain modifications to the security infrastructure which may bring about more downtime. Therefore the first task at hand would be to ensure that the move from the existing security framework to a new one is smooth and successful. This can be done by a structured approach to the Risk Assessment process which first establishes who will be accountable for which element in the process. It is very important that all the groups and individuals which are part of this process be completely involved during the application of this method. I recommend that the RIT Information Security Office, under my guidance, coordinate indirectly and further supervise all the different departments involved.
Conducting risk assessment using OCTAVE Allegro, or for that matter any other method, might leave the institution with a sense of complete security. This is misleading, because the management needs to understand that a risk assessment is merely a snapshot taken at a particular point in time, whereas everything around it is constantly evolving. The major challenge that may arise from this situation is that the number of vulnerabilities will increase, and eventually the IT Security department will have to delve deeper to identify those vulnerabilities that went unaddressed because of the false sense of well-being after the risk assessment.
Apart from the overall risk-based factors which are considered during risk assessment, there are also other factors that affect the results of the risk assessment and ultimately the IT Security Framework. It is very essential to consider these factors during the process, if not control or influence them. These factors include the university's legislation and rules, time constraints, technical and functional requirements, cultural factors like working styles, and many more.
There may be circumstances in which the existing university procedures are either incompatible with the new policies or are out-dated. When this happens, a good solution might be to rewrite such procedures keeping in mind the positives of the older countermeasures as well as the implementation details of the OCTAVE Allegro methodology.
Another obstacle generally associated with any risk evaluation methodology is the lack of reliable and up-to-date data. This might cause inconsistent determinations, whereas consistency is a requirement for information security risk assessment, and therefore result in increased cost. So, to avoid such pointless costs it is advisable to identify and analyze the process properly by involving all the departments, and hence not rely on doubtful results.
Since the OCTAVE Allegro method is a workshop-based approach requiring extensive resource commitment, the process towards its execution is going to be time-consuming. My project team has studied and analyzed the several OCTAVE methods in the context of the information security framework of the University, and based on this study we have come to the conclusion that we would need to capture the Information Assets in one place, which would be very hard. So if the University Board and management are flexible and ready to give us a free hand in the execution of the process, it can be implemented correctly, but not without consuming a certain amount of time. The exact timeframe can only be determined by conducting further intensive analysis of the complete network infrastructure. If there is urgency in getting the IT Security Framework overhauled and integrated with the OCTAVE method, then I would personally recommend against adopting it now.
Training is one of the main parts of executing OCTAVE Allegro, or for that matter any OCTAVE method. The right personnel need to be trained so that they can carry out this method of security assessment correctly and effectively.
If and when we do put the OCTAVE Allegro process into action for security risk assessment, it would mean compliance with Federal and NYS government requirements and legislation. So, to ensure that all areas of this method are completed with no problems, it is recommended to schedule the audit sufficiently far ahead of time. We would need enough time to rectify the problems, or at least create a plan for the same. If the auditor (whether external or internal) identifies any vulnerabilities, the regulators (including the federal government) will most certainly wish to know whether those vulnerabilities were dealt with, and exactly how.
Whether we use Information Asset profiling (OCTAVE Allegro) or simply use a risk analysis matrix, all the records must be simple and readable. Because Information Asset Profiling involves data from multiple worksheets, it will not be possible to include all the collected information (which is likely to be a great deal), so there may be additional documents which should be referenced by the Information Asset Profiles. This should be done to keep the main documentation as simple and basic as possible.
This report is a preliminary guideline to applying the OCTAVE Allegro methodology for Risk Assessment in a University. Through this report I have tried to put together the issues that the risk assessment team might face in reaching their deterministic results. This report mentions the advisable characteristics that an Information Security Risk Assessment methodology should have. Such a methodology should:
-- be consistent with overall IT risk assessment methodologies
-- take into consideration the systems and the components for identifying the sources of vulnerabilities
-- focus on technical risks rather than on threats to IT systems
-- establish a basis for an inherently secure system
A major element of an effective Information Security Framework is to have a pre-planned and systematic approach to evaluating Information Security risks. Only by following such an organized procedure can the University understand its existing security framework. This can then be used as a baseline for improvement in the future.