GSA Office of Emergency Response and Recovery Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response

GSA Office of Emergency Response and Recovery

Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response and RecoveryJune 2009, GSA Expo

GSA EXPO 2009

Office of Emergency Response and Recovery 2

What is Risk Based Planning?• The process of selecting and implementing

countermeasures or mitigation strategies to achieve an acceptable level of risk at an acceptable cost– Risk Management and Continuity planning begins with the

identification of critical assets (processes, functions, systems, information) that enable the execution of essential functions

• Once we ID these assets we then can work towards ensuring their resilency.

GSA EXPO 2009


Purpose

• Provides a systematic approach to acquiring and analyzing the information necessary to support decision makers in the allocation of scarce continuity resources to ensure the protection of critical assets and capabilities.– Structured process – Not a exact science.

GSA EXPO 2009


Continuity what's Changed ?• Old Think:

– Warning of Event– Single Use Assets– movement of people with data– Reliance on static plans – Not integrated into daily

operations– Singular view of threat– Avoided Risk

• New Think:– No warning of attack or event– Dual Use Assets – Routine Geographic

Dispersion of people, data and functions

– Integrated into daily business operations

• Capabilities based– Acknowledgment of diverse

threats.– Increased reliance on IT

Systems– Managed Risk

GSA EXPO 2009


Risk Avoidance vs. Risk Management• Risk Avoidance

– Assumes an aggressive adversary in all scenarios

– Counters ALL possible vulnerabilities– Responds based on worst-case scenarios

• Risk Management– Integrates the process of assessing the threat,

the vulnerabilities, and the value of the asset to the owner

– Weighs the risk of compromise/loss against the cost of mitigation strategies.

Checklist

GSA EXPO 2009


Risk Management at a Glance

AssessAssets

1

AssessThreats

2

AssessVulnerabilities

3

AssessRisks

4Determine

CountermeasureOptions

5

Make RMDecisions

Cost Analysis

Benefits Analysis

Monitor

Implement

Test & Eval

GSA EXPO 2009


Five Step Process • 1: Identify Assets and Loss Impacts • 2: Identify and Characterize the Threat to Specific Assets • 3: Identify and Characterize Vulnerabilities • 4: Assess Risks and Determine Priorities for Asset

Protection • 5: Identify Countermeasures, Costs and tradeoffs.

GSA EXPO 2009


Step #1: Identify Assets and Loss Impacts

• Determine valued assets requiring protection– (assets = processes, functions, systems, critical staff)

• Identify undesirable events and expected impacts– (event leading to the loss, damage, consequence to the asset)

• Value/prioritize assets based on consequence of loss– (based on the definitions, rate the impact).

GSA EXPO 2009


What is an Asset? • Anything that has value to an essential function

– People, information, facilities, special equipment, systems, process, workflow

• An asset may have value to an adversary that differs from the owner,

• Continuity planning endeavors to increase the resiliency of assets that enable the organization’s ability to perform its essential functions. – Focusing on the assets, processes, systems, key information, and

critical staff that allow GSA to do its job and provide service and products to their customers.

GSA EXPO 2009


Critical - Indicates that interruption to the asset//function would have grave consequences leading to loss of life, serious injury, or mission failure (50-100)

High - Indicates that interruption to the asset//function would have serious consequences resulting in loss of critical data, equipment, or facilities that could impair operations for a limited period of time (13-50)

Medium - Indicates that interruption to the asset//function would have moderate consequences resulting in loss of highly critical data, equipment, or facilities that could impair operations for a limited period of time (3-13)

Low - Indicates that interruption to the asset//function would have little or no impact on human life or continuity of operations (1-3).

Notional

Notional

GSA EXPO 2009


People

Activities & Operations

Information

Equipment

Facilities

C

C

C

M

M

H

H

L

M

H

Critical Asset Undesirable Event & Impact

LinguisticRating

#Rating

Hazardous Weather loss of access

Loss of Power Loss of Production

Theft Loss of critical assets

Terrorism Loss of life // productivity

Disruption Schedule setback

Criminal activity Unsettled employees

Loss Mission failure; degraded

Poor OPSEC Operational disclosure

Unauthorized release Capability disclosures

Chemical SpillEnvironment

Example

GSA EXPO 2009


Step #2 Identify and Characterize the Threat to Specific Assets • Identify threat categories and adversaries

• Assess intent of each adversary

• Assess capability of each adversary

• Determine frequency of past incidents

• Estimate threat relative to each critical asset.

GSA EXPO 2009


What is a threat? VS. an adversary?

• What is a threat?– Any indication, circumstance, or event that can cause the

loss of, damage to, or the denial of an asset

• Who is an adversary?– Any entity that conducts, or has the capability and

intention to conduct, activities detrimental to interests or assets.

GSA EXPO 2009


Types of threat• Foreign Intelligence Services

– Facility penetration– Non-access attack– Recruiting staff

• Terrorist Threats– Kidnapping– Bombing– Sabotage– CBRNE

• Natural Threats– Fire– Flood – Storms (wind, ice, snow)– Earthquake

• Criminal Threats– Fraud, theft, robbery– Arson– Vandalism– Computer hacking

• Insider Threats– Espionage – Misuse of equipment– Malicious acts by

disgruntled staff– Work place violence

• Military Threats– War– Insurrection– State sponsored activities

GSA EXPO 2009


Understanding the threat:

CAPABILITYTO ACT

HISTORY

INTENT– Goals– Motivation

– Collection/action capability

– Necessary skills/resources

– History of successful attacks

– History of attempts

GSA EXPO 2009


Low: Indicates little or no credible evidence of capability or intent, with no history of actual or planned threats against the assets.

Critical: Indicates that a definite threat exists against the assets and that the adversary has both the capability and intent to launch an attack, and that the subject or similar assets are targeted on a frequent or recurring basis

High: Indicates that a credible threat against the assets exists, based on our knowledge of the adversary’s capability and intent to attack the assets and based on related incidents having taken place at similar facilities

Medium: Indicates that there is a potential threat to the assets based on the adversary’s desire to compromise the assets and the possibility that the adversary could obtain the capability through a third party who has demonstrated the capability in related incidents

Example

GSA EXPO 2009


Undesirable event / Impact#

Rating

Critical Asset

People

Activities & Operations

Information

Equipment

Facilities

ThreatCategory

ThreatRating

C

H

H

M

M

H

M

H

ML

Terrorist

FIS / Insider

Insider

Criminal

Weather

Weather

Terrorist

MilitantInsider / FIS

Hazardous Weather Transportation Problems


Theft Loss of computers

Threat of Terrorism Loss of Production Time


Criminal activity Employee injury

Loss Mission failure

Poor OPSEC Operational disclosure

Unauthorized release Capability disclosures

Criminal

Chemical Spill Facility Closure

Example

GSA EXPO 2009


Step # 3: Identify and Characterize Vulnerabilities

• Identify vulnerabilities of specific assets related to undesirable events

• Identify existing countermeasures and their level of effectiveness in reducing vulnerabilities

• Estimate degree of vulnerability to each asset and threat

GSA EXPO 2009


Step #4: Assess Risks and determine priorities for asset protection

• Estimate degree of impact relative to each valued asset

• Estimate likelihood of attack by a potential adversary • Estimate likelihood that a specific vulnerability will be

exploited• Determine relative degree of risk• Prioritize risks based on integrated assessment.

GSA EXPO 2009


• Quantify the likelihood that an undesirable event will occur

• Determine the severity of the outcome of an undesirable event

• Prioritize the risks

Asset (Impact) x (.Threat x .Vulnerability) = Risk

Assess the Risks

GSA EXPO 2009


Asset

Threat

Vulnerability

Impact of Unwanted

Event

Likelihood

RiskRisk

GSA EXPO 2009


Impact x (.Threat x .Vulnerability) (1-100) (0-1.0) (0-1.0)

= Risk* You can build your own scale

Risk Assessment Formula

GSA EXPO 2009


Terrorism Loss of Production

Loss Mission failure

Unauth. Release Disclosures

Theft Loss of Computers


Hazardous Weather TransProb

Closure of facilityChemical spill


Poor OPSEC Disclosure

C H H ( # )*

C

C

M

M

H

H

L

M

H

#

#

#

#

#

#

##

#

#

#

#

#

#

#

#

##

#

#

#

#

#

#

#

#

##

#

#

C

Critical Potential Undesirable Asset Asset Threat Threat Vuln. Vuln. RiskAssets Events Rating Value Rating Value Rating Value R / V

H

H

M

M

H

HM

M

L

H

M

M

M

M

M

M

L

L

H ( # )*

M ( # )*

L ( # )*

L ( # )*

L ( # )*

L ( # )*

M ( # )*

L ( # )*

M ( # )*

People

Information

Equipment

Facilities

Activities &Operations

Example

GSA EXPO 2009


Step # 5: Identify Countermeasures, Costs and tradeoffs • Identify potential countermeasures or mitigation

strategies to reduce Vulnerabilities and/or Threats and / or Impacts.

• Identify countermeasures or mitigation strategies benefits in terms of risk reduction

• Identify countermeasure or mitigation strategy costs• Conduct countermeasure or mitigation strategy cost-

benefit analyses• Prioritize options and prepare a recommendation for

decision maker

GSA EXPO 2009


• Countermeasures (mitigation strategies) – An action taken or a physical entity used to reduce or eliminate one

or more Vulnerability and or Threat and or Impact.

• Cost-Benefit Analysis– The part of the process in which costs / benefits of

countermeasure(s) are compared and the most appropriate alternative selected

– Cost: Tangible, operational, and other costs of countermeasure(s) – Benefit: Amount of risk reduction based on the overall effectiveness

of countermeasure(s)

Countermeasure Costs and Benefits

GSA EXPO 2009


Undesirable Event Countermeasures Risk Level Reduced CostFrom/To

Natural Disaster Distribute Assets LOW/HIGH to LOW/MED

Terrorist Attack Emergency procedures HIGH/CRITICAL to physical preventions HIGH/MED

Loss of critical data IT resiliency LOW/MEDIUM to L/M

MEDIUM/MEDIUM to M/M

TOTAL COST:

Countermeasure Options

Example

GSA EXPO 2009


• A structured yet flexible approach to understanding your threat and risk posture

• A process for developing effective business continuity & security countermeasures and options that consider cost & benefit

• A snapshot in time that provides an audit trail for performance improvement

• Supportable, Defendable and Repeatable.

Risk based planning provides:

GSA EXPO 2009


Questions & Contact

• Darren J. Blue – Director Policy and Plans, Office of Emergency Response and

Recovery• [email protected].

mailto:[email protected]

Documents

GSA Office of Emergency Response and Recovery Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response