Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

w-jira-risk-workflow Jira risk workflow

Presented at: https://open-security-summit.org/

  • Loggen Sie sich ein, um Kommentare anzuzeigen.

w-jira-risk-workflow Jira risk workflow

  1. 1. JIRA Risk Workflow Prepared by: Goher Mohammad Date: 07/06/18 1
  2. 2. What is a Risk ? We started off trying to define a risk and a vulnerability so we could map those into Jira correctly
  3. 3. What is a Risk ? ● In our world today a Risk is the potential or actual consequence of a known vulnerability.
  4. 4. So before we create a Risk first we must define the vulnerability ● Vulnerabilities arise due to incidents, monitoring or testing. ● A vulnerability might be found as a result of: ○ A penetration test ○ An Incident ○ A network scan ○ A missing policy or process required by best practice or legal compliance ○ An industry news item
  5. 5. So a good vulnerability looks like this
  6. 6. And a bad one looks like this !
  7. 7. So now we have a good vulnerability we can create a good Risk
  8. 8. What else do we need to do when creating a Risk? ● A Risk should be linked to a Vuln as a parent of RISK is a parent of a Vulnerability & Vulnerability is a child of a Risk ● A Risk Owner ● From your risk and vuln we should know what brand it relates to and which service it effects or impacts on.
  9. 9. Whats next ? ● Risks will be reviewed by the Risk Function / steering committee and prioritised and rated. ● Risks will be reported and assigned to the correct business function ● Security will facility the remediation path.
  10. 10. Whats next ? THAT DIDN’T WORK SO WE BASED RISK WORKFLOWS FROM DATA JOURNEYS
  11. 11. Data Journeys/Threat Model
  12. 12. Mapping of risks built into security mapping for visibility across the network – from GDPR IT System VULN RISK Security Control Data Journey Data Touches Has VULN Has RISK Missing Data Source Threat Model Security Goal meets Business Goal Helps meet Project Mitigates Has RISK Used in identifies
  13. 13. Online Sanitized Jira and Neo4J for testing Jira On-line https://gdpr-patterns.atlassian.net/browse/GDPR-1 Neo4J Visualisation http://ec2-35-177-200-108.eu-west-2.compute.amazonaws.com:9004/user/dj-507_tm/

×