Assessing and Managing Security Risk in IT Systems
John McCumber (Symantec Corp.)
ABSTRACT
We outline a simple yet thorough process that provides guidance in the
analysis and mitigation of risks in IT systems, based on the speaker's
recent book, "Assessing and Managing Security Risk in IT Systems: A
Structured Methodology". In this talk, we help practitioners and policy
makers apply the concepts of "McCumber's model", an alternative to existing
compliance-based security models that are, in the speaker's opinion,
outdated, inaccurate and obsolete by the time systems are designed and
deployed. In contrast, our technology-independent methodology allows
security and privacy needs to be specified before systems are built. We
also discuss ways to allow systems developers, integrators, and security
specialists to design for, and evaluate, compliance with these
requirements, and to allow IT systems designers and developers to address
security requirements in a structured, consistent manner. The model may be
used as a basis for demonstrating compliance and for working out trade-offs
with those who establish the requirements. An in-depth technical background
is not necessary to understand this talk, although technical people can
work within the model's structure.
BIOGRAPHY
John McCumber is a strategic program manager in the Public Sector Group of Symantec Corporation. He is currently involved in research and development activities in support of leading-edge government information assurance initiatives. John is a retired US Air Force officer and a former Cryptologic Fellow of the National Security Agency. During his military career, John also served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as Information Warfare Officer during the Persian Gulf War. In addition to his professional responsibilities at Symantec Corporation, John is currently a Professorial Lecturer in Information Security at George Washington University in Washington, DC, and is a technical editor and monthly columnist for Security Technology and Design magazine. John is the author of the textbook "Assessing and Managing Security Risk in IT Systems: A Structured Methodology" from Auerbach Publications. He lives in Oakton, Virginia and Cary, North Carolina.