Assessing and Managing Security Risk in IT Systems

John McCumber (Symantec Corp.)


ABSTRACT

We outline a simple, yet thorough process that provides guidance in the analysis and mitigation of risks in IT systems, based on the speaker's recent book, "Assessing and Managing Security Risk in IT Systems: A Structured Methodology". In this talk, we help practitioners and policy makers apply the concepts of "McCumber's model", an alternative to existing compliance-based security models that are, in the speaker's opinion, outdated, inaccurate and obsolete by the time systems are designed and deployed. In contrast, our technology-independent methodology allows security and privacy needs to be specified before systems are built. We also discuss ways to allow systems developers, integrators, and security specialists to design against these demands and evaluate their compliance with them, and to allow IT systems designers and developers to address security requirements in a structured, consistent manner. The model may be used as a basis for demonstrating compliance and for working out trade-offs with those who establish the requirements. An in-depth technical background is not necessary to understand this talk, although technical people can work within the model's structure.

BIOGRAPHY

John McCumber is a strategic program manager in the Public Sector Group of Symantec Corporation. He is currently involved in research and development activities in support of leading-edge government information assurance initiatives. John is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John also served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as Information Warfare Officer during the Persian Gulf War. In addition to his professional responsibilities at Symantec Corporation, John is currently a Professorial Lecturer in Information Security at George Washington University in Washington, DC, and is a technical editor and monthly columnist for Security Technology and Design magazine. John is the author of the textbook Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. He lives in Oakton, Virginia and Cary, North Carolina.