Pittsburgh, PA 15213-3890 Mission Assurance Analysis Protocol (MAAP) Sponsored by the U.S. Department of Defense 2004 by Carnegie Mellon University page 1
Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE JAN 2004 2. REPORT TYPE 3. DATES COVERED 00-00-2004 to 00-00-2004 4. TITLE AND SUBTITLE Mission Assurance Analysis Protocol (MAAP) 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Carnegie Mellon University,Software Engineering Institute,Pittsburgh,PA,15213 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 11. SPONSOR/MONITOR S REPORT NUMBER(S) 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified Same as Report (SAR) 18. NUMBER OF PAGES 19 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
Example: Single Point of Control Mission Activity 1 Activity 2 Activity 4 Single point of management control oversees execution of all activities. Activity 3 2004 by Carnegie Mellon University page 2
Example: Multiple Points of Control Organization A Mission Organization B Activity 1 Organization C Activity 2 Organization D Activity 3 Organization E Activity 4 2004 by Carnegie Mellon University page 3
Example: Inherited Risk Mission Organization A Organization B Activity 1 Organization C Activity 2 Organization E s risk analysis only considers what happens within its organizational boundaries. However, Activity 4 inherits risk from activities performed earlier in the process. Organization D Activity 3 Organization E Inherited Risk Activity 4 2004 by Carnegie Mellon University page 4
Key Premise Most risk analysis techniques focus on a single entity (e.g., enterprise, system). These techniques are effective at handling environments where management control is centralized do not readily scale to environments where management control is distributed Distributed management of processes and technologies is now commonplace. New techniques are needed to handle the complexity inherent in distributed environments. 2004 by Carnegie Mellon University page 5
Definitions Mission is the set of objectives being pursued by a person or group. Risk is the possibility of suffering harm or loss. Operational risk is the possibility of direct or indirect loss resulting from failed or inadequate internal processes or from failures caused by people, technology, or external events. Operational risk tolerance is the maximum overall exposure to operational risk that will be accepted. 2004 by Carnegie Mellon University page 6
Operational Risk Analysis Issues Analysis of operational risk in distributed environments is often incomplete. Some sources of operational risk are excluded from the analysis. Interrelationships and dependencies among sources of operational risk are not typically established. The potential impact of a risk is often difficult to characterize in complex operational environments. 2004 by Carnegie Mellon University page 7
Operational Risk Management Issues Management of operational risk in distributed environments is often ineffective. Incomplete analysis of operational risk can lead to poor management decisions. Operational risk tolerance is not uniform across functional boundaries. There are insufficient means for communicating operational risks across functional boundaries. Ownership of complex operational risks can be ambiguous. 2004 by Carnegie Mellon University page 8
Mission Assurance Mission assurance is taking due care to reduce operational risk to the mission to an acceptable level. 2004 by Carnegie Mellon University page 9
Analyzing Mission Assurance - 1 Set the scope of the analysis according to the mission being pursued. Define and document an interrelated process model for achieving the mission. Identify the sequence of all value-added activities that must be performed when working toward the mission. Identify the actors responsible for performing each activity. Establish criteria for measuring operational risk. Define the tolerance for operational risk. 2004 by Carnegie Mellon University page 10
Analyzing Mission Assurance - 2 Select tools and techniques for data gathering and analysis. Collect operational risk data. Analyze operational risk to the mission. Take action to reduce operational risk to the mission within the defined tolerance. 2004 by Carnegie Mellon University page 11
Sources of Operational Risk Mission Design Execution Environment Event 2004 by Carnegie Mellon University page 12
Security and Mission Assurance The security attributes for information are derived from the performance attributes of work processes. The tolerance for operational risk establishes the criteria against which security risk must be evaluated. Security processes are work processes. Operational risk to security processes must be managed in the same way it is managed in other work process. 2004 by Carnegie Mellon University page 13
Mission Assurance Analysis Protocol (MAAP) Defines a set of objects, rules, and heuristics used to model and analyze processes and systems Provides an integrated view of operational risk Can be tailored to many different domains Focuses on assuring the completion of defined missions Addresses operational risk analysis issues 2004 by Carnegie Mellon University page 14
Implementing MAAP 2004 by Carnegie Mellon University page 15
A Common Basis for Analysis 2004 by Carnegie Mellon University page 16
Types of Analysis MAAP allows for different types of analysis based on the nature of the problems being solved. gap analysis qualitative analysis quantitative analysis 2004 by Carnegie Mellon University page 17
Proposed Development MAAP Definition and Description MAAP Toolkit 2004 by Carnegie Mellon University page 18
MAAP Project Status First pilot analyzing risk to an incident management capability is underway. The operational model has been developed. Analysis activities are beginning. Currently looking for a second pilot in another domain. software assurance operational security unique problems (e.g., operating weapons systems, critical infrastructure) complex missions requiring a comprehensive risk analysis 2004 by Carnegie Mellon University page 19