Risk Management
Steve Kruse, Sr. Solutions Principal, RSA
Agenda: Required Knowledge*
* What is IT Risk?
* What is an IT Risk Management Framework?
* How is Risk Managed?
* How is Risk Communicated & Monitored?

* Required knowledge:
  * Align the IT risk management processes with the enterprise business risk management framework (where this exists).
  * Ensure a consistent application of the risk management framework across the enterprise IT environment.
  * Ensure that risk assessment and management is included throughout the information life cycle.
  * Define risk management strategies, and prioritize responses to identified risks to maintain risk levels within the appetite of the enterprise.
  * Implement timely reporting on risk events and responses to appropriate levels of management (including the use of key risk indicators, as appropriate).
  * Establish monitoring processes and practices to ensure the completeness and effectiveness of established risk management processes.
CGEIT EXAM PREP #3

WHAT IS IT RISK?

Some Risk Categories
Important point: define IT risk beyond just CIA (Confidentiality, Integrity, Availability). Types of risk also include:
* Hazard risk: liability torts, property damage, natural catastrophe
* Financial risk: pricing risk, asset risk, currency risk, liquidity risk, technology obsolescence
* Operational risk: customer satisfaction, product failure, integrity
* Strategic risks: competition, social trend, capital availability, reputational risk
* Security risks
Information Properties
IT responsibility to develop and preserve multiple information properties (per COBIT):
* effectiveness
* efficiency
* confidentiality
* integrity
* availability
* reliability
* compliance

Security
Managing security is only part of managing IT Risk.
SOX; Basel II:
* Internal Fraud
* External Fraud
* Employment Practices
* Clients, Products, and Business Practices
* Damage to Physical Assets
* Business Disruptions and System Failures
* Execution, Delivery and Process Management
U.K. Office of Government and Commerce (OGC)
Management of Risk (M_o_R) Framework
* Strategic Level: decisions on business strategy
* Program Level
* Project Level
* Operational Level

WHAT IS AN IT RISK MANAGEMENT FRAMEWORK?
IT Risk Frameworks
Intended to ensure the appropriate recognition and treatment of risk. Best practices.
Frameworks define:
* Required management activity
* Scope
* Roles and responsibilities
* Mechanisms | Methods
* Artifacts
* Assurance requirements
Risk Frameworks
COSO ERM
* Applies to all aspects of enterprise risk
* IT risk managed as a special case
* Specialized IT risk frameworks should be considered as a special case
OCTAVE
* Carnegie Mellon's Software Engineering Institute's contribution
ISO 31000
* Risk framework generally applied (operational, technical, enterprise)
* Supersedes AS/NZS 4360:2004 as existing legislated standard on risk management
Risk Artifacts
* Risk Register: capture all relevant risks; origins in project management
* OCTAVE Threat Tree, Heat Maps: specialized IT risk framework applied to information security
* Gap Assessment: current and desired states
Risk Register
Collection of identified risks. Typically rated on impact and likelihood estimates. Expands beyond projects to enterprise registers.

Register columns: Risk number (1 to 5) | Risk name | Risk Owner | Key issues | Residual risk score | Raw risk score | Rank (based on residual score) | Previous rank | Status (green/orange/red)

Likelihood of risk: 1 Very low | 2 Low | 3 Medium | 4 High | 5 Very high
If likelihood was assessed as very low (e.g. earthquake) it could be given a score of less than 1, such that even highest-impact risks could attract an overall score of less than 5.

Total residual risk score (likelihood x impact) and traffic light: 1-6 Low (green traffic light) | 8-12 Medium (green/orange light) | 14-20 High (orange/red light) | Over 20 Very high (red light)
*Register and rating methodology courtesy Cambridge University
OCTAVE Threat Tree
[Threat tree figure; recoverable structure only: Asset (IP data) > Access (physical; human actors using physical access) > Actor (inside / outside) > Motive (accidental / deliberate) > Outcome (disclosure, modification, interruption, loss/destruction) > Impact values (Confidentiality, Integrity, Availability, Probability, each rated H/M/L). Each branch is mapped to ISO 17799 clauses (1. Security Policies, 2. Org. Security, 3. Asset Classification, 4. Personnel Security, 5. Physical Security, 6. Comm. Management, 7. Access Control, 8. Sys. Development, 9. Incident Management, 10. Continuity Mgmt., 11. Compliance) and to a response: Mitigate or Accept.]
Heat Map
Map current risks onto a heat map to identify current risks and their potential likelihood and impact. Can be transposed from a risk register: numbers from numbered risks are plotted on the map to quickly depict which risks are potentially most damaging if actualized.
[Heat map figure: likelihood and impact axes each rated VL, L, M, H, VH; each cell carries the combined rating from VL to VH.]
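A worked example of the register scoring and heat-map placement described on the two slides above. This is added example code, not code from the deck, from RSA or from Archer; it applies the 1-5 likelihood and impact scales, the residual score = likelihood x impact rule, the four traffic-light bands, and the sub-1 likelihood convention for remote events, then plots risk numbers on a likelihood-by-impact grid. The register rows, owners and previous ranks are constructed sample data.

```python
"""Risk register scoring, ranking and heat-map plotting (added example)."""
import math
from dataclasses import dataclass

# 1-5 scale from the register slide; the same scale is used for impact.
SCALE = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}


@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    owner: str
    raw_likelihood: float       # may be < 1 for remote events (e.g. earthquake)
    raw_impact: int
    residual_likelihood: float  # likelihood after current controls
    residual_impact: int

    @property
    def raw_score(self) -> float:
        return self.raw_likelihood * self.raw_impact

    @property
    def residual_score(self) -> float:
        return self.residual_likelihood * self.residual_impact


def traffic_light(score: float) -> tuple:
    """Map a likelihood x impact score to the slide's bands and colours.

    1-6 Low (green), 8-12 Medium (green/orange), 14-20 High (orange/red),
    over 20 Very high (red).  Integer 1-5 scales never produce 7 or 13, so
    the <= boundaries also cover fractional scores from sub-1 likelihoods.
    """
    if score <= 6:
        return ("Low", "green")
    if score <= 12:
        return ("Medium", "green/orange")
    if score <= 20:
        return ("High", "orange/red")
    return ("Very high", "red")


def rank_register(risks, previous_ranks=None) -> list:
    """Build register rows ranked by residual score (rank 1 = highest)."""
    previous_ranks = previous_ranks or {}
    ordered = sorted(risks, key=lambda r: (-r.residual_score, r.number))
    rows = []
    for rank, r in enumerate(ordered, start=1):
        level, light = traffic_light(r.residual_score)
        rows.append({
            "number": r.number, "name": r.name, "owner": r.owner,
            "raw": r.raw_score, "residual": r.residual_score,
            "level": level, "status": light,
            "rank": rank, "previous_rank": previous_ranks.get(r.number),
        })
    return rows


def heat_map(risks) -> dict:
    """Place each risk number in the (likelihood, impact) cell of a 5x5 grid.

    Sub-1 likelihoods are rounded up into the Very low row so that a remote
    event still appears on the map.
    """
    grid = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        row = max(1, min(5, math.ceil(r.residual_likelihood)))
        grid[(row, r.residual_impact)].append(r.number)
    return grid


def render_heat_map(risks) -> str:
    """Text grid: likelihood rows top (VH) to bottom (VL), impact columns left (VL) to right (VH)."""
    short = {5: "VH", 4: "H", 3: "M", 2: "L", 1: "VL"}
    grid = heat_map(risks)
    lines = ["L\\I " + " ".join(f"{short[i]:>5}" for i in range(1, 6))]
    for l in range(5, 0, -1):
        cells = [",".join(map(str, grid[(l, i)])) or "." for i in range(1, 6)]
        lines.append(f"{short[l]:>3} " + " ".join(f"{c:>5}" for c in cells))
    return "\n".join(lines)


# Constructed sample register (hypothetical risks, owners and ranks, not real data).
SAMPLE_REGISTER = [
    Risk(1, "Unpatched internet-facing servers", "IT Ops", 4, 5, 2, 5),
    Risk(2, "Data centre earthquake", "Facilities", 0.5, 5, 0.5, 5),
    Risk(3, "Key supplier insolvency", "Procurement", 3, 4, 3, 3),
    Risk(4, "Insider disclosure of customer data", "CISO", 4, 5, 3, 5),
    Risk(5, "Unsupported legacy payment platform", "CIO", 5, 5, 5, 5),
]
PREVIOUS_RANKS = {1: 1, 2: 5, 3: 3, 4: 2, 5: 4}  # constructed "last quarter" ranks

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER, PREVIOUS_RANKS):
        print(f"{row['rank']:>2} (was {row['previous_rank']}) #{row['number']} "
              f"{row['name']:<38} raw={row['raw']:<4} residual={row['residual']:<4} "
              f"{row['level']} [{row['status']}]")
    print(render_heat_map(SAMPLE_REGISTER))
```

Ranking on the residual rather than the raw score is what makes the register useful for quarterly review: risk 1 drops from rank 1 to rank 3 because its controls reduced likelihood, while risk 5 rises to rank 1 with a red status because nothing yet offsets it. The earthquake row shows the sub-1 convention: a maximum-impact event still scores 2.5 and lands in the green band.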
Gap Analysis: Current and Desired
[Gap analysis table: rows are the ISO 27002 major clauses (Security Policies, Organizational Security, Asset Classification, Personnel Security, Physical Security, Communications Management, Access Control, System Development, Incident Management, Continuity Management, Compliance); columns are maturity levels (Ad hoc, Repeatable, Defined, Measured, Optimized); X marks the current state and O the desired state of each clause.]
HOW IS RISK MANAGED?

HOW IS RISK COMMUNICATED & MONITORED?
Information Security Governance: Guidance for Boards
Purpose of infosec governance:
* Alignment w/ business strategy (avoid focus on past wars)
* Risk management
* Efficient use of resources
* Monitoring and reporting of appropriate risk metrics
* Optimize value of security investments
Roles & responsibilities: Board
* Define global risk profile
* Set tone
* Resource infosec
* Obtain independent assurance from auditors (internal or external)
* Insist that management makes security investments measurable & reports on security program effectiveness
Information Security Governance: Guidance for Boards
Roles & responsibilities: Sr. Management
* Oversight for security and control framework: policy, standards, practices and procedures, measures
* Appropriate risk identification
* Security infrastructure
* Monitoring
* Reviews of effectiveness
* Incorporation into SDLC
Risk Awareness and Culture
Risk Awareness
* Those closest to the process/technology/program have the greatest knowledge of the potential risks
* Again, these can be business (non-technical) risks
* We as risk professionals must tap that knowledge: "What keeps you up at night?" and other open-ended questions
Proper awareness fosters a risk culture:
* OK to talk about risks
* OK to take risks
* OK to fail (if managed appropriately)
Roles & responsibilities
Risk must be communicated throughout the organization. Various organization structures proposed:
* Chief Risk Officer
* Risk Managers in Business Units
ITGI recommends:
* Risk Management Plan subject to periodic review
* IT Executive Committee to review the plan
* Committee reviews priorities
* Approves allocation of resources to mitigate prioritized risks
Monitoring, Reviewing and Trending Risk
* Management of risk takes a lifecycle approach
* Obtain assurance of effectiveness
Practice Question
Which of the following would be implemented at the highest level of an enterprise?
A. An enterprise risk register
B. A risk management board
C. A risk owner
D. A risk council
Answer
Which of the following would be implemented at the highest level of an enterprise?
A. An enterprise risk register is a management tool that is used within the context of the risk management board.
B. A risk management board is made up of managers who are responsible for the reporting of the enterprise's risk response to the board.
C. Although the highest level of management is responsible for risk, the risk owner is tied to a low-level project, program, or business unit.
D. The risk council is defined either by the enterprise board or the marketplace itself.
Reference: ISACA; IT Governance Practices and Competencies: Information Risks: Whose Business Are They?
Risk Management Snapshot
[Poll charts: results from the April 2009 Archer Technologies Risk Management Working Group poll; results from the September 2009 Archer Technologies Risk Management Working Group poll.]

Archer's Approach to GRC
Archer Policy Management: centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
[Diagram; recoverable labels: Governance: Corporate Objectives, Policies, Control Standards, Authoritative Sources, Control Procedures, Exception Requests. Risk Register, Loss Events. Compliance: Manual Scoping, Automated Testing, Test Results. Enterprise Management: Facilities, Information, Applications.]
Risk Management Process
[Process diagram: Risk Register, Loss Events, Metrics, Quarterly Risk Reviews, Question Library, Assessments, Findings, Exception Requests, Remediation Plans.]

A Top-Down Risk Approach
* Risk Register: Risk Ownership, Source Information, Impact Score, Likelihood Score, Quarterly Risk Response
* Loss Events: Loss Amounts
Follow-on Top-Down
* Risk Register / Metrics: How to Calculate, Impacted Business Processes, Measurement Frequency, Quarterly Risk Review, Financial Valuation & Recovery, Threshold Type and Value, Summary, Offset Transactions, Current Value, Root Cause Analysis, Date Measured, Failed Controls, Question Library, Violated Policies

Top-Down Continued
* Risk Register / Metrics / Loss Events: Statuses, Submitter & Reviewer, Review & Due Dates, Type & Status, Policy References
* Question Library: Answer Inheritance
A Bottom-Up Risk Approach
* Assessments: Fraud Assessment, Application Assessment
* Remediation Plans

Bottom-Up Continued
* Findings: Status, Authoritative Source References, Control Standards, Approval Workflow, Finding Description, Finding Response, Remediation Status and Dates
* Exception Requests
* Remediation Plans
* Assessments

Bottom-Up Risk 3
* Exception Requests: Status, Cost Analysis, Exception Approval Workflow, Declaration, Related Findings, Impacted/Related Control Standards, Related Vulnerabilities, Related Configuration Check Results, Compensating Controls
* Findings
* Assessments
Risk Management Reporting
Over 140 out-of-the-box reports, including:
* Risk Impact and Rating Summary
* Risks by Inherent and Residual Rating
* Risks by Company Objective
* Metric Status Summary
* Net Total Losses by Business Unit by Month
* Open Loss Events by Business Unit
* All Events by Basel II Categories
* Risk Assessment Average Residual Scores by Business Unit
* Risk Findings by Status
END
ERM Components
* Objective Setting: necessary preconditions of risk management; strategic objectives regarding operations, reporting and compliance
* Event Identification: positive or negative risk-related events
* Risk Assessment: impact and likelihood of identified events
* Risk Response: avoidance, reduction, sharing, acceptance
* Control Activities: controls that ensure that risk response is completed
* Information and Communication: processes that link the above components
* Monitoring: ensure that all the above processes work effectively
COSO ERM
Eight Components and Four Objectives Categories
Eight Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
Four Objectives Categories: Strategy, Operations, Financial Reporting, Compliance
[COSO ERM Framework cube figure: objectives categories on one face, component activities on another.]
COSO ERM Component Activity
* Control activity: policies and procedures that ensure that risk response activity is carried out. E.g., (trivial) not the password policy, but the AD & Winlogon mechanism that enforces the policy.
* Information and communication: outputs, indicators, reports that coordinate other component activities.
* Monitoring: processes needed to determine the effectiveness of all the other ERM components.
Other ERM Frameworks
* ISO 31000: recent work by the International Organization for Standards (November, 2009). Replaced AS/NZS 4360:2004.
* Risk IT: ISACA's own. Leverages elements of George Westerman's work at MIT and Jack Jones' FAIR methodology (heat maps). Balance risk with opportunity: little to no risk means fewer necessary controls to identify and work towards opportunities.
Risk IT Framework
Risk IT
Goal: ensure enterprise governance of IT risk
* Connects IT risk with business objectives
* Aligns IT-related business risk with overall enterprise risk management (akin to IT-enabled business investment/value)
* Framework specializes the COSO ERM framework to IT risk
* Emphasis (but not exclusively) on information security risk
Framework provides:
* Risk management governance practices
* End-to-end process framework
* Catalog of generic adverse-related IT risk
* Tools & techniques
* Roles & responsibilities
Risk IT Components

Risk IT Process Model
Risk IT Process Model: Zoom
For each process, RISK IT provides:
* Detailed control activities / objectives
* Inputs and outputs for each activity
* RACI chart
* Goals and metrics (activity, process & domain)
* Maturity model

Risk IT Companion Document
COSO ERM: for more info
COSO.org
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
http://www.coso.org/documents/COSO_ERM.ppt
http://www.coso.org/ERM-IntegratedFramework.htm (especially recommended for security professionals)
COSO ERM Entity & Unit Level Risk
Entity-wide plus unit-specific risks. Risk should be considered and managed at all levels of business. Follow organization chart?
* Unit-level risk
* Entity-level risk: risk impacting multiple business units; roll-up of unit-level risk with material impact