Risk View - InfoSec intro

  1. Rev2
     IT Information Security Risk Management
     February 26, 2010

  2. Today's Discussion
     Agenda
     - Rev2 Introduction
     - RiskView Framework
     - Examples
     - Next Steps
     Goals
     - Introduce RiskView™, a decision support system which helps identify and focus on business-material risks
     - Understand your risk-management focus areas and processes

  3. Rev2 Risk Management
     - InfoSec Risk
     - Supply Chain Risk
     - Service Delivery Risk
     RiskView replaces ad-hoc processes with a fact-based, scalable, repeatable framework:
     - Identify under-controlled risk via business views
     - Focus on the most material drivers
     - "What-if" controls testing
  4. Today
     Most companies collect large vulnerability data sets, but face big material risk in information security.
     Plenty of data: info sec tools and services regularly identify 100,000s of vulnerabilities.
     But big exposure, because of:
     - Reactive response
     - Perception vs. facts
     - Wasted money
     - On-going vulnerability
     Value is limited by:
     - Data silos
     - Inconsistent data
     - Wrong metrics
     - Changing process
     - Inadequate tools
     How do you prioritize 1 million vulnerabilities?
     RiskView provides a fact-based, scalable, repeatable process.
  5. Requirements
     Effective risk management requires specialized structures, tools and systems that most companies lack.
     - Structure: info sec risk management requires a formal strategy and organization approach
     - Systems: an on-going formal process is needed to meet goals and execute strategy
     - Tools: special tools are required to consistently and efficiently analyze large data sets
     Key elements include:
     - Leadership: to coordinate across business units
     - Metrics: consistent metrics for materiality of business impact
     - Risks and Policies: to identify risks and define policies to limit exposure
     - Compliance: regular evaluations to learn policy compliance and violations
     - Risk Updates: regular reviews for materiality score changes
     - Measures and Actions: regular risk assessments with next steps to fix key findings
     - Risk Algorithm: to calculate materiality scores
     - Analytic Engine: to compare risks and identify drivers
     - Scenario Testing: to pre-test potential program changes
     - Visualization: to facilitate analysis and understanding
  6. Strategic Data
     A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.
     Normalized Data
     - The issue: risks are measured differently. How to compare them?
     - The solution: create a normalized risk score, based on materiality of adverse business impact.
     Different Impacts
     - The issue: risks have different impacts. How to evaluate risk types?
     - The solution: score vulnerabilities on the type of risk they present; differentiate financial, legal, regulatory and reputational.
     Asset Roles
     - The issue: risk impact varies based on where it occurs. How to recognize differences?
     - The solution: score impact based on the specific asset at risk; recognize differences in asset value.
     Strategic data supports a fact-based, scalable, repeatable process.
  7. Materiality
     We normalize risk scores based on business materiality.
     - The probability of a successful attempt is weighed against its impact, based on the asset's business criticality.
     Business materiality: does it matter?
     - Susceptibility: the probability of an attempt
     - Exploitability: the probability of success
     - Impact: the criticality of the intersected asset or business process

  8. What is RiskView™?
     - A software Risk Data Warehouse platform that collects vulnerability data
     - Business-specific modules with customizable views and analytics
     - Advanced visualization to create a packaged decision support system
     - Highly extensible platform for fact-based, scalable, repeatable risk management decisions
  9. RiskView Features
     - Collect and combine risks enterprise-wide
     - Normalized scoring based on materiality
     - Impact-centric business views
     - Pre- and post-testing for "what if?" and "did it work?"
     - Advanced visualization for easy analysis and interpretation
     - Fact-based, scalable, repeatable!
     Cost Types
     - Financial
     - Reputational
     - Regulatory
     - Legal
     Business Views
     - Impact/Effect
     - Cause
     - Business Unit
     - Geography/Location
     - Process
  10. RiskView Examples

  11. Vertical View: InfoSec

  12. Horizontal View: Geography

  13. Business Unit View

  14. Filters = Focus
      Not every vulnerability is equal in terms of materiality.
      Once aggregate material risk is identified and unacceptable levels detected, you need to identify and profile the drivers.
      - Date Range (trending)
      - What-if (testing)
      - Materiality (finding the "Critical Few")
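The materiality scoring from the Materiality slide (probability of an attempt × probability of success × asset impact), the business views and cost types from the Features slide, and the materiality and what-if filters above, worked through as an added Python example. This is not Rev2's or RiskView's code; the record fields, the 1..5 criticality scale, the 0..100 normalization and the sample findings are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vuln:
    vid: str
    asset: str
    business_unit: str
    geography: str
    cost_type: str         # Financial, Reputational, Regulatory or Legal
    susceptibility: float  # probability of an attempt, 0..1
    exploitability: float  # probability the attempt succeeds, 0..1
    criticality: int       # impact: business criticality of the asset, 1..5 (assumed scale)

def materiality(v: Vuln) -> float:
    """Normalized 0..100 score: P(attempt) * P(success) * impact, scaled by the maximum criticality of 5."""
    return 100.0 * v.susceptibility * v.exploitability * v.criticality / 5

def business_view(vulns, key: str) -> dict:
    """Aggregate materiality along one business view: business_unit, geography, cost_type or asset."""
    totals = defaultdict(float)
    for v in vulns:
        totals[getattr(v, key)] += materiality(v)
    return dict(totals)

def critical_few(vulns, share: float = 0.8) -> list:
    """Highest-materiality findings that together carry at least `share` of the total score."""
    ranked = sorted(vulns, key=materiality, reverse=True)
    target = share * sum(materiality(v) for v in ranked)
    chosen, running = [], 0.0
    for v in ranked:
        if running >= target:
            break
        chosen.append(v)
        running += materiality(v)
    return chosen

def what_if(vulns, affected_assets, exploitability_factor: float) -> float:
    """Pre-test a control that scales P(success) on some assets; returns the fraction of materiality removed."""
    before = sum(materiality(v) for v in vulns)
    treated = [replace(v, exploitability=v.exploitability * exploitability_factor)
               if v.asset in affected_assets else v for v in vulns]
    return 1.0 - sum(materiality(v) for v in treated) / before

SAMPLE = [  # constructed sample findings, not real data
    Vuln("V1", "payroll-db", "Finance", "US", "Financial", 0.9, 1.0, 5),
    Vuln("V2", "payroll-db", "Finance", "US", "Regulatory", 0.5, 0.4, 5),
    Vuln("V4", "customer-portal", "Sales", "EU", "Legal", 0.8, 0.8, 5),
    Vuln("V5", "test-server", "IT", "EU", "Financial", 1.0, 1.0, 1),
]
```

On the sample, `critical_few(SAMPLE, 0.7)` returns the two payroll and portal findings that carry 70% of the materiality, and `what_if(SAMPLE, {"payroll-db"}, 0.5)` shows that halving exploitability on one asset removes roughly 28% of the total.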
  15. Exploded View
  16. RiskView Benefits
      - Identify uncontrolled critical risks: typically reduction is > 50%
      - Save money: improve risk with current budget; cut spending without added risk
      - Identify common controls: for one client, a single control eliminated 70% of uncontrolled risk
      - Improve staff productivity: only one FTE week per quarter for analysis/administration; analyze up to 200 million vulnerabilities in real time
      - Justify budgets and investments: test program investments before decision and after execution
      - Establish a fact base for decision-making: determine/assign organization accountabilities
  17. Next Steps
      Free Risk Evaluation: we will conduct a limited information security risk evaluation with RiskView.
      - Load a set of data, aligned with your policies and procedures
      - Analyze and present the findings, along with implications/recommendations
      Requirements:
      - Aon resources: ~1 day for set-up, plus 1 hour for findings presentation
      - Rev2 time: ~2 weeks start to finish