Risk View - InfoSec intro

Transcript

  • 1. Rev2
    IT Information Security Risk Management
    February 26, 2010
  • 2. Today's Discussion
    Agenda: Rev2 introduction; RiskView framework; examples; next steps
    Goals:
    • Introduce RiskView™, a decision support system that helps identify and focus on business-material risks
    • Understand your risk-management focus areas and processes
  • 3. Rev2 Risk Management
    Risk domains: InfoSec risk, supply chain risk, service delivery risk
    RiskView replaces ad-hoc processes with a fact-based, scalable, repeatable framework:
    • Identify under-controlled risk via business views
    • Focus on the most material drivers
    • "What-if" controls testing
  • 4. Plenty of Data, But Big Exposure
    Infosec tools and services regularly identify hundreds of thousands of vulnerabilities. Most companies collect large vulnerability data sets, yet still face big material risk in information security, because of:
    • Reactive response
    • Perception vs. facts
    • Wasted money
    • On-going vulnerability
    The value of that data is limited by:
    • Data silos
    • Inconsistent data
    • Wrong metrics
    • Changing process
    • Inadequate tools
    How do you prioritize 1 million vulnerabilities? Today, RiskView provides a fact-based, scalable, repeatable process.
  • 5. Structure, Systems, Tools
    Infosec risk management requires a formal strategy and organizational approach. An on-going formal process is needed to meet goals and execute the strategy, and special tools are required to analyze large data sets consistently and efficiently.
    Key elements include:
    • Leadership: to coordinate across business units
    • Metrics: consistent metrics for materiality of business impact
    • Risks and policies: to identify risks and define policies to limit exposure
    • Compliance: regular evaluations to learn policy compliance and violations
    • Risk updates: regular reviews for materiality score changes
    • Measures and actions: regular risk assessments with next steps to fix key findings
    • Risk algorithm: to calculate materiality scores
    • Analytic engine: to compare risks and identify drivers
    • Scenario testing: to pre-test potential program changes
    • Visualization: to facilitate analysis and understanding
    Requirements: effective risk management requires specialized structures, tools and systems that most companies lack.
  • 6. Strategic Data: Normalized Data, Different Impacts, Asset Roles
    A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.
    Normalized data. The issue: risks are measured differently (each tool uses its own scale), so how do you compare them? The solution: create a normalized risk score based on the materiality of the adverse business impact.
    Different impacts. The issue: risks have different kinds of impact, so how do you evaluate risk types? The solution: score vulnerabilities on the type of risk they present, differentiating financial, legal, regulatory and reputational impact.
    Asset roles. The issue: risk impact varies based on where it occurs, so how do you recognize the difference? The solution: score impact based on the specific asset at risk, recognizing differences in asset value.
    Strategic data supports a fact-based, scalable, repeatable process.
  • 7. Materiality
    We normalize risk scores based on business materiality: the probability of a successful attempt is weighed against its impact, based on the asset's business criticality.
    • Susceptibility: the probability of an attempt
    • Exploitability: the probability of success
    • Impact: the criticality of the affected asset or business process
    Business materiality: does it matter?
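The slide gives the three factors but not how they combine. The following is an added example (not RiskView's algorithm, which the deck does not disclose) of one plausible normalization: exploitability is the tool's raw severity divided by the top of that tool's scale, susceptibility is an assumed weight per exposure class, and impact is the affected asset's business-owner-assigned criticality for the worst risk type the finding can trigger. The product is a 0..1 materiality score that is comparable across tools and assets. All assets, weights and findings are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class RiskType(Enum):
    FINANCIAL = "financial"
    LEGAL = "legal"
    REGULATORY = "regulatory"
    REPUTATIONAL = "reputational"


@dataclass(frozen=True)
class Asset:
    name: str
    role: str          # what the asset does for the business
    criticality: dict  # RiskType -> 0..1, assigned by the business owner (assumed input)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    source: str         # tool that reported the finding
    raw_severity: float # severity in the tool's own scale
    scale_max: float    # top of that scale (10 for CVSS, 5 for a 1-5 scanner)
    exposure: str       # "internet", "internal" or "isolated"
    risk_types: tuple   # RiskType values the finding can trigger


# Assumed probability-of-attempt weights per exposure class (susceptibility).
SUSCEPTIBILITY = {"internet": 0.9, "internal": 0.4, "isolated": 0.1}


def exploitability(f: Finding) -> float:
    """Probability of success, normalized to 0..1 regardless of which tool scored it."""
    if not 0 <= f.raw_severity <= f.scale_max:
        raise ValueError(f"severity {f.raw_severity} outside scale 0..{f.scale_max}")
    return f.raw_severity / f.scale_max


def impact(f: Finding) -> float:
    """Criticality of the affected asset for the worst risk type this finding can trigger."""
    return max(f.asset.criticality.get(t, 0.0) for t in f.risk_types)


def materiality(f: Finding) -> float:
    """Normalized materiality in 0..1: P(attempt) * P(success) * business impact."""
    return round(SUSCEPTIBILITY[f.exposure] * exploitability(f) * impact(f), 4)


def rank(findings) -> list:
    """Findings ordered by materiality, most material first."""
    return sorted(findings, key=materiality, reverse=True)


# Constructed sample data: two assets of very different business value.
CRM_DB = Asset("crm-db-01", "customer database",
               {RiskType.FINANCIAL: 0.9, RiskType.LEGAL: 0.8,
                RiskType.REGULATORY: 0.9, RiskType.REPUTATIONAL: 0.7})
DEV_WS = Asset("dev-ws-17", "developer workstation",
               {RiskType.FINANCIAL: 0.2, RiskType.LEGAL: 0.1,
                RiskType.REGULATORY: 0.1, RiskType.REPUTATIONAL: 0.2})

SAMPLE_FINDINGS = [
    # The same CVSS 9.8 reported on both assets: the raw score alone cannot tell them apart.
    Finding(CRM_DB, "cvss-scanner", 9.8, 10.0, "internet",
            (RiskType.REGULATORY, RiskType.FINANCIAL)),
    Finding(DEV_WS, "cvss-scanner", 9.8, 10.0, "isolated", (RiskType.FINANCIAL,)),
    # A different tool on a 1-5 scale; 4/5 normalizes to the same exploitability as CVSS 8.0.
    Finding(CRM_DB, "five-point-scanner", 4.0, 5.0, "internal", (RiskType.REPUTATIONAL,)),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.asset.name:<10} {f.source:<20} raw={f.raw_severity:<4} "
              f"materiality={materiality(f)}")
```

The point of the example is the first two findings: identical raw severity, but the internet-facing customer database scores 0.7938 while the isolated developer workstation scores 0.0196, so the list is sorted by what matters to the business rather than by scanner output.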
  • 8. What is RiskView™?
    • A software risk data warehouse platform that collects vulnerability data
    • Business-specific modules with customizable views and analytics
    • Advanced visualization to create a packaged decision support system
    • A highly extensible platform for fact-based, scalable, repeatable risk management decisions
  • 9. RiskView Features
    • Collect and combine risks enterprise-wide
    • Normalized scoring based on materiality, broken out by cost type
    • Impact-centric business views
    • Pre- and post-testing for "what if?" and "did it work?"
    • Advanced visualization for easy analysis and interpretation
    Fact-based, scalable, repeatable!
  • 10. RiskView Examples
  • 11. Vertical View: InfoSec
  • 12. Horizontal View: Geography
  • 13. Business Unit View
  • 14. Filters = Focus
    Not every vulnerability is equal in terms of materiality. Once aggregate material risk has been identified and unacceptable levels detected, you need to identify and profile the drivers. Filters:
    • Date range (trending)
    • What-if (testing)
    • Materiality (finding the "critical few")
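Slides 3, 9, 13 and 14 describe business views, finding the "critical few", and "what-if" controls testing over already-scored findings, and slide 16 cites a single control eliminating 70% of uncontrolled risk. The block below is an added example of that analysis, not RiskView code: each constructed finding carries a normalized materiality score and the one control (an assumed attribute) that would close it; aggregate uncontrolled risk is rolled up by business unit or geography, the highest-scoring findings that carry 80% of the risk are selected, and adding one control is pre-tested with an assumed effectiveness factor.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoredFinding:
    id: str
    business_unit: str
    geography: str
    missing_control: str  # the control that would close this finding (assumed model)
    materiality: float    # normalized 0..1 score from the scoring step


# Constructed sample: seven scored findings across three business units and regions.
FINDINGS = [
    ScoredFinding("F1", "Retail",    "US",   "patch-mgmt", 0.80),
    ScoredFinding("F2", "Retail",    "US",   "patch-mgmt", 0.75),
    ScoredFinding("F3", "Retail",    "EU",   "mfa",        0.70),
    ScoredFinding("F4", "Finance",   "EU",   "patch-mgmt", 0.60),
    ScoredFinding("F5", "Finance",   "APAC", "net-seg",    0.30),
    ScoredFinding("F6", "Logistics", "APAC", "mfa",        0.20),
    ScoredFinding("F7", "Logistics", "US",   "patch-mgmt", 0.10),
]


def uncontrolled(findings, implemented=frozenset()) -> list:
    """Findings whose closing control is not yet in place."""
    return [f for f in findings if f.missing_control not in implemented]


def total_risk(findings, implemented=frozenset()) -> float:
    """Aggregate uncontrolled material risk: the sum of materiality scores."""
    return round(sum(f.materiality for f in uncontrolled(findings, implemented)), 4)


def view(findings, attr: str, implemented=frozenset()) -> dict:
    """Business view: aggregate risk per business_unit, geography or missing_control."""
    totals = defaultdict(float)
    for f in uncontrolled(findings, implemented):
        totals[getattr(f, attr)] += f.materiality
    return {k: round(v, 4) for k, v in sorted(totals.items(), key=lambda kv: -kv[1])}


def critical_few(findings, share=0.8, implemented=frozenset()) -> list:
    """Smallest set of highest-materiality findings carrying `share` of aggregate risk."""
    target = share * total_risk(findings, implemented)
    chosen, running = [], 0.0
    for f in sorted(uncontrolled(findings, implemented),
                    key=lambda f: f.materiality, reverse=True):
        if running >= target:
            break
        chosen.append(f)
        running += f.materiality
    return chosen


def what_if(findings, control: str, effectiveness=1.0, implemented=frozenset()) -> dict:
    """Pre-test adding one control that neutralizes `effectiveness` of the risk it addresses."""
    before = total_risk(findings, implemented)
    after = sum(f.materiality * ((1 - effectiveness) if f.missing_control == control else 1.0)
                for f in uncontrolled(findings, implemented))
    return {"control": control, "before": before, "after": round(after, 4),
            "reduction_pct": round(100 * (before - after) / before, 1) if before else 0.0}


def best_single_control(findings, implemented=frozenset()) -> dict:
    """Which one control, added next, removes the most uncontrolled risk."""
    candidates = {f.missing_control for f in uncontrolled(findings, implemented)}
    return max((what_if(findings, c, 1.0, implemented) for c in candidates),
               key=lambda r: r["reduction_pct"])


if __name__ == "__main__":
    print("by business unit:", view(FINDINGS, "business_unit"))
    print("by geography:   ", view(FINDINGS, "geography"))
    print("critical few:   ", [f.id for f in critical_few(FINDINGS)])
    print("what-if:        ", what_if(FINDINGS, "patch-mgmt", effectiveness=0.8))
    print("best control:   ", best_single_control(FINDINGS))
```

On this sample, four of seven findings carry over 80% of the aggregate risk, and a single control (patch management) removes 65% of it if it works every time, or 52% at an assumed 80% effectiveness; running the same analysis again with that control marked as implemented shows MFA as the next driver. The effectiveness factor is the caveat a practitioner wants: "did it work?" post-testing should compare the measured score after rollout against this pre-test, not assume the control closed everything.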
  • 15. Exploded View
  • 16. RiskView Benefits
    • Identify uncontrolled critical risks: typically the reduction is more than 50%
    • Save money: improve risk posture within the current budget, or cut spending without added risk
    • Identify common controls: for one client, a single control eliminated 70% of uncontrolled risk
    • Improve staff productivity: only one FTE week per quarter for analysis and administration; analyze up to 200 million vulnerabilities in real time
    • Justify budgets and investments: test program investments before the decision and after execution
    • Establish a fact base for decision-making: determine and assign organizational accountabilities
  • 17. Next Steps: Free Risk Evaluation
    We will conduct a limited information security risk evaluation with RiskView:
    • Load a set of data, aligned with your policies and procedures
    • Analyze and present the findings, along with implications and recommendations
    Requirements:
    • Aon resources: about 1 day for set-up, plus 1 hour for the findings presentation
    • Rev2 time: about 2 weeks start to finish
