Using Risk Management to Keep Your Boss out of Jail

From digitallibrary, 4 weeks ago

Slideshow transcript

Slide 1: Using Risk Management to Keep Your Boss Out of Jail – Due Diligence and Fiduciary Duty
Thomas R. Peltier, 29 April 2008

Abstract
• An effective risk management process is critical to successful business operations; not just protecting data assets, but also protecting the ability of the enterprise to meet its missions and objectives. In this open forum we will examine and discuss how risk analysis may support management’s due diligence needs, then discuss how management can furthermore meet its fiduciary duty to protect the organization's assets.

Slide 2: Agenda
– Risk Management
  • Risk Analysis
  • Risk Assessment
  • Risk Mitigation
– Vulnerability assessment

Risk Management
• Risk management is made up of four distinct processes: risk analysis, risk assessment, risk mitigation, and vulnerability assessment and controls evaluation.
– Risk Management - The total cost to identify, control and minimize the impact of uncertain events. The objective of risk management is to reduce risk to an acceptable level. Support of this process by senior management is a demonstration of their due diligence.
– Risk Analysis - A technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Another term for this process is a project impact analysis (PIA).

Slide 3: Risk Management
– Risk Assessment - A process where vulnerabilities, threats, likelihood, loss or impact, and the theoretical effectiveness of security measures are examined. It evaluates threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
– Risk Mitigation - The process in which an organization implements controls and safeguards to prevent identified risks from ever occurring, while at the same time implementing a means of recovery should the risk become a reality in spite of all efforts.

Risk Management
– Vulnerability Assessment and Controls Evaluation - Systematic examination of a critical infrastructure, the interconnected systems on which it relies, its information, or product to determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation.

Slide 4: Risk Management
• Senior management must ensure that the enterprise has the capabilities needed to accomplish its mission or business objectives. As we will see, senior management of a department, business unit, group or other such entity is considered to be the functional owner of the enterprise’s assets and, in their fiduciary duty, must act in the best interest of the enterprise to implement reasonable and prudent safeguards and controls. Risk management is the tool that will assist them in the task.

Risk Management
• Risk Management as Part of the Business Process - The term “system development life cycle (SDLC)” seems to have been structured to meet the needs of the information technology organization, and therefore anything associated with the SDLC must be an IT process.
• Risk management is a business process, and all business decisions should have a business development life cycle (BDLC).
• BDLC allows for those elements that make up information technology development, but also takes into account normal business decisions.

Slide 5: Risk Management
[Diagram: system development life cycle phases (Analysis, Design, Construction, Test, Maintenance) with the risk management activities mapped onto them: product review, risk analysis process and pre-screening findings; FRAAP; safeguards approved by owner; safeguards implemented and tested; conduct risk assessment / vulnerability assessment; annual review; business impact analysis (BIA), criticality list, begin BCP, BCP approved by management, build plan; information classification process, adequate access control identification, review access control lists.]

Risk Analysis – Due Diligence

Slide 6: Risk Analysis
• Risk analysis is a technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.
• Another term for this process is a project impact analysis.
• This process will require that a cost-benefit analysis be conducted.
• The cost-benefit process should incorporate the features and benefits of the asset or process under review.

Risk Analysis
• Part of the review will examine the costs of the project.
• These costs include procurement and/or development.
• Operation and maintenance costs, which include: documentation development; user and infrastructure support training; and possible upgrades.
• Other costs that must be factored into the analysis are conversion or migration costs.
• All costs are examined both in dollars and in staffing implications.

Slide 7: Risk Analysis
• While it is important to consider all of the elements of cost in deciding to move forward, procurement is just one variable.
• The cost of not moving forward with the new project must be factored into the analysis process.

Risk Analysis
• What would be the impact to the enterprise if it was decided to delay or not approve the project?
• How would not moving forward impact the competitive advantage of the organization?
• How would this decision impact the ability to meet the mission of the enterprise?
• How would strategic business partners, suppliers, vendors and other stakeholders be impacted?

Slide 8: Risk Analysis
• Another important factor to consider in this process is the impact of regulatory compliance issues.
• The new project should, whenever possible, enhance regulatory requirements.
• Sometimes a new idea or concept is drafted by a department, such as Marketing, and it gains support and management acceptance before the infrastructure, budget and security personnel get the opportunity to perform a project impact analysis.

Risk Analysis
• Whenever money or resources are to be spent, a risk analysis should be conducted.
• This will provide the business reasons that should be used to justify the decision to move forward.
• This is a way that management can demonstrate that due diligence has been performed.

Slide 9: Risk Analysis
• The output from the risk analysis process will be used twice.
– The first time is when decisions need to be made.
– Typically the only other time the results would be examined is when the enterprise is being examined by a third party and management is asked to show its decision-making process.

Risk Analysis
• For risk analysis and risk assessment, the need to demonstrate due diligence is an important factor.
• However, the overriding reason to conduct these processes is that it makes good business sense.
• The enterprise proceeds on certain paths based on need and the ability of the organization to meet those specific business or mission needs.

Slide 10: Project Impact Analysis Questionnaire
[Table columns: Issue | Applicable Y/N | Comments]
– Identify any existing requirements in the baseline that conflict with the proposed change.
– Identify any other pending requirement changes that conflict with the proposed change.
– What are the consequences of not making the change?
– What are possible adverse side effects or other risks of making the proposed change?
– Will the proposed change adversely affect performance requirements or other quality attributes?
– Will the change affect any system component that affects critical properties such as safety and security, or involve a product change that triggers recertification of any kind?
– Is the proposed change feasible within known technical constraints and current staff skills?

Project Impact Analysis Questionnaire (continued)
– Will the proposed change place unacceptable demands on any computer resources required for the development, test, or operating environments?
– Must any tools be acquired to implement and test the change?
– How will the proposed change affect the sequence, dependencies, effort, or duration of any tasks currently in the project plan?
– Will prototyping or other user input be required to verify the proposed change?
– How much effort that has already been invested in the project will be lost if this change is accepted?
– Will the proposed change cause an increase in product unit cost, such as by increasing third-party product licensing fees?
– Will the change affect any marketing, manufacturing, training, or customer support plans?

Slide 11: Risk Analysis Report
1. Name of project and brief description
2. Project champion/owner
3. Business reason or need
4. Estimated cost of project
   – Money
   – Time
   – Resources
5. Regulatory impact
6. Infrastructure impact
7. Maintenance cost
8. Time line for project

Risk Assessment
• Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
– Risk Management encompasses seven primary steps:
  • Asset definition
  • Threat identification
  • Probability of occurrence
  • Impact analysis
  • Risk level identified
  • Control recommendations
  • Results documentation

Slide 12: Risk Assessment
1. Asset definition – the first step is to define the scope of the effort. In this step the boundaries of the asset to be analyzed are set.
– The boundaries of the system, application, platform or business process are to be established.
– Include all related information (hardware, software, interfaces, data, persons, and information).
– Asset mission

Risk Assessment
1. Asset definition (continued)
– To gather the relevant information, you can use any of the following techniques:
  • Questionnaires
  • On-site interviews
  • Document review (policy statements, legislation, requirements, directives, etc.)
  • Scanning tools (network mapping)

Slide 13: Risk Assessment
2. Threat identification – a threat is the potential for a particular event to successfully exercise a particular vulnerability.
– Threat – an undesirable event that could impact the business objectives or mission of the risk assessment asset.
– Vulnerability – a weakness in a system or control that can be exploited to violate the system’s intended behavior.
– Impact – the effect or result of an event occurring that affects the business objective or mission of the enterprise.
– Probability – the likelihood that an event will occur.

Risk Assessment
• Common threat categories
– Natural threats – floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
– Human threats – events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent information entry) or deliberate actions (network-based attacks, malicious software, unauthorized access to confidential information).
– Environmental threats – long-term power failure, pollution, chemicals, liquid leakage.

Slide 14: Risk Assessment
• Create a complete list of threats
– Brainstorming
– Checklist
– Historical data
– Annual rates of occurrence
  • Law enforcement
  • Insurance underwriters
  • National weather centers

[Table: Source / Motivation / Threat]
– External hacker – Motivation: challenge, ego, game-playing – Threat: system hacking, social engineering, dumpster diving
– Internal hacker – Motivation: deadline, financial problems, disenchantment – Threat: trap-door, fraud, poor documentation
– Cracker – Motivation: destruction of information, monetary gain, unauthorized data alteration – Threat: spoofing, system intrusion, impersonation, denial of service attack
– Terrorist (environmental) – Motivation: revenge, greenmail, strident cause – Threat: system attack, social engineering, letter bombs, viruses, denial of service
– Poorly trained employees – Motivation: unintentional errors, programming errors, data entry errors – Threat: corruption of data, malicious code introduced, system bugs, unauthorized access

Slide 15: Risk Assessment
3. Probability of occurrence – To derive an overall likelihood that indicates the probability that a potential threat may be exercised within the risk assessment asset, it will be necessary to define probability categories:

Risk Assessment
[Table: Term / Definition]
– Probability – A measure of how likely a threat may occur.
[Table: Threshold / Level]
– High – Very likely that the threat will occur within the next year.
– Medium – Possible that the threat will occur within the next year.
– Low – Highly unlikely that the threat will occur within the next year.

Slide 16: Risk Assessment
4. The next major step in measuring the level of risk a threat poses is to determine the impact if the threat were to occur.
• Before obtaining the impact value, it is necessary to ensure that the scope has defined:
– The mission
– The level of controls to be considered (usually this step would be done as if no controls were in place).
• This step can then be repeated with existing or selected controls in place to see if the risk level is reduced to an acceptable level.

Risk Assessment
[Table: Term / Definition]
– Impact – The effect of a threat being carried out on an asset, expressed in tangible or intangible terms.
[Table: Threshold / Level]
– High – Entire mission or business is impacted.
– Medium – Loss limited to a single business unit or business objective.
– Low – Business as usual.

Slide 17: Risk Assessment
5. The purpose of this step is to assign the risk level based on the results of the probability and impact review:
– The likelihood that a given threat may occur
– The magnitude of the impact should a threat occur
– The adequacy of the controls in place or selected

Risk Assessment
[Matrix: Probability (High, Medium, Low) as rows against Impact (Low, Medium, High) as columns; each cell is color-coded to a risk level, with the colors keyed to actions on the next slide.]

Slide 18: Risk Assessment
[Table: Color / Risk Level / Action]
– High – Requires immediate action
– Medium – May require action, must continue to monitor
– Low – No action required at this time

[Table: impact level by category – Image, Revenue, Expense, Regulatory Compliance, Health & Safety]
5 – Severe
– Image: Significant, sustained negative international or national media exposure; loss of alliance partners (e.g., Nestle); loss of operating participants
– Revenue: Irrevocable direct loss of revenue greater than $10M
– Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) greater than $10M
– Regulatory Compliance: Criminal penalties or fines greater than $10M; major regulatory sanctions, criticism, actions
– Health & Safety: Loss of life or limb
4 – Major
– Image: Ongoing negative regional or national media exposure; key alliances are threatened
– Revenue: Irrevocable direct loss of revenue $2M-$10M
– Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) $2M-$10M
– Regulatory Compliance: Penalties or fines of $2M-$10M
– Health & Safety: Severe injuries, requires hospitalization
3 – Moderate
– Image: Ongoing (but less than 2 weeks) negative local media exposure
– Revenue: Irrevocable direct loss of revenue $500K-$2M
– Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) $500K-$2M
– Regulatory Compliance: Penalties or fines of $500K-$2M
– Health & Safety: Cuts and bruises, requires first aid
2 – Minor
– Image: Degradation in quality of service or products; limited negative local media exposure
– Revenue: Irrevocable direct loss of revenue $100K-$500K
– Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) $100K-$500K
– Regulatory Compliance: Penalties or fines of $100K-$500K
– Health & Safety: Major exposure to unsafe work or building environment
1 – Insignificant
– Image: Reputation inconsistent with desired brand image; no press coverage
– Revenue: Irrevocable direct loss of revenue less than $100K
– Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) less than $100K
– Regulatory Compliance: Penalties or fines of less than $100K
– Health & Safety: Little or no negative impact; minor exposure to unsafe work environment

Slide 19: Risk Assessment
[Table: Category / Weight / Grade (0 1 2 3 4 5) / Score]
– Impact to Employee or Student Health and Safety: weight 5.0
– Impact to Image: weight 4.5
– Legal and/or Regulatory Compliance Impact: weight 4.0
– Impact to Revenue: weight 3.5
– Impact to Cast Productivity: weight 3.0
– Risk Rating: (sum of the weighted scores)

Risk Assessment
During this step, the risk assessment team will determine which security controls could best reduce the threat risk level to a more acceptable level. There are a number of sources for standards that can assist the risk assessment team in establishing an effective set of controls. These sources might include some of the following:
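The rating worksheet on this slide, the dollar bands of the preceding impact table, and the probability/impact matrix with its action table, worked through as an added Python example (this is not code from the presentation). The category weights, the 0..5 grade range, the dollar thresholds and the three actions are taken from the slides; the cell values of the 3×3 matrix are not printed on the slides and are an assumption here, as are the function names and the short category keys. Since the five weights sum to 20, a rating is effectively a score out of 100.

```python
"""Risk rating helpers: weighted category scores, dollar-loss impact
levels and a probability x impact lookup.  Added example; weights,
bands and actions come from the slides, the matrix cells are assumed."""

# Category weights from the Risk Rating worksheet (grades run 0..5).
WEIGHTS = {
    "health_safety": 5.0,   # Impact to Employee or Student Health and Safety
    "image": 4.5,           # Impact to Image
    "regulatory": 4.0,      # Legal and/or Regulatory Compliance Impact
    "revenue": 3.5,         # Impact to Revenue
    "productivity": 3.0,    # Impact to Cast Productivity
}
MAX_GRADE = 5
# The weights sum to 20, so 5 * 20 = 100 is the highest possible rating.
MAX_RATING = MAX_GRADE * sum(WEIGHTS.values())

# Dollar bands shared by the Revenue, Expense and Regulatory Compliance
# columns of the impact table: (level, label, lower bound in USD).
# Level 5 is "greater than $10M", so exactly $10M falls in the $2M-$10M band.
DOLLAR_BANDS = [
    (5, "Severe", 10_000_000),
    (4, "Major", 2_000_000),
    (3, "Moderate", 500_000),
    (2, "Minor", 100_000),
    (1, "Insignificant", 0),
]


def dollar_impact_level(loss_usd):
    """Return (level, label) for a direct loss, cost increase or fine."""
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    top_level, top_label, top_floor = DOLLAR_BANDS[0]
    if loss_usd > top_floor:          # strictly greater than $10M
        return top_level, top_label
    for level, label, floor in DOLLAR_BANDS[1:]:
        if loss_usd >= floor:         # inclusive lower bound of each band
            return level, label
    raise AssertionError("unreachable: the lowest band starts at 0")


def risk_rating(grades):
    """Score each category (weight * grade) and sum the scores into the rating."""
    unknown = set(grades) - set(WEIGHTS)
    if unknown:
        raise KeyError(f"unknown categories: {sorted(unknown)}")
    scores = {}
    for category, weight in WEIGHTS.items():
        grade = grades.get(category, 0)   # an ungraded category scores 0
        if not 0 <= grade <= MAX_GRADE:
            raise ValueError(f"{category}: grade {grade} outside 0..{MAX_GRADE}")
        scores[category] = weight * grade
    return scores, sum(scores.values())


# Probability x impact -> risk level.  The slide shows the 3x3 grid only as
# colours; these cell values are an ASSUMPTION for illustration.
RISK_MATRIX = {
    ("High", "High"): "High",     ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High",   ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",    ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}

# Actions per risk level, from the slide's colour / risk level / action table.
ACTIONS = {
    "High": "Requires immediate action",
    "Medium": "May require action, must continue to monitor",
    "Low": "No action required at this time",
}


def risk_level(probability, impact):
    """Look up the qualitative risk level and the action it calls for."""
    try:
        level = RISK_MATRIX[(probability, impact)]
    except KeyError:
        raise ValueError("probability and impact must be High, Medium or Low") from None
    return level, ACTIONS[level]


if __name__ == "__main__":
    # Constructed worked example: a $3M revenue loss is a level-4 (Major)
    # impact; graded 4 alongside the other categories it yields 41.5 of 100.
    print(dollar_impact_level(3_000_000))
    scores, total = risk_rating({"health_safety": 2, "image": 3,
                                 "regulatory": 1, "revenue": 4})
    print(scores, total, MAX_RATING)
    print(risk_level("Low", "High"))
```

Keeping the thresholds and weights in data rather than in branching code makes the worksheet auditable: when a third party asks management to show its decision-making process (Slide 9), the bands and weights can be reviewed directly, and any change to them is a visible, versioned edit.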

Slide 20: Risk Assessment
– Information Technology – Code of Practice for Information Security Management (ISO/IEC 27002)
– Security Technologies for Manufacturing and Control Systems (ISA-TR99.00.01-2004)
– Integrating Electronic Security into Manufacturing and Control Systems Environment (ISA-TR99.00.02-2004)
– Federal Information Processing Standards Publications (FIPS Pubs) – National Institute of Standards and Technology
– CobiT® Security Baseline
– Health Insurance Portability and Accountability Act (HIPAA)
– The Basel Accords
– Privacy Act of 1974
– Gramm-Leach-Bliley Act (GLBA)
– Sarbanes-Oxley Act (SOX)
– Information Security for Banking and Finance (ISO/TR 13569)
– FFIEC Examination Guidelines

Risk Assessment
6. Controls recommendations – During this step the controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are identified.
– The goal of the recommended controls is to reduce the level of risk to an acceptable level.
– The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
  • Effectiveness of recommended controls
  • Legislation and regulation
  • Operational impact
  • Safety and reliability

Slide 21: Risk Assessment
• The expenditure on controls must be balanced against business harm.
• The risk assessment technique should be applied across the enterprise.
• The output from the risk assessment will lead the enterprise to identify controls and safeguards that could reduce the level of threat occurrence.

Cost – Benefit Analysis
• To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis.
• This process should be conducted for each new or enhanced control to determine if the control recommended is appropriate for the organization.
• A cost-benefit analysis should determine the impact of implementing the new or enhanced control and then determine the impact of not implementing the control.

Slide 22: Cost – Benefit Analysis
• Remember that one of the long-term costs of any control is the requirement to maintain its effectiveness. It is, therefore, necessary to factor this cost into the benefit requirement of any control. When performing a cost-benefit analysis it will be necessary to consider the cost of implementation based on some of the following:
– Costs of implementation, including the initial outlay for hardware and software.
– Reduction in operational effectiveness.
– Implementation of additional policies and procedures to support the new controls.
– Cost of possibly hiring additional staff or, at a minimum, training existing staff in the new controls.
– The cost of educating support personnel to maintain the effectiveness of the control.

Risk Assessment
7. Results Documentation – Once the risk assessment has been completed, the results should be documented in an official report or briefing.
– A risk assessment management report helps senior management, the business owner, make decisions on policy, procedural, budget, and system and management changes.
– Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment report should not be presented in an

Slide 23: Risk Mitigation – Acceptable Level of Risk

Risk Mitigation
• Risk Mitigation
– Risk mitigation is a systematic methodology used by senior management to reduce mission risk.
– Risk mitigation can be achieved through any of the following options:
  • Risk Assumption – to accept the potential risk and continue operating, or to implement controls to lower the risk to an acceptable level.
  • Risk Avoidance – to avoid the risk by eliminating the risk cause and/or consequences (such as forgoing certain functions of the system or shutting down the system when risks are identified).

Slide 24: Risk Mitigation
• Risk Mitigation (continued)
– Risk mitigation can be achieved through any of the following options:
  • Risk Limitation – to limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (such as the use of avoidance, assurance, detective or recovery controls).
  • Risk Planning – to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
  • Risk Transference – to transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

Risk Mitigation
• The business objectives and mission of an organization should be considered in selecting any of these risk mitigation options.
• It may not be practical to address all identified risks, so priority should be given to the threats identified in the risk level determination process.

Slide 25: Control Categories
[Table: Control Category / Controls]
– Avoidance controls: encryption and authentication; system security architecture; facilitated risk analysis and assessment process; information awareness program; information security program; interruption prevention; policies and standards; public key infrastructure; secure application architecture; secure communications plans

Control Categories
– Assurance controls: application security review; standards testing; penetration testing; periodic perimeter scans; vulnerability assessment
– Detection controls: intrusion detection; remote intrusion monitoring
– Recovery controls: business continuity planning; business impact analysis; crisis management planning; disaster recovery planning; incident response procedures; investigation tools

Slide 26: Control Categories
[Table: Security Category / Controls]
– Management controls: risk assessment; security planning; system and service acquisition procedures; control vulnerability assessment; processing authorization
– Operational controls: personnel security; physical and environmental controls; continuity planning; configuration management; hardware and software maintenance; system integrity; media protection; incident response; security awareness program

Control Categories
– Technical controls: identification and authentication; logical access control; audit trails and logs; communication protection; system protection

Slide 27: Residual Risk
• The risk remaining after the implementation of new or enhanced controls is the residual risk.
• Practically no system is risk free, and not all implemented controls can eliminate the risk they are intended to address or reduce the risk level to zero.
Source: GAO/AIMD 98-68

Summary
• Risk Management is made up of four key elements:
– Risk Analysis
– Risk Assessment
– Risk Mitigation
– Compliance Checking or Vulnerability Assessment

Slide 28: Conclusion
Comments? Questions? Rebuttals?

Using Risk Management to Keep Your Boss Out of Jail – Due Diligence and Fiduciary Duty