Mastering Information Technology Risk Management


These are the presentation slides from the courseware used to deliver the Information Technology Risk Management training workshop in May 2013.

  • Training slides on Information Technology Risk Management
  • Requirements definition is concerned with identifying and specifying the requirements of the system chosen for development during the feasibility study. Requirements include descriptions of what a system should do, how users will interact with the system, the conditions under which the system will operate and the information criteria the system should meet. COBIT's framework principles for information criteria show that this includes issues associated with effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. The requirements definition phase deals with these issues.

    To accomplish the above in the requirements definition phase:
    – Identify and consult stakeholders to determine their expectations.
    – Analyze requirements to detect and correct conflicts and determine priorities.
    – Identify system bounds and how the system should interact with its environment.
    – Convert user requirements into system requirements (e.g., an interactive user interface prototype that demonstrates screen look and feel).
    – Record requirements in a structured format. Historically, requirements have been recorded in a written requirements specification, possibly supplemented by some schematic models. Commercial requirements management tools are now available that allow requirements and related information to be stored in a multiuser database.
    – Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable. Because of the high cost of rectifying requirements problems in downstream development phases, effective requirements reviews have a large payoff.
    – Resolve conflicts between stakeholders.
    – Resolve conflicts between the requirements set and the resources that are available.

    IS auditors are involved at this stage to determine whether adequate security requirements have been defined to address, at a minimum, the confidentiality, integrity and availability requirements of the system. This includes whether adequate audit trails are defined as part of the system, as these affect the auditor's ability to identify issues for proper follow-up.

    1. Mastering Information Technology Risk Management
       Goutama Bachtiar, Technology Advisor, Auditor, Consultant. May 2013
    2. Trainer Profile
       • 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
       • VP - Head of Information Technology at Roligio Group
       • Advisor at Global Innovations and Technology Platform
       • Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
       • Program Evaluator at Project Management Institute
       • Microsoft Faculty Fellow
       • Columnist and contributor at ZDNet Asia, Forbes Indonesia, DetikINET and InfoKomputer, among others
    3. Risk Management
    4. Definition
       • Risk is the effect of uncertainty on objectives, whether positive or negative
       • Risk management: identification, assessment and prioritization of risks
       • Involves the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities
       ValueConsult IT Risk Management 4
    5. Sources
       • Uncertainty in financial markets
       • Project failures (at any phase in the design, development, production or sustainment life cycles)
       • Legal liabilities
       • Credit risk
       • Accidents
       • Natural causes and disasters
       • Deliberate attack from an adversary
       • Uncertain or unpredictable root cause
       • Others…
    6. Ideal Risk Management
       • Prioritize risks with the greatest loss (or impact) and the greatest probability of occurrence
       • Risks with lower probability of occurrence and lower loss are handled in descending order
       • In practice the process of assessing overall risk can be difficult
       • Balancing the resources used to mitigate a risk with high probability of occurrence but lower loss against a risk with high loss but lower probability of occurrence can often be mishandled
    7. Intangible Risk Management
       • Identifies a type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability
       • For example, when deficient knowledge is applied to a situation, a knowledge risk materializes
       • Relationship risk appears when ineffective collaboration occurs
       • These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value and earnings quality
       • Intangible risk management allows risk management to create immediate value by identifying and reducing the risks that reduce productivity
    8. Risk Management Methodology
       • Identify and characterize threats
       • Assess the vulnerability of critical assets to specific threats
       • Determine the likelihood and impact of the risks
       • Identify ways to reduce those risks
       • Prioritize risk reduction measures based on a strategy
    9. Risk Management Principles
       Risk management should:
       • Create value
       • Resources expended to mitigate risk should be less than the consequence of inaction (the gain should exceed the pain)
       • Be an integral part of organizational processes
       • Be part of the decision-making process
       • Explicitly address uncertainty and assumptions
       • Be systematic and structured
    10. Risk Management Principles (cont'd)
       • Be based on the best available information
       • Be tailorable
       • Take human factors into account
       • Be transparent and inclusive
       • Be dynamic, iterative and responsive to change
       • Be capable of continual improvement and enhancement
       • Be continually or periodically re-assessed
    11. Risk Management Process (ISO 31000)
       1. Establishing the context
          • Identification of risk in a selected domain of interest
          • Planning the remainder of the process
          • Mapping out the social scope of risk management, the identity and objectives of stakeholders, and the basis upon which risks will be evaluated, including constraints
          • Defining a framework for the activity and an agenda for identification
          • Developing an analysis of the risks involved in the process
          • Mitigation or solution of risks using available technological, human and organizational resources
       2. Identification: source and problem analysis
       3. Assessment
    12. Risk Options
       • Design a new business process with adequate built-in risk control and containment measures from the start
       • Periodically re-assess risks accepted in ongoing processes as a normal feature of business operations, and modify mitigation measures
       • Transfer risks to an external agency (insurance company, etc.)
       • Avoid risks altogether (e.g. closing down a particular high-risk business unit/department)
    13. Risk Response
       • Avoidance: eliminate, withdraw from or not become involved
       • Reduction: optimize, mitigate
       • Sharing: transfer, outsource or insure
       • Retention: accept and budget
    14. Risk Management Plan
       • Select appropriate controls or countermeasures to measure each risk
       • Propose applicable and effective security controls for managing the risks
       • Contain a schedule for control implementation and the persons responsible for those actions
       • Obtain approval from the appropriate level of management for risk mitigation
    15. Risk Management Plan (cont'd)
       • According to ISO/IEC 27001, after the risk assessment prepare a Risk Treatment Plan (document the decisions about how each of the identified risks should be handled)
       • Mitigation of risks often means the selection of security controls; this should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why
       • Implementation follows all of the planned methods for mitigating the effect of the risks
    16. Risk Management Plan (cont'd)
       • Initial risk management plans will never be perfect
       • Practice, experience and actual loss results will necessitate changes in the plan and contribute information that allows different decisions to be made in dealing with the risks being faced
       • Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:
          – To evaluate whether the previously selected security controls are still applicable and effective
          – To evaluate possible risk level changes in the business environment
    17. Risk Management Challenges
       • Prioritizing risk management processes too highly could keep an organization from ever completing a project or even getting started
       • Do differentiate between risk and uncertainty: risk can be measured by impact x probability
       • If risks are improperly assessed and prioritized, time can be wasted dealing with risks of losses that are not likely to occur
       • Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably
       • Unlikely events do occur, but if a risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does occur
       • Qualitative risk assessment is subjective and lacks consistency
       • The primary justification for a formal risk assessment process is legal and bureaucratic
    18. Enterprise Risk Management
    19. Definition
       • Methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives
       • Its framework involves:
          – Identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities)
          – Assessing them in terms of likelihood and magnitude of impact
          – Determining a response strategy
          – Monitoring progress and assurance
    20. Definition (cont'd)
       • In short, ERM is a risk-based approach to managing a company, corporation or enterprise, integrating the concepts of internal control, the Sarbanes-Oxley Act (for U.S. corporations) and strategic planning
    21. Benefits
       • Identifying and addressing risks and opportunities proactively
       • The company or business will protect and create value for its stakeholders, such as owners, employees, customers, regulators and society in general
    22. ERM Framework
       • Known as the Risk Response Strategy:
          – Avoidance: exiting the activities giving rise to risk
          – Reduction: taking action to reduce the likelihood or impact related to the risk
          – Alternative actions: deciding on and considering other feasible steps to minimize risks
          – Share or insure: transferring or sharing a portion of the risk in order to finance it
          – Accept: no action is taken, due to a cost/benefit decision
    23. Risk Types and Examples
       • Hazard risk: liability torts, property damage, natural catastrophe
       • Financial risk: pricing risk, asset risk, currency risk, liquidity risk
       • Operational risk: customer satisfaction, product failure, integrity, reputational risk
       • Strategic risk: competition, social trends, capital availability
    24. ERM Processes
       • Establishing context: understanding the current conditions in which the organization operates, in its internal, external and risk management context
       • Identifying risks: documenting the material threats to the organization's achievement of its objectives, and the areas the organization may exploit for competitive advantage
       • Analyzing/quantifying risks: creating probability distributions of outcomes for each material risk
    25. ERM Processes (cont'd)
       • Integrating risks: aggregating all risk distributions, reflecting correlations and portfolio effects, and formulating the results as an impact on the company's key performance metrics
       • Assessing or prioritizing risks: determining the contribution of each risk to the aggregate risk profile, and prioritizing accordingly
       • Treating or exploiting risks: crafting strategies for controlling and exploiting the various risks
       • Monitoring and reviewing: measuring and monitoring the risk environment and the performance of the risk management strategies
    26. ERM Objectives
       • Companies manage risks and have various departments or functions ("risk functions") that identify and manage particular risks
       • Each risk function varies in capability and in how it coordinates with other risk functions
       • The main goal and challenge is improving this capability, coordination and integration of output to provide a unified picture of risk for stakeholders, and improving the organization's ability to manage enterprise risks effectively
    27. ERM Challenges
       • Identifying executive sponsors
       • Establishing a common risk language or glossary
       • Describing the enterprise's risk appetite (take or not)
       • Identifying and describing risks in a risk inventory
       • Implementing a risk-ranking methodology to prioritize risks within and across functions
       • Setting up a Risk Committee and/or Chief Risk Officer to coordinate certain activities across all risk functions
    28. ERM Challenges (cont'd)
       • Establishing ownership for particular risks and responses
       • Calculating a cost-benefit analysis of the risk management effort
       • Developing action plans to ensure risks are appropriately managed
       • Developing consolidated reporting for various stakeholders
       • Monitoring the results of actions taken in mitigating risk
       • Ensuring efficient risk coverage by internal auditors, consulting teams and other evaluating entities
       • Developing a technical ERM framework that enables secure participation by third parties and remote employees
    29. Risk Functions
       • Strategic planning: identifying external threats and competitive opportunities, along with strategic initiatives to address them
       • Marketing: understanding the target customer to ensure product or service alignment with their requirements
       • Compliance & ethics: monitoring compliance with the code of conduct and directing fraud investigations
       • Accounting / financial compliance: complying with Sarbanes-Oxley, which identifies financial reporting risks
    30. Risk Functions (cont'd)
       • Law department: managing litigation and analyzing emerging legal trends that impact the organization
       • Insurance: ensuring proper insurance coverage for the organization
       • Treasury: ensuring cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
       • Operational quality assurance: verifying that operational output is tolerable
    31. Risk Functions (cont'd)
       • Operations management: ensuring the business runs day to day and that related barriers are surfaced for resolution
       • Credit: ensuring any credit provided to customers is appropriate to their ability to pay
       • Customer service: ensuring customer complaints are handled promptly and root causes are reported to operations for resolution
       • Internal audit: evaluating the effectiveness of all risk functions and recommending improvements
    32. Internal Audit Role
       • Besides IT audit, internal auditors play an important role in evaluating the organization's risk management processes and advocating continued improvement
       • Should not take any direct responsibility for making risk management decisions for the enterprise or for managing the risk management function
       • Perform an annual risk assessment of the enterprise
       • Develop the audit engagement plan
       • This involves reviewing the various risk assessments performed by the enterprise: strategic plans, competitive benchmarking and the SOX top-down risk assessment
       • Consider prior audits, and interview a variety of senior management
    33. IT Risk Management
    34. IT Risk Concept
       • Part of the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
       • Consists of IT-related events that could potentially impact the business
       • These events occur with both uncertain frequency and uncertain magnitude
       • They create challenges in meeting strategic goals and objectives
       • Due to IT's importance to the overall business, IT risk should be treated like other key business risks
    35. Risk IT Framework
       • The framework:
          – Integrates the management of IT risk with the overall ERM
          – Compares assessed IT risk with the risk appetite and risk tolerance of the organization
          – Helps understand how to manage the risk
    36. Risk IT Categories
       • IT benefit/value enablement: missed opportunity to increase business value through IT-enabled or improved processes
       • IT program/project delivery: related to the management of IT-related projects intended to enable or improve the business
       • IT operations and service delivery: day-to-day IT operations and service delivery that can bring issues and inefficiency to the business operations of an organization
    37. Risk Assessment
       IT risk assessment frameworks:
       • ISACA Risk IT
       • Information Security Risk Management for ISO 27001
       • CRAMM Information Security Toolkit
       • OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
    38. IT Risk Assessment
       • Definition of risk assessment: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
    39. IT Risk Assessment
       Components of risk assessment:
       • Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
       • Impact on assets based on threats and vulnerabilities
       • Probabilities of threats (combination of the likelihood and frequency of occurrence)
    40. ISACA Risk IT
    41. ISACA Risk IT: A Balance is Essential
       • Risk and value are two sides of the same coin
       • Risk is inherent to all enterprises
       • BUT enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk
    42. Risk IT Extends Val IT and COBIT
       • Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource
    43. IT-related Risk Management
       Risk IT is not limited to information security. It covers all IT-related risks, including:
       • Late project delivery
       • Not achieving enough value from IT
       • Compliance
       • Misalignment
       • Obsolete or inflexible IT architecture
       • IT service delivery problems
    44. Guiding Principles of Risk IT
       • Always connect to enterprise objectives
       • Align the management of IT-related business risk with overall enterprise risk management
       • Balance the costs and benefits of managing risk
       • Promote fair and open communication of IT risk
    45. Guiding Principles of Risk IT (cont'd)
       • Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
       • Understand that this is a continuous process and an important part of daily activities
    46. Key Risk IT Content: The "What"
       Key content of the Risk IT framework includes:
       • Risk management essentials
       • In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
       • In Risk Evaluation: describing business impact and risk scenarios
       • In Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation
       • A section on how Risk IT extends and enhances COBIT and Val IT (note: Risk IT does not require the use of COBIT or Val IT)
    47. Key Risk IT Content: The "What" (cont'd)
       • Process model sections that contain:
          – Descriptions
          – Input-output tables
          – RACI (Responsible, Accountable, Consulted, Informed) table
          – Goals and metrics table
       • A maturity model is provided for each domain
       • Appendices:
          – Reference materials
          – High-level comparison of Risk IT to other risk management frameworks and standards
          – Glossary
    48. IT Risk Communication
       • The IT risk communication flows are:
          – Expectation
             • What the organization expects as the final result
             • What the expected behaviour of employees and management is
             • Encompasses strategy, policies, procedures and awareness training
          – Capability
             • Indicates how well the organization is able to manage the risk
          – Status
             • Information on the actual status of IT risk
             • Encompasses the risk profile of the organization, key risk indicators, events, and the root causes of loss events
    49. IT Risk Communication (cont'd)
       • Effective information should be:
          – Clear
          – Concise
          – Useful
          – Timely
          – Aimed at the correct target audience
          – Available on a need-to-know basis
    50. Risk IT Three Domains
    51. Risk Governance
       • Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
       • RG1 Establish and Maintain a Common Risk View
          – RG1.1 Perform enterprise IT risk assessment
          – RG1.2 Propose IT risk tolerance thresholds
          – RG1.3 Approve IT risk tolerance
          – RG1.4 Align IT risk policy
          – RG1.5 Promote IT risk-aware culture
          – RG1.6 Encourage effective communication of IT risk
    52. Risk Governance (cont'd)
       • RG2 Integrate With ERM
          – RG2.1 Establish and maintain accountability for IT risk management
          – RG2.2 Coordinate IT risk strategy and business risk strategy
          – RG2.3 Adapt IT risk practices to enterprise risk practices
          – RG2.4 Provide adequate resources for IT risk management
          – RG2.5 Provide independent assurance over IT risk management
    53. Risk Governance (cont'd)
       • RG3 Make Risk-aware Business Decisions
          – RG3.1 Gain management buy-in for the IT risk analysis approach
          – RG3.2 Approve IT risk analysis
          – RG3.3 Embed IT risk consideration in strategic business decision making
          – RG3.4 Accept IT risk
          – RG3.5 Prioritize IT risk response activities
    54. Risk Evaluation
       • Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms
       • RE1 Collect Data
          – RE1.1 Establish and maintain a model for data collection
          – RE1.2 Collect data on the operating environment
          – RE1.3 Collect data on risk events
          – RE1.4 Identify risk factors
    55. Risk Evaluation (cont'd)
       • RE3 Maintain Risk Profile
          – RE3.1 Map IT resources to business processes
          – RE3.2 Determine business criticality of IT resources
          – RE3.3 Understand IT capabilities
          – RE3.4 Update risk scenario components
          – RE3.5 Maintain the IT risk register and IT risk map
          – RE3.6 Develop IT risk indicators
    56. Risk Evaluation (cont'd)
       • RE2 Analyze Risk
          – RE2.1 Define IT risk analysis scope
          – RE2.2 Estimate IT risk
          – RE2.3 Identify risk response options
          – RE2.4 Perform a peer review of IT risk analysis
    57. Risk Response
       • Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities
       • RR1 Articulate Risk
          – RR1.1 Communicate IT risk analysis results
          – RR1.2 Report IT risk management activities and state of compliance
          – RR1.3 Interpret independent IT assessment findings
          – RR1.4 Identify IT-related opportunities
    58. Risk Response (cont'd)
       • RR2 Manage Risk
          – RR2.1 Inventory controls
          – RR2.2 Monitor operational alignment with risk tolerance thresholds
          – RR2.3 Respond to discovered risk exposure and opportunity
          – RR2.4 Implement controls
          – RR2.5 Report IT risk action plan progress
    59. Risk Response (cont'd)
       • RR3 React to Events
          – RR3.1 Maintain incident response plans
          – RR3.2 Monitor IT risk
          – RR3.3 Initiate incident response
          – RR3.4 Communicate lessons learned from risk events
    60. Risk Response Definition
       The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis. In other words, a response needs to be defined such that the future residual risk (= the current risk with the risk response defined and implemented) is, as far as possible (usually depending on the budgets available), within the risk tolerance limits.
    61. Risk IT Benefits and Outcomes
       • Accurate view of current and near-future IT-related events
       • End-to-end guidance on how to manage IT-related risks
       • Understanding of how to capitalise on the investment made in an IT internal control system already in place
       • Integration with the overall risk and compliance structures within the enterprise
       • Common language to help manage the relationships
       • Promotion of risk ownership throughout the organisation
       • Complete risk profile to better understand risk
    62. Risk IT Evaluation
       • The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events
       • Risk IT prescribes different methods:
          – COBIT information criteria
          – Balanced scorecard
          – Extended balanced scorecard
          – Westerman
          – COSO
          – Factor Analysis of Information Risk
    63. Risk IT Scenarios
       • The heart of the risk evaluation process
       • Scenarios can be derived in two different and complementary ways:
          – A top-down approach, from the overall business objectives to the most likely risk scenarios that can impact them
          – A bottom-up approach, where a list of generic risk scenarios is applied to the organization's situation
       • Each risk scenario is analyzed to determine its frequency and impact, based on the risk factors
    64. Risk IT Response
       • Risk avoidance: exiting the activities that give rise to the risk
       • Risk mitigation: adopting measures to detect the risk and reduce its frequency and/or impact
       • Risk transfer: transferring part of the risk to others, by outsourcing dangerous activities or by insurance
       • Risk acceptance: deliberately running the risk that has been identified, documented and measured
       • Key risk indicators: metrics capable of showing that the organization is subject, or has a high probability of being subject, to a risk exceeding the defined risk appetite
    65. Relationship with ISACA Frameworks
       • The Risk IT Framework complements ISACA's COBIT
       • COBIT provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services
       • COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk
    66. Relationship with ISACA Frameworks (cont'd)
       • Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk
       • Val IT allows business managers to get business value from IT investments by providing a governance framework
       • Val IT can be used to evaluate the actions determined by the risk management process
    67. Relationship With Other Frameworks
       • Risk IT accepts the Factor Analysis of Information Risk terminology and evaluation process
       • ISO 27005: comparison of Risk IT processes with those foreseen by the ISO/IEC 27005 standard
       • ISO 31000: The Risk IT Practitioner Guide, appendix 2
       • COSO: The Risk IT Practitioner Guide, appendix 4
    68. Information Security Risk Management for ISO/IEC 27001/ISO 27005
       ISO/IEC 27000 family of standards
       • ISO/IEC 27001 is based on BS 7799 by the British Standards Institution
       • Adopts the "plan-do-check-act" process model
       • Information Security Management System (ISMS) standard (ISO/IEC 27001)
       • Formal specification: mandates specific requirements
       • Adoption of ISO/IEC 27001 allows for formal audit and certification against an explicit standard
       • Risk management based on the ISO/IEC 27000 standards
    69. Information Security Risk Management for ISO/IEC 27001/ISO 27005
       ISO/IEC 27005
       • Information security risk management standard
       • Does not specify, recommend or name any specific risk analysis method
       • Does specify a structured, systematic and rigorous process, from analyzing risks to creating the risk treatment plan
    70. CRAMM Information Security Risk Toolkit
       • Provides a staged and disciplined approach towards IT risk assessment
    71. CRAMM Information Security Risk Toolkit
       • Asset identification and valuation
          – Physical
          – Software
          – Data
          – Location
       • Threat and vulnerability assessment
          – Hacking
          – Viruses
          – Failures of equipment or software
          – Wilful damage or terrorism
          – Errors by people
       • Countermeasure selection and recommendation
    72. CERT OCTAVE
       Operationally Critical Threat, Asset, and Vulnerability Evaluation framework by the Software Engineering Institute (1999)
       • Components of information security risk evaluation
       • Processes with required inputs, activities and outputs
          – Phase 1: Build asset-based threat profiles
          – Phase 2: Identify infrastructure vulnerabilities
          – Phase 3: Develop security strategy and plans
       • Self-directed information security risk evaluation
       • Analysis team includes people from business units and the IT department
    73. CERT OCTAVE
    74. CERT OCTAVE
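The rules the deck states in prose on slides 6, 9, 17, 60 and 64 (rank by greatest loss and greatest probability first; risk = impact x probability; the gain should exceed the pain; define a response so that residual risk, the current risk with the response implemented, comes within tolerance as far as the budget allows; avoid/mitigate/transfer/accept vocabulary) worked through as a small risk-register calculator. This is an added example, not part of the slides or of ValueConsult's material; the risks, amounts, reduction factors, tolerance and budget are constructed.

```python
"""Added example (not from the slides): a quantitative IT risk register that applies
the deck's rules: risk = impact x probability, greatest loss and probability first,
reject responses whose cost exceeds the exposure they remove, and choose a response
whose residual risk falls within tolerance as far as the budget allows.
All names, amounts and factors below are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Response:
    kind: str                  # avoid / mitigate / transfer / accept (slide 64 vocabulary)
    description: str
    impact_factor: float       # share of the impact that remains once implemented (0..1)
    probability_factor: float  # share of the probability that remains (0..1)
    cost: float                # annual cost of the response, same unit as impact


@dataclass
class Risk:
    name: str
    impact: float              # business value of the loss if the event occurs
    probability: float         # estimated annual probability of the event (0..1)
    responses: List[Response] = field(default_factory=list)


@dataclass
class Treatment:
    risk: str
    current: float             # exposure before any response
    response: Response
    residual: float            # exposure with the chosen response implemented
    within_tolerance: bool     # False: management must explicitly accept the residual


ACCEPT = Response("accept", "retain the risk: accept and budget for the loss", 1.0, 1.0, 0.0)


def exposure(impact: float, probability: float) -> float:
    """Risk measured as impact x probability (annualised loss expectancy)."""
    return impact * probability


def residual_exposure(risk: Risk, response: Response) -> float:
    """Residual risk = current risk with the response defined and implemented."""
    return exposure(risk.impact * response.impact_factor,
                    risk.probability * response.probability_factor)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Greatest loss and greatest probability of occurrence first."""
    return sorted(risks, key=lambda r: exposure(r.impact, r.probability), reverse=True)


def choose_response(risk: Risk, tolerance: float, budget: float) -> Treatment:
    """Cheapest response that brings the residual within tolerance; if none is
    affordable, the affordable response with the lowest residual, flagged as
    still outside tolerance."""
    current = exposure(risk.impact, risk.probability)
    if current <= tolerance:                       # already acceptable: retain
        return Treatment(risk.name, current, ACCEPT, current, True)
    affordable = []
    for resp in risk.responses:
        resid = residual_exposure(risk, resp)
        # Gain must exceed pain: a response costing more than the exposure it
        # removes is rejected, as is anything beyond the available budget.
        if resp.cost > budget or resp.cost >= current - resid:
            continue
        affordable.append((resp, resid))
    if not affordable:                             # nothing sensible to do: escalate
        return Treatment(risk.name, current, ACCEPT, current, False)
    in_tolerance = [(r, x) for r, x in affordable if x <= tolerance]
    if in_tolerance:
        resp, resid = min(in_tolerance, key=lambda rx: rx[0].cost)
        return Treatment(risk.name, current, resp, resid, True)
    resp, resid = min(affordable, key=lambda rx: rx[1])   # best effort
    return Treatment(risk.name, current, resp, resid, False)


def treat_register(risks: List[Risk], tolerance: float, budget: float) -> List[Treatment]:
    """Treatment plan in priority order, one entry per risk."""
    return [choose_response(r, tolerance, budget) for r in prioritize(risks)]


# Constructed sample register (monetary units are arbitrary).
SAMPLE_REGISTER = [
    Risk("Obsolete legacy middleware", 80_000, 0.10, [
        Response("avoid", "decommission the platform", 0.0, 0.0, 50_000)]),
    Risk("Ransomware on file servers", 500_000, 0.20, [
        Response("mitigate", "offline backups and endpoint detection", 0.2, 0.5, 30_000),
        Response("transfer", "cyber insurance policy", 0.3, 1.0, 40_000)]),
    Risk("Data centre power failure", 300_000, 0.05),
    Risk("Late ERP project delivery", 200_000, 0.40, [
        Response("mitigate", "phased delivery with independent reviews", 0.5, 0.5, 15_000),
        Response("transfer", "fixed-price vendor contract", 0.9, 0.9, 20_000)]),
    Risk("Key supplier insolvency", 400_000, 0.15, [
        Response("mitigate", "qualify a second-source supplier", 0.5, 1.0, 20_000),
        Response("transfer", "contractual penalties and insurance", 0.6, 1.0, 10_000),
        Response("avoid", "bring the service in-house", 0.0, 0.0, 65_000)]),
]

if __name__ == "__main__":
    for t in treat_register(SAMPLE_REGISTER, tolerance=25_000, budget=35_000):
        flag = "" if t.within_tolerance else "  <-- outside tolerance: needs management acceptance"
        print(f"{t.risk:28} current={t.current:>9,.0f} {t.response.kind:9} residual={t.residual:>9,.0f}{flag}")
```

The supplier risk shows the "as far as the budget allows" case from slide 60: no affordable response reaches tolerance, so the plan records the best-effort mitigation and flags the residual for explicit acceptance (RG3.4).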
    75. 75. Software Risk Management
    76. 76. Understanding Risks in the Systems Development Life Cycle Business Application Development Alternative Software Development Strategies Information Systems Maintenance Practices Project Management Practices System Development Tools and Productivity Aids Software Development Process Improvement Practices Auditing Systems Development, Acquisition and Maintenance ValueConsult IT Risk Management 77
    77. 77. Business Application Development An Individual Application or Project is Initiated by • A new opportunity that relates to new or existing business process • A problem that relates to an existing business process • A new opportunity that will enable the organization to take advantage of technology • A problem with the current technology Traditional Systems Development Life Cycle Phases • Phase 1—Feasibility • Phase 2—Requirements definition • Phase 3—Design • Phase 4—Development • Phase 5—Implementation ValueConsult IT Risk Management 78
    78. 78. Business Application Development Roles and Responsibilities of Groups and Individuals • • • • • • • • • • Senior management User management Project Steering committee Project Sponsor Systems development management Project manager Systems development project team User project team Security officer Quality assurance ValueConsult IT Risk Management 79
79. Business Application Development
Risks Associated with Software Development
• Potential risks exist when poor or inadequate SDLC methodologies are utilized
• Systems designed using a poor methodology may not meet the users' needs and often exceed the limits of financial resources
• Merely following a methodology does not ensure the success of a development project
80. Business Application Development
Structured Analysis, Design, and Development Techniques
• Develop system context diagrams
• Perform hierarchical data flow/control flow decomposition
• Develop control transformations
• Develop mini-specifications
• Develop data dictionaries
• Define all external events—inputs from the external environment
• Define single transformation data flow diagrams from each external event
81. Traditional System Development Life Cycle (SDLC) Approach
Phase 1 - Feasibility Study
• Define a time frame
• Determine an optimum alternative/solution in meeting business needs and general information resource requirements or estimates
• Determine if an existing system can correct the situation with slight or no modification
• Determine if a vendor product offers a solution
• Determine the approximate cost
• Determine if the solution fits the business strategy
82. Business Application Development
Phase 2 - Requirements Definition
• Identify and consult stakeholders to determine their expectations
• Analyze requirements to detect and correct conflicts and determine priorities
• Identify system bounds and how the system should interact with its environment
• Convert user requirements into system requirements
• Record requirements in a structured format
• Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable
• Resolve conflicts between stakeholders
• Resolve conflicts between the requirements set and the resources that are available
83. Traditional System Development Life Cycle (SDLC) Approach
Software Acquisition
• Decision made to acquire, not develop
• Occurs after the Requirements phase
• Request for proposal (RFP) contents
• Topics of discussion with users about vendors
• Contract contents
• Contract management
Integrated Resource Management Systems
• Fully integrated corporate solution
• SAP, PeopleSoft, Oracle Financials, etc.
• Impact on the way the corporation does business
• Need to conduct an impact and risk assessment
84. Traditional System Development Life Cycle (SDLC) Approach
Phase 3 - Design
• User involvement
• Key design activities
• Software baselining
• End of design phase
Phase 4 - Development
• Key activities
• Programming methods and techniques
• On-line programming facilities (Integrated Development Environment - IDE)
• Programming languages
  • High-level
  • Object-oriented
  • Scripting (such as sh (shell), Perl, Tcl, Python, JavaScript and VBScript)
  • Low-level assembler
  • Fourth generation
  • Decision support or expert systems
• Program debugging
85. Traditional System Development Life Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing
  • Elements of a software testing process
    • Test plan
    • Conduct and report test results
    • Address outstanding issues
  • General testing levels
    • Unit testing
    • Interface or integration testing
    • System testing
    • Final acceptance testing
86. Traditional System Development Life Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing (continued)
  • Other types of testing - related terminology
    • Alpha and beta testing
    • Pilot testing
    • White-box testing
    • Black-box testing
    • Function/validation testing
    • Regression testing
    • Parallel testing
    • Sociability testing
    • Automated application testing
87. Traditional System Development Life Cycle (SDLC) Approach
Phase 5 - Implementation
• Planning for implementation
• Formal plan
• Data conversion
• Acceptance testing
• Certification and accreditation process
Post-Implementation Review
• Assess adequacy
• Evaluate projected cost benefits
• Develop recommendations
• Develop an action plan
• Assess the development project process
88. Alternative Software Development Strategies
• Data-Oriented System Development
• Object-Oriented System Development
• Component-Based Development
• Web-Based Application Development
• Prototyping
• Rapid Application Development (RAD)
• Agile Development
• Reengineering
• Reverse Engineering
89. Logical Access Exposures and Controls
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users' computers
Remote access security controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of VPN
• System and network management
90. Logical Access Exposures and Controls
Remote access using personal digital assistants (PDAs) - control issues to address include:
• Compliance
• Approval
• Standard PDA applications
• Due care
• PDA applications
• Synchronization
• Encryption
• Virus detection and control
91. Logical Access Exposures and Controls
Authorization Issues
• Access issues with mobile technology
  • These devices should be strictly controlled both by policy and by denial of use. Possible actions include:
    • Banning all use of transportable drives in the security policy
    • Where no authorized use of USB ports exists, disabling their use with a logon script that removes them from the system directory
    • If they are considered necessary for business use, encrypting all data transported or saved by these devices
• Audit logging in monitoring system access
  • Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID
92. Logical Access Exposures and Controls
Authorization Issues
• Audit logging in monitoring system access
  • Access rights to system logs
  • A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours.
  • Tools for audit trail (log) analysis
    • Audit reduction tools
    • Trends/variance-detection tools
    • Attack signature-detection tools
93. Logical Access Exposures and Controls
Authorization Issues
• Audit logging in monitoring system access
  • Cost consideration
  • Audit concerns
    • Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
    • Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords
• Restrict and monitor access to computer features that bypass security
  • Generally, only system software programmers should have access to:
    • Bypass label processing (BLP)
    • System exits
    • Special system logon IDs
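Worked example added here (not part of the deck) of the three audit-trail analysis tools listed above, run over a constructed log: an audit-reduction filter that drops routine activity, a variance check for access at unusual hours, and a signature check for repeated failed logons against a privileged ID. The log format, the set of privileged IDs, the business-hours window and the failure threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail for this example (not taken from the deck).
SAMPLE_LOG = """\
2013-05-06 09:12:01 jsmith LOGIN_OK src=10.0.0.17
2013-05-06 09:15:44 jsmith FILE_READ path=/finance/q1.xls
2013-05-06 10:02:10 admin LOGIN_FAIL src=10.0.0.45
2013-05-06 10:02:12 admin LOGIN_FAIL src=10.0.0.45
2013-05-06 10:02:16 admin LOGIN_FAIL src=10.0.0.45
2013-05-06 11:30:00 mlee FILE_READ path=/hr/payroll.xls
2013-05-06 11:30:05 mlee ACCESS_DENIED path=/hr/payroll.xls
2013-05-07 02:41:09 jsmith LOGIN_OK src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")
PRIVILEGED_IDS = {"admin", "root"}      # assumption: the site's privileged logon IDs
BUSINESS_HOURS = range(7, 20)           # assumption: 07:00-19:59 is normal working time
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

def parse(log):
    """Turn raw log lines into (timestamp, user, event, detail) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, event, detail = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, detail or ""))
    return events

def audit_reduce(events):
    """Audit reduction: drop routine successful activity that falls inside business hours."""
    return [e for e in events
            if e[2] not in ("LOGIN_OK", "FILE_READ") or e[0].hour not in BUSINESS_HOURS]

def analyze(log):
    """Return (finding, user, detail) tuples for the reviewer's attention."""
    findings, fails = [], defaultdict(list)
    for ts, user, event, detail in audit_reduce(parse(log)):
        if event == "ACCESS_DENIED":            # violation: unauthorized file access attempt
            findings.append(("ACCESS_VIOLATION", user, detail))
        if ts.hour not in BUSINESS_HOURS:      # variance: activity at an unusual hour
            findings.append(("UNUSUAL_HOURS", user, ts.strftime("%H:%M")))
        if event == "LOGIN_FAIL" and user in PRIVILEGED_IDS:
            fails[user].append(ts)             # signature: repeated failures on a privileged ID
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) == FAIL_THRESHOLD:
                findings.append(("BRUTE_FORCE", user, detail))
    return findings
```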
94. Risk in Change Control and Management
95. Information Systems Maintenance Practices
Change Management Process Overview - POSB Lucky Draw Fraud Case
• Deploying changes
• Documentation
• Testing program changes
• Emergency changes
• Deploying changes back into production
• Change exposures (unauthorized changes)
96. Information Systems Maintenance Practices
Configuration Management
Library Control Software
• Executable and source code integrity
• Source code comparison
System Change Procedures and the Program Migration Process
• Evaluate the adequacy of the organization's procedures
• Identify system changes
• Review documentation
• Evaluate adequacy of procedures
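Added example (not the deck's or any vendor's library control software) of the integrity check and source comparison listed above, tied to the change exposures slide before it: hash manifests of the approved baseline and of production are compared, every difference without an approved change record is reported as an unauthorized change, and a unified diff is produced for the reviewer. File paths, contents and the change ticket id are constructed for the example.

```python
import difflib
import hashlib

# Constructed contents of the approved source library and of production (not from the deck).
BASELINE = {
    "billing/rates.py": b"RATE = 0.07\n\ndef fee(amount):\n    return amount * RATE\n",
    "billing/report.py": b"def render(rows):\n    return '\\n'.join(rows)\n",
    "auth/policy.py": b"MAX_ATTEMPTS = 5\nLOCKOUT_MINUTES = 30\n",
}
PRODUCTION = {
    "billing/rates.py": b"RATE = 0.07\n\ndef fee(amount):\n    return round(amount * RATE, 2)\n",
    "auth/policy.py": b"MAX_ATTEMPTS = 500\nLOCKOUT_MINUTES = 30\n",
    "auth/debug.py": b"DEBUG = True\n",
}
# Changes that went through the change management process, keyed by file (constructed ticket id).
APPROVED_CHANGES = {"billing/rates.py": "CHG-2013-041"}

def manifest(tree):
    """Hash every file so two library versions can be compared by digest alone."""
    return {path: hashlib.sha256(src).hexdigest() for path, src in tree.items()}

def compare(baseline, deployed):
    """Executable/source integrity check: report modified, added and removed files."""
    b, d = manifest(baseline), manifest(deployed)
    return {
        "modified": sorted(p for p in b if p in d and b[p] != d[p]),
        "added": sorted(set(d) - set(b)),
        "removed": sorted(set(b) - set(d)),
    }

def unauthorized(diff, approved):
    """A change with no approved change record is a change exposure."""
    changed = diff["modified"] + diff["added"] + diff["removed"]
    return sorted(p for p in changed if p not in approved)

def source_diff(path, baseline, deployed):
    """Source code comparison: unified diff of the approved text against what is deployed."""
    a = baseline.get(path, b"").decode().splitlines()
    b = deployed.get(path, b"").decode().splitlines()
    return list(difflib.unified_diff(a, b, f"baseline/{path}", f"production/{path}", lineterm=""))

if __name__ == "__main__":
    diff = compare(BASELINE, PRODUCTION)
    for path in unauthorized(diff, APPROVED_CHANGES):
        print("UNAUTHORIZED CHANGE:", path)
        print("\n".join(source_diff(path, BASELINE, PRODUCTION)))
```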
97. Network Risk Management
98. Network Infrastructure Security
LAN Security
• Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.
LAN risks and issues
• Dial-up access controls
99. Network Infrastructure Security
Client-Server Security
• Control techniques in place
  • Securing access to data or applications
  • Use of network monitoring devices
  • Data encryption techniques
  • Authentication systems
  • Use of application-level access control programs
Client/server risks and issues
• Access controls may be weak in a client-server environment
• Change control and change management procedures
• The loss of network availability may have a serious impact on the business or service
• Obsolescence of the network components
• The use of modems to connect the network to other networks
• The connection of the network to public switched telephone networks may be weak
• Changes to systems or data
• Access to confidential data and data modification may be unauthorized
• Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing
100. Network Infrastructure Security
Internet Threats and Security
Passive attacks
• Network analysis
• Eavesdropping (Video: Wireshark Wireless Password Sniffing)
• Traffic analysis
Active attacks
• Brute-force attack
• Masquerading
• Packet replay
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing
101. Network Infrastructure Security
Internet Threats and Security
• Threat impact
  • Loss of income
  • Increased cost of recovery
  • Increased cost of retrospectively securing systems
  • Loss of information
  • Loss of trade secrets
  • Damage to reputation
  • Legal and regulatory noncompliance
  • Failure to meet contractual commitments
  • Legal action by customers for loss of confidential data
102. Network Infrastructure Security
Internet Threats and Security
• Causal factors for Internet attacks
  • Availability of tools and techniques on the Internet
  • Lack of security awareness and training
  • Exploitation of security vulnerabilities
  • Inadequate security over firewalls
• Internet security controls
Firewall Security Systems
• Firewall general features
• Firewall types
  • Router packet filtering
  • Application firewall systems
  • Stateful inspection
103. Network Infrastructure Security
Firewall Security Systems
• Examples of firewall implementations
  • Screened-host firewall
  • Dual-homed firewall
  • Demilitarized zone (DMZ)
Firewall issues
• A false sense of security
• The circumvention of the firewall
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies
104. Network Infrastructure Security
Intrusion Detection Systems (IDS)
An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.
• Network-based IDSs
• Host-based IDSs
Components:
• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface
105. Network Infrastructure Security
Types of Intrusion Detection Systems (IDS)
• Signature-based
• Statistical-based
• Neural networks
Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management
106. Network Infrastructure Security
Intrusion Detection Systems (IDS)
• Limitations:
  • Weaknesses in the policy definition
  • Application-level vulnerabilities
  • Backdoors into applications
  • Weaknesses in identification and authentication schemes
107. Network Infrastructure Security
Encryption
• Key elements of encryption systems
  • Encryption algorithm
  • Encryption key
  • Key length
• Private key cryptographic systems
• Public key cryptographic systems
• Elliptical curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures
108. Network Infrastructure Security
Encryption (Continued)
• Digital signatures
  • Data integrity
  • Authentication
  • Nonrepudiation
  • Replay protection
• Public key infrastructure
  • Digital certificates
  • Certificate authority (CA)
  • Registration authority (RA)
  • Certificate revocation list
  • Certification practice statement (CPS)
109. Network Infrastructure Security
Encryption (Continued)
• Use of encryption in OSI protocols
  • Secure sockets layer (SSL)
  • Secure Hypertext Transfer Protocol (S/HTTP)
  • IP security
  • SSH
  • Secure multipurpose Internet mail extensions (S/MIME)
  • Secure electronic transactions (SET)
110. Project Risk Management
111. PRM Processes
• Planning how risk is managed within a particular project
  • Plans include risk management tasks, responsibilities, activities and budget
• Assigning a risk officer with a healthy skepticism who is responsible for foreseeing potential project problems
• Maintaining a live project risk database (risk profile)
  • Each risk should have these attributes: opening date, title, short description, probability and importance
112. PRM Processes (cont'd)
• Creating an anonymous risk reporting channel
  • Each team member should have the possibility to report risks that he/she foresees in the project
• Preparing mitigation plans for risks that are chosen to be mitigated
  • Identify how the risk will be handled – what, when, by whom and how it will be done to avoid it or minimize the consequences if it becomes a liability
• Summarizing planned and faced risks, the effectiveness of mitigation activities, and the effort spent on risk management
113. Q&A
114. THANK YOU!