Keynote Message
Enterprise businesses today – a consistently target-rich environment. As a company grows, so does its external and internal attack surface. Risk management approaches help identify the mitigation actions that address the associated risk.
Enterprise Risk Management The rising importance of ERM and the Information Security Practice Harry Contreras – CISSP/6Sigma IT Security Manager – at a Fortune 500 company
Managing Enterprise Risks What is driving ERM adoption today?
The Definition of ERM
Enterprise Risk Management: risk management is fundamental to management.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has presented the definition that is most widely referenced and accepted:
Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity. It provides a framework to manage risk within the organization’s risk appetite and offers reasonable assurance regarding the achievement of its objectives. [1]
[1] Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework: Executive Summary, 2004
Managing Enterprise Risks
Who is watching for this activity?
Standard & Poor’s (S&P) Enterprise Risk Management (ERM) Analysis for Credit Ratings of Non-Financial Companies: in a Request for Comment (November 2007), S&P proposed rating criteria for this ERM assessment approach.
Definitions – what are we dealing with here?
Risks, Threats and Vulnerability: not all threats pose the same level of risk.
Risk (noun) – The possibility of loss or injury; someone or something that creates or suggests a hazard; the chance that an investment will lose value.
Threat (noun) – An expression of intention to inflict evil, injury or damage; an indication of something impending.
Vulnerability (noun) – A state of, or defect in, a situation or an asset that could be exploited to create loss or harm.
Operational Risk (OR) – The Basel Committee on Banking Supervision defines OR as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” [1]
Examples of OR include: fraud by external parties or employees; workplace safety and employment practices; client, product and business practices; damage to physical assets; business disruption and system failures; and losses from failed transaction processing or from trade with vendors.
Limiting the Scope
What are Enterprise Business Risks? Global or macro-level risks:
Economic risks – Oil prices/energy, supply interruptions. US current account deficit or fall in US$. Fiscal crises caused by demographic shift. Asset price rises, excessive indebtedness.
Environmental risks – Climate change. Loss of freshwater services. Natural catastrophes: tropical storms, earthquakes or inland flooding.
Geopolitical risks – International terrorism, interstate or civil wars. Instability of failed or failing states. Transnational crime.
Societal risks – Pandemics, infectious diseases in the developing world. Chronic diseases in the developed world. Liability regimes.
Technical risks – Breakdown of critical information infrastructure (CII). Emergence of risks identified in technologies implemented as products, services or processes within the enterprise.
Interpreting Business Risk
Where does IT Risk come from? Risks impact the business across multiple enterprise structures:
Marketplace – Where a company operates shapes its business environment, including the political, regulatory, market and labor conditions it faces.
Financial model – How a company structures its financial strategy shapes its risk tolerance for the changing money-market conditions it faces.
Operational model – How a company chooses to define the way it operates determines how it functions and how business units work together.
Organizational model – How a company is organized to deploy, develop and retain its people for continuity of internal services.
“Volatility” is the catalyst for risk – the condition where things can change rapidly, dramatically and sometimes unexpectedly.
Limiting the Scope
What falls within IT Risk issues?
Operational – Risks arising from internal business operations; generally mitigated through internal controls or processes.
Hazard – Risks arising from adverse events that result in property damage and liabilities; some of these are generally insurable.
Strategic – Risks arising from external competition, the market environment and regulatory events that can damage or enhance a company’s growth track and shareholder valuation.
Financial – Risks arising from fluctuations in financial market prices; generally hedged using financial instruments.
Human Capital – Risks arising from challenges to the personnel, leadership and systems used to attract, develop, motivate and retain the labor pool.
The information security triad of Confidentiality, Integrity and Availability maps directly onto each of these areas of risk: a loss of any one of the three shows up as an operational, hazard, strategic, financial or human-capital loss to the business.
Interpreting Business Risk Who and How to make the determinations
Aspects of Quantifying Risk To understand which risks matter.
Review the following risk considerations:
Risk realization – Real vs. Perceived Risk
Addressing the FUD factor (Fear, Uncertainty and Doubt)
Has this risk been realized in the past?
Can costs for this risk be quantified?
Is it repeatable and preventable?
Burden of Risk – associated material and immaterial costs
What is the decision tipping point for consideration of this risk?
The Classic Risk Formulations Interpreting risk and communicating decision actions.
Risk = Loss × Threat × Frequency
Loss is the economic value lost (revenue and recovery cost) when the security event occurs
Threat is the likelihood, as a probability, that an attempted event succeeds
Frequency is how often such an event is attempted (for example, per year)
Read this way, Threat × Frequency is the expected number of loss events per period, and the whole product is the expected loss per period – the annualized loss expectancy of classic security risk analysis.
Threat × Vulnerability = Risk
This simpler form is still valid today
There are many variations on this theme
What matters more is applying one of them to your organization’s ERM Program consistently and with the concurrence of the business
Risk Ranking
Ranking Risk – Likelihood and Impact: associating risk with action imperatives.
[Risk assessment matrix: Axis 1 – Likelihood; Axis 2 – Business Impact]
An industry example of a risk assessment matrix for ranking risk (Marsh Risk Consulting Practice – Operational Risk focus).
What to do with Identified IT Risks
Options for handling IT Risks. Burying your head in the sand is not an option.
Accept or Retain the identified risk – The risk is unlikely, or its impact does not warrant further action; the company simply decides to bear any recovery costs.
Avoid or Reject the risk – When the cost or likelihood of the risk is too great, it is not feasible to continue in that area of activity (product, process or geography).
Transfer or Share the risk – When the risk is part of the business operation and the cost is predictable, the company may elect to insure, warranty or contract (outsource) it.
Mitigate or Reduce the risk – The identified risk(s) are core to the business, and controls are implemented to reduce likelihood and impact to the business.
Ignore the risk – The choice to consciously do nothing. Unlike acceptance, it is not a documented, costed decision, and it carries the potential for catastrophic business impact and serious legal repercussions.
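The following is an added worked example, not code from this presentation: it applies the Loss × Threat × Frequency formulation from the classic-formula slide, scores each risk on a 5×5 likelihood/impact matrix like the one on the ranking slide, and then chooses one of the handling options above (accept, transfer, mitigate or avoid) for it. The band thresholds, the treatment policy and the entries in the risk register are all assumptions constructed for illustration, not figures from any real assessment.

```python
"""Risk = Loss x Threat x Frequency, a 5x5 likelihood/impact matrix, and a
treatment decision.  Added example; bands, policy and register are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float              # economic value lost per event (USD)
    threat: float            # probability (0..1) that an attempted event succeeds
    frequency: float         # attempts per year
    control_cost: float      # annual cost of the best available mitigation (USD)
    core: bool = False       # activity is core to the business, so it cannot be avoided
    insurable: bool = False  # loss is predictable enough to insure or contract away


def annual_risk(r: Risk) -> float:
    """Risk = Loss x Threat x Frequency: expected loss per year (USD)."""
    return r.loss * r.threat * r.frequency


# Band boundaries are assumptions; each ERM program sets its own.
LIKELIHOOD_BANDS = (0.1, 0.5, 1.0, 5.0)                   # expected events/year
IMPACT_BANDS = (10_000, 100_000, 1_000_000, 10_000_000)   # USD per event


def band(value: float, bounds) -> int:
    """Score 1..5: index of the first bound the value does not exceed, else 5."""
    for score, bound in enumerate(bounds, start=1):
        if value <= bound:
            return score
    return len(bounds) + 1


def likelihood_score(r: Risk) -> int:
    """Axis 1: expected successful events per year, banded 1..5."""
    return band(r.threat * r.frequency, LIKELIHOOD_BANDS)


def impact_score(r: Risk) -> int:
    """Axis 2: business impact of a single event, banded 1..5."""
    return band(r.loss, IMPACT_BANDS)


def matrix_cell(r: Risk) -> int:
    """Likelihood x impact: the cell value (1..25) in the ranking matrix."""
    return likelihood_score(r) * impact_score(r)


def treatment(r: Risk) -> str:
    """Assumed policy mapping matrix cells to the handling options:
    low cells are accepted (retained); high cells are avoided unless the
    activity is core; predictable losses are transferred; the rest are
    mitigated only when the control costs less than the loss it removes."""
    cell = matrix_cell(r)
    if cell <= 4:
        return "accept"
    if cell >= 15 and not r.core:
        return "avoid"
    if r.insurable:
        return "transfer"
    if r.control_cost < annual_risk(r):
        return "mitigate"
    return "accept"  # the control would cost more than the expected loss


def rank(risks):
    """Highest matrix cell first; ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (matrix_cell(r), annual_risk(r)), reverse=True)


# Constructed register of illustrative risks (not from any real assessment).
REGISTER = [
    Risk("Phishing leads to credential theft", 250_000, 0.4, 12, 60_000, core=True),
    Risk("Data-center flood", 5_000_000, 0.15, 1, 800_000, core=True, insurable=True),
    Risk("Unpatched internet-facing server exploited", 1_500_000, 0.3, 4, 120_000, core=True),
    Risk("Laptop lost in transit", 20_000, 0.8, 0.5, 5_000),
    Risk("Unsupported legacy product line breached", 3_000_000, 0.6, 2, 900_000),
    Risk("Marketing site defaced", 150_000, 0.2, 2, 80_000),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:44} L={likelihood_score(r)} I={impact_score(r)} "
              f"cell={matrix_cell(r):2} ALE=${annual_risk(r):>12,.0f} -> {treatment(r)}")
```

Two things the table shows that the slides only state: two risks can land in the same matrix cell and still differ by millions in expected annual loss, which is why the ranking breaks ties on the dollar figure; and a risk can be real yet still be accepted when the only available control costs more than the loss it prevents, which is exactly the cost-effectiveness question raised in the practitioner commentary at the end of this deck.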
Analyzing IT Risk Evaluation of Impact to Assets
ERM Analysis Process:
Threat and vulnerability identification
Determination of likelihood for the threats
Impact to assets, expressed in terms of the InfoSec CIA triad
Enterprise Businesses Today A continuous “target rich” environment
The What, When, Why, How and Who
What = Identify risks to the business
When = Prioritize actions
Why = Cost justification
How = Solution/Mitigation approach
Who = Assign actions to carry out
Approaches to IT Risk Management How can this be accomplished?
Industry Approaches Today
The traditional “Delphi Method” – structured rounds of anonymous expert estimates, fed back to the group until it converges on a likelihood and impact for each risk
Developing a matrix of identified risks and attributes
InfoSec efforts & investments aligned with business problem solutions
Business Goals and Objectives – the overall business deliverable
Aligning IT Risks to Business Problems Applying Secure and Compliant solutions
Critical Success Factors:
Did you close the deal?
Is it going to be funded?
Will the solution fit the business model?
Does business leadership support it?
Can metrics be derived?
Were you successful in assigning actions?
A Never Ending Process
Annual “Best Practice” Activity. As companies embrace ERM approaches and practise this activity at least annually, they should observe an improving risk index year over year. The activity raises corporate awareness of the enterprise’s risk tolerance state and institutionalizes a successful, repeatable InfoSec process to protect the enterprise.
“Security as an Ecosystem*” – Why less is best
Whether solutions are products or processes, account for the full lifecycle of business Capex and Opex needed to sustain them from turn-up to retirement.
*Quotation taken from a published InfoSec industry article
IT Security Practitioner – Commentary*: Dr. Eric Cole – SANS, Author & Fellow
“Security will always be a challenge since threats and vulnerabilities are always changing. The key task for security managers is to make sure that, based on your limited budget, you are focusing in on the correct items. In spending any money on security you should always ask: what is the risk I am reducing; is it the highest priority risk; and is it the most cost effective way to reduce the risk?”
* Dr. Cole prepared this commentary for SANS NewsBites Vol. 10 Num. 23 – March 21, 2008.
IT Security Practitioner – Commentary*: Marcus Sachs – Director, SANS ISC
“Security is about risk management.”
“There’s no way to patch every vulnerability, so which ones do you go after? One good approach is [to look at] which ones the threats are most likely to go after.”
“There is no such thing as perfect security. Just try to manage it to get to some acceptable level of risk that you are willing to live with.”
* Information Security Magazine, February 2008