Risk Management 101

Published in: Business, Economy & Finance

1. Risk Management 101
   Barry Caplin, Chief Information Security Officer, MN Department of Human Services
   MN Government IT Symposium, Thurs. Dec. 13, 2007, Session 74

2. Agenda
   - In the beginning...
   - Definitions: Threat, Vulnerability, Risk
   - Types of Risk
   - Risk Management components
   - Frameworks and standards
   - Information Risk Management at DHS

3. In The Beginning...

4. In The Beginning... There were Humans...

5. In The Beginning... And Beasts...

6. And the concept of Risk was born...

7. Risk
   - Always been with us
   - Viewed as a negative
   - Attempt to reduce

8. Magic?

9. Definitions

10. Threat
   - Defn: Source or warning of probable impending danger (Actor) - Wikipedia
   - Direct/Intended: malicious hacker, thief, malware
   - Indirect/Unintended: user, weather
   - Person or Thing
   - Task: Must analyze assets and environment to determine threats

11. Vulnerability
   - Defn: the state of being exposed; liable to succumb
   - Measures: physical, financial, operational
   - Task: Must analyze vulnerability to identified threats

12. Impact
   - Defn: to effect, influence or alter
   - Measures: cost, time delays, damage
   - Task: determine impact of the action of a threat to which we are vulnerable

13. Threat, Vulnerability, Impact => Risk
   (probability of event × impact = risk)

14. Risk
   - Defn: Exposure to the chance of injury or loss (Event)
   - Based on action of threat
   - Components:
     - Probability of occurrence
     - Impact of event
   - Task: Identification and Disposition
   - Accept (or Ignore)
   - Mitigate
   - Transfer

15. Types of Risk
   - Prof. John Adams, University College London
   - UK risk expert
   - Direct: directly perceived, obvious
   - Scientific: determined via science
   - Virtual Risk: everything else!

16. Types of Risk: Directly perceived

17. Types of Risk: Perceived through science

18. Types of Risk
   - Virtual Risk
   - What we are all involved in!
   - Project risk/Operational risk
   - Physical/Data security risk
   - Terrorism/Homeland Security
   - Weather

19. Virtual Risk
   - Virtual Risk
   - Difficult to "prove"
   - Experts don't know or do not agree
   - We don't know what we don't know

20. Risk Management
   A discipline for living with the possibility that future events may cause adverse effects.

21. Risk Management
   The iterative framework and processes for:
   - Identifying threats (imagining virtual threats)
   - Assessing
   - Evaluating options
   - Acting

22. Identify Threats
   - Research
   - Survey
   - Brainstorm

23. Assess
   - Threat Assessment
   - Vulnerability Assessment
   - Impact Assessment
   - Risk Assessment
   - Qualitative: subjective scoring
   - Quantitative: objective or measured values

24. Disposition of Risk
   - Accept (or Ignore): what is the?
   - Mitigate: what is the cost?
   - Transfer (via contract or insurance): what terms? Cost?

25. Economics of Risk Management
   - Cost of control < Cost of loss
   - Cost of compliance (pain) < Cost of circumvention (gain)
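As an added worked example that is not part of the slide deck, the Python below puts slides 13, 23, 24 and 25 together: it scores each entry of a small risk register with the deck's formula (probability of event × impact = risk), ranks the register quantitatively, buckets the same scores into qualitative bands, and chooses Accept, Mitigate or Transfer by comparing the cost of the control (plus whatever loss remains after it) against the cost of the loss it prevents. The register entries, dollar figures, band thresholds and the insurance-premium model of "transfer" are all constructed assumptions of mine, not figures from the presentation.

```python
"""Added example: quantitative risk scoring and disposition (not from the deck).

Model assumptions (mine, not the presenter's):
  - a risk is a (threat, vulnerability) pair with an annual probability of the
    event and a dollar impact if it occurs;
  - a control has an annual cost and leaves a residual probability/impact;
  - 'transfer' is an annual insurance or contract premium.
All figures are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    threat: str           # actor or source of danger (slide 10)
    vulnerability: str    # exposure the threat acts on (slide 11)
    probability: float    # chance of the event within one year, 0..1
    impact: float         # loss in dollars if the event happens (slide 12)


def risk_score(risk: Risk) -> float:
    """Slide 13: probability of event × impact = risk (expected annual loss)."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if risk.impact < 0:
        raise ValueError("impact must be non-negative")
    return risk.probability * risk.impact


def rank_risks(register):
    """Quantitative assessment (slide 23): highest expected loss first."""
    return sorted(register, key=risk_score, reverse=True)


def qualitative_band(risk: Risk, high=40_000, medium=5_000) -> str:
    """Qualitative scoring (slide 23): bucket expected loss into bands.
    The thresholds are constructed placeholders, not values from the deck."""
    score = risk_score(risk)
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def disposition(risk: Risk, control_cost: float, residual_probability: float,
                residual_impact=None, transfer_premium=None):
    """Slides 14, 24, 25: pick Accept, Mitigate or Transfer.

    control_cost          annual cost of the mitigating control
    residual_probability  probability that remains once the control is in place
    residual_impact       impact that remains (defaults to the original impact)
    transfer_premium      annual insurance/contract cost, or None if not transferable
    Returns the cheapest option and the full cost table so the decision can be
    documented (slide 27).
    """
    accepted_loss = risk_score(risk)                         # do nothing
    mitigated = replace(risk, probability=residual_probability,
                        impact=risk.impact if residual_impact is None else residual_impact)
    # Slide 25: a control is only worth it when cost of control < cost of loss;
    # here the control's cost is charged together with the loss it fails to remove.
    options = {"Accept": accepted_loss,
               "Mitigate": control_cost + risk_score(mitigated)}
    if transfer_premium is not None:
        options["Transfer"] = transfer_premium
    return min(options, key=options.get), options


# Constructed sample register (threat/vulnerability pairs from slide 10's examples).
REGISTER = [
    Risk("malware", "unpatched workstations", 0.40, 120_000),
    Risk("thief", "unencrypted laptops", 0.10, 250_000),
    Risk("weather", "single data center, no generator", 0.02, 1_000_000),
    Risk("user error", "no backups of shared drive", 0.25, 8_000),
]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.threat:<12} {r.vulnerability:<36} "
              f"expected loss ${risk_score(r):>10,.0f}  band={qualitative_band(r)}")
    choice, table = disposition(REGISTER[1], control_cost=15_000,
                                residual_probability=0.10, residual_impact=20_000,
                                transfer_premium=30_000)
    print("laptop theft:", choice, table)
```

The cost table returned by `disposition` is the part worth keeping: slide 27 asks that decisions be documented, and a record of what each option would have cost is what lets a Risk Management Committee revisit an Accept decision once probabilities or impacts change.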
26. Ineffective Risk Mitigation

27. Evaluate and Act
   - Risk Management Committee or SMT
   - Document decisions
   - Get it done!

28. Frameworks for Risk Management
   - Carnegie Mellon (CMU SEI): software
   - NIST/FISMA: information systems
   - CRESP (Consortium for Risk Evaluation with Stakeholder Participation): nuclear
   - COSO (Committee Of Sponsoring Organizations): info systems
   - COBIT: Control Objectives for IT
   - SOMAP (Security Officers Management & Analysis Project): Open Information Security RM Handbook
   - OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
   - Commercial: many

29. Treasury Board of Canada
   - Integrated Risk Management Framework (2001)
   - "Risk-Smart" Workforce and Environment
   - 4 Elements:
     - Develop Risk Profile
     - Establish organizational function
     - Practice and integrate
     - Ensure continuous learning

30. Security and Risk Management
   - Security is a subset of Risk Management
   - RM -> Security Solutions -> Compliance
   - Security/Business balance
   - Act on appropriate risks
   - Consider the "costs"

31. At DHS
   - Information Risk Management at DHS
   - Based on elements of NIST, COBIT and OCTAVE
   - SLM: Security Lifecycle Management
   - Information Policy, Awareness and Compliance
   - Business Continuity Planning

32. Resources
   - Information Risk Management at DHS
   - CMU SEI –
   - COBIT – /cobit
   - COSO –
   - CRESP –
   - NIST/FISMA –
   - SOMAP –
   - OCTAVE – /octave
   - Prof. John Adams – john-

33. Discussion?