Mastering Information Technology Risk Management
Goutama Bachtiar, Technology Advisor, Auditor, Consultant
www.linkedin.co...
Risk Evaluation
• Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms
...
Risk Evaluation (cont’d)
• RE3 Maintain Risk Profile
RE3.1 Map IT resources to business processes
RE3.2 Determine busines...
Risk Evaluation (cont’d)
• RE2 Analyze Risk
RE2.1 Define IT risk analysis scope
RE2.2 Estimate IT risk
RE2.3 Identify risk...
Risk Response
• Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and ...
Risk Response (cont’d)
• RR2 Manage Risk
RR2.1 Inventory controls
RR2.2 Monitor operational alignment with risk tolerance ...
Risk Response (cont’d)
• RR3 React to Events
RR3.1 Maintain incident response plans
RR3.2 Monitor IT risk
RR3.3 Initiate i...
Risk/Response Definition
The purpose of defining a risk response is to bring risk in line with the defined risk tolerance ...
Risk IT Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to ma...
Risk IT Evaluation
• The link between IT risk scenarios and ultimate business impact needs to be established to understand...
Risk IT Scenarios
• The heart of the risk evaluation process
• Scenarios can be derived in two different and complementary wa...
Risk IT Response
• Risk avoidance, exiting the activities that give rise to the risk
• Risk mitigation, adopting measures ...
Relationship with ISACA Frameworks
• Risk IT Framework complements ISACA’s COBIT
• COBIT provides a comprehensive framewor...
Relationship with ISACA Frameworks (cont’d)
• Risk IT sets good practices for the ends by providing a framework for enterp...
Relationship With Other Frameworks
• Risk IT accepts Factor Analysis of Information Risk terminology and evaluation process...
Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 based o...
Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management stan...
CRAMM Information Security Risk Toolkit
• Provides a staged and disciplined approach towards IT risk assessment
Source: htt...
CRAMM Information Security Risk Toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threa...
CERT OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation Framework by Software Engineering Institute...
CERT OCTAVE (diagram slide)
CERT OCTAVE (diagram slide)
Software Risk Management
Understanding Risks in the Systems Development Life Cycle
• Business Application Development
• Alternative Software Developme...
Business Application Development
An Individual Application or Project is Initiated by
• A new opportunity that relates to ...
Business Application Development
Roles and Responsibilities of Groups and Individuals
• Senior manageme...
Business Application Development
Risks Associated with Software Development
• Potential risks exist when poor or inadequat...
Business Application Development
Structured Analysis, Design, and Development Techniques
• Develop system context diagrams...
Traditional System Development Life Cycle (SDLC) Approach
Phase 1 - Feasibility Study
• Define a time frame
• Determine an...
Business Application Development
Phase 2 - Requirements Definition
• Identify and consult stakeholders to determine their ...
Traditional System Development Life Cycle (SDLC) Approach
Software Acquisition
• Decision made to acquire not...
Traditional System Development Life Cycle (SDLC) Approach
Phase 3 - Design
• User involvement
• Key design activities
• So...
Traditional System Development Life Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing
• Elements of a soft...
Traditional System Development Life Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing (continued)
• Other ...
Traditional System Development Life Cycle (SDLC) Approach
Phase 5 - Implementation
• Planning for implementation
• Formal ...
Alternative Software Development Strategies
• Data-Oriented System Development
• Object-Oriented System Development
• Componen...
Logical Access Exposures and Controls
Remote access security risks include:
• Den...
Remote access security controls include:
...
Logical Access Exposures and Controls
Remote access using personal digital assistants (PDAs): control issues to address inc...
Logical Access Exposures and Controls
Authorization Issues
• Access issues with mobile technology
• These devices should b...
Logical Access Exposures and Controls
Authorization Issues
• Audit logging in monitoring system access
• Access rights to ...
Logical Access Exposures and Controls
Authorization Issues
• Audit logging in monitoring system access
• Cost consideratio...
Risk in Change Control and Management
Information Systems Maintenance Practices
Change Management Process Overview - POSB Lucky Draw Fraud Case
• Deploying chan...
Information Systems Maintenance Practices
Configuration Management
Library Control Software
• Executable and source code i...
Network Risk Management
Network Infrastructure Security
LAN Security
• Local area networks facilitate the storage and retrieval of programs and d...
Network Infrastructure Security
Client-Server Security
• Control techniques in place
• Securing access to data or applicat...
Network Infrastructure Security
Internet Threats and Security
Passive attacks
• Network analysis
• Eavesdropping (Video: W...
Network Infrastructure Security
Internet Threats and Security
• Threat impact
• Loss of income
• Increased cost of recover...
Network Infrastructure Security
Internet Threats and Security
• Causal factors for internet attacks
• Availability of tool...
Network Infrastructure Security
Firewall Security Systems
• Examples of firewall implementations
• Screened-host firewall
...
Network Infrastructure Security
Intrusion Detection Systems (IDS)
An IDS works in conjunction with routers and firewalls by...
Network Infrastructure Security
Types of Intrusion Detection Systems (IDS)
• Signature-based
• Statistical-based
• Neural ...
Network Infrastructure Security
Intrusion Detection Systems (IDS)
• Limitations:
• Weaknesses in the policy definition
• A...
Network Infrastructure Security
Encryption
• Key elements of encryption systems
• Encryption algorithm
• Encryption key
• ...
Network Infrastructure Security
Encryption (Continued)
• Digital signatures
• Data integrity
• Authentication
• Nonrepudia...
Network Infrastructure Security
Encryption (Continued)
• Use of encryption in OSI protocols
• Secure sockets layer (SSL)
• ...
Project Risk Management
PRM Processes
• Planning how risk is managed within a particular project
• Plans include risk management tasks, responsibili...
PRM Processes (cont’d)
• Creating an anonymous risk reporting channel
• Each team member should have the possibility to repor...
Q&A
THANK YOU!
This is the presentation slide deck used as part of the courseware when delivering the Information Technology Risk Management training workshop in May 2013.

1. Mastering Information Technology Risk Management
Goutama Bachtiar, Technology Advisor, Auditor, Consultant
www.linkedin.com/in/goutama
May 2013
2. Trainer Profile
• 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
• VP - Head of Information Technology at Roligio Group
• Advisor at Global Innovations and Technology Platform
• Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
• Program Evaluator at Project Management Institute
• Microsoft Faculty Fellow
• Columnist and contributor at ZDNet Asia, e27.co, Forbes Indonesia, DetikINET and InfoKomputer among others
3. Risk Management
4. Definition
• Risk is the effect of uncertainty on objectives, whether positive or negative
• Risk Management: identification, assessment, and prioritization of risks
• Involves coordination and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities
ValueConsult IT Risk Management 4
5. Sources
• Uncertainty in financial markets
• Project failures (at any phase in design, development, production, or sustainment life-cycles)
• Legal liabilities
• Credit risk
• Accidents
• Natural causes and disasters
• Deliberate attack from an adversary
• Uncertain or unpredictable root-cause
• Others…
6. Ideal Risk Management
• Prioritizing risks with the greatest loss (or impact) and the greatest probability of occurrence
• Risks with lower probability of occurrence and lower loss are handled in descending order
• In practice the process of assessing overall risk can be difficult
• Balancing the resources used to mitigate between risks with high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled
7. Intangible Risk Management
• Identifying a new type of risk with 100% probability of occurring that is ignored by the organization due to lack of identification ability
• For example, when deficient knowledge is applied to a situation, a knowledge risk materializes
• Relationship risk appears when ineffective collaboration occurs
• These risks directly reduce the productivity of knowledge workers, and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality
• Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity
8. Risk Management Methodology
• Identify and characterize threats
• Assess vulnerability of critical assets to specific threats
• Determine likelihood and impact of the risks
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy
9. Risk Management Principles
• Create value: resources expended to mitigate risk should be less than the consequence of inaction (the gain should exceed the pain)
• Be an integral part of organizational processes
• Be part of the decision making process
• Explicitly address uncertainty and assumptions
• Be systematic and structured
10. Risk Management Principles (cont’d)
• Be based on the best available information
• Be tailorable
• Take human factors into account
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed
11. Risk Management Process
• ISO 31000
  1. Establishing the context
    • identification of risk in a selected domain of interest
    • planning the remainder of the process
    • mapping out
      – the social scope of risk management
      – the identity and objectives of stakeholders
      – the basis upon which risks will be evaluated, constraints
    • defining a framework for the activity and an agenda for identification
    • developing an analysis of risks involved in the process
    • mitigation or solution of risks using available technological, human and organizational resources
  2. Identification: source and problem analysis
  3. Assessment
12. Risk Options
• Design a new business process with adequate built-in risk control and containment measures from the start
• Periodically re-assess risks accepted in ongoing processes as a normal feature of business operations and modify mitigation measures
• Transfer risks to an external agency (insurance company, etc.)
• Avoid risks altogether (i.e. closing down a particular high-risk business unit/department)
13. Risk Response
• Avoidance: eliminate, withdraw from or not become involved
• Reduction: optimize, mitigate
• Sharing: transfer, outsource or insure
• Retention: accept and budget
14. Risk Management Plan
• Select appropriate controls or countermeasures to measure each risk
• Propose applicable and effective security controls for managing the risks
• Contain a schedule for control implementation and responsible persons for those actions
• Approval from the appropriate level of management for risk mitigation
15. Risk Management Plan (cont’d)
• According to ISO/IEC 27001, after risk assessment prepare a Risk Treatment Plan (document the decisions about how each of the identified risks should be handled)
• Mitigation of risks often means selection of security controls; it should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why
• Implementation follows all of the planned methods for mitigating the effect of the risks
16. Risk Management Plan (cont’d)
• Initial risk management plans will never be perfect
• Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced
• Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:
  – To evaluate whether the previously selected security controls are still applicable and effective
  – To evaluate the possible risk level changes in the business environment
17. Risk Management Challenges
• Prioritizing risk management processes too highly could keep an organization from ever completing a project or even getting started
• Do differentiate between risk and uncertainty: risk can be measured as impact x probability
• If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur
• Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably
• Unlikely events do occur, but if a risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does occur
• Qualitative risk assessment is subjective and lacks consistency
• The primary justification for a formal risk assessment process is legal and bureaucratic
18. Enterprise Risk Management
19. Definition
• Methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives
• Its framework involves
  – Identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities)
  – Assessing them in terms of likelihood and magnitude of impact
  – Determining a response strategy
  – Monitoring progress and assurance
20. Definition (cont’d)
• In short, ERM is a risk-based approach to managing a company, corporation or enterprise, integrating the concepts of internal control, the Sarbanes-Oxley Act (for U.S. corporations) and strategic planning
21. Benefits
• Identifying and addressing risks and opportunities proactively
• The company or business will protect and create value for its stakeholders such as owners, employees, customers, regulators, and society in general
22. ERM Framework
• Known as Risk Response Strategy:
  – Avoidance: exiting the activities giving rise to risk
  – Reduction: taking action to reduce the likelihood or impact related to the risk
  – Alternative Actions: deciding and considering other feasible steps to minimize risks
  – Share or Insure: transferring or sharing a portion of the risk, to finance it
  – Accept: no action is taken, due to a cost or benefit decision
23. Risk Types and Examples
• Hazard risk: liability torts, property damage, natural catastrophe
• Financial risk: pricing risk, asset risk, currency risk, liquidity risk
• Operational risk: customer satisfaction, product failure, integrity, reputational risk
• Strategic risk: competition, social trend, capital availability
24. ERM Processes
• Establishing Context: understanding the current conditions in which the organization operates in an internal, external and risk management context
• Identifying Risks: documenting material threats to the organization’s achievement of its objectives and representation of areas the organization may exploit for competitive advantage
• Analyzing/Quantifying Risks: creating probability distributions of outcomes for each material risk
25. ERM Processes (cont’d)
• Integrating Risks: aggregating all risk distributions, reflecting correlations and portfolio effects, formulating results of impact on company key performance metrics
• Assessing or Prioritizing Risks: determining the contribution of each risk to the aggregate risk profile, and doing prioritization
• Treating or Exploiting Risks: crafting strategies for controlling and exploiting various risks
• Monitoring and Reviewing: measuring and monitoring the risk environment and the performance of risk management strategies
26. ERM Objectives
• Companies manage risks and have various departments or functions ("risk functions") that identify and manage particular risks
• Each risk function varies in capability and how it coordinates with other risk functions
• The main goal and challenge is improving this capability, coordination and integration of output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage enterprise risks effectively
27. ERM Challenges
• Identifying executive sponsors
• Establishing a common risk language or glossary
• Describing the enterprise’s risk appetite (take or not)
• Identifying and describing risks in a risk inventory
• Implementing a risk-ranking methodology to prioritize risks within and across functions
• Setting up a Risk Committee and/or Chief Risk Officer to coordinate certain activities of the entire set of risk functions
28. ERM Challenges (cont’d)
• Establishing ownership for particular risks and responses
• Calculating cost-benefit analysis of the risk management effort
• Developing action plans to ensure risks are appropriately managed
• Developing consolidated reporting for various stakeholders
• Monitoring results of actions taken in mitigating risk
• Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities
• Developing a technical ERM framework that enables secure participation by third parties and remote employees
29. Risk Functions
• Strategic planning: identifying external threats and competitive opportunities, along with strategic initiatives to address them
• Marketing: understanding the target customer to ensure product or service alignment with its requirements
• Compliance & Ethics: monitoring compliance with the code of conduct and directing fraud investigations
• Accounting / Financial compliance: complying with Sarbanes-Oxley, which identifies financial reporting risks
30. Risk Functions (cont’d)
• Law Department: managing litigation and analyzing emerging legal trends that impact the organization
• Insurance: ensuring proper insurance coverage for the organization
• Treasury: ensuring cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
• Operational Quality Assurance: verifying operational output is tolerable
31. Risk Functions (cont’d)
• Operations management: ensuring the business runs day-to-day and related barriers are surfaced for resolution
• Credit: ensuring any credit provided to customers is appropriate to their ability to pay
• Customer service: ensuring customer complaints are handled promptly and root causes are reported to operations for resolution
• Internal audit: evaluating the effectiveness of the entire set of risk functions and recommending improvements
32. Internal Audit Role
• Besides IT Audit, internal audit plays an important role in evaluating the organization’s risk management processes and advocating continued improvement
• Should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function
• Performs an annual risk assessment of the enterprise
• Develops the audit engagement plan
• Involves review of various risk assessments performed by the enterprise: strategic plans, competitive benchmarking, and SOX top-down risk assessment
• Considers prior audits, and interviews a variety of senior management
33. IT Risk Management
34. IT Risk Concept
• Part of business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
• Consists of IT-related events that could potentially impact the business
• Occurs with uncertain frequency and magnitude
• It creates challenges in meeting strategic goals and objectives
• Due to IT’s importance to the overall business, IT risk should be treated like other key business risks
35. Risk IT Framework
• Framework
  – Integrate the management of IT risk with the overall ERM
  – Compare assessed IT risk with the risk appetite and risk tolerance of the organization
  – Understand how to manage the risk
36. Risk IT Categories
• IT Benefit/Value enabler: missed opportunity to increase business value by IT-enabled or improved processes
• IT Program/Project delivery: related to the management of IT-related projects intended to enable or improve business
• IT Operation and Service Delivery: day-by-day IT operations and service delivery that can bring issues and inefficiency to the business operations of an organization
37. Risk Assessment
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• IT Risk Assessment Frameworks
  – CRAMM Information Security Toolkit
  – OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
38. IT Risk Assessment
• Definition of risk assessment: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
39. IT Risk Assessment
• Components of risk assessment:
  – Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
  – Impact on assets based on threats and vulnerabilities
  – Probabilities of threats (combination of the likelihood and frequency of occurrence)
  40. 40. ISACA Risk IT
  41. 41. ISACA Risk IT Risk IT: A Balance is Essential • Risk and value are two sides of the same coin. • Risk is inherent to all enterprises. BUT Enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk. ValueConsult IT Risk Management 41
42. Risk IT Extends Val IT and COBIT
Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
ValueConsult IT Risk Management 42
43. IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
44. Guiding Principles of Risk IT
• Always connect to enterprise objectives.
• Align the management of IT-related business risk with overall enterprise risk management.
• Balance the costs and benefits of managing risk.
• Promote fair and open communication of IT risk.
45. Guiding Principles of Risk IT
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
• Understand that this is a continuous process and an important part of daily activities.
46. Key Risk IT Content: The “What”
Key content of the Risk IT framework includes:
• Risk management essentials
• In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
• In Risk Evaluation: describing business impact and risk scenarios
• In Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation
• A section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
47. Key Risk IT Content: The “What”
• Process model sections that contain:
  – Descriptions
  – Input-output tables
  – RACI (Responsible, Accountable, Consulted, Informed) tables
  – Goals and metrics tables
• A maturity model for each domain
• Appendices:
  – Reference materials
  – High-level comparison of Risk IT to other risk management frameworks and standards
  – Glossary
48. IT Risk Communication
IT risk communication flows are:
– Expectation
  • What the organization expects as the final result
  • What the expected behaviour of employees and management is
  • Encompasses strategy, policies, procedures and awareness training
– Capability
  • Indicates how well the organization is able to manage the risk
– Status
  • Information on the actual status of IT risk
  • Encompasses the risk profile of the organization, key risk indicators, events and root causes of loss events
49. IT Risk Communication (cont’d)
Effective information should be:
• Clear
• Concise
• Useful
• Timely
• Aimed at the correct target audience
• Available on a need-to-know basis
50. Risk IT Three Domains
51. Risk Governance
• Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
• RG1 Establish and Maintain a Common Risk View
  – RG1.1 Perform enterprise IT risk assessment
  – RG1.2 Propose IT risk tolerance thresholds
  – RG1.3 Approve IT risk tolerance
  – RG1.4 Align IT risk policy
  – RG1.5 Promote IT risk-aware culture
  – RG1.6 Encourage effective communication of IT risk
52. Risk Governance (cont’d)
• RG2 Integrate With ERM
  – RG2.1 Establish and maintain accountability for IT risk management
  – RG2.2 Coordinate IT risk strategy and business risk strategy
  – RG2.3 Adapt IT risk practices to enterprise risk practices
  – RG2.4 Provide adequate resources for IT risk management
  – RG2.5 Provide independent assurance over IT risk management
53. Risk Governance (cont’d)
• RG3 Make Risk-aware Business Decisions
  – RG3.1 Gain management buy-in for the IT risk analysis approach
  – RG3.2 Approve IT risk analysis
  – RG3.3 Embed IT risk consideration in strategic business decision making
  – RG3.4 Accept IT risk
  – RG3.5 Prioritize IT risk response activities
54. Risk Evaluation
• Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms
• RE1 Collect Data
  – RE1.1 Establish and maintain a model for data collection
  – RE1.2 Collect data on the operating environment
  – RE1.3 Collect data on risk events
  – RE1.4 Identify risk factors
55. Risk Evaluation (cont’d)
• RE3 Maintain Risk Profile
  – RE3.1 Map IT resources to business processes
  – RE3.2 Determine business criticality of IT resources
  – RE3.3 Understand IT capabilities
  – RE3.4 Update risk scenario components
  – RE3.5 Maintain the IT risk register and IT risk map
  – RE3.6 Develop IT risk indicators
56. Risk Evaluation (cont’d)
• RE2 Analyze Risk
  – RE2.1 Define IT risk analysis scope
  – RE2.2 Estimate IT risk
  – RE2.3 Identify risk response options
  – RE2.4 Perform a peer review of IT risk analysis
57. Risk Response
• Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities
• RR1 Articulate Risk
  – RR1.1 Communicate IT risk analysis results
  – RR1.2 Report IT risk management activities and state of compliance
  – RR1.3 Interpret independent IT assessment findings
  – RR1.4 Identify IT-related opportunities
58. Risk Response (cont’d)
• RR2 Manage Risk
  – RR2.1 Inventory controls
  – RR2.2 Monitor operational alignment with risk tolerance thresholds
  – RR2.3 Respond to discovered risk exposure and opportunity
  – RR2.4 Implement controls
  – RR2.5 Report IT risk action plan progress
59. Risk Response (cont’d)
• RR3 React to Events
  – RR3.1 Maintain incident response plans
  – RR3.2 Monitor IT risk
  – RR3.3 Initiate incident response
  – RR3.4 Communicate lessons learned from risk events
60. Risk Response Definition
The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis. In other words, a response needs to be defined such that future residual risk (= current risk with the risk response defined and implemented) is as far as possible (usually depending on the budget available) within risk tolerance limits.
61. Risk IT Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to manage IT-related risks
• Understanding of how to capitalise on the investment made in an IT internal control system already in place
• Integration with the overall risk and compliance structures within the enterprise
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organisation
• Complete risk profile to better understand risk
62. Risk IT Evaluation
• The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events
• Risk IT prescribes different methods:
  – COBIT information criteria
  – Balanced scorecard
  – Extended balanced scorecard
  – Westerman
  – COSO
  – Factor Analysis of Information Risk
63. Risk IT Scenarios
• The heart of the risk evaluation process
• Scenarios can be derived in two different and complementary ways:
  – A top-down approach from the overall business objectives to the most likely risk scenarios that can impact them
  – A bottom-up approach where a list of generic risk scenarios is applied to the organization’s situation
• Each risk scenario is analyzed by determining frequency and impact, based on the risk factors
64. Risk IT Response
• Risk avoidance: exiting the activities that give rise to the risk
• Risk mitigation: adopting measures to detect, reduce the frequency and/or impact of the risk
• Risk transfer: transferring part of the risk to others, by outsourcing dangerous activities or by insurance
• Risk acceptance: deliberately running the risk that has been identified, documented and measured
• Key risk indicators: metrics capable of showing that the organization is subject, or has a high probability of being subject, to a risk exceeding the defined risk appetite
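The scoring steps described on slides 60, 63 and 64 (frequency × impact per scenario, residual risk measured against the enterprise tolerance once a response is in place, the four response options, and key risk indicators compared with appetite thresholds) carried through in working code. This is an added example, not material from the original deck or from ISACA's Risk IT; the 1-5 ordinal scales, the heat-map cut-offs, the tolerance value, and the sample scenarios and KRI readings are constructed assumptions.

```python
"""Risk register: frequency x impact scoring, response options, residual risk vs tolerance,
and key risk indicator checks. Added example; scales, thresholds and sample data are
constructed assumptions, not Risk IT prescriptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed 1-5 ordinal scales (assumption).
FREQUENCY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "frequent"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RESPONSES = ("avoid", "mitigate", "transfer", "accept")   # the four options on slide 64


def _check_scale(value: int, scale: Dict[int, str], name: str) -> None:
    if value not in scale:
        raise ValueError(f"{name} must be one of {sorted(scale)}, got {value!r}")


@dataclass
class RiskScenario:
    title: str
    frequency: int                              # inherent frequency, 1-5
    impact: int                                 # inherent impact, 1-5
    response: str = "accept"
    residual_frequency: Optional[int] = None    # frequency once the response is in place
    residual_impact: Optional[int] = None       # impact once the response is in place

    def __post_init__(self) -> None:
        _check_scale(self.frequency, FREQUENCY_SCALE, "frequency")
        _check_scale(self.impact, IMPACT_SCALE, "impact")
        if self.response not in RESPONSES:
            raise ValueError(f"response must be one of {RESPONSES}, got {self.response!r}")
        if self.residual_frequency is not None:
            _check_scale(self.residual_frequency, FREQUENCY_SCALE, "residual_frequency")
        if self.residual_impact is not None:
            _check_scale(self.residual_impact, IMPACT_SCALE, "residual_impact")

    def inherent_score(self) -> int:
        """Frequency x impact before any response (slide 63)."""
        return self.frequency * self.impact

    def residual_score(self) -> int:
        """Risk remaining with the response defined and implemented (slide 60).
        Avoidance exits the activity, so nothing of the scenario remains; acceptance
        changes nothing; mitigation and transfer use the reduced values supplied."""
        if self.response == "avoid":
            return 0
        freq = self.frequency if self.residual_frequency is None else self.residual_frequency
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return freq * imp


def rating(score: int) -> str:
    """Heat-map band for a 1-25 score (constructed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def above_tolerance(register: List[RiskScenario], tolerance: int) -> List[str]:
    """Scenarios whose residual risk still exceeds the enterprise tolerance score."""
    return [s.title for s in register if s.residual_score() > tolerance]


def kri_breaches(indicators: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Key risk indicators at or beyond the threshold tied to risk appetite (slide 64)."""
    return sorted(k for k, v in indicators.items() if k in thresholds and v >= thresholds[k])


def summarize(register: List[RiskScenario]) -> List[Tuple[str, int, str, int, str]]:
    """(title, inherent score, inherent band, residual score, residual band) per scenario."""
    return [(s.title, s.inherent_score(), rating(s.inherent_score()),
             s.residual_score(), rating(s.residual_score())) for s in register]


# Constructed sample register and KRI readings (not real data).
SAMPLE_REGISTER = [
    RiskScenario("Core banking outage during month-end batch", 3, 5, "mitigate",
                 residual_frequency=1, residual_impact=4),
    RiskScenario("Unpatched internet-facing web server compromised", 4, 4, "mitigate",
                 residual_frequency=2),
    RiskScenario("Legacy payroll module fails on OS upgrade", 2, 3, "accept"),
    RiskScenario("Data-centre fire", 1, 5, "transfer", residual_impact=2),
    RiskScenario("Running an unsupported file-transfer service", 3, 4, "avoid"),
]
SAMPLE_KRIS = {"patches_overdue_pct": 18.0, "privileged_accounts_without_mfa": 3,
               "failed_change_rate_pct": 4.0}
SAMPLE_KRI_THRESHOLDS = {"patches_overdue_pct": 10.0, "privileged_accounts_without_mfa": 1,
                         "failed_change_rate_pct": 5.0}
TOLERANCE = 6   # constructed: residual scores above this need further treatment

if __name__ == "__main__":
    for row in summarize(SAMPLE_REGISTER):
        print("%-50s inherent %2d (%s)  residual %2d (%s)" % row)
    print("Still above tolerance:", above_tolerance(SAMPLE_REGISTER, TOLERANCE))
    print("KRI breaches:", kri_breaches(SAMPLE_KRIS, SAMPLE_KRI_THRESHOLDS))
```

The register separates inherent from residual scoring so that the response decision is visible: the web-server scenario stays at a medium residual score of 8 after mitigation and is the only one still above the tolerance of 6, while the avoided scenario drops to zero because the activity itself is withdrawn. The KRI check is the monitoring side of the same tolerance: two of the three constructed indicators sit beyond their appetite thresholds and would be escalated.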
65. Relationship with ISACA Frameworks
• The Risk IT Framework complements ISACA’s COBIT
• COBIT provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services
• COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk
66. Relationship with ISACA Frameworks (cont’d)
• Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk
• Val IT allows business managers to get business value from IT investments by providing a governance framework
• Val IT can be used to evaluate the actions determined by the risk management process
67. Relationship With Other Frameworks
• Risk IT accepts the Factor Analysis of Information Risk terminology and evaluation process
• ISO/IEC 27005: comparison of Risk IT processes with those foreseen by the ISO/IEC 27005 standard
• ISO 31000: The Risk IT Practitioner Guide, appendix 2
• COSO: The Risk IT Practitioner Guide, appendix 4
68. Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 is based on BS7799 by the British Standards Institution
• Adopts the “plan-do-check-act” process model
• Information Security Management System (ISMS) standard (ISO/IEC 27001)
• Formal specification that mandates specific requirements
• Adoption of ISO/IEC 27001 allows for formal audit and certification to an explicit standard
• Risk management based on ISO/IEC 27000 standards
69. Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management standard
• Does not specify, recommend or name any specific risk analysis method
• Does specify a structured, systematic and rigorous process, from analysing risks to creating the risk treatment plan
70. CRAMM
Information security risk toolkit
• Provides a staged and disciplined approach towards IT risk assessment
Source: http://www.cramm.com/overview/howitworks.htm
71. CRAMM
Information security risk toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation
72. CERT OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Framework by the Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities and outputs
  – Phase 1: Build asset-based threat profiles
  – Phase 2: Identify infrastructure vulnerabilities
  – Phase 3: Develop security strategy and plans
• Self-directed information security risk evaluation
• Analysis team includes people from business units and the IT department
73. CERT OCTAVE
74. CERT OCTAVE
75. Software Risk Management
76. Understanding Risks in the Systems Development Life Cycle
• Business Application Development
• Alternative Software Development Strategies
• Information Systems Maintenance Practices
• Project Management Practices
• System Development Tools and Productivity Aids
• Software Development Process Improvement Practices
• Auditing Systems Development, Acquisition and Maintenance
77. Business Application Development
An individual application or project is initiated by:
• A new opportunity that relates to a new or existing business process
• A problem that relates to an existing business process
• A new opportunity that will enable the organization to take advantage of technology
• A problem with the current technology
Traditional Systems Development Life Cycle phases:
• Phase 1—Feasibility
• Phase 2—Requirements definition
• Phase 3—Design
• Phase 4—Development
• Phase 5—Implementation
78. Business Application Development
Roles and responsibilities of groups and individuals:
• Senior management
• User management
• Project steering committee
• Project sponsor
• Systems development management
• Project manager
• Systems development project team
• User project team
• Security officer
• Quality assurance
79. Business Application Development
Risks associated with software development:
• Potential risks exist when poor or inadequate SDLC methodologies are utilized
• Systems designed using a poor methodology may not meet the users’ needs and often exceed the limits of financial resources
• Merely following a methodology does not ensure the success of a development project
80. Business Application Development
Structured analysis, design, and development techniques:
• Develop system context diagrams
• Perform hierarchical data flow/control flow decomposition
• Develop control transformations
• Develop mini-specifications
• Develop data dictionaries
• Define all external events—inputs from the external environment
• Define single transformation data flow diagrams for each external event
81. Traditional System Development Life Cycle (SDLC) Approach
Phase 1 - Feasibility Study
• Define a time frame
• Determine an optimum alternative/solution in meeting business needs and general information resource requirements or estimates
• Determine if an existing system can correct the situation with slight or no modification
• Determine if a vendor product offers a solution
• Determine the approximate cost
• Determine if the solution fits the business strategy
82. Business Application Development
Phase 2 - Requirements Definition
• Identify and consult stakeholders to determine their expectations
• Analyze requirements to detect and correct conflicts and determine priorities
• Identify system bounds and how the system should interact with its environment
• Convert user requirements into system requirements
• Record requirements in a structured format
• Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable
• Resolve conflicts between stakeholders
• Resolve conflicts between the requirements set and the resources that are available
83. Traditional System Development Life Cycle (SDLC) Approach
Software Acquisition
• Decision made to acquire, not develop
• Occurs after the Requirements phase
• Request for proposal (RFP) contents
• Topics of discussion with users about vendors
• Contract contents
• Contract management
Integrated Resource Management Systems
• Fully integrated corporate solution
• SAP, PeopleSoft, Oracle Financials, etc.
• Impact on the way the corporation does business
• Need to conduct an impact and risk assessment
84. Traditional System Development Life Cycle (SDLC) Approach
Phase 3 - Design
• User involvement
• Key design activities
• Software baselining
• End of design phase
Phase 4 - Development
• Key activities
• Programming methods and techniques
• On-line programming facilities (Integrated Development Environment - IDE)
• Programming languages
  – High-level
  – Object-oriented
  – Scripting [such as SH (shell), Perl, Tcl, Python, JavaScript and VBScript]
  – Low-level assembler
  – Fourth generation
  – Decision support or expert systems
• Program debugging
85. Traditional System Development Life Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing
  – Elements of a software testing process
    • Test plan
    • Conduct and report test results
    • Address outstanding issues
  – General testing levels
    • Unit testing
    • Interface or integration testing
    • System testing
    • Final acceptance testing
86. Traditional System Development Life Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing (continued)
  – Other types of testing - related terminology
    • Alpha and beta testing
    • Pilot testing
    • White-box testing
    • Black-box testing
    • Function/validation testing
    • Regression testing
    • Parallel testing
    • Sociability testing
    • Automated application testing
87. Traditional System Development Life Cycle (SDLC) Approach
Phase 5 - Implementation
• Planning for implementation
• Formal plan
• Data conversion
• Acceptance testing
• Certification and accreditation process
Post-Implementation Review
• Assess adequacy
• Evaluate projected cost benefits
• Develop recommendations
• Develop an action plan
• Assess the development project process
88. Alternative Software Development Strategies
• Data-Oriented System Development
• Object-Oriented System Development
• Component-Based Development
• Web-Based Application Development
• Prototyping
• Rapid Application Development (RAD)
• Agile Development
• Reengineering
• Reverse Engineering
89. Logical Access Exposures and Controls
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers
Remote access security controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of VPN
• System and network management
90. Logical Access Exposures and Controls
Remote access using personal digital assistants (PDAs): control issues to address include:
• Compliance
• Approval
• Standard PDA applications
• Due care
• PDA applications
• Synchronization
• Encryption
• Virus detection and control
91. Logical Access Exposures and Controls
Authorization Issues
• Access issues with mobile technology
  – These devices should be strictly controlled both by policy and by denial of use. Possible actions include:
    • Banning all use of transportable drives in the security policy
    • Where no authorized use of USB ports exists, disabling use with a logon script which removes them from the system directory
    • If they are considered necessary for business use, encrypting all data transported or saved by these devices
• Audit logging in monitoring system access
  – Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID
92. Logical Access Exposures and Controls
Authorization Issues
• Audit logging in monitoring system access
  – Access rights to system logs
  – A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours
  – Tools for audit trail (log) analysis:
    • Audit reduction tools
    • Trend/variance-detection tools
    • Attack signature-detection tools
93. Logical Access Exposures and Controls
Authorization Issues
• Audit logging in monitoring system access
  – Cost consideration
  – Audit concerns:
    • Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
    • Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords
• Restrict and monitor access to computer features that bypass cost consideration
• Generally, only system software programmers should have access to:
  – Bypass label processing (BLP)
  – System exits
  – Special system logon IDs
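Slides 91 to 93 name three things a log review is meant to surface (repeated brute-force attempts against a privileged logon ID, system access during unusual hours, and the audit reduction that makes the rest of the trail small enough to read). The block below runs each of those checks over a handful of constructed access-log lines. It is an added example, not a tool from the deck or from any audit product; the log line format, the privileged-ID list, the business-hours window and the sample lines are all assumptions.

```python
"""Audit trail analysis over constructed access-log lines: audit reduction,
attack-signature detection (repeated failures on a privileged logon ID) and
unusual-hours access. Added example; the log format, privileged-ID list and
business hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PRIVILEGED_IDS = {"root", "sysadmin", "dbadmin"}      # assumption
BUSINESS_HOURS = (8, 18)                               # 08:00-17:59 local, assumption
ROUTINE_EVENTS = {"LOGIN_OK", "LOGOUT", "FILE_READ"}   # candidates for audit reduction

# Constructed log format: "<ISO timestamp> host=<h> user=<u> src=<ip> event=<E>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

# Constructed sample log (not real data); the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-04T09:02:11 host=app01 user=jsmith src=10.1.2.3 event=LOGIN_OK
2024-03-04T09:05:40 host=app01 user=jsmith src=10.1.2.3 event=FILE_READ
2024-03-04T23:41:05 host=app01 user=mlee src=10.1.2.9 event=LOGIN_OK
2024-03-05T02:13:07 host=db01 user=root src=203.0.113.5 event=LOGIN_FAILED
2024-03-05T02:13:09 host=db01 user=root src=203.0.113.5 event=LOGIN_FAILED
2024-03-05T02:13:12 host=db01 user=root src=203.0.113.5 event=LOGIN_FAILED
2024-03-05T02:13:14 host=db01 user=root src=203.0.113.5 event=LOGIN_FAILED
2024-03-05T02:13:17 host=db01 user=root src=203.0.113.5 event=LOGIN_FAILED
2024-03-05T10:30:00 host=db01 user=dbadmin src=10.1.2.20 event=LOGIN_FAILED
2024-03-05T10:31:00 host=db01 user=dbadmin src=10.1.2.20 event=LOGIN_OK
this line is malformed and is skipped
"""


def parse_log(text: str) -> List[Dict]:
    """Parse well-formed lines; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= ts.hour < end


def audit_reduce(events: List[Dict]) -> List[Dict]:
    """Audit reduction: drop routine events by ordinary users during business hours,
    keeping everything that involves privileged IDs, failures or unusual hours."""
    return [e for e in events
            if not (e["event"] in ROUTINE_EVENTS
                    and e["user"] not in PRIVILEGED_IDS
                    and in_business_hours(e["ts"]))]


def privileged_brute_force(events: List[Dict], threshold: int = 5,
                           window: timedelta = timedelta(minutes=5)
                           ) -> List[Tuple[str, str, int]]:
    """Attack-signature check: at least `threshold` failed logons on a privileged ID
    from one source inside a sliding time window. Returns (user, src, peak count)."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED" and e["user"] in PRIVILEGED_IDS:
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((user, src, peak))
    return alerts


def off_hours_logins(events: List[Dict]) -> List[Tuple[str, str]]:
    """Successful logons outside business hours, as (user, ISO timestamp)."""
    return [(e["user"], e["ts"].isoformat())
            for e in events if e["event"] == "LOGIN_OK" and not in_business_hours(e["ts"])]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    kept = audit_reduce(parsed)
    print(f"{len(parsed)} events parsed, {len(kept)} kept after audit reduction")
    print("privileged brute force:", privileged_brute_force(kept))
    print("off-hours logins:", off_hours_logins(kept))
```

On the sample, reduction removes only the two routine daytime events of an ordinary user; the five failed root logons within ten seconds from one external address meet the signature threshold, and the single late-evening logon is reported separately because it is a pattern to review rather than a proven violation. The sliding window matters: counting failures per day would also catch slow, spread-out attempts only if the threshold were lowered, which is exactly the trade-off between the two kinds of tool named on slide 92.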
94. Risk in Change Control and Management
95. Information Systems Maintenance Practices
Change Management Process Overview - POSB Lucky Draw Fraud Case
• Deploying changes
• Documentation
• Testing program changes
• Emergency changes
• Deploying changes back into production
• Change exposures (unauthorized changes)
96. Information Systems Maintenance Practices
Configuration Management
Library Control Software
• Executable and source code integrity
• Source code comparison
System Change Procedures and the Program Migration Process
• Evaluate the adequacy of the organization’s procedures
• Identify system changes
• Review documentation
• Evaluate adequacy of procedures
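The two library-control checks on slide 96, executable and source code integrity and source code comparison, are what let an auditor find the change exposures of slide 95 (changes that bypassed the change process). The block below implements both against a small program library it builds in a temporary directory: a hash manifest taken at an approved baseline, a later manifest, the classification of every difference, and a unified diff of the modified source. This is an added example rather than code from the deck or from any library-control product; the file names, contents and the simulated unauthorized edit are constructed.

```python
"""Library control checks: executable/source integrity via a SHA-256 manifest and
source code comparison. Added example; the sample program library is constructed
inside a temporary directory so the script runs offline."""
import difflib
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root (the approved baseline)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences; anything listed here did not go through the library."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def source_diff(old: str, new: str, name: str) -> str:
    """Unified diff of two versions of a source file for the change-review record."""
    return "".join(difflib.unified_diff(old.splitlines(keepends=True),
                                        new.splitlines(keepends=True),
                                        fromfile=f"baseline/{name}",
                                        tofile=f"current/{name}"))


# Constructed source versions: V2 is the simulated unauthorized edit.
PAYROLL_V1 = "def net_pay(gross, tax):\n    return gross - tax\n"
PAYROLL_V2 = "def net_pay(gross, tax):\n    return gross - tax + 1\n"


def demo() -> Dict[str, List[str]]:
    """Build a constructed program library, take a baseline, then simulate changes
    made outside the change process and report what the integrity check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "bin").mkdir()
        (root / "src" / "payroll.py").write_text(PAYROLL_V1)
        (root / "src" / "report.py").write_text("print('monthly report')\n")
        (root / "bin" / "payroll.bin").write_bytes(b"\x7fELF constructed placeholder binary")
        baseline = build_manifest(root)

        (root / "src" / "payroll.py").write_text(PAYROLL_V2)                 # modified
        (root / "src" / "unreviewed.py").write_text("print('not in library')\n")  # added
        (root / "src" / "report.py").unlink()                                 # removed
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
    print(source_diff(PAYROLL_V1, PAYROLL_V2, "src/payroll.py"))
```

The manifest comparison answers the integrity question (which files changed, appeared or vanished since the approved baseline) without needing the old contents, which is what makes it practical for compiled executables; the source comparison then shows exactly what changed in the one file whose history is available. In practice the baseline manifest is itself the artefact to protect, since an attacker who can rewrite it can hide a change, so it belongs with the change records rather than on the production host.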
97. Network Risk Management
98. Network Infrastructure Security
LAN Security
• Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.
• LAN risks and issues
• Dial-up access controls
99. Network Infrastructure Security
Client-Server Security
• Control techniques in place
  – Securing access to data or applications
  – Use of network monitoring devices
  – Data encryption techniques
  – Authentication systems
  – Use of application-level access control programs
• Client/server risks and issues
  – Access controls may be weak in a client-server environment
  – Change control and change management procedures
  – The loss of network availability may have a serious impact on the business or service
  – Obsolescence of the network components
  – The use of modems to connect the network to other networks
  – The connection of the network to public switched telephone networks may be weak
  – Changes to systems or data
  – Access to confidential data and data modification may be unauthorized
  – Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing
100. Network Infrastructure Security
Internet Threats and Security
Passive attacks
• Network analysis
• Eavesdropping (Video: Wireshark Wireless Password Sniffing)
• Traffic analysis
Active attacks
• Brute-force attack
• Masquerading
• Packet replay
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing
101. Network Infrastructure Security
Internet Threats and Security
• Threat impact
  – Loss of income
  – Increased cost of recovery
  – Increased cost of retrospectively securing systems
  – Loss of information
  – Loss of trade secrets
  – Damage to reputation
  – Legal and regulatory noncompliance
  – Failure to meet contractual commitments
  – Legal action by customers for loss of confidential data
102. Network Infrastructure Security
Internet Threats and Security
• Causal factors for Internet attacks
  – Availability of tools and techniques on the Internet
  – Lack of security awareness and training
  – Exploitation of security vulnerabilities
  – Inadequate security over firewalls
• Internet security controls
Firewall Security Systems
• Firewall general features
• Firewall types
  – Router packet filtering
  – Application firewall systems
  – Stateful inspection
103. Network Infrastructure Security
Firewall Security Systems
• Examples of firewall implementations
  – Screened-host firewall
  – Dual-homed firewall
  – Demilitarized zone (DMZ)
Firewall issues
• A false sense of security
• The circumvention of firewalls
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies
104. Network Infrastructure Security
Intrusion Detection Systems (IDS)
An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.
• Network-based IDSs
• Host-based IDSs
Components:
• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface
105. Network Infrastructure Security
Types of Intrusion Detection Systems (IDS)
• Signature-based
• Statistical-based
• Neural networks
Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management
106. Network Infrastructure Security
Intrusion Detection Systems (IDS)
• Limitations:
  – Weaknesses in the policy definition
  – Application-level vulnerabilities
  – Backdoors into applications
  – Weaknesses in identification and authentication schemes
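Slide 105 lists signature-based and statistical-based detection as two IDS types without showing how they differ in what they catch and miss. The block below is an added example, not code from the deck or from any IDS product: the analyzer side of a network IDS fed with constructed flow records, running a small signature rule set alongside a per-source statistical baseline. The rule set, the baseline traffic, the detection-window records and the z-score threshold are all assumptions.

```python
"""Signature-based and statistical-based detection over constructed flow records.
Added example; the rules, baseline and records are assumptions, not an IDS product."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Callable, Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    minute: int     # minute index of the observation
    src: str
    dst: str
    dport: int


def _flows(src: str, per_minute: List[int], start_minute: int = 0,
           dst: str = "10.1.0.10", dport: int = 443) -> List[Flow]:
    """Construct per_minute[i] connections from src in minute start_minute + i."""
    return [Flow(start_minute + i, src, dst, dport)
            for i, n in enumerate(per_minute) for _ in range(n)]


# Constructed learning period: two internal hosts with steady HTTPS traffic.
BASELINE_FLOWS = (_flows("10.1.2.3", [4, 5, 4, 6, 5, 4, 5, 5])
                  + _flows("10.1.2.4", [2, 3, 2, 3, 2, 3, 2, 3]))

# Constructed detection window (minute 100).
OBSERVED_FLOWS = (_flows("10.1.2.3", [30], start_minute=100)      # burst with no signature
                  + _flows("10.1.2.4", [3], start_minute=100)     # within its baseline
                  + [Flow(100, "10.1.2.7", "10.1.0.20", 23),      # cleartext telnet
                     Flow(100, "10.9.1.5", "10.1.0.30", 445),     # SMB from guest VLAN
                     Flow(100, "10.1.2.9", "10.1.0.10", 443)])    # new host, one connection

# Signature rules (assumption): a named predicate per pattern the policy forbids.
SIGNATURES: Dict[str, Callable[[Flow], bool]] = {
    "cleartext-telnet": lambda f: f.dport == 23,
    "smb-from-guest-vlan": lambda f: f.src.startswith("10.9.") and f.dport == 445,
}


def signature_alerts(flows: List[Flow]) -> List[Tuple[str, str, str, int]]:
    """Match every flow against every rule; anything without a rule is not seen."""
    return sorted((name, f.src, f.dst, f.dport)
                  for f in flows for name, rule in SIGNATURES.items() if rule(f))


def per_minute_counts(flows: List[Flow]) -> Dict[str, List[int]]:
    """Connection count per source per observed minute."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for f in flows:
        table[f.src][f.minute] += 1
    return {src: [c[m] for m in sorted(c)] for src, c in table.items()}


def statistical_alerts(baseline_flows: List[Flow], observed_flows: List[Flow],
                       z_threshold: float = 3.0
                       ) -> Tuple[List[Tuple[str, int, float]], List[str]]:
    """Flag a source whose per-minute count deviates from its own baseline by more than
    z_threshold standard deviations. Sources with no baseline cannot be scored; they are
    returned separately so they get reviewed instead of being silently ignored."""
    baseline = per_minute_counts(baseline_flows)
    observed = per_minute_counts(observed_flows)
    alerts, unknown = [], []
    for src, counts in observed.items():
        if src not in baseline:
            unknown.append(src)
            continue
        mu = mean(baseline[src])
        sigma = max(pstdev(baseline[src]), 1.0)   # floor avoids division by zero on flat baselines
        for count in counts:
            z = (count - mu) / sigma
            if z > z_threshold:
                alerts.append((src, count, round(z, 1)))
    return alerts, sorted(unknown)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(OBSERVED_FLOWS))
    stat, no_baseline = statistical_alerts(BASELINE_FLOWS, OBSERVED_FLOWS)
    print("statistical alerts:", stat)
    print("no baseline yet:", no_baseline)
```

The two detectors disagree on the sample in the way slide 106 warns about: the signature rules catch the telnet and guest-VLAN SMB sessions but have nothing to say about the 30-connection burst from 10.1.2.3, while the statistical check flags that burst but cannot score the single telnet session at all because its source has no baseline. Running both, and treating "no baseline" as a finding in its own right, is what keeps either blind spot from becoming a policy gap.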
107. Network Infrastructure Security
Encryption
• Key elements of encryption systems
  – Encryption algorithm
  – Encryption key
  – Key length
• Private key cryptographic systems
• Public key cryptographic systems
• Elliptical curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures
108. Network Infrastructure Security
Encryption (continued)
• Digital signatures
  – Data integrity
  – Authentication
  – Nonrepudiation
  – Replay protection
• Public key infrastructure
  – Digital certificates
  – Certificate authority (CA)
  – Registration authority (RA)
  – Certificate revocation list
  – Certification practice statement (CPS)
109. Network Infrastructure Security
Encryption (continued)
• Use of encryption in OSI protocols
  – Secure sockets layer (SSL)
  – Secure Hypertext Transfer Protocol (S/HTTP)
  – IP security
  – SSH
  – Secure multipurpose Internet mail extensions (S/MIME)
  – Secure electronic transactions (SET)
110. Project Risk Management
111. PRM Processes
• Planning how risk is managed within the particular project
  – Plans include risk management tasks, responsibilities, activities and budget
• Assigning a risk officer with healthy skepticism, responsible for foreseeing potential project problems
• Maintaining a live project risk database (risk profile)
  – Each risk should have these attributes: opening date, title, short description, probability and importance
112. PRM Processes (cont’d)
• Creating an anonymous risk reporting channel
  – Each team member should have the possibility to report risks that he/she foresees in the project
• Preparing mitigation plans for risks that are chosen to be mitigated
  – Identify how the risk will be handled: what, when, by whom and how it will be done to avoid it or minimize the consequences if it becomes a liability
• Summarizing planned and faced risks, the effectiveness of mitigation activities, and the effort spent on risk management
113. Q&A
114. Thank You!