ERM Presentation


Enterprise Risk Management Overview of InfoSec Risk Assessment

Published in: Business, Technology

  • Keynote Message: Enterprise businesses today are a consistently target-rich environment. As companies grow, so does their exposure across the external and internal attack surface. Applying risk management approaches helps identify the mitigation actions that belong to each identified risk.

    1. Enterprise Risk Management: The rising importance of ERM and the Information Security Practice. Harry Contreras, CISSP/6Sigma, IT Security Manager at a Fortune 500 company.
    2. What is driving ERM? Aligning security solutions to business problems
       Industry observations:
         • Forecast slowdown for IT spending*
         • Interlocking IT security spending with identified business priorities
         • Changing regulatory landscape for businesses
         • Expanding business threat environment
         • Rising interest in simplifying security management
       * Forrester Research, Inc.
    3. Managing Enterprise Risks: What is driving ERM adoption today?
       Internal influences:
         • Impact on business operations
         • Analysis of the overall IT risk situation
         • Prioritization of IT risk-mitigating actions
         • Managed approach to enterprise investment
       External influences:
         • Observation of best effort/practice applied
         • Requirements that are legislated or set by industry regulation
         • How outsiders will assess business operations
    4. The Definition of ERM: Enterprise Risk Management
       Risk management is fundamental to management. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has presented the definition that is most widely referenced and accepted:
       Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity. It provides a framework to manage risk according to the organization's appetite and offers reasonable assurance regarding the achievement of its objectives.¹
       ¹ Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework: Executive Summary, 2004
    5. Managing Enterprise Risks: Who is watching for this activity?
       External observers:
         • IT audit practices
         • Compliance assessment organizations
         • Standard & Poor's (S&P) Enterprise Risk Management (ERM) Analysis for Credit Ratings of Non-Financial Companies*
       * Request for Comment (November 2007): S&P has proposed rating criteria for this ERM assessment approach.
    6. Definitions: what are we dealing with here? Risks, Threats and Vulnerability
       Not all threats pose the same level of risk.
         • Risk (noun): possibility of loss or injury; someone or something that creates or suggests a hazard; the chance that an investment will lose value.
         • Threat (noun): an expression of intention to inflict evil, injury or damage; an indication of something impending.
         • Vulnerability (noun): a state or defect of a situation or an asset that could be exploited to create loss or harm.
         • Operational Risk (OR): the Basel Committee on Banking Supervision defines OR as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events."¹ Examples of OR include fraud by external parties or employees; workplace safety and employment practices; client, product and business practices; damage to physical assets; business disruption and system failures; and losses from failed transaction processing or from trade with vendors.
    7. Limiting the Scope: What are Enterprise Business Risks? Global or macro-level risks
         • Economic risks: oil prices/energy, supply interruptions; US current account deficit or a fall in the US dollar; fiscal crises caused by demographic shift; asset price rises, excessive indebtedness.
         • Environmental risks: climate change; loss of freshwater services; natural catastrophes such as tropical storms, earthquakes or inland flooding.
         • Geopolitical risks: international terrorism; interstate or civil wars; instability of failed or failing states; transnational crime.
         • Societal risks: pandemics and infectious diseases in the developing world; chronic diseases in the developed world; liability regimes.
         • Technical risks: breakdown of critical information infrastructure (CII); emergence of risks identified in technologies implemented as products, services or processes within the enterprise.
    8. Interpreting Business Risk: Where does IT risk come from? Risks impact the business across multiple enterprise structures
         • Marketplace: where a company operates shapes its business environment, including the political, regulatory, market and labor conditions it faces.
         • Financial model: how a company structures its financial strategy shapes its risk tolerance for the changing money-market conditions it faces.
         • Operational model: how a company chooses to define the way it operates determines how it functions and how business units work together.
         • Organizational model: how a company is organized to deploy, develop and retain its people for continuity of internal services.
       "Volatility" is the catalyst for risk: the condition where things can change rapidly, dramatically and sometimes unexpectedly.
    9. Limiting the Scope: What falls within IT risk issues?
         • Operational: risks arising from internal business operations that are generally mitigated through internal controls or processes.
         • Hazard: risks arising from adverse events that result in property damage and liabilities; some of these are generally insurable.
         • Strategic: risks arising from external competition, the market environment and regulatory events that can damage or enhance a company's growth track and shareholder valuation.
         • Financial: risks arising from fluctuations in financial market prices that are generally hedged using financial instruments.
         • Human capital: risks arising from challenges to the personnel, leadership and systems used to attract, develop, motivate and retain the labor pool.
       The information security triad of Confidentiality, Integrity and Availability maps directly onto the areas of risk above.
    10. Interpreting Business Risk: Who and how to make the determinations
       Business Risk Assessment. Engage key stakeholders in the following:
         • Conduct a facilitated risk assessment workshop
         • Review and assess "in-scope" risk environments
         • Assess operational, hazard, strategic and financial risks
         • Compile an inventory of identified risks
         • Develop a summary-of-results report
         • Quantification and business impact scoring
         • Correlate solution costs to targeted risks
         • Prioritization and assignment of actions
    11. Aspects of Quantifying Risk: To understand which risks matter
       Review the following risk considerations:
         • Risk realization: real vs. perceived risk
             • Addressing the FUD factor (Fear, Uncertainty and Doubt)
             • Has this risk been realized in the past?
             • Can costs for this risk be quantified?
             • Is it repeatable and preventable?
         • Burden of risk: associated material and immaterial costs
         • Risk validation
             • What is the decision tipping point for consideration of this risk?
    12. The Classic Risk Formulations: Interpreting risk and communicating decision actions
         • Risk = Loss × Threat × Frequency
             • Loss is the economic value of lost revenue due to a security issue
             • Threat is the likelihood (as a probability) that an event would happen
             • Frequency is how often such an event would happen
             • The product is an expected loss over the period the frequency is measured against (typically a year), which is what makes it comparable with the annual cost of a control
         • Risk = Threat × Vulnerability
             • This formulation is still valid today
             • There are many variations on this theme
             • What matters more is applying it to your organization's ERM program consistently and with the concurrence of the business
    13. Risk Ranking: Likelihood and Impact. Associating risk with action imperatives
       [Figure: an industry example of a risk assessment matrix for ranking risk; Axis 1 = Likelihood, Axis 2 = Business Impact]*
       * Marsh Risk Consulting Practice, Operational Risk Focus
    14. What to do with Identified IT Risks: Options for handling IT risks
       Burying your head in the sand is not an option.
         • Accept or retain the risk: the risk is unlikely or its impact does not warrant further action, so the company simply decides to bear any recovery costs.
         • Avoid or reject the risk: when the cost or likelihood of the risk is so great that it is not feasible to continue in that area of activity (product, process or geography).
         • Transfer or share the risk: when the risk is part of normal business operation and its cost is predictable, the company may elect to insure, warranty or contract it out (outsource).
         • Mitigate or reduce the risk: the identified risk(s) are core to the business, and controls are implemented to reduce likelihood and impact to the business.
         • Ignore the risk: a conscious decision to do nothing. It carries the potential for catastrophic business impact and serious legal repercussions.
    15. Analyzing IT Risk: Evaluation of impact to assets
       ERM analysis process:
         • Asset identification
         • Asset valuation
         • Threat and vulnerability identification
         • Control identification
         • Determination of likelihood for the threats
         • Asset impact on the InfoSec CIA triad
         • Risk determination
         • Control recommendation
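The formulations on slides 12 through 15 can be run as one small risk register. The following is an added example and is not part of the original deck: it computes Risk = Loss × Threat × Frequency for each scenario, places the scenario in a 5×5 likelihood/impact matrix, picks one of the slide-14 handling options, and then ranks candidate controls by annual loss avoided minus the control's annual cost. The scenarios, loss figures, probabilities, control costs, the 5-band cut-offs and the decision rule in treatment() are all constructed assumptions for illustration, not figures from the Marsh matrix or from any real assessment.

```python
"""Worked risk-register calculation for the risk formulations on the preceding slides.

Added example; not part of the original deck. Every asset, loss figure,
probability, control cost and band cut-off below is constructed for
illustration, not taken from a real assessment.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    """The handling options from slide 14 ("ignore" is deliberately not modelled)."""
    ACCEPT = "accept / retain"
    TRANSFER = "transfer / share"
    MITIGATE = "mitigate / reduce"
    AVOID = "avoid / reject"


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float  # fraction of event likelihood left after the control (0..1)
    impact_factor: float      # fraction of per-event loss left after the control (0..1)


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    loss: float       # Loss: economic value lost in one event
    threat: float     # Threat: probability (0..1) that the event happens in a year
    frequency: float  # Frequency: how many times per year it happens when it does

    def annual_loss(self, control: Optional[Control] = None) -> float:
        """Risk = Loss x Threat x Frequency (slide 12); a control scales Loss and Threat."""
        lf = control.likelihood_factor if control else 1.0
        imf = control.impact_factor if control else 1.0
        return (self.loss * imf) * (self.threat * lf) * self.frequency


# Assumed 5-band scales for the two axes of the ranking matrix (slide 13).
# Each entry is (upper bound, band); anything above the last bound is band 5.
LIKELIHOOD_BANDS = [(0.05, 1), (0.2, 2), (0.5, 3), (1.0, 4)]              # expected events per year
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (500_000, 3), (2_000_000, 4)]  # loss per event, USD


def _band(value: float, bands: List[Tuple[float, int]]) -> int:
    for upper, score in bands:
        if value <= upper:
            return score
    return 5


def likelihood_band(risk: Risk) -> int:
    return _band(risk.threat * risk.frequency, LIKELIHOOD_BANDS)


def impact_band(risk: Risk) -> int:
    return _band(risk.loss, IMPACT_BANDS)


def ranking_score(risk: Risk) -> int:
    """Cell of the likelihood x impact matrix, 1..25; higher means act sooner."""
    return likelihood_band(risk) * impact_band(risk)


def treatment(risk: Risk) -> Treatment:
    """Assumed decision rule mapping a matrix cell to a slide-14 option."""
    lik, imp = likelihood_band(risk), impact_band(risk)
    score = lik * imp
    if score >= 20:             # both axes high: the activity itself is not viable
        return Treatment.AVOID
    if score <= 4:              # low/low: bear the recovery cost
        return Treatment.ACCEPT
    if imp >= 4 and lik <= 2:   # rare but severe and predictable: insure or contract it out
        return Treatment.TRANSFER
    return Treatment.MITIGATE   # everything else: apply controls to buy the risk down


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control minus what the control costs each year."""
    return (risk.annual_loss() - risk.annual_loss(control)) - control.annual_cost


def recommend(candidates: Dict[Risk, List[Control]]) -> List[Tuple[str, str, float]]:
    """Rank every (risk, control) pair by net benefit, best first.

    Pairs with a negative net benefit stay in the list so the reader can see
    that the control costs more per year than the loss it prevents.
    """
    rows = [(risk.scenario, control.name, net_benefit(risk, control))
            for risk, controls in candidates.items() for control in controls]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; none of these figures come from a real assessment.
WEB_BREACH = Risk("customer database", "web app compromise exposes records", 800_000, 0.4, 1)
FLOOD = Risk("data center", "regional flood takes site offline", 3_000_000, 0.02, 1)
LAPTOP = Risk("laptop fleet", "unencrypted laptop lost or stolen", 5_000, 0.9, 6)
WIKI = Risk("intranet wiki", "defacement by disgruntled insider", 2_000, 0.1, 1)
LEGACY_PAY = Risk("legacy payment gateway", "card data theft via unpatchable platform", 5_000_000, 0.6, 2)
REGISTER = [WEB_BREACH, FLOOD, LAPTOP, WIKI, LEGACY_PAY]

CANDIDATE_CONTROLS = {
    WEB_BREACH: [Control("WAF plus 30-day patch SLA", 60_000, 0.4, 1.0),
                 Control("field-level encryption of PII", 150_000, 1.0, 0.25)],
    LAPTOP: [Control("full-disk encryption", 20_000, 1.0, 0.1),
             Control("MDM with remote wipe", 40_000, 1.0, 0.2)],
}

if __name__ == "__main__":
    for r in sorted(REGISTER, key=ranking_score, reverse=True):
        print(f"{ranking_score(r):>2}  {treatment(r).value:<18} ALE ${r.annual_loss():>12,.0f}  {r.scenario}")
    print()
    for scenario, name, benefit in recommend(CANDIDATE_CONTROLS):
        print(f"{benefit:>12,.0f}  {name:<32} -> {scenario}")
```

Run stand-alone it prints the register ordered by matrix cell, the option each cell maps to, and the controls ordered by net benefit. The second table is Dr. Cole's three questions made concrete: each row names the risk being reduced, the register order says whether it is the highest priority, and the net benefit says whether this is the cheapest way to reduce it. Note that "MDM with remote wipe" comes out negative: the laptop scenario ranks high on likelihood, but its per-event loss is so small that a $40,000-a-year control cannot pay for itself, which is exactly the case where the ranking matrix alone would have led to overspending.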
    16. Enterprise Businesses Today: A continuous "target rich" environment
       ERM analysis: the what, when, why, how and who
         • What = identify risks to the business
         • When = prioritize actions
         • Why = cost justification
         • How = solution/mitigation approach
         • Who = assign actions to carry out
    17. Approaches to IT Risk Management: How can this be accomplished?
       Industry approaches today:
         • The traditional "Delphi Method": developing a matrix of identified risks and attributes
         • Six Sigma: Failure Modes and Effects Analysis (FMEA)
         • Microsoft: The Security Risk Management Guide
         • ISO/IEC 17799:2005 InfoSec practice guideline; ISO/IEC TR 13335-5 InfoSec management specification
         • Information Security Forum (ISF): Information Risk Reference Guide (IRRG)
    18. Risk Modeling to Security "Buy-Down" Concept: The Business Security Umbrella Model, Risk Scale to Security Spend ©
       [Figure: Illustration of the risk mitigation relationship to defense efforts and results. Two panels, each plotting Investment (Low to High) against Direct Risk Mitigation (result), Indirect Risk Mitigation (result) and Residual Risk (acceptable). Left panel, "Security in a perfect world": minimal security defenses needed to defend from outsiders. Right panel, "Security in the real world": maximum security defenses needed to defend from outsiders and insiders.]
    20. Business Goals and Objectives: The overall business deliverable
       Objectives:
         • Justified business cost to address IT risks
         • Mitigation through proportioned budget spend
         • Deriving a measurable IT risk index
       Goals:
         • Timing and right-sizing of IT spend allocations
         • InfoSec efforts and investments aligned with business problem solutions
    21. Aligning IT Risks to Business Problems: Applying secure and compliant solutions
       Critical success factors:
         • Did you close the deal?
         • Is it going to be funded?
         • Will the solution fit the business model?
         • Does business leadership support it?
         • Can metrics be derived?
         • Were you successful in assigning actions?
    22. A Never Ending Process: Annual "best practice" activity
       As companies embrace ERM approaches and practice this activity at least annually, they should observe an improving risk index year over year. The activity raises corporate awareness of the enterprise's risk tolerance state and institutionalizes a successful, repeatable InfoSec process to protect the enterprise.
    23. "Security as an Ecosystem"*: Why less is best
       Whether solutions are products or processes, each carries a lifecycle of business Capex and Opex to sustain it from turn-up to retirement:
         • Procurement issues/costs
         • Integration issues/costs
         • Implementation issues/costs
         • Operations issues/costs
         • Support issues/costs
       * Quotation taken from a published InfoSec industry article
    24. IT Security Practitioner Commentary*: Dr. Eric Cole, SANS, Author & Fellow
       An editorial note by Dr. Cole:
       "Security will always be a challenge since threats and vulnerabilities are always changing. The key task for security managers is to make sure that, based on your limited budget, you are focusing in on the correct items. In spending any money on security you should always ask three questions:
         • what is the risk I am reducing;
         • is it the highest priority risk; and
         • is it the most cost effective way to reduce the risk?"
       * Dr. Cole prepared this commentary for the SANS NewsBites Vol. 10 Num. 23, March 21, 2008.
    25. IT Security Practitioner Commentary*: Marcus Sachs, Director, SANS ISC
       "Security is about risk management."
       "There's no way to patch every vulnerability, so which ones do you go after? One good approach is [to look at] which ones the threats are most likely to go after."
       "There is no such thing as perfect security. Just try to manage it to get to some acceptable level of risk that you are willing to live with."
       * Information Security Magazine, February 2008
    26. Presentation Summary
       All risks cannot be mitigated out of existence. With effective risk identification, assessment and mitigation approaches, businesses can benefit from the following outcomes:
         • Competitive advantage
         • Security
         • Efficiency
         • Resilience
         • Confidence
       "There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction." John F. Kennedy
    27. Presentation Conclusion: Questions and Answers. This material is copyrighted, 2008.
    28. ERM Presentation Hand-Out: How to obtain additional information
         • Information Security Forum (ISF), Information Risk Reference Guide (IRRG), May 2006. Available to companies participating in the international ISF organization.
         • Microsoft, Security Risk Management Guide v1.2, March 15, 2006. Microsoft Corporation. All rights reserved. Download and on-line locations: Download Center: http:// =32050 ; TechNet online: http:// =30794
         • ISO/IEC 17799:2005, Information Security Standard; ISO/IEC 13335-3, Guidelines for the Management of IT Security
         • The Burton Group, In-Depth Research Overview / Directory and Security Strategies: Risk Aggregation: The unintended consequence. April 2004
         • Information Systems Audit and Control Association (ISACA), In-Depth Research Overview: The Convergence of Physical and Information Security in the Context of Enterprise Risk Management. 2007 =36010
         • Marsh, Risk Consulting Practice, Risk Focus: A Closer Look: Establishing an Effective Operational Risk Management Program. © 2004, Marsh, Inc.