11/16/13 
1 
William Estrem

Abstract

This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on The Open Group Risk Management Taxonomy and Risk Assessment standard.
© 2013 - Metaplexity Associates® LLC - All Rights Reserved. 2
What we will cover

• What is Risk Management?
• How is Risk Management treated in Enterprise Architecture?
• What are some types of Enterprise Risk Management?
• Can we define a Business Capability for Risk Management?
• What are the FAIR Taxonomy and Risk Analysis Standards?
• Can FAIR and other standards be used together to improve Enterprise Risk Management Capability?
Risk is a natural part of the business landscape. If left unmanaged, the uncertainty can spread like weeds. If managed effectively, losses can be avoided and benefits obtained.

Source: RiskIT. IT Governance Institute
A Fine Balance Between Risk and Reward

• Enterprise Risk Management
– Aligning risk appetite and strategy
– Enhancing risk response decisions
– Reducing operational surprises and losses
– Identifying and managing multiple and cross-enterprise risks
– Seizing opportunities
– Improving deployment of capital

Source: Enterprise Risk Management – Integrated Framework, COSO (2004).
Levels of Risk

• According to the TOGAF standard, there are two levels of risk that should be considered, namely:
– Initial Level of Risk: Risk categorization prior to determining and implementing mitigating actions.
– Residual Level of Risk: Risk categorization after implementation of mitigating actions (if any).
Risk Management Process

Classify → Identify → Evaluate → Respond → Monitor
General Risk Management Approach

• Define the risk assessment approach of the organization
• Identify the risks
• Analyze and evaluate the risks
• Identify and evaluate options for the treatment of risks
• Select control objectives and controls for the treatment of risks
• Obtain management approval of the proposed residual risks

Source: ISO 27001
Some Types of Enterprise Risk

• Financial Risk
• Market Risk
• Operation Risk
• Safety Risk
• Information Risk
• Design Risk
• Product Risk
Risk Spectrum challenges based upon stakeholder concerns

• Commercial and Economic Risk
• Risk of Loss of Goodwill or negative effect on Reputation
• Risk to Personal Safety
• Risk of Disruption to Activities and Financial Loss
• Risk on the Management of Business Operations
• Risk on the Operations of Public Service
• Legal and Regulatory Obligations
• Risk to technology, information and intellectual property

How do we take into consideration this wide range of risk areas in Enterprise Architecture planning activities?
Enterprise Risk Management and Corporate Governance

The governing board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the enterprise
• Being aware that the final responsibility for risk management rests with the board
• Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency
• Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited
• Insisting that risk management be embedded in the operation of the enterprise

Source: Board Briefing on IT Governance. IT Governance Institute, 2nd Edition. 2004
Risk Management Approaches

• COSO – Financial Reporting – Internal Audit
• FAIR – Information Security
• RiskIT – IT Risk
• ISO 31000 – Risk Management General Principles and Guidelines
• CRAMM – UK OGC General Risk Management Framework
• ISO 27000 – ISO Series on Information Security Standards
• NIST 800 – US standards for Computer Security
• OCTAVE – CERT Strategic Information Risk Assessment
• OGC’s Management of Risk (MoR)
• UK CESG – Good Practice Guides
Risk Assessment Viewpoints

• Objectivist, or frequentist, view
– Probabilities obtained from repetitive historical data
• Subjectivist, or Bayesian, view
– Risk is, in part, a judgment of the observer, or a property of the observation process, and not solely a function of the physical world.
– Objective data complemented by other information.

Borison, A., Hamm, G. 2010. How to Manage Risk (After Risk Management Has Failed). Sloan Management Review.
Factor Analysis of Information Risk

• The Risk Analysis Standard is intended to be used with the Risk Taxonomy Standard, which defines the FAIR taxonomy for the factors that drive information security risk.
• Together, these two standards comprise a body of knowledge in the area of FAIR-based information security risk analysis.
Risk Analysis using FAIR

• Stage 1:
– Identify scenario components
– Identify the asset at risk
– Identify the threat community
• Stage 2:
– Evaluate Loss Event Frequency (LEF)
– Estimate probable Threat Event Frequency (TEF)
– Estimate Threat Capability (TCap)
– Estimate Control Strength (CS)
– Derive Vulnerability (Vuln)
– Derive Loss Event Frequency (LEF)
• Stage 3:
– Evaluate Probable Loss Magnitude (PLM)
– Estimate worst-case loss
– Estimate Probable Loss Magnitude (PLM)
• Stage 4:
– Derive and articulate risk
FAIR Taxonomy

Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factor
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors
Broader Applicability?

Although the concepts and standards within the FAIR Standard were not developed with the intention of being applied towards other risk types, experience has demonstrated that they can be effectively applied to other risk types.
Risk and the TOGAF Standard

• Risk already plays an important part in the TOGAF standard, but we recognize that there are perhaps improvements and innovations to add.
• Over the next set of slides we will look more closely at Risk within the ADM.
Loss, Threat and Vulnerability and the EA Context

• Enterprise Architects should work with specialist resources to determine the true cost of any loss, but to help determine this the architect has to provide the context.
• Context is defined via the Content Metamodel through the development of Building Blocks.
• Each Building Block can be examined through ADM techniques that will provide specific information and support for more detailed Risk Management understanding.
• Use Building Blocks to:
– define the variety of asset types
– assess the threat to the assets and their vulnerability
– determine the relationships between assets and their interdependencies
TOGAF viewpoints that support Risk Analysis

• Viewpoints enable the Architect to build context for a risk model and assessment:
– Location Catalog
– Business Service / Function Catalog
– Interface Catalog
– Business Service / Information Diagram
– Application and User Location Diagram
– Solution Concept Diagram
– System Use-Case Diagram – including Mis-Use Cases
– Role / System Matrix
– System / Data Matrix
– System / Organisation Matrix
– Application Interaction Matrix
– Business Interaction Matrix
– System Technology Matrix
Applying Risk Methods to the ADM

ADM phase                       | Requirements                                                                                                     | Risk Analysis Method                      | Control
Preliminary                     | To define approach and methods in accordance with customer or programme                                          |                                           |
Vision                          | To define the risk landscape to a programme or enterprise requirements                                           | Strategic Threat Scenarios, Risk Spectrum |
Business Architecture           | To formalize the risk model defined in the vision stage against the business and the application at later stages | Tactical Threat Scenarios                 |
Information System Architecture | To apply to information architecture                                                                             | FAIR, SANS, ISO, NIST, OCTAVE             |
Technology Architecture         | To apply to technology architecture                                                                              | FAIR, SANS, ISO, NIST, OCTAVE             |
Opportunities and Solutions     | To check and agree risk                                                                                          | FAIR, SANS, ISO, NIST, OCTAVE             |
Migration Planning              | Programme Management RISK                                                                                        | CRAMM, ARM                                |
Implementation Governance       | Programme Management RISK                                                                                        | CRAMM, ARM                                |
EA Change Management            | Programme Management RISK                                                                                        | Scenarios, CRAMM, ARM                     |
Risk Management                 |                                                                                                                  |                                           |
In the Preliminary stage:

• Establish relationship with Enterprise Risk Management
• Appoint the architects responsible for risk management and analysis
• Determine and agree standards and controls to support Risk Management
• Scope the part of the organisation impacted and under change
• Assess appetite / tolerance to risk
• Discuss with key stakeholders the impact of the architecture change to the business and potential commercial and economic risks associated
• Understand the secondary losses such as loss of goodwill or reputation

[Figure: TOGAF ADM cycle showing Preliminary; A Architecture Vision; B Business Architecture; C Information Systems Architectures; D Technology Architecture; E Opportunities and Solutions; F Migration Planning; G Implementation Governance; H Architecture Change Management; and Requirements Management]
In the Architecture Vision phase:

• Understand Stakeholder Concerns and subsequent mitigations
• Use threat scenarios to analyze the vision described by the Business Scenario
• Assess readiness for Transformation and therefore identify transformation risk and mitigation
• Measure against maturity model assessments and approach to requirement management
• Identify initial risk management requirements

[Figure: TOGAF ADM cycle]
In the Business Architecture phase:

• Methods at this stage which are able to support risk management and analysis:
– Capability Assessment
– Gap analysis
– Business principles, business goals, and business drivers

Activities at this stage will help ascertain risk to Commercial and Economic aspects of the organisation as well as risks to business operations and public service operations if applicable. Building Blocks and views of Location, Function, Process and Business Services can be analyzed using threat scenarios, threat sources and threat actors.

[Figure: TOGAF ADM cycle]
In the Information Systems Architecture phase the key activity is to determine any risk to application systems and the data they hold.

The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. This will help the Architect determine Legal and Regulatory Obligations and Data and application vulnerability. This is one of the key phases where FAIR is applicable.

[Figure: TOGAF ADM cycle]
The Technology Architecture phase defines the infrastructure services. It is important that the Risk analysis and assessments are drawing to conclusions and there is now an understanding of the risks to the project and enterprise.

The Technology Architecture often hosts the Security Architecture in relation to the project and the Enterprise. This view should be developed in conjunction with Security Operations so new Threats and Vulnerabilities can be considered. The analysis and assessment of Risk during the Technology Architecture phase has close connections with the approach taken in Phase C.

[Figure: TOGAF ADM cycle]
The Opportunities and Solutions phase is the stage at which the solution is designed and all risk references and mitigations acknowledged and gaps addressed. Enterprise Risk Management is prepared to adopt any accepted risks to the following:

• Risk on Personal Safety
• Risk of Disruption to Activities/Financial Loss
• Risk on the Management of Business Operations
• Risk on the Operations of Public Service
• Legal and Regulatory Obligations

While risk control may often prove to have a negative impact on solutions, it is important that Security Operations are able to acknowledge this and adjust security posture and monitoring to accommodate.

[Figure: TOGAF ADM cycle]
In the Migration Planning phase, it is important to prioritize the Migration Projects through the Conduct of a Cost/Benefit Assessment and Risk Validation. In this activity the architect reviews the risks documented in the Gaps, Solutions, and Dependencies Report and ensures that the risks for the project artifacts have been mitigated as much as possible.

The risks identified through Phases A to D and all the required analysis and assessment support the development of the Implementation and Migration Plan so as not to increase or trigger those risks.

[Figure: TOGAF ADM cycle]
The Implementation Governance phase establishes the connection between architecture and implementation organization. At this stage emphasis switches from risks within the conceptual Architecture solution to risks to the physical environment and operations.

Phase G must ensure that all parties involved (Programme Governance, EA Governance and Enterprise Risk Management) conduct regular reviews of Risk Management during implementation. This is important during the transition with the Business unit(s) involved.

[Figure: TOGAF ADM cycle]
The Architecture Change Management phase ensures that the architecture achieves its original target business value. This includes managing changes to the architecture in a cohesive and architected way.

This phase examines the range of possible risks across the Risk Spectrum. In response to identified need, launch appropriate interventions such as ADM cycles or implementation projects.

[Figure: TOGAF ADM cycle]
Transition of conceptual risk into operational controlled risk

Those areas of risk defined by EA must transition into an area of control under general Enterprise Risk Management where risk is already baselined:
– Business Planning
– Operations Management
– Project and Programme Management
[Figure: Capability Planning diagram. Elements: Business Planning, Operations Management, Enterprise Architecture, Portfolio/Project Management, Solution Development. Edge labels: Business Direction; Runs the Enterprise; Structured Direction; Delivers; New Risks identified or Key Risk indicator changed; Project Management Governance; Architectural Governance; Architectural Direction; Resources; Risk Baseline Managed; Risk Baseline Changed; Risk Mitigated and controlled]
FAIR Taxonomy

Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factor
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors
Risk Impact

Corporate Risk Impact Assessment (rows: Effect; columns: Frequency)

Effect       | Frequent | Likely | Occasional | Seldom | Unlikely
Catastrophic |    E     |   E    |     H      |   H    |    M
Critical     |    E     |   H    |     H      |   H    |    M
Marginal     |    H     |   M    |     M      |   M    |    L
Negligible   |    M     |   L    |     L      |   L    |    L
Risk Assessment

Risk Identification and Mitigation Assessment Worksheet

Risk ID | Risk                 | Initial Risk: Effect | Frequency  | Impact | Mitigation             | Residual Risk: Effect | Frequency | Impact
23      | Lost Laptop          | Marginal             | Occasional | Medium | Remote Wipe Hard Drive |                       |           |
24      | Stolen Root Password | Critical             | Seldom     | High   | Two Factor Auth        |                       |           |
Business Impact Assessment Reference Tables

Likelihood x Impact scoring table (score = likelihood x impact, each scored 1 to 4):

Likelihood \ Impact |  1 |  2 |  3 |  4
        4           |  4 |  8 | 12 | 16
        3           |  3 |  6 |  9 | 12
        2           |  2 |  4 |  6 |  8
        1           |  1 |  2 |  3 |  4

Red   8-16  Risks that require action to reduce the category (likelihood and/or impact) to amber and then green
Amber 4-6   Risks that require action to ensure that the effectiveness of existing control measures is monitored and improvements made if required to reduce the category to green
Green 1-3   Risks that should be monitored to ensure that existing control measures continue to work and are effective

Primary Risk (rows: Primary Loss Magnitude (LM); columns: Primary Loss Event Frequency (LEF))

LM \ LEF | VL | L  | M  | H  | VH
VH       | M  | H  | VH | VH | VH
H        | L  | M  | H  | VH | VH
M        | VL | L  | M  | H  | VH
L        | VL | VL | L  | M  | H
VL       | VL | VL | VL | L  | M
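The Corporate Risk Impact Assessment matrix, the worksheet rows and the scoring bands above, as an added Python example (not material from the slides or from Metaplexity Associates): the lookups are exactly the tables shown, and each worksheet row carries TOGAF's initial and residual level of risk. The residual (effect, frequency) estimates for the two rows, and the expansion of the rating E as "Extreme", are assumptions made here because the slide leaves them blank.

```python
from dataclasses import dataclass
from typing import Optional

# Corporate Risk Impact Assessment: Effect rows x Frequency columns, as on the slide.
FREQUENCIES = ["Frequent", "Likely", "Occasional", "Seldom", "Unlikely"]
IMPACT_MATRIX = {
    "Catastrophic": ["E", "E", "H", "H", "M"],
    "Critical":     ["E", "H", "H", "H", "M"],
    "Marginal":     ["H", "M", "M", "M", "L"],
    "Negligible":   ["M", "L", "L", "L", "L"],
}
# The worksheet spells H and M out as High and Medium; E is not expanded on the
# slide, so "Extreme" is an assumption.
IMPACT_LABELS = {"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}
RATING_ORDER = ["L", "M", "H", "E"]


def impact(effect: str, frequency: str) -> str:
    """Look up the E/H/M/L rating for an (effect, frequency) pair."""
    if effect not in IMPACT_MATRIX or frequency not in FREQUENCIES:
        raise ValueError(f"unknown effect/frequency: {effect!r}/{frequency!r}")
    return IMPACT_MATRIX[effect][FREQUENCIES.index(frequency)]


def rag_band(likelihood: int, impact_score: int) -> tuple:
    """Business Impact Assessment reference table: score = likelihood x impact, each
    1..4; Red 8-16, Amber 4-6, Green 1-3. Products 5 and 7 cannot occur, so the
    three bands cover every cell of the 4x4 table."""
    if not (1 <= likelihood <= 4 and 1 <= impact_score <= 4):
        raise ValueError("likelihood and impact are scored 1..4")
    score = likelihood * impact_score
    if score >= 8:
        band = "Red"      # act to reduce likelihood and/or impact
    elif score >= 4:
        band = "Amber"    # monitor the effectiveness of existing controls
    else:
        band = "Green"    # monitor that existing controls keep working
    return score, band


@dataclass
class RiskEntry:
    """One row of the Risk Identification and Mitigation Assessment Worksheet.
    initial / residual are (effect, frequency): TOGAF's two levels of risk."""
    risk_id: int
    risk: str
    initial: tuple
    mitigation: str
    residual: Optional[tuple] = None

    def initial_impact(self) -> str:
        return impact(*self.initial)

    def residual_impact(self) -> Optional[str]:
        return impact(*self.residual) if self.residual else None

    def reduced(self) -> bool:
        """True when the mitigation moved the rating to a lower band."""
        res = self.residual_impact()
        return res is not None and RATING_ORDER.index(res) < RATING_ORDER.index(self.initial_impact())


# The two rows from the slide. The residual values are constructed for this example:
# a remotely wiped laptop loses at most the hardware (effect drops to Negligible), and
# a second factor makes a stolen root password far less likely to be usable on its own.
WORKSHEET = [
    RiskEntry(23, "Lost Laptop", ("Marginal", "Occasional"), "Remote Wipe Hard Drive",
              residual=("Negligible", "Occasional")),
    RiskEntry(24, "Stolen Root Password", ("Critical", "Seldom"), "Two Factor Auth",
              residual=("Critical", "Unlikely")),
]


def render(entries) -> str:
    """Render the worksheet as fixed-width text with the looked-up ratings filled in."""
    rows = [f"{'ID':>3}  {'Risk':<22}{'Initial':<36}{'Mitigation':<24}Residual"]
    for e in entries:
        init = f"{e.initial[0]}/{e.initial[1]} -> {IMPACT_LABELS[e.initial_impact()]}"
        res = (f"{e.residual[0]}/{e.residual[1]} -> {IMPACT_LABELS[e.residual_impact()]}"
               if e.residual else "(not assessed)")
        rows.append(f"{e.risk_id:>3}  {e.risk:<22}{init:<36}{e.mitigation:<24}{res}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(WORKSHEET))
    for lik, imp in [(4, 4), (2, 3), (1, 2)]:
        print(f"likelihood {lik} x impact {imp} -> {rag_band(lik, imp)}")
```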
FAIR entities Modeled with ArchiMate 
Using FAIR to assess an Insider Attack

Risk – Insider Attack
  Loss Event Frequency (LEF) – Low to Med
    Threat Event Frequency (TEF) – Unknown to Low
      Contact Frequency – Regular through reconnaissance or scanning
      Probability of Action – Med to High if Asset is of high value
    Vulnerability – based upon security and asset configurations
      Threat Capability – Significant to Limited
      Resistance Strength – based upon security capability
  Loss Magnitude – Med to High
    Primary Loss Factors
      Asset Loss Factors – using the Confidentiality, Integrity and Availability model
      Threat Loss Factor – derived from our Threat Assessment or CAPEC
    Secondary Loss Factors
      Organization Loss Factors – built from our Business Impact Assessment
      External Loss Factors – built from our Business Impact Assessment
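Stages 2 to 4 of the "Risk Analysis using FAIR" slide carried through for the insider-attack scenario above, as an added Python example that is not from the slides or from The Open Group standards. It assumes triangular (min, most likely, max) estimates in place of the slide's qualitative ranges, models Vulnerability as the probability that a drawn Threat Capability exceeds a drawn Resistance Strength (both as percentile ranks), uses constructed VL..VH bucket edges for LEF and LM, and takes the Primary Risk matrix from the reference tables slide.

```python
import random
from dataclasses import dataclass

LEVELS = ["VL", "L", "M", "H", "VH"]

# Primary Risk matrix from the slide: rows are Primary Loss Magnitude (LM),
# columns are Primary Loss Event Frequency (LEF), both on the VL..VH scale.
PRIMARY_RISK = {
    "VH": ["M", "H", "VH", "VH", "VH"],
    "H":  ["L", "M", "H", "VH", "VH"],
    "M":  ["VL", "L", "M", "H", "VH"],
    "L":  ["VL", "VL", "L", "M", "H"],
    "VL": ["VL", "VL", "VL", "L", "M"],
}

# Constructed bucket edges (assumption): LEF in loss events per year, LM in currency
# units per event. A value below edges[i] maps to LEVELS[i]; at or above the last edge is VH.
LEF_EDGES = [0.1, 1.0, 10.0, 100.0]
LM_EDGES = [10_000, 100_000, 1_000_000, 10_000_000]


def primary_risk(lm: str, lef: str) -> str:
    """Stage 4: derive the qualitative risk level from the LM and LEF levels."""
    return PRIMARY_RISK[lm][LEVELS.index(lef)]


def bucket(value: float, edges) -> str:
    """Map a numeric estimate onto the VL..VH scale using the edges above."""
    for level, edge in zip(LEVELS, edges):
        if value < edge:
            return level
    return LEVELS[-1]


@dataclass
class Scenario:
    """Stage 1 output plus the Stage 2/3 estimates, each as (min, most likely, max)."""
    name: str
    tef: tuple    # Threat Event Frequency, events per year
    tcap: tuple   # Threat Capability, percentile rank 0..100
    rs: tuple     # Resistance Strength (Control Strength), percentile rank 0..100
    lm: tuple     # Primary Loss Magnitude per loss event


def _draw(rng: random.Random, estimate: tuple) -> float:
    low, mode, high = estimate
    return rng.triangular(low, high, mode)   # random.triangular takes (low, high, mode)


def simulate(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Stages 2-4: Vuln = P(TCap > RS); LEF = TEF x Vuln; risk from the LM x LEF matrix."""
    rng = random.Random(seed)
    hits = 0
    lef_sum = 0.0
    lm_sum = 0.0
    for _ in range(trials):
        vulnerable = _draw(rng, s.tcap) > _draw(rng, s.rs)
        hits += vulnerable
        # A threat event only becomes a loss event when the control is overcome.
        lef_sum += _draw(rng, s.tef) if vulnerable else 0.0
        lm_sum += _draw(rng, s.lm)
    vuln = hits / trials
    lef = lef_sum / trials
    lm = lm_sum / trials
    lef_level, lm_level = bucket(lef, LEF_EDGES), bucket(lm, LM_EDGES)
    return {"scenario": s.name, "vuln": vuln, "lef": lef, "lm": lm,
            "lef_level": lef_level, "lm_level": lm_level,
            "risk": primary_risk(lm_level, lef_level)}


# Constructed numbers standing in for the slide's qualitative estimates
# (TEF "Unknown to Low", TCap "Significant to Limited", LM "Med to High").
INSIDER_ATTACK = Scenario("Insider Attack", tef=(0.2, 1.0, 3.0), tcap=(40, 70, 95),
                          rs=(50, 70, 85), lm=(200_000, 600_000, 2_000_000))

if __name__ == "__main__":
    r = simulate(INSIDER_ATTACK)
    print(f"{r['scenario']}: Vuln={r['vuln']:.2f} LEF={r['lef']:.2f}/yr ({r['lef_level']}) "
          f"LM={r['lm']:,.0f} ({r['lm_level']}) -> Risk {r['risk']}")
```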
Risks when an asset’s lifecycle is extended and operates without Vendor support

Risk – System Failure
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factor
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors
Summary

• Risk Management protects the value by reducing the magnitude and frequency of risks and vulnerabilities.
• There are various types of enterprise risks that need to be managed.
• TOGAF provides a basic framework for Enterprise Risk Management.
• The FAIR framework and Risk Management framework provide a more sophisticated approach.
• A Business Capability for Risk Management could apply the FAIR standard to improve Risk Analysis.

Building Risk Management into Enterprise Architecture

  • 1.
    11/16/13 1 WilliamEstrem Abstract This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on the The Open Group Risk Management Taxonomy and Risk Assessment standard. © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 2
  • 2.
    11/16/13 2 Whatwe will cover • What is Risk Management? • How is Risk Management treated in Enterprise Architecture? • What are some types of Enterprise Risk Management? • Can we define a Business Capability for Risk Management? • What are the FAIR Taxonomy and Risk Analysis Standards? • Can FAIR and other standards be used together to improve Enterprise Risk Management Capability? © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 3 Risk is a natural part of the business landscape. If left unmanaged, the uncertainty can spread like weeds. If managed effectively, losses can be avoided and benefits obtained. Source: RiskIT. IT Governance Institute 4 © 2013 - Metaplexity Associates® LLC - All Rights Reserved.
  • 3.
    11/16/13 3 AFine Balance Between Risk and Reward • Enterprise Risk Management – Aligning risk appetite and strategy – Enhancing risk response decisions – Reducing operational surprises and losses – Identifying and managing multiple and cross-enterprise risks – Seizing opportunities – Improving deployment of capital Source: Enterprise Risk Management – Integrated Framework, COSO. (2004). © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 5 Levels of Risk • According to the TOGAF standard, there are two levels of risk that should be considered, namely: – Initial Level of Risk: Risk categorization prior to determining and implementing mitigating actions. – Residual Level of Risk: Risk categorization after implementation of mitigating actions (if any). © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 6
  • 4.
    11/16/13 4 RiskManagement Process Classify Identify Evaluate Respond Monitor © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 7 General Risk Management Approach • Define the risk assessment approach of the organization • Identify the risks • Analyze and evaluate the risks • Identify and evaluate options for the treatment of risks • Select control objectives and controls for the treatment of risks • Obtain management approval of the proposed residual risks Source: ISO 27001 © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 8
  • 5.
    11/16/13 5 SomeTypes of Enterprise Risk Financial Risk Market Risk Operation Risk Safety Risk Information Risk Design Risk Product Risk © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 9 Risk Spectrum challenges based upon stakeholder concerns • Commercial and Economic Risk • Risk of Loss of Goodwill or negative effect on Reputation • Risk to Personal Safety • Risk of Disruption to Activities and Financial Loss • Risk on the Management of Business Operations • Risk on the Operations of Public Service • Legal and Regulatory Obligations • Risk to technology, information and intellectual property How do we take in to consideration this wide range of risk areas in Enterprise Architecture planning activities? © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 10
  • 6.
    11/16/13 6 EnterpriseRisk Management and Corporate Governance The governing board should manage enterprise risk by: • Ascertaining that there is transparency about the significant risks to the enterprise • Being aware that the final responsibility for risk management rests with the board • Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency • Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited • Insisting that risk management be embedded in the operation of the enterprise Source: Board Briefing on IT Governance. IT Governance InsNtute 2nd EdiNon. 2004 © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 11 Risk Management Approaches • COSO – Financial Reporting – Internal Audit • FAIR – Information Security • RiskIT – IT Risk • ISO 31000 – Risk Management General Principles and Guidelines • CRAMM – UK OGC General Risk Management Framework • ISO 27000 – ISO Series on Information Security Standards • NIST 800 – US standards for Computer Security • OCTAVE – CERT Strategic Information Risk Assessment • OGC’s – Management of Risk (MoR) • UK CESG – Good Practice Guides © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 12
  • 7.
    11/16/13 7 RiskAssessment Viewpoints • Objectivist, or frequentist, view – Probabilities obtained from repetitive historical data • Subjectivist, or Bayesian, view. – – Risk is, in part, a judgment of the observer, or a property of the observation process, and not solely a function of the physical world. – Objective data complemented by other information. Borison, A. Hamm, G. 2010. How to Manage Risk (After Risk Management Has Failed). Sloan Management Review. © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 13 Factor Analysis of Information Risk • The Risk Analysis Standard is intended to be used with the Risk Taxonomy Standard, which defines the FAIR taxonomy for the factors that drive information security risk. • Together, these two standards comprise a body of knowledge in the area of FAIR-based information security risk analysis. © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 14
  • 8.
    11/16/13 8 RiskAnalysis using FAIR • Stage 1: – Identify scenario components – Identify the asset at risk – Identify the threat community • Stage 2: – Evaluate Loss Event Frequency (LEF) – Estimate probable Threat Event Frequency (TEF) – Estimate Threat Capability (TCap) – Estimate Control Strength (CS) – Derive Vulnerability (Vuln) – Derive Loss Event Frequency (LEF) • Stage 3: – Evaluate Probable Loss Magnitude (PLM) – Estimate worst-case loss Estimate – Probable Loss Magnitude (PLM) • Stage 4: – Derive and articulate risk © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 15 FAIR Taxonomy Risk Loss Event Frequency Threat Event Frequency Contact Frequency Probability of AcNon Vulnerability Threat Capability Resistance Strength Loss Magnitude Primary Loss Factors Asset Loss Factors Threat Loss Factor Secondary Loss Factors OrganizaNon Loss Factors External Loss Factors © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 16
  • 9.
    11/16/13 9 BroaderApplicability? Although the concepts and standards within the FAIR Standard were not developed with the intention of being applied towards other risk types, experience has demonstrated that they can be effectively applied to other risk types. © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 17 Risk and the TOGAF Standard • Risk already plays an important part in the TOGAF standard be we recognize that there are perhaps improvements and innovations to add. • Over the next set of slides we will look more closely at Risk within the ADM © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 18
  • 10.
    11/16/13 10 Loss,Threat and Vulnerability and the EA Context • Enterprise Architects should work with specialist resources to determine the true cost of any loss, but to help determine this the architect has to provide the context. • Context is defined via the Content Metamodel through the development of Building Blocks • Each Building Block can be examined through ADM techniques that will provide specific information and support for more detailed Risk Management understanding • Use Building Blocks to: – define the variety of asset types – assess the threat to the assets and vulnerability – determine the relationships between assets and their interdependencies © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 19 TOGAF viewpoints that support Risk Analysis • Viewpoints enable the Architect to build context for a risk model and assessment: – Location Catalog – Business Service / Function Catalog – Interface Catalog – Business Service / Information Diagram – Application and User Location Diagram – Solution Concept Diagram – System Use-Case Diagram – including Mis-Use Cases – Role / System Matrix – System / Data Matrix – System / Organisation Matrix – Application Interaction Matrix – Business Interaction Matrix – System Technology Matrix © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 20
  • 11.
    11/16/13 11 ApplyingRisk Methods to the ADM ADM Requirements Risk Analysis Method Control Preliminary To define approach and methods in accordance with customer or programme Vision To define the risk landscape to a programme or enterprise requirements Strategic Threat Scenarios, Risk Spectrum Business Architecture To formalize the risk model defined in the vision stage against the business and the applicaNon at later stages TacNcal Threat Scenarios InformaNon System Architecture To apply to informaNon arch FAIR, SANS, ISO, NIST, OCTAVE Technology Architecture To apply to tech arch FAIR, SANS, ISO, NIST, OCTAVE OpportuniNes SoluNon To check and agree risk FAIR, SANS, ISO, NIST, OCTAVE MigraNon Planning Programme Management RISK CRAMM, ARM ImplementaNon Governance Programme Management RISK CRAMM. ARM EA Change Management Programme Management RISK Scenarios, CRAMM, ARM Risk Management 21 © 2013 - Metaplexity Associates® LLC - All Rights Reserved. 22 In the Preliminary stage: • Establish relaNonship with Enterprise Risk Management • Appoint the architects responsible for risk management and analysis Determine and agree standards and controls to support Risk Management • Scope the part of the organisaNon impacted and under change • Assess appeNte / tolerance to risk • Discuss with key stakeholders the impact of the architecture change to the business and potenNal commercial and economic risks associated • Understand the secondary losses such as loss of goodwill or reputaNon A Architecture H Vision Architecture Change Management G Implementaon Governance C Informaon Systems Architectures Requirements Management B Business Architecture E Opportunies Soluons F Migraon Planning Preliminary D Technology Architecture © 2013 - Metaplexity Associates® LLC - All Rights Reserved.
In the Architecture Vision phase:
• Understand stakeholder concerns and the subsequent mitigations
• Use threat scenarios to analyze the vision described by the Business Scenario
• Assess readiness for Transformation, thereby identifying transformation risk and mitigation
• Measure against maturity model assessments and the approach to requirements management
• Identify initial risk management requirements

In the Business Architecture phase:
• Methods at this stage which are able to support risk management and analysis:
– Capability Assessment
– Gap analysis
– Business principles, business goals, and business drivers
Activities at this stage will help ascertain risk to the commercial and economic aspects of the organisation, as well as risks to business operations and public service operations, if applicable. Building Blocks and views of Location, Function, Process and Business Services can be analyzed using threat scenarios, threat sources and threat actors.
In the Information Systems Architecture phase the key activity is to determine any risk to application systems and the data they hold.
The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. This will help the Architect determine legal and regulatory obligations and data and application vulnerability.
This is one of the key phases where FAIR is applicable.

The Technology Architecture phase defines the infrastructure services. It is important that the risk analysis and assessments are drawing to conclusions and that there is now an understanding of the risks to the project and the enterprise.
The Technology Architecture often hosts the Security Architecture in relation to the project and the Enterprise. This view should be developed in conjunction with Security Operations so that new threats and vulnerabilities can be considered.
The analysis and assessment of risk during the Technology Architecture phase has close connections with the approach taken in Phase C.
The Opportunities and Solutions phase is the stage at which the solution is designed and all risk references and mitigations are acknowledged and gaps addressed. Enterprise Risk Management is prepared to adopt any accepted risks to the following:
• Risk to Personal Safety
• Risk of Disruption to Activities / Financial Loss
• Risk to the Management of Business Operations
• Risk to the Operations of Public Service
• Legal and Regulatory Obligations
While risk control may often prove to have a negative impact on solutions, it is important that Security Operations are able to acknowledge this and adjust security posture and monitoring to accommodate it.

In the Migration Planning phase, it is important to prioritize the Migration Projects through the conduct of a Cost/Benefit Assessment and Risk Validation. In this activity the architect reviews the risks documented in the Gaps, Solutions, and Dependencies Report and ensures that the risks for the project artifacts have been mitigated as much as possible.
The risks identified through Phases A to D, and all the required analysis and assessment, support the development of the Implementation and Migration Plan so as not to increase or trigger those risks.
The Implementation Governance phase establishes the connection between the architecture and the implementation organization. At this stage emphasis switches from risks within the conceptual architecture solution to risks to the physical environment and operations.
Phase G must ensure that all parties involved – Programme Governance, EA Governance and Enterprise Risk Management – conduct regular reviews of Risk Management during implementation. This is important during the transition with the business unit(s) involved.

The Architecture Change Management phase ensures that the architecture achieves its original target business value. This includes managing changes to the architecture in a cohesive and architected way.
This phase examines the range of possible risks across the Risk Spectrum. In response to an identified need, launch appropriate interventions such as ADM cycles or implementation projects.
Transition of conceptual risk into operational controlled risk
Those areas of risk defined by EA must transition into an area of control under general Enterprise Risk Management where risk is already baselined:
– Business Planning
– Operations Management
– Project and Programme Management

Capability Planning
[Figure: Capability Planning diagram. Boxes: Business Planning, Enterprise Architecture, Portfolio/Project Management, Operations Management. Flows: Business Direction, Structured Direction, Architectural Direction, Architectural Governance, Project Management Governance, Resources, Solution Development, Delivers, Runs the Enterprise. Risk states: Risk Baseline Managed, Risk Baseline Changed, New Risks identified or Key Risk Indicator changed, Risk Mitigated and controlled.]
FAIR Taxonomy
Risk
– Loss Event Frequency
  – Threat Event Frequency
    – Contact Frequency
    – Probability of Action
  – Vulnerability
    – Threat Capability
    – Resistance Strength
– Loss Magnitude
  – Primary Loss Factors
    – Asset Loss Factors
    – Threat Loss Factor
  – Secondary Loss Factors
    – Organization Loss Factors
    – External Loss Factors

Risk Impact
Corporate Risk Impact Assessment

Effect       | Frequent | Likely | Occasional | Seldom | Unlikely
Catastrophic | E        | E      | H          | H      | M
Critical     | E        | H      | H          | H      | M
Marginal     | H        | M      | M          | M      | L
Negligible   | M        | L      | L          | L      | L
Risk Assessment
Risk Identification and Mitigation Assessment Worksheet

Risk ID | Risk                 | Initial Risk: Effect | Frequency  | Impact | Mitigation             | Residual Risk: Effect | Frequency | Impact
23      | Lost Laptop          | Marginal             | Occasional | Medium | Remote Wipe Hard Drive |                       |           |
24      | Stolen Root Password | Critical             | Seldom     | High   | Two Factor Auth        |                       |           |

Business Impact Assessment Reference Tables

Likelihood 4 |  4 |  8 | 12 | 16
Likelihood 3 |  3 |  6 |  9 | 12
Likelihood 2 |  2 |  4 |  6 |  8
Likelihood 1 |  1 |  2 |  3 |  4
Impact       |  1 |  2 |  3 |  4

Red (8-16): Risks that require action to reduce the category (likelihood and/or impact) to amber and then green
Amber (4-6): Risks that require action to ensure that the effectiveness of existing control measures is monitored and improvements are made if required to reduce the category to green
Green (1-3): Risks that should be monitored to ensure that existing control measures continue to work and are effective

Primary Risk: Primary Loss Magnitude (LM) against Primary Loss Event Frequency (LEF)

LM \ LEF | VL | L  | M  | H  | VH
VH       | M  | H  | VH | VH | VH
H        | L  | M  | H  | VH | VH
M        | VL | L  | M  | H  | VH
L        | VL | VL | L  | M  | H
VL       | VL | VL | VL | L  | M
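The worksheet and the two reference tables above are easier to reason about when the register is kept as data and the initial-versus-residual comparison is done mechanically. The following Python is an added example, not code from the presentation or from Metaplexity Associates: it encodes the Effect x Frequency impact matrix and the Likelihood x Impact scoring grid with its Red/Amber/Green bands exactly as printed on the slides, loads the two worksheet risks, and checks whether each mitigation actually lowers the impact category. The residual ratings for the two risks are constructed assumptions (the slide leaves those cells blank), as is the `review` reporting function.

```python
"""Qualitative risk register: initial vs. residual scoring.

Added example, not from the presentation. Encodes the Effect x Frequency
impact matrix (codes E/H/M/L) and the 4x4 Likelihood x Impact grid with its
Red/Amber/Green bands from the slides. The two sample risks come from the
worksheet slide; their residual ratings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FREQUENCIES = ["Frequent", "Likely", "Occasional", "Seldom", "Unlikely"]

# Effect (rows) x Frequency (columns), exactly as on the slide.
IMPACT_MATRIX = {
    "Catastrophic": "EEHHM",
    "Critical":     "EHHHM",
    "Marginal":     "HMMML",
    "Negligible":   "MLLLL",
}
# Ordering of the impact codes, highest first, for comparing categories.
IMPACT_RANK = {"E": 3, "H": 2, "M": 1, "L": 0}


def impact(effect: str, frequency: str) -> str:
    """Qualitative impact code for an effect/frequency pair."""
    return IMPACT_MATRIX[effect][FREQUENCIES.index(frequency)]


def rag_band(likelihood: int, severity: int) -> Tuple[int, str]:
    """Numeric grid: score = likelihood * impact (each 1 to 4), banded per slide."""
    if not (1 <= likelihood <= 4 and 1 <= severity <= 4):
        raise ValueError("likelihood and impact are scored 1 to 4")
    score = likelihood * severity
    if score >= 8:
        return score, "Red"      # act to reduce the category
    if score >= 4:
        return score, "Amber"    # monitor control effectiveness, improve if needed
    return score, "Green"        # monitor that existing controls keep working


@dataclass
class Risk:
    risk_id: int
    description: str
    effect: str
    frequency: str
    mitigation: Optional[str] = None
    residual_effect: Optional[str] = None
    residual_frequency: Optional[str] = None

    def initial_impact(self) -> str:
        return impact(self.effect, self.frequency)

    def residual_impact(self) -> Optional[str]:
        """None when the residual rating has not been recorded yet."""
        if self.residual_effect is None or self.residual_frequency is None:
            return None
        return impact(self.residual_effect, self.residual_frequency)

    def mitigation_effective(self) -> bool:
        """True only if the residual category is strictly below the initial one."""
        residual = self.residual_impact()
        return (residual is not None
                and IMPACT_RANK[residual] < IMPACT_RANK[self.initial_impact()])


# Constructed register. Residual columns are assumptions: a remote wipe lowers
# the effect of a lost laptop but not how often laptops go missing; two-factor
# auth makes misuse of a stolen root password rarer but no less severe.
SAMPLE_REGISTER: List[Risk] = [
    Risk(23, "Lost Laptop", "Marginal", "Occasional",
         "Remote Wipe Hard Drive", "Negligible", "Occasional"),
    Risk(24, "Stolen Root Password", "Critical", "Seldom",
         "Two Factor Auth", "Critical", "Unlikely"),
]


def review(register: List[Risk]) -> List[str]:
    """One line per risk; flags mitigations that did not lower the category."""
    lines = []
    for r in register:
        initial, residual = r.initial_impact(), r.residual_impact()
        if residual is None:
            verdict = "residual not yet assessed"
        elif r.mitigation_effective():
            verdict = "mitigation reduces category"
        else:
            verdict = "WARNING: mitigation does not reduce category"
        lines.append(f"{r.risk_id} {r.description}: {initial} -> {residual} ({verdict})")
    return lines


if __name__ == "__main__":
    for line in review(SAMPLE_REGISTER):
        print(line)
    print(rag_band(2, 4))  # -> (8, 'Red')
```

The strict inequality in `mitigation_effective` is deliberate: a control that changes the frequency or effect without moving the risk to a lower cell of the matrix has not changed the category the organisation is accepting, which is the residual-risk question the worksheet exists to answer.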
FAIR entities Modeled with ArchiMate
[Figure: FAIR entities modeled with ArchiMate]

Using FAIR to assess an Insider Attack
Risk – Insider Attack
– LEF – Frequency Low to Med
  – TEF – Unknown to Low
    – Contact Frequency – Regular through reconnaissance or scanning
    – Probability of Action – Med to High if the Asset is of high value
  – Vulnerability – based upon security and asset configurations
    – Threat Capability – Significant to Limited
    – Resistance Strength – based upon security capability
– Loss Magnitude – Med to High
  – Primary Loss Factors
    – Asset Loss Factors – using the Confidentiality, Integrity and Availability Model
    – Threat Loss Factor – derived from our Threat Assessment or CAPEC
  – Secondary Loss Factors
    – Organization Loss Factors – built from our Business Impact Assessment
    – External Loss Factors – built from our Business Impact Assessment
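The taxonomy slide gives the shape of a FAIR analysis and the insider-attack slide fills its leaves with ranges such as "Med to High". The Python below is an added example, not code from the presentation or from The Open Group: it walks the taxonomy bottom-up (Contact Frequency and Probability of Action into Threat Event Frequency, Threat Capability against Resistance Strength into Vulnerability, then Loss Event Frequency) and finishes with the Primary Risk table (LM x LEF) printed on the earlier slide. The ordinal combination rules for the intermediate nodes are simplifications assumed here for illustration; the FAIR standard supplies its own derivation tables. Because the inputs are ranges, the estimator evaluates every corner of the input space and reports the min and max reached at each node, which is the honest way to show how wide the resulting risk estimate is. The mapping of the slide's wording to the five-point scale (e.g. "Regular" as H, "Limited to Significant" as L to H) and the assumed M Resistance Strength are also assumptions.

```python
"""FAIR-style qualitative risk estimate with range propagation.

Added example, not from the presentation or The Open Group. PRIMARY_RISK is
the LM x LEF table from the slides; the rules in threat_event_frequency,
vulnerability and loss_event_frequency are assumed ordinal simplifications,
not the FAIR standard's own derivation tables.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

SCALE = ["VL", "L", "M", "H", "VH"]
Range = Tuple[str, str]   # (low end, high end) on SCALE

# Rows: Loss Magnitude (LM); columns: Loss Event Frequency (LEF) from VL to VH.
PRIMARY_RISK: Dict[str, List[str]] = {
    "VH": ["M", "H", "VH", "VH", "VH"],
    "H":  ["L", "M", "H", "VH", "VH"],
    "M":  ["VL", "L", "M", "H", "VH"],
    "L":  ["VL", "VL", "L", "M", "H"],
    "VL": ["VL", "VL", "VL", "L", "M"],
}


def rank(lvl: str) -> int:
    return SCALE.index(lvl)


def level(r: int) -> str:
    """Clamp an ordinal rank back onto the five-point scale."""
    return SCALE[max(0, min(len(SCALE) - 1, r))]


def threat_event_frequency(contact: str, prob_action: str) -> str:
    # Assumed rule: a threat event needs both contact and a decision to act,
    # so TEF is bounded by the weaker of the two.
    return level(min(rank(contact), rank(prob_action)))


def vulnerability(threat_capability: str, resistance: str) -> str:
    # Assumed rule: capability equal to resistance gives M; each step the
    # threat exceeds the control raises vulnerability by one level.
    return level(2 + rank(threat_capability) - rank(resistance))


def loss_event_frequency(tef: str, vuln: str) -> str:
    # Assumed rule: loss events can be no more frequent than threat events,
    # nor than the share of them the controls fail to resist.
    return level(min(rank(tef), rank(vuln)))


def primary_risk(lm: str, lef: str) -> str:
    """Lookup in the slide's Primary Risk table."""
    return PRIMARY_RISK[lm][rank(lef)]


def derive(cf: str, poa: str, tcap: str, rs: str, lm: str) -> Dict[str, str]:
    """Point estimate: every node of the taxonomy for one set of leaf values."""
    tef = threat_event_frequency(cf, poa)
    vuln = vulnerability(tcap, rs)
    lef = loss_event_frequency(tef, vuln)
    return {"TEF": tef, "Vulnerability": vuln, "LEF": lef,
            "Risk": primary_risk(lm, lef)}


@dataclass
class FairInputs:
    contact_frequency: Range
    probability_of_action: Range
    threat_capability: Range
    resistance_strength: Range
    loss_magnitude: Range


def estimate_range(inp: FairInputs) -> Dict[str, Range]:
    """Evaluate every corner of the input ranges; report min..max per node."""
    leaves = [inp.contact_frequency, inp.probability_of_action,
              inp.threat_capability, inp.resistance_strength, inp.loss_magnitude]
    outcomes = [derive(*corner) for corner in product(*leaves)]
    result: Dict[str, Range] = {}
    for node in outcomes[0]:
        ordered = sorted((o[node] for o in outcomes), key=rank)
        result[node] = (ordered[0], ordered[-1])
    return result


# Constructed from the insider-attack slide: "Regular" contact -> H,
# "Med to High" action -> (M, H), "Limited to Significant" capability -> (L, H),
# "Med to High" loss magnitude -> (M, H). Resistance Strength of M is assumed.
INSIDER_ATTACK = FairInputs(
    contact_frequency=("H", "H"),
    probability_of_action=("M", "H"),
    threat_capability=("L", "H"),
    resistance_strength=("M", "M"),
    loss_magnitude=("M", "H"),
)

if __name__ == "__main__":
    for node, (lo, hi) in estimate_range(INSIDER_ATTACK).items():
        print(f"{node:14s} {lo} .. {hi}")
```

The spread in the result (Risk from L to VH for the inputs above) is the point of carrying ranges through rather than single values: it shows which leaf, here Threat Capability against an assumed Resistance Strength, dominates the uncertainty and therefore where the architect should spend effort narrowing the estimate before presenting it to Enterprise Risk Management.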
Risks when an asset's lifecycle is extended and it operates without Vendor support
Risk – System Failure
– Loss Event Frequency
  – Threat Event Frequency
    – Contact Frequency
    – Probability of Action
  – Vulnerability
    – Threat Capability
    – Resistance Strength
– Loss Magnitude
  – Primary Loss Factors
    – Asset Loss Factors
    – Threat Loss Factor
  – Secondary Loss Factors
    – Organization Loss Factors
    – External Loss Factors

Summary
• Risk Management protects value by reducing the magnitude and frequency of risks and vulnerabilities.
• There are various types of enterprise risks that need to be managed.
• TOGAF provides a basic framework for Enterprise Risk Management.
• The FAIR framework and Risk Management framework provide a more sophisticated approach.
• A Business Capability for Risk Management could apply the FAIR standard to improve Risk Analysis.