Most companies collect large amounts of vulnerability data but face significant information security risks. RiskView provides a fact-based, scalable, and repeatable framework to help organizations identify and prioritize the most material security risks from their data. It normalizes risk scores based on the potential business impact and helps focus remediation efforts on the risks that matter most. The presentation introduces RiskView and its features for collecting, analyzing, and visualizing security risk data to support risk management decisions.

1. Rev2 IT Information SecurityRisk ManagementFebruary 26, 2010

2. Today’s DiscussionAgendaRev2 IntroductionRiskView FrameworkExamplesNext StepsGoalsIntroduce RiskViewTMa decision support system which helps identify and focus on business-material risksUnderstand your risk-management focus areas & processes2

3. Rev2 Risk ManagementInfoSec RiskSupply Chain RiskService Delivery RiskRiskView replaces ad-hoc processes with aFact-based, Scalable, Repeatable FrameworkIdentify under controlled risk via business viewsFocus on the most material drivers“What-if” controls testing

4. ButBig ExposurePlenty of DataInfo sec tools and services regularly identify 100,000’s vulnerabilitiesTodayRiskView provides a fact-based, scalable, repeatable process4Most companies collect large vulnerability data sets, but face big material risk in information security. Because…Reactive response

5. Perception vs. facts

6. Wasted money

7. On-going vulnerabilityValue is limited by…Data silos

8. Inconsistent data

9. Wrong metrics

10. Changing process

11. Inadequate toolsHow do you prioritize 1 Million vulnerabilities?

12. StructureSystemsToolsInfo Sec Risk Mgt requires a formal strategy and organization approachAn on-going formal process is needed to meet goals and execute strategySpecial tools are required to consistently and efficiently analyze large data setsKey Elements IncludeLeadership– To coordinate across business units

13. Metrics—Consistent metrics for materiality of business impact

14. Risks and Policies—To identify risks and define policies to limit exposure

15. Compliance—Regular evaluations to learn policy compliance and violations

16. Risk Updates—Regular reviews for materiality score changes

17. Measures and Actions—Regular risk assessments with next steps to fix key findings