Building Risk Management into Enterprise Architecture
Posted on 28-Nov-2014
11/16/13
William Estrem
Abstract
This presentation examines how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, it focuses on The Open Group Risk Management Taxonomy and Risk Assessment standards.
2 © 2013 - Metaplexity Associates® LLC - All Rights Reserved.
What we will cover
• What is Risk Management?
• How is Risk Management treated in Enterprise Architecture?
• What are some types of Enterprise Risk Management?
• Can we define a Business Capability for Risk Management?
• What are the FAIR Taxonomy and Risk Analysis Standards?
• Can FAIR and other standards be used together to improve Enterprise Risk Management Capability?
Risk is a natural part of the business landscape.
If left unmanaged, the uncertainty can spread like weeds.
If managed effectively, losses can be avoided and benefits obtained.
Source: RiskIT. IT Governance Institute
A Fine Balance Between Risk and Reward
• Enterprise Risk Management
  – Aligning risk appetite and strategy
  – Enhancing risk response decisions
  – Reducing operational surprises and losses
  – Identifying and managing multiple and cross-enterprise risks
  – Seizing opportunities
  – Improving deployment of capital
Source: Enterprise Risk Management – Integrated Framework, COSO (2004).
Levels of Risk
• According to the TOGAF standard, there are two levels of risk that should be considered:
  – Initial Level of Risk: risk categorization prior to determining and implementing mitigating actions.
  – Residual Level of Risk: risk categorization after implementation of mitigating actions (if any).
Risk Management Process
Classify → Identify → Evaluate → Respond → Monitor
General Risk Management Approach
• Define the risk assessment approach of the organization
• Identify the risks
• Analyze and evaluate the risks
• Identify and evaluate options for the treatment of risks
• Select control objectives and controls for the treatment of risks
• Obtain management approval of the proposed residual risks
Source: ISO 27001
Some Types of Enterprise Risk
• Financial Risk
• Market Risk
• Operation Risk
• Safety Risk
• Information Risk
• Design Risk
• Product Risk
Risk Spectrum: challenges based upon stakeholder concerns
• Commercial and Economic Risk
• Risk of Loss of Goodwill or negative effect on Reputation
• Risk to Personal Safety
• Risk of Disruption to Activities and Financial Loss
• Risk on the Management of Business Operations
• Risk on the Operations of Public Service
• Legal and Regulatory Obligations
• Risk to technology, information and intellectual property
How do we take this wide range of risk areas into consideration in Enterprise Architecture planning activities?
Enterprise Risk Management and Corporate Governance
The governing board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the enterprise
• Being aware that the final responsibility for risk management rests with the board
• Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency
• Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited
• Insisting that risk management be embedded in the operation of the enterprise
Source: Board Briefing on IT Governance, IT Governance Institute, 2nd Edition, 2004
Risk Management Approaches
• COSO – Financial Reporting, Internal Audit
• FAIR – Information Security
• RiskIT – IT Risk
• ISO 31000 – Risk Management General Principles and Guidelines
• CRAMM – UK OGC General Risk Management Framework
• ISO 27000 – ISO Series on Information Security Standards
• NIST 800 – US standards for Computer Security
• OCTAVE – CERT Strategic Information Risk Assessment
• OGC's Management of Risk (MoR)
• UK CESG – Good Practice Guides
Risk Assessment Viewpoints
• Objectivist, or frequentist, view
  – Probabilities obtained from repetitive historical data
• Subjectivist, or Bayesian, view
  – Risk is, in part, a judgment of the observer, or a property of the observation process, and not solely a function of the physical world.
  – Objective data complemented by other information.
Source: Borison, A. and Hamm, G. 2010. How to Manage Risk (After Risk Management Has Failed). Sloan Management Review.
Factor Analysis of Information Risk
• The Risk Analysis Standard is intended to be used with the Risk Taxonomy Standard, which defines the FAIR taxonomy for the factors that drive information security risk.
• Together, these two standards comprise a body of knowledge in the area of FAIR-based information security risk analysis.
Risk Analysis using FAIR
• Stage 1: Identify scenario components
  – Identify the asset at risk
  – Identify the threat community
• Stage 2: Evaluate Loss Event Frequency (LEF)
  – Estimate probable Threat Event Frequency (TEF)
  – Estimate Threat Capability (TCap)
  – Estimate Control Strength (CS)
  – Derive Vulnerability (Vuln)
  – Derive Loss Event Frequency (LEF)
• Stage 3: Evaluate Probable Loss Magnitude (PLM)
  – Estimate worst-case loss
  – Estimate Probable Loss Magnitude (PLM)
• Stage 4: Derive and articulate risk
FAIR Taxonomy
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factor
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors
Broader Applicability?
Although the concepts and standards within the FAIR Standard were not developed with the intention of being applied towards other risk types, experience has demonstrated that they can be effectively applied to other risk types.
Risk and the TOGAF Standard
• Risk already plays an important part in the TOGAF standard, but we recognize that there are perhaps improvements and innovations to add.
• Over the next set of slides we will look more closely at risk within the ADM.
Loss, Threat and Vulnerability and the EA Context
• Enterprise Architects should work with specialist resources to determine the true cost of any loss, but to help determine this the architect has to provide the context.
• Context is defined via the Content Metamodel through the development of Building Blocks.
• Each Building Block can be examined through ADM techniques that will provide specific information and support for more detailed Risk Management understanding.
• Use Building Blocks to:
  – define the variety of asset types
  – assess the threat to the assets and their vulnerability
  – determine the relationships between assets and their interdependencies
TOGAF viewpoints that support Risk Analysis
• Viewpoints enable the Architect to build context for a risk model and assessment:
  – Location Catalog
  – Business Service / Function Catalog
  – Interface Catalog
  – Business Service / Information Diagram
  – Application and User Location Diagram
  – Solution Concept Diagram
  – System Use-Case Diagram, including Mis-Use Cases
  – Role / System Matrix
  – System / Data Matrix
  – System / Organisation Matrix
  – Application Interaction Matrix
  – Business Interaction Matrix
  – System Technology Matrix
Applying Risk Methods to the ADM

ADM phase                       | Requirements                                                                                                      | Risk Analysis Method
Preliminary                     | To define approach and methods in accordance with customer or programme                                           |
Vision                          | To define the risk landscape to a programme or enterprise requirements                                            | Strategic Threat Scenarios, Risk Spectrum
Business Architecture           | To formalize the risk model defined in the vision stage against the business and the application at later stages | Tactical Threat Scenarios
Information System Architecture | To apply to information architecture                                                                              | FAIR, SANS, ISO, NIST, OCTAVE
Technology Architecture         | To apply to technology architecture                                                                               | FAIR, SANS, ISO, NIST, OCTAVE
Opportunities & Solutions       | To check and agree risk                                                                                           | FAIR, SANS, ISO, NIST, OCTAVE
Migration Planning              | Programme Management Risk                                                                                         | CRAMM, ARM
Implementation Governance       | Programme Management Risk                                                                                         | CRAMM, ARM
EA Change Management            | Programme Management Risk                                                                                         | Scenarios, CRAMM, ARM

Control column (all phases): Risk Management
In the Preliminary stage:
• Establish a relationship with Enterprise Risk Management
• Appoint the architects responsible for risk management and analysis
• Determine and agree standards and controls to support Risk Management
• Scope the part of the organisation impacted and under change
• Assess appetite / tolerance to risk
• Discuss with key stakeholders the impact of the architecture change to the business and the potential commercial and economic risks associated
• Understand the secondary losses such as loss of goodwill or reputation
[Figure: TOGAF ADM cycle – Preliminary; A Architecture Vision; B Business Architecture; C Information Systems Architectures; D Technology Architecture; E Opportunities & Solutions; F Migration Planning; G Implementation Governance; H Architecture Change Management; Requirements Management at the centre]
In the Architecture Vision phase:
• Understand Stakeholder Concerns and subsequent mitigations
• Use threat scenarios to analyze the vision described by the Business Scenario
• Assess readiness for Transformation, thereby identifying transformation risk and mitigation
• Measure against maturity model assessments and the approach to requirements management
• Identify initial risk management requirements
In the Business Architecture phase, methods at this stage which are able to support risk management and analysis:
• Capability Assessment
• Gap analysis
• Business principles, business goals, and business drivers
Activities at this stage will help ascertain risk to Commercial and Economic aspects of the organisation as well as risks to business operations and public service operations if applicable.
Building Blocks and views of Location, Function, Process and Business Services can be analyzed using threat scenarios, threat sources and threat actors.
In the Information Systems Architecture phase the key activity is to determine any risk to application systems and the data they hold.
The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. This will help the Architect determine Legal and Regulatory Obligations and data and application vulnerability.
This is one of the key phases where FAIR is applicable.
The Technology Architecture phase defines the infrastructure services. It is important that the risk analysis and assessments are drawing to a conclusion and that there is now an understanding of the risks to the project and the enterprise.
The Technology Architecture often hosts the Security Architecture in relation to the project and the Enterprise. This view should be developed in conjunction with Security Operations so that new threats and vulnerabilities can be considered.
The analysis and assessment of risk during the Technology Architecture phase has close connections with the approach taken in Phase C.
The Opportunities and Solutions phase is the stage at which the solution is designed and all risk references and mitigations acknowledged and gaps addressed.
Enterprise Risk Management is prepared to adopt any accepted risks to the following:
• Risk on Personal Safety
• Risk of Disruption to Activities/Financial Loss
• Risk on the Management of Business Operations
• Risk on the Operations of Public Service
• Legal and Regulatory Obligations
While risk control may often prove to have a negative impact on solutions, it is important that Security Operations are able to acknowledge this and adjust security posture and monitoring to accommodate it.
In the Migration Planning phase, it is important to prioritize the Migration Projects through the conduct of a Cost/Benefit Assessment and Risk Validation.
In this activity the architect reviews the risks documented in the Gaps, Solutions, and Dependencies Report and ensures that the risks for the project artifacts have been mitigated as much as possible.
The risks identified through Phases A to D, and all the required analysis and assessment, support the development of the Implementation and Migration Plan so as not to increase or trigger those risks.
The Implementation Governance phase establishes the connection between the architecture and the implementation organization. At this stage emphasis switches from risks within the conceptual architecture solution to risks to the physical environment and operations.
Phase G must ensure that all parties involved – Programme Governance, EA Governance and Enterprise Risk Management – conduct regular reviews of Risk Management during implementation. This is important during the transition with the Business unit(s) involved.
The Architecture Change Management phase ensures that the architecture achieves its original target business value. This includes managing changes to the architecture in a cohesive and architected way.
This phase examines the range of possible risks across the Risk Spectrum. In response to identified needs, it launches appropriate interventions such as new ADM cycles or implementation projects.
Transition of conceptual risk into operational controlled risk
Those areas of risk defined by EA must transition into an area of control under general Enterprise Risk Management where risk is already baselined:
– Business Planning
– Operations Management
– Project and Programme Management
[Figure: capability relationships – Business Planning, Capability Planning, Enterprise Architecture, Portfolio/Project Management, Solution Development and Operations Management, linked by Business Direction, Structured Direction, Architectural Direction, Architectural Governance, Management Governance, Resources, Delivers / Delivers Project and Runs the Enterprise. Risk annotations on the links: Risk Baseline Managed; Risk Baseline Changed; Risk Mitigated and controlled; New Risks identified or Key Risk Indicator changed]
Risk Impact
Corporate Risk Impact Assessment (Effect × Frequency)

Effect       | Frequent | Likely | Occasional | Seldom | Unlikely
Catastrophic | E        | E      | H          | H      | M
Critical     | E        | H      | H          | H      | M
Marginal     | H        | M      | M          | M      | L
Negligible   | M        | L      | L          | L      | L
Risk Assessment
Risk Identification and Mitigation Assessment Worksheet

Risk ID | Risk                 | Initial Effect | Initial Frequency | Initial Impact | Mitigation             | Residual Effect | Residual Frequency | Residual Impact
23      | Lost Laptop          | Marginal       | Occasional        | Medium         | Remote Wipe Hard Drive |                 |                    |
24      | Stolen Root Password | Critical       | Seldom            | High           | Two Factor Auth        |                 |                    |

(The residual risk columns are left blank on the slide.)
Business Impact Assessment Reference Tables

Score = Likelihood × Impact, each scored 1 to 4:

Likelihood \ Impact | 1 | 2 | 3  | 4
4                   | 4 | 8 | 12 | 16
3                   | 3 | 6 | 9  | 12
2                   | 2 | 4 | 6  | 8
1                   | 1 | 2 | 3  | 4

Red (8-16): Risks that require action to reduce the category (likelihood and/or impact) to amber and then green
Amber (4-6): Risks that require action to ensure that the effectiveness of existing control measures is monitored and improvements made if required to reduce the category to green
Green (1-3): Risks that should be monitored to ensure that existing control measures continue to work and are effective
Primary Risk (Primary Loss Magnitude (LM) × Primary Loss Event Frequency (LEF))

LM \ LEF | VL | L  | M  | H  | VH
VH       | M  | H  | VH | VH | VH
H        | L  | M  | H  | VH | VH
M        | VL | L  | M  | H  | VH
L        | VL | VL | L  | M  | H
VL       | VL | VL | VL | L  | M
FAIR entities Modeled with ArchiMate
Using FAIR to assess an Insider Attack

Risk – Insider Attack
  Loss Event Frequency – Low to Med
    Threat Event Frequency – Unknown to Low
      Contact Frequency – Regular, through reconnaissance or scanning
      Probability of Action – Med to High if the asset is of high value
    Vulnerability – based upon security and asset configurations
      Threat Capability – Significant to Limited
      Resistance Strength – based upon security capability
  Loss Magnitude – Med to High
    Primary Loss Factors
      Asset Loss Factors – using the Confidentiality, Integrity and Availability model
      Threat Loss Factor – derived from our Threat Assessment or CAPEC
    Secondary Loss Factors
      Organization Loss Factors – built from our Business Impact Assessment
      External Loss Factors – built from our Business Impact Assessment
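The four-stage FAIR walk-through, the worksheet's initial versus residual levels of risk and the Primary Risk grid, carried through in Python for the insider attack scenario above. This is an added example, not code from the presentation or from The Open Group standards: the Corporate Risk Impact table and the Primary Risk grid are transcribed from the slides, while the numeric TEF and loss ranges, the thresholds that bucket them onto the VL..VH scale, the heuristic that derives Vulnerability from Threat Capability versus Resistance Strength, the asset name and all function names are assumptions made for illustration.

```python
"""FAIR-style risk derivation for the walk-through in this deck.

Added example, not code from the presentation or from The Open Group standards.
The impact table and the Primary Risk grid are transcribed from the slides; the
numeric ranges, the LEF/LM bucketing thresholds and the TCap-vs-RS vulnerability
heuristic are assumptions for illustration and must be calibrated per organisation.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

LEVELS = ["VL", "L", "M", "H", "VH"]  # FAIR qualitative scale

# Corporate Risk Impact Assessment (from the deck): effect x frequency -> E/H/M/L
FREQUENCIES = ["Frequent", "Likely", "Occasional", "Seldom", "Unlikely"]
IMPACT_TABLE = {
    "Catastrophic": "E E H H M".split(),
    "Critical":     "E H H H M".split(),
    "Marginal":     "H M M M L".split(),
    "Negligible":   "M L L L L".split(),
}
# Primary Risk grid (from the deck): rows = Loss Magnitude, columns = LEF VL..VH
RISK_GRID = {
    "VH": "M H VH VH VH".split(),
    "H":  "L M H VH VH".split(),
    "M":  "VL L M H VH".split(),
    "L":  "VL VL L M H".split(),
    "VL": "VL VL VL L M".split(),
}
# ASSUMED bucketing of quantitative ranges onto VL..VH (upper bounds, exclusive)
LEF_BOUNDS = [0.1, 1.0, 10.0, 100.0]  # loss events per year
LM_BOUNDS = [1e4, 1e5, 1e6, 1e7]      # currency units per loss event


def impact_rating(effect: str, frequency: str) -> str:
    """Worksheet rating, e.g. a Marginal/Occasional lost laptop -> M."""
    return IMPACT_TABLE[effect][FREQUENCIES.index(frequency)]


def primary_risk(lef: str, lm: str) -> str:
    """Stage 4: combine qualitative LEF and LM through the Primary Risk grid."""
    return RISK_GRID[lm][LEVELS.index(lef)]


def bucket(value: float, bounds: list[float]) -> str:
    """Map a number onto VL..VH; at or above the last bound is VH."""
    for level, upper in zip(LEVELS, bounds):
        if value < upper:
            return level
    return LEVELS[-1]


@dataclass(frozen=True)
class Scenario:
    """Stage 1 output plus the stage 2/3 estimates, each as a (low, high) range."""
    name: str
    asset: str
    threat_community: str
    tef: tuple[float, float]  # Threat Event Frequency, events per year
    tcap: str                 # Threat Capability, VL..VH
    rs: str                   # Resistance (control) Strength, VL..VH
    lm: tuple[float, float]   # Primary Loss Magnitude per loss event

    def vulnerability(self) -> tuple[float, float]:
        """Stage 2: probability a threat event becomes a loss event. ASSUMED
        heuristic: 0.5 when TCap == RS, +/-0.2 per level of difference,
        clamped to [0.05, 0.95] and reported as a +/-0.05 band."""
        gap = LEVELS.index(self.tcap) - LEVELS.index(self.rs)
        p = max(0.05, min(0.95, 0.5 + 0.2 * gap))
        return (p - 0.05, p + 0.05)

    def derive(self) -> dict:
        """Stages 2-4: LEF = TEF x Vuln, ALE = LEF x LM, then the qualitative
        rating taken on the high end of each range (a conservative choice)."""
        v_lo, v_hi = self.vulnerability()
        lef = (self.tef[0] * v_lo, self.tef[1] * v_hi)
        ale = (lef[0] * self.lm[0], lef[1] * self.lm[1])
        lef_level, lm_level = bucket(lef[1], LEF_BOUNDS), bucket(self.lm[1], LM_BOUNDS)
        return {"vuln": (v_lo, v_hi), "lef": lef, "ale": ale, "lef_level": lef_level,
                "lm_level": lm_level, "risk": primary_risk(lef_level, lm_level)}


def insider_example() -> dict:
    """Initial vs residual risk (TOGAF's two levels) for the deck's insider attack
    scenario. Every number here is constructed for the example."""
    initial = Scenario(
        name="Insider attack", asset="customer database (hypothetical)",
        threat_community="privileged insiders",
        tef=(0.5, 2.0),    # 'unknown to low': one attempt per two years up to two a year
        tcap="H", rs="L",  # 'significant' capability against weak current controls
        lm=(2e5, 2e6),     # 'med to high' primary loss per event
    )
    residual = replace(initial, rs="VH")  # mitigation: e.g. two-factor auth + monitoring
    return {"initial": initial.derive(), "residual": residual.derive()}


if __name__ == "__main__":
    for stage, r in insider_example().items():
        print(f"{stage}: LEF {r['lef'][0]:.2f}-{r['lef'][1]:.2f}/yr, "
              f"ALE {r['ale'][0]:,.0f}-{r['ale'][1]:,.0f}, risk {r['risk']}")
```

With these constructed inputs the initial scenario lands at LEF "M" against LM "H", which the grid rates "H"; raising Resistance Strength to "VH" drops the derived Vulnerability and hence LEF to "L", and the residual rating falls to "M". Keeping every estimate as a range rather than a point makes the worst-case loss from Stage 3 visible alongside the expected case, and the same `impact_rating` lookup reproduces the Medium and High entries on the worksheet.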
Risks when an asset's lifecycle is extended and it operates without vendor support

Risk – System Failure
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factor
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors
(The factor values for this scenario are not filled in on the slide.)
Summary
• Risk Management protects value by reducing the frequency and magnitude of loss events.
• There are various types of enterprise risks that need to be managed.
• TOGAF provides a basic framework for Enterprise Risk Management.
• The FAIR Risk Taxonomy and Risk Analysis standards provide a more sophisticated approach.
• A Business Capability for Risk Management could apply the FAIR standard to improve Risk Analysis.