IT Risk Management
Tice Morgan, CISSP
[email protected]
TRANSCRIPT
Introduction
• Realizing opportunities for gains
  – Minimize vulnerabilities or attack vectors
  – Mitigate or compensate for losses
• Consisting of phases
  – Continuous performance improvement
  – Fostering awareness for decision-making
Definition of Scope/Framework
• Defines the parameters in which risks are managed
• Includes the definitions and assumptions
  – Internal environments
  – External environments
• Core processes
• Competitive areas
• Valuable assets
Consistent approach
• Clarify and gain common understanding of organization objectives
• Identify the environment in which Risk Management objectives are set
• Specify the scope and objectives for the Risk Management program
  – Applicable restrictions or specific conditions
  – What outcomes are required
Criteria
• Develop the set of criteria against which the risk will be measured
• Define the key elements for structuring the risk identification and assessment process
• Develop the reporting mechanics and presentation of findings
• Determine roles and responsibilities
Define the External Environment
• Some examples of external environments:
  – The local market, the business, competition and customers
  – Financials, in some cases the political environment
  – The law (local and/or international implications)
  – Social and cultural conditions
  – External stakeholders, business partners or third party services
External regulation
• Sarbanes-Oxley
• Payment Card Industry (PCI)
• EU Directive
• Privacy
• Environmental Protection Agency
• Federal Trade Commission
• Location specific (e.g. China)
Specific external examples
• Third party services
• External auditors
• Business partners
• Supply chains
• Vendors
• Remote users
• Virtual workforces
• Most importantly, customers…
Define the Internal Environment
• Some examples of internal environments
  – Core business process
  – Key business drivers
  – Organization strengths, weaknesses, opportunities and threats
  – Internal stakeholders
  – Organizational structure and culture
  – Assets
    • People, systems, process and capital
  – Goals/objectives and the strategies required to achieve them
  – Architecture of the environment (keep it in context…)
  – Tactical solutions based on emerging technology/trends
  – Baselines, policy, and the procedural aspects as such
Environment Defined
• Regulatory requirements applicable to your organization
• Process in which external and internal services are to be assessed
• We have the criteria to assess these environments
• We can organize the information based on business impact and resource criticality
• We can develop the timeline in which to assess
• Associate a lifecycle with the assessment process
Generate the risk management context
• Provide a balance between costs, benefits and opportunities
• Set the scope and boundary of the Risk Management process
• Define:
  – Organization, process, project or activity to be assessed
  – Duration of the project, activity or function (prioritization)
  – Scope of Risk Management activities to be carried out; specify inclusions and exclusions (assessment process)
  – Roles and responsibilities of the various parts of the organization participating (stakeholders)
  – Project or activity dependencies, and how they pertain to other parts of the organization (generals)
Risk Criteria
• Must be decided and agreed upon
• Usually based on:
  – Operational
  – Technical
  – Financial
  – Regulatory
  – Legal
  – Social or environmental
• Related to the organization
  – Policy and procedure
  – Evaluation mechanisms
• Impact criteria and the kinds of consequences for consideration
• Likelihood of occurrence
• Rules that determine
  – Further treatment/mitigation
  – At what risk level certain functions interject
Asset Identification
• Sometimes known as resource characterization
• Initial step in the Risk Management process
• Criticality of the resources typically defined
• Sets the stage for the rest of the process
  – Frequency of assessments
  – Level of assessment
Asset considerations
• Systems
• People
• Process
• Capital
• Time
• Importance
• Availability of information
• Integrity of information
• Information itself
• Technical ability of the assessment team
• Stakeholders and requirements for participation
• Portal environment or mechanism for information collection
• Must have a mechanism to effect change
  – This holds throughout the entire process
Policy and Procedure
• I wanted to bring this up now as a discussion point
  – Policy development is paramount to the process
  – Within the COBIT framework, we have the foundation for compliance efforts
  – The Risk Management process must evaluate the policy aspects and impacts to the organization
Little more on Policy
• IT policy should create a consistent and symbiotic approach to business requirements
• When you deal with risk, it is important to understand that technical controls will not solve all of the risks
• Policy can be your instrument of awareness
  – Clear, concise policy statements become the baseline for configurations, operations, and managerial aspects of risk management
  – As an example…
Let's consider security tenets
• 1a) We must identify users
• 1b) We must authenticate users
• 1c) We must authorize users
• 2a) We must maintain confidentiality (information)
• 2b) We must maintain the integrity (information)
• 3) Ensure the availability of resources or information
• 4) We must be able to control access to information
• 5a) We must audit activity
• 5b) We must be able to report on critical elements
• 6) We must be able to control changes
Back to resource characterization
• We have defined the internal and external environment
• We know the assets for the resource
• We must now characterize the assets
• Security tenets are defined, so we have our baselines
• We have classified the data
• Cost conscious, so we are only going to apply the controls that prove most cost effective
  – Ahh, but how do we do that…
What threats do we have
• This is the most subjective aspect of Risk Management
• Each organization will understand threats differently
• Historical data can be paramount in easing this process
• This is where a teamed approach can provide the most benefit
We can now start the risk assessment process
• Let's consider the threats applicable to the resource
• We must also evaluate the vulnerabilities as well
• What policy guidance do we have? We must consider policy as a tool for threat identification
• What elements of the team can we leverage
Common Threats
• Origin of the threat
  – Intentional or not
• Activity, event, incident
  – Natural disaster, unauthorized disclosure, theft
• Consequence or impact
  – Penalties, availability
• Reason for occurrence
  – Design, human error, procedure breakdown
• Protections
  – Detection, training
• Time and place of occurrence
  – Environmental conditions
How we can develop this
• Team-based brainstorming
  – Different experiences, across the org
• Structured techniques, flow charting
  – Design reviews, operational modeling
• “What-if” scenarios, less clearly defined
  – Strategic risks, worst case scenarios
• Compliance, baselines
  – Industry best practice, frameworks, internal experience…
Key considerations
• Regulatory requirements
  – Industry specific, market specific
• Encompass operational, technical or human threats
  – Intentional or non-intentional actions
Vulnerability identification
• Focus is generally on the more technical aspects
  – System or OS specific items
• Must consider design elements
  – SDLC improvement
• Must help drive operational considerations
• Typically, or should I say hopefully…
  – Automation based
  – Must be kept up to date
  – Proactive versus reactive
How do we do it?
• Free vulnerability assessment applications
• Who performs the role
  – Technical aptitude
• Analysis of relevant identified vulnerabilities
• Scope the scans; too much at one time is not a good thing
• Frequency, and address critical findings
• Reporting characteristics
• Information dissemination
  – Paramount with in-house SD
• Must learn from these exercises
• Nessus is highly recommended if in-house
• Appliance-based solutions require little management
• If you can afford it, have it 3rd party managed
  – Consider PCI
• Maintain statistical information if feasible
• Demonstration of progress helps justify expenditure
• Keep it clean and high level
• Classify and protect the documents; these are your vulnerabilities after all
Analysis
• This is the phase, after threats and vulnerabilities are identified, in which we assess the nature and impact
• We must understand the level of risk
• What will require treatment
• What is the most cost effective methodology
• Assess the appropriateness of treatment options as well
Summarize
• Performed a thorough examination of the risk sources
  – These are the threats and vulnerabilities
• The positive or negative consequences
  – Positive can be considered savings
  – Negative can be considered losses
  – The balancing act…
• What is the likelihood of occurrence, and the factors that affect it
• Lastly, what aspects are in place that minimize risk
  – Derivatives from a wider set of standards, controls or best practices
  – Selected according to applicability or from previous risk treatment activities
  – The perspective correlated from an organizational risk stance
Information and Technique
• Past experiences or data
• Reliable, proven practices
  – Frameworks, peer review
• Research and analysis
• Experiments or prototypes
• Economic or engineering disciplines
• Specialists and expert advice
• Interviews with experts in the area of interest
  – Questionnaires
  – Consultants
• Existing modeling techniques
  – Market research
  – Technical write-ups
  – Trend data
  – Statistical records
• Simulations
  – Response exercises
  – Past experience
  – Activity analysis
• Industry practice
  – SANS, COBIT, NIST
Qualitative or Quantitative?
• Qualitative analysis: magnitude and likelihood of potential consequences are presented and described in detail
  – Scales adjusted to suit circumstances
  – Different descriptions may be used for different risks
• Quantitative analysis uses numerical values that are assigned to impact and likelihood
  – Derived from a variety of sources
  – Quality is dependent upon the accuracy of the assigned values
  – Validity of the statistical model must be evaluated
Descriptive
• Qualitative
  – Initial assessment to identify risks
  – Subject to further, detailed analysis
  – Non-tangible risks are to be considered
    • Reputation, culture, image
  – Used most often
    • Lack of adequate information
    • Lack of numerical data
    • Lack of resources
• Quantitative
  – Extrapolation of studies
  – Statistical data to back
  – Consequences expressed in various terms
    • Monetary
    • Technical
    • Operational
    • Human
  – Lots of up-front work
  – Framework must be established
  – More of an end state
  – Experience through the process
Risk evaluation
• Decisions must be made concerning which risks need treatment
  – This is the start of your prioritization process
  – Consider that evaluation may require additional analysis
• Up-front considerations can minimize additional analysis
  – Keep notes, learn from these exercises
  – Consider the organization objectives within context
  – Get the low hanging fruit; quick gains keep momentum and demonstrate progress
• Relate thresholds if possible, and consider them for the future
  – Consequences
  – Likelihood
  – Cumulative impacts of events that occur simultaneously
Identified, now treatment options
• By definition
  – Risk treatment is the process of selecting and implementing measures to modify risk
  – These can include
    • Avoidance
    • Mitigation
    • Transferring
    • Accepting
• Identify the options for risk treatment
Options, options… Options everywhere
• We are attempting to identify alternative appropriate actions for managing these risks
• Considering the evaluation and assessment of their results or impact
• The specification and implementation of treatment plans
• We may even realize some opportunities; they do sometimes have a positive impact
  – Examples include:
    • Positive outcomes
    • Modify likelihood to increase beneficial outcomes
    • Sharing the risk with business partners or third parties
  – We could all use more resources these days, right?
Negative risks… most common
• We may stop, postpone, or divert resources for a project
• Reduce the likelihood of negative implications
• Modify consequences to reduce loss
• Share the risk internally or purchase insurance
• We may just accept the risk or residual implications
• Risk Avoidance
• Risk Mitigation
• Risk Transference
• Risk Acceptance
Cost Benefit Analysis
• In general, always general…
  – Costs of managing a risk compared to the benefits obtained or expected
• Consider the context; very important
  – Direct and indirect costs
  – Benefits, tangible or non-tangible
  – Must be measured in some type of terms
• Financial terms are most useful
• Time is also of the essence in today’s market
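The quantitative method the deck describes (numerical values assigned to likelihood and impact) and the cost-benefit comparison of treatment options, worked through as an added example that is not part of the presentation. It assumes an expected-loss model of likelihood times impact per year, assumed qualitative bands, and a constructed sample register; the risk names, figures and option names are illustrative only.

```python
from dataclasses import dataclass
# Assumed qualitative bands; the deck says scales are "adjusted to suit circumstances".
LIKELIHOOD_BANDS = [(0.05, "Rare"), (0.20, "Unlikely"), (0.50, "Possible"),
                    (0.80, "Likely"), (1.01, "Almost certain")]
IMPACT_BANDS = [(10_000, "Minor"), (100_000, "Moderate"),
                (1_000_000, "Major"), (float("inf"), "Severe")]
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # assumed: probability of occurrence per year (0..1)
    impact: float      # assumed: monetary consequence if it occurs
@dataclass(frozen=True)
class Treatment:
    name: str
    option: str            # avoid, mitigate, transfer or accept
    annual_cost: float     # direct cost of the option per year
    new_likelihood: float  # residual likelihood with the option in place
    new_impact: float      # residual impact with the option in place

def expected_loss(likelihood, impact):
    """Quantitative exposure (assumed model): likelihood x impact per year."""
    return likelihood * impact

def qualitative(risk):
    """Initial qualitative view: map the numbers onto descriptive bands."""
    lik = next(label for cap, label in LIKELIHOOD_BANDS if risk.likelihood < cap)
    imp = next(label for cap, label in IMPACT_BANDS if risk.impact < cap)
    return lik, imp

def net_benefit(risk, t):
    """Cost-benefit: reduction in expected loss minus the option's annual cost."""
    return (expected_loss(risk.likelihood, risk.impact)
            - expected_loss(t.new_likelihood, t.new_impact) - t.annual_cost)

def choose(risk, treatments):
    """Take the option with the best net benefit; accept the risk if none pays off."""
    best = max(treatments, key=lambda t: net_benefit(risk, t), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return Treatment("accept residual risk", "accept", 0.0, risk.likelihood, risk.impact)
    return best

def prioritise(risks):
    """Order the register by exposure so the largest items are treated first."""
    return sorted(risks, key=lambda r: expected_loss(r.likelihood, r.impact), reverse=True)

# Constructed sample register; every figure is illustrative, not from the deck.
REGISTER = [Risk("Internet-facing server compromised via unpatched flaw", 0.30, 250_000),
            Risk("Backup tapes lost in transit", 0.10, 50_000),
            Risk("Data centre flooding", 0.02, 2_000_000)]
OPTIONS = {
    REGISTER[0].name: [Treatment("Monthly scan and patch cycle", "mitigate", 20_000, 0.05, 250_000),
                       Treatment("Cyber insurance", "transfer", 30_000, 0.30, 50_000)],
    REGISTER[1].name: [Treatment("Encrypt tapes", "mitigate", 8_000, 0.10, 2_000)],
    REGISTER[2].name: [Treatment("Relocate data centre", "avoid", 500_000, 0.0, 0.0)],
}

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        t = choose(r, OPTIONS[r.name])
        print(f"{r.name}: {qualitative(r)} -> {t.option}: {t.name}")
```

Two of the three sample risks end up accepted because the only option on offer costs more per year than the exposure it removes, which is the "can't mitigate everything" point the deck makes about prioritisation.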
Some details to consider
• More than one option can be considered
• Weigh these options
• Assess the business need
  – This can assist with justification
• Prioritize our actions
• Resource intensive
• Clearly defined up-front if possible
• What about business cases?
• We are trying to garner management support
• Discuss in realistic terms
Can’t mitigate everything
• More than one option considered
  – Insurance or other means of risk financing
  – Consider the liabilities and what is important
• Technical options can be costly
  – Consider future looking scenarios
  – Are there any projects down the pipe that can help?
• Again, prioritization is key
  – Develop a clear action plan
  – Communicate this plan with stakeholders
  – Garner support, discuss your options
• Seek final approval or justification
The executive buy in scheme
• We must be effective, therefore we must communicate properly
• Reporting is key here, timely updates result in timely decision making
• Iterative, you must understand your audience when selling the plan and consider updates where required
• Consider the long term objectives when possible as further support
• Proactive is always better than reactive
• Try and discuss these within the context of a tactical approach (1-3 year plans prove most effective)
The action plan
• Defines how the risk management process affects the resource
  – This is embedded in the foundation, meaning what lessons can we learn and what should be updated or changed based on the exercise
• Details specific actions, functions, areas of responsibility and change management procedures
  – These can be separate plans, but should be consistently applied across the organization
Awareness and Commitment
• Must obtain active, ongoing support from senior leadership teams
  – This includes the development and implementation of the risk management plans
• If possible, appoint a senior manager to lead and sponsor the initiatives
• Obtain involvement of all senior managers where applicable, this eases the execution of the plan
• Have a risk management policy….
Risk Management policy
• Objectives and rationale for managing risk
• Links between the policy and the organization’s strategic plans
• Extent and types of risk the organization will take
  – Consider the evaluation and balance of threats and opportunities
• Define the process used for managing particular or recurring risks
• Accountability, this is key…
• Where possible, outline the support and expertise available to assist in risk management
• Provide a statement on how risk management performance will be measured and reported
• Obtain commitment to periodic review of the risk management system (iteration; security is a process, not a product)
• Obtain a statement of commitment to the policy by directors and the organization’s executives
• Ultimately, we are demonstrating to internal and external environments the commitment to risk management
• We are clearly specifying roles and accountability at a personnel level
Ultimate responsibility
• This should be done by the Directors and Senior leadership teams
• We are specifying those accountable for the management of particular risks
  – This includes implementation, treatment options, and the maintenance of controls
  – Establishing performance measurement and reporting processes
• Further facilitated by ensuring appropriate levels of recognition, rewards, approvals, and sanctions.
Lastly, but not least
• Senior management must identify the requirements and allocate the necessary resources for risk management
  – People, skills, process/procedures, information systems and associated architectures, budget and other resources for specific risk treatment activities
• Implementation of action plans is concerned with the actions to be performed to reduce the identified risks
  – This work is conducted by the technical IT staff, and is considered outside of the risk management process
Residual risks
• Residual risk is the risk that remains after the options have been identified and action plans implemented
  – This includes initially unidentified risks as well as all risks previously identified and evaluated but not designated for treatment at that time
• Very important for the organization’s management and all other decision makers to be well informed about the nature and extent of residual risk
  – For this purpose, all residual risks will be documented and subjected to monitor and review procedures
Risk acceptance
• This is almost always an executive management responsibility
• Risk acceptance concerns the communication of residual risks to the decision makers
• Once accepted, residual risks are considered as risk that the management of the organization knowingly takes
• The level and extent of accepted risks comprise one of the major parameters of the risk management process
  – The higher the accepted residual risks, the less the work involved in managing risks (and inversely)
• This does not mean that once accepted the risks will not change
  – Within the recurring phases and activities of the risk management program, the severity of these risks will be measured over time
  – In the event of a new assertion or changing technical condition, risks that have been accepted may need reconsideration
  – Remember we are dealing with an iterative process, one that will require monitoring and review
Monitoring and review
• This is perhaps the most critical factor affecting the efficiency and effectiveness of the program
• The intent is to ensure that specific management action plans remain relevant and practical
• The business environment changes often
  – Factors including the likelihood and consequences of a risk are very likely to change
  – This holds true for the costs of options
• It is therefore necessary to repeat the risk management cycle regularly
The records…
• Irrespective of being an extremely valuable information asset for the organization… the records of such processes are an important aspect of good corporate governance, provided of course that they are in line with:
  – The legal, regulatory and business needs for records
  – The cost of creating and maintaining such records
  – The benefits of re-using information
  – The accuracy of the information and its general acceptance within the corporate culture
• FINALLY!!!!
  – Risk management records, along with all relevant documentation, contain extremely critical and confidential information that should be treated with the appropriate classification requirements