ENTERPRISE RISK MANAGEMENT
Bobby Singh, Director, Information Security & Risk Management, Rogers Communications Inc.
Moderator: Illena Armstrong, editor-in-chief, SC Magazine
Objectives of this session
- Understand current risk challenges and roadblocks affecting risk management
- How to manage Information Security
- Overview of an Information Security Risk Management Lifecycle
- Overview of Risk Assessment Methodology
- Walk through of Risk Process Flows and the Use of Technology
Why is risk difficult to manage?
- There is no single, common definition of what "risk" is or means. Risk means different things to different groups, with little to no alignment or mapping between them (e.g. credit risk, market risk, insurance risk, operational risk, security risk, health risk, hazard risk).
- There is no common or defined method and approach for managing risk. Risk identification is complex, and managing risk is even more complex.
- A unified approach (reducing complexity) to operational risk and security risk has numerous benefits and efficiencies, but the road to get there is not simple.
- Risk management is often performed in silos (especially security risk management).
Challenges
- Lack of clear, well-defined business objectives
- Lack of established governance
- Lack of effective follow-up and tools
- Lack of accountability
- Lack of risk definitions
- Lack of common understanding in managing risks
- Lack of a standardized risk management approach / method

Solutions
Security governance framework (diagram). The four domains shown are Security Metrics (Program Framework, KRIs, KPIs), Security Governance, Security Controls and Security Services. Elements shown in the diagram:
- Strategic Planning
- Legal & Regulatory Compliance
- Security in Enterprise Architecture
- Risk Assessment
- Access Controls (IAM)
- Audit
- Compliance
- Process & Procedures
- Risk Treatment
- Governance Exceptions
- I & IT Asset Management
- Service Architecture
- Security Management Metrics (how well security is managed)
- Security Posture Metrics (how well security is being implemented)
- Security Risk Management Processes
- Incident Management (ESPIM)
- Anti-Virus
- Vulnerability & Patch Management
- Cryptographic Controls
- Monitoring
- Configuration Management
- ISMS Program/Plan
- eHO Service Definitions
- Service Classifications
- Third Party Contracts & Agreements
- Security Awareness & Training
- Key Risk Indicator Groups (KRIs)
- Key Performance Indicator Groups (KPIs)
- Change Management
- Network Security
- Application Security
- HR On-Boarding & Exiting
- Physical & Environmental
- Security within the PLC and DLC
Benefits
The benefits of the security metrics program include:
- improved understanding of the organization's security strengths and weaknesses;
- improved identification, prevention, and mitigation of security issues and risks;
- meeting regulatory requirements, as well as demonstrating to other governance bodies our ability and commitment to maintain a secure environment;
- improved decision making, planning, and prioritization of security activities;
- improved allocation of security efforts, resources, and funding.
Approach
The information security risk management approach focuses on the following:
- The use of common definitions and terms
- The use of a defined risk management lifecycle
- Threat and Risk Assessments that clearly focus on how risks impact business objectives
- The utilization of tools to manage risks across the organization
- Alignment with other business units such as Enterprise Risk Management, Privacy, SecOps, Audit, etc.
Security Specific - Risk definition
There is no one standard/universal definition for security risk. However, all security risk definitions should include elements of:
- time (the risk is a future event that has not yet occurred);
- potential for loss or harm (to a valuable asset);
- harm caused by threats, which take advantage of an asset's vulnerabilities (weaknesses).
Suggested security risk definition: the potential for a threat to exploit an asset weakness, which will negatively impact the ability of an organization to meet its business objectives.
Why Information Risks
From managing IT function silos (focus: Infrastructure):
- Assessing technology vulnerabilities
- Enforcing security policy
- Focusing on the perimeter
- Protecting infrastructure
- Tracking security incidents
- Quantitative approach
... to a business-centric approach to risk mitigation (focus: Information):
- Assessing business risk
- Partnering to influence behavior
- Focus within the perimeter
- Protect organization data
- Optimize risk mitigation
- Qualitative analysis
Risk Management - Project vs. Business Risk

Project Risks are problems, gaps, limitations, etc. that may impact the project. Examples: schedule delay, budget overrun, scope creep, incomplete deliverables, resource constraints, potential escalations, internal reputation, contractual commitments missed.

Business Risks are events that may occur in the future. If and when they occur, they may cause loss or harm to the organization's ability to meet its business objectives. Examples: poor service delivery, poor asset management, unreliable systems, slow system uptake, privacy & security risks, client dissatisfaction.

Project Issues are problems, gaps, technology limitations, etc. that exist today. Issues may contribute to risks. Examples: lack of documentation, no security requirements, no security architecture, undefined roles and responsibilities (R&Rs) or accountabilities, no separation of duties, insufficient access control, no hardening requirements, vendor agreements and SLAs that do not include security requirements, insufficient logging, audit and monitoring controls.

(Diagram axes: Maturity, Impact, Effort.)
Security Risk Management
Information Security Risk Management is the coordinated direction and control of activities to ensure that security risks are identified, analyzed, understood, addressed, and managed to meet business goals and objectives.
These activities include the identification, assessment, and appropriate management of current and emerging security risks that could cause loss or harm to persons, business operations, information systems or other assets.
Risk Assessment Methodology
Business & Control Objectives
- Business Objectives: what the business wants to achieve (goals).
- Security Control Objectives: what must be accomplished so that business objectives are met.
- Security Controls: safeguards that must be in place to achieve the security control objectives.
- Threat Risk Assessments: take into consideration how security risks will impact each of these areas and, ultimately, how security risks impact business objectives.
Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. (Source: COSO)
Risk Assessment (Source: NIST SP 800-30)
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Security Risk Management Model
The model (diagram) relates Threats, Vulnerabilities, Assets, Asset Values & Impacts, Security Risks, Security Requirements and Security Controls. The relationship labels on the diagram are: exploit, expose, increase, protect against, reduce impact, have, influence, met by, determine. Examples given for each element:
- Assets: computers, files & folders, test results, prescriptions
- Threats: hackers, viruses, spyware, fire
- Vulnerabilities: un-patched systems, old anti-virus, weak passwords, unlocked cabinets
- Security Controls: policy, passwords, anti-virus, backups
Risk Acceptance Process
Security risk acceptance is the deliberate decision by the appropriate level of management to accept an identified security risk for the purposes of meeting business objectives.
- Risk owners may accept risks that lie below the approved Risk Tolerance Levels.
- However, if a risk owner wishes to accept a risk above the risk tolerance line, they must escalate the risk by submitting a Risk Escalation Approval Form and obtaining appropriate approvals to proceed with the risk acceptance.
Determine Risk Appetite
Risk appetite is the amount of risk, at a Board level, that an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation). (Source: COSO)
Likelihood
Level    Definition
High     The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium   The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low      The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Impact Analysis
Level    Definition
High     (1) highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest.
Medium   (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest.
Low      (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization's mission, reputation, or interest.
Risk Tolerance Levels
The risk matrix plots Impact (Very High VH, High H, Medium M, Low L, Very Low VL) against Likelihood (Very Low VL, Low L, Medium M, High H, Very High VH). Each cell is rated at one of the risk levels below, and a Default Risk Tolerance Line runs through the matrix.
Risk Levels:
- Unacceptable Risk
- High Risk (Dynamic and manageable)
- Medium Risk (Dynamic and manageable)
- Low / Tolerable Risk
- Very Low / Tolerable Risk
Risk Escalation is required when the risk owner chooses to accept a risk that is rated above the risk tolerance line.
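The likelihood definitions, the matrix and the risk acceptance rule above can be combined into a single repeatable rating step. The Python below is an added example and is not material from the presentation: the 5x5 cell values, the DEFAULT_TOLERANCE line and the control-state names used by determine_likelihood are assumptions, because the extracted slide preserves only the axis labels, the five risk level names and the three likelihood definitions. A real program would take the grid and the tolerance line from the approved risk matrix.

```python
"""Risk rating and acceptance check from a likelihood/impact matrix.

Added example, not from the presentation. The cell values, tolerance line
and control-state names below are constructed assumptions.
"""

# Axis scale used for both Likelihood and Impact on the slide.
SCALE = ["VL", "L", "M", "H", "VH"]

# Risk level codes, lowest to highest, matching the slide's five risk levels.
RISK_ORDER = ["VL", "L", "M", "H", "U"]
RISK_LEVEL_NAMES = {
    "VL": "Very Low / Tolerable Risk",
    "L": "Low / Tolerable Risk",
    "M": "Medium Risk (Dynamic and manageable)",
    "H": "High Risk (Dynamic and manageable)",
    "U": "Unacceptable Risk",
}

# Assumed grid: MATRIX[likelihood_index][impact_index]. Replace with the
# organization's approved matrix; this one is only illustrative.
MATRIX = [
    # impact: VL    L     M     H     VH
    ["VL", "VL", "L", "L", "M"],   # likelihood VL
    ["VL", "L", "L", "M", "M"],    # likelihood L
    ["L", "L", "M", "M", "H"],     # likelihood M
    ["L", "M", "M", "H", "U"],     # likelihood H
    ["M", "M", "H", "U", "U"],     # likelihood VH
]

# Assumed default tolerance line: "L" is the highest level a risk owner may
# accept on their own authority; anything above it requires escalation.
DEFAULT_TOLERANCE = "L"


def determine_likelihood(motivated, capable, controls):
    """Qualitative likelihood (H/M/L) from the slide's three definitions.

    controls is one of (assumed names): "ineffective" (controls do not
    prevent the vulnerability being exercised), "may_impede" (controls in
    place that may impede success), "prevent" (controls prevent or at least
    significantly impede exercise of the vulnerability).
    """
    if controls not in ("ineffective", "may_impede", "prevent"):
        raise ValueError(f"unknown control state: {controls}")
    # Low: threat-source lacks motivation or capability, or controls prevent.
    if not (motivated and capable) or controls == "prevent":
        return "L"
    # High: motivated, capable, and controls ineffective.
    if controls == "ineffective":
        return "H"
    # Medium: motivated and capable, but controls may impede.
    return "M"


def rate_risk(likelihood, impact):
    """Look up the risk level code for a likelihood/impact pair."""
    return MATRIX[SCALE.index(likelihood)][SCALE.index(impact)]


def escalation_required(risk_code, tolerance=DEFAULT_TOLERANCE):
    """True when the rated risk sits above the tolerance line."""
    return RISK_ORDER.index(risk_code) > RISK_ORDER.index(tolerance)


def acceptance_decision(likelihood, impact, tolerance=DEFAULT_TOLERANCE):
    """Rate the risk and state what the risk owner must do to accept it."""
    code = rate_risk(likelihood, impact)
    needs_escalation = escalation_required(code, tolerance)
    if needs_escalation:
        action = ("Above tolerance line: submit a Risk Escalation Approval "
                  "Form and obtain approvals before accepting")
    else:
        action = "Below tolerance line: risk owner may accept"
    return {
        "risk_code": code,
        "risk_level": RISK_LEVEL_NAMES[code],
        "escalation_required": needs_escalation,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed scenario: motivated and capable threat-source, controls
    # judged ineffective, high impact to the business objective.
    lik = determine_likelihood(motivated=True, capable=True, controls="ineffective")
    for key, value in acceptance_decision(lik, "H").items():
        print(f"{key}: {value}")
```

The likelihood function returns the three-level result from the slide, which maps directly onto the L/M/H columns of the five-level matrix; a program that also rates VL and VH likelihoods would need additional definitions the presentation does not give.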
Showtime

Information Security Risk Management Lifecycle
Security Risk Management Lifecycle
- Phase 1: Establish the Context
- Phase 2: Asset Identification & Valuation
- Phase 3: Threat & Vulnerability Assessment
- Phase 4: Treat the Risk
- Monitor, Track & Report
(The lifecycle diagram groups the phases under Risk Assessment and Risk Treatment.)
Tracking & Managing Process
The objective of this process is to improve the management of security issues and risks. The primary purpose of this process is to ensure that all those with responsibility for identifying or managing security issues and risks know:
- their responsibilities;
- how each affected Business Unit interacts with others to achieve effective management of security issues and risks;
- the work flow to achieve effective management of identified issues/risks.
The FUN stuff: Process Flows
Risk Management – Process Overview
Summary of the Process
1. InfoSec identifies a risk and notifies the risk owner and the project team.
2. Risk owner develops a risk treatment plan to address the risk, with the assistance of InfoSec.
3. InfoSec enters the risk and the treatment plan into its risk management tracking tool.
4. Risk owner implements the risk treatment plan.
5. InfoSec follows up with the risk owner (or their delegate) to periodically monitor the progress of the treatment plan.
6. InfoSec provides executive-level reports on a monthly and quarterly basis on the status of risks and risk treatment plans.
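The process overview above (identify, plan, enter into the tracking tool, implement, follow up, report) is what a tracking tool has to enforce and report on. The Python below is an added example of a minimal risk register that does so; it is not the presentation's own tool. The workflow state names, the 30-day follow-up interval, the days_after helper and the sample risks are constructed for the example, since the slides describe the steps but not a tool design.

```python
"""Minimal risk tracking register for the six-step process.

Added example, not the presentation's tracking tool. States, follow-up
interval and sample data are constructed assumptions.
"""

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Workflow states in process order and the transitions the tool permits.
TRANSITIONS = {
    "identified": {"plan_developed"},     # step 1: InfoSec identified, owner notified
    "plan_developed": {"in_treatment"},   # steps 2-3: owner's plan recorded in the tool
    "in_treatment": {"closed"},           # step 4: owner implementing the plan
    "closed": set(),
}


def days_after(start, n):
    """Date n days after start (helper so callers need no datetime import)."""
    return start + timedelta(days=n)


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str
    rating: str                    # risk level code from the risk matrix, e.g. "H"
    status: str = "identified"
    treatment_plan: str = ""
    next_follow_up: Optional[date] = None
    history: list = field(default_factory=list)   # (date, note) audit trail


class RiskRegister:
    def __init__(self, follow_up_days=30):
        self.risks = {}
        self.follow_up_days = follow_up_days   # assumed periodic follow-up interval

    def identify(self, risk_id, title, owner, rating, today):
        """Step 1: InfoSec records the risk and notifies the owner."""
        if risk_id in self.risks:
            raise ValueError(f"{risk_id} already registered")
        risk = Risk(risk_id, title, owner, rating)
        risk.history.append((today, f"Identified by InfoSec; {owner} notified"))
        self.risks[risk_id] = risk
        return risk

    def _move(self, risk, new_status, today, note):
        # Refuse out-of-order transitions so the register stays auditable.
        if new_status not in TRANSITIONS[risk.status]:
            raise ValueError(f"{risk.risk_id}: {risk.status} -> {new_status} not allowed")
        risk.status = new_status
        risk.history.append((today, note))

    def record_plan(self, risk_id, plan, today):
        """Steps 2-3: owner's treatment plan entered into the tool."""
        risk = self.risks[risk_id]
        risk.treatment_plan = plan
        self._move(risk, "plan_developed", today, "Treatment plan entered")
        risk.next_follow_up = days_after(today, self.follow_up_days)

    def start_treatment(self, risk_id, today):
        """Step 4: owner begins implementing the plan."""
        self._move(self.risks[risk_id], "in_treatment", today, "Treatment started")

    def follow_up(self, risk_id, today, progress_note):
        """Step 5: InfoSec follow-up; records progress and schedules the next check."""
        risk = self.risks[risk_id]
        if risk.status not in ("plan_developed", "in_treatment"):
            raise ValueError(f"{risk_id}: no follow-up while {risk.status}")
        risk.history.append((today, f"Follow-up: {progress_note}"))
        risk.next_follow_up = days_after(today, self.follow_up_days)

    def close(self, risk_id, today, note="Treatment complete"):
        risk = self.risks[risk_id]
        self._move(risk, "closed", today, note)
        risk.next_follow_up = None

    def overdue(self, today):
        """Open risks whose scheduled follow-up date has passed."""
        return sorted(r.risk_id for r in self.risks.values()
                      if r.status != "closed" and r.next_follow_up is not None
                      and r.next_follow_up < today)

    def status_report(self, today):
        """Step 6: executive summary for the monthly/quarterly report."""
        open_risks = [r for r in self.risks.values() if r.status != "closed"]
        by_status, by_rating = {}, {}
        for r in open_risks:
            by_status[r.status] = by_status.get(r.status, 0) + 1
            by_rating[r.rating] = by_rating.get(r.rating, 0) + 1
        return {
            "as_of": today.isoformat(),
            "open": len(open_risks),
            "closed": len(self.risks) - len(open_risks),
            "open_by_status": by_status,
            "open_by_rating": by_rating,
            "overdue_follow_up": self.overdue(today),
        }


def sample_register():
    """Constructed sample data so the example runs offline."""
    reg = RiskRegister(follow_up_days=30)
    d0 = date(2024, 1, 10)
    reg.identify("R-1", "Insufficient logging on order system", "App owner", "H", d0)
    reg.record_plan("R-1", "Enable audit logging; forward to central monitoring",
                    days_after(d0, 2))
    reg.start_treatment("R-1", days_after(d0, 5))
    reg.identify("R-2", "Un-patched test server", "Infra owner", "M", days_after(d0, 3))
    return reg, d0


if __name__ == "__main__":
    reg, d0 = sample_register()
    print(reg.status_report(days_after(d0, 50)))
```

The overdue list is the part of the report that matters most in practice: a treatment plan whose owner has not been followed up for longer than the agreed interval is the signal that step 5 has lapsed, and the per-rating counts give the executive report the "how much risk is still open" figure without exposing individual records.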
Risk Tracking - Documenting

Risk Tracking - Monitoring

Risk Tracking - Reporting

Technology

Tools for Monitoring & Tracking: Dash Board (example with dummy data)

Tools for Monitoring & Tracking (sensitive info has been blocked)

Tools for Monitoring & Tracking (example with dummy data)
Sample factors that can decrease risk
- Effective policies and standards
- Awareness programs
- Reliance on proven and tested controls
- Consistency of processes, technology and controls
- Appropriate segregation of duties
- Customers
- Regulations/Compliance
- Audits
- Knowing what your risks are
Discussion / Q&A
Contact Info:
Bobby Singh
Director, Information Security & Risk Mgt
416.935.6691