IT Risk Assessments: A Holistic View. Erwin Martinez, CIO, BC Ferries. BC Security Day, November 9, 2016


Page 1: IT Risk Assessments A Holistic View...• Westerman & Hunter, authors of IT Risk – Turning Business Threats Into Competitive Advantage. IT risk is the potential for an unplanned

IT Risk Assessments A Holistic View

Erwin Martinez

CIO, BC Ferries

BC Security Day

November 9, 2016

Page 2

IT Risk Assessments A Holistic View

Agenda

• External Models and Expert Perspectives

• IT System of Management – The Context of IT Risk Management

• IT Risk Assessment

• Wrap-up and Questions

Page 3

External Models and Expert Perspectives

IT Risk Definitions

• ISACA - The Risk IT Framework. IT risk is business risk – specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

• Westerman & Hunter, authors of IT Risk – Turning Business Threats Into Competitive Advantage. IT risk is the potential for an unplanned event involving a failure or misuse of IT to threaten an enterprise objective.

• The Canadian Institute of Chartered Accountants' Information Technology Control Guidelines. Risk can broadly be defined as anything that will prevent the enterprise from meeting its objectives. Risk also arises from the use of technologies, including computers and communications.

Information Security Risk Definition

• NIST 800-30 – Guide for Conducting Risk Assessments. Information Security Risk is the risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.

Page 4

External Models and Expert Perspectives

IT Risk Definitions


Same definitions, but with the emphasis on nouns, objects.

Page 5

External Models and Expert Perspectives

Other Viewpoints on Risk

• Mark Zuckerberg. The biggest risk is not taking any risk... In a world that’s changing really quickly, the only strategy that is guaranteed to fail is not taking risks.

• Warren Buffett. Risk comes from not knowing what you're doing.

• Stanley Kubrick. Any time you take a chance you better be sure the rewards are worth the risk...

• Ray Kroc. If you're not a risk taker, you should get the hell out of business.

• Erica Jong. If you don't risk anything, you risk even more.

• Jeffrey R. Immelt. I have learned that nothing is certain except for the need to have strong risk management, a lot of cash, the willingness to invest even when the future is unclear, and great people.

• Theodore Roosevelt. Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.

• Lee Iacocca. Even a correct decision is wrong when it was taken too late.

• Mike Tyson. Everyone has a plan 'till they get punched in the mouth.

• Wayne Gretzky. You'll always miss 100% of the shots you don't take.

Page 6

External Models and Expert Perspectives

Page 7

External Models and Expert Perspectives

Prevent

Detect

Recover

Page 8

External Models and Expert Perspectives

COBIT 5 – APO12 Manage Risk

• Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.

• IT Goals

  • IT compliance and support for business compliance with external laws and regulations

  • Managed IT-related business risk

  • Transparency of IT costs, benefits and risk

  • Security of information, processing infrastructure and applications

  • Delivery of programs delivering benefits, on time, on budget, and meeting requirements and quality standards

• Process Goals

  • IT-related risk is identified, analyzed, managed and reported

  • A current and complete risk profile exists

  • All significant risk management actions are managed and under control

  • Risk management actions are implemented effectively

• Management Practices

  1. Collect data

  2. Analyze risk

  3. Maintain a risk profile

  4. Articulate risk

  5. Define a risk management action portfolio

  6. Respond to risk

COBIT 5 is not prescriptive. It tells you what to do, not how to do it.

Page 9

External Models and Expert Perspectives

Four dimensions of enterprise IT risk (Westerman)

• Availability. Keeping existing processes running, and recovering from interruptions.

• Access. Ensuring that people have appropriate access to information and facilities they need, but that unauthorized people do not gain access.

• Accuracy. Providing accurate, timely and complete information that meets requirements of management, staff, customers, suppliers and regulators.

• Agility. Implementing new strategic initiatives, such as acquiring a firm, completing a major business process redesign or launching a new product/service.

Westerman adds “Agility” to the traditional AIC security triad model of Availability, Integrity, Confidentiality.

Page 10

External Models and Expert Perspectives

The Causes of IT Risk (Westerman & Hunter)

• Ineffective IT Governance. The absence of appropriate structures and processes for business involvement in IT investments and decisions.

• Uncontrolled Complexity. Not managing product quality components: stability, performance, compatibility, usability, reliability, security, maintainability, portability. (ISO/IEC 25010)

• Inattention to Risk. Missing or inadequate knowledge, poor infrastructure management, employee ignorance/negligence, systems blind to dangerous activities / systems lacking automated controls.

Page 11

External Models and Expert Perspectives

Ten ways business executives can improve IT risk management (Westerman & Hunter)

1. Treat IT risk as business risk.

2. Consider risks in terms of four As: Access, Availability, Accuracy, Agility.

3. Plug any holes in the foundation and be ready for the unforeseen events.

4. Simplify the foundation.

5. Create risk governance structure and process.

6. Give every employee appropriate awareness of the risks, vulnerabilities, and policies that matter most to them.

7. Create a risk aware culture.

8. Measure effectiveness.

9. Look forward.

10. Lead by example.

Page 12

IT System of Management – The Context of IT Risk Management

Page 13

IT Risk Assessment – Part of the Corporate Risk Assessment Program

Diagram of the corporate program:

• Division Self Risk Assessment (DSRA): Strategic Objectives and Business Plans feed a review of risks to business plan objectives (risk identification, risk assessment, risk treatment); each division reports its risks to objectives.

• ERM review: consolidate and review risks across all divisions.

• Enterprise Risk Management: quarterly review / prioritize enterprise risks; strategic risk themes / external events input; identification of emerging risks; DSRA / quarterly review of enterprise risks.

• Executive Management: validate enterprise risks; identify emerging risks; risk treatment; DSRA / quarterly review of enterprise risks.

• Committees of the Board of Directors: consolidated risk report.

• Communication and Consultation; Monitoring and Review.

Page 14

Risk Analysis

IT Risk Assessment

Risk Objects

• Persons

• Spaces and Places

• Entry point hardware

• Commercial off the shelf software

• Customized software

• Outsourced software and services

• Security infrastructure

• Technology infrastructure and networks

• Non-technology

Risk Scenarios

• Theft

• Intrusion / Hack / Unauthorized Access / Virus & Malware Infection / Sabotage

• Loss

• Deliberate Misuse / Misappropriation

• Employee Error / Maleficence

• Technical Malfunction / Failure / Crash / Service Disruption / Performance Degradation

• Natural and/or Externally Imposed Disaster / Disaster Recovery Scenario

Risk Implications

• Loss of money and/or assets

• Loss of data or data corruption

• Violation of regulation or law

• Damage to reputation and image

• Business process and/or service outage, disruption, or delay

• Harm to persons

• Damage to property, facility, object

• Damage to hardware / technology

Likelihood & Consequence Scoring

• Likelihood on a 1 to 5 point scale. “How likely is it that this bad thing will actually happen?”

• Consequence on a 1 to 5 point scale. “How bad will things be if this risk manifests?”

Controls in Place (existing…)

• Preventative Controls

• Detective Controls

• Responsive / Recovery-oriented controls

Potential Controls (to be added…)

• Preventative Controls

• Detective Controls

• Responsive / Recovery-oriented controls

Risk Assessment and Action Plan

• Residual Risk Assessment: Red = urgent need to add controls to make risk acceptable; Yellow = beneficial to add additional controls, but risk is currently within tolerance; Green = risk within tolerance, but could be improved

• Description of actions required to improve residual risk.

Page 15

IT Risk Assessment

Purpose:

To perform an “Enterprise Information Technology risk assessment” NOT an “IT Department risk assessment”.

In Scope:

“IT outside of IT”

Out of Scope:

In-flight projects (i.e. change not yet delivered into production)

People risk on recruitment, capacity, KSA (knowledge, skills, abilities), retention, succession planning, etc.

Physical security

Page 16

IT Risk Assessment

Four Phase Approach:

1. Risk Objects definition and Project Organization

2. Risk scenarios and scoring

3. Controls

4. Action Plan

Page 17

Risk Analysis

IT Risk Assessment

Risk Analysis flow by phase:

Phase 1: Risk Objects

Phase 2: Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring

Phase 3: Controls in Place → Potential Controls

Phase 4: Risk Assessment and Action Plan

Page 18

IT Risk Assessment

Phase 1: The Risk Objects

Scope:

Definition of the breakdown of the Enterprise Information Technology into risk objects

• Target: around 50 risk objects.

• Breakdown typically created from an inventory of applications and a few workshops with SMEs.

Project organization:

• Project schedule, budget

• Staffing

• Project governance

• Slide deck: “IT Risk Assessment 101”

• Identification of the people involved in the workshops for phases 2 and 3

(Risk Analysis flow with Phase 1 highlighted: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan)

Page 19

IT Risk Assessment

What is a Risk Object?

• A Risk Object is an identified area where a risk may be present.

• Risk Objects include IT Assets (including facilities), Systems, Services, Employees, Customers, Vendors.

• In certain scenarios, a Risk Object has the potential for damage (Risk Implication).

• Risk Objects are the things that pose hazards, the sources of danger, the entities to which harmful consequences are conceptually attached. (Steven Hilgartner)

• A Risk Object is a thing, used by us, around us; often used to do our job.

Page 20

IT Risk Assessment

What is a Risk Object?

Diagram labels: Noun, Verb, Process, Risk

Page 21

IT Risk Assessment

What is the benefit of using Risk Objects as the foundation for the IT Risk Assessment?

• Risk Objects are tangible, and therefore feasible to identify with completeness.

• Risk Objects allow the consideration of risks that are within and outside of our control.

• Risk Objects improve our ability to find blind spots in our risk profile.

• Risk Objects lend themselves well to follow-up actions to improve risk posture since the actions will be directed at the tangible risk objects.

Page 22

IT Risk Assessment

Risk Object categories: Persons; Spaces and places; Non-technology; Devices; Applications; Security; Infrastructure & Network

Risk Objects

1 IT Employee & IT Contractor

2 User/Business/Executive user

3 Vendor person / Service provider/ Maintenance

4 Customer

5 Data Centre Room access

6 Disaster Site and PPE access

7 Office building/facility

8 Terminals

9 Vessels

10 Workspace paper documents

11 User devices - Desktop Computers

12 User devices - Mobile

13 Multipurpose printer/Fax/Scan / Copier

14 Personal PC / Devices used for Remote Access

15 Third party devices on BCF Network

16 Point of Sale

17 Kiosks

18 Customer Service

19 Customer communication

20 Terminal Operations Applications

21 Vessel Operations

22 Catering Operations Applications

23 Financial Management

24 Human Resources Management

25 Learning Management

26 Supplier Management

27 Inventory and Maintenance Management

Examples of Risk Objects

Page 23

IT Risk Assessment

Risk Object categories: Persons; Spaces and places; Non-technology; Devices; Applications; Security; Infrastructure & Network

Risk Objects

28 Occupational Safety & Health

29 Crew Scheduling

30 Time Collection

31 Payroll

32 Audit Compliance

33 Project & Portfolio Management

34 Business Intelligence

35 Internal communication and collaboration

36 Security of people and assets management

37 Cloud/hosted applications, services

38 COTS Desktop applications

39 IT Support Systems

40 IT Management Systems

41 Email System (MS Exchange)

42 Endpoint Protection (Anti-virus/Anti-Malware)

43 Firewalls / Web Application Firewalls

44 Security Monitoring / IDS

45 Remote Access system / VPN/ Token

46 Internet Network

47 BCF Wireless Network

48 BCF Public Wireless Network

49 Wide Area Network (WAN)

50 Local Area Network & Cabling

51 Servers

52 Databases / Information Repositories

53 Storage

54 Telecommunication Devices, Systems, VM

55 Backup Devices and Systems

Examples of Risk Objects

Page 24

IT Risk Assessment

Phase 2: The risks and their impacts

Performed in Workshops

Scope: Identification of risks and impacts by risk object; scoring on likelihood, consequence and velocity for each risk object

Invitees: ideally, representation from all different IT groups (Application, Infrastructure, Security, Business) (Profile: Team Lead, Senior, SMEs)

High-level estimate: 5-7 risk objects analyzed in a 2-hour workshop.

(Risk Analysis flow with Phase 2 highlighted: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan)

Page 25

IT Risk Assessment

Example for the “Server” risk object

Risk Object: Servers

Risk Scenario:

- Large scale outage, Business Continuity & Resiliency

- System reliability on hardware and operating systems

- Violation of corporate governance & regulatory compliance

- Data theft

- Unauthorized access to confidential corporate data

- Intentional or unintentional damage due to privileged access

- Lapsed maintenance and/or support

- Aging equipment

Risk Implication / Potential Damage:

- Unauthorized access to confidential corporate data

- Downtime, loss of revenue

- Fines for violation of regulations

- Reputational damage

- Criminal misuse of customer data

- Inconvenience to customers

- Inability to get service and/or parts

Comments / Key Discussion: Impact can vary depending on how large scale the outage is. Not all servers are mission critical.

Inherent Risk Rating: L (1-5) = 3.5; C (1-5) = 3; LxC = 10.5; Velocity V (1-3) = 1; Risk Rating = Medium

Page 26

IT Risk Assessment

Phase 3: The Controls

Performed in Workshops

Scope: Identification and analysis of the controls and their efficiency; identification of missing (additional) controls; scoring on likelihood, consequence, velocity and efficiency of the controls for each risk object

Invitees: ideally, SMEs specific for each risk object (Profile: Team Leads, Seniors, SMEs, Managers)

High-level estimate: up to 5 risk objects analyzed in a 2-hour workshop.

(Risk Analysis flow with Phase 3 highlighted: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan)

Page 27

IT Risk Assessment

Example for the “Server” Risk Object

Risk Object: Servers

Control Descriptions (Preventative, Detective, Recovery):

- For System Admins and Super User Accounts: some unique IDs and passwords implemented; policy implemented for account lockout after failed logins

- Access restricted to a limited number of people

- Contacts in place with Vendors for maintenance and support

- Servers are located in physically secured and environmentally controlled locations (data centers)

- Regular patching performed

- Formal review of any major outages

- Regular reviews with infrastructure vendors

- Some server monitoring procedures in place

- Support personnel notified and procedures in place for incident response for operational issues

- Tripwire security software installed on all SAM servers for monitoring incident detection

CE (1-5) = 2.5; Control Rating = Control Needs Improvement

Page 28

IT Risk Assessment

Example for the “Server” Risk Object

Risk Object: Servers

Residual Risk Rating: L (1-5) = 4; C (1-5) = 3; LxC = 12; Risk Rating = High

Potential Controls:

A) Improve Server hardening standards. Some standards have been defined in infrastructure design documents.

B) Develop Security monitoring requirements (Also referred to in Risk Object #28 Security ID’s)

C) Develop and implement an overall IT Infrastructure access and account management process to ensure access requirements/rights are properly requested, approved, added, changed, removed and reviewed.

Page 29

IT Risk Assessment

Phase 4: Risk Assessment and Action Plan

Performed in workshops and:

• Will require some prioritization

• May trigger several initiatives/projects

• Ideally, shared with the Business Units

• Will influence the technological roadmaps

• May influence the business roadmaps

(Risk Analysis flow with Phase 4 highlighted: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan)

Page 30

IT Risk Assessment

Diagram: LIKELIHOOD on the horizontal axis (Low to High), CONSEQUENCE on the vertical axis (Low to High), divided into four quadrants:

• Key Risks (high likelihood, high consequence): Critical risks that potentially threaten the achievement of business objectives.

• Secondary Risks (low likelihood, high consequence): Lower likelihood, but could have significant impact on business objectives. Important the controls continue to operate as intended to mitigate risk of occurrence.

• Secondary Risks (high likelihood, low consequence): Lesser significance, but more likely to occur. In aggregation, risks could potentially threaten achievement of objectives. Reassess often to monitor changing conditions (i.e. movement to higher significance).

• Low Priority Risks (low likelihood, low consequence): Significant monitoring not necessary. Periodically reassess.

Risk Profile Interpretation
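As an added illustration (not the deck's or BC Ferries' own tool), the register arithmetic behind the phase 2 to 4 slides and the risk profile interpretation above, in Python. The L, C, V and CE scales and the "Servers" row values are the deck's; the rating cut-offs, the CE bands, the Red/Yellow/Green mapping and the second, constructed row are assumptions.

```python
"""Register arithmetic for a risk object: LxC, rating, profile quadrant, residual colour.
Scales are the deck's (L, C, CE on 1-5; V on 1-3).  Rating cut-offs, CE bands, the
Red/Yellow/Green mapping and the PAPER_DOCS row are ASSUMPTIONS, chosen so that the
deck's own "Servers" row scores 10.5 = Medium (inherent) and 12 = High (residual)."""
from dataclasses import dataclass

HIGH_MIN = 12.0      # assumed: LxC >= 12 rates High (deck: 12 = High)
MEDIUM_MIN = 6.0     # assumed: 6 <= LxC < 12 rates Medium (deck: 10.5 = Medium)
AXIS_MIDPOINT = 2.5  # the deck's risk map axes run 0..5 with a tick at 2.5


def _check_scale(value: float, low: float, high: float, label: str) -> None:
    """Reject a workshop score that is off its scale before it enters the register."""
    if not low <= value <= high:
        raise ValueError(f"{label}={value} is outside the {low}-{high} scale")


@dataclass(frozen=True)
class RiskScore:
    """Likelihood (L) and consequence (C) for one risk object, each on 1-5."""
    likelihood: float
    consequence: float

    def __post_init__(self) -> None:
        _check_scale(self.likelihood, 1, 5, "L")
        _check_scale(self.consequence, 1, 5, "C")

    def product(self) -> float:
        """The LxC column."""
        return round(self.likelihood * self.consequence, 1)

    def rating(self) -> str:
        """The Risk Rating column, using the assumed cut-offs above."""
        score = self.product()
        if score >= HIGH_MIN:
            return "High"
        return "Medium" if score >= MEDIUM_MIN else "Low"

    def profile_quadrant(self) -> str:
        """Quadrant of the Risk Profile Interpretation diagram."""
        likely = self.likelihood >= AXIS_MIDPOINT
        severe = self.consequence >= AXIS_MIDPOINT
        if likely and severe:
            return "Key Risk"
        if not likely and not severe:
            return "Low Priority Risk"
        return "Secondary Risk"  # one axis high, the other low


@dataclass(frozen=True)
class RiskObjectAssessment:
    """One register row carried through phases 2 to 4."""
    number: int
    name: str
    inherent: RiskScore            # phase 2: scored assuming no controls
    velocity: int                  # V on 1-3
    control_effectiveness: float   # CE on 1-5, phase 3
    residual: RiskScore            # phase 4: scored with controls in place
    potential_controls: tuple      # phase 4 action items

    def __post_init__(self) -> None:
        _check_scale(self.velocity, 1, 3, "V")
        _check_scale(self.control_effectiveness, 1, 5, "CE")

    def control_rating(self) -> str:
        """Assumed CE bands; the deck rates CE 2.5 as 'Control Needs Improvement'."""
        if self.control_effectiveness >= 4:
            return "Control Effective"
        return "Control Needs Improvement" if self.control_effectiveness >= 2 else "Control Inadequate"

    def residual_colour(self) -> str:
        """The deck's Red/Yellow/Green residual assessment (mapping to rating assumed)."""
        return {"High": "Red", "Medium": "Yellow", "Low": "Green"}[self.residual.rating()]


def prioritize(rows: list) -> list:
    """Phase 4 ordering: highest residual LxC first, velocity breaks ties."""
    ordered = sorted(rows, key=lambda r: (r.residual.product(), r.velocity), reverse=True)
    return [r.name for r in ordered]


# The deck's "Servers" row, plus one CONSTRUCTED row so prioritization has work to do.
SERVERS = RiskObjectAssessment(
    34, "Servers", RiskScore(3.5, 3), 1, 2.5, RiskScore(4, 3),
    ("Improve server hardening standards", "Develop security monitoring requirements",
     "Implement an IT infrastructure access and account management process"))
PAPER_DOCS = RiskObjectAssessment(  # constructed scores, not from the deck
    9, "Workspace paper documents", RiskScore(2, 2), 2, 3.5, RiskScore(1.5, 2), ())
```

Calling `prioritize([PAPER_DOCS, SERVERS])` returns the Servers row first, and an off-scale score such as `RiskScore(6, 3)` is rejected before it can distort the register.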

Page 31

IT Risk Assessment

Risk Map – Inherent Risk Profile (i.e. likelihood of identified risk occurring assuming no mitigating controls are in place):

Map axes: LIKELIHOOD, horizontal, 0 to 5 with a 2.5 midpoint (Rare, Unlikely, Possible, Likely, Almost Certain); CONSEQUENCE, vertical, 0 to 5 with a 2.5 midpoint (Insignificant, Minor, Moderate, Major, Catastrophic). Zones from the Rare / Insignificant corner to the Almost Certain / Catastrophic corner: Risk - Low, Risk – Low to Moderate, Risk - Moderate, Risk – Moderate to High, Risk – High. The numbered risk objects below are plotted as points on the map.

# Risk Object

17 Core Business Systems

19 Email System (MS Exchange)

30 Internet Network

35 Databases / Information repositories

1 IT Employee & IT Contractor

6 Third Party Data Centre Room

29 Remote access system / VPN/ Token

34 Servers

5 Data Centre Room

31 Wide Area Network (WAN)

33 Local Area Network & Cabling

37 Data Centre UPS, environment Control, etc…

7 Office building/facility

16 Non-Core Business systems

27 Building Security Fob Systems

2 User/Business/Executive user

22 Anti-virus / Anti-Malware

8 Employee Home Office

20 Email encryption

10 Client devices - Desktop computers

14 Core Business systems

12 Multipurpose printer/Fax/Scan / Copier

15 IT support systems

25 Security Monitoring / IDS

11 Client devices - Mobile

9 Workspace paper documents

3 Vendor Person / Service Provider/ Maintenance

13 Personal PC / Devices used for remote access

18 Client operating System (Windows, Mac)

21 Email Filtering

24 Firewalls

38 Telecommunication Devices, Systems, VM

26 MS Active Directory

28 Surveillance systems

32 Wireless Network

36 Storage

40 Backup Devices and Systems

39 MS Office (excluding Outlook)

23 Website Filtering


Page 32

IT Risk Assessment

Risk Map – Residual Risk Profile (i.e. likelihood of identified risk occurring assuming mitigating controls are in place):

Map axes: LIKELIHOOD, horizontal, 0 to 5 with a 2.5 midpoint (Rare, Unlikely, Possible, Likely, Almost Certain); CONSEQUENCE, vertical, 0 to 5 with a 2.5 midpoint (Insignificant, Minor, Moderate, Major, Catastrophic). Zones from the Rare / Insignificant corner to the Almost Certain / Catastrophic corner: Risk - Low, Risk – Low to Moderate, Risk - Moderate, Risk – Moderate to High, Risk – High. The numbered risk objects below are plotted as points on the map.

# Risk Object

17 Core Business Systems

19 Email System (MS Exchange)

30 Internet Network

35 Databases / Information repositories

1 IT Employee & IT Contractor

6 Third Party Data Centre Room

29 Remote access system / VPN/ Token

34 Servers

5 Data Centre Room

31 Wide Area Network (WAN)

33 Local Area Network & Cabling

37 Data Centre UPS, environment Control, etc…

7 Office building/facility

16 Non-Core Business systems

27 Building Security Fob Systems

2 User/Business/Executive user

22 Anti-virus / Anti-Malware

8 Employee Home Office

20 Email encryption

10 Client devices - Desktop computers

14 Core Business systems

12 Multipurpose printer/Fax/Scan / Copier

25 Security Monitoring / IDS

11 Client devices - Mobile

9 Workspace paper documents

3 Vendor Person / Service Provider/ Maintenance

15 IT support systems

13 Personal PC / Devices used for remote access

18 Client operating System (Windows, Mac)

21 Email Filtering

24 Firewalls

38 Telecommunication Devices, Systems, VM

26 MS Active Directory

28 Surveillance systems

32 Wireless Network

36 Storage

40 Backup Devices and Systems

39 MS Office (excluding Outlook)

23 Website Filtering


Page 33

IT Risk Assessment

Risk Analysis

An Annual Process

Risk Analysis flow: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan

Page 34

Wrap Up and Questions