IT Risk Assessments A Holistic View
Erwin Martinez
CIO, BC Ferries
BC Security Day
November 9, 2016
Agenda
• External Models and Expert Perspectives
• IT System of Management – The Context of IT Risk Management
• IT Risk Assessment
• Wrap-up and Questions
External Models and Expert Perspectives
IT Risk Definitions
• ISACA - The Risk IT Framework. IT risk is business risk – specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
• Westerman & Hunter, authors of IT Risk – Turning Business Threats Into Competitive Advantage. IT risk is the potential for an unplanned event involving a failure or misuse of IT to threaten an enterprise objective.
• The Canadian Institute of Chartered Accountants' Information Technology Control Guidelines. Risk can broadly be defined as anything that will prevent the enterprise from meeting its objectives. Risk also arises from the use of technologies, including computers and communications.
Information Security Risk Definition
• NIST 800-30 – Guide for Conducting Risk Assessments. Information Security Risk is the risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
Same definitions, but with the emphasis on the nouns, the objects.
External Models and Expert Perspectives
Other Viewpoints on Risk
• Mark Zuckerberg. The biggest risk is not taking any risk... In a world that’s changing really quickly, the only strategy that is guaranteed to fail is not taking risks.
• Warren Buffett. Risk comes from not knowing what you're doing.
• Stanley Kubrick. Any time you take a chance you better be sure the rewards are worth the risk...
• Ray Kroc. If you're not a risk taker, you should get the hell out of business.
• Erica Jong. If you don't risk anything, you risk even more.
• Jeffrey R. Immelt. I have learned that nothing is certain except for the need to have strong risk management, a lot of cash, the willingness to invest even when the future is unclear, and great people.
• Theodore Roosevelt. Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.
• Lee Iacocca. Even a correct decision is wrong when it was taken too late.
• Mike Tyson. Everyone has a plan 'till they get punched in the mouth.
• Wayne Gretzky. You'll always miss 100% of the shots you don't take.
External Models and Expert Perspectives
(Figures: two diagrams of external models; the only text recoverable is a control model with three functions: Prevent, Detect, Recover.)
External Models and Expert Perspectives
COBIT 5 – APO12 Manage Risk
• Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• IT Goals
  • IT compliance and support for business compliance with external laws and regulations
  • Managed IT-related business risk
  • Transparency of IT costs, benefits and risk
  • Security of information, processing infrastructure and applications
  • Delivery of programs delivering benefits, on time, on budget, and meeting requirements and quality standards
• Process Goals
  • IT-related risk is identified, analyzed, managed and reported
  • A current and complete risk profile exists
  • All significant risk management actions are managed and under control
  • Risk management actions are implemented effectively
• Management Practices
  1. Collect data
  2. Analyze risk
  3. Maintain a risk profile
  4. Articulate risk
  5. Define a risk management action portfolio
  6. Respond to risk
COBIT 5 is not prescriptive. It tells you what to do, not how to do it.
External Models and Expert Perspectives
Four dimensions of enterprise IT risk (Westerman)
• Availability. Keeping existing processes running, and recovering from interruptions.
• Access. Ensuring that people have appropriate access to information and facilities they need, but that unauthorized people do not gain access.
• Accuracy. Providing accurate, timely and complete information that meets requirements of management, staff, customers, suppliers and regulators.
• Agility. Implementing new strategic initiatives, such as acquiring a firm, completing a major business process redesign or launching a new product/service.
Westerman adds “Agility” to the traditional AIC security triad model of Availability, Integrity, Confidentiality.
External Models and Expert Perspectives
The Causes of IT Risk (Westerman & Hunter)
• Ineffective IT Governance. The absence of appropriate structures and processes for business involvement in IT investments and decisions.
• Uncontrolled Complexity. Not managing product quality components: stability, performance, compatibility, usability, reliability, security, maintainability, portability. (ISO/IEC 25010)
• Inattention to Risk. Missing or inadequate knowledge, poor infrastructure management, employee ignorance/negligence, systems blind to dangerous activities / systems lacking automated controls.
External Models and Expert Perspectives
Ten ways business executives can improve IT risk management (Westerman & Hunter)
1. Treat IT risk as business risk.
2. Consider risks in terms of four As: Access, Availability, Accuracy, Agility.
3. Plug any holes in the foundation and be ready for the unforeseen events.
4. Simplify the foundation.
5. Create risk governance structure and process.
6. Give every employee appropriate awareness of the risks, vulnerabilities, and policies that matter most to them.
7. Create a risk aware culture.
8. Measure effectiveness.
9. Look forward.
10. Lead by example.
IT System of Management – The Context of IT Risk Management
(Figure: the corporate risk management cycle. The IT Risk Assessment is part of the Corporate Risk Assessment Program. Each division runs a Division Self Risk Assessment (DSRA) against its strategic objectives and business plans: review of risks to business plan objectives, risk identification, risk assessment and risk treatment, with communication and consultation throughout. Enterprise Risk Management consolidates and reviews the divisions' risks to objectives, prioritizes enterprise risks quarterly, takes strategic risk themes and external events as input, and identifies emerging risks. Executive Management validates the enterprise risks and identifies emerging risks. Monitoring and review produces a Consolidated Risk Report for the Committees of the Board of Directors.)
IT Risk Assessment
Risk Analysis
(Figure: the risk analysis chain, read left to right: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan.)
Risk Objects:
• Persons
• Spaces and Places
• Entry point hardware
• Commercial off the shelf software
• Customized software
• Outsourced software and services
• Security infrastructure
• Technology infrastructure and networks
• Non-technology
Risk Scenarios:
• Theft
• Intrusion / Hack / Unauthorized Access / Virus & Malware Infection / Sabotage
• Loss
• Deliberate Misuse / Misappropriation
• Employee Error / Maleficence
• Technical Malfunction / Failure / Crash / Service Disruption / Performance Degradation
• Natural and/or Externally Imposed Disaster / Disaster Recovery Scenario
Risk Implications:
• Loss of money and/or assets
• Loss of data or data corruption
• Violation of regulation or law
• Damage to reputation and image
• Business process and/or service outage, disruption, or delay
• Harm to persons
• Damage to property, facility, object
• Damage to hardware / technology
Likelihood & Consequence Scoring:
• Likelihood on a 1 to 5 point scale. “How likely is it that this bad thing will actually happen?”
• Consequence on a 1 to 5 point scale. “How bad will things be if this risk manifests?”
Controls in Place (existing…):
• Preventative Controls
• Detective Controls
• Responsive / Recovery-oriented controls
Potential Controls (to be added…):
• Preventative Controls
• Detective Controls
• Responsive / Recovery-oriented controls
Risk Assessment and Action Plan:
• Residual Risk Assessment:
  • Red = urgent need to add controls to make risk acceptable
  • Yellow = beneficial to add additional controls, but risk is currently within tolerance
  • Green = risk within tolerance, but could be improved
• Description of actions required to improve residual risk.
IT Risk Assessment
Purpose:
To perform an “Enterprise Information Technology risk assessment” NOT an “IT Department risk assessment”.
In Scope:
“IT outside of IT”
Out of Scope:
In-flight projects (i.e. change not yet delivered into production)
People risk on recruitment, capacity, KSA (knowledge, skills, abilities), retention, succession planning, etc.
Physical security
IT Risk Assessment
Four Phase Approach:
1. Risk Objects definition and Project Organization
2. Risks scenarios and scoring
3. Controls
4. Action Plan
IT Risk Assessment
Risk Analysis
(Figure: the four phases mapped onto the risk analysis chain. Phase 1: Risk Objects. Phase 2: Risk Scenarios, Risk Implications, Likelihood & Consequence Scoring. Phase 3: Controls in Place, Potential Controls. Phase 4: Risk Assessment and Action Plan.)
IT Risk Assessment
Phase 1: The Risk Objects
Scope:
Definition of the breakdown of the Enterprise Information Technology into risk objects
• Target: around 50 risk objects.
• Breakdown typically created from the inventory of applications and a few workshops with SMEs.
Project organization:
• Project schedule, budget
• Staffing
• Project governance
• Slide deck: “IT Risk Assessment 101”
• Identification of the people involved in the workshops for phases 2 and 3
IT Risk Assessment
What is a Risk Object?
• A Risk Object is an identified area where a risk may be present.
• Risk Objects include IT Assets (including facilities), Systems, Services, Employees, Customers, Vendors.
• In certain scenarios, a Risk Object has the potential for damage (Risk Implication).
• Risk Objects are the things that pose hazards, the sources of danger, the entities to which harmful consequences are conceptually attached. (Steven Hilgartner)
• A Risk Object is a thing, used by us, around us; often used to do our job.
IT Risk Assessment
What is a Risk Object?
(Figure: a diagram relating Noun, Verb, Process and Risk; the Risk Object is the noun.)
IT Risk Assessment
What is the benefit of using Risk Objects as the foundation for the IT Risk Assessment?
• Risk Objects are tangible, and therefore feasible to identify with completeness.
• Risk Objects allow the consideration of risks that are within and outside of our control.
• Risk Objects improve our ability to find blind spots in our risk profile.
• Risk Objects lend themselves well to follow-up actions to improve risk posture since the actions will be directed at the tangible risk objects.
IT Risk Assessment
Examples of Risk Objects
Categories (the left-hand axis of the table): Persons; Spaces and places; Non-technology; Devices; Applications; Security; Infrastructure & Network.
1 IT Employee & IT Contractor
2 User/Business/Executive user
3 Vendor person / Service provider / Maintenance
4 Customer
5 Data Centre Room access
6 Disaster Site and PPE access
7 Office building/facility
8 Terminals
9 Vessels
10 Workspace paper documents
11 User devices - Desktop Computers
12 User devices - Mobile
13 Multipurpose printer/Fax/Scan / Copier
14 Personal PC / Devices used for Remote Access
15 Third party devices on BCF Network
16 Point of Sale
17 Kiosks
18 Customer Service
19 Customer communication
20 Terminal Operations Applications
21 Vessel Operations
22 Catering Operations Applications
23 Financial Management
24 Human Resources Management
25 Learning Management
26 Supplier Management
27 Inventory and Maintenance Management
28 Occupational Safety & Health
29 Crew Scheduling
30 Time Collection
31 Payroll
32 Audit Compliance
33 Project & Portfolio Management
34 Business Intelligence
35 Internal communication and collaboration
36 Security of people and assets management
37 Cloud/hosted applications, services
38 COTS Desktop applications
39 IT Support Systems
40 IT Management Systems
41 Email System (MS Exchange)
42 Endpoint Protection (Anti-virus/Anti-Malware)
43 Firewalls / Web Application Firewalls
44 Security Monitoring / IDS
45 Remote Access system / VPN / Token
46 Internet Network
47 BCF Wireless Network
48 BCF Public Wireless Network
49 Wide Area Network (WAN)
50 Local Area Network & Cabling
51 Servers
52 Databases / Information Repositories
53 Storage
54 Telecommunication Devices, Systems, VM
55 Backup Devices and Systems
IT Risk Assessment
Phase 2: The risks and their impacts
Performed in Workshops
Scope: Identification of risks and impacts by risk object; scoring on likelihood, consequence and velocity for each risk object
Invitees: ideally, representation from all the different IT groups (Application, Infrastructure, Security, Business) (Profile: Team Lead, Senior, SMEs)
High-level estimate: 5-7 risk objects analyzed in a 2-hour workshop.
IT Risk Assessment
Example for the “Server” risk object (Phase 2 worksheet)
Columns: Risk Object | Risk Scenario | Risk Implication / Potential Damage | Comments / Key Discussion | Inherent Risk Rating: L (1-5), C (1-5), LxC, V (1-3) Velocity, Risk Rating
Risk Object: Servers
Risk Scenarios:
- Large scale outage, Business Continuity & Resiliency
- System reliability on hardware and operating systems
- Violation of corporate governance & regulatory compliance
- Data theft
- Unauthorized access to confidential corporate data
- Intentional or unintentional damage due to privileged access
- Lapsed maintenance and/or support
- Aging equipment
Risk Implications / Potential Damage:
- Unauthorized access to confidential corporate data
- Downtime, loss of revenue
- Fines for violation of regulations
- Reputational damage
- Criminal misuse of customer data
- Inconvenience to customers
- Inability to get service and/or parts
Comments / Key Discussion: Impact can vary depending on how large scale the outage is. Not all servers are mission critical.
Inherent Risk Rating: L = 3.5, C = 3, LxC = 10.5, V = 1, Risk Rating = Medium
IT Risk Assessment
Phase 3: The Controls
Performed in Workshops
Scope: Identification and analysis of the controls and their efficiency; identification of missing (additional) controls; scoring on likelihood, consequence, velocity and efficiency of the controls for each risk object
Invitees: ideally, SMEs specific to each risk object (Profile: Team Leads, Seniors, SMEs, Managers)
High-level estimate: up to 5 risk objects analyzed in a 2-hour workshop.
IT Risk Assessment
Control Descriptions: example for the “Server” Risk Object (Phase 3 worksheet)
Columns: Risk Object | Preventative | Detective | Recovery | CE (1-5) | Control Rating
Risk Object: Servers
Controls in place (preventative, detective and recovery):
- For System Admins and Super User Accounts: some unique IDs and passwords implemented; policy implemented for account lockout after failed logins
- Access restricted to a limited number of people
- Contacts in place with Vendors for maintenance and support
- Servers are located in physically secured and environmentally controlled locations (data centres)
- Regular patching performed
- Formal review of any major outages
- Regular reviews with infrastructure vendors
- Some server monitoring procedures in place
- Support personnel notified and procedures in place for incident response to operational issues
- Tripwire security software installed on all SAM servers for monitoring and incident detection
CE = 2.5; Control Rating = Control Needs Improvement
IT Risk Assessment
Residual Risk Rating and Potential Controls: example for the “Server” Risk Object
Columns: Risk Object | Residual Risk Rating: L (1-5), C (1-5), LxC, Risk Rating | Potential Controls
Risk Object: Servers
Residual Risk Rating: L = 4, C = 3, LxC = 12, Risk Rating = High
Potential Controls:
A) Improve Server hardening standards. Some standards have been defined in infrastructure design documents.
B) Develop Security monitoring requirements (also referred to in Risk Object #28 Security IDs)
C) Develop and implement an overall IT Infrastructure access and account management process to ensure access requirements/rights are properly requested, approved, added, changed, removed and reviewed.
IT Risk Assessment
Phase 4: Risk Assessment and Action Plan
Performed in workshops and
• Will require some prioritization
• May trigger several initiatives/projects
• Ideally, shared with the Business Units
• Will influence the technological roadmaps
• May influence the business roadmaps
IT Risk Assessment
Risk Profile Interpretation
(Figure: a four-quadrant grid, LIKELIHOOD on the horizontal axis and CONSEQUENCE on the vertical axis, each running from Low to High.)
Key Risks (high likelihood, high consequence):
• Critical risks that potentially threaten the achievement of business objectives
Secondary Risks (low likelihood, high consequence):
• Lower likelihood, but could have significant impact on business objectives
• Important the controls continue to operate as intended to mitigate risk of occurrence
Secondary Risks (high likelihood, low consequence):
• Lesser significance, but more likely to occur
• In aggregation, risks could potentially threaten achievement of objectives
• Reassess often to monitor changing conditions (i.e. movement to higher significance)
Low Priority Risks (low likelihood, low consequence):
• Significant monitoring not necessary
• Periodically reassess
IT Risk Assessment
Risk Map – Inherent Risk Profile (i.e. likelihood of identified risk occurring assuming no mitigating controls are in place):
(Figure: risk map. Horizontal axis LIKELIHOOD, 0 to 5 with a mark at 2.5, labelled Rare, Unlikely, Possible, Likely, Almost Certain. Vertical axis CONSEQUENCE, 0 to 5 with a mark at 2.5, labelled Insignificant, Minor, Moderate, Major, Catastrophic. The map is divided into nine rated cells; reading from low to high likelihood, the lowest consequence band is Low, Low to Moderate, Moderate; the middle band is Low to Moderate, Moderate, Moderate to High; the highest band is Moderate, Moderate to High, High. The plotted positions of the numbered risk objects are not recoverable from the text.)
Risk objects plotted (# Risk Object):
17 Core Business Systems
19 Email System (MS Exchange)
30 Internet Network
35 Databases / Information repositories
1 IT Employee & IT Contractor
6 Third Party Data Centre Room
29 Remote access system / VPN / Token
34 Servers
5 Data Centre Room
31 Wide Area Network (WAN)
33 Local Area Network & Cabling
37 Data Centre UPS, environment Control, etc…
7 Office building/facility
16 Non-Core Business systems
27 Building Security Fob Systems
2 User/Business/Executive user
22 Anti-virus / Anti-Malware
8 Employee Home Office
20 Email encryption
10 Client devices - Desktop computers
14 Core Business systems
12 Multipurpose printer/Fax/Scan / Copier
15 IT support systems
25 Security Monitoring / IDS
11 Client devices - Mobile
9 Workspace paper documents
3 Vendor Person / Service Provider / Maintenance
13 Personal PC / Devices used for remote access
18 Client operating System (Windows, Mac)
21 Email Filtering
24 Firewalls
38 Telecommunication Devices, Systems, VM
26 MS Active Directory
28 Surveillance systems
32 Wireless Network
36 Storage
40 Backup Devices and Systems
39 MS Office (excluding Outlook)
23 Website Filtering
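As an added example (not code from the deck or from BC Ferries), the scoring scheme of the phases above (L and C on 1-5 scales, LxC, velocity, control effectiveness, residual rating, the nine-cell risk map and the four-quadrant profile interpretation) as a small Python model. The deck shows only two worked scores (10.5 = Medium, 12 = High), so the rating floors, the map bands, the 2.5 quadrant midpoint and the rating-to-colour mapping are assumptions.

```python
# Added example, not code from the deck: a small model of its scoring scheme.
# Assumed (the deck shows only L x C = 10.5 -> Medium and 12 -> High): the rating
# floors, thirds of the 1-5 axes for the nine map cells, the 2.5 quadrant midpoint.
from dataclasses import dataclass, field
from typing import List

LXC_BANDS = [(12.0, "High"), (6.0, "Medium"), (0.0, "Low")]  # assumed floors
# Nine map cells: RISK_MAP[consequence_band][likelihood_band], bands 0 (low) to 2.
RISK_MAP = [["Low", "Low to Moderate", "Moderate"],
            ["Low to Moderate", "Moderate", "Moderate to High"],
            ["Moderate", "Moderate to High", "High"]]


@dataclass
class Score:
    likelihood: float   # L, 1-5: how likely is it that this bad thing will happen?
    consequence: float  # C, 1-5: how bad will things be if this risk manifests?
    velocity: int = 1   # V, 1-3: how quickly the impact arrives once it occurs

    def __post_init__(self) -> None:
        for name, value, top in (("likelihood", self.likelihood, 5),
                                 ("consequence", self.consequence, 5), ("velocity", self.velocity, 3)):
            if not 1 <= value <= top:  # reject off-scale entries from a worksheet
                raise ValueError(f"{name}={value} is outside 1-{top}")

    @property
    def lxc(self) -> float:
        return self.likelihood * self.consequence

    def rating(self) -> str:
        return next(label for floor, label in LXC_BANDS if self.lxc >= floor)

    def map_cell(self) -> str:
        """Cell of the 3x3 risk map (axis thirds are an assumption)."""
        band = lambda v: min(2, int((v - 1) // (4 / 3)))
        return RISK_MAP[band(self.consequence)][band(self.likelihood)]

    def quadrant(self) -> str:
        """Risk profile interpretation: Key / Secondary / Low Priority."""
        hi_l, hi_c = self.likelihood > 2.5, self.consequence > 2.5
        if hi_l and hi_c:
            return "Key Risks"
        if hi_c:
            return "Secondary Risks: lower likelihood, significant impact"
        if hi_l:
            return "Secondary Risks: lesser significance, more likely"
        return "Low Priority Risks"


@dataclass
class RiskObject:
    name: str
    scenarios: List[str]
    inherent: Score
    control_effectiveness: float  # CE, 1-5
    residual: Score
    potential_controls: List[str] = field(default_factory=list)

    def action_colour(self) -> str:
        """Deck's traffic light on residual risk (rating-to-colour mapping assumed)."""
        return {"High": "Red", "Medium": "Yellow", "Low": "Green"}[self.residual.rating()]


def servers_example() -> RiskObject:
    """The deck's "Servers" row: inherent 3.5 x 3, CE 2.5, residual 4 x 3."""
    return RiskObject("Servers", ["Large scale outage", "Data theft"], Score(3.5, 3),
                      2.5, Score(4, 3), ["A) Improve server hardening standards"])
```

Running `servers_example()` reproduces the deck's Medium inherent and High residual ratings for Servers and places the object in the Key Risks quadrant.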
IT Risk Assessment
Risk Map – Residual Risk Profile (i.e. likelihood of identified risk occurring assuming mitigating controls are in place):
(Figure: the same risk map, axes and nine cell ratings as the inherent risk profile, with the risk objects re-plotted with controls in place. The plotted positions are not recoverable from the text.)
Risk objects plotted (# Risk Object):
17 Core Business Systems
19 Email System (MS Exchange)
30 Internet Network
35 Databases / Information repositories
1 IT Employee & IT Contractor
6 Third Party Data Centre Room
29 Remote access system / VPN / Token
34 Servers
5 Data Centre Room
31 Wide Area Network (WAN)
33 Local Area Network & Cabling
37 Data Centre UPS, environment Control, etc…
7 Office building/facility
16 Non-Core Business systems
27 Building Security Fob Systems
2 User/Business/Executive user
22 Anti-virus / Anti-Malware
8 Employee Home Office
20 Email encryption
10 Client devices - Desktop computers
14 Core Business systems
12 Multipurpose printer/Fax/Scan / Copier
25 Security Monitoring / IDS
11 Client devices - Mobile
9 Workspace paper documents
3 Vendor Person / Service Provider / Maintenance
15 IT support systems
13 Personal PC / Devices used for remote access
18 Client operating System (Windows, Mac)
21 Email Filtering
24 Firewalls
38 Telecommunication Devices, Systems, VM
26 MS Active Directory
28 Surveillance systems
32 Wireless Network
36 Storage
40 Backup Devices and Systems
39 MS Office (excluding Outlook)
23 Website Filtering
IT Risk Assessment
Risk Analysis: An Annual Process
(Figure: the risk analysis chain repeated: Risk Objects → Risk Scenarios → Risk Implications → Likelihood & Consequence Scoring → Controls in Place → Potential Controls → Risk Assessment and Action Plan.)
Wrap Up and Questions