15/08/2016
1
Why Integrated Enterprise Risk Management Is Essential
(Session 2304)
Monday, September 12, 2016 4:30 PM - 5:30 PM
Orlando, FL
Doug Powell, CPP, PSP
J. Kelly Stewart, CPP
LEARNING OBJECTIVES
• Understand why Critical Infrastructure security risk management requires an Enterprise, or End-to-End view of security risk
• Understand how IT, OT and Physical (traditional) security risk need to be COMPLETELY INTEGRATED.
• Identify a new methodology that utilizes Governance, Risk and Compliance.
THE ISSUE
THE NEED FOR CHANGE
• Security Risk Management (SRM) still holds a predominantly “physical” tone in most organizations.
• IT Security Risk Management has received considerable attention over the past decade.
• Operational Technology (OT) security risk management is almost non-existent.
• There is no Integrated Approach to managing critical infrastructure risk.
WHY GRC?
• Critical Infrastructure security risk management requires an Enterprise, or End-to-End view of security risk
• We can no longer silo security risk and believe we are adequately protecting our infrastructure
• An integrated view of security risk is long overdue
• Physical security practices also protect IT assets
• IT assets also form part of the physical security infrastructure
• Both IT and Physical Security practices contribute to OT security program management
• IT, OT and Physical (traditional) security risk is COMPLETELY INTEGRATED
• Why would we manage security risk across any of these domains independently?
• How can we provide assurance to the organization (executive or Board) that security risk is being managed effectively and completely without a single risk view for ALL security risk?
• An Enterprise Security Risk Management (ESRM) view is required.
ESRM INTERDEPENDENCIES
• Do IT and Physical Security Risk exist independent of each other?
• No!
• Consider the substation example.
A SECURITY MANAGEMENT PROGRAM MODEL
[Diagram: Security Program Development cycle, enclosed on all sides by Training & Awareness]
• Governance Model
• Enterprise Security Risk Management
• Risks Identified & Prioritized
• Mitigation Plan / Strategic Plan
• Physical Security Upgrades
• Personnel Management Issues
• Access Control Program
• Policy & Standards Development
• Reporting Requirements
• Metrics Development
• Incident Management
• Security Program/Compliance Management
• IT/OT Security Development
• Liaison Management
• Corrective Actions / Gaps / Emerging Threats
GOVERNANCE, RISK & COMPLIANCE ISSUES
CRITICAL FACTORS (across Governance, Risk and Compliance)
• Executive Sponsorship
• Well-defined list of Risk Management Stakeholders
• Organizational Maturity regarding Risk Management
• Open Communication & Teamwork
• Holistic View of the Process & Organization
• Risk Methodology
ROADMAP FOR ACHIEVING ESRM/GRC
[Table: service areas (rows) against Governance, Risk and Compliance (columns)]
• Process. Governance: Policy, Standards, Guidelines, Procedures, Gap Analysis; Risk: Risk Assessment Framework; Compliance: Integrated SM, Metrics, KPIs, periodic Audits, Exec. Reports
• People. Governance: Awareness, Roles & Responsibilities, Teamwork, Communication; Risk: Independent Security Assessments, Contractual Compliance; Compliance: Access Reviews, Collaboration, Communication, Process Review
• Data. Governance: Data Governance, Ownership, Classification, Convergence; Risk: Data Risk Assessment, Risk Mitigation; Compliance: Data Protection, PII compliance
• Infrastructure. Governance: Security Baseline; Risk: Comprehensive Risk, Threat, & Vulnerability Assessment; Compliance: Security configuration & compliance, SLAs, service
Reference standards: ISO 31000, ISO 31010, ISO 27000, HIPAA, PCI DSS, SAS 70, ASIS/ANSI/RIMS RA Standard, ASIS/ANSI SPC.1-2009 Organizational Resilience, ASIS/ANSI SCRM.1-2014 Supply Chain Risk Management, ASIS/ANSI SPC.2-2014 Auditing Management Systems: Risk, Resilience, Security, and Continuity – Guidance for Application
THE ESRM LANDSCAPE TODAY
BOARD LEVEL RISKS vs. SECURITY PROGRAM
GRC METHODOLOGY IS CRITICAL TO SUCCESS
GRC COMPONENTS
ENTERPRISE RISK MANAGEMENT PROCESS
[Diagram: Risk Assessment Process, with Communication & Consultation and Monitor & Review running alongside every stage]
Establishing the Context
• The External Context
• The Internal Context
• The Risk Management Context
• Develop Criteria and Define the Structure
Risk Assessment
• Risk Identification: What Can Happen, When, Where, How, & Why; Asset Identification, Valuation and Characterization; Threat/Opportunity, Vulnerability/Capability & Criticality/Impact Analysis
• Risk Analysis: Identify Existing Controls; Determine Likelihood; Determine Consequences; Determine Level of Risk
• Risk Evaluation: Compare the Criteria – Set the Principles; Consider Tolerance and Acceptability
Treat Risk? (No: return to Monitor & Review; Yes: proceed to Risk Treatment)
Risk Treatment
• Identify and Assess Options
• Avoid? Share? Exploit? Reduce? Accept?
• Prepare and Implement Treatment Options
• Analyze & Evaluate Residual Risk
ENTERPRISE RISK PLOTTING
[Chart: example undesirable events plotted against consequence categories]
• Consequence categories: Environmental Risk, Safety Risk, Financial Risk
• Plotted events: Metal Theft; Unresolved Critical Defects; Theft of HV Transformer; Theft of explosive charges; Terrorist caused dam breach – T1; Malware; Privacy Breach; Workplace Violence; Loss of Permission to Operate; Fatality; Additional Scope in the magnitude of $100M – $1B
APPLYING QUALITATIVE RISK MITIGATION
[Bow-tie diagram: numbered Preventative Measures on the left lead to the Undesirable Event; numbered Recovery Measures follow it on the right]
FUNDAMENTAL PROTECTION, END-TO-END (IT, OT and Physical):
• Access Control
• Physical Barriers
• Situational Awareness
• Cultural adaptation
• Audit
• Surveillance & Monitoring
• Intelligence
• Security zones
• Effective Response
Clear Governance, effective Standards and Best Practices
NORMALIZING RISK DEFINITION
• Before risks can be effectively managed, we must agree on a common definition of risk that is clearly understood by the board, management, faculty, and staff.
• Replace old definitions of risk and risk management
Old Language
• Risk: Negative Outcomes
• Risk Management: Ensuring the Organization was adequately protected in the event of Catastrophe
New Language
• Risk: Any issue that affects the organization’s ability to meet its objectives
• Enterprise Security Risk Management: Encompasses all of the operational, financial, compliance, strategic, and reputation issues encountered in the attempt to achieve objectives
ADAPTING GRC METHODOLOGY
• The GRC management framework provides a good foundation for integrated security risk management
• GRC sets a useful risk management and assessment framework
• Governance and Compliance gaps frame the majority, if not all security risk concerns
• But GRC is far too narrow in its current design
• Physical risk assessment is much more detailed and follows a different methodology
• Can be adapted to GRC and automated
• Yet, neither method really allows for situational awareness inputs
• Changing environments need to be part of the ongoing assessment
GRC – GOVERNANCE, RISK & COMPLIANCE
Wherever Risk Management is considered:
• Correct GOVERNANCE is imperative for Risk Management
• Loss of GOVERNANCE leads to Loss of Compliance
• Compliance, traditionally, has been viewed as a Regulatory Framework
• Compliance in an Enterprise Security Framework must be measured against every policy and standard that supports the organization’s objectives.
• Critical Step: Define all requisite Standards
THANK YOU!
J Kelly Stewart, MBA: [email protected]
Doug Powell CPP, PSP: [email protected]