© Rev2 Networks, Inc—Confidential
Rev2
IT Information Security
Risk Management
February 26, 2010
Goals
Introduce RiskView™, a decision support system which helps identify and focus on business-material risks
Understand your risk-management focus areas & processes
Agenda
1. Rev2 Introduction
2. RiskView Framework
3. Examples
4. Next Steps
Today’s Discussion
Rev2 Risk Management
InfoSec Risk · Supply Chain Risk · Service Delivery Risk
RiskView replaces ad-hoc processes with a fact-based, scalable, repeatable framework:
Identify under-controlled risk via business views
Focus on the most material drivers
“What-if” controls testing
Today
Plenty of Data But Big Exposure
Info sec tools and services regularly identify 100,000’s of vulnerabilities.
Most companies collect large vulnerability data sets, but face big material risk in information security.
Value is limited by…
Data silos
Inconsistent data
Wrong metrics
Changing process
Inadequate tools
Because…
Reactive response
Perception vs. facts
Wasted money
On-going vulnerability
How do you prioritize 1 Million vulnerabilities?
RiskView provides a fact-based, scalable, repeatable process
Requirements
Effective risk management requires specialized structures, tools and systems that most companies lack.
Structure: Info Sec Risk Mgt requires a formal strategy and organization approach
Systems: An on-going formal process is needed to meet goals and execute strategy
Tools: Special tools are required to consistently and efficiently analyze large data sets
Key Elements Include
Structure
Leadership – To coordinate across business units
Metrics – Consistent metrics for materiality of business impact
Risks and Policies – To identify risks and define policies to limit exposure
Systems
Compliance – Regular evaluations to learn policy compliance and violations
Risk Updates – Regular reviews for materiality score changes
Measures and Actions – Regular risk assessments with next steps to fix key findings
Tools
Risk Algorithm – To calculate materiality scores
Analytic Engine – To compare risks and identify drivers
Scenario Testing – To pre-test potential program changes
Visualization – To facilitate analysis and understanding
Strategic Data
A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.
Normalized Data
The Issue: Risks are measured differently. How to compare them?
The Solution: Create a normalized risk score, based on materiality of adverse business impact.
Different Impacts
The Issue: Risks have different impacts. How to evaluate risk types?
The Solution: Score vulnerabilities on the type of risk they present; differentiate financial, legal, regulatory and reputational impact.
Asset Roles
The Issue: Risk impact varies based on where it occurs. How to recognize differences?
The Solution: Score impact based on the specific asset at risk; recognize differences in asset value.
Strategic Data supports a fact-based, scalable, repeatable process
Materiality
Diagram: three inputs combine into business materiality
The probability of an attempt
The probability of success
The criticality of the intersected asset or business process
Diagram labels: EXPLOITABILITY, SUSCEPTIBILITY, IMPACT; BUSINESS MATERIALITY: DOES IT MATTER?
We normalize risk scores based on business materiality. The probability of a successful attempt is weighed versus its impact based on the asset’s business criticality.
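As an added illustration, not Rev2's code or RiskView's actual algorithm (the deck discloses no formula), the Python below sketches the scoring the Strategic Data and Materiality slides describe: a normalized 0..100 materiality score from probability of attempt, probability of success, asset criticality and cost type, rolled up by business view, filtered to the “critical few”, and pre-tested with a what-if control. The multiplicative formula, the cost-type weights and the sample findings are assumptions.

```python
"""Materiality scoring in the spirit of the RiskView slides (added example, not Rev2's
code). The deck names the inputs but no formula; assumed here: exploitability =
p_attempt * p_success, impact = criticality * cost-type weight, score = 100 * their product."""
from dataclasses import dataclass
# Assumed relative weights for the four cost types named on the slides.
COST_WEIGHTS = {"financial": 1.0, "legal": 0.9, "regulatory": 0.8, "reputational": 0.7}

@dataclass
class Finding:
    finding_id: str
    asset: str
    business_unit: str
    asset_criticality: float  # 0..1 criticality of the asset or business process
    p_attempt: float          # 0..1 probability that an attempt is made
    p_success: float          # 0..1 probability that the attempt succeeds
    cost_type: str            # one of the COST_WEIGHTS keys

def materiality(f: Finding) -> float:
    """Normalized 0..100 score: exploitability weighed against business impact."""
    exploitability = f.p_attempt * f.p_success
    impact = f.asset_criticality * COST_WEIGHTS[f.cost_type]
    return round(100 * exploitability * impact, 1)

def total(findings) -> float:
    return round(sum(materiality(f) for f in findings), 1)

def by_view(findings, view: str) -> dict:
    """Roll materiality up per business view, e.g. 'business_unit' or 'asset'."""
    totals: dict = {}
    for f in findings:
        totals[getattr(f, view)] = totals.get(getattr(f, view), 0.0) + materiality(f)
    return {k: round(v, 1) for k, v in totals.items()}

def critical_few(findings, threshold: float) -> list:
    """Materiality filter: findings at or above the threshold, worst first."""
    return sorted((f for f in findings if materiality(f) >= threshold),
                  key=materiality, reverse=True)

def what_if(findings, covers) -> tuple:
    """Pre-test a control: drop the findings it covers; return (before, after, % cut)."""
    before, after = total(findings), total([f for f in findings if not covers(f)])
    return before, after, round(100 * (before - after) / before, 1)

# Constructed sample findings, not real scanner output.
FINDINGS = [
    Finding("F1", "payroll-db", "Finance", 0.9, 0.8, 0.7, "financial"),
    Finding("F2", "marketing-www", "Marketing", 0.4, 0.9, 0.9, "reputational"),
    Finding("F3", "payroll-db", "Finance", 0.9, 0.3, 0.2, "regulatory"),
    Finding("F4", "dev-wiki", "Engineering", 0.2, 0.9, 0.9, "legal"),
]
```

The what-if call `what_if(FINDINGS, lambda f: f.asset == "payroll-db")` models a single control applied to one asset and reports how much aggregate materiality it would remove before any money is spent.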
What is RiskView™?
• A software Risk Data Warehouse platform that collects vulnerability data
• Business-specific modules with customizable views and analytics
• Advanced Visualization to create a packaged decision support system
Highly-extensible platform, for fact-based, scalable, repeatable Risk Management Decisions
RiskView Features
Business Views
Impact/Effect
Cause
Business Unit
Geography/Location
Process
Cost Types
Financial
Reputational
Regulatory
Legal
– Collect and Combine risks Enterprise wide
– Normalized scoring based on Materiality
– Impact Centric business views
– Pre and post testing for “what if?” and “did it work?”
– Advanced Visualization for easy analysis and interpretation
Fact-based—Scalable—Repeatable!
RiskView Examples
Vertical View – InfoSec
Horizontal View – Geography
Business Unit View
Filters = Focus
Not every vulnerability is equal in terms of materiality.
Once aggregate material risk is identified and unacceptable levels detected, you need to identify and profile the drivers.
Materiality (finding the “Critical Few”)
What-if (testing)
Date Range (trending)
Exploded View
RiskView Benefits
Identify uncontrolled critical risks
Typically reduction is > 50%
Save money
Improve risk with current budget; cut spending without added risk
Identify common controls
For one client, a single control eliminated 70% of uncontrolled risk
Improve staff productivity
Only one FTE week per quarter for analysis/administration
Analyze up to 200 million vulnerabilities in real-time
Justify budgets and investments
Test program investments before decision and after execution
Establish a fact-base for decision-making
Determine/assign organization accountabilities
Next Steps
Free Risk Evaluation
We will conduct a limited information security risk evaluation with RiskView:
Load a set of data, aligned with your policies and procedures
Analyze and present the findings, along with implications/recommendations
Requirements:
Aon resources: ~1 day for set-up, plus 1 hour for findings presentation
Rev2 time: ~2 weeks start to finish