
Building Risk Management into Enterprise Architecture


By Bill Estrem, MN Chapter Conference, 11/15/2013. Get Lucky: Building Risk Management into Enterprise Architecture. This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on The Open Group Risk Taxonomy and Risk Analysis standards (FAIR). Bill Estrem is President of Metaplexity Associates LLC.


Page 1: Building Risk Management into Enterprise Architecture

11/16/13  

1  

William Estrem

Abstract

This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on The Open Group Risk Taxonomy and Risk Analysis standards (FAIR).

2 © 2013 - Metaplexity Associates® LLC - All Rights Reserved.


What we will cover

•  What is Risk Management?
•  How is Risk Management treated in Enterprise Architecture?
•  What are some types of Enterprise Risk Management?
•  Can we define a Business Capability for Risk Management?
•  What are the FAIR Taxonomy and Risk Analysis Standards?
•  Can FAIR and other standards be used together to improve Enterprise Risk Management Capability?


Risk is a natural part of the business landscape.

If left unmanaged, the uncertainty can spread like weeds.

If managed effectively, losses can be avoided and benefits obtained.


Source: RiskIT. IT Governance Institute



A Fine Balance Between Risk and Reward

•  Enterprise Risk Management
   –  Aligning risk appetite and strategy
   –  Enhancing risk response decisions
   –  Reducing operational surprises and losses
   –  Identifying and managing multiple and cross-enterprise risks
   –  Seizing opportunities
   –  Improving deployment of capital

Source: Enterprise Risk Management – Integrated Framework, COSO (2004).

Levels of Risk

•  According to the TOGAF standard, there are two levels of risk that should be considered, namely:
   –  Initial Level of Risk: risk categorization prior to determining and implementing mitigating actions.
   –  Residual Level of Risk: risk categorization after implementation of mitigating actions (if any).



Risk Management Process

Classify → Identify → Evaluate → Respond → Monitor


General Risk Management Approach

•  Define the risk assessment approach of the organization
•  Identify the risks
•  Analyze and evaluate the risks
•  Identify and evaluate options for the treatment of risks
•  Select control objectives and controls for the treatment of risks
•  Obtain management approval of the proposed residual risks

Source: ISO 27001



Some Types of Enterprise Risk

•  Financial Risk
•  Market Risk
•  Operation Risk
•  Safety Risk
•  Information Risk
•  Design Risk
•  Product Risk


Risk Spectrum challenges based upon stakeholder concerns

•  Commercial and Economic Risk
•  Risk of Loss of Goodwill or negative effect on Reputation
•  Risk to Personal Safety
•  Risk of Disruption to Activities and Financial Loss
•  Risk on the Management of Business Operations
•  Risk on the Operations of Public Service
•  Legal and Regulatory Obligations
•  Risk to technology, information and intellectual property

How do we take this wide range of risk areas into consideration in Enterprise Architecture planning activities?



Enterprise Risk Management and Corporate Governance

The governing board should manage enterprise risk by:
•  Ascertaining that there is transparency about the significant risks to the enterprise
•  Being aware that the final responsibility for risk management rests with the board
•  Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency
•  Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited
•  Insisting that risk management be embedded in the operation of the enterprise

Source: Board Briefing on IT Governance, IT Governance Institute, 2nd Edition, 2004


Risk Management Approaches

•  COSO – Financial Reporting, Internal Audit
•  FAIR – Information Security
•  RiskIT – IT Risk
•  ISO 31000 – Risk Management General Principles and Guidelines
•  CRAMM – UK OGC General Risk Management Framework
•  ISO 27000 – ISO Series on Information Security Standards
•  NIST 800 – US standards for Computer Security
•  OCTAVE – CERT Strategic Information Risk Assessment
•  OGC – Management of Risk (MoR)
•  UK CESG – Good Practice Guides



Risk Assessment Viewpoints

•  Objectivist, or frequentist, view
   –  Probabilities obtained from repetitive historical data

•  Subjectivist, or Bayesian, view
   –  Risk is, in part, a judgment of the observer, or a property of the observation process, and not solely a function of the physical world.
   –  Objective data complemented by other information.

Source: Borison, A. and Hamm, G. (2010). How to Manage Risk (After Risk Management Has Failed). Sloan Management Review.


Factor Analysis of Information Risk

•  The Risk Analysis Standard is intended to be used with the Risk Taxonomy Standard, which defines the FAIR taxonomy for the factors that drive information security risk.

•  Together, these two standards comprise a body of knowledge in the area of FAIR-based information security risk analysis.



Risk Analysis using FAIR

•  Stage 1: Identify scenario components
   –  Identify the asset at risk
   –  Identify the threat community

•  Stage 2: Evaluate Loss Event Frequency (LEF)
   –  Estimate probable Threat Event Frequency (TEF)
   –  Estimate Threat Capability (TCap)
   –  Estimate Control Strength (CS)
   –  Derive Vulnerability (Vuln)
   –  Derive Loss Event Frequency (LEF)

•  Stage 3: Evaluate Probable Loss Magnitude (PLM)
   –  Estimate worst-case loss
   –  Estimate Probable Loss Magnitude (PLM)

•  Stage 4: Derive and articulate risk


FAIR Taxonomy

Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factors
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors



Broader Applicability?

Although the concepts and standards within the FAIR Standard were not developed with the intention of being applied towards other risk types, experience has demonstrated that they can be effectively applied to other risk types.


Risk and the TOGAF Standard

•  Risk already plays an important part in the TOGAF standard, but we recognize that there are perhaps improvements and innovations to add.

•  Over the next set of slides we will look more closely at Risk within the ADM



Loss, Threat and Vulnerability and the EA Context

•  Enterprise Architects should work with specialist resources to determine the true cost of any loss, but to help determine this the architect has to provide the context.

•  Context is defined via the Content Metamodel through the development of Building Blocks.

•  Each Building Block can be examined through ADM techniques that will provide specific information and support for more detailed Risk Management understanding.

•  Use Building Blocks to:
   –  define the variety of asset types
   –  assess the threat to the assets and their vulnerability
   –  determine the relationships between assets and their interdependencies


TOGAF viewpoints that support Risk Analysis

•  Viewpoints enable the Architect to build context for a risk model and assessment:
   –  Location Catalog
   –  Business Service / Function Catalog
   –  Interface Catalog
   –  Business Service / Information Diagram
   –  Application and User Location Diagram
   –  Solution Concept Diagram
   –  System Use-Case Diagram – including Mis-Use Cases
   –  Role / System Matrix
   –  System / Data Matrix
   –  System / Organisation Matrix
   –  Application Interaction Matrix
   –  Business Interaction Matrix
   –  System Technology Matrix



Applying Risk Methods to the ADM

ADM Phase | Requirements | Risk Analysis Method
Preliminary | To define approach and methods in accordance with customer or programme | (none listed)
Vision | To define the risk landscape to a programme or enterprise requirements | Strategic Threat Scenarios, Risk Spectrum
Business Architecture | To formalize the risk model defined in the vision stage against the business and the application at later stages | Tactical Threat Scenarios
Information System Architecture | To apply to information architecture | FAIR, SANS, ISO, NIST, OCTAVE
Technology Architecture | To apply to technology architecture | FAIR, SANS, ISO, NIST, OCTAVE
Opportunities & Solutions | To check and agree risk | FAIR, SANS, ISO, NIST, OCTAVE
Migration Planning | Programme Management Risk | CRAMM, ARM
Implementation Governance | Programme Management Risk | CRAMM, ARM
EA Change Management | Programme Management Risk | Scenarios, CRAMM, ARM

Control column (spanning all phases): Risk Management


In the Preliminary stage:
•  Establish relationship with Enterprise Risk Management
•  Appoint the architects responsible for risk management and analysis
•  Determine and agree standards and controls to support Risk Management
•  Scope the part of the organisation impacted and under change
•  Assess appetite / tolerance to risk
•  Discuss with key stakeholders the impact of the architecture change to the business and the potential commercial and economic risks associated with it
•  Understand the secondary losses such as loss of goodwill or reputation

(Figure: the TOGAF ADM cycle – Preliminary; A Architecture Vision; B Business Architecture; C Information Systems Architectures; D Technology Architecture; E Opportunities & Solutions; F Migration Planning; G Implementation Governance; H Architecture Change Management; with Requirements Management at the centre. The same figure accompanies each of the phase slides that follow, with the phase under discussion highlighted.)



In the Architecture Vision phase:
•  Understand Stakeholder Concerns and subsequent mitigations
•  Use threat scenarios to analyze the vision described by the Business Scenario
•  Assess readiness for Transformation and therefore identify transformation risk and mitigation
•  Measure against maturity model assessments and approach to requirements management
•  Identify initial risk management requirements


In the Business Architecture phase, the methods which are able to support risk management and analysis are:
•  Capability Assessment
•  Gap analysis
•  Business principles, business goals, and business drivers

Activities at this stage will help ascertain risk to Commercial and Economic aspects of the organisation as well as risks to business operations and public service operations if applicable.

Building Blocks and views of Location, Function, Process and Business Services can be analyzed using threat scenarios, threat sources and threat actors.


In the Information Systems Architecture phase the key activity is to determine any risk to application systems and the data they hold.

The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. It will help the Architect determine Legal and Regulatory Obligations and data and application vulnerability.

This is one of the key phases where FAIR is applicable.


The Technology Architecture phase defines the infrastructure services. It is important that the Risk analysis and assessments are drawing to conclusions and there is now an understanding of the risks to the project and enterprise.

The Technology Architecture often hosts the Security Architecture in relation to the project and the Enterprise. This view should be developed in conjunction with Security Operations so that new threats and vulnerabilities can be considered.

The analysis and assessment of Risk during the Technology Architecture phase has close connections with the approach taken in Phase C.


The Opportunities and Solutions phase is the stage at which the solution is designed and all risk references and mitigations acknowledged and gaps addressed.

Enterprise Risk Management is prepared to adopt any accepted risks to the following:
•  Risk on Personal Safety
•  Risk of Disruption to Activities / Financial Loss
•  Risk on the Management of Business Operations
•  Risk on the Operations of Public Service
•  Legal and Regulatory Obligations

While risk control may often prove to have a negative impact on solutions, it is important that Security Operations are able to acknowledge this and adjust security posture and monitoring to accommodate.


In the Migration Planning phase, it is important to prioritize the Migration Projects through the conduct of a Cost/Benefit Assessment and Risk Validation.

In this activity the architect reviews the risks documented in the Gaps, Solutions, and Dependencies Report and ensures that the risks for the project artifacts have been mitigated as much as possible.

The risks identified through Phases A to D and all the required analysis and assessment support the development of the Implementation and Migration Plan so as not to increase or trigger those risks.


The Implementation Governance phase establishes the connection between architecture and implementation organization. At this stage emphasis switches from risks within the conceptual Architecture solution to risks to the physical environment and operations.

Phase G must ensure that all parties involved – Programme Governance, EA Governance and Enterprise Risk Management – conduct regular reviews of Risk Management during implementation. This is important during the transition with the Business unit(s) involved.


The Architecture Change Management phase ensures that the architecture achieves its original target business value. This includes managing changes to the architecture in a cohesive and architected way.

This phase examines the range of possible risks across the Risk Spectrum. In response to identified need, launch appropriate interventions such as ADM cycles or implementation projects.


Transition of conceptual risk into operational controlled risk

Those areas of risk defined by EA must transition into an area of control under general Enterprise Risk Management where risk is already baselined:

–  Business Planning
–  Operations Management
–  Project and Programme Management


(Figure: Enterprise Architecture positioned between Business Planning, Capability Planning, Portfolio/Project Management, Solution Development and Operations Management. Flow labels in the diagram: Business Direction; Structured Direction; Architectural Direction; Architectural Governance; Management Governance; Resources Solution Development; Delivers Project; Delivers; Runs the Enterprise. Risk annotations on the flows: Risk Baseline Managed; Risk Baseline Changed; Risk Mitigated and Controlled; New Risks Identified or Key Risk Indicator Changed.)


Risk Impact

Corporate Risk Impact Assessment (the TOGAF 9 risk classification scheme: effect down, frequency across)

Effect       | Frequent | Likely | Occasional | Seldom | Unlikely
Catastrophic | E        | E      | H          | H      | M
Critical     | E        | H      | H          | H      | M
Marginal     | H        | M      | M          | M      | L
Negligible   | M        | L      | L          | L      | L

Impact: E = Extremely High Risk, H = High Risk, M = Moderate Risk, L = Low Risk


Risk Assessment

Risk Identification and Mitigation Assessment Worksheet

Risk ID | Risk                 | Initial Effect | Initial Frequency | Initial Impact | Mitigation             | Residual Effect | Residual Frequency | Residual Impact
23      | Lost Laptop          | Marginal       | Occasional        | Medium         | Remote Wipe Hard Drive |                 |                    |
24      | Stolen Root Password | Critical       | Seldom            | High           | Two Factor Auth        |                 |                    |

(The residual-risk columns are left blank on the slide; they are filled in once the mitigation has been implemented and the risk re-categorized.)

Business Impact Assessment Reference Tables

Score = Likelihood × Impact (each rated 1 to 4):

Likelihood \ Impact | 1 | 2 | 3  | 4
4                   | 4 | 8 | 12 | 16
3                   | 3 | 6 | 9  | 12
2                   | 2 | 4 | 6  | 8
1                   | 1 | 2 | 3  | 4

Red (8-16): Risks that require action to reduce the category (likelihood and/or impact) to amber and then green.
Amber (4-6): Risks that require action to ensure that the effectiveness of existing control measures is monitored and improvements made if required to reduce the category to green.
Green (1-3): Risks that should be monitored to ensure that existing control measures continue to work and are effective.

Primary Risk, derived from Primary Loss Magnitude (LM, rows) and Primary Loss Event Frequency (LEF, columns):

LM \ LEF | VL | L  | M  | H  | VH
VH       | M  | H  | VH | VH | VH
H        | L  | M  | H  | VH | VH
M        | VL | L  | M  | H  | VH
L        | VL | VL | L  | M  | H
VL       | VL | VL | VL | L  | M
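The FAIR derivation on the "Risk Analysis using FAIR" slide (stages 2 to 4) and the Primary Risk matrix above can be carried through in code, including the initial-versus-residual comparison the worksheet calls for. The following is an added example, not code from the presentation or from The Open Group's standards. The five-point ordinal scale, the rule that sets Vulnerability from Threat Capability relative to Resistance Strength, and the rule that discounts TEF by Vulnerability to get LEF are simplifications assumed here for illustration (the standard works with probability ranges, not labels); the risk matrix is the one on the slide, and the insider-attack inputs are constructed values, not the presenter's figures.

```python
"""FAIR-style ordinal risk derivation: TEF, TCap and Resistance Strength in;
Vulnerability, LEF and a Primary Risk rating out (stages 2 to 4 of the slide).

Added example, not from the presentation. The ordinal combination rules are
assumptions; the Primary Risk matrix is the one shown on the slide.
"""
from dataclasses import dataclass, replace

LEVELS = ["VL", "L", "M", "H", "VH"]   # five-point ordinal scale (assumed)

# Primary Risk matrix from the slide: row = Loss Magnitude, column = LEF (VL..VH).
PRIMARY_RISK = {
    "VH": ["M", "H", "VH", "VH", "VH"],
    "H":  ["L", "M", "H", "VH", "VH"],
    "M":  ["VL", "L", "M", "H", "VH"],
    "L":  ["VL", "VL", "L", "M", "H"],
    "VL": ["VL", "VL", "VL", "L", "M"],
}


def level_index(level: str) -> int:
    """Position of a level on the scale; rejects anything off the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class Scenario:
    """Stage 1 output plus the stage 2/3 estimates for one loss scenario."""
    name: str
    threat_event_frequency: str   # TEF: how often the threat community acts
    threat_capability: str        # TCap: skill and resources of that community
    resistance_strength: str      # RS (the slide's Control Strength, CS)
    loss_magnitude: str           # PLM from the business impact assessment


def derive_vulnerability(tcap: str, resistance: str) -> str:
    """Assumed rule: Vulnerability rises with TCap relative to Resistance
    Strength. Equal strength gives M; each step of TCap advantage adds a
    level, each step of RS advantage removes one (clamped to the scale)."""
    diff = level_index(tcap) - level_index(resistance)
    return LEVELS[max(0, min(4, 2 + diff))]


def derive_lef(tef: str, vulnerability: str) -> str:
    """Assumed rule: FAIR treats Vulnerability as the share of threat events
    that become loss events, so LEF is TEF discounted by how far
    Vulnerability sits below VH (never below VL)."""
    return LEVELS[max(0, level_index(tef) - (4 - level_index(vulnerability)))]


def assess(s: Scenario) -> dict:
    """Stage 4: carry the factors through to a Primary Risk rating."""
    vuln = derive_vulnerability(s.threat_capability, s.resistance_strength)
    lef = derive_lef(s.threat_event_frequency, vuln)
    risk = PRIMARY_RISK[s.loss_magnitude][level_index(lef)]
    return {"scenario": s.name, "vulnerability": vuln,
            "loss_event_frequency": lef, "loss_magnitude": s.loss_magnitude,
            "risk": risk}


def residual(s: Scenario, new_resistance: str) -> dict:
    """Initial vs residual risk (the two TOGAF levels): re-run the derivation
    with the Resistance Strength a mitigating control provides."""
    return assess(replace(s, resistance_strength=new_resistance))


# Constructed inputs for the slide's insider-attack scenario (not the
# presenter's figures): moderate TEF, a capable insider, medium controls,
# high loss magnitude from the CIA-based asset loss factors.
INSIDER = Scenario("Insider Attack", threat_event_frequency="M",
                   threat_capability="H", resistance_strength="M",
                   loss_magnitude="H")

if __name__ == "__main__":
    before = assess(INSIDER)
    after = residual(INSIDER, "VH")   # e.g. two-factor auth on the asset
    for r in (before, after):
        print(f"{r['scenario']}: Vuln={r['vulnerability']} "
              f"LEF={r['loss_event_frequency']} LM={r['loss_magnitude']} "
              f"-> Risk={r['risk']}")
```

With these inputs the initial rating is M (Vulnerability H, LEF L against LM H) and the residual rating after raising Resistance Strength to VH is L. Because the rules are ordinal, the property worth checking when you adjust them for your own organisation is monotonicity: a stronger control must never produce a higher Vulnerability, LEF or risk than a weaker one, and a level outside the scale must be rejected rather than silently clamped.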


FAIR entities Modeled with ArchiMate


Using FAIR to assess an Insider Attack

Risk – Insider Attack
  Loss Event Frequency – Low to Medium
    Threat Event Frequency – Unknown to Low
      Contact Frequency – Regular, through reconnaissance or scanning
      Probability of Action – Medium to High if the asset is of high value
    Vulnerability – based upon security and asset configurations
      Threat Capability – Significant to Limited
      Resistance Strength – based upon security capability
  Loss Magnitude – Medium to High
    Primary Loss Factors
      Asset Loss Factors – using the Confidentiality, Integrity and Availability model
      Threat Loss Factors – derived from our Threat Assessment or CAPEC
    Secondary Loss Factors
      Organization Loss Factors – built from our Business Impact Assessment
      External Loss Factors – built from our Business Impact Assessment


Risks when an asset’s lifecycle is extended and operates without Vendor support


Risk – System Failure
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Factors
      Asset Loss Factors
      Threat Loss Factors
    Secondary Loss Factors
      Organization Loss Factors
      External Loss Factors

(The slide presents the FAIR taxonomy as a blank template for this scenario; no factor values are given.)


Summary

•  Risk Management protects value by reducing the frequency and magnitude of loss events.

•  There are various types of enterprise risk that need to be managed.

•  TOGAF provides a basic framework for Enterprise Risk Management.

•  The FAIR Risk Taxonomy and Risk Analysis standards provide a more sophisticated approach.

•  A Business Capability for Risk Management could apply the FAIR standard to improve Risk Analysis.
