IT Risk Management, Planning and Mitigation
Posted 01-Jan-2016
(c) 2007 Charles G. Gray 1
IT Risk Management, Planning and Mitigation
TCOM 5253 / MSIS 4253
Introduction to Risk Management
30 August 2007
Charles G. Gray
Underlying Premise of this Course
• Not all risk can be eliminated; it can only be managed down to a level the organization is willing to accept.
• Residual risk is the risk that remains after all the controls you can reasonably apply are in place.
What is "Risk"?
• Potential for damage to, or loss of:
– People
– Facilities
– Equipment and materials
– Information
– Activities and operations
– Corporate "reputation"
– Any activity with "positive value" to the owner
Notes on Previous Slide
• Source – CERT Coordination Center (CERT/CC), Carnegie Mellon University, January 2004
• Incident – A reported security attack, which may involve one site or thousands of sites
• Vulnerability – An identified weakness in a software program (usually followed by a patch)
Definitions
• Threat
– A potential cause of an unwanted impact to a system or organization
– The intention and capability of an adversary to undertake actions detrimental to an asset owner
• Vulnerability
– Any weakness, administrative process, act or physical exposure that makes an "asset" susceptible to exploitation by a threat or adversary
Some Examples
• Eli Lilly – disclosed the e-mail addresses of about 670 Prozac.com users in a single mass e-mail, resulting in:
– A 20-year consent decree with the FTC
– An annual independent review of security (which Lilly must pay for)
• CardSystems Solutions (June 2005)
– 40 million Visa, MasterCard, American Express and Discover card numbers exposed
– Millions of cards had to be reissued
– Visa and American Express terminated their contracts
– A 20-year consent decree with the FTC
– Independent security audits every two years for 20 years
– Potential liability for millions of dollars in private suits
New Risk Categories Emerging
• Business interconnectedness (extranets)
– Suppliers, partners, customers (e.g., Wal-Mart and its suppliers)
– Increased dependencies and exposures
• Regulatory compliance
– Sarbanes-Oxley (and many other) rules
– New regulatory schemes aimed at reducing abuses and punishing abusers
• Consumer demand for privacy protection
– HIPAA and other new privacy laws
• Rising cost of IT failures (Comair cancelled all flights on Christmas Day 2004 after its crew-scheduling system failed)
Risk Management Defined
• A systematic, analytical process to consider the likelihood that a threat will harm an asset or individual, and to identify actions that reduce the risk and mitigate the consequences of an attack.
• Not all risk can be eliminated, but it can be reduced by enhancing protection against known potential threats.
(Source: GAO testimony, R. J. Decker, 12 October 2001)
Risk Analysis
• Convert risk data into risk decision-making information
• Planning is the key to successful risk mitigation
• Develop actions (plans) to address individual risks
– Prioritize risk actions
– Create an integrated risk management plan
Some Organizations Involved
• National Institute of Standards and Technology (NIST)
– Risk Management Guide for IT Systems (SP 800-30)
– Security Self-Assessment Guide for IT Systems (SP 800-26)
• Committee on National Security Systems (CNSS)
• International Organization for Standardization (ISO)
– Code of Practice for Information Security Management (ISO/IEC 17799)
• IETF (RFC 2828, Internet Security Glossary) – terms and definitions
• IT Governance Institute
– Control Objectives for Information and Related Technology (COBIT)
Control Objectives for IT (COBIT)
• To research, develop, publicize and promote an authoritative, up-to-date international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors
COBIT
• Currently in its fourth edition (COBIT 4.0, December 2005)
• Helps to decide the level of security and control that is necessary to protect a company's assets
• 34 high-level objectives
• 215 control objectives in four domains
– Plan and Organize
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
"Selling" the Risk Management Concept
• Prepare an impact statement for each asset (easier said than done)
– Clear and concise
– Show the relative importance of one or more assets
– Explain how risk management can help to protect each asset
– Identify threats and adversaries
• Intent, capability and motivation
The RM Steering Committee
• Senior management
– CEO, COO, CFO
• CIO
– Information System Security Officer (ISSO)
• Business and functional managers
• System and information owners
• Network architects and planners
• Risk assessment professionals
The Risk Management Team
• CIO (the "champion")
– ISSO (the team leader??)
• IT security practitioners
– Network/system/database administrators
– Computer specialists
– Security analysts
• Policy developers (must include HR)
• Security and IT auditors
• Systems administrators
• Representatives from selected business partners
Critical Success Factors
• Executive sponsorship
• Well-defined list of stakeholders
• Organizational maturity
• Atmosphere of open communication
• Spirit of teamwork
• Holistic view of the organization
• Risk Management Team authority
– Must be able to implement security measures
Executive Sponsorship
• Unambiguous and enthusiastic support
• Delegation of authority to act
• Support for participation by all staff as required
• Allocation of sufficient resources
• Energetic support for the risk management process
• Participation in the review and findings of the risk management team
Stakeholders
• Who has a "vested interest" in the outcome of the risk management process?
• Core team and executive sponsors
• "Owners" of the business assets that will be evaluated
• Business partners, suppliers
• Could customers or stockholders ever participate as "stakeholders"?
Organizational Maturity
• Is there any existing risk management process?
– Formal?
– Informal/ad hoc?
– A recent poll found 42% of respondents had no documented security policy
• 18% of those who do have a policy provide no employee training
• Does it respond only to specific threats or security issues?
• Don't try to do too much at one time
Open Communications
• Balance "need-to-know" with the "free flow" of information
– Compartmentalization
• Free flow of information within the team and between stakeholders
• Reduces misunderstandings and wasted effort
• All team members can contribute
• Reduces uncertainties
Teamwork
• Relationships between team members are critical
– Strong team spirit enhances the success of the process
• Strong teamwork with the business unit "owners" and other stakeholders
• Demonstrate the business value of the risk management team to individual managers
Holistic View of the Organization
• "What is good for the goose is good for the gander" (NOT!)
• Consider the benefit/effect of RM on the entire organization
– Balance the needs of all business units
• Overcome the "NIMBY" syndrome
– "I'm not changing" (unless it makes my operation better)
– Overcome preconceived "solutions"
Authority to Act
• Authority to make changes must be delegated from senior management
• Implement controls for risk mitigation
• Empowered to meet the commitments assigned
• Resources adequate for the mission
• The team is responsible for its decisions
– Understand the limits of its authority
– Escalation path for issues outside that authority
Integrate IT and Corporate RM
• IT RM must be incorporated into the overall enterprise RM plan
• A security or technical incident can "jump over" the IT wall and become a corporate problem, affecting:
– Customer retention
– Company stock price
– Regulatory scrutiny
– Corporate image / reputation
– Future business lost
Coping with IT Risk
• Transfer
– Buy insurance
• Acceptance
– Willing assumption of a known risk
– Usually known as "self-insurance"
• Avoidance
– May mean dropping a product or exiting a market (e.g., asbestos insulation)
• Mitigation
– Reduction of the risk or its consequences
– In practice the primary strategy for IT RM
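The risk analysis steps earlier in the lecture (convert risk data into decision-making information, prioritize risk actions, plan mitigation) and the four treatments on this slide, together with the opening premise that residual risk is what remains after controls, worked through as a small risk register. This is an added example, not code from the original slides or from the course. The 1-5 likelihood and impact scales, the likelihood x impact score, the "risk appetite" threshold used to decide escalation, the way controls step a score down, and every register entry are assumptions constructed for illustration; the lecture defines none of them.

```python
from dataclasses import dataclass, field

# Ordinal scales are an assumption of this example; the lecture names no scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = ("transfer", "accept", "avoid", "mitigate")  # the slide's four options


@dataclass
class Control:
    """A mitigating control and the scale steps it removes (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "mitigate"
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control: likelihood x impact (assumed scoring)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk left after every control is applied (the lecture's residual risk)."""
        if self.treatment == "avoid":
            return 0  # the activity is dropped, so nothing is left to protect
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)  # never below the scale floor
            imp = max(1, imp - c.impact_reduction)
        return lik * imp


def prioritize(risks, appetite):
    """Order the register by residual score (highest first) and decide each action.

    `appetite` is the score the organization has agreed to live with; anything
    still above it after treatment is escalated (an assumed rule, not the slide's).
    Returns a list of (risk, inherent, residual, action) tuples."""
    rows = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {r.treatment!r} for {r.asset}")
        inherent, residual = r.inherent_score(), r.residual_score()
        if r.treatment == "avoid":
            action = "avoid: activity retired, risk removed with it"
        elif residual <= appetite:
            action = f"{r.treatment}: within appetite"
        else:
            action = f"{r.treatment}: ABOVE appetite, escalate to steering committee"
        rows.append((r, inherent, residual, action))
    # Residual risk drives the order; inherent risk breaks ties.
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)


def sample_register():
    """Constructed sample entries for illustration, not real data."""
    return [
        Risk("customer database", "external attacker", "unpatched web application",
             "likely", "severe", "mitigate",
             [Control("monthly patch cycle", likelihood_reduction=2),
              Control("encryption at rest", impact_reduction=2)]),
        Risk("crew scheduling system", "peak-load failure", "hard-coded transaction cap",
             "possible", "major", "accept"),
        Risk("primary data centre", "fire", "single site",
             "unlikely", "severe", "transfer",
             [Control("off-site backups", impact_reduction=3)]),
        Risk("legacy partner extranet", "ex-partner staff", "stale shared accounts",
             "likely", "moderate", "avoid"),
    ]


if __name__ == "__main__":
    for risk, inherent, residual, action in prioritize(sample_register(), appetite=8):
        print(f"{risk.asset:26} inherent={inherent:2} residual={residual:2}  {action}")
```

Run as a script it prints the register in priority order. The "accepted" crew-scheduling risk sorts to the top: nothing has been done about it, so its residual score is its inherent score, and acceptance of a risk above appetite is exactly the kind of decision the steering committee slides say must be made by senior management rather than by the team alone.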
Summary
• Defined "risk", "threat" and "vulnerability"
• Tremendous growth in security "incidents"
• Worldwide spending on security is growing
• New risk categories are emerging
• Numerous organizations are involved in RM
• The RM team must have senior management support
• A number of critical success factors
• IT and corporate RM must be integrated