simon oxley managing director citicus limited, london information risk and compliance management an...
Post on 19-Dec-2015
Simon Oxley
Managing Director
Citicus Limited, London
www.citicus.com
Information risk and compliance management
An approach based on real-world statistics
Page 2Copyright © Citicus Limited, 2006. All rights
reserved.Ref R112PP
Citicus in risk and compliance management
Founders worked with the Information Security Forum, notably on risk assessment/management projects (eg SPRINT, Security Status Survey, FIRM)
Citicus was formed in 2000 to automate the FIRM methodology and extend it to a full risk and compliance management capability
Continuing relationship with the ISF (eg on IRAM and FIRM development)
Recognition, selected customers and partners (logos shown on the slide)
Page 3
Governance and compliance initiatives
The regulatory pressure is increasing through a bewildering range of initiatives:
Treadway
COSO
Cadbury
Hampel
Turnbull
Higgs
OECD
Basel 2
HIPAA
Sarbox (Sarbanes-Oxley)
GLBA
FFIEC
ISO27001
A common theme is risk management
Page 4
How information risk influences other business risks
Market risk (ie factors beyond the control of management such as interest and currency rates). Information needed to manage it: borrowings and investment positions, projected rates of interest, projected cash flows, external developments
Financial risk (eg uncertainties about projected earnings or expenditure). Information needed to manage it: sales forecasts, forecast expenditure, actual sales and expenditure, key variances
Operational risk (eg information risk, theft, fraud, loss of facilities or key employees). Information needed to manage it: information risk status reports, identity of key assets (equipment, facilities and employees), status of continuity arrangements
Information risk is an increasingly important component of operational risk
Information risk intensifies all business risks, since information is needed to manage each one
Page 5
What is ‘information risk’ exactly?
Information risk is the chance or possibility of harm being caused to your organization as a result of a loss of the confidentiality, integrity or availability of information
The definition has two parts: the probability of suffering harm, and the nature and level of harm
Confidentiality, integrity and availability are the 3 key properties of information to be protected
Information exists in varying forms:
held in people’s heads
communicated face-to-face
recorded in deeds and other securities
entered into, stored, processed, transmitted and presented via IT
The method of protection depends on the form taken by information
Page 6
The chance or possibility of suffering incidents is high
Chart: average number of incidents suffered over a year (scale 0 to 300)
Information resources with controls in good, all-round condition: 135
Information resources with controls NOT in good, all-round condition: 259
Citicus analysis of some 210,000 incidents affecting 844 information resources covered by the Information Security Forum’s 2000-2002 Security Status Survey.
The average number of incidents suffered a year is halved when controls are in ‘good, all-round condition’
Page 7
Good controls slash the odds of suffering major incidents
Chart: % of information resources that suffered a major incident over a year (scale 0% to 75%)
Information resources with controls in good, all-round condition: 10%
Information resources with controls NOT in good, all-round condition: 58%
Analysis of incidents affecting 654 information resources covered by the Information Security Forum’s 2003-2004 Security Status Survey.
Controls that are in ‘good, all-round condition’ reduce the probability of experiencing MAJOR incidents by more than a factor of three
Page 8
Good controls lead to big savings
Chart: average financial impact of worst-case incidents suffered over a year (scale $0m to $1.0m)
Information resources with controls in good, all-round condition: $0.05m
Information resources with controls NOT in good, all-round condition: $0.74m
Analysis of 244 worst-case incidents for which financial data was provided, covered by the Information Security Forum’s 2000-2002 Security Status Survey
Controls that are in ‘good, all-round condition’ dramatically reduce the financial impact of worst-case incidents
These statistics clearly show that the frequency and impact of incidents affecting IT systems can be managed down by getting controls into good all-round condition. The figures are associations observed in survey data rather than controlled comparisons, so the strength of the causal reading depends on the control-condition rating having been made independently of the incident experience reported.
This is an attainable target: most typical systems have significant weaknesses, but these can be identified and corrected with little effort.
Page 9
Getting information risk under control
Threats to the confidentiality, integrity or availability of information (unintentional or deliberate) act on a business system and its information, which must meet the business (including security) requirements; a loss of confidentiality, integrity or availability of information produces an impact on the business
Arrangements for protecting information work in three ways:
PREVENTION: prevent incidents happening, as far as possible
DETECTION: detect incidents that slip through
RECOVERY: facilitate recovery from incidents
These arrangements are grouped into ‘FIRM control areas’:
Policies and standards, Ownership, Organisation, Risk identification, Awareness, Service agreements, User capabilities, IT capabilities, System configuration, Data back-up, Contingency arrangements, Physical security, Access to information, Change management, Problem management, Special controls, Audit/review
Page 10
Key components of a good risk and compliance management program
What drives risk down is not statistics, it’s behaviour ‘on the ground’ that matters ... which is determined by management commitment, a driving force for change, and skills, rules and procedures applied ‘on the ground’.
1 Management commitment: commitment from the top, individual ‘ownership’, independent review
2 Active ‘driving force’: specialist know-how, clear rules, systematic risk assessment, disciplined relationships
3 Sound basic practices ‘on the ground’: disciplined handling of changes, operational things ‘done right’, sound environment, controlled access to system capabilities, other obvious risks controlled
Page 11
What successful experience from case studies shows
Secrets of success from FIRM research and case studies
Secrets of success 1:
Be constructive
Get the organisational arrangements right
Gain top management commitment
Keep the fact-gathering simple
Produce meaningful results that capture the attention of busy decision-makers
Secrets of success 2:
Make things personal
Introduce an element of competition
Show incidents are not an inescapable feature of business life
Show where to focus effort
Cause pressure to filter down so it motivates others to act
These tenets have driven the development of FIRM and Citicus ONE
Page 12
Understanding the downside: what makes risk processes fail?
Key challenges that emerged from FIRM case studies:
Lack of resources to drive and run programmes
Immature processes and reporting structures
Inability to measure risk objectively
Turf wars between practitioners and competing initiatives
Lack of tools
Lack of co-operation ‘on the ground’
Page 13
Managing information risk and compliance enterprise-wide
Citicus ONE supports three levels of the organisation:
Top management: gain overview of the information risk status of the enterprise; monitor progress towards compliance
Information risk manager: implement simple but rigorous risk management process; prioritize allocation of scarce resources
‘Owners’ of information resources (eg an e-commerce initiative, a wide-area network or LAN, a business application, a computer installation, a systems development activity), supported by local co-ordinators: understand risks in own area of responsibility; manage actions to reduce risk and achieve compliance
Page 14
A continuous information risk management process
A 2-phase, constructive risk management process will help your organization achieve compliance with required practice efficiently
The approach’s 2-phase, constructive evaluation process is designed NOT to beat people up but to encourage success in driving risk down
Phase 1, ‘Dry run’: ‘private’ results give ‘owners’ an early warning and an opportunity to improve
Phase 2, ‘For real’: results go to top management, highlighting improvements since last period
Page 15
A risk scorecard can measure all components of information risk
Each component of information risk is expressed on a common scale (0-100%). The outside edge of the chart indicates the maximum possible risk.
Main determinants of risk plotted on the scorecard: Criticality, Level of threat, Business impact, and Vulnerabilities (made up of Control weaknesses and Special circumstances)
Two profiles are drawn on the chart (rings at 0%, 25%, 50%, 75%, 100%): the level of risk posed by this information resource, and the level of risk acceptable to top management
These risk charts highlight where risk is at an unacceptable level and encourage ‘owners’ to take action to drive risk down
Page 16
Assessing criticality in minutes, in a business-oriented manner
An ‘owner’ of an information resource can complete a criticality assessment on-line in 15 minutes
Criticality is based on the maximum harm that could be suffered by the enterprise if confidentiality, integrity or availability of information were lost
Harm is rated separately for loss of confidentiality, loss of integrity and loss of availability on the scale: No significant harm, Minor harm, Serious harm, Very serious harm, Extremely serious harm (the scale is divided between a lower level of harm and unacceptable harm)
A critical timescale is shown against loss of availability: an hour or less, half a day, a day, 2-3 days, a week, a month
The results of different criticality assessments can be consolidated into a criticality league table, providing a risk-oriented inventory of the organization’s information resources
Page 17
Evaluating information risk and compliance, fully and efficiently
Risk factors can be fully evaluated at 3-hour facilitated i-risk workshops: criticality, status of controls, special circumstances, experience of incidents, business impact of incidents
Workshop participants for an information resource: business ‘owner’, business user or specialist, application support, help desk, IT operations, facilitator (eg local co-ordinator)
‘Smart’ compliance checklists enable ‘one-pass evaluations’. They can be completed in full or selectively before, during or after a workshop
Outputs: compliance ‘league tables’ (full or selective), compliance status reports (full or selective), high-level risk status report, individual risk status report
Page 18
Compliance status reports provide more detail on controls
Citicus ONE provides an overview of compliance with a customizable set of control areas
Page 19
Consolidated league tables show where the key risks lie
Colour codes (Low, Med, High) indicate the danger posed by each component of risk: criticality, level of threat, business impact, control weaknesses, special circumstances (the per-component percentages in the screenshot are not reproduced here)
Top 10 entries (rank, information resource):
1 SecurNet (IRS151)
2-3 Global email (IRS49), Customer data (IRS156)
4 Boston data center (IRS191)
5 London data centre (IRS155)
6 Global intranet (IRS150)
7 Supplier data (IRS124)
8 HQ LAN (IRS67)
9 Pacific data centre (IRS131)
10 Group EIS (IRS148)
Bottom 10 entries (rank, information resource):
136 Relationship mgt (IRS156)
137 Group payroll (IRS167)
138 ePurchasing site (ERS160)
139 Prices database (IRS142)
140 UK sales information (IRS12)
141 UK standby net (IRS136)
142 Boston Order Proc. (IRS190)
143 European data centre (IRS46)
144 LaForce site LAN (IRS101)
145 Erland site LAN (IRS42)
Page 20
Using dependency risk maps to evaluate information risk in context
Citicus ONE allows you to plot dependency risk maps for critical information resources, so that their risk and compliance status can be seen in context.
Example map (Reference: ABC enterprise dependencies, basic version, prepared by Sian Alcock, 15-Jan-2003, 1 of 1). Resources shown: London data centre, Group-wide WAN, Group MIS (EIS), Disparate feeder systems, European data centre, SecurNet, Group accounts (consolidation), UK data centre, Global email, UK sales information system, UK production control, UK logistics, Group treasury mgt system
Key to risk factors shown against each resource: Criticality, Control weaknesses, Special circumstances, Level of threat, Business impact
Key to dependency direction: an arrow from A to B means B depends on A
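The risk scorecard, the consolidated league table and the dependency map described above all work from the same five components scored on a 0-100% scale. The following is an added example, not Citicus ONE or FIRM code, showing how such a scorecard can be turned into a ranked league table with colour bands, and how the dependency direction (B depends on A) lets you find which resources inherit exposure from upstream resources whose risk is above the level top management accept. The aggregation rule (mean of the five components), the Low/Med/High thresholds, the sample resources, their scores and the dependency edges are all assumptions made for illustration; the slides do not give FIRM's actual combination rule.

```python
"""Risk scorecard -> league table -> dependency exposure check.

Added example, not Citicus/FIRM code. The five components and the
0-100% scale come from the slides; everything else is an assumption.
"""
from dataclasses import dataclass

COMPONENTS = ("criticality", "level_of_threat", "business_impact",
              "control_weaknesses", "special_circumstances")


@dataclass
class InformationResource:
    name: str
    ref: str
    scores: dict  # component -> percentage in 0..100

    def __post_init__(self):
        # Reject incomplete or out-of-range scorecards up front.
        missing = set(COMPONENTS) - set(self.scores)
        if missing:
            raise ValueError(f"{self.ref}: missing components {sorted(missing)}")
        for comp, value in self.scores.items():
            if not 0 <= value <= 100:
                raise ValueError(f"{self.ref}: {comp}={value} outside 0-100%")

    def risk_level(self) -> float:
        # ASSUMPTION: overall risk is the mean of the five components.
        return sum(self.scores[c] for c in COMPONENTS) / len(COMPONENTS)


def band(value: float) -> str:
    """Colour-code a component. ASSUMED thresholds: <34 Low, <67 Med, else High."""
    if value < 34:
        return "Low"
    if value < 67:
        return "Med"
    return "High"


def league_table(resources, acceptable: float):
    """Rank resources by risk level (highest first) and flag those whose
    risk exceeds the level top management deem acceptable."""
    ranked = sorted(resources, key=lambda r: r.risk_level(), reverse=True)
    rows = []
    for rank, r in enumerate(ranked, start=1):
        rows.append({
            "rank": rank,
            "resource": f"{r.name} ({r.ref})",
            "risk": round(r.risk_level(), 1),
            "unacceptable": r.risk_level() > acceptable,
            "bands": {c: band(r.scores[c]) for c in COMPONENTS},
        })
    return rows


def upstream_exposure(resources, depends_on, acceptable: float):
    """For each resource, list the resources it depends on (transitively)
    whose risk is above the acceptable level. depends_on maps
    B -> [A, ...], matching the map key 'B depends on A'."""
    by_ref = {r.ref: r for r in resources}
    result = {}
    for ref in by_ref:
        seen, stack, exposed = set(), list(depends_on.get(ref, [])), []
        while stack:
            a = stack.pop()
            if a in seen:
                continue
            seen.add(a)
            if by_ref[a].risk_level() > acceptable:
                exposed.append(a)
            stack.extend(depends_on.get(a, []))
        result[ref] = sorted(exposed)
    return result


# Constructed sample data: names echo the slides, scores are invented.
SAMPLE = [
    InformationResource("SecurNet", "IRS151", dict(
        criticality=100, level_of_threat=75, business_impact=100,
        control_weaknesses=75, special_circumstances=50)),
    InformationResource("London data centre", "IRS155", dict(
        criticality=100, level_of_threat=50, business_impact=75,
        control_weaknesses=25, special_circumstances=25)),
    InformationResource("Group payroll", "IRS167", dict(
        criticality=50, level_of_threat=25, business_impact=25,
        control_weaknesses=0, special_circumstances=0)),
]
# Constructed edges: payroll depends on the London data centre, which
# depends on SecurNet (arrow direction A -> B means B depends on A).
SAMPLE_DEPS = {"IRS167": ["IRS155"], "IRS155": ["IRS151"]}

if __name__ == "__main__":
    for row in league_table(SAMPLE, acceptable=50):
        print(row)
    print(upstream_exposure(SAMPLE, SAMPLE_DEPS, acceptable=50))
```

With an acceptable level of 50%, Group payroll itself scores only 20% and would sit near the bottom of the league table, yet `upstream_exposure` shows it inherits exposure from both the London data centre and SecurNet; that is the kind of context the dependency map is meant to make visible.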
Page 21
A league table shows compliance with regulatory requirements
A compliance league table is used to summarize the extent of compliance of different information resources with a specified standard of practice.
This view can be generated at a business process, business unit or enterprise-wide level.
Page 22
Samples of other management aids for decision-making
Full risk monitoring will help you identify: the most common control weaknesses; the most common types of incident; the costs of incidents; the root causes of incidents; successful solutions others can apply
Chart: control weaknesses affecting our business-critical systems (% of information resources where the control area is rated weak, scale 0% to 100%), by control area: Physical security, Data back-up, Awareness, Risk identification, IT capabilities, User capabilities, Contingency arrangements, Ownership, Access to information, Special controls, Audit/review, Problem management, Organisation, System configuration, Change management, Service agreements, Policies and standards
Chart: type of incident affecting our business-critical systems (number of incidents suffered, scale 0 to 5000): Human error, Access violations, Malfunction, Overload, Unforeseen effects of change, Loss of services, equipment etc
Collect the facts you need to devise and prioritise your risk reduction and compliance programmes (eg enhanced user training)
Page 23
Summarizing the costs / benefits of a risk-based approach to compliance
Costs:
Running the process (half-time job for a programme manager, plus time required of local co-ordinators and ‘owners’)
Budget for software, servers, maintenance and advisory services, if required
Business benefits:
Information risk measured efficiently, reliably and in meaningful business terms
Attention focused on business applications and IT infrastructure posing the greatest risk to your enterprise, and weaknesses most commonly in need of improvement
System ‘owners’ equipped and motivated to drive risk down to a level that top management determine to be acceptable
Facilitators equipped to carry out evaluations with minimum disruption, to keep track of remediation activity and to report on compliance efficiently
Improvements will yield a measurable reduction in: the number of information incidents your enterprise suffers; the probability of your enterprise suffering a MAJOR incident; financial loss caused by incidents (ie your enterprise’s annual ‘cost of insecurity’)
A structured approach will help you bring a key component of business risk under control, enterprise-wide, constructively and economically:
Demonstrable improvement in corporate governance
Efficient way of achieving compliance
Savings and efficiency gains that improve your bottom line
Knowing you’ve got a grip on a key area of risk
Page 24
Questions?
Contact details
Simon Oxley
Citicus Limited
Holborn Gate
330 High Holborn
London WC1V 7QT
Email simon.oxley@citicus.com
Web www.citicus.com
Tel +44 (0)20 7203 8405