b-it risk management report 2-01-2008 12818026.en-us

Upload: seiffg

Post on 03-Apr-2018


  • 7/28/2019 B-it Risk Management Report 2-01-2008 12818026.en-us

IT Risk Management Report 2:

Myths and Realities

Trends through December 2007. Volume 2, Published January, 2008

IT Risk Management

IT Risk Management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors.

Greg Hughes, Chief Strategy Officer, Symantec Corporation

Table of Contents

Introduction . . . . . . . . 4
Risk Management concepts guide an increasing number of IT decisions, but myths about IT Risk persist. Recent information helps correct misunderstandings about IT Risk, and direct attention to emerging areas of concern.

Myth one: IT Risk is Security Risk . . . . . . . . 8
Relationships among Security, Compliance, Availability and Performance Risks help explain industry and public perceptions. But even as IT professionals take a less security-centric view of IT Risk, data loss threats are growing in importance.

Myth two: IT Risk management is a project . . . . . . . . 18
Project management serves IT well, but falls short when IT Risk environments and business goals change constantly. Matching assessment and mitigation efforts to incident rates is a key to responsible, cost-effective IT Risk Management.

Myth three: Technology alone mitigates IT Risk . . . . . . . . 26
IT Risk mitigation is more complex than deploying technology. Balanced controls depend on trained personnel following clear, effective processes, with supporting technologies to keep them informed and effective.

Myth four: IT Risk Management is a science . . . . . . . . 34
With roots in Operational Risk Management, process-improvement disciplines, and business governance, IT Risk Management spans the boundary of business management and science. Emerging frameworks and best practices help guide effective implementations.

Conclusion . . . . . . . . 40
With IT at the core of many critical business processes, IT Risk Management is a business imperative. Effective management not only protects information and infrastructure, but unlocks resources for the pursuit of strategic business initiatives.

Appendix . . . . . . . . 42


Executive summary

IT Risk, encompassing Security, Availability, Performance, and Compliance elements, has become a critical issue for executives and boards of directors. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals' insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risk.

The Report addresses persistent myths about IT Risk, concluding that:

• IT professionals are adopting a more balanced, less security-centric view of IT Risk; more of them now see Availability Risk as critical or serious than any other element
• Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable loss of customer loyalty, revenue, and company value
• Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals' expectations of monthly incidents in constantly-changing global and regional business and technology environments call for a continuous, process-oriented approach
• Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents
• Over the past year, survey participants saw no improvement in Asset Inventory Classification and Management controls, and a decline in Data Lifecycle Management
• IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting Corporate governance, and supported by its own emerging frameworks, standards, and best practices

Symantec recommends a continuous IT Risk Management process starting with risk assessment, paying close attention to cultural and training issues, and addressing long-term structural improvements as well as early wins. Most implementations will focus on Security Risk and associated controls in the early stages, but should follow up with Availability Risk and delivery controls, and include Compliance and Performance Risk with strategic controls for an integrated, effective program over the long term.


    Highlights

This report is intended for executives with responsibilities at the intersection of IT and business risk, including CISOs and vice-presidents of Risk Management, Data Center Operations, and Compliance/Audit. Report insights are based on the collective experience of IT professionals worldwide, and Symantec's deep expertise in every element of IT Risk Management.

Be sure to check these highlights:

• Although IT professionals agree with consumers about the severity of Data Leakage incidents, they may underestimate their frequency: Security Risk and data leakage under Myth 1
• IT professionals expect IT incidents to occur about once per month: Incident rates and reactions under Myth 2
• Process issues cause 53 percent of IT incidents, most often because no process is in place to manage the incident: The importance of process controls under Myth 3
• IT Risk Management is more than a defensive exercise; it identifies tradeoffs among risks, costs, and controls for confident, risk-aware pursuit of opportunities: Process improvement disciplines under Myth 4


Introduction

As IT grew from a back-office specialty to the core of financial, telecommunications and other modern businesses, exposure to IT Risk has grown to match. Not long ago, IT Risk occupied a small corner of Operational Risk: the opportunity loss from missed IT development deadlines. Today, the success of organizations and even nations may hinge on mastering a broad landscape of IT risks.

The World Economic Forum provides one scale. They rank a breakdown of critical information infrastructure among the most likely core global risks, with a 10 to 20 percent likelihood over the next 10 years and potential worldwide impact of $250 billion.1 Sustained investment in IT, almost $1.2 trillion or 29 percent of 2006 private-sector capital investment in the U.S. alone,2 fuels growing exposure to IT Risk.

As the world grows more dependent on IT systems and processes, management of IT Risk becomes a practical necessity. Those who neglect this emerging discipline may squander opportunities from fear of trivial or imagined threats, or fail to take elementary precautions against significant threats.

IT Risk elements

IT Risk encompasses the full spectrum of risks that may affect or result from IT operations: external natural disasters or changes in government regulations, internal processes that affect product or service quality, IT organizational and data center performance, loss of intellectual property, supervisory or legal controls, and much more.

Symantec differentiates among the four classes of IT Risk elements illustrated in Figure 1 according to their sources and potential impact on organizations, specifically:

• Security Risk: that information will be accessed, manipulated or used by unauthorized parties
• Availability Risk: that information or applications will be made inaccessible by process, people or system failures, or natural disasters
• Performance Risk: that underperforming systems, applications, staff, or organizations will diminish business productivity or value
• Compliance Risk: that information handling or processing will fail to meet regulatory, IT or business policy requirements

Why IT Risk is important now. IT Risk: definition, elements, and controls. What we've learned so far, and why some myths still endure.


Figure 1: IT Risk encompasses four types of elements, each with its own drivers and potential impacts.

[Figure 1 diagram labels: Security, Availability, Performance and Compliance arranged around IT Risk. Drivers: Internal and External Malicious Threats; IT Policy and External Regulations; Application Performance and IT Performance; Natural Disasters and System Failures. Control goals: Keep Bad Things Out; Keep Important Things In; Ensure Adequate Controls; Automate Evidence Collection; Optimize Resources; Ensure Correct Configuration; Keep Systems Up; Ensure Rapid Recovery.]

Detailed descriptions of the risk elements, with sources and potential impacts, may be found in the earlier report.3

Today's IT Risk environment

Every organization has a unique IT Risk profile. But dramatic global changes in IT Risk affect most organizations. There has been no shortage of breakout IT Risk stories in the popular press:

• Repercussions from the theft of more than 45 million customer credit- and debit-card numbers crippled earnings at a retailer4
• A spree of denial-of-service attacks directed at Web sites in a European country brought down government, banking, and even small school Web sites5
• Inadequate manual information management processes plagued a health care provider's transplant center, disrupting and delaying essential patient care6
• A government entity in the United Kingdom lost CDs containing 25 million personal records, including financial details of more than 7 million families7

Behind the headlines, Symantec's Internet Security Threat Report (ISTR) documents the transition from a hacker culture of nuisance virus outbreaks and network vandalism to an underground criminal economy in which bank accounts, compromised servers, passwords and credit cards are bought and sold in bulk.8 Professionalization and commercialization of malicious activities, along with more intense attacks and more frequent outages, have raised awareness and regulatory attention across the entire spectrum of IT Risk.


Against the array of external and internal IT risks, organizations deploy controls: IT processes and technologies designed to close vulnerabilities, maintain continuity of operations at specified performance levels, and achieve and document compliance with external and internal policy requirements.

A look back

The initial IT Risk Management Report, Volume 1 was published in February 2007 and is available at www.symantec.com/about/leadership. From more than 500 in-depth surveys, it determined that IT professionals:

• See their organizations as more effective deploying technology than process controls
• Consider IT asset inventory, classification and management, and secure application development processes to be significant problem areas
• Treat people and process improvements over technologies as their best opportunities to move from good to great
• Identify areas of misalignment between levels of their IT organizations about sources of IT Risk

The most encouraging result was that best-in-class organizations, even though they faced higher risk levels, experienced fewer incidents than less-effective organizations. Their effectiveness against more intense attacks may be attributable to their balanced investments across areas of controls to mitigate the full spectrum of IT risks.

This report

From February to October 2007, Symantec surveyed 405 IT Professionals about various aspects of IT Risk Management. Methodology and sampling were generally comparable with those of the first survey; please see the Appendix for details. This report on its findings complements Volume 1 in several ways, specifically by:

• Increasing emphasis on Availability and Performance Risk, to balance the Security and Compliance emphasis of Volume 1
• Balancing recurring and new survey material to assess changes in the IT Risk environment since collection of the earlier information


New survey questions addressed emerging issues with important implications for IT Risk Management, specifically:

• Data leakage: risks to organizations' information assets from both external malicious activity and internal errors
• Endpoint management: the need to extend policy-based controls over fixed and mobile endpoints in a sprawling, porous, worldwide network
• Data center virtualization: IT Risk Management implications of adopting virtualization technologies to improve utilization and productivity of storage and servers
• Zero-day exploits: the need for new defenses as the time needed to create and disseminate malicious code that exploits a published vulnerability converges on zero

The second survey extended and further defined key issues and trends raised in the first. This report will compare results against those of the first survey to identify trends and differences, and explore new insights from the latest research.

Progress and persistent myths

The survey data itself, and conversations with IT professionals around the world, revealed a contradiction. Awareness of the importance of IT Risk Management to organizations and the IT profession continues to rise. Yet in an emerging discipline, this awareness has not yet dispelled a few persistent misunderstandings about the nature and extent of IT Risk, the best ways to manage it, and the shortcuts and traps that lie along the path.

This Report applies new survey data and Symantec Consulting experience to the analysis of four myths about IT Risk Management, specifically that:

• IT Risk and IT Risk Management are exclusively or primarily concerned with IT Security
• IT Risk Management is an annual, semiannual, or other periodic exercise
• Technology controls are sufficient to address most IT Risk Management concerns
• IT Risk Management is a science, with principles that are universal across time, geography, and business environments


IT Risk covers more than IT Security, and even Security Risk presents new challenges.


Security is important, but not the whole story. Compliance: law and policy. How Availability and Performance are different, and why they can't be ignored.

    Myth One: IT Risk is Security Risk


No myth about IT Risk Management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word risk seems to apply more easily to security than performance, availability, or compliance. Or IT professionals' consumer and early career experiences may have conditioned them to anticipate IT Security risks over others. Regardless of the cause, overestimating Security Risk can cause misallocation of time and resources, and significant exposure to other IT risks.

Even when Security risks remain top-of-mind, they need to be considered in balance with the full range of IT Risk elements. This section reviews some critical relationships among IT Risk elements, and points out the value of a balanced approach.

Figure 2: Importance ratings of IT Risk elements. (n = 130)*

Although a focus on Security Risk persists, survey results document emergence of a broader view. Figure 2 shows that slightly more survey participants gave Critical or Serious ratings to Availability Risk than to any other element: 78 percent, against 70 percent for second-place Security, 68 percent for Performance, and a low of 63 percent for Compliance Risk. This result may reflect a focus on availability among survey participants who are directly accountable for it, and underestimate the impact of Performance risks that we will argue are often business-critical. The data also supports two important conclusions. First, a majority of participants rate every area of IT Risk as either Critical or Serious. Second, only 15 points separate the top- and bottom-rated categories. IT Professionals are adopting a more balanced view of IT risks.

* In this Report, stacked-bar graphs show risk levels in ascending order from top to bottom. This is a change from Volume 1, to help readers combine top risk levels by reading from the scale instead of calculating. Color assignments to risk levels are unchanged. Variations in the number of data points represented in the graphs reflect differences in the survey items presented to and completed by participants.


Security Risk and data leakage

Whatever their ranking, security risks are undeniably important. External attacks, malicious code released onto public networks (with ever-shrinking latency), and attempts at unauthorized access to information and systems remain a significant burden for IT departments worldwide. And Symantec has documented increasing professionalization and commercialization of computer crime,9 an alarming development, especially for industries with high-volume or high-value electronic transactions.

Security risks compromise customer trust and reputation: customers' rights and expectations demand that organizations protect their personal information and money. Customers are especially hard on companies they see as careless with their information: a 2007 consumer survey on data security showed 62 percent of consumers more upset when information loss is due to negligence rather than theft.10 Infowatch highlights the scale of the breaches: the average incident exposes the personal information of 785,000 customers.11 The 2007 loss by the UK government of more than 7 million families' financial records underscores the risk.12

Because customers withdraw from transaction providers and venues they don't trust, data leakage constitutes a serious threat not only to consumers, but to electronic commerce and banking.13 In the U.S., financial losses from credit-card fraud are assigned to issuers, insulating cardholders from direct financial risk. But new forms of fraud (phishing, identity theft, and underground marketing of private information) threaten reputation, creditworthiness, privacy, autonomy, and other non-financial assets. A history of serious breaches could stem or reverse online retail growth, regardless of financial guarantees. The same conditions apply in electronic banking, securities, and currency trading, where IT security risks present direct threats to the liquidity of financial markets.

Survey results show that IT professionals agree with their customers about the gravity of data leakage: 63 percent believe data leakage would have a serious impact on their business (see Figure 3 on page 12).


Figure 3: Impact severity estimates for data leakage from corporate information systems. (n=277)

[Figure 3 response scale: Not applicable; Not considered; Minimal impact; Some impact; Serious impact.]

But our survey participants judged that the probability of a major data leakage incident at their organizations is comparatively small: only 46 percent of them expect an incident at least once a year (see Figure 4); a slight majority expect an incident only once every five years.

Is this a realistic assessment, or are survey participants underestimating this risk and overestimating the effectiveness of their mitigation efforts?

Incident rates for data leakage are notoriously complicated, due to:

• Lack of consistency in reporting standards across organizations and jurisdictions
• Strong points of view held by organizations that report incident data, e.g. consumer-privacy advocacy groups and banking industry organizations
• An understandable reluctance of victimized organizations to disclose incidents except to their customers and as required by law
• A twofold threshold problem: smaller incidents may not be widely reported, so incident rates seem lower, but average impacts seem higher
• A misguided focus on criminal activity, although most breaches are due to employee error14

Because of these factors, data leakage incident information may be reported in a fragmented, inconsistent fashion, leading to lower predictions of incident frequency.

Survey participants' confidence in data protection may be misplaced, given the broad availability of stolen data for sale on the Internet. Identities, complete with U.S. bank accounts, credit cards, government-issued identification numbers and birthdates, are available for purchase online from U.S. $14 to $18.


And with large impacts possible from even single data-security breaches, Symantec recommends:

• Careful analysis of security event logs using technology and services available from Managed Security Service Providers (MSSP)
• Monitoring of trends across the security threat landscape, using the Symantec Internet Security Threat Report and other sources
• At minimum, a quick review of network endpoints, considering vulnerabilities to both internal error and external malice
• Evaluation of some of the new, information-focused security tools developed specifically to help organizations address data leakage

Figure 4: Estimated frequency of data leakage from corporate information systems. (n=277)

Compliance

Compliance Risk stems from failure to meet regulatory or business requirements for information handling or processing. In highly regulated industries, compliance failures may compromise the organization's reputation, profitability, or even existence.

Since many regulations govern privacy and information security, Compliance is sometimes seen as a derivative of Security. But Compliance Risk is more than Security Risk formalized by law. Regulations including new U.S. Federal rules for legal discovery broaden the scope of Compliance Risk beyond security concerns. And even regulations unrelated to IT may require dramatic changes to IT infrastructure and processes, adding complexity and competing for scarce IT resources with mitigation of other risks. The U.S. Sarbanes-Oxley Act of 200215 and the EU Markets in Financial Instruments Directive16 are just two recent examples of regulatory initiatives not aimed at Security Risk, but with far-reaching consequences for IT.


The compliance obligations of organizations subject to local, regional, and national regulations include the cost of maintaining and reporting compliance to the satisfaction of external regulators, the challenge of setting and meeting internal policies and standards to ensure that external requirements are met, and obligations governing the security, availability and performance of their IT services for internal clients.

Compliance impacts

The IT Policy Compliance Group examined financial impacts of IT compliance in 2007. After finding an association between compliance and lower rates of data loss and theft, the study determined that after loss and theft incidents, public companies experienced an eight-percent decline in stock price, active customer base, and short-term revenue.

In addition, the study found that firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements.17 Noncompliance with standards and internal policies introduces risk even when regulatory controls are moderate. Combining the direct and indirect impacts with intangible losses of reputation, loyalty and employee morale justifies the ranking of Compliance as a critical IT Risk.

IT Risk: Value and Vulnerability

IT Risk element: Security
Compromised core values: Trust, customer reputation
Risk origins: External attacks, malicious code, physical destruction, inappropriate access, disgruntled employees

IT Risk element: Compliance
Compromised core values: Legal, financial, and operational integrity
Risk origins: Changing or misunderstood regulations, missing or poorly-defined IT policies, insufficient auditing capability

IT Risk element: Performance
Compromised core values: Efficiency and productivity
Risk origins: Poor system architecture, network congestion, inefficient code, inadequate capacity, ineffective process design

IT Risk element: Availability
Compromised core values: Financial and supply-chain integrity, commercial responsibility
Risk origins: Network failures, inadequate change management, data center failures, regional disasters


Availability and performance: different kinds of risk?

Availability Risk concerns inaccessibility of information or applications during system outages and recovery. Performance risk concerns reduced business productivity or value when teams, systems or applications underperform. Often overshadowed by Security and Compliance concerns, and sometimes unrecognized outside IT, these risks differ in several important ways.

Frequency and impact

Security and compliance risks attract attention because of their high visibility and impact: virus outbreaks, data losses, or lawsuits may require disclosure, are staples of the business press, and are devastating to the individuals and companies involved. In the U.S. alone, twice-weekly updates barely keep up with the rate of new data breaches, some involving hundreds of thousands of records18 and million-dollar fines. In contrast, common availability and performance events tend to be incremental, and may escape notice: a few seconds' delay in serving Web sites, a few percentage points' lower transaction capacity, near-misses in meeting recovery-time or recovery-point objectives. Yet the cumulative burden of IT underperformance weakens any organization, and a single breakout event may be enough to bring it down.

Transfer of harm

A second difference is that while Security and Compliance risks involve a transfer of harm (from thief to victim, or from government to organization), Availability and Performance risks often play out inside the walls, as reduced revenue, added expenses, or lost profits. Stakeholders can, should, and do complain, but incremental availability and performance shortfalls rarely attract outside attention, nor are the affected organizations likely to seek it.

But when they occur, availability and performance disasters can be nightmare scenarios: transaction processing at a crawl on the busiest shopping day of the year or during a market crash, failures cascading through backup systems during a site or regional disaster, or essential services missing when they're needed most. Worse, Availability and Performance disasters are often irrecoverable over the short term.

A reciprocal relationship?

Finally, some IT professionals see Availability and Performance as reciprocal to Security and Compliance. This seems true at the extremes: information locked in a safe on the ocean floor might be secure and safe from the legal and regulatory consequences of disclosure, though at great cost to its availability, and the performance of systems that use or serve it.


But the reciprocal relationships Security and Compliance have with Availability and Performance extend to the middle ground. Every improvement in distribution of information raises the risk it will fall into the wrong hands, or violate principles governing its use. Likewise, attempts to secure information often make it less available, and may compromise the performance of systems that process it. This reciprocal relationship is at the core of many tough decisions in IT Risk Management.

Availability impacts

When business processes depend, sometimes completely, on IT systems and processes, IT failures cause business failures. Researchers at Dartmouth and the University of Virginia investigated one example: a hypothetical failure of the Supervisory Control and Data Acquisition (SCADA) network at an oil refinery. SCADA failure would immediately shut down production because of safety concerns. The researchers estimated an economic impact of $405 million from a hypothetical ten-day outage at a supplier that contributed 10 percent of the U.S. gasoline supply. The affected supplier would bear only $255 million of the impact; others in the supply chain would assume the remaining $180 million loss.19

The example highlights two important facts: First, IT system availability is not equivalent to business availability. Second, in a connected world of global supply chains and collaboration networks, availability failures in one business cascade directly into others.

Performance impacts

Performance risks compromise business efficiency. A thought experiment illustrates the point: a 1 percent loss in labor productivity is just five minutes of an eight-hour day. But for a U.S. or Western European organization of 10,000 employees, that same loss costs approximately $4.25 million in wages every year.* How many organizations can say that they lose no more than 25 minutes of productive time (about 5 percent) from slow system response times, inefficient application design, poor integration, or misaligned IT and business priorities? Figure 5 estimates the annual cost of productivity losses on that scale and less, for organizations of different sizes.

Figure 2 showed that 68 percent of survey participants rated Performance Risk as a critical or serious threat. Add to the direct impact of Performance Risk on productivity follow-on effects on customer satisfaction and supply-chain efficiency, and it becomes clear why Performance Risk is an important target for IT Risk Managers.

* Assumes 60 percent of employees in the United States and 40 percent in Western Europe, all earning their national average hourly wage: $18.58 for the U.S. and $23.31 for the UK. U.S. average wage per U.S. Social Security Administration, October 2007; UK per National Statistics Office, November 2007.
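As an added worked example (not code from the report), the following Python reproduces the $4.25 million estimate above from the footnote's wage figures and generalizes it to Figure 5's "dollars per minute lost each day" metric for organizations of any size. It assumes a 2,080-hour full-time year (260 days of 8 hours) and a 60/40 weighted blend of the two national wages; the report states neither explicitly.

```python
"""Productivity-loss cost model for the Performance Risk thought experiment.

Added worked example, not code from the Symantec report. Assumptions made
here that the report does not spell out:
  * a full-time year is 2,080 paid hours (260 working days of 8 hours);
  * the blended wage is the 60/40 weighted mean of the U.S. and UK rates.
"""

US_HOURLY_WAGE = 18.58   # report footnote: U.S. average hourly wage, Oct 2007
UK_HOURLY_WAGE = 23.31   # report footnote: UK average hourly wage, Nov 2007
US_SHARE = 0.60          # report footnote: 60% U.S., 40% Western Europe
HOURS_PER_DAY = 8.0      # report: "an eight-hour day"
DAYS_PER_YEAR = 260      # assumption: 2,080-hour full-time year


def blended_hourly_wage(us_share=US_SHARE, us_wage=US_HOURLY_WAGE,
                        uk_wage=UK_HOURLY_WAGE):
    """Weighted average hourly wage across the two workforces."""
    return us_share * us_wage + (1.0 - us_share) * uk_wage


def annual_payroll(headcount, hourly_wage=None):
    """Total yearly wages for `headcount` employees at the blended rate."""
    rate = blended_hourly_wage() if hourly_wage is None else hourly_wage
    return headcount * rate * HOURS_PER_DAY * DAYS_PER_YEAR


def productivity_loss_cost(headcount, minutes_lost_per_day):
    """Annual wage cost of every employee losing `minutes_lost_per_day`.

    Modelled exactly as the report's thought experiment: the lost fraction
    of the working day times annual payroll (1% of the day = 4.8 minutes).
    """
    fraction = minutes_lost_per_day / (HOURS_PER_DAY * 60.0)
    return fraction * annual_payroll(headcount)


def cost_per_minute_per_day(headcount):
    """Figure 5's metric: annual dollars for one minute lost each day."""
    return productivity_loss_cost(headcount, 1.0)


def figure5_table(headcounts=(1_000, 5_000, 10_000, 50_000)):
    """Rows of (headcount, $ millions per minute lost each day), rounded."""
    return [(n, round(cost_per_minute_per_day(n) / 1e6, 3)) for n in headcounts]


if __name__ == "__main__":
    one_percent = HOURS_PER_DAY * 60 * 0.01          # 4.8 minutes
    print(f"blended wage: ${blended_hourly_wage():.3f}/h")
    print(f"1% of the day, 10,000 staff: "
          f"${productivity_loss_cost(10_000, one_percent):,.0f}/yr")
    print(f"25 min/day, 10,000 staff:    "
          f"${productivity_loss_cost(10_000, 25):,.0f}/yr")
    for n, millions in figure5_table():
        print(f"{n:>6} employees: ${millions:.3f}M per minute lost each day")
```

With these assumptions the 1 percent case comes out at about $4.26 million, matching the report's "approximately $4.25 million", and the 25-minute case at about $22.2 million.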


Figure 5: Hypothetical annual cost of unproductive time, expressed as millions of dollars per minute lost each day, for organizations of different sizes.

Beyond Security-centric IT Risk Management

Balanced investments in controls are the key to successful management and mitigation of IT Risk, and require balanced assessments across IT Risk elements. Even when security concerns dominate their risk environment, organizations must take care that a security-centric view does not blind them to very real availability and performance risks that may be neglected, or even raised by their mitigation efforts.


IT Risk Management is a continuous process, to address constantly-changing IT Risk and business environments.


IT change outpaces point-in-time planning. IT Risk Management is adaptive and continuous. Start with policy, and deploy the right controls.

    Myth Two: IT Risk Management is a Project


Already involved in hundreds of projects, busy enterprise IT departments may see the assessment of IT Risk as a one-off project, followed by adjustments to remediate specific deficiencies. But this is unsatisfactory in a world where risks are constantly changing. Organizations must monitor IT risks continuously, and make frequent changes to their management strategy. And while it is certainly true that the initial stages of IT Risk assessment will resemble other projects, and that the process can profit from the same disciplines and focus that make any IT project a success, the project perception, like the firefighting mentality that preceded it, can defeat even the best intentions and efforts.

Annual projects, or random acts of risk management,20 are better than nothing at all. But organizations put themselves at risk when the cadence of their IT Risk Management programs fails to match the rate of change in their risk environments. Effective, continuous IT Risk Management processes may be introduced to organizations without compromising the discipline and sense of mission surrounding the launch of major initiatives. This section reviews some of the ways that business and technology changes affect the risk environment, and outlines some ways leading organizations have introduced IT Risk Management into their core business processes.

Incident rates and reactions

IT Security, Compliance, Availability, and Performance incidents assault the modern organization at alarming rates. Just ask the people on the front lines: administrators charged with monitoring and responding to these incidents every day. For IT Risk Management programs to manage what they measure, organizations need to measure the rates of these incidents.

We asked survey participants to estimate the frequency of four types of IT incidents: regulatory non-compliance, major information losses, major IT failures, and minor IT failures; results are shown in Figures 6 through 9. We found that:

• 66 percent of participants expect a regulatory non-compliance event at least once every five years
• 59 percent expect a major loss-of-information event at least once every five years
• 63 percent expect a major IT failure at least once a year
• 69 percent expect minor IT failures at least ten times a year

These estimates predict IT incidents about once a month for the average organization. At such incident rates, annual or bi-annual IT Risk Management is clearly insufficient.


Figure 6: Participants' expected incidence of regulatory non-compliance by their organizations. (n=405)

Figure 7: Participants' expected incidence of severe impacts from loss of information confidentiality, availability, or integrity. (n=405)


Figure 8: Participants' expected incidence of severe impacts to their IT organizations that interrupt critical business operations. (n=405)

Figure 9: Participants' expected incidence of minor impacts to their IT organizations that impair the work of individuals or groups. (n=405)

The changing risk environment

Not only are IT and business environments rife with every kind of IT Risk, but the risks are constantly changing. In the Introduction, we saw evidence of a transition in the type of Security Risk faced by organizations; in fact, every category of IT Risk is evolving all the time, driven by technology change, company go-to-market strategy, and the macro business climate.

Other elements of IT Risk are changing just as fast. The Compliance Risk environment is in constant flux as regional and national governments enact new legislation, organizations introduce frameworks and standards for IT Governance and other processes, and companies adjust policies to meet the needs of their unique business strategies and environments. Availability Risk changes, for example when entering new markets with unreliable power and communications infrastructures, and in disaster-prone areas, it can literally vary with the


weather. Performance Risk shows long-term trends based on the availability and affordability of high-performance systems, applications, and personnel. But it also shows seasonal variations based on demand cycles that vary from one organization to another, and the resources available to meet them.

IT Risk Management: a continuous process

With such variability in IT Risk environments over time, any project-oriented or point-in-time IT Risk Management process will quickly find itself overtaken by events. Changing IT Risk environments call for adaptive IT Risk Management that anticipates and responds to environmental change as it remains aligned to strategic organizational objectives. Adapting environmental and event monitoring to the frequency of IT incidents represents a critical best practice.

Major changes in business strategy are rare, but operational and go-to-market adjustments happen every day. For example, software-as-a-service applications offer flexibility and rapid time to market, but present significant challenges across the spectrum of IT risks. IT Risk Management programs must track such developments, understand their business context, and develop a Risk Management posture to accommodate and support them.

Risks from technology are evolving, too. The Symantec Internet Security Threat Report tracks changes in the Internet threat landscape over time in its Future Watch feature covering likely emerging threat activity. Figure 10 illustrates some recent topics. As discussed above, annual benchmarks are only a single contributor to an organization's continuous assessment of IT Risk; alert managers will supplement them with both formal and informal indicators of risks introduced by changing technology, people, and processes.

Figure 10: Summary of the Symantec Internet Security Threat Report Future Watch topics.

ISTR Future Watch Topics (Volume VII, Sept 2005; Volume X, Sept 2006; Volume XII, Sept 2007):

• Polymorphous Win32 malicious code
• Web 2.0 security threats and AJAX attacks
• Microsoft Vista
• Increased vulnerabilities due to fault injection fuzzers
• Modular malicious code
• Bot networks
• Phishing targets and methods
• Advanced spyware developments
• Wireless security threats
• VoIP threats
• Mac OS security
• Malicious code and virtual worlds
• Automated evasion processes
• Advanced web threats
• Diversification of bot usage

  • 7/28/2019 B-it Risk Management Report 2-01-2008 12818026.en-us

    26/52

Continuous IT Risk Management for continuous improvement

Organizations use technology to capture or enter new markets and build efficiencies, inevitably exposing themselves to new risks as they do. Continuous IT Risk Management programs evolving at the speed of business change help them measure and then mitigate or accept those risks in ways that match their strategy for securing sustainable competitive advantage.

Depending on organization size and strategy, a continuous IT Risk Management program may be fully staffed in its own department or a task for the CIO. Regardless of its scope, every program needs a push to get started. Symantec has identified the practical first steps that have helped IT organizations launch successful Risk Management programs:

1. Put one person in charge: chosen according to your organizational structure and dynamics, but with the authority to make things happen
2. Use an event as a catalyst: an IT incident that provides momentum for IT Risk Management makes the best of a bad situation
3. Perform an initial risk assessment: avoid the temptation to just do something, and use at least a quick, qualitative assessment to focus efforts for quick returns on modest investments
4. Start dialogues at the executive and board level: IT Risk Management succeeds when the whole organization is behind it; start at the top

Controls

Once underway, successful IT Risk Management programs need to monitor controls to assess the internal environment, and appropriate sources of information to monitor the external environment.

More frequent monitoring of internal controls helps cut incidents and associated losses. The IT Policy Compliance Group determined in 2007 that organizations that monitor IT controls more frequently experience fewer incidents:

Organizations with the fewest unreported data losses and compliance deficiencies are monitoring and measuring controls once every one to three weeks, and on average at least once every two weeks. Firms with the most IT compliance deficiencies and the highest latent data losses are monitoring and measuring controls once every 6.8 to 8.5 months.21

Information

Conversations with business managers provide valuable insights into strategic direction and go-to-market initiatives; IT vendors can help predict system upgrades and other operational information.

IT analysts can help identify IT trends and emerging issues to help manage the external environment. One valuable source is the Symantec Internet Security Threat Report, which offers six-month updates on internet threat activity that include analysis of attacks, vulnerabilities, malicious code, and trends in phishing and spam.

Myth and reality

The myth that IT Risk Management can be addressed in a single project, or even a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT Risk environments. Worse, this view ignores the opportunity value of capable IT Risk Management: identifying acceptable risks, measuring them against their costs and business value, or implementing mitigation processes that allow organizations to take calculated risks with confidence.

People, executing processes supported by technology, are your most valuable resource to manage IT Risk.

Myth Three: Technology alone mitigates IT Risk

Process effectiveness is a known weakness. Frameworks, controls, and the road to improvement. Key process controls and the critical role of training.

Organizations manage IT risks by deploying controls. These span a wide variety of activities, and typically involve people executing processes with technological support, for example by using compliance management software to create policies mapped against regulations and best practices, and then monitor and document compliance. The February, 2007 IT Risk Management Report, Volume 1 examined relationships in the use of eight technology controls and eight process controls. In a technology discipline populated by many specialists with engineering backgrounds, it was no surprise to find attempts to solve persistent problems framed in engineering terms. IT professionals rated their organizations more effective deploying technology controls to address IT Risk than they did process controls.

The analysis also determined that best-in-class organizations followed a more balanced approach in deploying technology and process controls. For the 2008 study, we expanded the analysis to cover a larger set of controls, each with elements of people, process, and technology.

Best in class: risks and incidents

For this study, we asked participants to rate the effectiveness of implementation of 18 controls critical in managing IT Risk, arranged into four categories: strategic, support, delivery, and security controls (see sidebar on page 33 for descriptions). We divided our 405 participants into quartiles based on their overall effectiveness across all 18 controls.

As in last year's study, we calculated separate indexes for compliance and business process risks, for each quartile (across six compliance and seven business-process IT Risk areas), together with the rate at which participants expected IT incidents. The results are shown in Figure 11.

Figure 11: Expected incident rates and ratings for two categories of IT Risk in organizations in each IT Risk Management performance quartile. Professionals from better-rated organizations see themselves facing more IT Risk, but expect fewer incidents. (n=405)

As they did in Volume 1, the results show that participants who rated their organizations effective in managing IT Risk saw themselves facing greater compliance and business process risk but expected fewer IT incidents. The relationship suggests that organizations more effective at deploying controls are rewarded with lower rates of incidents.

Best in class: balanced controls

What separates best-in-class performers from other participants? A closer look reveals that organizations in the Best quartile deploy strategic, support, delivery, and security controls with uniformly high effectiveness (see Figure 12). This contrasts with organizations in the Worst quartile, which deploy security controls at moderate levels of effectiveness, but show less success with strategic and delivery controls.

Again, readers of last year's report will find few surprises: organizations with strong performance ratings deploy controls effectively across the full range. No single control or category alone leads to high performance; a combination of effective controls helps best-in-class organizations achieve their expectations of lower rates of IT incidents.

Figure 12: Effectiveness ratings for four categories of controls (strategic, support, delivery and security) by performance quartile. (n=405)

The importance of process controls

IT professionals are familiar and comfortable with technology controls. But process controls are often the key to avoiding serious incidents, as demonstrated in a study conducted by Symantec and researchers from the MIT Center for Information Research in 2007. The study examined root causes of 85 severity-one security and availability incidents. Figure 13 on page 30 shows the results.

Process-based issues caused 53 percent of incidents. In 63 percent of these cases, no pre-defined process existed to manage the incident; in only 22 percent did an existing process fail to manage it. Environmental configuration issues accounted for 51 percent of incident root causes; and staff skills for 41 percent.

Figure 13: Root causes of IT incidents. (Totals exceed 100 percent: 63 percent of the incidents had multiple root causes). (n=85)

The promise of process frameworks

How can other organizations build strong processes to achieve best-in-class performance? Fortunately, they have help. IT leaders have focused considerable attention in recent years on IT Service Management (ITSM) process frameworks and standards, including the Information Technology Infrastructure Library (ITIL) framework managed by the UK Office of Government Commerce, the ISO/IEC 17799 security and 20000 audit standards, and the Control Objectives for Information and related Technology (CobiT) best-practice guidance material on IT governance.22 Following in the tradition of the quality disciplines that transformed manufacturing in the 1980s and 1990s, these frameworks and standards address constantly-changing IT infrastructures and data-center configurations from the standpoint of services delivered to IT end-users.

More than 20 percent of billion-dollar companies have already completed one or more ITIL implementations,23 and many more are underway. The business benefits these organizations hope to achieve include:

- IT service improvements such as consistent performance against Service Level Agreements with IT risks minimized, managed, or accepted
- IT process improvements including operational best practices, with documentation of compliance to appropriate policies and standards

- Standardization of IT infrastructure and processes, to reduce cost, complexity, and time-to-value of IT investments

And as we will see in the next section, investments in training and staff development are among the most productive paths to improved performance.

Process trends

While interviewing for last year's study, we observed that several organizations were making large investments in secure application development processes. Participants explained that they were building more secure IT operating environments by eliminating security problems at the source. Comparing this year's results with those, we have a 10 percent improvement in the number of participants rating secure application development over 75 percent effective. This indicates that organizations are making thoughtful, effective investments to manage IT Risk.

We predict that Problem Management will be the next area to improve as Secure Application Design did. ITIL helps align IT initiatives with business goals, using Problem Management to "minimize the adverse impact of Incidents and Problems on the business that are caused by errors within the IT Infrastructure, and to get to the root cause of Incidents and then initiate actions to improve or correct the situation."24

Our research with MIT showed that IT incidents share root causes. We expect that as IT Risk Management programs mature, they will begin to deploy more robust Problem Management processes to eliminate root causes of IT incidents, using or modifying technology as needed, but relying primarily on process to manage specific, identified root causes.

In Volume 1 we noted concern over the low rating of the Asset Inventory Classification and Management control. Participants in the current survey reported a negligible increase in effectiveness for this control, still the most poorly rated in the study. In addition, the current survey shows a decline of 17 percent in the number of participants who rate Data Lifecycle Management over 75 percent effective.

The combination of these two trends is a concern. Both of these controls classify systems and information, applying unique policies to each class. This process aligns the treatment of each class with business objectives. Weakness in these controls suggests that assets will be treated equally, so that some systems, processes, and objects will be overprotected and others underprotected from IT Risk, resulting in cost and service inefficiencies.

Technology in support of process

Although technology cannot substitute for process discipline and expertise, technology solutions can help standardize, automate, and report key measurements related to process effectiveness, increasing the span of awareness and control of trained personnel. Process-support technologies include software and appliances to assist IT organizations with:

- Configuration and Change Management, to improve the discovery, mapping, correlation, and tracing of changes to applications and servers
- Performance Management, to identify underperforming assets and infrastructure tiers, and help isolate root causes of underperformance
- Provisioning Management, for consistent patch deployment across operating systems and geographies, avoiding incompatibilities and timing issues

Technology plays a critical role in the mitigation of IT Risk. But people and process, supported by technology, determine how effective your program will be. An organization's maturity in deploying IT Risk Management will dictate which investments are most appropriate for your organization at this time. And while every organization is unique, core Risk Management problems are common to all organizations.

Key Controls for Managing IT Risk

The key controls listed below were derived from extensive study of published control standards for IT management, including the Information Technology Infrastructure Library (ITIL), CobiT, and ISO 17799, as well as from Symantec's experience in working with top-performing organizations throughout the world.

Strategic Controls
- IT policy, strategy, and architecture
- Organizational structure, roles, and responsibilities
- Governance, compliance and continuous improvement
- Data lifecycle management

Support Controls
- Asset inventory classification and management
- Physical and environmental management
- Configuration, change and release management
- Incident, response and problem management

Delivery Controls
- Service level management
- Operational design, workflow and automation
- Secure application design, development and testing
- System build and deployment
- Capacity management
- Availability management
- Service continuity management

Security Controls
- Authentication, authorization and access management
- Network, protocol and host security
- Training and awareness

IT Risk Management, like other business processes, requires disciplined planning and execution.

Myth Four: IT Risk Management is a science

An emerging business discipline, not a science. Origins of IT Risk Management. IT Risk Management in context: Risk Management, Business Strategy.

This last myth is more widespread within the practice of IT Risk Management than in the business community at large. As IT Risk Management becomes more widely practiced, disciplined, and documented, and especially as standards and frameworks encourage consistent practices, practitioners may come to see it as a set of fixed principles and relationships, universally applicable across industries and geographies.

Roots and progress

But IT management is an emerging business process, not a science. Rather than experiments and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they make their way across changing business landscapes.

We can identify three primary contributors to the current practice of IT Risk Management:

Operational Risk Management

In the Risk Management family, Financial Risk Management is the science, and Operational Risk a set of ad hoc processes to address event risks from fire and fraud to supply-chain failures. Its diversity is captured in its definition: "the risk of loss from inadequate or failed internal processes, people, and systems, or from external events"25; in effect, covering any risk that cannot be completely hedged or insured against.

By 2002 the interconnectedness of internal and external networks and business processes had already given IT Risk Management a special status. Logically and taxonomically still a form of Operational Risk Management, IT Risk Management emerged as a separate practice because:

- Many business operations and transactions now took place entirely within IT systems
- The pace of technology change required more rapid adaptation in technology and process controls than do other forms of operational risk
- The discipline of IT Risk Management required specialized knowledge and skills among both IT professionals and business managers

Process improvement disciplines

Process improvement methodologies transformed factories worldwide in the late 1980s and throughout the 1990s, and launched one of the greatest productivity advances in history. Manufacturing disciplines drove build quality to unprecedented heights, while computer-intensive Manufacturing Resource Planning and Enterprise Resource Planning technologies broke through old assumptions about productivity and inventory management.

A few pioneering companies demonstrated that these efficiencies could work even across company boundaries, in supply partner and distributor networks that combined with the communications efficiencies of the Internet to launch the e-commerce revolution.

IT Risk Management is their natural successor. Too often viewed merely as a defensive exercise, IT Risk Management helps companies identify both risks and opportunities in their business environment, and trade-offs between risks and costs, or risks and opportunities. With trade-offs identified and measurement systems and controls in place, organizations can take appropriate risks confidently, to pursue opportunities they might otherwise forego.

Business and IT Governance

Regulations governing business conduct, most prominently Sarbanes-Oxley in the United States, raised the accountability of corporate officers and disclosure standards for business information, with significant implications for IT. Sarbanes-Oxley was an external stimulus for many companies, the first that forcibly aligned business and IT strategies, and made IT governance a top-of-mind issue for many chief executives.

To meet the requirements of Sarbanes-Oxley, EU Privacy and Market Directives, and industry-specific regulations such as the Health Information Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) Data Security Standard, IT needed ways to organize, evaluate, and balance these requirements systematically to guide effective action, and IT Risk Management was well adapted for the task.

Current state of IT Risk Management

Most business people are familiar with Risk Management, but few understand the emerging practice of IT Risk Management, and fewer still appreciate its role in today's connected organizations.

IT Risk Management combines the rigor and breadth of Operational Risk Management, the productivity focus of Manufacturing disciplines, and the stakeholder point of view common to governance frameworks. It adds process and technology controls unique to the IT world, and is an emerging business discipline, like Financial Risk Management or Supply-Chain Management, capable of making unique contributions to organizational effectiveness.

Frameworks and best practices

Documented best practices for IT Risk Management are scarcer than those for IT Operations Management frameworks like ITIL, for example. Standards such as ISO 17799, The Code of Practice for Information Security Management Systems, and the broader Australia/New Zealand Standard on Risk Management, AS/NZS 4360:2005, can help, but these are references rather than practice guidelines. Frameworks and standards provide excellent starts, but every organization will need to define risk priorities and processes appropriate for its own risk environment and organizational goals.

Through its research and client work, Symantec has identified four IT Risk Management best practices that are generally applicable across organizations:

1. Assess risk and scope: before taking action, assess the likelihood and probable impact of each risk. Even a simple, qualitative assessment will help you avoid coverage gaps and waste as your program gets underway. Keep in mind that not all IT Risk must be eliminated: quick, cheap corrections may be enough to bring risk to acceptable levels.

2. Build a risk-aware culture: because businesses take risks for profit, excessive risk aversion can be a barrier to success. IT Risk Management should build a culture that understands organizational objectives, IT risks, mitigation costs, and their interrelationships.

3. Develop people: MIT research cited in Chapter 4 showed that 41 percent of IT incidents have root causes based in staff skills. In a separate study, IDC and Symantec found that training and team skill levels have a profound impact on IT performance.26 Training investments pay off, for example, by refocusing team efforts on high-value activities, which can improve team productivity by 10 percent or more, more than enough to cover the cost of training.

4. Give it time: chalk up some early wins to build momentum, but focus long-term efforts on strategic issues identified in your risk assessment, and allow those controls to mature over time. Symantec's experience demonstrates that it may take three to five years for IT Risk Management controls to become completely effective.

Taking the second step

The most important step in any IT Risk Management program is simply getting started, and in Chapter 3 we suggested using a catalyst event to get your program underway. But what are the next steps? Based on Symantec's experience with emerging and established IT Risk Management programs, and analysis of correlations between risks and controls for survey participants, we see the following logical implementation sequence for controls:

1. Security risks and controls: survey results suggest addressing security risks first: better security controls most strongly predicted improvements in incident expectations. And because information security is IT-centric, IT can act with less dependence on others to achieve an easy win and gain early momentum.

2. Availability risks and delivery controls: delivery controls, closely associated with Availability Risk, had the second-strongest correlation with reduced incident expectations. Our research also indicates that organizations facing higher levels of business process risk deploy delivery controls most often. And because business managers easily grasp the benefits of reduced availability risk, delivery controls are an excellent step in meeting business objectives outside the glass house.

3. Compliance/performance risks and strategic controls: Compliance and Performance Risks most closely underpin business units' daily use of IT services. Managing these risks requires collaboration to align the actions of IT with the requirements of its business clients. Laying a foundation with Security and Availability Risk assessment prepares your organization for these more sophisticated conversations.

Your organization may face a unique set of risks that call for a different approach: for example, an insurance company in an at-risk region may focus on Availability Risk first, or a company under regulatory review on Compliance Risk. As illustrated in Figure 14, alignment is critical throughout execution. And regardless of the order of deployment, use the four best practices as a guide.

Figure 14: Illustration showing how key elements of IT execution interact with the most important issues in IT/business alignment. Execution skills apply across multiple issues, justifying investment in skill development.

Conclusion

Technology drives the consolidation of industries, globalization of markets, and invention and reinvention of organizations worldwide. Technology supports collaboration and innovation at rates never seen before. But technology failures can bring entire segments of the economy to a halt, corrupt records or leave them inaccessible, and compromise employee productivity.

Managing risks introduced by IT is a business imperative. In this report, we have observed that:

- IT failures in your organization ripple through customers, suppliers and partners
- IT risks come from multiple sources, change constantly, and require a continuous program of discovery, monitoring, and management
- IT risks are managed by the combination of people, process, and technology, balancing risks against business objectives
- IT Risk Management is a business process that adapts to organizational requirements, guided by best practices

As you launch or expand your IT Risk Management program, keep in mind that managing IT Risk rarely means eliminating it. Instead, IT Risk Management disciplines and practices help keep IT services flexible, adaptive, and aligned to organizational goals in a constantly changing business climate. In addition, IT Risk Management can provide the insight that allows you to take calculated risks with confidence and use IT to drive competitive advantage.

The future

Symantec will continue its research into IT Risk Management to discover additional practical recommendations and best practices to help organizations develop and implement their own programs. Future research will assess the state of deployment and maturity of IT Risk Management programs, including the prevalence of IT Risk Management initiatives and the use of program-based best practices. Symantec will continue to explore how the management of IT Risk contributes to business productivity, competitive advantage, and the spirit of innovation.

Appendix: Methodology

Data collection

Between February 2007 and October 2007, Symantec collected 405 surveys from IT professionals attending IT events worldwide (approximately 85 percent), or online at www.symantec.com (approximately 15 percent). Each participant received a report comparing his or her responses to those of a benchmark group. To ensure candid responses and protect participant privacy, Symantec contracted a third party, Ecosystems, LLC of Vienna, VA, to collect, process, and assess the survey results.

Because participants occasionally skipped one or more survey questions, the number of responses may vary from one question to another.

Differences in questions

For comparison and trend analysis, the current report echoes several questions from the Symantec IT Risk Management Report, Volume 1, which reported responses from 528 participants last year. The current report also includes results from questions designed to extend data-set coverage or explore emerging issues.

Demographics

We fielded the survey to a broad group of IT professionals, across industries, sizes of organizations, participant job roles and global regions. These demographics provided the variables for much of our analysis.

Figure A1: Participants by industry. (n=405)

Figure A2: Participants by job role: professionals include business, consultants and other non-IT job functions. (n=405)

Figure A3: Participants by organization size. (n=365)

Figure A4: Participants by geographic region. This report includes participants from the Asia Pacific region, which was not represented in the previous report. (n=405)

Use of indexes

This report compiled seven indexes to measure the significance or impact of risks, effectiveness measures, or incident rates across participants, compare results across demographic or other categories, and for correlation and comparative analysis. Each index averages data across the relevant set of questions.

The indexes are:
- Compliance Index
- Business Process Index
- Incident Rate Index
- Strategic Effectiveness Index
- Support Effectiveness Index
- Delivery Effectiveness Index
- Security Effectiveness Index


End notes

1 World Economic Forum. Global Risks 2007: A Global Risk Network Report. (Geneva. January, 2007), p 8.

2 Bureau of Economic Analysis. National Economic Accounts: Private Fixed Investment in Equipment and Software by Type. (Washington DC. November, 2007), Table 5.5.5U.

3 Symantec Corporation. IT Risk Management Report, Volume 1. (Cupertino, CA. February, 2007), Table 1, p 8.

4 Sharon Gaudin. T.J. Maxx Security Breach Costs Soar to 10 Times Earlier Estimate, Information Week. (Manhasset, NY: CMP Media LLC. August 15, 2007).

5 Jeremy Kirk. Estonia Recovers from Massive Denial-of-Service Attack, NetworkWorld. (Boston: IDG. May 17, 2007).

6 Deborah Gage and Kim S. Nash. We Really Did Screw Up, Baseline. (New York: Ziff Davis. May 14, 2007).

7 Tom Young. HMRC fiasco places data protection under the spotlight, Computing. (London: Incisive Media Ltd. November 29, 2007).

8 Symantec Corporation. Internet Security Threat Report Volume XII. (Cupertino, CA. September, 2007).

9 Symantec Corporation. Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers' Financial Gain, press release. (Cupertino, CA. March 19, 2007).

10 Dr. Larry Ponemon and Vontu, Inc. 2007 Consumer Survey on Data Security. (Traverse City, MI: Ponemon Institute. June 25, 2007).

11 InfoWatch. Global Data Leakage Survey 2006. http://www.infowatch.com/threats?chapter=162971949&id=207784626 (Moscow: February 15, 2007).

12 Tom Young, op. cit.

13 Ponemon and Vontu, op. cit.

14 Symantec Corporation. Stop Data Leakage Now, article. (Cupertino, CA. April 17, 2007). http://www.symantec.com/business/library/article.jsp?aid=stop_data_leakage

15 Lawrence D. Dietz, Esq. International Implications of Sarbanes-Oxley: What every IT Professional Should Know. (Cupertino, CA: Symantec Corporation, October 13, 2006).

16 A Balanced Approach to MiFID Compliance. (Cupertino, CA: Symantec Corporation, March, 2007).

17 IT Policy Compliance Group. Why Compliance Pays: Reputation and Revenues at Risk. http://www.itpolicycompliance.com/research_reports/pdf_management/read.asp?ID=10 (July, 2007), p 1.

18 A Chronology of Data Breaches. (San Diego, CA: Privacy Rights Clearinghouse). www.privacyrights.org/ar/ChronDataBreaches.htm

19 Scott Dynes, Eva Andrijcic, and M. Eric Johnson. Costs to U.S. Economy of Information Infrastructure Failures, forthcoming in Proceedings of the Fifth Workshop on the Economics of Information Security. (Hanover, NH: Dartmouth College Institute for Security Technology Studies, 2007). http://www.ists.dartmouth.edu/library/207.pdf

20 Ji grim. IT Risk Management: Rising to the Top of CIO Agendas, CIO Magazine, insert. (Framingham, MA: IDG. December 1, 2007).

21 IT Policy Compliance Group. op. cit., p 23.

22 suy gupt. ITIL Adoption. E-business Blog. http://www.li56.com (Los Angeles: Li56.com, October 13, 2006).

23 O'Neill, P. ITIL Adoption Accelerating in IT Service Management, teleconference. (Cambridge, MA: Forrester Research, Inc. 2006).

24 Office of Government Commerce. Best Practices for Service Support. ITIL: the Key to Managing IT Services. (Norwich: The Stationery Office, 2002), p 95.

25 Douglas G. Hoffman. Managing Operational Risk: 20 Firmwide Best Practice Strategies. (New York: John Wiley and Sons, Inc., 2002), p xxii.

26 Cushing Anderson. Information Security and Availability: The Impact of Training on IT Organizational Performance. (Framingham, MA: IDC, sponsored by Symantec Corporation. June, 2007).


NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S. call toll-free

Symantec Corporation World Headquarters
20330 Stevens Creek Boulevard
Cupertino CA 95014 USA

1/08 12818026

Confidence in a connected world.