IT Risk Management, Planning and Mitigation
TCOM 5253 / MSIS 4253 Introduction to Risk Management
30 August 2007
Charles G. Gray
(c) 2007 Charles G. Gray
Underlying Premise of this Course
• Risk cannot be eliminated entirely. It can only be managed down to an acceptable level.
• Residual risk is what is left over after you have done all that you can.
What is “Risk”?
• Potential for damage to, or loss of:
  • People
  • Facilities
  • Equipment and materials
  • Information
  • Activities and operations
  • Corporate “reputation”
  • Any activity with “positive value” to the owner

Growth of Security Incidents
(chart not reproduced)
Notes on Previous Slide
• Source: CERT Coordination Center (CERT/CC), Carnegie Mellon University, January 2004
• Incident: a reported security attack that may involve one site or thousands of sites
• Vulnerability: an identified weakness in a software program (usually followed by a patch)
Worldwide Security Spending
(chart not reproduced)

Definitions
• Threat
  • A potential cause of an unwanted impact to a system or organization
  • The intention and capability of an adversary to undertake actions detrimental to an asset owner
• Vulnerability
  • Any weakness, administrative process, act or physical exposure that makes an “asset” susceptible to exploitation by a threat or adversary

Significant Security Threats
(chart not reproduced)
Some Examples
• Eli Lilly (2001): disclosed the e-mail addresses of about 600 Prozac.com users, resulting in:
  • A 20-year consent decree with the FTC
  • An annual independent review of its security program (which Lilly must pay for)
• CardSystems Solutions (June 2005): a breach exposed some 40 million Visa, MasterCard, American Express and Discover card records
  • Millions of cards had to be reissued
  • Visa and American Express terminated their contracts
  • A 20-year consent decree with the FTC
  • An independent security audit every two years for 20 years
  • Potential liability for millions of dollars in private suits
New Risk Categories Emerging
• Business interconnectedness (extranets)
  • Suppliers, partners, customers (e.g., Wal-Mart’s supplier network)
  • Increased dependencies and exposures
• Regulatory compliance
  • Sarbanes-Oxley (and many other rules)
  • New regulatory schemes aimed at reducing abuses and punishing abusers
• Consumer demand for privacy protection
  • HIPAA and other new privacy laws
• Rising cost of IT failures (Comair cancelled all of its flights on Christmas Day 2004 after its crew-scheduling system failed)
Risk Management Defined
• A systematic, analytical process to consider the likelihood that a threat will harm an asset or individual, and to identify actions to reduce the risk and mitigate the consequences of an attack.
• All risk cannot be eliminated, but it can be reduced by enhancing protection from known potential threats.
(Source: GAO testimony, R. G. Decker, 12 October 2001)

Risk Analysis
• Convert risk data into risk decision-making information
• Planning is the key to successful risk mitigation
  • Develop actions (plans) to address individual risks
  • Prioritize risk actions
  • Create an integrated risk management plan
Some Organizations Involved
• National Institute of Standards and Technology (NIST)
  • Risk Management Guide for Information Technology Systems (SP 800-30)
  • Security Self-Assessment Guide for Information Technology Systems (SP 800-26)
• Committee on National Security Systems (CNSS)
• International Organization for Standardization (ISO)
  • Code of Practice for Information Security Management (ISO/IEC 17799)
• IETF: Internet Security Glossary (RFC 2828), terms and definitions
• IT Governance Institute
  • Control Objectives for Information and Related Technology (COBIT)
Control Objectives for IT (COBIT)
• Mission: to research, develop, publicize and promote an authoritative, up-to-date international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors

COBIT
• Currently in its fourth edition (COBIT 4.0, December 2005)
• Helps decide the level of security and control necessary to protect a company’s assets
• 34 high-level control objectives (one per IT process)
• 215 detailed control objectives, grouped in four domains:
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate
“Selling” the Risk Management Concept
• Prepare an impact statement for each asset (easier said than done)
  • Clear and concise
  • Show the relative importance of one or more assets
  • Explain how risk management can help to protect each asset
• Identify threats and adversaries
  • Intent, capability and motivation
The RM Steering Committee
• Senior management
  • CEO, COO, CFO
  • CIO
• Information System Security Officer (ISSO)
• Business and functional managers
• System and information owners
• Network architects and planners
• Risk assessment professionals

The Risk Management Team
• CIO (the “champion”)
• ISSO (the team leader??)
• IT security practitioners
  • Network/system/database administrators
  • Computer specialists
  • Security analysts
• Policy developers (must include HR)
• Security and IT auditors
• Systems administrators
• Representatives from selected business partners

Critical Success Factors
• Executive sponsorship
• Well-defined list of stakeholders
• Organizational maturity
• Atmosphere of open communication
• Spirit of teamwork
• Holistic view of the organization
• Risk Management Team authority
  • Must be able to implement security measures

Executive Sponsorship
• Unambiguous and enthusiastic support
• Delegation of authority to act
• Support for participation by all staff as required
• Allocation of sufficient resources
• Energetic support for the risk management process
• Participation in the review and findings of the risk management team

Stakeholders
• Who has a “vested interest” in the outcome of the risk management process?
  • Core team and executive sponsors
  • “Owners” of the business assets that will be evaluated
  • Business partners, suppliers
• Could customers or stockholders ever participate as “stakeholders”?
Organizational Maturity
• Is there any existing risk management process?
  • Formal?
  • Informal/ad hoc?
  • A recent poll found 42% of respondents had no documented security policy
  • 18% of those who do have a policy provide no employee training
  • Does it respond only to specific threats or security issues?
• Don’t try to do too much at one time

Open Communications
• Balance “need-to-know” with “free flow” of information
  • Compartmentalization
• Free flow of information within the team and between stakeholders
  • Reduces misunderstandings and wasted effort
  • All team members can contribute
  • Reduces uncertainties

Teamwork
• Relationships between team members are critical
• Strong team spirit enhances the success of the process
• Strong teamwork with the business unit “owners” and other stakeholders
• Demonstrate the business value of the risk management team to individual managers

Holistic View of the Organization
• “What is good for the goose is good for the gander” – NOT!
• Consider the benefit/effect of RM on the entire organization
• Balance all business unit needs
• Overcome the “NIMBY” syndrome
  • “I’m not changing” (unless it makes my operation better)
• Overcome preconceived “solutions”

Authority to Act
• Authority to make changes must be delegated from senior management
  • Implement controls for risk mitigation
  • Empowered to meet the commitments assigned
  • Resources adequate for the mission
• The team is responsible for its decisions
  • Understand the limits of its authority
  • Escalation path for issues outside that authority

Integrate IT and Corporate RM
• IT RM must be incorporated into the overall enterprise RM plan
• A security or technical incident can “jump over” the IT wall and become a corporate problem, affecting:
  • Customer retention
  • Company stock price
  • Regulatory scrutiny
  • Corporate image / reputation
  • Future business lost
Coping with IT Risk
• Transfer
  • Buy insurance
• Acceptance
  • Willing assumption of a known risk
  • Usually known as “self-insurance”
• Avoidance
  • May mean dropping a product or exiting a market (e.g., asbestos insulation)
• Mitigation
  • Reduction of the risk or its consequences
  • The only viable strategy for IT RM
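The prioritization step on the Risk Analysis slide and the four treatment options on this slide can be worked through with a small quantitative risk register. The Python below is an added example written for this page, not part of the original course material. It assumes the standard quantitative formula ALE = SLE × ARO (annualized loss expectancy as single loss expectancy times annualized rate of occurrence), which the slides do not define, and models each control as removing a fixed fraction of the remaining ALE; the assets, threats, dollar figures, control costs and effectiveness fractions are constructed sample data, not real estimates.

```python
"""Quantitative risk register: rank risks by annualized loss expectancy (ALE)
and pick a treatment per risk (mitigate, transfer, avoid, or accept the residual).

Added example. Assumes ALE = SLE * ARO; every figure below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    treatment: str        # "mitigate", "transfer" or "avoid"
    annual_cost: float    # what the control costs per year
    effectiveness: float  # fraction of the remaining ALE it removes, 0.0..1.0


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float  # single loss expectancy: loss per occurrence, in dollars
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Annualized loss expectancy before any controls are applied."""
        return self.sle * self.aro


def prioritize(register: List[Risk]) -> List[Risk]:
    """Largest expected annual loss first: the order in which to work the plan."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def residual_ale(risk: Risk, controls: List[Control]) -> float:
    """Residual risk after controls; each control removes a fraction of what remains."""
    remaining = risk.ale()
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return remaining


def plan_treatment(risk: Risk, candidates: List[Control],
                   appetite: float) -> Tuple[List[Control], float, str]:
    """Greedy selection: repeatedly add the candidate whose annual risk reduction
    exceeds its annual cost by the most, stopping when the residual ALE is within
    the owner's appetite or no remaining control pays for itself.

    Returns (chosen controls, residual ALE, decision)."""
    chosen: List[Control] = []
    remaining = list(candidates)
    residual = risk.ale()
    while residual > appetite and remaining:
        best = max(remaining, key=lambda c: residual * c.effectiveness - c.annual_cost)
        if residual * best.effectiveness - best.annual_cost <= 0:
            break  # the best next step costs more than the loss it prevents
        chosen.append(best)
        remaining.remove(best)
        residual *= 1.0 - best.effectiveness
    if residual <= appetite:
        decision = "accept residual"
    else:
        decision = "residual above appetite: escalate (formal acceptance or avoidance)"
    return chosen, residual, decision


# Constructed sample register (illustrative figures only).
REGISTER = [
    Risk("web storefront", "SQL injection exposing stored card data", sle=2_000_000, aro=0.10),
    Risk("crew scheduling system", "capacity failure during peak travel", sle=20_000_000, aro=0.02),
    Risk("field laptops", "theft of an unencrypted laptop", sle=50_000, aro=2.0),
]

# Constructed candidate controls for the storefront risk (hypothetical costs and effects).
STOREFRONT_CONTROLS = [
    Control("parameterized queries + WAF", "mitigate", annual_cost=40_000, effectiveness=0.80),
    Control("cyber-liability insurance", "transfer", annual_cost=25_000, effectiveness=0.50),
    Control("tokenize payments; store no card data", "avoid", annual_cost=90_000, effectiveness=0.95),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.ale():>12,.0f}  {r.asset}: {r.threat}")
    storefront = REGISTER[0]
    for appetite in (20_000, 50_000):
        chosen, residual, decision = plan_treatment(storefront, STOREFRONT_CONTROLS, appetite)
        print(f"appetite {appetite:,}: {[c.name for c in chosen]} -> residual {residual:,.0f}; {decision}")
```

With the constructed figures the mitigation control is picked first because it buys the most reduction per dollar; whether the remaining 40,000 per year is then accepted or escalated depends only on the owner's stated appetite, which is the decision the slide's "acceptance" option formalizes. If the mitigation were unavailable, the same routine selects the avoidance option (stop storing card data) because it then has the best net benefit. Insurance is modeled here as reducing financial impact, not the likelihood of the event.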
Summary
• Defined “risk”, “threat” and “vulnerability”
• Tremendous growth in security “incidents”
• Worldwide spending on security is growing
• New risk categories are emerging
• Numerous organizations are involved in RM
• The RM team must have senior management support
• A number of critical success factors
• IT and corporate RM must be integrated

For Next Week
• http://www.microsoft.com/technet/security/guidance/secrisk/srsgch02.mspx