IT Risk Management

+

IT Risk Management
Information Security & Privacy Conference - Paris
Christopher Muffat
16 February 2012

© SecRisk Consulting Ltd – Christopher Muffat 2012

+
Agenda

 Overview
 Why Care About IT-related Risk?
 IT Incidents: the Quiz (IT Happened!)
 What’s IT Risk?
 How to manage it?

 Threat & Incident Management
 Insight 2011: Verizon Study
 The Challenge – Visibility on complex IT Infrastructure.
 Internal Threat
 External Threat
 Fraud & Investigation

 IT Risk Governance
 IT Risk : the Technology Centric legacy.
 Integrating IT Risk within ERM
 IT Risk Management: the Hidden Benefit

 Question ?


+ Overview
IT Risk Management


+
Overview
Why Care About IT-related Risk?

 Enterprises are dependent on IT

 Need to cross IT silos of risk management

 Important to integrate with existing levels of risk
management practices


+
Overview
Why Care About IT-related Risk?

 An IT risk management program is crucial in not only managing
the enterprise's exposure to risks, but also improving
overall business decision making.

 Enterprises must periodically assess and continuously
improve their risk management maturity levels.


+ Overview
Getting visibility on IT Risk


+
Overview
IT Risk Management: What?
Visibility on IT Risk.

 The domain of IT Risk can be visually represented as 4 intersecting landscapes of:

 Threat
 Asset
 Impact
 Control

 understand and manage risk
The organization’s capability to requires
information from each landscape.
 Security metrics, then, should create knowledge that improves
management’s capability to make decisions and execute on them.


+
Overview
IT Risk Management: What?
Visibility on IT Risk.

 Business Impact  IT Control
 Operational  Preventative
 Legal  Detective
 Reputation  Limitative

 Asset Landscape:  IT Threat
 Information  Compromising Integrity
 IT Infrastructure  Confidentiality
Involving Data Breach
 Business Processes
 Availability
Disruption of IT Services


+
Overview
IT Risk Management: How?
3 Essentials Activities

 Risk Governance
 Responsibility and accountability for
risk
 Risk appetite and tolerance
 Awareness and communication
 Risk culture

 Risk Evaluation
 Risk scenarios
 Business impact descriptions

 Risk Response
 Key risk indicators (KRIs)
 Risk response definition and
prioritization


+
Overview
Standards and Frameworks.

 Type of Standards and
Frameworks available:
 Enterprise risk management
oriented
 IT Security oriented
 Hybrid: Risk-IT (ISACA)


+
Overview
e-GRC: From tactical to strategic tool

 The e-GRC platform market has
expanded from a tactical focus on
regulatory compliance to a strategic
focus on enterprise risk
management.

 Many vendors are looking toward the
next market phase, which includes
adding or integrating with business
performance management and score
carding capabilities.

Source: Gartner


+ Overview
IT Risk Incident: The QUIZ


+
Overview
IT Risk Management: IT Happened
Rogue & Unauthorized Trading

2011: Rogue trader has caused it an 2008: The trading loss incident for
estimated loss of €2 billion, stunning breach of trust, forgery and
a beleaguered banking industry that unauthorized use of the bank's
has proven vulnerable to computers.
unauthorized trades.

 Financial Loss: €2 Billions  Financial Loss: €5 Billions
 Reputation impact: *****  Reputation impact: *****


+
Overview
Data leakage

2010: Worldwide electronic leader 2008: Failing to properly manage
had to interrupt its gaming network the risks associated with the security
during 23 days, due to hacking acts, of customer information, in the
due to data leakage of 100 millions context of an outsourcing program
client accounts, 58 claims. in South Africa.

 Financial Loss: €130 M  Financial Loss: €2 M (FSA Fine)
 Reputation impact: *****  Reputation impact: **


+
Overview
Information System Failure

2010: One of Singapore's largest banks,
2010: Industrial Average of one of the G8
suffered a major IT system crash country plunged about 1000 points (around
affecting the bank’s commercial and consumer 9%), only to recover flash crash losses within
banking systems. The bank has been minutes, due unusual sell of E-Mini
blamed by the Monetary Authority of
S&P 500 contracts and high-frequency
Singapore insufficient
(MAS) for trades.
oversight of the maintenance,
functional and operational practices and
controls employed by its provider IBM.
 Financial Loss: US stock market Flash Crash
 Financial Loss: €135 M  Reputation impact: n/a
 Reputation impact: ***


+
Overview
Data theft and Insider threat

2009: Personal details of 24000 2008: One of the largest worldwide
Private Bank clients have been stolen and bank had lost a CD containing 180’000
given to the French tax authorities costumers’ information and have been
by Herve Falciani, an IT specialist. FINMA fined by the FSA more than £3m for
has reprimanded the bank for failing to adequately protect
deficiencies in its internal organization confidential details from being lost or
and IT controls. stolen. Lack of training, lack of IT
security (no data encryption) have been
highlighted as the main issue.
 Financial Loss: Unknown
 Financial Loss: €3,5 M (FSA Fine)
 Reputation impact: *****
 Reputation impact: ****


+ Threat & Incident Management
The Challenge: Visibility and Traceability


+
Threat & Incident Management
The Challenge: Visibility and Traceability

 IT Threats’ visibility and traceability challenge the IT Risk & IT Security
professionals due to complex IT environment and evolved attacks.

 Understanding how the workstation, servers, network and application are is
used, having a consolidated view and dashboard of the overall IT Risk posture
is not an out-of-the-box tool.

 Knowing threats and risks to the infrastructure requires a detailed,
structured and/or correlated Information System’s logs.

 Business-critical visibility into specific behaviors by end users for effective
remediation by your security and operations teams is mandatory to ensure a
reliable incident management service.


+
The Challenge: Visibility and Traceability on Threats

 The different type tools:
 External Threat:
 Firewall
 Intrusion Prevention System (IPS)

 Internal Threat:
 Antivirus
 DLP
 Desktop monitoring (Nexthink)

 Incident: Fraud & Investigation:
 SIEM
 Forensics (Encase)


Technical Solution


+
External Threat
Enterprise Network Firewall

The enterprise network firewall market is one of the
largest and most mature security markets.

Network Firewall Leaders:
 Juniper Network
 Checkpoint Software
 Cisco
 McAfee
 Fortinet
 Palo Alto Networks

The enterprise network firewall market has
entered an evolutionary period, as disruption
is brought on by increasingly sophisticated
and targeted threats, virtualization, and
business process changes.


+
External Threat
Network Intrusion Prevention System (IPS)

Network intrusion prevention systems (IPSs) can
detect and block attacks, and can act as
prepatch shields for system and application. IPSs
include intrusion detection as a subset of
capabilities, and have long since eclipsed the
detection-only market

Network IPS Leaders:
 Tipping Point
 McAfee
 Source Fire
 Cisco
 Juniper Network

The network IPS market continues to mature
and evolve, and has become a due-diligence
safeguard. Evolving threats mean that
vendors that stand still risk becoming irrelevant


+
Internal Threat
Malware

Malware effectiveness continues to
accelerate, while vendors are busy polishing
increasingly ineffective solutions and doing
little to fundamentally reduce the attack surface
and protect users.

Antivirus Leaders:
 Symantec
 McAfee
 Trend Micro

Vendors did not show considerable movement
since couple of years. Malware detection
accuracy has not improved significantly, while
malware is improving in efficiency and
volume.


+
Internal Threat
Data Loss Prevention (DLP)

The Data Loss Prevention market has gone
through a significant shift. Vendor consolidation
has slowed, and the market has bifurcated into
“high-end” enterprise capabilities and “low-end”
channel capabilities offering more choices to
organizations of all sizes and needs.

DLP Leaders:
 Symantec
 McAfee
 Websense
 RSA

DLP Strategy should address the
fundamental question: Will channel
DLP be sufficient to address the
sensitive data requirement?


+
Fraud & Investigation
Security Information Event Management (SIEM)

Broad adoption of SIEM technology is driven by both security
and compliance needs. Targeted attack discovery requires
effective user activity, data access and application activity
monitoring.

SIEM Leaders:
 HP/ArcSight
 RSA Envison
 Q1 Labs
 Symentec
 Loglogic

SIM - Security Information Management: log management
and compliance reporting.

SEM - Security Event Management: real time monitoring and
incident management for security-related event from
network, security devices, systems and applications.

SIEM provides a mix of compliance and threat
management capabilities but remains difficult to implement
within complex IT environment.


Insight


+
Insight 2011

 How do breaches occur?  Who is behind data breaches?
 XX% utilized some form of hacking  XX% stemmed from external agents
 XX% incorporated malware  XX% implicated insiders
 XX% involved physical attacks  X% involved multiple parties
 XX% resulted from privilege misuse  <X% resulted from business partners
 XX% employed social tactics

 What commonalities exist?
 XX% of victims were targets of opportunity
 XX% of attacks were not highly difficult
 XX% of all data was compromised from
servers
2011 Study  XX % were discovered by a third party
 XX% of breaches were avoidable through
Source: Verizon simple or intermediate controls


+
Insight 2011

 How do breaches occur?  Who is behind data breaches?
 50% utilized some form of hacking  92% stemmed from external agents
 49% incorporated malware  17% implicated insiders
 29% involved physical attacks  9% involved multiple parties
 17% resulted from privilege misuse  <1% resulted from business partners
 11% employed social tactics

 What commonalities exist?
 83% of victims were targets of opportunity
 92% of attacks were not highly difficult
 76% of all data was compromised from
servers
2011 Study  86 % were discovered by a third party
 96% of breaches were avoidable through
simple or intermediate controls


+ Governance
IT Risk Management


+
IT Risk Governance
IT Risk : the Technology Centric legacy

 The technology centric legacy brought IT Risk above the ITO (Chief Information
Risk Officer), which does not allow an easy way to understand the business
risk requirements.

IT Operation Risk Management

Business Operational Internal
IT Risk IT Security
Continuity Risk Control


+
IT Risk Governance
Integrating IT Risk within ERM

 Good business
security and risk management requires mature
continuity management, compliance, identity and access
management, information security management,
privacy, and risk management practices.


+
IT Risk Governance
Integrating IT Risk within ERM

 Improvements in maturity across this 6
security and risk management
domains means moving beyond a technology-centric approach to one that
takes into account the enterprise's business requirements and
associated risks.

Risk Management
Information Security Compliance

Privacy Identity & Access Management Business Continuity


+
IT Risk Governance
the Hidden Benefits

 As maturity improves on IT Risk programs (based on the 6 security and risk
areas), the risk posture of the organization also improves, leading to reduced
costs and improved performance.

 Reaching the highest level of program maturity may not be possible,
but continuous process improvement to advance maturity levels is
possible and necessary.


Any Question?
+ IT Risk Management


Thanks
+ Christopher Muffat
christopher.muffat(at)gmail.com
LinkedIn: http://uk.linkedin.com/in/informationsecurityrisk
Twitter: https://twitter.com/#!/TheDataBreach


IT Risk Management

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Recently uploaded

Recently uploaded (20)

IT Risk Management