Enterprise Risk Management Overview of InfoSec Risk Assessment

1. Enterprise Risk Management The rising importance of ERM and the Information Security Practice Harry Contreras – CISSP/6Sigma IT Security Manager – at a Fortune 500 company

4. The Definition of ERM Enterprise Risk Management Risk management is fundamental to management The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has presented the definition that has been widely referenced and accepted. Enterprise Risk Management is a process affected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity. It provides a framework to manage risk according to the organization’s appetite and offers reasonable assurance regarding the achievement of its objectives. 1 1 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework: Executive Summary , 2004

6. Definitions - what are we dealing with here? Risks, Threats and Vulnerability Not all threats pose the same level of risk. Risk (noun) – Possibility of loss or injury. Someone or something that creates or suggests a hazard. The chance that an investment will lose value. Threat (noun) – An expression of intention to inflict evil, injury or damage. An indication of something impending. Vulnerability (noun) – Is a state or defect of situation or an asset that could be exploited to create loss or harm. Operational Risk (OR) – The Basel Committee on Banking Supervision defines OR as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.“ 1 Examples of OR include: fraud either by external parties or employees; workplace safety and employment practices; client, product and business practices; damage to physical assets; business disruption and system failures; and losses from failed transaction processing or from trade with vendors.

7. Limiting the Scope What are Enterprise Business Risks? Economic risks – Oil prices/energy, supply interruptions. US current account deficit or fall in US$. Fiscal crises caused by demographic shift. Asset prices rise, excessive indebtedness. Environmental risks – Climate changes. Loss of freshwater services. Natural catastrophes, tropical storms, Earthquakes or inland flooding. Geopolitical risks – International terrorism, Interstate or civil wars. Instability of failed or failing states. Transnational crime. Societal risks – Pandemics, infectious diseases in the developing world. Chronic diseases in the developed world. Liability regimes. Technical risks – Breakdown of critical information infrastructure (CII). Emergence of risks identified in technologies implemented as products, services, or processes within the enterprise. Global or Macro Level Risks

8. Interpreting Business Risk Where does IT Risk come from? Marketplace – Where a company operates will shape its business environment including political, regulatory, market forces and any labor conditions it faces. Financial model – How a company structures its financial strategy will shape its risk tolerance for the changing money market conditions it faces. Operational Model – How a company chooses to define the way it operates will determine how it functions and business units work together. Organizational Model – How a company is organized to deploy, develop and retain its people for continuity of internal services. “ Volatility” is the catalyst for risk – The condition where things can change rapidly, dramatically, and sometimes unexpectedly. Risks impact the business across multiple enterprise structures

9. Limiting the Scope What falls within IT Risk Issues? Operational - Risks arising from internal business operations that are generally mitigated through internal controls or processes. Hazard – Risks arising from adverse events that result in property damage and liabilities. Some of these are generally insurable. Strategic – Risks arising from external competition, market environment, and regulatory events that can damage or enhance a company’s growth track and shareholder valuation. Financial – Risks arising from fluctuations in financial market prices that generally are hedged using financial instruments. Human Capital – Risks arising from challenges to personnel, leadership and systems used to attract, develop motivate and retain the resource labor pool. The information security triad of Confidentiality, Integrity and Availability directly map to the aforementioned areas of risk .

13. Risk Ranking Ranking Risk - Likelihood and Impact Associating Risk to Action Imperatives. Axis 1 - Likelihood Axis 2 – Business Impact An *industry example of a risk assessment matrix for ranking risk. *Marsh Risk Consulting Practice - Operational Risk Focus

14. What to do with Identified IT Risks Options for handling IT Risks Burying you head in the sand – not an option. Accept or Retain the identified risk. The risk is unlikely or impact does not warrant any further action, the company simply decides to bear any recovery costs. Avoid or Reject the risk. When costs of likelihood of the risk are great, it is not feasible to continue in that area of activity – product, process or geography. Transfer or Share the risk. When risk is part of the business operation and cost is predictable then the company may elect to insure, warranty or contract (outsource). Mitigate or Reduce the risk. The identified risk(s) are core to the business and the implementation of controls are applied to reduce likelihood and impact to the business. Ignore the risk. A identified option of choice to consciously do nothing. It carries with it the potential for catastrophic business impact and serious legal repercussions.

18. High Security in a perfect world. Minimal security defenses needed to defend from outsiders . Security in the real world . Maximum security defenses needed to defend from outsiders and insiders . Direct Risk Mitigation (Result) Indirect Risk Mitigation (Result) Residual Risk (Acceptable) Direct Risk Mitigation (Result) Indirect Risk Mitigation (Result) Residual Risk (Acceptable) Investment Investment Low Illustration of Risk Mitigation Relationship to Defense Efforts and Results Risk Modeling to Security “Buy-Down” Concept The Business Security Umbrella Model - Risk Scale to Security Spend. ©

19. High Security in a perfect world. Minimal security defenses needed to defend from outsiders . Security in the real world . Maximum security defenses needed to defend from outsiders and insiders . Direct Risk Mitigation (Result) Indirect Risk Mitigation (Result) Residual Risk (Acceptable) Direct Risk Mitigation (Result) Indirect Risk Mitigation (Result) Residual Risk (Acceptable) Investment Investment Low Illustration of Risk Mitigation Relationship to Defense Efforts and Results Risk Modeling to Security “Buy-Down” Concept The Business Security Umbrella Model - Risk Scale to Security Spend. ©

22. A Never Ending Process Annual “Best Practice” Activity As companies embrace ERM approaches and Practice this activity at least annually, then they should observe an improving risk index year over year. This activity raises awareness corporately on the risk tolerance state of the enterprise. Institutionalizing a successful and repeatable InfoSec process to protect the enterprise.

25. IT Security Practitioner - *Commentary Marcus Sachs – Director, SANS ISC “ Security is about risk management.” “ There’s no way to patch every vulnerability, so which ones do you go after? One good approach is [to look at] which ones the threats are most likely to go after.” “ There is no such thing as perfect security. Just try to manage it to get to some acceptable level of risk that you are willing to live with.” * Information Security Magazine, February, 2008

27. Presentation Conclusion Question and Answers This material copyrighted – 2008.