This presentation was given at the ISRM Conference in Las Vegas (September 2010). It shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and IT need to embrace that new frontier.
1. From Technology Risk to Enterprise Risk: The New Frontier
Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
General Manager
Entel Security & Risk Management
rgallego@entel.es
4. Definitions
frontier
noun
• the farthermost limits of knowledge or achievement in a particular subject
• a line of division between things <the frontiers separating science and the humanities — R. W. Clark>
• a new field for exploitative or developmental activity
frontierless adjective
ORIGIN late Middle English: from Old French frontiere, based on Latin frons, front- ‘front.’
5. What is risk?
• An inherent part of any activity
• Impractical to eliminate totally
• The risk equation includes: value, threats, vulnerabilities, impact, ...
6. Some facts
• 36% of companies do not know the threats that they are exposed to
• 24% admit that the organization lacks the procedures that would allow them to manage those threats
• 19% acknowledge that they do not have the tools to analyze and control risks
Source: Merrill Lynch CISO Survey, Deloitte 2009 Security Survey
7. The changing face of risk
• Risk is the level of exposure to uncertainties that an organization must understand and manage effectively while performing its duties to achieve objectives and create value
• The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals
8. What type of risks are we facing?
• Different categories: reputational risk, project management risk, provisioning risk, HR risk, hygienic risk, fraud risk, legal risk, environmental risk, operational risk, financial risk, TECHNOLOGY RISK, ...
• Related to:
– its origin
– a specific activity, an event or an incident
– its consequences or impact
– a reason
– protection mechanisms or countermeasures
– time of occurrence
10. What can we do with risk?
• Transfer risk
• Tolerate or accept
• Terminate the activity
• Treat risk
11. Technology risk management
• Part of Global Risk Management
• Focused on an efficient balance between opportunities and losses
• Needs a risk analysis combined with a business impact analysis (BIA)
12. Implementing Risk Management
• Five core processes:
– Definition of scope
– Risk analysis
– Risk treatment
– Risk communication
– Monitor and review
13. Framework for a risk analysis
• Start a value analysis
• Consider aggregated risk
17. Risk Analysis
• Can be quantitative or qualitative
• Works at multiple levels
• Visibility across the company
• Management support is instrumental
18. The value of assets
• Value at Risk (VAR)
• Single Loss Expectancy (SLE)
• Annualized Loss Expectancy (ALE)
• Exposure Factor (EF)
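A worked computation of the SLE, ALE and EF figures named on this slide, carried through to the four treatment options of slide 10 (transfer, tolerate, terminate, treat). This is an added Python example, not part of the original deck. It uses the standard textbook relations SLE = AV × EF and ALE = SLE × ARO; the asset value, exposure factors, ARO, control cost, insurance premium, risk appetite and activity value are constructed sample figures, and treating the insurance premium as buying full cover is an assumption of this example.

```python
"""Quantitative risk analysis figures (SLE, ALE, EF) and a cost/benefit view
of the four treatment options: transfer, tolerate, terminate, treat.

Added example; all monetary values and factors are constructed sample data.
Formulas used (standard textbook definitions):
    SLE = AV x EF      single loss expectancy
    ALE = SLE x ARO    annualized loss expectancy
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; reject impossible exposure factors early."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def evaluate(scenario: Scenario) -> dict:
    """Return SLE and ALE for one scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return {"asset": scenario.asset, "SLE": sle,
            "ALE": annualized_loss_expectancy(sle, scenario.aro)}


def control_net_benefit(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> float:
    """Annual value of a control = ALE reduction it buys minus what it costs."""
    return (ale_before - ale_after) - annual_control_cost


def recommend_treatment(ale_before: float, ale_after: float, annual_control_cost: float,
                        insurance_premium: float, risk_appetite: float,
                        activity_value: float) -> str:
    """Pick one of the four options from slide 10 by expected annual cost.

    terminate: the activity's expected loss exceeds the value it creates
    tolerate:  inherent ALE is already within the stated risk appetite
    treat:     control cost plus residual ALE is the cheapest remaining option
    transfer:  the premium is cheaper (assumption: the premium buys full cover)
    """
    if ale_before > activity_value:
        return "terminate"
    if ale_before <= risk_appetite:
        return "tolerate"
    options = {
        "tolerate": ale_before,                    # accept and carry the loss
        "treat": annual_control_cost + ale_after,  # pay for control, carry residual
        "transfer": insurance_premium,
    }
    return min(options, key=options.get)


# Constructed scenario: a customer database before and after encryption + DLP
BEFORE = Scenario("customer-db", asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
AFTER = Scenario("customer-db", asset_value=2_000_000, exposure_factor=0.05, aro=0.5)
CONTROL_COST = 60_000        # per year (constructed)
INSURANCE_PREMIUM = 150_000  # per year (constructed)
RISK_APPETITE = 20_000       # max ALE accepted without action (constructed)
ACTIVITY_VALUE = 5_000_000   # annual value the activity creates (constructed)


def worked_example() -> dict:
    before, after = evaluate(BEFORE), evaluate(AFTER)
    return {
        "ALE_before": before["ALE"],
        "ALE_after": after["ALE"],
        "net_benefit": control_net_benefit(before["ALE"], after["ALE"], CONTROL_COST),
        "decision": recommend_treatment(before["ALE"], after["ALE"], CONTROL_COST,
                                        INSURANCE_PREMIUM, RISK_APPETITE, ACTIVITY_VALUE),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

With these figures the inherent ALE is 250,000 per year, the control brings it down to 50,000 for a 60,000 annual spend, and the cheapest option is to treat the risk; changing the control cost or the premium in the constants flips the decision to transfer or tolerate, which is the comparison a risk analysis combined with a BIA is meant to make explicit.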
19. Risk Communication
• Communication channels must be created
• Multi-dimensional
• Related with incident & response management disciplines
• Metrics and indicators
25. What is a control?
• An action taken by Management in order to manage risk so that objectives are met
• Preventive, Corrective and Detective
26. CSFs, KGIs, KPIs: what are they?
• CSFs: Critical Success Factors or “vital elements”
• KGIs: Key Goal Indicators or “what” needs to be accomplished
• KPIs: Key Performance Indicators or “how good” the process is behaving
27. Monitor vs. Manage
(Diagram: a four-level ladder rising from MONITOR to MANAGE; the vertical axis is “Value (and cost) provided by systems and applications”)
• Level 1, DATA: Centralize access to data
• Level 2, INFORMATION: Apply business relevance to the content and information to determine business priorities
• Level 3, KNOWLEDGE: Refine, observe, analyze and classify data according to business needs
• Level 4, ACTION: Act with business knowledge, in a single place
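The ladder above, applied to security monitoring events, as an added Python example that is not part of the original deck. It also produces the metrics and indicators that slide 19 asks for. The two event feeds, the asset register, the tool names and the scoring rule (tool severity multiplied by business criticality, with fixed thresholds) are all constructed for this example and are assumptions, not a standard.

```python
"""Monitor-to-manage ladder (DATA -> INFORMATION -> KNOWLEDGE -> ACTION)
applied to security events. Added example: event records, the asset register
and the scoring rule are constructed sample data, not a standard."""
from collections import Counter

# Level 1 input: raw events as two monitoring tools might emit them (constructed)
RAW_IDS = [
    {"tool": "ids", "asset": "db-01", "sev": 4, "text": "SQL error burst from app tier"},
    {"tool": "ids", "asset": "kiosk-07", "sev": 5, "text": "port scan observed"},
]
RAW_EDR = [
    {"tool": "edr", "hostname": "web-03", "severity": "medium", "text": "unsigned binary executed"},
    {"tool": "edr", "hostname": "lab-99", "severity": "high", "text": "credential access attempt"},
]

# Business context (constructed): criticality 1 (low) .. 5 (vital)
ASSET_REGISTER = {
    "db-01": {"owner": "Finance", "criticality": 5},
    "web-03": {"owner": "Sales", "criticality": 3},
    "kiosk-07": {"owner": "Facilities", "criticality": 1},
}

EDR_SEVERITY = {"low": 2, "medium": 3, "high": 5}  # map words onto the IDS 1..5 scale


def centralize(ids_events, edr_events):
    """Level 1 (DATA): one place and one schema for every source."""
    events = []
    for e in ids_events:
        events.append({"source": e["tool"], "asset": e["asset"],
                       "severity": e["sev"], "text": e["text"]})
    for e in edr_events:
        events.append({"source": e["tool"], "asset": e["hostname"],
                       "severity": EDR_SEVERITY[e["severity"]], "text": e["text"]})
    return events


def add_business_relevance(events, register):
    """Level 2 (INFORMATION): attach owner and criticality; flag unknown assets."""
    out = []
    for e in events:
        info = register.get(e["asset"])
        enriched = dict(e)
        if info is None:
            # An asset nobody registered is itself a finding: assume mid criticality.
            enriched.update(owner="unknown", criticality=3, unregistered=True)
        else:
            enriched.update(owner=info["owner"], criticality=info["criticality"],
                            unregistered=False)
        out.append(enriched)
    return out


def classify(events):
    """Level 3 (KNOWLEDGE): score and classify according to business needs."""
    out = []
    for e in events:
        score = e["severity"] * e["criticality"]
        level = "high" if score >= 15 else "medium" if score >= 8 else "low"
        out.append({**e, "score": score, "level": level})
    return out


def build_action_queue(classified):
    """Level 4 (ACTION): one prioritized work list; unregistered assets first among equals."""
    return sorted(classified, key=lambda e: (-e["score"], not e["unregistered"], e["asset"]))


def indicators(classified):
    """Metrics and indicators for risk communication (slide 19)."""
    levels = Counter(e["level"] for e in classified)
    return {"total": len(classified), **levels,
            "unregistered": sum(e["unregistered"] for e in classified)}


def run_pipeline():
    events = centralize(RAW_IDS, RAW_EDR)
    enriched = add_business_relevance(events, ASSET_REGISTER)
    classified = classify(enriched)
    return build_action_queue(classified), indicators(classified)


if __name__ == "__main__":
    queue, kpi = run_pipeline()
    for e in queue:
        print(f"{e['level']:6} {e['score']:3} {e['asset']:9} {e['owner']:10} {e['text']}")
    print(kpi)
```

The point the ladder makes shows up in the output: the IDS rates the port scan on the kiosk as its most severe event, yet once business relevance is applied it falls to the bottom of the queue, while the medium-severity database event rises to the top, and the unregistered host surfaces as a gap in the asset register rather than disappearing into a default.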