Risk Management is more than just Risk Avoidance.
Go beyond IT audits, security assessments, checklists and checkboxes. Join Michael Scheidell, Certified CISO, as you move beyond Risk Assessments and Risk Management into Risk Enablement.
Risk Enablement is the process of developing an Enterprise Risk Management program that facilitates and encourages a strategy of supporting TAKING risks, a requirement of any growing company.
Find out how to build a culture of informed Enterprise Risk Management.
(Related whitepaper at http://blog.securityprivateers.com/2014/03/to-achieve-good-security-you-need-to.html)
7. Who is Responsible for IT Security?
• Not My Job
• CFO
• IT Security
• Network Manager
• CIO
• Dir IT
• CEO
8. Please Stop Calling it Information Security
1. Information Security: usually sits in the IT department, with no visibility into business practices. It revolves around the Information Security Policy and one of several InfoSec frameworks.
2. IT Risk Management: without direct involvement of all stakeholders you can’t allocate resources or determine what to protect and why.
10. From here to there and back again
Risk Management Steps
1. Business Impact Analysis: what will it cost us? Also needed for DRP and BCP.
2. Identify Risks: Governance, Risk, Compliance.
3. Prioritize Mitigation: Budget, Business Impact, Legal.
4. Fund Failure: it will happen. Decide what to do before it happens.
11. Likelihood vs. Consequences (risk rating matrix)
Likelihood: how likely is the event to occur?
Consequences: what is the severity of injuries / potential damages / financial loss?

Likelihood levels:
  Almost certain - Expected in normal circumstances: 100%
  Likely         - Probably occurs in most circumstances: 10%
  Possible       - Might occur at some time: 1%
  Unlikely       - Could occur at some future time: 0.1%
  Rare           - Only in exceptional circumstances: 0.01%

Consequence levels:
  Insignificant - No injuries; no environmental impact; < $1,000 damage
  Minor         - Some first aid; low environmental impact; < $10K damage
  Moderate      - External medical; medium impact; < $100K damage
  Major         - Extensive injuries; high environmental impact; < $1MM damage
  Catastrophic  - Death/major injury; toxic environmental impact; > $1MM damage

Risk rating (likelihood row x consequence column):

                  Insignificant  Minor     Moderate  Major     Catastrophic
  Almost certain  MODERATE       HIGH      HIGH      CRITICAL  CRITICAL
  Likely          MODERATE       MODERATE  HIGH      HIGH      CRITICAL
  Possible        LOW            MODERATE  HIGH      HIGH      CRITICAL
  Unlikely        LOW            MODERATE  MODERATE  HIGH      HIGH
  Rare            LOW            LOW       MODERATE  HIGH      HIGH
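As an added example (not part of the deck), the matrix above can be applied to a risk register: each scenario's estimated annual probability and dollar loss are banded into the slide's likelihood rows and consequence columns, the rating is looked up, and scenarios are ranked by rating with ties broken by expected annual loss (probability times damage, the "what will it cost us" figure from the Business Impact Analysis step). The scenario names come from the deck's own examples; their probabilities and loss figures are constructed for illustration.

```python
# Added example, not from the deck: band probability and dollar loss into the
# slide's rows/columns, look up the rating, rank by rating then expected loss.
LIKELIHOOD_BANDS = [  # (row, probability at which the row starts)
    ("Almost certain", 1.0), ("Likely", 0.10), ("Possible", 0.01),
    ("Unlikely", 0.001), ("Rare", 0.0001),
]
CONSEQUENCE_BANDS = [  # (column, damage ceiling; slide states "< $X")
    ("Insignificant", 1_000), ("Minor", 10_000), ("Moderate", 100_000),
    ("Major", 1_000_000), ("Catastrophic", float("inf")),
]
# Ratings copied from the slide: rows most to least likely, columns least to worst.
MATRIX = {
    "Almost certain": ["MODERATE", "HIGH", "HIGH", "CRITICAL", "CRITICAL"],
    "Likely":         ["MODERATE", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Possible":       ["LOW", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Unlikely":       ["LOW", "MODERATE", "MODERATE", "HIGH", "HIGH"],
    "Rare":           ["LOW", "LOW", "MODERATE", "HIGH", "HIGH"],
}
RATING_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}
# Constructed register: (scenario, annual probability, damage in dollars).
REGISTER = [
    ("Power outage", 0.5, 50_000),
    ("Computer hacking", 0.05, 2_000_000),
    ("Missing backup", 0.2, 500_000),
    ("Organized fraud", 0.0005, 5_000_000),
]

def likelihood_band(p):
    """First row whose starting probability p reaches; below 0.01% stays Rare."""
    for label, start in LIKELIHOOD_BANDS:
        if p >= start:
            return label
    return "Rare"

def consequence_band(damage):
    """First column whose '< ceiling' bound the damage satisfies."""
    for label, ceiling in CONSEQUENCE_BANDS:
        if damage < ceiling:
            return label
    return "Catastrophic"

def rate(p, damage):
    """Matrix lookup: likelihood row x consequence column -> rating."""
    col = [label for label, _ in CONSEQUENCE_BANDS].index(consequence_band(damage))
    return MATRIX[likelihood_band(p)][col]

def prioritize(register):
    """Rank by rating, then by expected annual loss p*damage; yields (name, rating, EAL)."""
    scored = [(name, rate(p, d), p * d) for name, p, d in register]
    return sorted(scored, key=lambda s: (RATING_ORDER[s[1]], s[2]), reverse=True)
```

Note that two scenarios with the same rating can differ by an order of magnitude in expected loss, which is why the ranking keeps the dollar figure as a tie-breaker rather than relying on the matrix colour alone.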
13. Types of Risk Management
Operational Risk
Operational risks exist in every organization, regardless of its size, in any number of forms including hurricanes, blackouts, computer hacking, and organized fraud.
Regulatory and Legal Risk
International, federal, state, local, legal and industry specific: Safe Harbor, GLBA, SOX (Sarbanes-Oxley), HIPAA, PCI.
Financial Risk
The loss of key resources like funding through credit risk, investment risk, liquidity risk and market risk.
Enterprise Risk
Enterprise risk management (ERM) is a framework to reduce earnings volatility through a robust risk governance structure and strong risk culture, supported by sound risk management capabilities.
Unknown Risk
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” Donald Rumsfeld
15. Working With Risks
Risk categories: Enterprise, Operational, Regulatory, Financial
• Strategic Risks
• Preventable Risks
• External Risks
• Acceptable Risks
17. IT-related Risk
Enterprise Risk breaks down into: Strategic Risk, Environmental Risk, Market Risk, Credit Risk, Operational Risk.
IT Risk in the Risk Hierarchy: where IT fits in
• IT Benefit/Value Enablement Risk
• IT Program and Project Delivery Risk
• IT Operations and Service Delivery Risk
IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered to be a component of operational risk, e.g., in the financial industry under Basel II. However, even strategic risk can have an IT component to it, especially where IT is the key enabler of new business initiatives. The same applies to credit risk, where poor IT (security) can lead to lower credit ratings. For that reason it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories, but perhaps as shown in the example given.
20. IT Risk Frameworks: ISACA’s Risk IT Framework
Risk IT Principles
• Connect to Business Objectives
• Align IT Risk Management With ERM
• Balance Cost/Benefit of IT Risk
• Promote Fair and Open Discourse
• Establish Tone and Accountability at the Top
• Function as Part of Daily Activities
21. IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
22. Two choices
This is your last chance ... After this, there is no turning back.
You take the blue pill – the story ends, you wake up in your bed and believe whatever you want to believe.
You take the red pill, … you stay in Wonderland, and I show you how deep the rabbit-hole goes.
25. Risk of Too Much Management
• What major systemic failure can you think of in Security and Privacy?
• Where has too much Security eliminated Privacy and done nothing for Security?
• Have you experienced too much security?
27. Where to put priorities
• Identify
  • Risk Assessment
    • Likelihood
      • Logs
      • Security Alerts
    • Consequences
      • Business Impact Analysis
      • Data Valuation
        • Unavailable
        • Modified
        • Exfiltrated
      • Data Classification
        • Public
        • Private
        • Classified
• THEN AUDIT
28. Where to put priorities (examples)
• Exfiltrated Public Data
• State Code DB
• DoS Ketchup Formula
• Corrupt ICBM Codes
• 40MM Dumps with PIN
29. Business Impact Analysis
Data Valuation / Data Classification
• Data Breach
• Profitability
• BCP/DRP/Risk IT
• BIA
• Missing Backup
• Internet Outage
• Power Outage