Caroline R. Hamilton, CEO RiskWatch, Inc. - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Caroline R. Hamilton, CEO, RiskWatch, Inc.
Risk Assessment - Where Security Meets Compliance
2
3 New Watchwords
  • 1. Governance
  • 2. Risk
  • 3. Compliance

3
(No Transcript)
4
TJMAXX
  • TJX discovered the intrusion in December and
    reported it to authorities in the U.S. and Canada
    as well as the major credit card companies and
    its payment processors. At the request of law
    enforcement, the breach was kept quiet until
    Wednesday, TJX said.
  • The breach appears broad. In Massachusetts, 28
    banks have been contacted by credit card
    companies indicating that some of their customers
    have had personal information that may have been
    exposed, the Massachusetts Bankers Association
    said in a statement Thursday. That number is
    likely to grow as more banks report into the
    association, it said.

5
Governance, Risk & Compliance
  • Compliance
    • Sarbanes-Oxley has increased the accountability of management
    • New regulations for financial institutions require every institution to complete a risk analysis by December 2006
  • Risk - Physical Security
    • Increase in terrorism around the world has hit multi-nationals
    • Cargo security now requires risk analysis
    • Workplace violence continues to affect U.S. companies
    • Concept of Integrated, Holistic Security
  • Governance - Information Technology
    • IT has become a core part of most organizations
    • New international standards require more IT risk analysis

6
New Requirements for Security Risk Assessments Based on Published Standards
  • Governments are instituting requirements, or expecting, that companies will perform security risk assessments. Assessments can include identification of threats and vulnerabilities, together with an analysis of security gaps and mitigation strategies. Some of the assessment requirements also require that companies identify their most critical assets and propose plans to protect core business functions and human assets.

7
Compliance Regulations, Standards and Guidelines
8
Mapping to Audit
  • Must map to audit guidelines: ISACA (ASIS partner organization)
  • Every Vulnerability or Risk Assessment ends up with corporate management, the CFO or the IG
  • Executives are being held PERSONALLY ACCOUNTABLE and need the assessments to demonstrate Due Care

9
APPROACH TO GOOD SECURITY
  • The approach to good security is fundamentally
    similar regardless of the assets being protected.
    As GAO has previously reported for homeland
    security and information systems security,
    applying risk management principles can provide a
    sound foundation for effective security whether
    the assets are information, operations, people,
    or facilities. These principles, which have been
    followed by members of the intelligence and
    defense community for many years, can be reduced
    to five basic steps

GAO-02-687T National Security
10
Classic RA Components
  • A target system consists of ASSETS which when
    exposed to THREATS can experience one or more
    LOSSES
  • VULNERABILITIES are weaknesses that make ASSETS
    more susceptible to THREATS
  • SAFEGUARDS and COUNTERMEASURES are controls to
    reduce or minimize LOSS

11
ELEMENTS OF RISK ASSESSMENT VS. COMPLIANCE ASSESSMENT
  • Assets
  • Threats
  • Vulnerabilities
  • Losses
  • Safeguards
12
What Is Risk Assessment compared to a Site Survey?
  • A process used to determine what controls are needed to protect critical or sensitive assets adequately and cost-effectively
  • The process examines five variable functions:
    1. Specific Assets to be protected (value)
    2. Potential Threats to the various assets
    3. Vulnerabilities that would allow the threats to materialize
    4. Kinds of Losses that the threats could cause
    5. Safeguards that would reduce the loss or eliminate the threats

13
The Risk Assessment Process
  • Automated Survey Management
  • Risk Analysis
  • Process Management
  • Data Aggregation & Analysis
  • Customization
  • Reporting
  • Content (Rules & Data)
14
Estimating Asset Values
15
FINDING THREAT DATA, OR INPUT YOUR OWN ORGANIZATIONAL DATA SUCH AS INCIDENT REPORT DATA
  • Quantified threat data is hard to find.
  • Categories of Threats: Natural Disasters, Criminal Activity, Terrorism, Theft, Systems Failures
  • Collect data from Web sources, government data, weather data, crime casts, global info services, access control systems, incident logs.
  • Use data from internally collected sources

16
Standard Threat Data, or Enter your own Site-Specific Incident Data
17
Discovering Vulnerabilities
  • Vulnerabilities are specific to each organization
  • The survey can be completed by the analyst alone
  • Or it can include key individuals
  • Web-based surveys increase the accuracy and speed of survey collection & aggregation

18
Question answers map up to over forty customizable vulnerability areas
19
Analysts Can Customize Questions or Add New Questions
  • Questions Follow Audit Format
  • Control Standard matches Question
  • Analyst Sets Threshold for Compliance
  • Questions Validate Compliance with Standards
  • Analyst can Add, Delete or Modify Questions

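A worked example of the questionnaire scoring described on slides 17 through 19: answers to audit-style questions roll up into vulnerability areas, the analyst sets a compliance threshold, and the results can be reported overall (the compliance vs. non-compliance split of slide 28) or per respondent (slide 30). This is an added illustration, not RiskWatch's code; the questions, control-standard labels, scoring scale, respondents and answers are all constructed.

```python
"""Added example: scoring a control questionnaire against a compliance threshold.

Each question validates one control standard and maps to one vulnerability
area. Answers from every respondent are aggregated into a 0..1 score per area;
areas below the analyst's threshold are reported as weaknesses. All questions,
standard labels, respondents and answers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Audit-style answer scale (constructed): full credit, partial credit, none.
ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control_standard: str  # hypothetical clause label the question validates
    area: str              # vulnerability area the answer maps to


QUESTIONS = [
    Question("Q1", "Are visitor logs kept at every entry point?", "Entry Controls 1.2", "Visitor Controls"),
    Question("Q2", "Are visitor badges collected on exit?", "Entry Controls 1.4", "Visitor Controls"),
    Question("Q3", "Is a written disaster recovery plan tested annually?", "DRP 3.1", "Disaster Recovery"),
    Question("Q4", "Are backup generators exercised monthly?", "DRP 3.5", "Disaster Recovery"),
    Question("Q5", "Do all staff complete security awareness training yearly?", "Training 2.1", "Training Programs"),
]

# Constructed survey responses, keyed by respondent job title, then question id.
RESPONSES = {
    "Facilities Manager": {"Q1": "yes", "Q2": "no", "Q3": "partial", "Q4": "yes", "Q5": "no"},
    "IT Director": {"Q1": "yes", "Q2": "no", "Q3": "yes", "Q4": "yes", "Q5": "partial"},
    "Security Officer": {"Q1": "partial", "Q2": "no", "Q3": "partial", "Q4": "no", "Q5": "no"},
}


def area_scores(questions: List[Question], responses: Dict[str, Dict[str, str]]) -> Dict[str, float]:
    """Aggregate every answer from every respondent into a 0..1 score per vulnerability area."""
    area_of = {q.qid: q.area for q in questions}
    totals: Dict[str, float] = {}
    counts: Dict[str, int] = {}
    for answers in responses.values():
        for qid, answer in answers.items():
            if answer not in ANSWER_SCORE:
                raise ValueError(f"unrecognised answer {answer!r} for {qid}")
            area = area_of[qid]
            totals[area] = totals.get(area, 0.0) + ANSWER_SCORE[answer]
            counts[area] = counts.get(area, 0) + 1
    return {area: totals[area] / counts[area] for area in totals}


def noncompliant_areas(scores: Dict[str, float], threshold: float) -> List[str]:
    """Areas whose aggregated score falls below the analyst-set threshold."""
    return sorted(area for area, score in scores.items() if score < threshold)


def compliance_summary(scores: Dict[str, float], threshold: float) -> Dict[str, float]:
    """Share of areas that are compliant vs. non-compliant at the threshold."""
    total = len(scores)
    bad = len(noncompliant_areas(scores, threshold))
    return {"compliant": (total - bad) / total, "non_compliant": bad / total}


def scores_by_respondent(questions: List[Question],
                         responses: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, float]]:
    """The same roll-up computed for each respondent separately (reporting by job title)."""
    return {who: area_scores(questions, {who: answers}) for who, answers in responses.items()}


if __name__ == "__main__":
    THRESHOLD = 0.6  # analyst-set compliance threshold (constructed)
    scores = area_scores(QUESTIONS, RESPONSES)
    for area, score in sorted(scores.items()):
        print(f"{area:20s} {score:.2f} {'OK' if score >= THRESHOLD else 'NON-COMPLIANT'}")
    print("summary:", compliance_summary(scores, THRESHOLD))
    print("by respondent:", scores_by_respondent(QUESTIONS, RESPONSES))
```

Changing the threshold is the analyst's lever from slide 19: raising it to 0.7 would also flag Disaster Recovery, whose aggregated score is two thirds.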
20
SAMPLE QUESTION CREATION ELEMENTS
21
Use of Server-Based Questionnaires Makes it Easy to Collect Information
22
(No Transcript)
23
Including all Relevant Safeguards and Controls
  • Alarm Systems
  • Background Checks
  • Barriers
  • Biometric Controls
  • Bomb Threat Procedures
  • Bomb Detection & Identification
  • CCTV Cameras
  • Disaster Recovery Planning
  • Emergency Response Planning
  • Entry Controls
  • Fire Controls
  • Guard Services
  • Incident Reporting
  • Incident Response
  • Intrusion Detection
  • Lock & Key Controls
  • Monitoring Systems
  • Risk Assessment
  • Security Planning
  • Security Policies
  • Security Staff
  • Technical Surveillance
  • Training Programs
  • Visitor Controls

24
Controls with default values for implementation and life cycles
25
Data Aggregation & Analysis
  • Asset: Equipment, Generators, Facility, Staff, Patients, Security Personnel, Reputation
  • Loss: Related Loss, Direct Loss, Disruption, Injury, Intangibles, Loss of Life
  • Threat: Accident, Fire, Vandalism, Power Loss, Theft, Workplace Violence, Homicide
  • Vulnerability: Personnel Screening, Controlled Areas, Personnel ID, Key Controls, No Security Plan, Observation, Doors, Construction
  • Incident Class, Incident, Degree of Seriousness, Conditioned Incident
  • Risk: Asset × Loss × Threat × Vulnerability
26
WRITING REPORTS
  • Data which can be benchmarked
  • Making sure you include audit trails
  • Use of recognized statistical probability models
  • Includes both current and new directives
  • Creating management level reports

27
MITIGATION STRATEGIES
  1. Accept Risk
  2. Transfer Risk
  3. Mitigate Risk
  4. Better Risk Reactions
  5. Dealing with Residual Risk
28
EASY-TO-UNDERSTAND GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE
29
VULNERABILITY DISTRIBUTION CHART SHOWS THE WEAKNESSES IN THE CURRENT SECURITY PROFILE
30
Survey Answers Can be Shown by Job Title, or by Individual Name
31
Shows the Annual Loss Expectancy By Threat
32
Loss Expectancy is Also Shown by Asset Category Impact
33
Reports Can Include Loss Protection by Threat Category
34
How to Calculate Return on Investment to Support Proper Budgeting for Security
In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI; that means for every dollar spent on updating the plan the organization saves 2,000,000.
  • Finish Disaster Recovery Plan 2000:1
  • Finish the Security Plan 1200:1
  • Complete Security Training 943:1

35
Security Controls are Listed & Recommended by Return On Investment
36
This Graph Illustrates how Implementing the Top 20 Controls will Contribute to a Cumulative Reduction in Loss Potential
Single vs. Cumulative Loss Reductions
37
The Bottom Line
  • Security Risk Management requirements will continue to increase and need to be standardized.
  • Measuring and managing security by Return on Investment gives you the best bang for the buck.
  • Conducting Risk Assessments is the best way to meet security requirements, quantify areas of weakness, justify security controls, and manage and validate the security budget.

38
Caroline Hamilton, 410-224-4773 x105, chamilton_at_riskwatch.com