A Balancing Act Between Risk Appetite and Risk Tolerance - PowerPoint PPT Presentation

About This Presentation
Title:

A Balancing Act Between Risk Appetite and Risk Tolerance

Description:

Directory. Access Control. RISK. Security. Detail of IT risk. Return on Security Investment ... Evaluate best of breed vs. integrated solutions. Changing ... – PowerPoint PPT presentation

Slides: 14
Provided by: ezradu

Transcript and Presenter's Notes


1
A Balancing Act Between Risk Appetite and Risk Tolerance
  • Federal Information Systems Security Educators Association Conference
  • March 2005
  • Ezra Cornell Duong-Van
  • Director, Strategic Marketing
  • BindView Corporation

2
IT Risk Analysis and Management
(Diagram; labels only: Impacts, Threat, Vulnerability, Risk Analysis, Risks, Risk Management, Countermeasures)
3
Detail of IT risk
(Diagram: RISK broken down into four areas, labelled Security)
  • Compliance: Am I meeting regulatory requirements?
  • Vulnerability: What is the exposure to my systems?
  • Identity: Do my users have appropriate rights?
  • Configuration: Are my systems configured securely?
Areas covered:
  • Servers
  • OS
  • Data
  • Infrastructure
  • Users
  • Groups
  • Directory
  • Access Control
4
Return on Security Investment
5
Compliance and Cost
  • Achieve compliance through improved productivity and efficiency (Point B)
    • Replace manual methods with automated processes to reduce compliance risk
    • Organizations with limited resources operate more efficiently
  • Maintain your compliance level but with greatly reduced cost (Point C)
    • Reduce compliance spending
    • Redirect savings to other compliance efforts
  • The reality is that you will experience a combination of B and C

6
Ideal Compliance Monitoring
7
Breadth of Coverage Across IT Stack
  • CIA
    • Confidentiality
    • Integrity
    • Availability
  • Maximize CIA throughout the whole IT stack
  • Prioritize sections of the stack that pose higher risk
  • Evaluate best-of-breed vs. integrated solutions

8
Changing Concerns
(Chart; axis labels only: IT Stack, Time Investment)
9
Risk Management process
  • Scope definition
    • Determine processes and risks to be evaluated
  • Process walkthrough
    • Step through the processes to validate them against their goals
  • Risk assessment
    • Execute the processes in the context of risks to be evaluated
  • Control identification and evaluation
    • Document IT controls and supplemental manual controls
    • Document risks identified by these controls
  • Residual risk assessment
    • Provide a residual risk assessment for each process
    • Provide recommendations for remediation

10
Risk Management Deliverables
  • Process and sub-process maps
    • Clearly document the business processes within the engagement boundary definition
  • Business process automation recommendations
    • Definition of the process, objectives, threats and controls at a detailed level
  • Risk and control matrix
    • For each process, a summary of risk assessments, control ratings and determination of residual risk level
  • Recommendations
    • Short, medium and long-term remediation plan
    • Prioritize remediation efforts

11
Risk reduction solutions
12
  • Ezra Cornell Duong-Van
  • Director, Strategic Marketing
  • BindView Corporation
  • Ezra.Duong-van@bindview.com
  • 713-561-4274

13
  • Contact BindView
  • General Sales: 1-800-813-5869, sales@bindview.com
  • John Balena, Federal Sales
  • john.balena@bindview.com
  • Phone 713-561-4109