Risk Management: An Overview - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Risk Management: An Overview
  • Kim L. Jones CISM, CISSP
  • February 6, 2006

2
Overview
  • Risk Management Defined
  • Jones' Laws of Risk Management
  • Questions

3
Risk Management Defined
  • The systematic application of management
    policies, procedures and practices to the tasks
    of identifying, analyzing, evaluating, treating
    and monitoring risk.
  • Total Risk = Threat x Vulnerability x Asset Value

4
Risk Management Defined
  • Four options for managing risk
    • Acceptance
    • Rejection
    • Mitigation
    • Transfer
  • The objective of risk management is to bring
    residual risk to an acceptable level
  • Remember: It is not your risk to accept or
    reject!!

5
[Figure omitted; source: ISACA]
6
Jones' Laws of Risk Management
  • You Can't Defend What You Can't Define
  • Standards Must Be Standard
  • Uniform Security Is Not Always Uniform
  • Knowing is Half the Battle

7
You Can't Defend What You Can't Define
  • Lack of definition is a common mistake
  • In many cases, it leads to misspending on security
    due to misstatements of risk.
  • In the worst case, it creates a false sense of
    security
  • In order to understand your risk, you need to
    understand
    • What you are defending
    • Where you can defend it
    • How you can defend it
    • How you ARE defending it.

8
You Can't Defend What You Can't Define
  • What you are defending: Information
    Infrastructure
  • Six Categories
    • People (Associates, Contractors, Guests)
    • Facilities (Buildings, Data Centers)
    • Real Property ("Stuff")
    • Intellectual Property (Ideas, incl. brand)
    • Technology
    • Data
  • There may be different objectives for each area
  • Examples
    • Data Protection Objective: That data is only
      accessed in the appropriate form, at the
      appropriate time, by the appropriate people (Need
      to Know)
    • Facilities Protection Objectives
      • Make sure only people who should be there, are
      • Ensure the facility prevents harm to technology,
        personnel, and data contained within.

9
You Can't Defend What You Can't Define
  • Where you are defending: Protection Fronts
  • Areas you can control and/or influence in order
    to achieve your security objectives (where you
    fight the battle)
  • Seven Fronts
    • General
    • Physical
    • Personnel
    • Network
    • System
    • Application
    • Component
    • Data

10
You Can't Defend What You Can't Define
  • How you can defend it: Control Criteria
  • Methods of exerting control
  • 5 Categories
    • Restrict
    • Report
    • Authenticate, Access, & Authorize
    • Monitor
    • Manage

11
You Can't Defend What You Can't Define
[Figure omitted; Topic: Data Protection Objective (Need-to-Know)]
12
You Can't Defend What You Can't Define
  • How you ARE defending it: YOUR Security Profile
  • Reflected in how you fill the boxes
  • Your risk is the result of two factors
    • Efficacy of what you put in the boxes (is it
      appropriate for mitigating the risk?)
    • Is it working for YOU?

13
Standards Must Be Standard
  • Lack of viable metrics is anathema to the
    security industry; this adversely impacts risk
    management
  • Calculation of ROSI or ROIC is usually dependent
    upon assigning qualitative valuations to risk
    factors
    • e.g. reputation, brand
  • Where metrics are quantifiable, their ability to
    articulate your security posture is suspect
    • e.g. number of viruses stopped
    • Security-related downtime
  • Results
    • Continued inability to articulate whether or not
      the environment is truly secure
    • Continued inability to express the need for
      security (esp. in dollars)
    • Continued inability to truly understand and
      articulate risk

14
Standards Must Be Standard
  • Two options here
  • If you choose to quantify risk, you must agree on
    the value of assets and impacts
    • Reputation, man-hours, downtime, etc.
    • Problems
      • SMEs for this are not just in the CSO/CIO arena
        (usually requires a committee)
      • Opinion tends to be widely varied and varies
        more depending on the background of the individual (CFO
        vs. Legal Counsel vs. CSO)
      • Metrics on past breaches are limited and not always
        reliable.
  • If you choose to qualify risk, you must agree on
    the value of the impact scale
    • High/medium/low
    • Operational downtime
    • Etc.
  • In either event, ALL must agree who the SMEs are
  • No second-guessing of risk impacts!!
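As an added illustration (not from the presentation), the formula from slide 3 and the single agreed impact scale argued for here, carried through a small risk register in Python. The high/medium/low-to-number mapping, the acceptable-risk threshold and the register entries are constructed assumptions for this example only.

```python
from dataclasses import dataclass

# One agreed impact scale, shared by every reviewer (constructed mapping).
# Disagreement on this scale is exactly what makes risk rankings incomparable.
SCALE = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_RISK = 9  # constructed threshold; set by the business, not the assessor


@dataclass
class RiskItem:
    asset: str             # one of the six asset categories (slide 8)
    front: str             # one of the protection fronts (slide 9)
    threat: str
    vulnerability: str
    asset_value: str
    control: str = ""      # mitigating control, if any (slide 10 categories)
    vuln_after_control: str = ""  # vulnerability rating the control is expected to leave


def total_risk(item: RiskItem) -> int:
    """Total Risk = Threat x Vulnerability x Asset Value, on the shared scale."""
    return SCALE[item.threat] * SCALE[item.vulnerability] * SCALE[item.asset_value]


def residual_risk(item: RiskItem) -> int:
    """Risk left once the mitigating control (if any) has taken effect."""
    vuln = item.vuln_after_control or item.vulnerability
    return SCALE[item.threat] * SCALE[vuln] * SCALE[item.asset_value]


def decisions_required(register: list) -> list:
    """Items whose residual risk still exceeds the acceptable level; each of
    these needs a documented accept/reject/transfer decision by the risk owner."""
    return [(i.asset, i.front, residual_risk(i))
            for i in register if residual_risk(i) > ACCEPTABLE_RISK]


# Constructed sample register (hypothetical entries, not the author's data).
REGISTER = [
    RiskItem("Data", "Network", "high", "high", "high",
             control="Restrict: segment customer database", vuln_after_control="low"),
    RiskItem("Facilities", "Physical", "medium", "high", "high",
             control="Authenticate/Access: badge readers", vuln_after_control="medium"),
    RiskItem("Technology", "Application", "high", "high", "medium"),
]

if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.asset}/{item.front}: total={total_risk(item)} residual={residual_risk(item)}")
    print("Decisions required:", decisions_required(REGISTER))
```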

15
Uniform Security Isn't Always Uniform
  • Every security professional wants one standard
    policy/process, implemented uniformly
  • From a practical standpoint, this isn't always
    possible
  • Factors
    • Culture
    • Local Laws
    • Enforceability
    • Liability
    • Reputation/Brand
    • e.g. Off-shoring
  • These differences must be recognized as potential
    risks and planned/adjusted for.

16
Knowing is Half the Battle
  • Identifying risk doesn't solve the problem.
  • You must still make choices about risk
    • Transfer
    • Accept
    • Mitigate
    • Eliminate
  • These choices must always be made in the context
    of the business need as well as cost
  • Risk choices must be documented
  • Ignorance of risk isn't a defense, it's a
    decision
  • No CSO is going to willingly allow an ignorance
    argument

17
Some Final Thoughts
  • Risk management is art and science for now.
    Don't let the art obscure the science.
  • You must define your desired end state as well as
    your definitions and terms.
  • As in all things, keep a business focus.
  • It's business risk, not technology/security risk.
  • Risks AND risk choices must be documented
  • In the absence of consensus... take a stand!
  • You'll take the potshots, but you'll start
    discussion
  • Besides, ANYthing beats ignorance

18
Questions ???
19
Kim L. Jones, Vice President and CSO, eFunds
Corporation, 480-629-1428, kim_jones_at_efunds.com