Jeffrey A. Slotnick CPP, PSP Ron Worman, The Sage Group The ESRM Commission

Transcription

1 1 E N T E R P R I S E S E C U R I T Y R I S K M A N A G E M E N T : A N I N T R O D U C T I O N A N D P R O B L E M B A S E D E X E R C I S E Jeffrey A. Slotnick CPP, PSP Ron Worman, The Sage Group The ESRM Commission

2 W E L C O M E A N D TO D AY S S C H E D U L E 2:00-2:10 Welcome and Introduction Contiguous Session Covering two periods Introduction of Table Facilitators E S R M I N T R O D 2U C T I O N A N D E X E R C I S E 2:10-2:30 Overview of Enterprise Security Risk Management (ESRM) 2:30-2:40 Description of a Problem-Based Exercise 2:40-2:50 Presentation of the Problem 2:50-3:50 Table Discussions 3:50-4:40 Report Outs 4:40-5:00 Wrap-up and Next Steps 2

3 3 A S I S I S LEA DING GLOBA L CHANGE 3

4 E S R M I N T R O D U C 4T I O N A N D E X E R C I S E W H AT I S E S R M? ESRM is a cyclical, iterative approach to managing all security risk across an enterprise using established risk-management principles. 4

5 E S R M I N T R O D 5U C T I O N A N D E X E R C I S E E N T E R P R I S E S E C U R I T Y R I S K M A N A G E M E N T: A S I S I N T E R N AT I O N A L I S L E A D I N G G L O B A L C H A N G E The goal of an ESRM program is to create an iterative process to manage security risks across all aspects of the enterprise. A fully integrated ESRM program will: Continuously assess ALL security risks facing the organization. Quantify and qualify threats facing the organization, regardless of the vector. Document and establish mitigation plans. Identify and document risk acceptance procedures. Document the risk appetite of the organization. Manage incidents when they occur. Provide root cause analysis procedures and reporting. 5

6 E S R M I N T R O D U C 6T I O N A N D E X E R C I S E W H AT E S R M I S N O T ESRM is not convergence ESRM is not Enterprise Risk Management (ERM). 6

7 E S R M I N T R O D U C 7T I O N A N D E X E R C I S E B E N E F I T S O F E S R M Common problems faced by those working in security siloes vs a collaborative ESRM Approach Difficulty explaining the benefits of your traditional security program versus the department s role. Budget requests are denied for specific security projects when its critical to the company. Difficulty aligning with business stakeholders. Cultural alignment with organizational stakeholders who feel constrained or forced to follow your security program. 7

8 E S R M I N T R O D U C 8T I O N A N D E X E R C I S E E S R M : A D I F F E R E N T A P P R O A C H Aligning the Security Mission with the Organizational Mission Gain an intimate knowledge of your Organization Understand what is important to the Organization Learn how to align risk objectives with business objectives. Helps the business understand what security risks they have, or may face, while meeting their business objectives. Provide objective perspective on risk, allowing executives the ability to decide the path to address their risk. Provide Subject Matter expertise in the area of risk, resilience and security 8

9 E S R M I N T R O D U C 9T I O N A N D E X E R C I S E T H E O R G A N I Z AT I O N B E N E F I T S F R O M E S R M Mission alignment: A proper understanding of the security department s role versus simply the tasks assigned to it. Budget alignment: Lower total cost of ownership for the total security programs. Program alignment: Greater risk mitigation and proper risk prioritization throughout the organization. Value alignment: More direct connection to the protection of assets the business stakeholders truly care about. 9

10 E S R M I N T R O D U C 10 T I O N A N D E X E R C I S E T H E PAT H TO O P T I M I Z E D E S R M ESRM is a journey not a destination 10

11 11 W H AT I S A P R O B L E M B A S E D E X E R C I S E? People learn from being engaged in a Story Problem-based learning (PBL) is an approach that challenges participants to learn through engagement in a real problem. 11

12 12 W H AT I S A P R O B L E M B A S E D E X E R C I S E? ( N O T E S S L I D E ) Problem-based learning (PBL) is an approach that challenges participants to learn through engagement in a real problem. It is a format that simultaneously develops both problem solving strategies and disciplinary knowledge bases and skills by placing attendees in the active role of problem-solvers confronted with an ill-structured situation that simulates the kind of problems they are likely to face in complex organizations. The process of PBL uses the power of authentic problem solving to engage attendees and enhance their learning and motivation. Learning takes place within the contexts of authentic tasks, issues, and problems--that are aligned with real-world concerns. PBL fosters collaboration, stresses the development of problem solving skills within the context of professional practice, promotes effective reasoning and self-directed learning, and is aimed at increasing motivation for life-long learning. Problem-based learning begins with the introduction of an ill-structured problem on which all learning is centered. Your role, is more active, as you are engaged as a problem-solver, decision-maker, and meaning-maker, rather than being merely a passive listener and note-taker. 12

13 E S R M I N T R O D U C 13 T I O N A N D E X E R C I S E EXERCISE, EXERCISE, EXERCISE 13

14 14 D A I R Y M I L K I - S C R E A M Refer to your handout. 14

15 15 D A I R Y M I L K I - S C R E A M You are a part of the Senior Management team of a large company called Dairy Milk I-Scream; a dairy where milk, ice cream, and cheeses are manufactured and produced. Due to the large refrigeration needs of your plant you have an unprotected storage container holding 5,000 gallons of anhydrous ammonia. When I-Scream was initially built in the 1980s it was located on the outskirts of town. In 2017, due to development, the plant is now located within the built-up environment. The plant employs approximately 300 employees: 40 employees on shifts 1 and 2 engaged in manufacturing and administrative work; 20 employees on shift 3 primarily engaged in plant maintenance. 15

16 16 D A I R Y M I L K I - S C R E A M The plant contracts with a local guard company for unarmed guards deployed as follows: Shift 1: 3 guards scheduled from 6am - 2pm, Shift 2: 3 guards scheduled from 2 pm -10 pm, Shift 3: 2 guards scheduled from 10 pm - 6am Trucks, fully loaded, haul product arrive every day at 5am and are loaded and depart by 7am for distribution. 16

17 17 TA B L E C O M P O S I T I O N - T H E P L AY E R S Risk Manager Environmental Health and Safety Manager Chief Operations Officer Chief Security Officer Chief Information Security Officer 17

18 18 P O S I T I O N D E S C R I P T I O N S Risk Manager Develops and administers risk-management and loss-prevention programs. Initiates policies to comply with safety legislation and industry practices. Researches and reports on the most cost effective plans to minimize asset liability. Acts as the liaison to attorneys, insurance companies and individuals, investigating any incidences that may result in asset loss. Reviews and analyzes risk management programs for the effectiveness of coverage and to reduce costs and losses. Typically reports to top management. Environmental Health and Safety Manager Assists in supporting Safety and OSHA Compliance. The EH&S Supervisor will advance initiatives which promote and sustain the safety, health, security, and welfare of all personnel. Develop, deploy, and monitor all EHS programs, procedures, policies, and standards in a manner that ensures compliance to Federal, State, Local, Customer, and align with Corporate EHS requirements. Provide focus, direction, leadership, and technical expertise to the various work groups; including safety committees and accident review teams. Develop and administer a root cause analysis procedure/process design to reveal and capture intellectual wisdom from all near miss and/or failure occurrences. Assess and evaluate plant EHS connections and make recommendations to the Operations Manager regarding strategies to remedy training, skills, or performance deficiencies. Provide fire protection and coordinate fire prevention and protection with local fire department; conduct frequent fire drills and inspections of the facility; ensure the maintenance and submission of logs and reports as required. Provide for safety and security through the direction, monitoring, and conducting appropriate drills in preparation for emergencies. 18

19 19 P O S I T I O N D E S C R I P T I O N S Chief Information Security Officer A chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve IEC/ISO 27001:2013 certification for an entity, or a part of it). Typically, the CISO's influence reaches the entire organization. Responsibilities may include, but not be limited to: Computer emergency response team/computer security incident response team; Cybersecurity; Disaster recovery and business continuity management; Identity and access management; Information privacy; Information regulatory compliance (e.g., US PCI DSS, FISMA, GLBA, HIPAA; UK Data Protection Act 1998; Canada PIPEDA); Information risk management; Information security and information assurance; Information security operations center (ISOC); Information technology controls for financial and other systems; IT investigations, digital forensics, ediscovery, and Security architecture 19

20 20 P O S I T I O N D E S C R I P T I O N S Chief Security Officer A Chief Security Officer (CSO) is an organization's senior most executive accountable for the development and oversight of policies and programs intended for the mitigation and/or reduction of compliance, operational, strategic, financial and reputational security risk strategies relating to the protection of people, intellectual assets and tangible property. The accountabilities of the CSO include, but are not necessarily limited to: In cooperation with the organization s executive leadership team(s), directs the development of an effective strategy to assess and mitigate risk (foreign and domestic), manage crises and incidents, maintain continuity of operations, and safeguard the organization. Directing staff in identifying, developing, implementing, and maintaining security processes, practices, and policies throughout the organization to reduce risks, respond to incidents, and limit exposure and liability in all areas of information, financial, physical, personal, and reputational risk. Ensures the organization s compliance with the local, national, and international regulatory environments where applicable to the accountability of this role (i.e. privacy, data protection, and environmental, health and safety). Researches and deploys state-of-the-art technology solutions and innovative security management techniques to safeguard the organization s personnel and assets, including intellectual property and trade secrets. Establishes appropriate standards and associated risk controls. Develops relationships with high-level officials in law enforcement [and international counterparts] to include incountry security [and international security agencies], intelligence, and other relevant governmental functions as well as private sector counterparts [worldwide]. Through other internal policy committees, personnel and/or other external resources, coordinates and implements site security, operations, and activities to ensure protection of executives, managers, employees, customers, stakeholders, visitors, etc., as well as all physical and information assets, while ensuring optimal use of personnel and equipment. 20

21 21 T H E P R O B L E M Working together as an Executive Team and employing ESRM Concepts, each table will address the problem they have been given and address the risk, response, mitigation and recovery for their problem. Each of the participants will attempt to resolve the problem from their professional perspective and identify the response and mitigations for the current event and to prevent a similar event from occurring in the future. 21

22 22 R E P O R T O U T S 1. Solutions developed 1. How were you able to co-support the other functional areas on your team? 2. How were you able to apply the concepts of ESRM to this problem? 3. What learning moments did you have which were significant for your working group? 4. Will the learnings from this exercise assist you when you return to your organization? 5. Critical Observations from the Facilitators 22

23 23 W R A P U P - E S R M & R E S I D U A L R I S K T H E E X E C U T I V E I N T R O D I S C U S S I O N If you do not yet have a formal ESRM model / Program What are the lessons learned from this exercise that point out newly found risks or potential recurring risks from a similar event? ESRM in Action! These lessons are ESRM-discussion intro-points while executives are still thinking about the crisis. NOT a "Money Grab" for more resources... but an opportunity to meet with leaders to discuss risk, impact, and the role of security in helping the enterprise mitigate the impact if it is outside of tolerance. 23

24 24 W R A P U P - E S R M & C O N T I N U A L I M P R O V E M E N T If you do already have a formal ESRM model / program ESRM is a process of continual improvement What impacts occurred during this event? Were any caused by risks that were previously identified and accepted? Was the impact within stated risk tolerance? If previously unidentified risks caused impact, or mitigations did not place impact within tolerance Who "owns" the risks? Who needs to be aware that tolerances were exceeded? How can you use this event to further educate business leaders on security risk and help them protect their operations to the level they would like? 24

25 25 Thank you For More information on ESRM please contact Thank you, Jeffrey A. Slotnick CPP, PSP 25