Allen D. Becker MMA, , ITILv3. Risk Management. Allen D. Becker - MMA, PMP, ITILv3 Sr. Security Consultant Business Development Specialist

Transcription

1 Allen D. Becker MMA, Allen D. Becker MMA, Allen D. Becker MMA,, ITILv3, ITILv3, ITILv3, ITILv3 Risk Management Allen D. Becker - MMA, PMP, ITILv3 Sr. Security Consultant Business Development Specialist Copyright 2018 Terra Verde, LLC. All rights reserved.

2 Risk Management An approach from a consultants point of view Copyright 2018 Terra Verde, LLC. All rights reserved.

3 Agenda Definition The Basics Methodology Process 7 Infamous Questions Summary

4 Risk Management - Wikipedia Risk management is the identification, evaluation, and prioritization of risks (defined in ISO as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events [1] or to maximize the realization of opportunities. Risks can come from various sources including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. There are two types of events i.e. negative events can be classified as risks while positive events are classified as opportunities. Several risk management standards have been developed including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards. [2][3]

5 Risk Management - Wikipedia Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits). Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk; whereas the confidence in estimates and decisions seem to increase. [1] For example, one study found that one in six IT projects were "black swans" with gigantic overruns (cost overruns averaged 200%, and schedule overruns 70%). [4]

6 Risk Management It is critical that executive management set the tone for the risk assessment activity first by determining the corporation s appetite / tolerance for risk by considering their capacity for absorbing damage position in the risk-averse to risk-aggressive range of how it approaches business and then by ensuring the organizations within the enterprise respond to the risk assessment team s requests for information and business impact estimates with considered but prompt answers. A risk assessment is more than a vulnerability assessment in that it considers the business impact (damage or consequences) that can result if a vulnerability is successfully exploited. Copyright 2018 Terra Verde, LLC. All rights reserved.

7 Risk Management Damage can be to reputation, loss of revenue due to service failure, government levied fines, fines from payment card entities. Business owners and executive management are the proper entities to determine the impact that could result from an incident. Information Technology Senior Management is the proper lead for vulnerability assessment. Copyright 2018 Terra Verde, LLC. All rights reserved.

8 Methodology For the most part, these methods consist of the following elements, performed, more or less, in the following order. identify, characterize threats assess the vulnerability of critical assets to specific threats

9 Risk Assessment Methodology Need to document a risk assessment process. It must be a formal written report that identifies the risks discovered There should be a repository where all the assessments and evidence documents are stored. It should be based on accepted methods although a blended process is acceptable.

10 Methodology continued determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets) identify ways to reduce those risks prioritize risk reduction measures

11 Risk Assessment Methodology Approach must completely address how one determines business impact If assessing potential vendors or partners review industry attestations (SOC Type 1/2, SSAE18, ISO 27001/2 certificate, PCI AOC etc.) Accept, mitigate, transfer, or remove the risk.

12 Risk Management Process Use an Information Asset top-down approach PCI Card Holder Data (CHD) or other protected data first, then as maturity grows, add other types. (GDPR and California Consumer Privacy Act might cause acceleration.) An alternative approach, and one used by most, is to start at the system/network level to determine what s vulnerable and then see what assets are affected by that vulnerabilities. Identify processes/services that handle CHD, where CHD is stored, where it is transmitted, and where it is redirected. Identify systems that support the above listed assets, systems that connect to those systems, and systems that provide services to those systems (note this should have been done for PCI compliance).

13 Risk Management Process Get business impact statements for when processes/services become compromised and/or unavailable. Get business impact statements for when Protected Data is exposed to unauthorized entities or is modified/deleted by unauthorized entities or by accident. Use vulnerability assessment information to determine probability of an unauthorized event. Use that probability and resulting damage estimate to determine risk.

14 The 7 Infamous Questions Commonly Used [5] WHO? Who are the parties ultimately involved? WHY? What do the parties want to achieve? WHAT? What is it the parties are interested in? WHICH WAY? How is it to be done? WHEREWITHAL? What resources are required? WHEN? When does it have to be done? COST? How much capital are you willing to allocate?

15 WHO Business Owners ultimately involved Business initiators Later players Other interested parties WHAT Design WHICH WAY Activity-based plans WHEREWITHAL Plan-based resource allocations WHEN Plan-based timetable WHY Motives Revenue Profit Cost Other motives Reference 5 Copyright 2018 Terra Verde, LLC. All rights reserved. Main feedforward/feedback loops Initial Influence

16 Summary Inventory your assets You got to know what you have that s worth protecting. Match the threats to the assets You have to define what could happen to your assets Use the risk equation to find the inherent risk consider if it s a full loss or partial. Then line up your known controls and evaluate how much of the risk has been mitigated leaving you with residual risk. Decide if that residual risk is acceptable or if more controls/countermeasures/solution are need to further reduce the risk. Think about the proposed control/counter-measure/solution to evaluate whether the cost will reduce the residual risk enough to be worthwhile.

17 Q&A What's on your mind?

18 Acknowledgement's My collaborators: Hoyt Kesterson, Terra Verde, Sr. Consultant Deb Bond, Terra Verde, Sr. Consultant Dea Ann Farley, Terra Verde, Sr. Consultant References 1. Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p ISO/IEC Guide 73:2009 (2009). Risk management Vocabulary. International Organization for Standardization. 3. ISO/DIS (2009). Risk management Principles and guidelines on implementation. International Organization for Standardization. 4. Flyvbjerg, Bent & Budzier, Alexander (2011). "Why Your IT Project May Be Riskier Than You Think". Harvard Business Review. 89 (9): Chris Chapman & Stephen Ward (1999). Project Risk Management, Processes Techniques and insights. John Wiley and Sons pages en.wikipedia.org/wiki/risk Management

19 Copyright 2018 Terra Verde, LLC. All rights reserved.