7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS

Transcription

1 7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS

2 TO MANAGE INFORMATION RISK AND KEEP YOUR ORGANIZATION MOVING FORWARD, YOU NEED A SOLID STRATEGY AND A GOOD GAME PLAN. RSA DESIGNED THIS EBOOK TO HELP WITH BOTH. IT WALKS YOU THROUGH A RISK MANAGEMENT FRAMEWORK THAT S BASED ON PROVEN GRC PRINCIPLES. 2

3 INFORMATION RISK ASSESSMENT: THE BIG PICTURE The seven-step framework laid out in this ebook takes an approach to risk management that follows ISO and NIST guidelines. You ll be assessing the inherent risk of information in your organization, evaluating it in the context of risk appetite and determining how you ll respond. RSA Framework: Information Risk Approach Identify Important Information & Establish Business Context No Is IR Acceptable? Assess Residual Risk (RR) Yes Evaluate Residual Risk (RR) Against Risk Appetite Assess Inherent Risk (IR) Evaluate Inherent Risk (IR) Against Risk Appetite Accept, Reject, Reduce Risk &/or Apply Controls & Risk Transfer No Let s get started. Turn the page to begin with Step 1. Is IR Acceptable? 3

4 STEP 1: DEFINE WHAT INFORMATION NEEDS TO BE PROTECTED The first step in building your risk management framework is determining what information you need to protect. Making connections between information and major areas of business activity will provide you with context for why certain information needs protection. Areas of Information That May Be Important Organizational Structure & Business Jurisdictions Strategies/ Objectives Products/ Services Policies & Procedures Regulatory Obligations AT THE END OF STEP 1, YOU SHOULD BE ABLE TO: See the connections between business elements and information Define what constitutes potentially important information Understand what makes the information important 4

5 STEP 2: IDENTIFY THE LOCATION AND AMOUNT OF IMPORTANT INFORMATION Once you know what information you need to protect, you need to determine how much there is and where it exists. That means identifying businesses related to it and documenting relevant external access points, IT applications and systems, and third-party relationships. Infrastructure Elements Related to Information Strategies/ Objectives Regulatory Obligations Important Information Organizational Structure & Business Jurisdictions Policies & Procedures Physical Information Generated Business Processes Third Parties External-facing Access Points IT Applications IT Systems Products/ Services AT THE END OF STEP 2, YOU SHOULD BE ABLE TO: Identify business processes that are associated with important information Document external connections to processes and information See the business context for elements of the business risk management framework Databases/Data Stores 5

6 STEP 3: ASSESS INHERENT RISK AND EVALUATE ITS ACCEPTABILITY Inherent risk is the risk to information that exists when you haven t applied any controls or taken other measures to reduce risk. In the most basic sense, it s calculated like this: AT CHOOSE YOUR METHODS Formula for Calculating Inherent Risk Inherent Risk = (Criticality of Information x Number of Records) x Impact per Record Associated with each Type of Threat Assessing risk Different organizations may assess risk differently. For example, a new organization with limited resources may simply rate an infrastructure element s risk as high, medium or low, while a more mature organization may formally calculate risk exposure. Expressing risk Risk can be expressed in monetary values; the higher the risk, the more money is lost if information is compromised. But sometimes a more appropriate way to express risk is in terms of potential loss of reputation or some other qualitative measure. The important thing is for everyone to be on the same page about how you will assess and express risk. AT THE END OF STEP 3, YOU SHOULD BE ABLE TO: Identify processes and third parties that pose the greatest information-related risk Understand where the most resources should be allocated to control information risk Know what the worst case impact would be from an information security incident 6

7 STEP 4: EVALUATE RISK TREATMENTS You know your inherent business risk. You know your risk appetite. If your appetite for risk is lower than your inherent risk, your next step is to evaluate the controls available. Use questionnaires and automated tools to determine what controls you already have in place and how well they re working. Methods for Assessing Controls Manual Assessment Questionnaires External-facing Access Points AT THE END OF STEP 4, YOU SHOULD BE ABLE TO: IT Applications IT Systems Business Processes Third Parties Databases/ Data Stores Vulnerability Scan Results Manual Assessment Questionnaires Intelligence Feeds Know what controls are in place to mitigate risk See where controls are missing or inoperable Gauge the inherent risk in areas where controls are missing or inoperable 7

8 STEP 5: ASSESS RESIDUAL RISK After you ve done all you can to reduce inherent risk, by identifying controls, putting them in place and establishing that they re working correctly, any risk that remains is known as residual risk. Formula for Calculating Residual Risk Residual Risk = Inherent Risk x Risk Reduction Percentage of all applied and operating Risk Treatments WHAT DO YOU DO WHEN RISK EXCEEDS RISK APPETITE? AT THE END OF STEP 5, YOU SHOULD BE ABLE TO: Option 1: Lower the risk Often, it s possible to take steps to lower residual risk to acceptable levels. Typically, this involves reallocating people, processes and technology to devote more risk management resources to areas where risk is unacceptably high. Assess residual information risks Compare residual and inherent information risks Understand the options to lower risk or end risky activity Option 2: End the activity If it s difficult to make allocation decisions that will lower risk, it may be time to take a step back and decide whether a particular business activity is worth the level of information risk that s associated with it. 8

9 STEP 6: DOCUMENT PROCESSES AND ENTERPRISE RISKS AND CONTROLS Physical access to information, regulatory changes and other activities beyond third parties and infrastructure can also introduce risk. To manage these risks, you need to document them, along with the controls you re using to mitigate them. You also need to test the controls to show they re effective. Business Risk Processes and Controls Business Processes Risk Register Control Register AT THE END OF STEP 6, YOU SHOULD BE ABLE TO: Identify activities outside of IT and third parties than introduce risk Understand the nature of the risks these activities pose Validate the effectiveness of controls in the control register 9

10 STEP 7: PROVIDE VISIBILITY AND REPORTING The last step in creating a GRC-based framework for business risk management is providing visibility into and reporting on activities associated with the framework. THIS REQUIRES: Analytics to provide timely information and insights Dashboards to share insights from analytics Use of GRC process workflows, notifications and reporting to provide transparency 10

11 RSA PORTFOLIO With award-winning solutions for rapid detection and response, identity and access assurance, consumer fraud protection, and business risk management, RSA customers can thrive in an uncertain, high-risk world. It s time for Business-Driven Security. RSA ARCHER RSA NETWITNESS RSA SECURID SUITE SUITE SUITE The industry s leading business risk management suite, proven to help customers confidently advance their command of risk and understand what risks are worth taking. Triple the impact of security teams by providing essential visibility to detect advanced threats and deliver the right response in minutes not months. Enables organizations of all sizes to ensure the right individuals have the right access, from anywhere on any device leveraging risk analytics and context-based awareness. RSA FRAUD & RISK RSA RISK & CYBER INTELLIGENCE SUITE SECURITY PRACTICE Allows organizations to transform their digital, multi-channel strategy, the ability to both protect consumers against fraud and improve the user experience by reducing transaction friction. Essential consulting, support and incident response expertise so that you can take command of your evolving security posture. 11

12 ABOUT RSA RSA offers Business-Driven Security solutions that uniquely link business context with security incidents to help organizations manage risk and protect what matters most. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive in an uncertain, high risk world. For more information visit rsa.com Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA, 06/17. Ebook: 7 steps to build a GRC Framework for Business Risk Management, H16374 Dell Inc. or its subsidiaries believe the information in this document is accurate as of its publication date. The information is subject to change without notice. 12