Applying the risk process in the real world using COBIT
Christian Dinesen, NNIT A/S
CiD@nnit.com
Who Am I
- Last 4 years @ NNIT
- 2 years as Security Auditor
- 2 years as Security Advisor/Architect
- Hacker since 1994
- CISA, CISM
Hacker Cyber Criminal?
"A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity."
Bruce Schneier, Secrets and Lies, 2000
Shout Out: Inspiration and context
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or positions at the author's workplace.
Turning IT Risk into Business Risk: Mapping Business Risk to Business goals
Agenda
- Risk perception & definitions
- Assessing Risk w/examples
- Governance vs. Management
- Risk Process & Scenarios w/examples
- Respond to Risk
- Risk Capacity & Profile w/examples
Risk perception: Why are we so bad at assessing risk?
Risks that are abstract, slowly progressing, or kind of unlikely (like cancer, car accidents, hacker attacks) are perceived as way too small!!
[Chart: Actual Risk vs. Perceived Risk]
Risk Definitions
Risk: the possibility of a situation or event with uncertain frequency and magnitude of loss (or gain) occurring that is associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Related terms: Threat, Vulnerability, Risk Appetite, Risk Tolerance, Risk Optimization, Risk Hierarchy
Categories in Assessing Risk
- Inherent Risk: the risk associated with an event when no controls are in place
- Residual Risk: the risk that is associated with an event after controls have been applied
- Control Risk: results from the internal control system's failure to prevent, detect or correct an incident in a timely manner
- Detection Risk: prescribed controls, substantive testing or monitoring will fail to detect an error that could be material
Defacements of .dk websites, 2017-09-04
Governance vs. Management
Governance: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
- Evaluate risk management
- Direct risk management
- Monitor risk management
Management: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
- Collect data
- Analyze risk
- Maintain a risk profile
- Articulate risk
- Define a risk management action portfolio
- Respond to risk
Risk Management Process: Identify Risk -> Assess Risk -> Respond to Risk -> Control & Monitor
Risk Scenarios: Top-down and Bottom-up
Both approaches are complementary and should be used simultaneously. Risk scenarios must be relevant and linked to real business risk. Specific risk items for each enterprise and critical business requirements need to be considered in the enterprise risk scenarios. COBIT 5 for Risk provides a comprehensive set of generic risk scenarios. These should be used as a reference to reduce the chance of overlooking major/common risk scenarios.
COBIT 5 Risk Scenario Structure
Risk Scenarios: Identify Risk Scenarios
- Threat Types: Malicious, Accidental, Error / Failure, Nature, External requirement
- Actors: Internal, External
- Event: Disclosure, Interruption, Modification, Theft, Inappropriate use
Attack on the mobile platform and data
Phishing emails
Assess Scenarios
Timeline on WannaCry
- 2013: NSA Tools Stolen
- AUG 2016: Shadow Brokers Emerges
- JAN 2016: Shadow Brokers announces auction of NSA tools
- FEB 2017: Microsoft cancels Patch Tuesday for the first time
- FEB 2017: Microsoft releases SMB updates for supported OSs
- MAY 12 2017: WannaCry outbreak begins
- First WannaCry samples seen in VirusTotal
Linking Enterprise and IT Risk
Goals Cascade Overview
Respond to Risk: Accept, Avoid, Mitigate, Share/Transfer
Accept the Risk?
Types of Controls
Risk Capacity
- Risk Appetite: the broad-based amount of risk in different aspects that an enterprise is willing to accept in pursuit of its mission
- Risk Tolerance: the acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives
- Risk Capacity: the cumulative loss an enterprise can tolerate without risking its continued existence. As such, it differs from risk appetite, which is more about how much risk is desirable.
Risk Capacity
Left diagram: a relatively sustainable situation. Risk appetite is lower than risk capacity. Actual risk exceeds risk appetite in a number of situations, but always remains below the risk capacity.
Right diagram: an unsustainable situation. Risk appetite is defined at a level beyond risk capacity; this means that management is prepared to accept risk well over its capacity to absorb loss. As a result, actual risk routinely exceeds risk capacity even while staying almost always below the risk appetite level. This usually represents an unsustainable situation.
Maintain Risk Profile
Maintain the inventory of known risks and their attributes (including expected frequency, potential impact and responses) as well as resources, capabilities and current control activities.
- Register: resulting from risk analysis, consists of a list of risk scenarios and their associated estimates for impact and frequency
- Action Plan: includes action items, status, responsible, deadline, etc.
- Loss Events: loss data related to events occurring over the last reporting period(s)
- Risk Factors: both contextual risk factors and capability-related risk factors
- Independent Assessment Findings: result of independent assessments (e.g., audit findings, self-assessments)
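The slides on responding to risk, on risk appetite versus capacity, and on the risk register can be tied together in a small model. The example below is added here and is not code from the presentation or from COBIT/ISACA: it holds register rows in the COBIT 5 scenario structure (threat type, actor, event) with frequency and impact estimates, compares the register against appetite, tolerance and capacity the way the two capacity diagrams describe, and applies an illustrative (not COBIT-prescribed) decision rule for accept/avoid/mitigate. All numbers are constructed.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One row of the risk register, in the COBIT 5 scenario structure."""
    name: str
    threat_type: str   # Malicious, Accidental, Error / Failure, Nature, External requirement
    actor: str         # Internal or External
    event: str         # Disclosure, Interruption, Modification, Theft, Inappropriate use
    frequency: float   # expected occurrences per year
    impact: float      # expected loss per occurrence, in currency units

    def expected_loss(self) -> float:
        """Annualised expected loss: frequency times impact."""
        return self.frequency * self.impact


def suggest_response(s: RiskScenario, tolerance: float, capacity: float) -> str:
    """Illustrative decision rule (assumption, not a COBIT rule) mapping to the four responses."""
    if s.expected_loss() <= tolerance:
        return "Accept"
    if s.impact > capacity:           # a single occurrence would threaten continued existence
        return "Avoid"
    return "Mitigate or Share/Transfer"


def assess_register(register, appetite: float, tolerance: float, capacity: float) -> dict:
    """Evaluate the whole register against appetite, tolerance and capacity.

    'posture' follows the two diagrams: sustainable when appetite sits below
    capacity, unsustainable when appetite is set beyond capacity.
    """
    actual = sum(s.expected_loss() for s in register)
    return {
        "actual_risk": actual,
        "posture": "sustainable" if appetite < capacity else "unsustainable",
        "exceeds_appetite": actual > appetite,
        "exceeds_capacity": actual > capacity,
        "responses": {s.name: suggest_response(s, tolerance, capacity) for s in register},
    }


# Constructed sample register; scenario names and figures are illustrative only.
REGISTER = [
    RiskScenario("Phishing leads to credential theft", "Malicious", "External", "Theft", 4.0, 25_000),
    RiskScenario("Unpatched SMB worm outbreak", "Malicious", "External", "Interruption", 0.2, 1_500_000),
    RiskScenario("Admin misconfigures firewall", "Error / Failure", "Internal", "Disclosure", 1.0, 40_000),
]

if __name__ == "__main__":
    # Left-diagram situation: appetite below capacity, actual risk above appetite but below capacity.
    print(assess_register(REGISTER, appetite=400_000, tolerance=100_000, capacity=2_000_000))
```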
Risk profile towards IoTs
Christian Dinesen, CiD@NNIT.com