Post on 19-Dec-2015
ENTERPRISE RISK MANAGEMENT
Bobby Singh, Director, Information Security & Risk Management, Rogers Communications Inc.
Moderator: Illena Armstrong, editor-in-chief, SC Magazine
Objectives of this session
- Understand current risk challenges and roadblocks affecting risk management
- How to manage information security
- Overview of an information security risk management lifecycle
- Overview of risk assessment methodology
- Walk through of risk process flows and the use of technology
Why is risk difficult to manage?
- There is no single, common definition of what "risk" is or means. Risk means different things to different groups, with little to no alignment or mapping between them (e.g. credit risk, market risk, insurance risk, operational risk, security risk, health risk, hazard risk).
- There is no common, defined method and approach for managing risk. Risk identification is complex, and managing risk is even more complex.
- A unified approach to operational risk and security risk (reducing complexity) has numerous benefits and efficiencies, but the road to get there is not simple.
- Risk management is often performed in silos (especially security risk management).
- Lack of clear, well defined business objectives
- Lack of established governance
- Lack of effective follow-up and tools
- Lack of accountability
- Lack of risk definitions
- Lack of common understanding in managing risks
- Lack of a standardized risk management approach / method
Challenges
Solutions
Security Metrics - Program Framework, KRIs, KPIs
(Slide figure: a map of the security program. Top-level groups: Security Governance; Security Controls; Security Services; Security Metrics, split into Security Management Metrics (how well security is managed) and Security Posture Metrics (how well security is being implemented); Key Risk Indicator Groups (KRIs); Key Performance Indicator Groups (KPIs).)
Program elements shown on the map: Strategic Planning; Legal & Regulatory Compliance; Security in Enterprise Architecture; Risk Assessment; Access Controls (IAM); Audit; Compliance; Process & Procedures; Risk Treatment; Governance Exceptions; I & IT Asset Management; Service Architecture; Security Risk Management Processes; Incident Management (ESPIM); Anti-Virus; Vulnerability & Patch Management; Cryptographic Controls; Monitoring; Configuration Management; ISMS Program/Plan; eHO Service Definitions; Service Classifications; Third Party Contracts & Agreements; Security Awareness & Training; Change Management; Network Security; Application Security; HR On-Boarding & Exiting; Physical & Environmental; Security Within the PLC and DLC.
Benefits
The benefits of the security metrics program include:
- improved understanding of the organization's security strengths and weaknesses;
- improved identification, prevention, and mitigation of security issues and risks;
- meeting regulatory requirements, as well as demonstrating to other governance bodies our ability and commitment to maintain a secure environment;
- improved decision making, planning, and prioritization of security activities;
- improved allocation of security efforts, resources, and funding.
Approach
The information security risk management approach focuses on the following:
- the use of common definitions and terms;
- the use of a defined risk management lifecycle;
- threat and risk assessments that clearly focus on how risks impact business objectives;
- the utilization of tools to manage risks across the organization;
- alignment with other business units such as Enterprise Risk Management, Privacy, SecOps, Audit, etc.
Security Specific - Risk definition
There is no one standard, universal definition of security risk. However, all security risk definitions should include the elements of:
- time (the risk is a future event that has not yet occurred);
- potential for loss or harm (to a valuable asset);
- harm caused by threats, which take advantage of an asset's vulnerabilities (weaknesses).
Suggested security risk definition:
The potential for a threat to exploit an asset weakness, which will negatively impact the ability of an organization to meet its business objectives.
Why Information Risks
From managing IT function silos...
- Assessing technology vulnerabilities
- Enforcing security policy
- Focusing on the perimeter
- Protecting infrastructure
- Tracking security incidents
- Quantitative approach
- Focus: Infrastructure
... to a business centric approach to risk mitigation
- Assessing business risk
- Partnering to influence behavior
- Focus within the perimeter
- Protect organization data
- Optimize risk mitigation
- Qualitative analysis
- Focus: Information
Risk Management – Project vs. Business Risk
Project Issues are problems, gaps, technology limitations, etc. that exist today. Issues may contribute to risks. Examples: lack of documentation; no security requirements; no security architecture; undefined roles, responsibilities or accountabilities; no separation of duties; insufficient access control; no hardening requirements; vendor agreements and SLAs that do not include security requirements; insufficient logging, audit and monitoring controls.
Project Risks are problems, gaps, limitations, etc. that may impact the project. Examples: schedule delay; budget overrun; scope creep; incomplete deliverables; resource constraints; potential escalations; internal reputation.
Business Risks are events that may occur in the future. If and when they occur, they may cause loss or harm to the organization's ability to meet its business objectives. Examples: contractual commitments missed; poor service delivery; poor asset management; unreliable system; slow system uptake; privacy and security risks; client dissatisfaction.
(Figure axes: Maturity; Impact; Effort.)
Security Risk Management
Information Security Risk Management is the coordinated direction and control of activities to ensure that security risks are identified, analyzed, understood, addressed, and managed to meet business goals and objectives.
These activities include the identification, assessment, and appropriate management of current and emerging security risks that could cause loss or harm to persons, business operations, information systems or other assets.
Risk Assessment Methodology
Business & Control Objectives
Business Objectives: what the business wants to achieve (goals).
Security Control Objectives: what must be accomplished so that business objectives are met.
Security Controls: safeguards that must be in place to achieve the security control objectives.
Threat Risk Assessments take into consideration how security risks will impact each of these areas and ultimately how security risks impact business objectives.
Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
Source: COSO
Risk Assessment
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Source: NIST SP 800-30
Security Risk Management Model
(Slide figure: the model links assets, threats, vulnerabilities, security controls, security risks, asset values & impacts and security requirements. Relationship labels in the figure: threats exploit vulnerabilities; vulnerabilities expose assets; threats and vulnerabilities increase security risks; security controls protect against threats and reduce impact; assets have asset values & impacts, which increase security risks and determine security requirements; security risks influence security requirements; security requirements are met by security controls.)
Assets: computers; files & folders; test results; prescriptions
Threats: hackers; viruses; spyware; fire
Vulnerabilities: un-patched systems; old anti-virus; weak passwords; unlocked cabinets
Security Controls: policy; passwords; anti-virus; backups
Risk Acceptance Process
Security risk acceptance is the deliberate decision by the appropriate level of management to accept an identified security risk for the purposes of meeting business objectives.
- Risk owners may accept risks that lie below the approved Risk Tolerance Levels.
- However, if a risk owner wishes to accept a risk above the risk tolerance line, they must escalate the risk by submitting a Risk Escalation Approval Form and obtaining appropriate approvals to proceed with the risk acceptance.
Determine Risk Appetite
Risk appetite is the amount of risk — at a Board Level — an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
Source: COSO
Likelihood
| Level | Definition |
| --- | --- |
| High | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. |
| Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. |
| Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. |
Impact Analysis
| Level | Definition |
| --- | --- |
| High | (1) Highly costly loss of major tangible assets or resources; (2) significantly violates, harms, or impedes an organization's mission, reputation, or interest. |
| Medium | (1) May result in the costly loss of tangible assets or resources; (2) violates, harms, or impedes an organization's mission, reputation, or interest. |
| Low | (1) May result in the loss of some tangible assets or resources; (2) noticeably affects an organization's mission, reputation, or interest. |
Risk Tolerance Levels
(Slide figure: a 5x5 matrix of Impact (rows: Very High, High, Medium, Low, Very Low) against Likelihood (columns: Very Low, Low, Medium, High, Very High), with a Default Risk Tolerance Line drawn across it.)
Risk levels:
- Unacceptable Risk
- High Risk (dynamic and manageable)
- Medium Risk (dynamic and manageable)
- Low / Tolerable Risk
- Very Low / Tolerable Risk
Risk escalation is required when the risk owner chooses to accept a risk that is rated above the risk tolerance line.
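The matrix and acceptance rule above, worked as an added example (this is not code from the presentation or from Rogers). The slides give the five axis levels and the five risk bands but not the cell-by-cell band assignment, so the product thresholds in `BANDS` are an assumption; so is the placement of the default tolerance line between Low and Medium (the slide labels Low and Very Low as "Tolerable"), and the fields of the tracking-tool record, which stand in for whatever the InfoSec tool actually stores.

```python
"""Rate a risk on the 5x5 likelihood/impact matrix and decide whether
accepting it needs escalation.

Added example, not from the slides. The band thresholds, the tolerance
line and the register fields are assumptions (see comments).
"""
from collections import Counter
from dataclasses import dataclass

# Ordinal scale for both axes (Very Low .. Very High).
LEVELS = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}

# Assumed band boundaries on likelihood x impact (range 1..25), highest first.
BANDS = [
    (16, "Unacceptable"),  # H/H and above
    (10, "High"),          # e.g. L/VH, M/H, M/VH
    (5, "Medium"),         # e.g. VL/VH, L/M, M/M
    (3, "Low"),            # e.g. VL/M, L/L, VL/H
    (1, "Very Low"),       # VL/VL, VL/L
]

# Assumed default tolerance line: these bands may be accepted by the risk
# owner alone; anything above needs the Risk Escalation Approval Form.
TOLERABLE = {"Very Low", "Low"}


def rate_risk(likelihood: str, impact: str) -> str:
    """Return the risk band for a likelihood/impact pair such as ("M", "H")."""
    try:
        score = LEVELS[likelihood] * LEVELS[impact]
    except KeyError as exc:
        raise ValueError(
            f"unknown level {exc.args[0]!r}; expected one of {list(LEVELS)}"
        ) from None
    for floor, band in BANDS:
        if score >= floor:
            return band
    return "Very Low"  # not reachable: score is at least 1


def matrix() -> dict:
    """Full 5x5 grid keyed (impact, likelihood), for review or a dashboard."""
    return {(imp, lk): rate_risk(lk, imp) for imp in LEVELS for lk in LEVELS}


def acceptance_decision(likelihood: str, impact: str,
                        escalation_approved: bool = False) -> tuple:
    """Apply the acceptance rule: below the line the owner may accept;
    above it, acceptance is allowed only with an approved escalation.
    Whether an Unacceptable rating can be accepted at all is a policy
    question the slides do not answer; here it is treated like any other
    band above the line."""
    band = rate_risk(likelihood, impact)
    if band in TOLERABLE:
        return band, True, "below tolerance line: risk owner may accept"
    if escalation_approved:
        return band, True, "above tolerance line: accepted via Risk Escalation Approval Form"
    return band, False, "above tolerance line: Risk Escalation Approval Form and approvals required"


@dataclass
class RiskRecord:
    """One row of the InfoSec tracking tool (fields are assumed)."""
    risk_id: str
    owner: str
    likelihood: str
    impact: str
    treatment_status: str  # "open", "in progress" or "closed"


# Constructed sample register; ids, owners and ratings are made up.
SAMPLE_REGISTER = [
    RiskRecord("R-001", "app team", "L", "L", "open"),
    RiskRecord("R-002", "network team", "M", "H", "in progress"),
    RiskRecord("R-003", "platform team", "VH", "VH", "closed"),
    RiskRecord("R-004", "app team", "M", "M", "open"),
]


def open_risks_by_band(register) -> dict:
    """Count not-yet-closed risks per band: the headline figure for a
    monthly or quarterly status report."""
    counts = Counter(
        rate_risk(r.likelihood, r.impact)
        for r in register
        if r.treatment_status != "closed"
    )
    return dict(counts)


if __name__ == "__main__":
    grid = matrix()
    for imp in reversed(list(LEVELS)):  # VH row at the top, like the slide
        row = [grid[(imp, lk)] for lk in LEVELS]
        print(f"impact={imp:<2} | " + " | ".join(f"{b:<12}" for b in row))
    print(acceptance_decision("M", "H"))
    print(open_risks_by_band(SAMPLE_REGISTER))
```

Because the band is a pure function of the two ordinal levels, the tolerance line is one set membership test, and changing where the organization draws the line means editing `TOLERABLE`, not the matrix.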
Showtime
Information Security Risk Management Lifecycle
Security Risk Management Lifecycle
Risk Assessment:
- Phase 1: Establish the Context
- Phase 2: Asset Identification & Valuation
- Phase 3: Threat & Vulnerability Assessment
Risk Treatment:
- Phase 4: Treat the Risk
- Monitor, Track & Report
Tracking & Managing Process
The objective of this process is to improve the management of security issues and risks. Its primary purpose is to ensure that all those with responsibility for identifying or managing security issues and risks know:
- their responsibilities;
- how each affected Business Unit interacts with the others to achieve effective management of security issues and risks;
- the work flow to achieve effective management of identified issues/risks.
The FUN stuff: Process Flows
Risk Management – Process Overview
Summary of the Process
- InfoSec identifies a risk and notifies the risk owner and the project team.
- Risk owner develops a risk treatment plan to address the risk, with the assistance of InfoSec.
- InfoSec enters the risk and the treatment plan into its risk management tracking tool.
- Risk owner implements the risk treatment plan.
- InfoSec follows up with the risk owner (or their delegate) to periodically monitor the progress of the treatment plan.
- InfoSec provides executive-level reports on a monthly and quarterly basis on the status of risks and risk treatment plans.
Risk Tracking – Documenting
Risk Tracking – Monitoring
Risk Tracking – Reporting
Technology
Tools for Monitoring & Tracking
Dashboard (example with dummy data)
Tools for Monitoring & Tracking
Sensitive info has been blocked.
Tools for Monitoring & Tracking (example with dummy data)
Sample Factors that can decrease risk
- Effective policies and standards
- Awareness programs
- Reliance on proven and tested controls
- Consistency of processes, technology and controls
- Appropriate segregation of duties
- Customers
- Regulations / compliance
- Audits
- Knowing what your risks are
Discussion / Q&A
Contact Info:
Bobby Singh
Director, Information Security & Risk Management
416.935.6691