Posted on 17-May-2020

Degree in Computer Engineering, Universitat de les Illes Balears

Risk management in ICT #GSII

@IsaacLera [email protected]

Management framework

❖ Do you sit an exam without studying?
❖ Do you ride your bicycle on the bike lane or on the road?
❖ Do you buy a Dell or an IBM machine?
❖ Do you develop an application in Java or in Python?
❖ Do you subcontract another company?
❖ …

“Risk is something we need to manage”

Risk management

Isaac Lera - Grau d’informàtica

Risk management must support:

❖ Planning
❖ Provisioning
❖ Installation
❖ Operation
❖ Maintenance
❖ Administration

Diagram labels: SECURITY, RISK, INFORMATION, COST CONTROL


Concept of risk

We define risk as the probability that an undesired consequence materialises and leads to an undesired outcome such as loss, damage, injury or missed opportunities.

“Risk comes from not knowing what you're doing.” Warren Buffett

• Threat: lower-probability event
• Risk: high-probability event

Enterprise Risk Management

ERM is the process for effective identification, assessment, and management of all significant risks to an entity. This includes not only the traditional areas of financial and hazard risk, but also larger operational and strategic risks. ERM refers to the people, tools, systems, and structures that are part of a broader framework of Governance, Risk, and Compliance.

Good practice:

• COSO (Committee of Sponsoring Organizations of the Treadway Commission) http://www.coso.org/-ERM.htm
• ISO 31000 Risk Management: Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.

Apple Enterprise Risk Factors: 10-K Report

• Global economic conditions could materially adversely affect the company.
• Global markets for the company’s products and services are highly competitive and subject to rapid technological change, and the company may be unable to compete effectively in these markets.
✓ To remain competitive and stimulate customer demand, the company must successfully manage frequent product introductions and transitions.
✓ The company faces substantial inventory and other asset risk in addition to purchase commitment cancellation risk.
✓ Future operating results depend upon the company’s ability to obtain components in sufficient quantities.
✓ The company depends on component and product manufacturing and logistical services provided by outsourcing partners, many of whom are located outside of the United States.
✓ The company relies on third-party intellectual property and digital content, which may not be available to the company on commercially reasonable terms or at all.
• The company is frequently involved in intellectual property litigation and could be found to have infringed on intellectual property rights.
• The company’s success depends largely on the continued service and availability of key personnel.
✓ The company’s business may be impacted by political events, war, terrorism, public health issues, natural disasters, and other circumstances.
• The company’s business and reputation may be impacted by information system failures or network disruptions.
• The company may be subject to breaches of its information technology which could damage business partner and customer relationships, curtail or otherwise adversely impact access to online stores and services, and could subject the company to significant reputational, financial, legal, and operational consequences.

Google risk factors: 10-K report

❖ New technologies could block our ads, which would harm our business.
❖ If we were to lose the services of Larry, Sergey, Eric, or other members of our senior management team, we may not be able to execute our business strategy.
❖ We rely on highly skilled personnel and, if we are unable to retain or motivate key personnel, hire qualified personnel, or maintain our corporate culture, we may not be able to grow effectively.
❖ Interruption or failure of our information technology and communications systems could hurt our ability to effectively provide our products and services, which could damage our reputation and harm our operating results.
❖ The availability of our products and services depends on the continuing operation of our information technology and communications systems. Our systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems. Some of our data centers are located in areas with a high risk of major earthquakes. Our data centers are also subject to break-ins, sabotage, and intentional acts

10-K form: http://en.wikipedia.org/wiki/Form_10-K

10-K form - Apple: http://investor.apple.com/secfiling.cfm?filingid=1193125-14-383437&cik=#D783162D10K_HTM_TOC783162_2

10-K form - Google: https://investor.google.com/documents/20101231_google_10K.html#toc120214_2

http://www.google.com/about/company/facts/management/


Concepts

❖ Risk Event. The materialisation of a risk. Risk events are not only discrete or one-off occurrences in time; they are also continuous when they affect the performance of the operation.

Examples?

Concepts: threat vectors

A threat vector describes where a threat originates and the path it takes to reach a target.

Activity

List the threat vectors within the CTI IT equipment.

Concepts

❖ Risk Exposure and Vulnerability. The measurable amount of potential loss resulting from a risk event.
❖ Vulnerability cannot be quantified.

Examples?

Activity

One risk is that an employee leaves the company.

Can you think of a way to measure the impact of that event on the company?

Concepts

❖ Risk Resilience refers to the capacity to recover from, or adapt to, misfortune or change.

Examples?

Concepts

❖ Risk Appetite reflects the degree of risk that an organisation or individual is willing to accept or take in pursuit of its objectives.
❖ Risk averse: no risk at all.

Examples of companies?

Concepts

❖ Risk Analysis is the process of evaluating, qualitatively and quantitatively, the potential risks within a system.
❖ It covers the identification of risks and the evaluation of these events in at least two dimensions: the probability that a risk occurs, and the impact if the risk materialises and becomes a risk event.

Concepts

❖ Risk Response Plan, a logical extension of a risk analysis. The risk plan is a document that defines the known risks and includes descriptions, causes, probabilities or likelihood of occurrence, costs, and the proposed risk-management responses.

Concepts

❖ Risk Compliance includes the internal activities adopted to meet the required or imposed standards and regulations, whether governmental, industry-specific, or imposed internally.
❖ Companies have always had compliance requirements related to financial reporting, environmental compliance and other areas.
❖ It is achieved through management processes in which (1) the laws, regulations, contracts, strategies and policies are identified; (2) the current state of compliance is evaluated; (3) the risks and potential costs of non-compliance are weighed against the projected cost of achieving compliance; and (4) the corrective measures considered necessary are prioritised, funded and put in place.

• The Ford Pinto's fuel tank exploded in certain rear-end collisions, with serious, fatal results. Ford knew the risks during production and continued selling the car. It was a business decision: paying lawsuits was cheaper than making the repair. “Dehumanising the risk”

Types of risk

❖ Strategic Risk: risks that prevent achieving the business strategy and objectives, and effects on the brand
❖ Hazard Risk: random interruptions from natural or human causes
❖ Financial Risk: internal or external economic difficulties
❖ Operational Risk: risks that interrupt the operation

Examples of risks by type of risk

ICT risks?

Types of risk

❖ Operational Risk: risks that interrupt the operation
  ❖ Demand Risk
  ❖ Customer Risk
  ❖ Product Risk: poor product portfolio management
  ❖ Logistics Risk
  ❖ Process Risk
  ❖ Known Risks: measurable and “plannable”: IT failures, …
  ❖ Unknown Risks
  ❖ Chronic Risks

Examples of risk types

Good practice in IT risk management

• ISO 31000:2009
• ISO/IEC 27005:2011
• NIST Special Publication 800-39 (USA)
• AS/NZS 4360 (Australia)
• …
• ISACA: The Risk IT Framework (2009)

ISO 31000

❖ ISO 31000 - Risk management - Principles and guidelines provides a framework and a generic process to manage risk in all parts of any type of organisation.
❖ It defines 11 principles that should be considered.

ISO 31000

1. Risk management creates and protects value. A quantifiable contribution to achieving objectives and improving performance.
2. Risk management is an integral part of all organisational processes. It is part of the management activities in organisational processes, including strategic planning and change management.
3. Risk management is part of decision making. It supports decisions between alternatives and prioritises actions.
4. Risk management explicitly addresses uncertainty. It takes uncertainty into account and how it should be approached.
5. Risk management is systematic, structured and timely. It contributes to consistent and efficient comparison of results and confidence in them.
6. Risk management is based on the best available information (historical data, experience, stakeholder feedback, observation, forecasts and expert judgement).
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative and responsive to change.
11. Risk management facilitates continual improvement of the organisation.

ISO/IEC 27005:2011

❖ ISO/IEC 27005:2011 provides an iterative process for risk management, which serves as the framework for several methodologies in the domain of risk management.
❖ Process (diagram)

Context Establishment

❖ The risk-management proposal, the evaluation criteria, the impact and its acceptance
❖ Definition of the scope and boundaries of risk management
❖ Definition of the organisation and the responsibilities of the risk manager

Risk Assessment I

❖ Identification of the risk and possible sources of loss:
  ❖ The assets defined in the scope
  ❖ The threats and their sources
  ❖ Current and planned controls
  ❖ Vulnerabilities that can be exploited by threats with negative impact on the assets and the organisation
  ❖ The consequences for the integrity, availability and confidentiality of the assets
  ❖ The business process

Risk Assessment II

❖ Risk analysis and estimation:
  ❖ Measurement scale: qualitative, quantitative, or both
  ❖ Evaluation of the consequences: confidentiality, integrity and availability
  ❖ Evaluation of the probability of occurrence
  ❖ Determination of the level of risk for all relevant scenarios

Risk Treatment

Four main options:

• Risk modification: so that the residual risk is acceptable
• Risk retention: accepting the risk as it is
• Risk avoidance: abandoning the activity where the risk is present
• Risk sharing: sharing the risk with third parties (insurers, subcontracting, …)

ISACA Risk IT Framework (ISACA: Information Systems Audit and Control Association)

❖ The Risk IT framework is based on the principles of enterprise risk management (ERM) standards/frameworks such as COSO ERM and ISO 31000 and provides insight on how to apply this guidance to IT.
❖ It is dedicated to helping enterprises manage IT-related risk.
❖ It complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven information-technology-based (IT-based) solutions and services.

Benefits

Applying good IT risk management practices will provide tangible business benefits, e.g., fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and innovative applications supporting new business initiatives.


Risk IT Principles

Principles to take into account during risk management

Risk Hierarchy

The Risk IT framework explains IT risk and enables users to:

• Integrate the management of IT risk into the overall ERM of the enterprise: risk-return-aware decisions
• Make well-informed decisions about the extent of the risk, and the risk appetite and the risk tolerance of the enterprise
• Understand how to respond to the risk

Categories

IT benefit/value enablement risk: associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or as an enabler for new business initiatives.

IT programme and project delivery risk: associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes.

IT operations and service delivery risk: associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise.

“IT risk always exists, whether or not it is detected or recognised by an enterprise.”

Process model of each domain

Risk Governance (RG):
❖ RG1 Establish and maintain a common risk view
❖ RG2 Integrate with ERM
❖ RG3 Make risk-aware business decisions

Risk Evaluation (RE):
❖ RE1 Collect data
❖ RE2 Analyse risk
❖ RE3 Maintain risk profile

Risk Response (RR):
❖ RR1 Articulate risk
❖ RR2 Manage risk
❖ RR3 React to events

Essentials of Risk Governance

• Risk appetite is the amount of risk an entity is prepared to accept when trying to achieve its objectives. Two major factors are important:
  • The enterprise’s objective capacity to absorb loss, e.g., financial loss, reputation damage
  • The (management) culture or predisposition towards risk taking: cautious or aggressive.

Examples: Ryanair

❖ Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk.
❖ Risk maps (diagram)

Activity

From 0 to 5: the number of subjects you have to pass?

From 0 to 5: the number of damaged hard disks?

❖ Risk tolerance is the tolerable deviation from the level set by the risk appetite and business objectives, e.g., standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
❖ Responsibility belongs to those who must ensure that the activities are completed successfully.
❖ Risk awareness is about acknowledging that risk is an integral part of the business.
❖ Risk communication is a key part in this process; it refers to the idea that people are naturally uncomfortable talking about risk.

Risk Communication

❖ Information on expectations from risk management: risk strategy, policies, procedures, awareness training, continuous reinforcement of principles, etc.
❖ Information on current risk management capability.
❖ Information on the actual status with regard to IT risk. It includes information such as:
  ❖ Risk profile of the enterprise
  ❖ Event/loss data
  ❖ Root cause of loss events
  ❖ Options to mitigate (cost and benefits) risks

Risk Culture

❖ Behaviour towards taking risk: how much risk does the enterprise feel it can absorb and which risks is it willing to take?
❖ Behaviour towards following policy: to what extent will people embrace and/or comply with policy?
❖ Behaviour towards negative outcomes: how does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?

Cases

• A Cisco study found that 61% of employees did not consider themselves responsible for protecting information and devices. 70% ignore IT policies.
• Company devices suffer more damage. “Since it isn't mine, it doesn't matter”

Examples

Risk Appetite:

Management of a financial service firm has determined that the main processing platform and applications cannot be unavailable for any period longer than two hours and the system should be able to process yearly transaction growth of 15 percent without performance impact.

IT management needs to translate this into specific availability and redundancy requirements for the servers and other infrastructure on which the applications are running. In turn, this leads to:

• Detailed technical capacity requirements and forecast requirements
• Specific IT procedures for performance monitoring and capacity planning

Examples

Risk Tolerance:

Risk tolerance is the tolerable deviation from the level set by the risk appetite and business objectives. Examples include:

• Standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
• Service levels for system uptime require 99.5 percent availability on a monthly basis; however, isolated cases of 99.4 percent will be tolerated.
• The enterprise is very security risk-averse and does not want to accept any external intrusions; however, single isolated intrusions with limited damage can be tolerated.
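The appetite and tolerance figures above can be checked mechanically, which is what turns a stated tolerance into a Key Risk Indicator. The Python below is an added example and not part of the original slides: it encodes the slides' own thresholds (99.5% monthly uptime with isolated months at 99.4% tolerated; 10% budget and 20% time overruns tolerated) and classifies constructed measurements as within appetite, tolerated, or a breach that needs a risk response. Reading "isolated" as "not preceded by another sub-appetite month" is an assumption made here to give the word a testable meaning; the sample data are constructed.

```python
# Added example (not from the original slides): classifying measurements
# against a risk appetite and a risk tolerance.
from typing import List, Tuple

# Thresholds taken from the slides' examples
UPTIME_APPETITE = 99.5     # % availability per month the business requires
UPTIME_TOLERANCE = 99.4    # % accepted only for isolated months
BUDGET_TOLERANCE = 0.10    # 10 % overrun of the estimated budget is tolerated
TIME_TOLERANCE = 0.20      # 20 % overrun of the estimated time is tolerated


def classify_uptime(monthly_uptime: List[float]) -> List[str]:
    """Return 'ok', 'tolerated' or 'breach' for each month, in order.

    A month below the appetite but not below the tolerance is 'tolerated'
    only if the previous month met the appetite (assumed meaning of
    "isolated"); a second sub-appetite month in a row, or any month below
    the tolerance, is a 'breach' that needs a risk response.
    """
    verdicts = []
    previous_ok = True
    for uptime in monthly_uptime:
        if uptime >= UPTIME_APPETITE:
            verdict = "ok"
        elif uptime >= UPTIME_TOLERANCE and previous_ok:
            verdict = "tolerated"
        else:
            verdict = "breach"
        verdicts.append(verdict)
        previous_ok = verdict == "ok"
    return verdicts


def classify_project(estimated_budget: float, actual_budget: float,
                     estimated_days: float, actual_days: float) -> str:
    """Classify a finished project against the budget and time tolerances."""
    budget_overrun = (actual_budget - estimated_budget) / estimated_budget
    time_overrun = (actual_days - estimated_days) / estimated_days
    if budget_overrun <= 0 and time_overrun <= 0:
        return "ok"
    if budget_overrun <= BUDGET_TOLERANCE and time_overrun <= TIME_TOLERANCE:
        return "tolerated"
    return "breach"


def needs_response(monthly_uptime: List[float],
                   projects: List[tuple]) -> Tuple[List[int], List[str]]:
    """Items to escalate: 1-based month numbers and project names in breach."""
    months = [i + 1 for i, v in enumerate(classify_uptime(monthly_uptime))
              if v == "breach"]
    bad_projects = [name for name, *figures in projects
                    if classify_project(*figures) == "breach"]
    return months, bad_projects


if __name__ == "__main__":
    # Constructed sample data, not real measurements
    uptime = [99.7, 99.4, 99.8, 99.45, 99.42, 99.3]
    projects = [
        ("CRM upgrade", 100_000, 108_000, 50, 58),       # 8 % over, 16 % late
        ("Data-centre move", 100_000, 95_000, 50, 62),   # under budget, 24 % late
    ]
    print(classify_uptime(uptime))
    print(needs_response(uptime, projects))
```

Months 5 and 6 are breaches: month 5 is within the 99.4% tolerance but follows another sub-appetite month, and month 6 is below the tolerance altogether. The second project is under budget but its 24% time overrun exceeds the 20% tolerance, so it is escalated too.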

Group activity

❖ Groups of 4:
  • 2 manage and 2 administer
  • A management proposal on the acceptance (tolerance / appetite) of an IT risk within the company?
  • An administration proposal on how to deliver a solution to that management decision?
❖ Methodology: quick debate

Example

• Management: “It is not tolerable for an IT system to remain out of service on public holidays”
• Administration: “On-call shifts - monitoring - availability - …”


Essentials of Risk Evaluation

Describing business impact:

❖ An IT person should understand how IT-related failures or events can impact enterprise objectives and cause direct or indirect loss to the enterprise.
❖ A business person should understand how IT-related failures or events can affect key services and processes.

How to express IT risk in business terms? Methods…

Methods

Examples: alignment between objectives and impact, and their importance within the chosen method:

Risk Scenarios

❖ One of the challenges for IT risk management is to identify the important and relevant risks amongst all that can possibly go wrong with IT or in relation to IT, given the pervasive presence of IT and the business’s dependence on it.

IT Risk Scenario Development (diagram)

IT Risk Scenario Components: examples

Activity

Scenarios:

1. Destruction of the infrastructure
2. Database integrity
3. Operational IT errors

Risk factors

Risk factors are those factors that influence the frequency and/or business impact of risk scenarios; they can be of different natures, and can be classified in two major categories:

❖ Environmental factors - degree of control that an enterprise has over them:
  ❖ Internal: strategic importance of IT, complexity of IT, complexity of the entity, degree of change, risk management philosophy, risk appetite, operating model
  ❖ External: market, rate of change, competition, geopolitical situation, regulatory environment, technology status and evolution
❖ Capabilities: how good is the enterprise in a number of IT-related activities?

Examples: IT Risk Scenario Development

Impact

Key Risk Indicators (KRIs) are metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.

Criteria to select KRIs include:

❖ Impact - indicators for risks with high business impact are more likely to be KRIs
❖ Effort to implement, measure and report
❖ Reliability - the indicator must possess a high correlation with the risk and be a good predictor or outcome measure
❖ Sensitivity - the indicator must be representative for the risk and capable of accurately indicating variances in the risk

Risk Impact

Impact of Asset Loss × Probability of Threat × Vulnerability Exposure = Total Risk Points

❖ Scale of 1 to 5
❖ e.g., microprocessor design might warrant a rating of 5
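The formula is easy to apply by hand for one scenario, but its value is in ranking a whole register consistently. The Python below is an added example, not code from the original slides: it implements the slide's Impact × Probability × Vulnerability = Total Risk Points on the 1-to-5 scale, rejects ratings off the scale, and ranks a constructed register. The scenarios, their ratings and the low/medium/high bands are assumptions made for the example; the slide only fixes the formula and the scale.

```python
# Added example (not from the original slides): the slide's
# Impact x Probability x Vulnerability = Total Risk Points formula on a
# 1-5 scale, applied to a constructed register and used to rank scenarios.
from dataclasses import dataclass
from typing import List, Tuple

SCALE = range(1, 6)        # each factor is rated 1..5, as on the slide
MAX_POINTS = 5 * 5 * 5     # 125 is the worst possible score


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: int         # impact of asset loss, 1-5
    probability: int    # probability of the threat, 1-5
    vulnerability: int  # vulnerability exposure, 1-5

    def __post_init__(self):
        # Reject ratings outside the slide's 1-5 scale instead of silently
        # producing a meaningless product.
        for value in (self.impact, self.probability, self.vulnerability):
            if value not in SCALE:
                raise ValueError(f"{self.name}: ratings must be 1-5, got {value}")

    def risk_points(self) -> int:
        return self.impact * self.probability * self.vulnerability


def band(points: int) -> str:
    """Assumed priority bands (not from the slides):
    1-19 low, 20-59 medium, 60-125 high."""
    if points >= 60:
        return "high"
    if points >= 20:
        return "medium"
    return "low"


def ranked_register(scenarios: List[Scenario]) -> List[Tuple[str, int, str]]:
    """(name, points, band) for every scenario, highest risk first."""
    ordered = sorted(scenarios, key=lambda s: s.risk_points(), reverse=True)
    return [(s.name, s.risk_points(), band(s.risk_points())) for s in ordered]


# Constructed sample register; the ratings are illustrative, not measured.
# The microprocessor-design asset gets impact 5, as the slide suggests.
SAMPLE = [
    Scenario("Microprocessor design documents leaked", impact=5, probability=2, vulnerability=3),
    Scenario("Backup failure of the order database", impact=4, probability=3, vulnerability=4),
    Scenario("Help-desk account phished", impact=3, probability=5, vulnerability=4),
    Scenario("Data-centre power loss", impact=5, probability=1, vulnerability=2),
]

if __name__ == "__main__":
    for name, points, level in ranked_register(SAMPLE):
        print(f"{points:3d}/{MAX_POINTS} {level:6s} {name}")
```

Note how the ranking differs from an impact-only view: the highest-impact asset (the microprocessor design, impact 5) lands in the middle of the register because its threat probability and exposure are low, while a medium-impact but frequent and exposed scenario comes out on top.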

Examples (diagram): IT department director, Customer Relationship Office

Risk Response

Risk Response Selection and Prioritisation

Parameters to be taken into account:

• Cost of the response, e.g., in the case of risk transfer, the cost of the insurance premium; in the case of risk mitigation, the cost (capital expenses, salaries, consulting) to implement control measures
• Importance of the risk addressed by the response, i.e., its position on the risk map (which reflects combined frequency and magnitude levels)
• The enterprise’s capability to implement the response. When the enterprise is mature in its risk management processes, more sophisticated responses can be implemented; when the enterprise is rather immature, some very basic responses may be better.
• Effectiveness of the response, i.e., the extent to which the response will reduce the frequency and impact of the risk
• Efficiency of the response, i.e., the relative benefits promised by the response.
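The five parameters above can be combined into a repeatable prioritisation. The Python below is an added example, not from the original slides: each candidate response carries its cost, the risk points of the risk it addresses (its importance on the risk map), the residual points expected afterwards and the capability level needed to run it; responses beyond the enterprise's maturity are dropped and the rest are ordered by efficiency (risk points removed per unit of cost), with importance as the tie-breaker. The responses, figures, the 1-to-5 maturity scale and the ordering rule are assumptions made for the example.

```python
# Added example (not from the original slides): scoring candidate risk
# responses on the slide's parameters (cost, importance, capability,
# effectiveness, efficiency). Responses and figures are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Response:
    name: str
    kind: str               # avoidance, reduction, sharing or retention
    cost: float             # yearly cost: premium, or capital + salaries + consulting
    current_points: int     # risk points of the risk before the response (importance)
    residual_points: int    # expected risk points after the response
    maturity_required: int  # assumed 1-5 capability level needed to run it

    def reduction(self) -> int:
        return self.current_points - self.residual_points

    def effectiveness(self) -> float:
        """Share of the risk removed: how far frequency and impact are reduced."""
        return self.reduction() / self.current_points

    def efficiency(self) -> float:
        """Risk points removed per 1000 units of cost (benefit relative to cost)."""
        return (self.reduction() * 1000) / self.cost


def prioritise(responses: List[Response], enterprise_maturity: int) -> List[str]:
    """Names of the feasible responses, best first.

    Responses beyond the enterprise's capability are dropped, as the slide
    advises for immature organisations; the rest are ordered by efficiency,
    with the importance of the risk addressed as the tie-breaker.
    """
    feasible = [r for r in responses if r.maturity_required <= enterprise_maturity]
    ordered = sorted(feasible, key=lambda r: (r.efficiency(), r.current_points),
                     reverse=True)
    return [r.name for r in ordered]


# Constructed candidate responses; the risk points follow the 1-5 x 1-5 x 1-5
# scoring of the Risk Impact slide and are illustrative only.
SAMPLE = [
    Response("Cyber-insurance policy", "sharing", cost=20_000,
             current_points=80, residual_points=50, maturity_required=1),
    Response("Multi-factor authentication on remote access", "reduction", cost=15_000,
             current_points=80, residual_points=20, maturity_required=2),
    Response("Relocate data centre out of the flood zone", "avoidance", cost=400_000,
             current_points=60, residual_points=5, maturity_required=4),
    Response("Off-site backup rotation", "reduction", cost=5_000,
             current_points=48, residual_points=12, maturity_required=1),
]

if __name__ == "__main__":
    for maturity in (2, 5):
        print(f"maturity {maturity}: {prioritise(SAMPLE, maturity)}")
```

With maturity 2 the relocation is not offered at all, and the cheap backup control outranks the insurance policy even though both address less important risks than the MFA control: insurance shares the financial impact but removes little of the risk itself, so its efficiency is the lowest of the three.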

Examples

Risk Avoidance:

❖ Relocating a data centre away from a region with significant natural hazards
❖ Declining to engage in a very large project when the business case shows a notable risk of failure
❖ Deciding not to use a certain technology or software package because it would prevent future expansion

Examples

Risk Reduction - with controls:

• Data centre operation controls: setups and scheduling, operator actions, and data backup and recovery procedures
• Access security controls: controls that prevent inappropriate and unauthorised use of the system

Risk sharing:

• Where application hosting is outsourced, the organisation always remains accountable for protecting client privacy, but if the outsourcer is negligent and a breach occurs, the risk (financial impact) might at least be shared with the outsourcer.

Risk IT Framework (diagram)

Risks in the cloud

❖ Availability
❖ SLA
❖ Compensation: financial, or through service
❖ Data persistence
❖ “Espionage” - USA: Patriot Act ramifications
❖ Policy: cloud computing not allowed
❖ PCI policies: where exactly the data centre is and where the data physically reside
❖ Migration
❖ Confidentiality

Defence, Detection, Deterrence, Residual Risk

A. Data leakage, theft or exposure
B. Espionage, packet sniffing
C. Inappropriate administrator access
D. Storage persistence
E. Phishing
F. Denial of service (DDoS)
G. Instability and failure of applications
H. Slowness
I. Backup failure
J. Mobile device risks

A. Fuzzing
B. …

Conclusions

❖ IT risk must:
  ❖ Take a complete look at technology across the enterprise
  ❖ Be grounded in business risk and business context
❖ IT risk measures:
  ❖ Use quantitative factors in addition to the qualitative measures
  ❖ Focus on the maturity of the risk assessment over time
  ❖ Involve and educate the IT organisation in the risk assessment process
❖ Use IT risk to:
  ❖ Drive the audit plan
  ❖ Enable the entire audit organisation to assess risk

Activity

• Risk description from high-level scenarios
• Template file: Risk Description-form
• Groups of 2/3 people
• The top five practices get a medal!

Scenarios (IT Risk Scenario Development):

IT programme selection
New technologies
Technology selection
IT investment decision making
Accountability over IT
Integration of IT within business processes
State of infrastructure technology
Ageing of application software
Architectural agility and flexibility
Regulatory compliance
Software implementation
IT project termination
IT project economics
Project delivery
Project quality
Selection/performance of third-party suppliers
Infrastructure theft
Destruction of infrastructure
IT staff
IT expertise and skills
Software integrity
Infrastructure (hardware)
Software performance
System capacity
Ageing of infrastructural software
Malware
Logical attacks
Information media
Utilities performance
Industrial action
Data(base) integrity
Logical trespassing