
Page 1: Risk View - InfoSec intro

© Rev2 Networks, Inc—Confidential

Rev2

IT Information Security

Risk Management

February 26, 2010

Page 2: Risk View - InfoSec intro


Today’s Discussion

Goals

• Introduce RiskView™, a decision support system which helps identify and focus on business-material risks

• Understand your risk-management focus areas and processes

Agenda

1. Rev2 Introduction

2. RiskView Framework

3. Examples

4. Next Steps

Page 3: Risk View - InfoSec intro


Rev2 Risk Management

• InfoSec Risk

• Supply Chain Risk

• Service Delivery Risk

RiskView replaces ad-hoc processes with a fact-based, scalable, repeatable framework:

• Identify under-controlled risk via business views

• Focus on the most material drivers

• “What-if” controls testing

Page 4: Risk View - InfoSec intro


Today: Plenty of Data But Big Exposure

InfoSec tools and services regularly identify hundreds of thousands of vulnerabilities.

Most companies collect large vulnerability data sets, but still face big material risk in information security.

Value is limited by…

• Data silos

• Inconsistent data

• Wrong metrics

• Changing process

• Inadequate tools

Because…

• Reactive response

• Perception vs. facts

• Wasted money

• On-going vulnerability

How do you prioritize 1 million vulnerabilities?

RiskView provides a fact-based, scalable, repeatable process.

Page 5: Risk View - InfoSec intro


Requirements

Effective risk management requires specialized structures, tools and systems that most companies lack.

Structure: InfoSec risk management requires a formal strategy and organization approach. Key elements include:

• Leadership: to coordinate across business units

• Metrics: consistent metrics for materiality of business impact

• Risks and Policies: to identify risks and define policies to limit exposure

Systems: an on-going formal process is needed to meet goals and execute strategy. Key elements include:

• Compliance: regular evaluations to learn policy compliance and violations

• Risk Updates: regular reviews for materiality score changes

• Measures and Actions: regular risk assessments with next steps to fix key findings

Tools: special tools are required to consistently and efficiently analyze large data sets. Key elements include:

• Risk Algorithm: to calculate materiality scores

• Analytic Engine: to compare risks and identify drivers

• Scenario Testing: to pre-test potential program changes

• Visualization: to facilitate analysis and understanding

Page 6: Risk View - InfoSec intro


Strategic Data

A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.

Normalized Data

The Issue: Risks are measured differently. How to compare them?

The Solution: Create a normalized risk score, based on materiality of adverse business impact.

Different Impacts

The Issue: Risks have different impacts. How to evaluate risk types?

The Solution: Score vulnerabilities on the type of risk they present; differentiate financial, legal, regulatory and reputational impact.

Asset Roles

The Issue: Risk impact varies based on where it occurs. How to recognize the differences?

The Solution: Score impact based on the specific asset at risk; recognize differences in asset value.

Strategic Data supports a fact-based, scalable, repeatable process.

Page 7: Risk View - InfoSec intro


Materiality

Business materiality: does it matter? Three factors combine:

• Susceptibility: the probability of an attempt

• Exploitability: the probability of success

• Impact: the criticality of the intersected asset or business process

We normalize risk scores based on business materiality. The probability of a successful attempt is weighed versus its impact based on the asset’s business criticality.

Page 8: Risk View - InfoSec intro


What is RiskView™?

• A software Risk Data Warehouse platform that collects vulnerability data

• Business-specific modules with customizable views and analytics

• Advanced Visualization to create a packaged decision support system

Highly-extensible platform for fact-based, scalable, repeatable risk management decisions.

Page 9: Risk View - InfoSec intro


RiskView Features

Business Views: Impact/Effect, Cause, Business Unit, Geography/Location, Process

Cost Types: Financial, Reputational, Regulatory, Legal

– Collect and combine risks enterprise-wide

– Normalized scoring based on materiality

– Impact-centric business views

– Pre and post testing for “what if?” and “did it work?”

– Advanced visualization for easy analysis and interpretation

Fact-based, Scalable, Repeatable!
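The materiality scoring on Page 7 (probability of an attempt, probability of success, criticality of the asset hit) and the features listed above (cost types, business views, finding the "critical few", and "what if?" testing of a control) fit together in a short pipeline. The following is an added example, not Rev2's code and not RiskView's algorithm: the multiplicative expected-loss formula, the asset and finding data, the per-asset cost-type weights and the "patch management" control are all assumptions made for illustration, and mapping raw scanner output (a CVSS score, for instance) onto the two probabilities is assumed to have happened upstream.

```python
# Added example: a toy materiality-scoring pipeline in the spirit of the
# RiskView description (normalized scores, business views, "critical few",
# what-if control testing). Illustrative code, not Rev2's algorithm; the
# formula, the asset/finding data and the control below are all assumptions.
from collections import defaultdict
from dataclasses import dataclass, replace

# Cost types named on the slides; the per-asset weights below are assumed.
COST_TYPES = ("financial", "regulatory", "legal", "reputational")


@dataclass
class Asset:
    name: str
    business_unit: str
    geography: str
    criticality: dict  # cost type -> 0..1 (assumed business criticality)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cause: str                # drives the "Cause" business view
    susceptibility: float     # P(attempt), 0..1, assumed already normalized
    exploitability: float     # P(success | attempt), 0..1
    controlled: bool = False  # True if an existing control already neutralises it


# Constructed sample data (not from the page).
ASSETS = {
    "payroll-db": Asset("payroll-db", "Finance", "US",
                        {"financial": 0.9, "regulatory": 0.8, "legal": 0.6, "reputational": 0.5}),
    "marketing-web": Asset("marketing-web", "Marketing", "EU",
                           {"financial": 0.2, "regulatory": 0.1, "legal": 0.1, "reputational": 0.7}),
    "dev-wiki": Asset("dev-wiki", "Engineering", "US",
                      {"financial": 0.1, "regulatory": 0.1, "legal": 0.1, "reputational": 0.2}),
}
FINDINGS = [
    Finding("F1", "payroll-db", "unpatched", 0.6, 0.8),
    Finding("F2", "payroll-db", "weak-auth", 0.5, 0.5),
    Finding("F3", "marketing-web", "unpatched", 0.9, 0.7),
    Finding("F4", "dev-wiki", "unpatched", 0.9, 0.9),
    Finding("F5", "dev-wiki", "weak-auth", 0.3, 0.4),
    Finding("F6", "marketing-web", "misconfig", 0.4, 0.5, controlled=True),
]


def score(f, assets):
    """Per-cost-type materiality: P(attempt) * P(success) * asset criticality.
    Assumed expected-loss form; every factor is in 0..1, so the scores are
    comparable across scanners, assets and cost types without further scaling."""
    p_success = f.susceptibility * f.exploitability
    crit = assets[f.asset].criticality
    return {c: p_success * crit.get(c, 0.0) for c in COST_TYPES}


def total(f, assets):
    """Materiality of one finding summed over all cost types."""
    return sum(score(f, assets).values())


def uncontrolled(findings):
    return [f for f in findings if not f.controlled]


def aggregate(findings, assets, key):
    """A business view: total uncontrolled materiality grouped by key(finding, asset)."""
    totals = defaultdict(float)
    for f in uncontrolled(findings):
        totals[key(f, assets[f.asset])] += total(f, assets)
    return dict(totals)


def critical_few(findings, assets, share=0.8):
    """Rank uncontrolled findings by materiality and return the smallest
    top-ranked set that accounts for `share` of the aggregate."""
    ranked = sorted(uncontrolled(findings), key=lambda f: total(f, assets), reverse=True)
    target = share * sum(total(f, assets) for f in ranked)
    chosen, acc = [], 0.0
    for f in ranked:
        chosen.append(f.finding_id)
        acc += total(f, assets)
        if acc >= target:
            break
    return chosen


def what_if(findings, assets, control):
    """Pre-test a control: treat every finding it neutralises as controlled and
    return (before, after, fractional reduction) of aggregate uncontrolled risk."""
    before = sum(total(f, assets) for f in uncontrolled(findings))
    after_findings = [replace(f, controlled=True) if control(f) else f for f in findings]
    after = sum(total(f, assets) for f in uncontrolled(after_findings))
    return before, after, (1 - after / before) if before else 0.0


if __name__ == "__main__":
    print("by business unit:", aggregate(FINDINGS, ASSETS, lambda f, a: a.business_unit))
    print("by geography:", aggregate(FINDINGS, ASSETS, lambda f, a: a.geography))
    print("by cause:", aggregate(FINDINGS, ASSETS, lambda f, a: f.cause))
    print("critical few (80%):", critical_few(FINDINGS, ASSETS))
    # Assumed control: a patch-management program closing every "unpatched" finding.
    print("what-if patch management:", what_if(FINDINGS, ASSETS, lambda f: f.cause == "unpatched"))
```

Run stand-alone it prints the three business views, the critical few (in this constructed data three of the five uncontrolled findings carry over 80% of the materiality) and the what-if result: closing every "unpatched" finding removes about 76% of uncontrolled materiality. The "did it work?" check is the same computation run on data collected after the change, which is what a date-range filter over successive loads gives you.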

Page 10: Risk View - InfoSec intro


RiskView Examples

Page 11: Risk View - InfoSec intro

Vertical View - InfoSec

Page 12: Risk View - InfoSec intro

Horizontal View - Geography

Page 13: Risk View - InfoSec intro


Business Unit View


Page 14: Risk View - InfoSec intro


Filters = Focus

Not every vulnerability is equal in terms of materiality.

Once aggregate material risk has been identified and unacceptable levels detected, the drivers need to be identified and profiled. Filters:

• Materiality (finding the “Critical Few”)

• What-if (testing)

• Date Range (trending)

Page 15: Risk View - InfoSec intro


Exploded View


Page 16: Risk View - InfoSec intro


RiskView Benefits

• Identify uncontrolled critical risks: typically the reduction is > 50%

• Save money: reduce risk within the current budget, or cut spending without adding risk

• Identify common controls: for one client, a single control eliminated 70% of uncontrolled risk

• Improve staff productivity: only one FTE week per quarter for analysis/administration; analyze up to 200 million vulnerabilities in real time

• Justify budgets and investments: test program investments before the decision and after execution

• Establish a fact base for decision-making

• Determine/assign organization accountabilities

Page 17: Risk View - InfoSec intro


Next Steps: Free Risk Evaluation

We will conduct a limited information security risk evaluation with RiskView:

• Load a set of data, aligned with your policies and procedures

• Analyze and present the findings, along with implications/recommendations

Requirements:

• Aon resources: ~1 day for set-up, plus 1 hour for findings presentation

• Rev2 time: ~2 weeks start to finish