A Balancing Act Between Risk Appetite and Risk Tolerance

Federal Information Systems Security Educators’ Association Conference

March 2005

Ezra Cornell Duong-Van
Director, Strategic Marketing
BindView Corporation
IT Risk Analysis and Management

[Diagram: Threat, Vulnerability and Impacts feed Risk Analysis, which yields Risks; Risk Management applies Countermeasures to those Risks.]
2
Detail of IT risk

[Diagram: four facets of RISK]
• Compliance: Am I meeting regulatory requirements?
• Vulnerability: What is the exposure to my systems?
• Configuration: Are my systems configured securely?
     – Servers
     – OS
     – Data
     – Infrastructure
• Identity: Do my users have appropriate rights?
     – Users
     – Groups
     – Directory
     – Access Control
3
Return on Security Investment

Countermeasure   Purchase Cost   Life Expectancy   Annual Maintenance   Annual Cost   Risk of Deployment   Effectiveness   ROSI
Door Lock        $50             10                $0                   $5            Low                  Low             High
Deadbolt         $50             10                $0                   $5            Low                  Low             High
Window Bars      $2000           10                $0                   $20           Med                  Med             Med
Alarm            $100            NA                $300                 $300          Low                  Med             Med
Security Fence   $3000           10                $120                 $310          Med                  High            Med
Guard Dog        $2000           6                 $4000                $1000         High                 High            Low
Armed Guard      $0              NA                $30,000              $30,000       Low                  High            Low
4
Compliance and Cost
• Achieve compliance through improved productivity and efficiency – Point B
     – Replace manual methods with automated processes to reduce Compliance Risk
     – Organizations with limited resources operate more efficiently
• Maintain your compliance level but with greatly reduced cost – Point C
     – Reduce Compliance spending
     – Redirect savings to other compliance efforts
• The reality is that you will experience a combination of B & C

[Figure: Optimizing Compliance. Vertical axis: Compliance Risk; horizontal axis: Cost. Point A marks the Current Experience; points B and C mark the Optimized Experience.]

5
Ideal Compliance Monitoring

[Diagram of the compliance monitoring cycle; recoverable labels, in flow order:]
• Select appropriate internal best practices and external compliance mandates
     – Regulations: NIST, DITSCAP
     – Frameworks: ISO 17799
     – Internal Policies: Business Process, Internal Best Practices
     – Each source yields Mandates
• Generated departmental task lists
     – HR, Acctg., IT Group 1, IT Group 2 (Task 1…, Task 2…, Task 3…, Task 4...)
     – IT Tasks: Servers, Applications, Databases, Users
• Monitor Policy & IT Controls; GAP Analysis
• Consolidate Results
• Generate Reports; Tracked Worklists for Exec, Audit, IT, Other
6
Breadth of Coverage Across IT Stack

• CIA
     – Confidentiality
     – Integrity
     – Availability
• Maximize CIA throughout the whole IT Stack
• Prioritize sections of the stack that pose higher risk
• Evaluate best of breed vs. integrated solutions


7
Changing Concerns

[Figure: IT Stack vs. Time Investment, 2004 and 2005. The IT stack layer labels were not recovered; the six rows read, top to bottom:]

     2004   2005
     10%    30%
     20%    30%
     10%    20%
      5%    10%
     20%     5%
     25%     5%

8
    Risk Management process
    1. Scope definition
      –   Determine processes and risks to be evaluated

    2. Process Walkthrough
      –   Step through the processes to validate them against their goals

    3. Risk Assessment
      –   Execute the processes in the context of risks to be evaluated

    4. Control identification and evaluation
      –   Document IT controls and supplemental manual controls
      –   Document risks identified by these controls

    5. Residual risk assessment
      –   Provide a residual risk assessment for each process
      –   Provide recommendations for remediation

9
     Risk Management Deliverables
     1. Process and sub-process maps
       –   Clearly document the business processes within the engagement
           boundary definition

     2. Business process automation recommendations
       –   Definition of the process, objectives, threats and controls at a
           detailed level

     3. Risk and control matrix
       –   For each process a summary of
           • risk assessments,
           • control ratings and determination of
           • residual risk level

     4. Recommendations
       –   Short, medium and long-term remediation plan
       –   Prioritize remediation efforts

10
Risk reduction solutions

[Matrix: four solution areas (columns) across the Define, Evaluate, Remediate and Sample Solution rows]

Compliance Officer (compliance)
     Define
          • Create policy
          • Maintain policy
          • Enforce Policy
     Evaluate
          • Evaluate against Policy
     Remediate
          • Report
     Sample Solution: Policy Management Product
          • Content
          • Workflow
          • Document Management
          • Link to evidence

IT Operations (configuration)
     Define
          • Enforce Policy
     Evaluate
          • Evaluate against policy
          • Maintain gold standards
     Remediate
          • Remediate
     Sample Solution: Configuration Management Product
          • Link to Policy
          • Gold Standards
          • Baselines
          • Trending
          • Patch Management
          • Alerting
          • Remediation
          • Audit

IT Operations & Security (vulnerability)
     Define
          • Enforce Policy
     Evaluate
          • Evaluate against policy
          • Evaluate against known threats
     Remediate
          • Report
          • Risk Analysis
          • Remediate
     Sample Solution: Security Management Product
          • Link to Policy
          • Gold Standards
          • Baselines
          • Trending
          • Vulnerability Assessment
          • Intrusion Prevention
          • Security event Management
          • Audit

Security & Help Desk (identity management)
     Define
          • Enforce Policy
     Evaluate
          • Administer according to policy
          • Evaluate against policy
     Remediate
          • Remediate
     Sample Solution: Identity Management Product
          • Synchronize identities
          • Manage Access Control
          • Manage directories and OS
          • Password Management
          • Authentication
          • Security event Management
          • Audit
11
Ezra Cornell Duong-Van
Director, Strategic Marketing
BindView Corporation
Ezra.Duong-van@bindview.com
713-561-4274

Contact BindView

General Sales
1-800-813-5869
sales@bindview.com

John Balena, Federal Sales
john.balena@bindview.com
Phone: 713-561-4109




13

								