Change Management Telenor Pakistan - PDF by vws19007

Security risk management in a business context
Erik Wisløff, CISA, CISM
Group Risk, Telenor ASA

1st Dutch Workshop in Information Risk Management
University of Twente - 31st June 2007




Roadmap

1. Context:
   • About Telenor

2. Perspective:
   • Business and security risk management

3. Case:
   • An IS-division’s approach to risk management

Voiced opinions are mine, not necessarily those of Telenor




123 million mobile subscriptions

Subscription figures in millions - 100% figures for all companies

Quarter     Q1 2005  Q2 2005  Q3 2005  Q4 2005  Q1 2006  Q2 2006  Q3 2006  Q4 2006  Q1 2007
Millions         60       67       75       83       90       96      105      115      123








Telenor’s mobile world

Norway        Telenor            100%
Denmark       Sonofon            100%
Sweden        Telenor            100%
Hungary       Pannon             100%
Montenegro    Promonte           100%
Serbia        Telenor            100%
Austria       One                17.5%
Ukraine       Kyivstar           56.5%
Russia        VimpelCom          29.9%
Pakistan      Telenor Pakistan   100%
Bangladesh    GrameenPhone       62.0%
Thailand      DTAC               73.2% (*)
Malaysia      DiGi               61.0%

* Economic exposure




Social responsibility

• Customers shall be confident that the Group conducts business in an ethically responsible manner

• Investors expecting high standards of social commitment shall prefer Telenor

• Employees shall be proud of the way in which the Group manages its social responsibilities








A commercial business creates value

Value creation = (profit * growth) @ risk




Security should support value creation

• Defend value creation, e.g.
  – Safeguard assets, protect against crime
  – Protect against loss of reputation by security incidents

• Bolster the business model, e.g.
  – Trusted systems as default
  – Trustworthy systems when required
  – Be socially responsible








Risk is two-sided.
Security and business managers are not.

Risk
• The chance of something happening that will have an impact on objectives.

Risk Management
• Culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.

[Figure: a probability curve over outcomes running from Loss through Expected return to Gain, with a bracket labelled "Risk Management focus".]




Business driven security risk management

[Figure: Confidentiality, Integrity and Availability linked through "Control adverse effects" and "Realise gains" to "Value creation".]

Value creation = (profit * growth) @ risk





Security risk management is difficult

• Utility:
  – Who foots the bill?
  – Who reaps the benefits?
  – Who shares what with whom?

• Time line:
  – Who decides the time line?

• Responsibility:
  – Who treats the risk?
  – Who owns the risk?

(Side panel, the assessment questions: What can happen? Why does it happen? How often? What is the impact? What to do?)




Achieving business driven security is “easy”

• Business determines system objectives
  – Business model
  – Security policy

• Perform system wide security risk management
  – Risk assessment during system development
  – Risk treatment according to policy

• Aggregate across all business areas/divisions

• Assess risk exposure in context of external environment

• Iterate…







Can you standardize security risk management?

• What is “the system”?
• When is security required?
• Where to apply security?
• Why bother?
• Who cares?
• How to implement policy?
• Is it profitable to all?




You can standardize (some) concepts

• “Risk” as a negative concept, e.g.
  – Risk is the chance of a loss or a negative experience

• “Risk” as a neutral concept, e.g.
  – Risk = probability * consequence

• “Risk” as a positive concept, e.g.
  – Risk is the chance of a gain or a positive experience








You can’t standardize risk perception

• Some parameters that determine how I perceive risk
  – Have I chosen to undertake the risk?
  – Do I have prior experience with the risk?
  – Am I in control?
  – Are children involved?
  – What’s in it for me?
  – Is my primal brain in control?




You can standardize simple models

• Risk = f(event, probability, impact)
  – Impact is a non-zero value
  – 0 < probability < 1
  – Functions: additive, multiplicative








You can’t standardize complex models

• Risk = f(event, probability, impact, perception, time, actor)
  – Associative functions
  – Communicating the risk defines the risk
  – My opportunity is your threat
  – A threat today, an opportunity tomorrow

Risk: Variability, uncertainty – or both?
A particular standard for a particular model

[Figure: the AS/NZS 4360:2004 risk management process: Establish context → Identify risks → Analyse risks → Evaluate risks → Treat risks, with "Communicate and consult" and "Monitor and review" running alongside every step. Related standards shown: JIS Q 2001:2001 and NS 5814:1991.]

Formal standard: AS/NZS 4360:2004 (risk = threat or opportunity)
Auditing standard: COSO ERM (risk = a threat)




Telenor’s Risk Management Process is a generic process based on AS/NZS 4360:2004

State your goals → Assess risks → Decide risk strategy → Implement strategy → Monitor the results
Communicate throughout




Risk assessment is a generic activity within the risk management process

Assess risks, expanded: Scope the work → Identify events → Map risk level → Management acceptance → Propose risk strategy

State your goals → Assess risks → Decide risk strategy → Implement strategy → Monitor the results
Communicate throughout








Security risk management in a business context

• Security management requires input
  – Business goals
  – Security policy
  – Actor perspectives, perceptions and objectives
  – System description, timeframe

• Risk assessments are crucial
  – Understanding risk exposure
  – Treatment suggestions
  – Fostering action (dynamics)




Desired risk assessment output 1: Risk map

Consequence \ Likelihood   Rare   Occasional   Intermittent   Frequent
Very high gain                                                  O2
High gain
Medium gain                                    O1               O3
Moderate gain
Moderate loss                     T2                            T7
Medium loss                                    T1, T8           T3, T6
High loss                  T9                                   T4
Very high loss                    T5








Desired risk assessment output 2: Recommended treatments

ID   Recommended / planned treatment   Target effect: Consequence   Target effect: Likelihood
1
3




Desired risk assessment output 3: Foster action

Action = f(motivation, commitment, anticipation)








Collate security risk from all areas

[Figure: “The business” drawn as a box containing Operations, Sales, Human resources and Information systems.]




Consider objectives and environment

[Figure: “The business” drawn as a box containing Operations, Sales, Human resources and Information systems, with the External environment outside the box.]








Treat risk and/or update security policies

[Figure: “The business” drawn as a box containing Operations, Sales, Human resources and Information systems, with the External environment outside the box.]




Case: IS division of Telenor Nordic

[Figure: “Telenor Nordic” drawn as a box containing Operations, Sales, Human resources and Information systems, with the External environment outside the box.]








Security risk management embedded in a business driven change management process

Master change → RM Screening → Risk assessment → Design, code and roll out




Update risk registers

System class → Risk assessment (per system) → Basis for risk assessment, Update risk map
Master change → RM Screening → Risk assessment → Design, code and roll out








Aggregate

IS portfolio → Aggregate risk map
System class → Risk assessment (per system) → Basis for risk assessment, Update risk map
Master change → RM Screening → Risk assessment → Design, code and roll out




Example: summary portfolio risk report

[Table: Portfolio xyz, one column per SYSTEM (headed Level 1 to Level 5), one row per assessment theme; each cell holds a High / Medium / Low rating (colour-coded on the original slide) or NA, with a "Total per system" row at the bottom.]

Assessment themes (specific assessment per theme):
  Technology – access control
  Regulatory – Contracts
  Personnel – Management/Organization
  Finance – Market/Customers
  Total per system

Legend: High, Medium, Low






Some learning points

• Understand how value is created and costs are shared

• “Good enough” is better than perfect in a business setting

• Timing and perspective do matter

• Risk communication is crucial
  – Don’t be a scare monger; be factual, speak in plain language
  – Visualize risk exposure
  – Recommend a course of action – but the decision maker decides




Static vs. dynamic security risk management

Static                      Dynamic
Risks are a threat          Risks are opportunities
Do things the right way     Do the right thing
Make a secure system        Make a profitable system








A business focussed security risk manager

• Understands the business
  – Customers: what are their needs
  – Business model: Sharing costs and gains
  – Dynamics: timing, actors, objectives

• Understands the value chain
  – Assets: Protect that which needs protection
  – Actors: Perspectives, needs, mental models

• Understands the system
  – Goal: Trusted or trustworthy
  – Policy: Static or dynamic




Security isn’t about risk avoidance, it’s about risk management
(Microsoft TechNet, November 2000)







Thank you
Erik Wisløff, CISA, CISM
Telenor ASA, Group Risk

erik:wisloff () telenor;com

No aspirations, no risk.
No risk, no security requirements.



