Security risk management in a business context
Erik Wisløff, CISA, CISM
Group Risk, Telenor ASA
1st Dutch Workshop in Information Risk Management
University of Twente - 31st June 2007
Roadmap
1. Context:
• About Telenor
2. Perspective:
• Business and security risk management
3. Case:
• An IS-division’s approach to risk management
Voiced opinions are mine, not necessarily those of Telenor
123 million mobile subscriptions
[Chart: mobile subscriptions per quarter, Q1 2005 to Q1 2007, rising from 60 to 123 million; values plotted: 60, 67, 75, 83, 90, 96, 105, 115, 123]
Subscription figures in millions - 100% figures for all companies
Telenor’s mobile world
Norway – Telenor 100%
Denmark – Sonofon 100%
Sweden – Telenor 100%
Hungary – Pannon 100%
Pakistan – Telenor Pakistan 100%
Montenegro – Promonte 100%
Bangladesh – GrameenPhone 62.0%
Serbia – Telenor 100%
Ukraine – Kyivstar 56.5%
Thailand – DTAC 73.2% (*)
Austria – One 17.5%
Russia – VimpelCom 29.9%
Malaysia – DiGi 61.0%
* Economic exposure
Social responsibility
• Customers shall be confident that the Group conducts business in an ethically responsible manner
• Investors expecting high standards of social commitment shall prefer Telenor
• Employees shall be proud of the way in which the Group manages its social responsibilities
A commercial business creates value
Value creation = (profit * growth) @ risk
Security should support value creation
• Defend value creation, e.g.
– Safeguard assets, protect against crime
– Protect against loss of reputation by security incidents
• Bolster the business model, e.g.
– Trusted systems as default
– Trustworthy systems when required
– Be socially responsible
Risk is two-sided.
Security and business managers are not.
Risk
• The chance of something happening that will have an impact on objectives.
Risk Management
• Culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.
[Figure: probability distribution of expected return, running from loss to gain, with the risk management focus marked]
Business driven security risk management
[Diagram: Confidentiality, Integrity and Availability → Control adverse effects / Realise gains → Value creation]
Value creation = (profit * growth) @ risk
Security risk management is difficult
• Utility:
– Who foots the bill?
– Who reaps the benefits?
– Who shares what with whom?
• Time line:
– Who decides the time line?
• Responsibility:
– Who treats the risk?
– Who owns the risk?
Assessment questions: What can happen? Why does it happen? How often? What is the impact? What to do?
Achieving business driven security is “easy”
• Business determines system objectives
– Business model
– Security policy
• Perform system wide security risk management
– Risk assessment during system development
– Risk treatment according to policy
• Aggregate across all business areas/divisions
• Assess risk exposure in context of external environment
• Iterate…
Can you standardize security risk management?
• What is “the system”?
• When is security required?
• Where to apply security?
• Why bother?
• Who cares?
• How to implement policy?
• Is it profitable to all?
You can standardize (some) concepts
• “Risk” as a negative concept, e.g.
– Risk is the chance of a loss or a negative experience
• “Risk” as a neutral concept, e.g.
– Risk = probability * consequence
• “Risk” as a positive concept, e.g.
– Risk is the chance of a gain or a positive experience
You can’t standardize risk perception
• Some parameters that determine how I perceive risk
– Have I chosen to undertake the risk?
– Do I have prior experience with the risk?
– Am I in control?
– Are children involved?
– What’s in it for me?
– Is my primal brain in control?
You can standardize simple models
• Risk = f(event, probability, impact)
– Impact is a non-zero value
– 0 < probability < 1
– Functions: additive, multiplicative
You can’t standardize complex models
• Risk = f(event, probability, impact, perception, time, actor)
– Associative functions
– Communicating the risk defines the risk
– My opportunity is your threat
– A threat today, an opportunity tomorrow
Risk: Variability, uncertainty – or both?
A particular standard for a particular model
[Diagram: the generic risk management process: Establish context → Identify risks → Analyse risks → Evaluate risks → Treat risks, with "Communicate and consult" and "Monitor and review" running alongside every step]
Formal standard: AS/NZS 4360:2004 (risk = threat or opportunity)
Auditing standard: COSO ERM (risk = a threat)
Related national standards: JIS Q 2001:2001, NS-5814:1991
Telenor’s Risk Management Process is a generic process based on AS/NZS 4360:2004
State your goals → Assess risks → Decide risk strategy → Implement strategy → Monitor the results
Communicate throughout
Risk assessment is a generic activity within the risk management process
Assess risks, broken down: Scope the work → Identify events → Map risk level → Management acceptance → Propose risk strategy
State your goals → Assess risks → Decide risk strategy → Implement strategy → Monitor the results
Communicate throughout
Security risk management in a business context
• Security management requires input
– Business goals
– Security policy
– Actor perspectives, perceptions and objectives
– System description, timeframe
• Risk assessments are crucial
– Understanding risk exposure
– Treatment suggestions
– Fostering action dynamics
Desired risk assessment output 1: Risk map
Likelihood (columns): Rare, Occasional, Intermittent, Frequent
Consequence (rows), with the risks plotted in each row:
Very high gain: O2
High gain: (none)
Medium gain: O1, O3
Moderate gain: (none)
Moderate loss: T2, T7
Medium loss: T1, T8, T3, T6
High loss: T9, T4
Very high loss: T5
Desired risk assessment output 2: Recommended treatments
[Table template, columns: ID | Recommended / planned treatment | Target effect on Consequence | Target effect on Likelihood; rows shown for IDs 1 and 3]
Desired risk assessment output 3:
Foster action
Action = f(motivation, commitment, anticipation)
Collate security risk from all areas
[Diagram: “The business” comprising Operations, Sales, Human resources and Information systems]
Consider objectives and environment
[Diagram: “The business” comprising Operations, Sales, Human resources and Information systems, set in the External environment]
Treat risk and/or update security policies
[Diagram: “The business” comprising Operations, Sales, Human resources and Information systems, set in the External environment]
Case: IS division of Telenor Nordic
[Diagram: “Telenor Nordic” comprising Operations, Sales, Human resources and Information systems, set in the External environment]
Security risk management embedded in a business driven change management process
[Process: Master change → RM Screening → Risk assessment → Design, code and roll out]
Update risk registers
Basis for risk assessment: System class
Risk assessment (per system) → Update risk map
[Process: Master change → RM Screening → Risk assessment → Design, code and roll out]
Aggregate
IS portfolio → Aggregate risk map
Basis for risk assessment: System class
Risk assessment (per system) → Update risk map
[Process: Master change → RM Screening → Risk assessment → Design, code and roll out]
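The two-sided risk map of "Desired risk assessment output 1" built from per-system registers and merged into the aggregate portfolio map described on this slide, with the multiplicative simple model from "You can standardize simple models" applied to ordinal ranks; this is an added example, not Telenor's own tooling. The system names, register entries and the rank-based score are constructed assumptions.

```python
"""Two-sided risk map (gain and loss rows) built from per-system risk registers
and aggregated into a portfolio map. Added example, not Telenor's own tooling."""
from collections import defaultdict

LIKELIHOOD = ["Rare", "Occasional", "Intermittent", "Frequent"]
# Consequence axis runs from the largest gain down to the largest loss, as on the slide.
CONSEQUENCE = ["Very high gain", "High gain", "Medium gain", "Moderate gain",
               "Moderate loss", "Medium loss", "High loss", "Very high loss"]

def ordinal_score(likelihood, consequence):
    """Multiplicative simple model on ordinal ranks (assumed proxy for
    probability * impact): opportunities positive, threats negative."""
    l_rank = LIKELIHOOD.index(likelihood) + 1          # 1..4
    c_idx = CONSEQUENCE.index(consequence)
    if c_idx < 4:                                       # gain rows
        return l_rank * (4 - c_idx)
    return -l_rank * (c_idx - 3)                        # loss rows

def risk_map(register):
    """Place each register entry in its (consequence, likelihood) cell."""
    grid = defaultdict(list)
    for entry in register:
        grid[(entry["consequence"], entry["likelihood"])].append(entry["id"])
    return grid

def aggregate(per_system):
    """Portfolio view: merge the system maps, prefixing IDs with the system name."""
    grid = defaultdict(list)
    for system, register in per_system.items():
        for cell, ids in risk_map(register).items():
            grid[cell].extend(f"{system}:{i}" for i in ids)
    return grid

def render(grid):
    """Plain-text grid with gain rows on top and loss rows below, like the slide."""
    width = max(len(c) for c in CONSEQUENCE)
    header = " " * width + " | " + " | ".join(f"{l:<14}" for l in LIKELIHOOD)
    rows = [f"{c:<{width}} | " + " | ".join(
        f"{', '.join(grid.get((c, l), [])):<14}" for l in LIKELIHOOD) for c in CONSEQUENCE]
    return "\n".join([header] + rows)

# Constructed sample registers; IDs follow the slide's T/O naming, placements are invented.
BILLING = [{"id": "T1", "likelihood": "Occasional", "consequence": "Medium loss"},
           {"id": "T5", "likelihood": "Rare", "consequence": "Very high loss"},
           {"id": "O1", "likelihood": "Intermittent", "consequence": "Medium gain"}]
CRM = [{"id": "T3", "likelihood": "Frequent", "consequence": "Medium loss"},
       {"id": "O2", "likelihood": "Occasional", "consequence": "Very high gain"}]

if __name__ == "__main__":
    print(render(aggregate({"billing": BILLING, "crm": CRM})))
```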
Example: summary portfolio risk report
Level 1 | Level 2 | Level 3 | Level 4 | Level 5
Portfolio xyz: SYSTEM, SYSTEM, SYSTEM, SYSTEM, SYSTEM
Assessment themes | Specific assessment per theme (one rating per system)
Technology – access control | ☺ ☺ ☺ ☺ ☺
Regulatory – Contracts | ☺ NA
Personnel – Management/Organization | ☺ ☺ ☺
Finance – Market/Customers | NA NA NA
Total per system | ☺ ☺
Legend: High, Medium, Low (colour-coded rating icons)
Some learning points
• Understand how value is created and costs are shared
• “Good enough” is better than perfect in a business setting
• Timing and perspective do matter
• Risk communication is crucial
– Don’t be a scaremonger; be factual, speak in plain language
– Visualize risk exposure
– Recommend a course of action – but the decision maker decides
Static vs. dynamic security risk management
Static                  | Dynamic
Risks are a threat      | Risks are opportunities
Do things the right way | Do the right thing
Make a secure system    | Make a profitable system
A business focussed security risk manager
• Understands the business
– Customers: what are their needs
– Business model: Sharing costs and gains
– Dynamics: timing, actors, objectives
• Understands the value chain
– Assets: Protect that which needs protection
– Actors: Perspectives, needs, mental models
• Understands the system
– Goal: Trusted or trustworthy
– Policy: Static or dynamic
“Security isn’t about risk avoidance, it’s about risk management”
(Microsoft TechNet, November 2000)
Thank you
Erik Wisløff, CISA, CISM
Telenor ASA, Group Risk
erik:wisloff () telenor;com
No aspirations no risk
No risk no security requirements