Using Risk Management to Keep Your Boss Out of Jail

Due Diligence and Fiduciary Duty




                              Thomas R. Peltier
              Using Risk Management to Keep Your Boss out of Jail
                                 29 April 2008




Abstract
• An effective risk management process is critical to
  successful business operations; not just protecting data
  assets, but also protecting the ability of the enterprise to
  meet its missions and objectives. In this open forum we
  will examine and discuss how risk analysis may support
  management’s due diligence needs, then discuss how
  management can furthermore meet its fiduciary duty to
  protect the organization’s assets.


Agenda

– Risk Management
    • Risk Analysis
    • Risk Assessment
    • Risk Mitigation
– Vulnerability assessment





Risk Management
• Risk management is made up of four distinct processes: risk
  analysis, risk assessment, risk mitigation, and vulnerability
  assessment and controls evaluation.
   – Risk Management - The total cost to identify, control and
     minimize the impact of uncertain events. The objective of risk
     management is to reduce risk to an acceptable level. Support of
     this process by senior management is a demonstration of their
     due diligence.
   – Risk Analysis - A technique used to identify and assess factors
     that may jeopardize the success of a project or the achievement
     of a goal. Another term for this process is a project impact
     analysis (PIA).



Risk Management
– Risk Assessment - A process in which vulnerabilities, threats,
  likelihood, loss or impact, and the theoretical effectiveness of
  security measures are examined. This is a process to
  evaluate threats and vulnerabilities, known and postulated,
  to determine expected loss and establish the degree of
  acceptability to system operations.
– Risk Mitigation - The process in which an organization
  implements controls and safeguards to prevent identified
  risks from ever occurring, while at the same time
  implementing a means of recovery should the risk become
  a reality in spite of all efforts.






Risk Management
– Vulnerability Assessment and Controls
  Evaluation - Systematic examination of a critical
  infrastructure, the interconnected systems on
  which it relies, its information, or product to
  determine the adequacy of security measures,
  identify security deficiencies, evaluate security
  alternatives, and verify the adequacy of such
  measures after implementation.

Risk Management
• Senior management must ensure that the enterprise has the
  capabilities needed to accomplish its mission or business
  objectives. As we will see, the senior management of a
  department, business unit, group or other such entity is
  considered to be the functional owner of the enterprise’s assets
  and, as part of its fiduciary duty, must act in the best interest
  of the enterprise by implementing reasonable and prudent
  safeguards and controls. Risk management is the tool that will
  assist them in that task.






Risk Management
• Risk Management as Part of the Business Process - The term
  “system development life cycle (SDLC)” seems to have been
  structured to meet the needs of the information technology
  organization, and therefore anything associated with the SDLC
  must be an IT process.
• Risk management is a business process, and all business decisions
  should have a business development life cycle (BDLC).
• The BDLC allows for those elements that make up information
  technology development, but also takes into account normal
  business decisions.

Risk Management
SYSTEM DEVELOPMENT LIFE CYCLE PHASES
[Diagram: risk management activities mapped across the SDLC phases
Analysis, Design, Construction, Test, Production and Maintenance;
reconstructed here as one line per activity stream.]

– Risk Analysis: pre-screening process (Analysis) → review FRAAP
  findings (Maintenance)
– Risk Assessment: safeguards approved by owner (Design) →
  safeguards implemented and review FRAAP (Construction) →
  safeguards tested (Test) → conduct vulnerability assessment
  (Maintenance)
– Business Impact Analysis (BIA): criticality list approved by
  management (Design) → begin BCP plan (Test) → annual BCP
  review (Maintenance)
– Information classification identification: build adequate
  access control process (Construction) → review access control
  lists (Maintenance)




                            Risk Analysis


                              Due Diligence


                    Risk Analysis
• Risk analysis is a technique used to identify and assess factors
  that may jeopardize the success of a project or achieving a
  goal.
• Another term for this process is a project impact analysis.
• This process will require a cost-benefit analysis be conducted.
• The cost-benefit process should incorporate the features and
  benefits of the asset or process under review.








Risk Analysis
• Part of the review will examine the costs of the project.
• These costs include procurement and/or development.
• Operation and maintenance costs, which include:
  documentation development; user and infrastructure support
  training; and possible upgrades.
• Other costs that must be factored into the analysis are
  conversion or migration costs.
• All costs are examined both in dollars and staffing
  implications.

Risk Analysis
• While it is important to consider all of the elements of
  cost in deciding to move forward, procurement is just
  one variable.
• The cost of not moving forward with the new project
  must be factored into the analysis process.








Risk Analysis
• What would be the impact to the enterprise if it was decided to
  delay or not approve the project?
• How would not moving forward impact the competitive
  advantage of the organization?
• How would this decision impact the ability to meet the mission
  of the enterprise?
• How would strategic business partners, suppliers, vendors and
  other stakeholders be impacted?


                   Risk Analysis
• Another important factor to consider in this process is the
  impact of regulatory compliance issues.
• The new project should, whenever possible, enhance
  regulatory requirements.
• Sometimes a new idea or concept is drafted by a department,
  such as Marketing, and it gains support and management
  acceptance before the infrastructure, budget and security
  personnel get the opportunity to perform a project impact
  analysis.






                   Risk Analysis
• Whenever money or resources are to be spent, a risk analysis
  should be conducted.
• This will provide the business reasons that should be used to
  justify the decision to move forward.
• This is a way that management can demonstrate that due
  diligence has been performed.




Risk Analysis
• The output from the risk analysis process will
  be used twice.
   – The first time is when decisions need to be made.
   – Typically the only other time the results would be
     examined is when the enterprise is being examined by a
     third party and management is asked to show its decision-
     making process.







Risk Analysis
• For risk analysis and risk assessment the need to demonstrate
  due diligence is an important factor.
• However, the over-riding reason to conduct these processes is
  that it makes good business sense.
• The enterprise proceeds on certain paths based on need and the
  ability of the organization to meet those specific business or
  mission needs.




Project Impact Analysis Questionnaire

Issue (each issue is recorded with an Applicable Y/N column and a
Comments column):
• Identify any existing requirements in the baseline that conflict
  with the proposed change.
• Identify any other pending requirement changes that conflict with
  the proposed change.
• What are the consequences of not making the change?
• What are possible adverse side effects or other risks of making the
  proposed change?
• Will the proposed change adversely affect performance requirements
  or other quality attributes?
• Will the change affect any system component that affects critical
  properties such as safety and security, or involve a product change
  that triggers recertification of any kind?
• Is the proposed change feasible within known technical constraints
  and current staff skills?
• Will the proposed change place unacceptable demands on any computer
  resources required for the development, test, or operating
  environments?
• Must any tools be acquired to implement and test the change?
• How will the proposed change affect the sequence, dependencies,
  effort, or duration of any tasks currently in the project plan?
• Will prototyping or other user input be required to verify the
  proposed change?
• How much effort that has already been invested in the project will
  be lost if this change is accepted?
• Will the proposed change cause an increase in product unit cost,
  such as by increasing third-party product licensing fees?
• Will the change affect any marketing, manufacturing, training, or
  customer support plans?
Risk Analysis Report
1. Name of project and brief description
2. Project champion/owner
3. Business reason or need for project
4. Estimated cost of project
   – Money
   – Time
   – Resources
5. Regulatory impact
6. Infrastructure impact
7. Maintenance cost
8. Time line





Risk Assessment
• Risk is a function of the probability that an identified threat
  will occur and then impact the mission or business objectives
  of an organization.
   – Risk Management encompasses seven primary steps:
       •   Asset definition
       •   Threat identification
       •   Probability of occurrence
       •   Impact analysis
       •   Risk level identified
       •   Control recommendations
       •   Results documentation

Risk Assessment
1. Asset definition – the first step is to define the scope of the
   effort. In this step the boundaries of the asset to be analyzed
   are set.
   – The boundaries of the system, application, platform or
      business process are to be established.
   – Include all related information (hardware, software,
      interfaces, data, persons, and information).
   – Asset mission








Risk Assessment
1. Asset definition (continued)
   – To gather the relevant information, you can use
     any of the following techniques:
       • Questionnaires
       • On-site interviews
       • Document review (policy statements, legislation,
         requirements, directives, etc.)
       • Scanning tools (network mapping)

Risk Assessment
2. Threat identification – a threat is the potential for a particular
   event to successfully exercise a particular vulnerability.
   – Threat – an undesirable event that could impact the
      business objectives or mission of the risk assessment asset.
   – Vulnerability – a weakness in a system or control that can
      be exploited to violate the system’s intended behavior.
   – Impact – the effect or result of an event occurring that
      affects the business objective or mission of the enterprise.
   – Probability – the likelihood that an event will occur.





Risk Assessment
• Common threat categories
   – Natural threats – floods, earthquakes, tornadoes, landslides,
     avalanches, electrical storms, and other such events.
   – Human threats – events that are either enabled by or caused
     by human beings, such as unintentional acts (inadvertent
     information entry) or deliberate actions (network based
     attacks, malicious software, unauthorized access to
     confidential information).
   – Environmental threats – long-term power failure, pollution,
     chemicals, liquid leakage.
                        Risk Assessment
• Create a complete list of threats
     –    Brainstorming
     –    Checklist
     –    Historical data
     –    Annual rates of occurrence
           • Law enforcement
           • Insurance underwriters
           • National weather centers





Source                      Motivation                           Threat
External hacker             Challenge; ego; game-playing         System hacking; social engineering;
                                                                 dumpster diving
Internal hacker             Deadline; financial problems;        Trap-door; fraud; poor documentation
                            disenchantment
Cracker                     Destruction of information;          Spoofing; system intrusion;
                            monetary gain; unauthorized data     impersonation; denial of service attack
                            alteration
Terrorist (environmental)   Revenge; greenmail; strident cause   System attack; social engineering;
                                                                 letter bombs; viruses; denial of service
Poorly trained employees    Unintentional errors; programming    Corruption of data; malicious code
                            errors; data entry errors            introduced; system bugs; unauthorized
                                                                 access
             Risk Assessment
3. Probability of occurrence
  – To derive an overall likelihood that indicates
    the probability that a potential threat may be
    exercised within the risk assessment asset it
    will be necessary to define probability
    categories:







Risk Assessment
Term              Definition
Probability       A measure of how likely a threat may occur.
Threshold Level
  High            Very likely that the threat will occur within the next year.
  Medium          Possible that the threat will occur within the next year.
  Low             Highly unlikely that the threat will occur within the next year.




Risk Assessment
4. The next major step in measuring the level of risk a threat
   poses is to determine the impact if the threat were to occur.
• Before obtaining the impact value, it is necessary to ensure
   that the scope has defined:
   – The mission
   – The level of controls to be considered (usually this step
      would be done as if no controls were in place).
       • This step can then be repeated with existing or selected
           controls in place to see if the risk level is reduced
           to an acceptable level.




Risk Assessment
Term              Definition
Impact            The effect of a threat being carried out on an asset – expressed in
                  tangible or intangible terms.
Threshold Level
  High            Entire mission or business is impacted.
  Medium          Loss limited to single business unit or business objective.
  Low             Business as usual.




Risk Assessment
5.    The purpose of this step is to assign the risk level based on
      the results of the probability and impact review:
     – The likelihood that a given threat may occur
     – The magnitude of the impact should a threat occur
     – The adequacy of the controls in place or selected








Risk Assessment
Risk level matrix: probability (rows) against impact (columns). The
coloured cells of the original slide did not survive extraction.

                         IMPACT
PROBABILITY      Low        Medium       High
  High
  Medium
  Low




Risk Assessment
Color    Risk Level    Action
         High          Requires immediate action
         Medium        May require action, must continue to monitor
         Low           No action required at this time
(The colour swatches of the original slide did not survive extraction.)








                                                      Regulatory                                                              Health & Safety
     Category                  Image                                            Revenue                   Expense
                                                      Compliance
                       •Significant,
                       sustained negative
                                                 •Criminal penalties
                       International or                                                              •Increase in costs
                                                 or fines greater than
                       national media                                      •Irrevocable direct       (i.e., maintenance,
                                                 $10M
5   Severe             exposure                                              loss of revenue        labor, supplier fees,   •Loss of life or limb
                                                 •Major regulatory
                       •Loss of alliance                                   greater than $10M          etc.) greater than
                                                 sanctions, criticism,
                       partners (e.g., Nestle)                                                               $10M
                                                 actions
                       •Loss of operating
                       participants

                       •Ongoing negative
                        Ongoing
                                                                                                     •Increase in costs
4  Major          • regional or national media exposure
                  • Key alliances are threatened
                  • Penalties or fines of $2M-$10M
                  • Irrevocable direct loss of revenue $2M-$10M
                  • Increase in costs (i.e., maintenance, labor, supplier fees, etc.) $2M-$10M
                  • Severe injuries, requires hospitalization

3  Moderate       • Ongoing (but less than 2 weeks) negative local media exposure
                  • Penalties or fines of $500K-$2M
                  • Irrevocable direct loss of revenue $500K-$2M
                  • Increase in costs (i.e., maintenance, labor, supplier fees, etc.) $500K-$2M
                  • Cuts and bruises, requires first aid

2  Minor          • Degradation in quality of service or products
                  • Limited negative local media exposure
                  • Penalties or fines of $100K-$500K
                  • Irrevocable direct loss of revenue $100K-$500K
                  • Increase in costs (i.e., maintenance, labor, supplier fees, etc.) $100K-$500K
                  • Major exposure to unsafe work or building environment

1  Insignificant  • Reputation inconsistent with desired brand image
                  • No press coverage
                  • Penalties or fines of less than $100K
                  • Irrevocable direct loss of revenue less than $100K
                  • Increase in costs (i.e., maintenance, labor, supplier fees, etc.) less than $100K
                  • Little or no negative impact
                  • Minor exposure to unsafe work environment
                      Risk Assessment

Category                                           Weight   Grade         Score
Impact to Employee or Student Health and Safety:     5.0    0 1 2 3 4 5
Impact to Image:                                     4.5    0 1 2 3 4 5
Legal and/or Regulatory Compliance Impact:           4.0    0 1 2 3 4 5
Impact to Revenue:                                   3.5    0 1 2 3 4 5
Impact to Cast Productivity:                         3.0    0 1 2 3 4 5
                                                                    Risk Rating:
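The worksheet above, worked through in code. This is an added example, not material from the presentation; it assumes that score = weight x grade and that the Risk Rating is the sum of the scores (the sheet shows the columns but not the arithmetic), and it derives grades for the dollar-denominated categories from the bands in the impact table, treating amounts above $10M as level 5 since that row is outside this excerpt.

```python
# Added example (not from the presentation): a risk-rating worksheet that
# derives grades from the impact table's dollar bands and applies the
# weighted scoring sheet. Assumptions, labelled here:
#  - score = weight x grade; Risk Rating = sum of the scores;
#  - the visible bands give levels 1-4; amounts of $10M or more are
#    assigned level 5, the top of the 0-5 grade scale.
from dataclasses import dataclass

# Weights copied from the scoring sheet.
WEIGHTS = {
    "health_safety": 5.0,
    "image": 4.5,
    "legal": 4.0,
    "revenue": 3.5,
    "productivity": 3.0,
}

# (upper bound of band, level) from the impact table; a boundary amount
# falls into the higher band.
DOLLAR_BANDS = [(100_000, 1), (500_000, 2), (2_000_000, 3), (10_000_000, 4)]

def dollar_level(amount: float) -> int:
    """Map a fine, revenue-loss or cost estimate to the 1-5 impact level."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    for upper, level in DOLLAR_BANDS:
        if amount < upper:
            return level
    return 5  # assumption: beyond the largest band visible on the slide

@dataclass
class Threat:
    name: str
    grades: dict  # category -> grade 0..5, one entry per WEIGHTS key

    def scores(self) -> dict:
        """Per-category score = weight x grade, rejecting out-of-range grades."""
        out = {}
        for cat, weight in WEIGHTS.items():
            g = self.grades.get(cat, 0)
            if not 0 <= g <= 5:
                raise ValueError(f"{cat}: grade {g} outside 0..5")
            out[cat] = weight * g
        return out

    def rating(self) -> float:
        """Risk Rating: the sum of the category scores."""
        return sum(self.scores().values())

def prioritize(threats):
    """Order threats so the highest risk rating is treated first, which is
    the prioritisation the mitigation slides call for."""
    return sorted(threats, key=lambda t: t.rating(), reverse=True)
```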




                     Risk Assessment
During this step, the risk assessment team will
 determine which security controls generally could
 best reduce the threat risk level to a more acceptable
 level. There are a number of sources for standards
 that can assist the risk assessment team in
 establishing an effective set of controls. These
 sources might include some of the following:


                     Risk Assessment
   – Information Technology – Code of Practice for Information Security
     Management (ISO/IEC 27002)
   – Security Technologies for Manufacturing and Control Systems (ISA-
     TR99.00.01-2004)
   – Integrating Electronic Security into Manufacturing and Control Systems
     Environment (ISA-TR99.00.02-2004)
   – Federal Information Processing Standards Publications (FIPS Pubs)
   – National Institute of Standards and Technology
   – CobiT® Security Baseline
   – Health Insurance Portability and Accountability Act (HIPAA)
   – The Basel Accords
   – Privacy Act of 1974
   – Gramm Leach Bliley Act (GLBA)
   – Sarbanes-Oxley Act (SOX)
   – Information Security for Banking and Finance (ISO/TR 13569)
   – FFIEC Examination Guidelines


                   Risk Assessment
6. Controls recommendations
  –    During this step the controls that could mitigate or eliminate the
       identified risks, as appropriate to the organization's operations,
       are identified.
  –    The goal of the recommended controls is to reduce the level of
       risk to an acceptable level.
  –    The following factors should be considered in recommending
       controls and alternative solutions to minimize or eliminate
       identified risks:
      •    Effectiveness of recommended controls
      •    Legislation and regulation
      •    Operational impact
      •    Safety and reliability

                Risk Assessment
•   The expenditure on controls must be balanced
    against business harm.
•   The risk assessment technique should be applied
    across the enterprise.
•   The output from the risk assessment will lead the
    enterprise to identify controls and safeguards that
    could reduce the level of threat occurrence.


         Cost – Benefit Analysis
• To allocate resources and implement cost-effective controls,
  organizations, after identifying all possible controls and
  evaluating their feasibility and effectiveness, should conduct a
  cost-benefit analysis.
• This process should be conducted for each new or enhanced
  control to determine whether the recommended control is appropriate
  for the organization.
• A cost-benefit analysis should determine the impact of
  implementing the new or enhanced control and then determine
  the impact of not implementing the control.

           Cost – Benefit Analysis
• Remember that one of the long-term costs of any control is the requirement
  to maintain its effectiveness. It is, therefore, necessary to factor this cost
  into the benefit requirement of any control. When performing a cost-
  benefit analysis it will be necessary to consider the cost of implementation
  based on some of the following:
   – Costs of implementation including initial outlay for hardware and
      software.
   – Reduction in operational effectiveness.
   – Implementation of additional policies and procedures to support the
      new controls
   – Cost of possibly hiring additional staff or at a minimum, training
      existing staff in the new controls
   – The cost of education support personnel to maintain the effectiveness
      of the control
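The cost-benefit check described on this and the previous slide, carried through for several candidate controls. This is an added example, not from the presentation; it assumes the analyst supplies each of the listed cost factors as a dollar figure, that the recurring factors are paid every year of the planning horizon, and that "business harm" is expressed as expected annual loss before and after the control, so the loss that remains with the control in place is the residual risk.

```python
# Added example (not from the presentation): a cost-benefit check that
# carries the long-term cost of keeping a control effective alongside its
# initial outlay, as the slide emphasises. Assumptions, labelled here:
#  - the cost factors listed on the slide are dollar figures supplied by
#    the analyst; recurring ones are paid each year of the horizon;
#  - "business harm" is expected annual loss before and after the control;
#    the loss that remains with the control in place is the residual risk.
from dataclasses import dataclass

@dataclass
class ControlCosts:
    name: str
    initial_outlay: float        # hardware and software, one-time
    lost_effectiveness: float    # reduction in operational effectiveness, per year
    policies_procedures: float   # additional policies and procedures, one-time
    staffing_or_training: float  # new staff or training existing staff, per year
    support_education: float     # educating support personnel, per year

    def total_cost(self, years: int) -> float:
        """One-time costs plus recurring costs over the planning horizon."""
        if years < 1:
            raise ValueError("horizon must be at least one year")
        one_time = self.initial_outlay + self.policies_procedures
        recurring = (self.lost_effectiveness + self.staffing_or_training
                     + self.support_education)
        return one_time + recurring * years

def net_benefit(control: ControlCosts, years: int,
                loss_without: float, loss_with: float) -> float:
    """Harm avoided over the horizon minus the control's total cost.
    Positive means the expenditure is balanced by the harm it prevents."""
    if loss_with > loss_without:
        raise ValueError("a control must not increase expected loss")
    return (loss_without - loss_with) * years - control.total_cost(years)

def recommend(candidates, years: int, loss_without: float):
    """candidates: list of (ControlCosts, residual annual loss with it).
    Returns (name, net benefit, residual loss) for the controls worth
    implementing, best first; controls costing more than the harm they
    prevent are dropped."""
    ranked = sorted(
        ((net_benefit(c, years, loss_without, residual), c, residual)
         for c, residual in candidates),
        key=lambda r: r[0], reverse=True)
    return [(c.name, nb, residual) for nb, c, residual in ranked if nb > 0]
```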


                   Risk Assessment
7. Results Documentation
   –     Once the risk assessment has been completed, the results
         should be documented in an official report or briefing.
   –     A risk assessment management report that helps senior
         management, the business owner, make decisions on
         policy, procedural, budget and system and management
         changes.
   –     Unlike an audit or investigation report, which looks for
         wrongdoing, a risk assessment report should not be
         presented in an
                 Risk Mitigation


        Acceptable Level of Risk


                    Risk Mitigation
• Risk Mitigation
   – Risk mitigation is a systematic methodology used by senior
     management to reduce mission risk.
   – Risk mitigation can be achieved through any of the following options:
       • Risk Assumption – to accept the potential risk and continue
         operating or to implement controls to lower the risk to an
         acceptable level.
       • Risk Avoidance – to avoid the risk by eliminating the risk cause
         and/or consequences (such as forgoing certain functions of the
         system or shutting down the system when risks are identified).



                     Risk Mitigation
• Risk Mitigation (continued)
   – Risk mitigation can be achieved through any of the following options:
       • Risk Limitation – to limit the risk by implementing controls that
         minimize the adverse impact of a threat's exercising a vulnerability
         (such as use of avoidance, assurance, detective or recovery
         controls).
       • Risk Planning – to manage risk by developing a risk mitigation
         plan that prioritizes, implements, and maintains controls.
       • Risk Transference – to transfer the risk by using other options to
         compensate for the loss, such as purchasing insurance.



                     Risk Mitigation
  • The business objectives and mission of
    an organization should be considered in
    selecting any of these risk mitigation
    options.
  • It may not be practical to address all
    identified risks, so priority should be
    given to the threats identified in the risk
    level determination process.
              Control Categories
Control Category    CONTROLS
Avoidance           Encryption and authentication
                    System security architecture
                    Facilitated risk analysis and assessment process
                    Information awareness program
                    Information security program
                    Interruption prevention
                    Policies and standards
                    Public key infrastructure
                    Secure application architecture
                    Secure communications plans




                   Control Categories
Assurance           CONTROLS
                    Application security review
                    Standards testing
                    Penetration testing
                    Periodic perimeter scans
                    Vulnerability assessment
Detection           CONTROLS
                    Intrusion detection
                    Remote intrusion monitoring
Recovery            CONTROLS
                    Business continuity planning
                    Business impact analysis
                    Crisis management planning
                    Disaster recovery planning
                    Incident response procedures
                    Investigation tools




                       Control Categories
Security Category   CONTROLS
Management          Risk assessment
                    Security planning
                    System and service acquisition procedures
                    Control vulnerability assessment
                    Processing authorization
Operational         CONTROLS
                    Personnel security
                    Physical and environmental controls
                    Continuity planning
                    Configuration management
                    Hardware and software maintenance
                    System integrity
                    Media protection
                    Incident response
                    Security awareness program




                     Control Categories
Technical           CONTROLS
                    Identification and authentication
                    Logical access control
                    Audit trails and logs
                    Communication protection
                    System protection




                        Residual Risk
• The risk remaining after the implementation of new or
  enhanced controls is the residual risk.
• Practically no system is risk free, and not all implemented
  controls can eliminate the risk they are intended to address or
  reduce the risk level to zero.




Source GAO/AIMD 98-68
                            Summary

• Risk Management is made up of four key
  elements:
    –   Risk Analysis
    –   Risk Assessment
    –   Risk Mitigation
    –   Compliance Checking or Vulnerability Assessment


              Conclusion
Comments?

Questions?

Rebuttals?
