An effective risk management process is critical to successful business operations. It protects data assets, and it protects the ability of the enterprise to meet its missions and objectives. Learn how risk analysis may support management's due diligence needs and how management can support its fiduciary duty to protect the organization's assets.
Using Risk Management to Keep Your Boss Out of Jail
Due Diligence and Fiduciary Duty
Thomas R. Peltier
Using Risk Management to Keep Your Boss out of Jail
29 April 2008
Abstract
• An effective risk management process is critical to successful business operations; not just protecting data assets, but also protecting the ability of the enterprise to meet its missions and objectives. In this open forum we will examine and discuss how risk analysis may support management's due diligence needs, then discuss how management can furthermore meet its fiduciary duty to protect the organization's assets.
Agenda
• Risk Management
  – Risk Analysis
  – Risk Assessment
  – Risk Mitigation
  – Vulnerability assessment
Risk Management
• Risk management is made up of four distinct processes: risk analysis, risk assessment, risk mitigation, and vulnerability assessment and controls evaluation.
  – Risk Management - The total cost to identify, control and minimize the impact of uncertain events. The objective of risk management is to reduce risk to an acceptable level. Support of this process by senior management is a demonstration of their due diligence.
  – Risk Analysis - A technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Another term for this process is a project impact analysis (PIA).
Risk Management
  – Risk Assessment - A process where vulnerabilities, threats, likelihood, loss or impact, and the theoretical effectiveness of security measures are examined. This is a process to evaluate threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
  – Risk Mitigation - The process in which an organization implements controls and safeguards to prevent identified risks from ever occurring, while at the same time implementing a means of recovery should the risk become a reality in spite of all efforts.
Risk Management
  – Vulnerability Assessment and Controls Evaluation - Systematic examination of a critical infrastructure, the interconnected systems on which it relies, its information, or product to determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation.
Risk Management
• Senior management must ensure that the enterprise has the capabilities needed to accomplish its mission or business objectives. As we will see, senior management of a department, business unit, group or other such entity is considered to be the functional owner of the enterprise's assets and, in their fiduciary duty, must act in the best interest of the enterprise to implement reasonable and prudent safeguards and controls. Risk management is the tool that will assist them in the task.
Risk Management
• Risk Management as Part of the Business Process - The term "system development life cycle (SDLC)" seems to have been structured to meet the needs of the information technology organization, and therefore anything associated with the SDLC must be an IT process.
• Risk management is a business process, and all business decisions should have a business development life cycle (BDLC).
• The BDLC allows for those elements that make up information technology development, but also takes into account normal business decisions.
Risk Management
[Figure: risk management activities mapped onto the system development life cycle phases. Phases shown: Analysis, Design, Construction, Test, Maintenance, Production. Activities shown: pre-screening process; risk analysis; information classification identification; business impact analysis (BIA); criticality list approved by management; begin BCP plan; risk assessment (FRAAP); FRAAP findings; safeguards approved by owner; build adequate access control process; safeguards implemented and review FRAAP; safeguards tested; review access control lists; annual review; conduct vulnerability assessment; BCP review.]
Risk Analysis
Due Diligence
Risk Analysis
• Risk analysis is a technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.
• Another term for this process is a project impact analysis.
• This process will require that a cost-benefit analysis be conducted.
• The cost-benefit process should incorporate the features and benefits of the asset or process under review.
Risk Analysis
• Part of the review will examine the costs of the project.
• These costs include procurement and/or development.
• Operation and maintenance costs, which include: documentation development; user and infrastructure support training; and possible upgrades.
• Other costs that must be factored into the analysis are conversion or migration costs.
• All costs are examined both in dollars and in staffing implications.
Risk Analysis
• While it is important to consider all of the elements of cost in deciding to move forward, procurement is just one variable.
• The cost of not moving forward with the new project must be factored into the analysis process.
Risk Analysis
• What would be the impact to the enterprise if it was decided to delay or not approve the project?
• How would not moving forward impact the competitive advantage of the organization?
• How would this decision impact the ability to meet the mission of the enterprise?
• How would strategic business partners, suppliers, vendors and other stakeholders be impacted?
Risk Analysis
• Another important factor to consider in this process is the impact of regulatory compliance issues.
• The new project should, whenever possible, enhance regulatory requirements.
• Sometimes a new idea or concept is drafted by a department, such as Marketing, and it gains support and management acceptance before the infrastructure, budget and security personnel get the opportunity to perform a project impact analysis.
Risk Analysis
• Whenever money or resources are to be spent, a risk analysis should be conducted.
• This will provide the business reasons that should be used to justify the decision to move forward.
• This is a way that management can demonstrate that due diligence has been performed.
Risk Analysis
• The output from the risk analysis process will be used twice.
  – The first time is when decisions need to be made.
  – Typically the only other time the results would be examined is when the enterprise is being examined by a third party and management is asked to show its decision-making process.
Risk Analysis
• For risk analysis and risk assessment, the need to demonstrate due diligence is an important factor.
• However, the over-riding reason to conduct these processes is that it makes good business sense.
• The enterprise proceeds on certain paths based on need and the ability of the organization to meet those specific business or mission needs.
Project Impact Analysis Questionnaire
(columns: Issue | Applicable Y/N | Comments)
• Identify any existing requirements in the baseline that conflict with the proposed change.
• Identify any other pending requirement changes that conflict with the proposed change.
• What are the consequences of not making the change?
• What are possible adverse side effects or other risks of making the proposed change?
• Will the proposed change adversely affect performance requirements or other quality attributes?
• Will the change affect any system component that affects critical properties such as safety and security, or involve a product change that triggers recertification of any kind?
• Is the proposed change feasible within known technical constraints and current staff skills?
• Will the proposed change place unacceptable demands on any computer resources required for the development, test, or operating environments?
• Must any tools be acquired to implement and test the change?
• How will the proposed change affect the sequence, dependencies, effort, or duration of any tasks currently in the project plan?
• Will prototyping or other user input be required to verify the proposed change?
• How much effort that has already been invested in the project will be lost if this change is accepted?
• Will the proposed change cause an increase in product unit cost, such as by increasing third-party product licensing fees?
• Will the change affect any marketing, manufacturing, training, or customer support plans?
Risk Analysis Report
1. Name of project and brief description
2. Project champion/owner
3. Business reason or need for project
4. Estimated cost of project
  – Money
  – Time
  – Resources
5. Regulatory impact
6. Infrastructure impact
7. Maintenance cost
8. Time line
Risk Assessment
• Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
  – Risk Management encompasses seven primary steps:
    • Asset definition
    • Threat identification
    • Probability of occurrence
    • Impact analysis
    • Risk level identified
    • Control recommendations
    • Results documentation
Risk Assessment
1. Asset definition – the first step is to define the scope of the effort. In this step the boundaries of the asset to be analyzed are set.
  – The boundaries of the system, application, platform or business process are to be established.
  – Include all related information (hardware, software, interfaces, data, persons, and information).
  – Asset mission
Risk Assessment
1. Asset definition (continued)
  – To gather the relevant information, you can use any of the following techniques:
    • Questionnaires
    • On-site interviews
    • Document review (policy statement, legislation, requirements, directives, etc.)
    • Scanning tools (network mapping)
Risk Assessment
2. Threat identification – a threat is the potential for a particular event to successfully exercise a particular vulnerability.
  – Threat – an undesirable event that could impact the business objectives or mission of the risk assessment asset.
  – Vulnerability – a weakness in a system or control that can be exploited to violate the system's intended behavior.
  – Impact – the effect or result of an event occurring that affects the business objective or mission of the enterprise.
  – Probability – the likelihood that an event will occur.
Risk Assessment
• Common threat categories
  – Natural threats – floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
  – Human threats – events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent information entry) or deliberate actions (network based attacks, malicious software, unauthorized access to confidential information).
  – Environmental threats – long-term power failure, pollution, chemicals, liquid leakage.
Risk Assessment
• Create a complete list of threats
  – Brainstorming
  – Checklist
  – Historical data
  – Annual rates of occurrence
    • Law enforcement
    • Insurance underwriters
    • National weather centers
(columns: Source | Motivation | Threat)
External hacker
  Motivation: Challenge; Ego; Game-playing
  Threat: System hacking; Social engineering; Dumpster diving
Internal hacker
  Motivation: Deadline; Financial problems; Disenchantment
  Threat: Trap-door; Fraud; Poor documentation
Cracker
  Motivation: Destruction of information; Monetary gain; Unauthorized data alteration
  Threat: Spoofing; System intrusion; Impersonation; Denial of service attack
Terrorist (environmental)
  Motivation: Revenge; Greenmail; Strident cause
  Threat: System attack; Social engineering; Letter bombs; Viruses; Denial of service
Poorly trained employees
  Motivation: Unintentional errors; Programming errors; Data entry errors
  Threat: Corruption of data; Malicious code introduced; System bugs; Unauthorized access
Risk Assessment
3. Probability of occurrence
  – To derive an overall likelihood that indicates the probability that a potential threat may be exercised within the risk assessment asset, it will be necessary to define probability categories:
Risk Assessment
Term – Definition
Probability – A measure of how likely a threat may occur.
Threshold – Level
High – Very likely that the threat will occur within the next year.
Medium – Possible that the threat will occur within the next year.
Low – Highly unlikely that the threat will occur within the next year.
Risk Assessment
4. The next major step in measuring the level of risk a threat poses is to determine the impact if the threat were to occur.
• Before obtaining the impact value, it is necessary to ensure that the scope has defined:
  – The mission
  – The level of controls to be considered (usually this step would be done as if no controls were in place).
• This step can then be repeated with existing or selected controls in place to see if the risk level is reduced to an acceptable level.
Risk Assessment
Term – Definition
Impact – The effect of a threat being carried out on an asset, expressed in tangible or intangible terms.
Threshold – Level
High – Entire mission or business is impacted.
Medium – Loss limited to a single business unit or business objective.
Low – Business as usual.
Risk Assessment
5. The purpose of this step is to assign the risk level based on the results of the probability and impact review:
  – The likelihood that a given threat may occur
  – The magnitude of the impact should a threat occur
  – The adequacy of the controls in place or selected
Risk Assessment
[Figure: risk level matrix with Probability (High, Medium, Low) on the rows and Impact (Low, Medium, High) on the columns; each cell is colour-coded with the resulting risk level.]
Risk Assessment
Risk Level – Action (each level is colour-coded on the slide)
High – Requires immediate action
Medium – May require action, must continue to monitor
Low – No action required at this time
(columns: Category | Image | Regulatory Compliance | Revenue | Expense | Health & Safety)
5 – Severe
  Image: Significant, sustained negative international or national media exposure; loss of alliance partners (e.g., Nestle); loss of operating participants
  Regulatory Compliance: Criminal penalties or fines greater than $10M; major regulatory sanctions, criticism, actions
  Revenue: Irrevocable direct loss of revenue greater than $10M
  Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) greater than $10M
  Health & Safety: Loss of life or limb
4 – Major
  Image: Ongoing negative regional or national media exposure; key alliances are threatened
  Regulatory Compliance: Penalties or fines of $2M-$10M
  Revenue: Irrevocable direct loss of revenue of $2M-$10M
  Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of $2M-$10M
  Health & Safety: Severe injuries, requires hospitalization
3 – Moderate
  Image: Ongoing (but less than 2 weeks) negative local media exposure
  Regulatory Compliance: Penalties or fines of $500K-$2M
  Revenue: Irrevocable direct loss of revenue of $500K-$2M
  Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of $500K-$2M
  Health & Safety: Cuts and bruises, requires first aid
2 – Minor
  Image: Degradation in quality of service or products; limited negative local media exposure
  Regulatory Compliance: Penalties or fines of $100K-$500K
  Revenue: Irrevocable direct loss of revenue of $100K-$500K
  Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of $100K-$500K
  Health & Safety: Major exposure to unsafe work or building environment
1 – Insignificant
  Image: Reputation inconsistent with desired brand image; no press coverage
  Regulatory Compliance: Penalties or fines of less than $100K
  Revenue: Irrevocable direct loss of revenue of less than $100K
  Expense: Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of less than $100K
  Health & Safety: Little or no negative impact; minor exposure to unsafe work environment
Risk Assessment
(columns: Category | Weight | Grade | Score; each category is graded on a 0 1 2 3 4 5 scale)
Impact to Employee or Student Health and Safety: weight 5.00
Impact to Image: weight 4.5
Legal and/or Regulatory Compliance Impact: weight 4.0
Impact to Revenue: weight 3.5
Impact to Cast Productivity: weight 3.0
Risk Rating:
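A worked example of the scoring method on the preceding slides, added here and not part of Peltier's deck or any tool of his. From the slides it takes the High/Medium/Low probability and impact thresholds, the risk level/action table, the dollar bands of the severity table, and the category weights 5.0, 4.5, 4.0, 3.5 and 3.0 with grades 0-5. Three things are assumptions made for this example because the slides do not state them: which risk level sits in each cell of the probability by impact grid, that a category score is weight times grade and the risk rating is the sum of those scores, and that a dollar amount exactly on a band edge falls into the higher band. The scenario grades are constructed.

```python
"""Risk level lookup and weighted score sheet (added worked example).

Taken from the slides: probability/impact thresholds, the risk level to
action table, the severity table's dollar bands, and the category weights.
Assumed: the grid's cell values, score = weight * grade with the rating as
the sum of scores, and band edges belonging to the higher band.
"""

LEVELS = ("Low", "Medium", "High")

# Assumed cell values for the 3x3 grid: (probability, impact) -> risk level.
RISK_MATRIX = {
    ("High", "High"): "High", ("High", "Medium"): "High", ("High", "Low"): "Medium",
    ("Medium", "High"): "High", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium", ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
}

# Risk level -> action, as on the risk level/action slide.
ACTIONS = {
    "High": "Requires immediate action",
    "Medium": "May require action, must continue to monitor",
    "Low": "No action required at this time",
}


def risk_level(probability: str, impact: str) -> str:
    """Map a probability threshold and an impact threshold to a risk level."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError(f"thresholds must be one of {LEVELS}")
    return RISK_MATRIX[(probability, impact)]


def risk_action(probability: str, impact: str) -> str:
    """The action the deck prescribes for the resulting risk level."""
    return ACTIONS[risk_level(probability, impact)]


def dollar_loss_level(amount: float) -> int:
    """Severity level 1..5 from the dollar bands used for fines, revenue loss
    and cost increases. An amount exactly on a band edge goes to the higher
    band (assumption; the slide does not say)."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    if amount < 100_000:
        return 1  # Insignificant: less than $100K
    if amount < 500_000:
        return 2  # Minor: $100K-$500K
    if amount < 2_000_000:
        return 3  # Moderate: $500K-$2M
    if amount < 10_000_000:
        return 4  # Major: $2M-$10M
    return 5      # Severe: greater than $10M


# Category weights from the score sheet slide; grades are 0..5 per category.
CATEGORY_WEIGHTS = {
    "Impact to Employee or Student Health and Safety": 5.0,
    "Impact to Image": 4.5,
    "Legal and/or Regulatory Compliance Impact": 4.0,
    "Impact to Revenue": 3.5,
    "Impact to Cast Productivity": 3.0,
}
MAX_GRADE = 5
# The weights sum to 20.0, so the highest possible rating is exactly 100.0.
MAX_RATING = MAX_GRADE * sum(CATEGORY_WEIGHTS.values())


def grades_are_valid(grades: dict) -> bool:
    """Every category known and every grade an integer in 0..MAX_GRADE."""
    return all(
        category in CATEGORY_WEIGHTS
        and isinstance(grade, int) and not isinstance(grade, bool)
        and 0 <= grade <= MAX_GRADE
        for category, grade in grades.items()
    )


def score_sheet(grades: dict) -> tuple:
    """Per-category scores and the overall risk rating.
    Assumed rule: score = weight * grade, rating = sum of scores.
    Categories missing from `grades` are graded 0."""
    if not grades_are_valid(grades):
        raise ValueError("unknown category or grade outside 0..5")
    scores = {c: w * grades.get(c, 0) for c, w in CATEGORY_WEIGHTS.items()}
    return scores, sum(scores.values())


# Constructed scenario: the compliance fine and revenue loss were estimated in
# dollars and converted with the severity bands; the other three categories
# were graded directly by the assessment team.
EXAMPLE_GRADES = {
    "Impact to Employee or Student Health and Safety": 1,
    "Impact to Image": 2,
    "Legal and/or Regulatory Compliance Impact": dollar_loss_level(750_000),  # 3
    "Impact to Revenue": dollar_loss_level(150_000),                          # 2
    "Impact to Cast Productivity": 2,
}

if __name__ == "__main__":
    print("Probability Medium, impact High ->", risk_level("Medium", "High"),
          "-", risk_action("Medium", "High"))
    scores, rating = score_sheet(EXAMPLE_GRADES)
    for category, score in scores.items():
        print(f"{category:<50} {score:5.1f}")
    print(f"Risk Rating: {rating} of {MAX_RATING}")
```

Because the five weights add up to 20.0 and the top grade is 5, the rating is already on a 0 to 100 scale, which is why the constructed scenario's 39.0 can be read directly against the sheet's maximum without further normalisation. Rejecting out-of-range grades and unknown categories before scoring keeps a typo on the sheet from silently inflating or deflating the rating.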
Risk Assessment
During this step, the risk assessment team will determine which security controls generally could best reduce the threat risk level to a more acceptable level. There are a number of sources for standards that can assist the risk assessment team in establishing an effective set of controls. These sources might include some of the following:
Risk Assessment
  – Information Technology – Code of Practice for Information Security Management (ISO/IEC 27002)
  – Security Technologies for Manufacturing and Control Systems (ISA-TR99.00.01-2004)
  – Integrating Electronic Security into Manufacturing and Control Systems Environment (ISA-TR99.00.02-2004)
  – Federal Information Processing Standards Publications (FIPS Pubs)
  – National Institute of Standards and Technology
  – CobiT® Security Baseline
  – Health Insurance Portability and Accountability Act (HIPAA)
  – The Basel Accords
  – Privacy Act of 1974
  – Gramm Leach Bliley Act (GLBA)
  – Sarbanes Oxley Act (SOX)
  – Information Security for Banking and Finance (ISO/TR 13569)
  – FFIEC Examination Guidelines
Risk Assessment
6. Controls recommendations
  – During this step the controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are identified.
  – The goal of the recommended controls is to reduce the level of risk to an acceptable level.
  – The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
    • Effectiveness of recommended controls
    • Legislation and regulation
    • Operational impact
    • Safety and reliability
Risk Assessment
• The expenditure on controls must be balanced against business harm.
• The risk assessment technique should be applied across the enterprise.
• The output from the risk assessment will lead the enterprise to identify controls and safeguards that could reduce the level of threat occurrence.
Cost – Benefit Analysis
• To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis.
• This process should be conducted for each new or enhanced control to determine if the control recommended is appropriate for the organization.
• A cost-benefit analysis should determine the impact of implementing the new or enhanced control and then determine the impact of not implementing the control.
Cost – Benefit Analysis
• Remember that one of the long-term costs of any control is the requirement to maintain its effectiveness. It is, therefore, necessary to factor this cost into the benefit requirement of any control. When performing a cost-benefit analysis it will be necessary to consider the cost of implementation based on some of the following:
  – Costs of implementation, including initial outlay for hardware and software.
  – Reduction in operational effectiveness.
  – Implementation of additional policies and procedures to support the new controls.
  – Cost of possibly hiring additional staff or, at a minimum, training existing staff in the new controls.
  – The cost of educating support personnel to maintain the effectiveness of the control.
Risk Assessment
7. Results Documentation
  – Once the risk assessment has been completed, the results should be documented in an official report or briefing.
  – A risk assessment management report helps senior management, the business owner, make decisions on policy, procedural, budget, and system and management changes.
  – Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment report should not be presented in an
Risk Mitigation
Acceptable Level of Risk
Risk Mitigation
• Risk Mitigation
  – Risk mitigation is a systematic methodology used by senior management to reduce mission risk.
  – Risk mitigation can be achieved through any of the following options:
    • Risk Assumption – to accept the potential risk and continue operating, or to implement controls to lower the risk to an acceptable level.
    • Risk Avoidance – to avoid the risk by eliminating the risk cause and/or consequences (such as forgoing certain functions of the system or shutting down the system when risks are identified).
Risk Mitigation
• Risk Mitigation (continued)
  – Risk mitigation can be achieved through any of the following options:
    • Risk Limitation – to limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (such as use of avoidance, assurance, detective or recovery controls).
    • Risk Planning – to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
    • Risk Transference – to transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
Risk Mitigation
• The business objectives and mission of an organization should be considered in selecting any of these risk mitigation options.
• It may not be practical to address all identified risks, so priority should be given to the threats identified in the risk level determination process.
Control Categories
(columns: Control Category | Controls)
Avoidance
  Encryption and authentication; System security architecture; Facilitated risk analysis and assessment process; Information awareness program; Information security program; Interruption prevention; Policies and standards; Public key infrastructure; Secure application architecture; Secure communications plans
Assurance
  Application security review; Standards testing; Penetration testing; Periodic perimeter scans; Vulnerability assessment
Detection
  Intrusion detection; Remote intrusion monitoring
Recovery
  Business continuity planning; Business impact analysis; Crisis management planning; Disaster recovery planning; Incident response procedures; Investigation tools
Control Categories
(columns: Security Category | Controls)
Management
  Risk assessment; Security planning; System and service acquisition procedures; Control vulnerability assessment; Processing authorization
Operational
  Personnel security; Physical and environmental controls; Continuity planning; Configuration management; Hardware and software maintenance; System integrity; Media protection; Incident response; Security awareness program
Technical
  Identification and authentication; Logical access control; Audit trails and logs; Communication protection; System protection
Residual Risk
• The risk remaining after the implementation of new or enhanced controls is the residual risk.
• Practically no system is risk free, and not all implemented controls can eliminate the risk they are intended to address or reduce the risk level to zero.
Source: GAO/AIMD 98-68
Summary
• Risk Management is made up of four key elements:
  – Risk Analysis
  – Risk Assessment
  – Risk Mitigation
  – Compliance Checking or Vulnerability Assessment
Conclusion
Comments?
Questions?
Rebuttals?