Using Risk Management to Keep Your Boss Out of Jail

Due Diligence and Fiduciary Duty

Thomas R. Peltier

29 April 2008

Abstract

• An effective risk management process is critical to successful business operations; not just protecting data assets, but also protecting the ability of the enterprise to meet its missions and objectives. In this open forum we will examine and discuss how risk analysis may support management's due diligence needs, then discuss how management can furthermore meet its fiduciary duty to protect the organization's assets.


Agenda

• Risk Management
  – Risk Analysis
  – Risk Assessment
  – Risk Mitigation
  – Vulnerability assessment

Risk Management

• Risk management is made up of four distinct processes: risk analysis, risk assessment, risk mitigation, and vulnerability assessment and controls evaluation.
  – Risk Management - The total process to identify, control and minimize the impact of uncertain events. The objective of risk management is to reduce risk to an acceptable level. Support of this process by senior management is a demonstration of their due diligence.
  – Risk Analysis - A technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Another term for this process is a project impact analysis (PIA).


Risk Management

  – Risk Assessment - A process in which vulnerabilities, threats, likelihood, loss or impact, and the theoretical effectiveness of security measures are examined. It evaluates threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
  – Risk Mitigation - The process in which an organization implements controls and safeguards to prevent identified risks from occurring, while at the same time implementing a means of recovery should the risk become a reality in spite of all efforts.
  – Vulnerability Assessment and Controls Evaluation - Systematic examination of a critical infrastructure, the interconnected systems on which it relies, its information, or a product, to determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation.


Risk Management

• Senior management must ensure that the enterprise has the capabilities needed to accomplish its mission or business objectives. As we will see, the senior management of a department, business unit, group or other such entity is considered to be the functional owner of the enterprise's assets and, in its fiduciary duty, must act in the best interest of the enterprise to implement reasonable and prudent safeguards and controls. Risk management is the tool that will assist them in that task.

Risk Management

• Risk Management as Part of the Business Process - The term "system development life cycle (SDLC)" seems to have been structured to meet the needs of the information technology organization, so anything associated with the SDLC is assumed to be an IT process.
• Risk management is a business process, and all business decisions should follow a business development life cycle (BDLC).
• The BDLC allows for those elements that make up information technology development, but also takes into account normal business decisions.


Risk Management

Figure: Risk management activities mapped onto the system development life cycle phases (Analysis, Design, Construction, Test, Maintenance, Production). Activities shown in the figure: pre-screening process; risk analysis; information classification identification; business impact analysis (BIA); criticality list approved by management; risk assessment (FRAAP); FRAAP findings; safeguards approved by owner; build adequate access control process; safeguards implemented and review FRAAP; safeguards tested; begin BCP plan; BCP review; review access control lists; conduct vulnerability assessment; annual review.

Risk Analysis

Due Diligence


Risk Analysis

• Risk analysis is a technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.
• Another term for this process is a project impact analysis.
• This process will require that a cost-benefit analysis be conducted.
• The cost-benefit process should incorporate the features and benefits of the asset or process under review.

Risk Analysis

• Part of the review will examine the costs of the project.
• These costs include procurement and/or development.
• Operation and maintenance costs, which include documentation development; user and infrastructure support training; and possible upgrades.
• Other costs that must be factored into the analysis are conversion or migration costs.
• All costs are examined both in dollars and in staffing implications.


Risk Analysis

• While it is important to consider all of the elements of cost in deciding whether to move forward, procurement is just one variable.
• The cost of not moving forward with the new project must be factored into the analysis process.

Risk Analysis

• What would be the impact to the enterprise if it was decided to delay or not approve the project?
• How would not moving forward impact the competitive advantage of the organization?
• How would this decision impact the ability to meet the mission of the enterprise?
• How would strategic business partners, suppliers, vendors and other stakeholders be impacted?


Risk Analysis

• Another important factor to consider in this process is the impact of regulatory compliance issues.
• The new project should, whenever possible, enhance compliance with regulatory requirements.
• Sometimes a new idea or concept is drafted by a department, such as Marketing, and it gains support and management acceptance before the infrastructure, budget and security personnel get the opportunity to perform a project impact analysis.

Risk Analysis

• Whenever money or resources are to be spent, a risk analysis should be conducted.
• This will provide the business reasons that should be used to justify the decision to move forward.
• This is a way that management can demonstrate that due diligence has been performed.


Risk Analysis

• The output from the risk analysis process will be used twice.
  – The first time is when decisions need to be made.
  – Typically the only other time the results would be examined is when the enterprise is being examined by a third party and management is asked to show its decision-making process.

Risk Analysis

• For risk analysis and risk assessment, the need to demonstrate due diligence is an important factor.
• However, the over-riding reason to conduct these processes is that it makes good business sense.
• The enterprise proceeds on certain paths based on need and the ability of the organization to meet those specific business or mission needs.


Project Impact Analysis Questionnaire

| Issue | Applicable (Y/N) | Comments |
| --- | --- | --- |
| Identify any existing requirements in the baseline that conflict with the proposed change. | | |
| Identify any other pending requirement changes that conflict with the proposed change. | | |
| What are the consequences of not making the change? | | |
| What are possible adverse side effects or other risks of making the proposed change? | | |
| Will the proposed change adversely affect performance requirements or other quality attributes? | | |
| Will the change affect any system component that affects critical properties such as safety and security, or involve a product change that triggers recertification of any kind? | | |
| Is the proposed change feasible within known technical constraints and current staff skills? | | |
| Will the proposed change place unacceptable demands on any computer resources required for the development, test, or operating environments? | | |
| Must any tools be acquired to implement and test the change? | | |
| How will the proposed change affect the sequence, dependencies, effort, or duration of any tasks currently in the project plan? | | |
| Will prototyping or other user input be required to verify the proposed change? | | |
| How much effort that has already been invested in the project will be lost if this change is accepted? | | |
| Will the proposed change cause an increase in product unit cost, such as by increasing third-party product licensing fees? | | |
| Will the change affect any marketing, manufacturing, training, or customer support plans? | | |


Risk Analysis Report

1. Name of project and brief description
2. Project champion/owner
3. Business reason or need for project
4. Estimated cost of project
   – Money
   – Time
   – Resources
5. Regulatory impact
6. Infrastructure impact
7. Maintenance cost
8. Time line

Risk Assessment

• Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
  – Risk assessment encompasses seven primary steps:
    • Asset definition
    • Threat identification
    • Probability of occurrence
    • Impact analysis
    • Risk level identified
    • Control recommendations
    • Results documentation


Risk Assessment

1. Asset definition - The first step is to define the scope of the effort. In this step the boundaries of the asset to be analyzed are set.
   – The boundaries of the system, application, platform or business process are to be established.
   – Include all related information (hardware, software, interfaces, data, persons, and information).
   – Asset mission.

Risk Assessment

1. Asset definition (continued)
   – To gather the relevant information, you can use any of the following techniques:
     • Questionnaires
     • On-site interviews
     • Document review (policy statements, legislation, requirements, directives, etc.)
     • Scanning tools (network mapping)


Risk Assessment

2. Threat identification - A threat is the potential for a particular event to successfully exercise a particular vulnerability.
   – Threat - An undesirable event that could impact the business objectives or mission of the risk assessment asset.
   – Vulnerability - A weakness in a system or control that can be exploited to violate the system's intended behavior.
   – Impact - The effect or result of an event occurring that affects the business objective or mission of the enterprise.
   – Probability - The likelihood that an event will occur.

Risk Assessment

• Common threat categories
  – Natural threats - floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
  – Human threats - events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent information entry) or deliberate actions (network-based attacks, malicious software, unauthorized access to confidential information).
  – Environmental threats - long-term power failure, pollution, chemicals, liquid leakage.


Risk Assessment

• Create a complete list of threats
  – Brainstorming
  – Checklist
  – Historical data
  – Annual rates of occurrence
    • Law enforcement
    • Insurance underwriters
    • National weather centers

| Source | Motivation | Threat |
| --- | --- | --- |
| External hacker | Challenge; ego; game-playing | System hacking; social engineering; dumpster diving |
| Internal hacker | Deadline; financial problems; disenchantment | Trap-door; fraud; poor documentation |
| Cracker | Destruction of information; monetary gain; unauthorized data alteration | Spoofing; system intrusion; impersonation; denial of service attack |
| Terrorist (environmental) | Revenge; greenmail; strident cause | System attack; social engineering; letter bombs; viruses; denial of service |
| Poorly trained employees | Unintentional errors; programming errors; data entry errors | Corruption of data; malicious code introduced; system bugs; unauthorized access |


Risk Assessment

3. Probability of occurrence
   – To derive an overall likelihood that indicates the probability that a potential threat may be exercised within the risk assessment asset, it will be necessary to define probability categories:

| Term | Definition |
| --- | --- |
| Probability | A measure of how likely a threat may occur. |

| Threshold | Level |
| --- | --- |
| High | Very likely that the threat will occur within the next year. |
| Medium | Possible that the threat will occur within the next year. |
| Low | Highly unlikely that the threat will occur within the next year. |


Risk Assessment

4. Impact analysis - The next major step in measuring the level of risk a threat poses is to determine the impact if the threat were to occur.
   • Before obtaining the impact value, it is necessary to ensure that the scope has defined:
     – The mission
     – The level of controls to be considered (usually this step would be done as if no controls were in place).
   • This step can then be repeated with existing or selected controls in place to see if the risk level is reduced to an acceptable level.

| Term | Definition |
| --- | --- |
| Impact | The effect of a threat being carried out on an asset, expressed in tangible or intangible terms. |

| Threshold | Level |
| --- | --- |
| High | Entire mission or business is impacted. |
| Medium | Loss limited to a single business unit or business objective. |
| Low | Business as usual. |


Risk Assessment

5. Risk level - The purpose of this step is to assign the risk level based on the results of the probability and impact review:
   – The likelihood that a given threat may occur
   – The magnitude of the impact should a threat occur
   – The adequacy of the controls in place or selected

Figure: Risk level matrix, Probability (High, Medium, Low) against Impact (Low, Medium, High); the cells are colour-coded with the risk levels (High, Medium, Low) whose actions are defined in the next table.


Risk Assessment

| Color / Risk Level | Action |
| --- | --- |
| High | Requires immediate action |
| Medium | May require action; must continue to monitor |
| Low | No action required at this time |

| Category | Image | Regulatory Compliance | Revenue | Expense | Health & Safety |
| --- | --- | --- | --- | --- | --- |
| 5 Severe | Significant, sustained negative international or national media exposure; loss of alliance partners (e.g., Nestle); loss of operating participants | Criminal penalties or fines greater than $10M; major regulatory sanctions, criticism, actions | Irrevocable direct loss of revenue greater than $10M | Increase in costs (i.e., maintenance, labor, supplier fees, etc.) greater than $10M | Loss of life or limb |
| 4 Major | Ongoing negative regional or national media exposure; key alliances are threatened | Penalties or fines of $2M-$10M | Irrevocable direct loss of revenue of $2M-$10M | Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of $2M-$10M | Severe injuries, requires hospitalization |
| 3 Moderate | Ongoing (but less than 2 weeks) negative local media exposure | Penalties or fines of $500K-$2M | Irrevocable direct loss of revenue of $500K-$2M | Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of $500K-$2M | Cuts and bruises, requires first aid |
| 2 Minor | Degradation in quality of service or products; limited negative local media exposure | Penalties or fines of $100K-$500K | Irrevocable direct loss of revenue of $100K-$500K | Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of $100K-$500K | Major exposure to unsafe work or building environment |
| 1 Insignificant | Reputation inconsistent with desired brand image; no press coverage | Penalties or fines of less than $100K | Irrevocable direct loss of revenue of less than $100K | Increase in costs (i.e., maintenance, labor, supplier fees, etc.) of less than $100K | Little or no negative impact; minor exposure to unsafe work environment |


Risk Assessment

| Category | Weight | Grade (circle 0-5) | Score |
| --- | --- | --- | --- |
| Impact to Employee or Student Health and Safety | 5.00 | 0 1 2 3 4 5 | |
| Impact to Image | 4.5 | 0 1 2 3 4 5 | |
| Legal and/or Regulatory Compliance Impact | 4.0 | 0 1 2 3 4 5 | |
| Impact to Revenue | 3.5 | 0 1 2 3 4 5 | |
| Impact to Cast Productivity | 3.0 | 0 1 2 3 4 5 | |

Risk Rating:
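A worked version of the scoring sheet above, added here as an example; it is not code from Peltier's slides. It grades the Regulatory, Revenue and Expense figures with the dollar thresholds from the impact category table, takes the Health & Safety and Image grades as qualitative inputs, multiplies each grade by the sheet's weight and sums the result, which is how the blank Score column and the weighted total are meant to be filled in. Two things are assumptions of this example rather than statements on the slides: the Expense column is used to grade the "Impact to Cast Productivity" row (the two tables do not name that category identically), and the High/Medium/Low bands applied to the normalised total are invented, since the slides leave the Risk Rating blank. The scenario figures in the main block are constructed.

```python
"""Weighted impact scoring for a risk assessment (added example, not from the slides).

Dollar thresholds and category weights are copied from the two tables above;
the rating bands and the sample scenario are assumptions of this example.
"""
from dataclasses import dataclass

# Upper bound (exclusive) of each dollar grade, from the impact category table.
DOLLAR_GRADES = [
    (100_000, 1),       # less than $100K -> 1 Insignificant
    (500_000, 2),       # $100K-$500K     -> 2 Minor
    (2_000_000, 3),     # $500K-$2M       -> 3 Moderate
    (10_000_000, 4),    # $2M-$10M        -> 4 Major
]                       # $10M and above  -> 5 Severe

GRADE_NAMES = {0: "Not applicable", 1: "Insignificant", 2: "Minor",
               3: "Moderate", 4: "Major", 5: "Severe"}

# Category weights from the scoring sheet. "productivity" is the
# "Impact to Cast Productivity" row; it is graded from the Expense column
# of the impact table (assumption: the slides do not state this mapping).
WEIGHTS = {
    "health_safety": 5.0,
    "image": 4.5,
    "regulatory": 4.0,
    "revenue": 3.5,
    "productivity": 3.0,
}
MAX_SCORE = 5 * sum(WEIGHTS.values())   # 100.0 when every category is graded 5


def grade_dollars(amount: float) -> int:
    """Map a dollar loss (fine, lost revenue or cost increase) to a 1-5 grade."""
    if amount < 0:
        raise ValueError("loss amount cannot be negative")
    for upper, grade in DOLLAR_GRADES:
        if amount < upper:
            return grade
    return 5


def weighted_score(grades: dict) -> float:
    """Sum weight x grade over all five categories; each grade must be 0-5."""
    if set(grades) != set(WEIGHTS):
        raise ValueError(f"grade exactly these categories: {sorted(WEIGHTS)}")
    for name, g in grades.items():
        if not isinstance(g, int) or not 0 <= g <= 5:
            raise ValueError(f"{name}: grade must be an integer 0-5, got {g!r}")
    return sum(WEIGHTS[name] * g for name, g in grades.items())


def risk_rating(score: float) -> str:
    """Assumed bands on the normalised score: >=60% High, >=30% Medium, else Low."""
    fraction = score / MAX_SCORE
    if fraction >= 0.6:
        return "High"
    if fraction >= 0.3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Assessment:
    grades: dict
    score: float
    rating: str


def assess(*, fine_usd, revenue_loss_usd, cost_increase_usd,
           health_safety_grade, image_grade) -> Assessment:
    """Grade the dollar figures, take the qualitative grades as given, then score."""
    grades = {
        "health_safety": health_safety_grade,
        "image": image_grade,
        "regulatory": grade_dollars(fine_usd),
        "revenue": grade_dollars(revenue_loss_usd),
        "productivity": grade_dollars(cost_increase_usd),
    }
    score = weighted_score(grades)
    return Assessment(grades, score, risk_rating(score))


if __name__ == "__main__":
    # Constructed scenario (not from the slides): a $750K fine, $3M lost
    # revenue, $150K added cost, minor safety exposure, ongoing local press.
    result = assess(fine_usd=750_000, revenue_loss_usd=3_000_000,
                    cost_increase_usd=150_000, health_safety_grade=1, image_grade=3)
    for name, g in result.grades.items():
        print(f"{name:14s} weight {WEIGHTS[name]:4.1f} x grade {g} ({GRADE_NAMES[g]})")
    print(f"score {result.score:.1f} / {MAX_SCORE:.0f} -> {result.rating}")
```

Running the block as written scores the constructed scenario at 50.5 out of 100 and rates it Medium under the assumed bands. To follow step 4 of the process, call `assess` twice for the same threat, once with the loss figures estimated as if no controls were in place and once with the selected controls assumed effective, and compare the two ratings; the second run is what shows whether the proposed safeguards bring the risk to an acceptable level.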

Risk Assessment

During this step, the risk assessment team will determine which security controls could best reduce the threat risk level to a more acceptable level. There are a number of sources for standards that can assist the risk assessment team in establishing an effective set of controls. These sources might include some of the following:


Risk Assessment

  – Information Technology - Code of Practice for Information Security Management (ISO/IEC 27002)
  – Security Technologies for Manufacturing and Control Systems (ISA-TR99.00.01-2004)
  – Integrating Electronic Security into the Manufacturing and Control Systems Environment (ISA-TR99.00.02-2004)
  – Federal Information Processing Standards Publications (FIPS Pubs)
  – National Institute of Standards and Technology
  – CobiT® Security Baseline
  – Health Insurance Portability and Accountability Act (HIPAA)
  – The Basel Accords
  – Privacy Act of 1974
  – Gramm-Leach-Bliley Act (GLBA)
  – Sarbanes-Oxley Act (SOX)
  – Information Security for Banking and Finance (ISO/TR 13569)
  – FFIEC Examination Guidelines

Risk Assessment

6. Controls recommendations
   – During this step the controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are identified.
   – The goal of the recommended controls is to reduce the level of risk to an acceptable level.
   – The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
     • Effectiveness of recommended controls
     • Legislation and regulation
     • Operational impact
     • Safety and reliability


Risk Assessment

• The expenditure on controls must be balanced against business harm.
• The risk assessment technique should be applied across the enterprise.
• The output from the risk assessment will lead the enterprise to identify controls and safeguards that could reduce the level of threat occurrence.

Cost-Benefit Analysis

• To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis.
• This process should be conducted for each new or enhanced control to determine if the control recommended is appropriate for the organization.
• A cost-benefit analysis should determine the impact of implementing the new or enhanced control and then determine the impact of not implementing the control.


Cost-Benefit Analysis

• Remember that one of the long-term costs of any control is the requirement to maintain its effectiveness. It is, therefore, necessary to factor this cost into the benefit requirement of any control. When performing a cost-benefit analysis it will be necessary to consider the cost of implementation based on some of the following:
  – Costs of implementation, including initial outlay for hardware and software.
  – Reduction in operational effectiveness.
  – Implementation of additional policies and procedures to support the new controls.
  – Cost of possibly hiring additional staff or, at a minimum, training existing staff in the new controls.
  – The cost of educating support personnel to maintain the effectiveness of the control.

Risk Assessment

7. Results documentation
   – Once the risk assessment has been completed, the results should be documented in an official report or briefing.
   – A risk assessment management report helps senior management, the business owner, make decisions on policy, procedural, budget, system and management changes.
   – Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment report should not be presented in an


Risk Mitigation

Acceptable Level of Risk

Risk Mitigation

• Risk Mitigation
  – Risk mitigation is a systematic methodology used by senior management to reduce mission risk.
  – Risk mitigation can be achieved through any of the following options:
    • Risk Assumption - to accept the potential risk and continue operating, or to implement controls to lower the risk to an acceptable level.
    • Risk Avoidance - to avoid the risk by eliminating the risk cause and/or consequences (such as forgoing certain functions of the system or shutting down the system when risks are identified).


Risk Mitigation

• Risk Mitigation (continued)
  – Risk mitigation can be achieved through any of the following options:
    • Risk Limitation - to limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (such as use of avoidance, assurance, detective or recovery controls).
    • Risk Planning - to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
    • Risk Transference - to transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

Risk Mitigation

• The business objectives and mission of an organization should be considered in selecting any of these risk mitigation options.
• It may not be practical to address all identified risks, so priority should be given to the threats identified in the risk level determination process.


Control Categories

| Control Category | Controls |
| --- | --- |
| Avoidance | Encryption and authentication; system security architecture; facilitated risk analysis and assessment process; information awareness program; information security program; interruption prevention; policies and standards; public key infrastructure; secure application architecture; secure communications plans |
| Assurance | Application security review; standards testing; penetration testing; periodic perimeter scans; vulnerability assessment |
| Detection | Intrusion detection; remote intrusion monitoring |
| Recovery | Business continuity planning; business impact analysis; crisis management planning; disaster recovery planning; incident response procedures; investigation tools |


Control Categories

| Security Category | Controls |
| --- | --- |
| Management | Risk assessment; security planning; system and service acquisition procedures; control vulnerability assessment; processing authorization |
| Operational | Personnel security; physical and environmental controls; continuity planning; configuration management; hardware and software maintenance; system integrity; media protection; incident response; security awareness program |
| Technical | Identification and authentication; logical access control; audit trails and logs; communication protection; system protection |


Residual Risk

• The risk remaining after the implementation of new or enhanced controls is the residual risk.
• Practically no system is risk free, and not all implemented controls can eliminate the risk they are intended to address or reduce the risk level to zero.

Source: GAO/AIMD-98-68

Summary

• Risk Management is made up of four key elements:
  – Risk Analysis
  – Risk Assessment
  – Risk Mitigation
  – Compliance Checking or Vulnerability Assessment


Conclusion

Comments?

Questions?

Rebuttals?
