CGEIT EXAM PREP #3
Copyright ©2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in SF‐ISACA’s 2010 CGEIT Preparation Class. No other use is permitted without express written authorization.
Risk Management
Steve Kruse
Sr. Solutions Principal, RSA
Agenda: Required Knowledge*
What is IT Risk?
* Align the IT risk management processes with the enterprise business risk management framework (where this exists).
What is an IT Risk Management Framework?
* Ensure a consistent application of the risk management framework across the enterprise IT environment.
How is Risk Managed?
* Ensure a consistent application of the risk management framework across the enterprise IT environment.
* Ensure that risk assessment and management is included throughout the information life cycle.
* Define risk management strategies, and prioritize responses to identified risks to maintain risk levels within the appetite of the enterprise.
How is Risk Communicated & Monitored?
* Implement timely reporting on risk events and responses to appropriate levels of management (including the use of key risk indicators, as appropriate).
* Establish monitoring processes and practices to ensure the completeness and effectiveness of established risk management processes.
* From CGEIT Job Practice (Risk Management domain)
WHAT IS IT RISK?
Some Risk Categories
• Important point: define IT risk beyond just CIA (Confidentiality, Integrity, Availability). Types of risk also include:
– Hazard risk: liability torts, property damage, natural catastrophe
– Financial risk: pricing risk, asset risk, currency risk, liquidity risk, technology obsolescence
– Operational risk: customer satisfaction, product failure, integrity
– Strategic risks: competition, social trend, capital availability, reputational risk
– Security risks
Information Properties
• IT responsibility to develop and preserve multiple information properties (per COBIT):
– effectiveness
– efficiency
– confidentiality
– integrity
– availability
– reliability
– compliance
• Managing ‘security’ is only part of managing IT Risk
This broader definition of IT Risk is also driven by Regulations
• SOX
• Basel II (Level 1 / Level 2 event categories):
– Internal Fraud: Unauthorized Activity; Theft and Fraud
– External Fraud: Theft and Fraud; System Security
– Employment Practices: Employee Relations; Safe Environment; Diversity and Discrimination
– Clients, Products, and Business Practices: Suitability, Disclosure, and Fiduciary; Product Flaws; Improper Business or Market Practices; Advisory Activities; Selection, Sponsorship, and Exposure
– Damage to Physical Assets: Disasters and Other Events
– Business Disruptions and System Failures: Systems
– Execution, Delivery and Process Management: Transaction Capture, Execution, and Maintenance; Monitoring and Reporting; Customer Intake and Documentation; Customer Account Management
A Risk Framework incorporating the broader definitions
• U.K. Office of Government Commerce (OGC) – Management of Risk (M_o_R) Framework
– Strategic Level: decisions on business strategy
– Program Level: decisions transforming strategy into action
– Project Level: decisions required to enable implementation of actions
– Operational Level
WHAT IS AN IT RISK MANAGEMENT FRAMEWORK?
IT Risk Frameworks
• Intended to ensure the appropriate recognition and treatment of risk – Best Practices
• Frameworks define
– Required management activity
– Scope
– Roles and responsibilities
– Mechanisms | Methods
– Artifacts
– Assurance requirements
Risk Frameworks
COSO ERM
– Applies to all aspects of enterprise risk
– IT risk managed as a special case
– Specialized IT risk frameworks should be considered as a special case
OCTAVE
– Carnegie Mellon Software Engineering Institute’s contribution
ISO 31000
– Risk framework generally applied (operational, technical, enterprise)
– Supersedes AS/NZS 4360:2004 as the existing legislated standard on risk management
IT risk is also addressed as a component of service or project management, e.g., ITIL (ISO 20000), PMBOK
Risk Artifacts
Risk Register
– Capture all relevant risks
– Origins in Project Management
OCTAVE Threat Tree
– Specialized IT risk framework applied to information security
Heat Maps
Gap Assessment – Current and Desired States
Risk Register
Collection of identified risks
– Typically rated on Impact and Likelihood estimates
– Expands beyond projects to enterprise registers
Register columns: Risk number; Risk name; Risk Owner; Key issues; Raw risk score; Residual risk score; Rank (based on residual score); Previous rank; Status (green/orange/red)
Likelihood of risk (1–5): 1 Very low; 2 Low; 3 Medium; 4 High; 5 Very high. If likelihood was assessed as very low (e.g. earthquake) it could be given a score of “less than 1”, so that even the highest-impact risks could attract an overall score of “less than 5”.
Impact of risk (1–5): 1 Insignificant; 2 Minor; 3 Moderate; 4 Serious; 5 Very serious
Total residual risk score (likelihood x impact) and traffic light: 1–6 Low (green); 8–12 Medium (green/orange); 14–20 High (orange/red); over 20 Very high (red)
* Register and rating methodology courtesy Cambridge University
OCTAVE Threat Tree (example: asset IP Data; access: Human Actors Using Physical Access)
Columns: Asset; Access; Actor; Motive; Outcome; Impact (Confidentiality, Integrity, Availability); Probability; ISO 17799 Clauses (1. Security Policies; 2. Org. Security; 3. Asset Classification; 4. Personnel Security; 5. Physical Security; 6. Comm. Management; 7. Access Control; 8. Sys. Development; 9. Incident Management; 10. Continuity Mgmt.; 11. Compliance); Approach (Accept / Mitigate)
Rows (outcome followed by the ratings and marks as printed on the slide, where recoverable):
– inside, accidental: disclosure H L X; modification; interruption L M X; loss/destruction M L X
– inside, deliberate: disclosure H L X; modification L L X; interruption L M X; loss/destruction L L X
– outside, accidental: disclosure H L X; modification; interruption L L X; loss/destruction L L X
– outside, deliberate: disclosure H L X; modification; interruption M L X; loss/destruction M L X
Heat Map
Likelihood and Impact (rows: likelihood, columns: impact, in the order the slide lists them)
Likelihood \ Impact: VL, L, M, H, VH
VH: M, H, VH, VH, VH
H: L, M, H, H, H
M: VL, L, M, M, M
L: VL, VL, L, L, L
VL: VL, VL, VL, VL, VL
Legend: VL Very Low; L Low; M Medium; H High; VH Very High
Map current risks onto the “heat map” to identify current risks and their potential likelihood and impact.
Can be transposed from a risk register: numbers from numbered risks are plotted on the map to quickly depict which risks are potentially most damaging if actualized.
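As an added worked example (not part of the slides), the Python below implements the register scoring and traffic-light bands from the Risk Register slide and then transposes the ranked register onto the heat map above. It assumes the grid's rows are likelihood and its columns impact, treats the band gaps (7, 13) as belonging to the lower band when a sub-1 likelihood yields a fractional score, and uses a constructed sample register.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["VL", "L", "M", "H", "VH"]
# Heat-map grid as printed on the slide. Assumption: rows are likelihood
# (VH at the top) and columns are impact (VL .. VH), as the header order suggests.
HEAT_MAP = {
    "VH": ["M", "H", "VH", "VH", "VH"],
    "H":  ["L", "M", "H", "H", "H"],
    "M":  ["VL", "L", "M", "M", "M"],
    "L":  ["VL", "VL", "L", "L", "L"],
    "VL": ["VL", "VL", "VL", "VL", "VL"],
}


@dataclass
class Risk:
    """One register row: raw (inherent) and residual ratings on the slide's 1-5 scales."""
    number: int
    name: str
    owner: str
    raw_likelihood: float
    raw_impact: int
    residual_likelihood: float  # may be "less than 1" for very rare events (e.g. earthquake)
    residual_impact: int
    previous_rank: Optional[int] = None

    @property
    def raw_score(self) -> float:
        return self.raw_likelihood * self.raw_impact

    @property
    def residual_score(self) -> float:
        return self.residual_likelihood * self.residual_impact


def traffic_light(score: float) -> str:
    """Slide bands: 1-6 green, 8-12 green/orange, 14-20 orange/red, over 20 red.
    Integer 1-5 products never equal 7 or 13; fractional scores from a sub-1 likelihood
    are placed in the band below the gap."""
    if score <= 6:
        return "green"
    if score <= 12:
        return "green/orange"
    if score <= 20:
        return "orange/red"
    return "red"


def level(score: float) -> str:
    """Map a 1-5 rating to a heat-map level; a 'less than 1' likelihood counts as VL."""
    return LEVELS[min(5, max(1, math.ceil(score))) - 1]


def heat_map_cell(risk: Risk) -> str:
    """Heat-map rating for the risk's residual likelihood/impact pair."""
    return HEAT_MAP[level(risk.residual_likelihood)][LEVELS.index(level(risk.residual_impact))]


def rank_register(register: List[Risk]) -> List[dict]:
    """Rank by residual score (highest first) and emit the slide's register columns."""
    ordered = sorted(register, key=lambda r: r.residual_score, reverse=True)
    return [{"number": r.number, "name": r.name, "owner": r.owner,
             "raw": r.raw_score, "residual": r.residual_score,
             "rank": rank, "previous_rank": r.previous_rank,
             "status": traffic_light(r.residual_score), "heat_map": heat_map_cell(r)}
            for rank, r in enumerate(ordered, start=1)]


def plot_on_heat_map(register: List[Risk]) -> dict:
    """Transpose the register onto the grid: risk numbers per (likelihood, impact) cell."""
    grid = {(lk, im): [] for lk in LEVELS for im in LEVELS}
    for r in register:
        grid[(level(r.residual_likelihood), level(r.residual_impact))].append(r.number)
    return grid


# Constructed sample register (illustrative values, not from the slides).
SAMPLE_REGISTER = [
    Risk(1, "Ransomware on file servers", "CIO", 4, 5, 3, 5, previous_rank=1),
    Risk(2, "Key supplier insolvency", "CFO", 3, 4, 3, 3, previous_rank=3),
    Risk(3, "Earthquake destroys primary data centre", "COO", 0.5, 5, 0.5, 5, previous_rank=2),
    Risk(4, "Privileged access not reviewed", "CISO", 4, 3, 2, 3, previous_rank=4),
]
```

Calling `rank_register(SAMPLE_REGISTER)` returns the ranked rows with their traffic light and heat-map cell; `plot_on_heat_map(SAMPLE_REGISTER)` returns the cell-to-risk-number mapping the slide describes plotting.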
Gap Analysis – Current and Desired
Maturity Levels (columns): Ad hoc; Repeatable; Defined; Measured; Optimized
ISO 27002 Major Clauses (rows): Security Policies; Organizational Security; Asset Classification; Personnel Security; Physical Security; Communications Management; Access Control; System Development; Incident Management; Continuity Management; Compliance
Legend: X = Current State, O = Desired State (each clause carries one X and one O on the maturity scale)
HOW IS RISK MANAGED?
• Classic Risk Formula – Impact x Likelihood
• Another popular (IT centric) perspective:
Realized Threat on Asset with Vulnerability
• ISO’s new definition:
ISO 31000 “effect of uncertainty on objectives”
HOW IS RISK COMMUNICATED & MONITORED?
• Risk Governance – how are we determining the management of the risk program?
– Cited by George Westerman in his article Building IT Risk Management Effectiveness, one of the CGEIT suggested articles.
– Westerman’s 4A’s – Availability, Access, Accuracy and Agility – his book IT Risk
• Database of risk – the risk register
• Tracking, trending of risks
Information Security Governance: Guidance for Boards
• Purpose of infosec governance:
– Alignment w/ business strategy (avoid focus on past wars)
– Risk management
– Efficient use of resources
– Monitoring and reporting of appropriate risk metrics
– Optimize value of security investments
• Roles & responsibilities – Board
– Define ‘global risk profile’
– Set tone
– Resource infosec
– Obtain independent assurance from auditors (internal or external)
☼ Insist that management makes security investments measurable & reports on security program effectiveness
Information Security Governance: Guidance for Boards
• Roles & responsibilities – Sr. Management
– Oversight for security and control framework: policy, standards, practices and procedures, measures
– Appropriate risk identification
– Security infrastructure
– Monitoring
– Reviews of effectiveness
– Incorporation into SDLC
• Questions
• Infosec Governance Deliverables (by domain)
• Maturity model – IT focus is associated w/ lower levels of maturity
Risk Awareness and Culture
• Risk Awareness
– Those closest to the process/technology/program have the greatest knowledge of the potential risks
– Again, these can be business (non‐technical) risks
– We as risk professionals must tap that knowledge – “What keeps you up at night?” and other open‐ended questions
• Proper awareness fosters a risk culture
– OK to talk about risks
– OK to take risks
– OK to fail (if managed appropriately)
• Key Risk Indicators – KRIs
– Measure to indicate how risky an activity is
– Primary use is to report risk profiles to Sr. Management, according to the Risk Management Association (RMA) 2005 survey
– Proprietary within each organization; no common set of KRIs
• Enterprise Risk Management needs a consistent and universal way to articulate risk throughout the environment
– Quantifying risk in $ is another approach to talking the language of business
• Roles & responsibilities
– Risk must be communicated throughout the organization
– Various organization structures proposed
• Chief Risk Officer
• Risk Managers in Business Units
– ITGI recommends
• Risk Management Plan – subject to periodic review
• IT Executive Committee to review the plan
– Committee reviews priorities
– Approves allocation of resources to mitigate prioritized risks
• Monitoring, Reviewing and Trending Risk
– Management of risk takes a lifecycle approach
– Obtain assurance of effectiveness
• Alignment of risk management with business objectives
• Understanding the risk landscape allows the organization to judiciously take greater risks when appropriate (change the risk appetite)
Practice Question
• Which of the following would be implemented at the highest level of an enterprise?
A. An enterprise risk register
B. A risk management board
C. A risk owner
D. A risk council
Answer
• Which of the following would be implemented at the highest level of an enterprise?
A. An enterprise risk register is a management tool that is used within the context of the risk management board
B. A risk management board is made up of managers who are responsible for the reporting of the enterprise’s risk response to the board
C. Although the highest level of management is responsible for risk, the risk owner is tied to a low‐level project, program, or business unit.
D. The risk council is defined either by the enterprise board or the marketplace itself.
Reference: ISACA; IT Governance Practices and Competencies: Information Risks: Whose Business Are They?
GOVERNANCE RISK & COMPLIANCE TOOLS
Risk Management Snapshot
Results from the April 2009 and September 2009 Archer Technologies Risk Management Working Group polls.
“The 2008 global financial crisis has raised awareness for business‐oriented risk management on issues such as IT security and financial reporting, as well as the need to have a comprehensive understanding of risk across the organization. Despite these heightened concerns, most organizations continue to struggle with silos of risk management activities that fail to provide an integrated framework for these efforts.”
‐ Paul Proctor, Douglas McKibben. An Overview of IT and Enterprise Risk Management. Gartner, Inc. December, 2008.
Archer’s Approach to GRC
(Diagram: a Governance / Risk / Compliance / Enterprise Management stack. Elements shown: Policies, Control Standards, Authoritative Sources, Control Procedures, Testing (Manual, Automated), Test Results, Assessments, Risk Register, Question Library, Metrics, Findings, Loss Events, Quarterly Risk Review, Remediation Plans, Exception Requests, Scoping, Devices, Applications, Business Processes, Business Hierarchy, Corporate Objectives, Product/Services, Facilities, Information.)
Archer Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
Archer Risk Management: Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.
Archer Compliance Management: Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
Archer Enterprise Management: Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.
Risk Management Process
• Risk Register
• Loss Events
• Metrics
• Quarterly Risk Reviews
• Question Library
• Assessments
• Findings
• Exception Requests
• Remediation Plans
A Top‐Down Risk Approach
(Components: Risk Register, Metrics, Loss Events, Quarterly Risk Review, Question Library)
Risk Register fields: Affected Business Units; Risk Nature; Risk Ownership; Source Information; Impact Score; Loss Amounts; Likelihood Score; Risk Response; Inherent Risk Score; Residual Risk Score
Follow on Top Down
Metrics fields: Status; Ownership; Objective; How to Calculate; Measurement Frequency; Threshold Type and Value; Current Value; Date Measured
Loss Events fields: Impacted Business Processes; Financial Valuation & Recovery Summary; Offset Transactions; Root Cause Analysis; Failed Controls; Violated Policies
Top‐Down Continued
Quarterly Risk Review fields: Statuses; Submitter & Reviewer; Review & Due Dates
Question Library fields: Type & Status; Policy References; Answer Inheritance
A Bottom‐Up Risk Approach
(Components: Assessments, Remediation Plans, Exception Requests, Findings)
Assessment types: Fraud Assessment; Application Assessment; Facility Assessment; Information Asset Assessment; Device Assessment
Bottom‐Up Continued
Fields shown: Status; Authoritative Source References; Control Standards; Approval Workflow; Finding Description; Finding Response; Remediation Status and Dates
Bottom‐Up Risk 3
Exception Requests fields: Status; Exception Declaration; Impacted Control Standards; Compensating Controls; Exception Attachments; Review and Approvals
Remediation Plans fields: Status; Cost Analysis; Approval Workflow; Related Findings; Related Vulnerabilities; Related Configuration Check Results
Risk Management Reporting
• Over 140 Out‐of‐the‐Box Reports including:
– Risk Impact and Rating Summary
– Risks by Inherent and Residual Rating
– Risks by Company Objective
– Metric Status Summary
– Net Total Losses by Business Unit by Month
– Open Loss Events by Business Unit
– All Events by Basel II Categories
– Risk Assessment Average Residual Scores by Business Unit
– Risk Findings by Status
END
ERM Components
• Objective Setting
– Necessary preconditions of risk management: strategic objectives regarding operations, reporting and compliance
• Event identification
– Positive or negative risk related events
• Risk assessment
– Impact and likelihood of identified events
• Risk response
– Avoidance, reduction, sharing, acceptance
• Control activities
– Controls that ensure that risk response is completed
• Information and communications
– Processes that link the above components
• Monitoring
– Ensure that all the above processes work effectively
COSO ERM Principles
• ERM is a process implemented in context of the internal control environment. Takes into consideration:
– Risk management philosophy
– Risk appetite
– BOD attitude
– Integrity and ethical values
• Implemented by people
• Reasonable assurance
• Supports achievement of objectives
COSO ERM
• Risk management is essential component of COSO internal control model
– Identify risk; estimate its significance and frequency; determine what actions should be taken in response
– General lack of a comprehensive risk assessment process
• Silo approaches preclude:
– Comparison of risk across functional components
– Integrated management
• COSO ERM
– Eight Components and Four Objectives Categories
• Eight Components
– Internal Environment
– Objective Setting
– Event Identification
– Risk Assessment
– Risk Response
– Control Activities
– Information and Communication
– Monitoring
• Four Objectives Categories
– Strategy
– Operations
– Financial Reporting
– Compliance
COSO ERM Framework
• General framework for management of enterprise risk
– Common language & approach
• Management of IT related risks (eg infosec) should be addressed as special case of ERM
– Enterprise context
– IT risk as ‘just another’ kind of business risk
(Figure: COSO ERM cube, axes labelled Objectives Categories and Component Activity)
COSO ERM Component Activity
• Control activity – Policies and procedures that ensure that risk response activity is carried out
– E.g. (trivial): not the password policy itself, but the AD & Windows logon mechanism that enforces the policy
• Information and communication – Outputs, indicators, reports that coordinate other component activities
• Monitoring – Processes needed to determine the effectiveness of all the other ERM components
• Other ERM Frameworks
– ISO 31000 – recent work by the International Organization for Standardization (November, 2009)
• Replaced AS/NZS 4360:2004
– Risk IT – ISACA’s own
• Leverages elements of George Westerman’s work at MIT and Jack Jones’ FAIR methodology (Heat Maps)
• Balance risk with opportunity – little to no risk means fewer necessary controls to identify and work towards opportunities
Risk IT Framework
• 3rd Component of ITGI’s IT Governance Framework
– Val IT – creation of business value
– Risk IT – protection of information assets
– COBIT ‐ control & improve IT
Risk IT
• Goal: ensure enterprise governance of IT risk
– Connects IT risk with business objectives
– Aligns IT‐related business risk with overall enterprise risk management
• akin to IT‐enabled business investment / value
– Framework specializes the COSO ERM framework to IT risk
• Emphasis (but not exclusively) on information security risk
• Framework provides:
– Risk management governance practices
– End to end process framework
– Catalog of generic adverse IT‐related risks
– Tools & techniques
– Roles & responsibilities
Risk IT Components
Risk IT Process Model
Risk IT Process Model: Zoom
• For each process, Risk IT provides:
– Detailed control activities / objectives
– Inputs and outputs for each activity
– RACI chart
– Goals and metrics (activity, process & ‘domain’)
– Maturity model
Risk IT Companion Document
COSO ERM: for more info
COSO.org
• http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
• http://www.coso.org/documents/COSO_ERM.ppt
• http://www.coso.org/ERM-IntegratedFramework.htm
Especially recommended for security professionals.
COSO ERM Entity & Unit Level Risk
Entity‐wide plus unit specific risks
• Unit‐level risk
– Risk should be considered and managed at all levels of business
• Follow organization chart?
• Entity level risk
– Risk impacting multiple business units
– Roll up of unit level risk with ‘material’ impact