
15/08/2016

Why Integrated Enterprise Risk Management Is Essential

(Session 2304)

Monday, September 12, 2016 4:30 PM - 5:30 PM

Orlando, FL

Doug Powell, CPP, PSP

J. Kelly Stewart, CPP

LEARNING OBJECTIVES

• Understand why Critical Infrastructure security risk management requires an Enterprise, or End-to-End view of security risk

• Understand how IT, OT and Physical (traditional) security risk need to be COMPLETELY INTEGRATED.

• Identify a new methodology that utilizes Governance, Risk and Compliance.



THE NEED FOR CHANGE

• Security Risk Management (SRM) still holds a predominantly “physical” tone in most organizations.

• IT Security Risk Management has received considerable attention over the past decade.

• Operational Technology (OT) security risk management is almost non-existent.

• There is no integrated approach to managing critical infrastructure risk.

WHY GRC?

• Critical Infrastructure security risk management requires an Enterprise, or End-to-End, view of security risk

• We can no longer silo security risk and believe we are adequately protecting our infrastructure

• An integrated view of security risk is long overdue

• Physical security practices also protect IT assets

• IT assets also form part of the physical security infrastructure

• Both IT and Physical Security practices contribute to OT security program management

• IT, OT and Physical (traditional) security risk is COMPLETELY INTEGRATED

• Why would we manage security risk across any of these domains independently?

• How can we provide assurance to the organization (executive or Board) that security risk is being managed effectively and completely without a single risk view for ALL security risk?

• An Enterprise Security Risk Management (ESRM) view is required.

ESRM INTERDEPENDENCIES

• Does IT and Physical Security Risk exist independent of each other?

• No!

• Consider the substation example.


A SECURITY MANAGEMENT PROGRAM MODEL

(Flow diagram; labels recovered from the slide, in the order shown)

Core flow:

• Security Program Development

• Governance Model

• Enterprise Security Risk Management

• Risks Identified & Prioritized

• Mitigation Plan / Strategic Plan

Program elements driven by the mitigation plan:

• Physical Security Upgrades

• Personnel Management Issues

• Access Control Program

• Policy & Standards Development

• Reporting Requirements

• Metrics Development

• Incident Management

• Security Program/Compliance Management

• IT/OT Security Development

• Liaison Management

• Corrective Actions/Gaps/Emerging Threats

Training & Awareness surrounds the whole model (shown along each side of the diagram).

GOVERNANCE, RISK & COMPLIANCE ISSUES

CRITICAL FACTORS (across Governance, Risk and Compliance):

• Executive Sponsorship

• Well-defined list of Risk Management Stakeholders

• Organizational Maturity regarding Risk Management

• Open Communication & Teamwork

• Holistic View of the Process & Organization

• Risk Methodology


ROADMAP FOR ACHIEVING ESRM/GRC

(Matrix of service layers against Governance, Risk and Compliance; reconstructed from the slide)

Process

• Governance: Policy, Standards, Guidelines, Procedures, Gap Analysis

• Risk: Risk Assessment Framework

• Compliance: Integrated SM, Metrics, KPIs, periodic Audits, Exec. Reports

People

• Governance: Awareness, Roles & Responsibilities, Teamwork, Communication

• Risk: Independent Security Assessments, Contractual Compliance

• Compliance: Access Reviews, Collaboration, Communication, Process Review

Data

• Governance: Data Governance, Ownership, Classification, Convergence

• Risk: Data Risk Assessment, Risk Mitigation

• Compliance: Data Protection, PII compliance

Infrastructure

• Governance: Security Baseline

• Risk: Comprehensive Risk, Threat, & Vulnerability Assessment

• Compliance: Security configuration & compliance, SLAs, service

Reference standards: ISO 31000, ISO 31010, ISO 27000, HIPAA, PCI DSS, SAS 70, ASIS/ANSI/RIMS RA Standard, ASIS/ANSI SPC.1-2009 Organizational Resilience, ASIS/ANSI SCRM.1-2014 Supply Chain Risk Management, ASIS/ANSI SPC.2-2014 Auditing Management Systems: Risk, Resilience, Security, and Continuity – Guidance for Application

THE ESRM LANDSCAPE TODAY

BOARD LEVEL RISKS vs. SECURITY PROGRAM


GRC METHODOLOGY IS CRITICAL TO SUCCESS

GRC COMPONENTS

ENTERPRISE RISK MANAGEMENT PROCESS

(Risk Assessment Process diagram; labels recovered from the slide)

Establishing the Context

• The External Context

• The Internal Context

• The Risk Management Context

• Develop Criteria and Define the Structure

Risk Assessment

Risk Identification

• What Can Happen, When, Where, How, & Why

• Asset Identification, Valuation and Characterization

• Threat/Opportunity, Vulnerability/Capability & Criticality/Impact Analysis

Risk Analysis

• Identify Existing Controls

• Determine Likelihood

• Determine Consequences

• Determine Level of Risk

Risk Evaluation

• Compare the Criteria – Set the Principles

• Consider Tolerance and Acceptability

• Treat Risk? No / Yes

Risk Treatment

• Identify and Assess Options

• Avoid? Share? Exploit? Reduce? Accept?

• Prepare and Implement Treatment Options

• Analyze & Evaluate Residual Risk

Running alongside every stage: Communication & Consultation; Monitor & Review.

ENTERPRISE RISK PLOTTING

(Risk heat map; labels recovered from the slide.) Plotted events: Metal Theft; Unresolved Critical Defects; Theft of HV Transformer; Theft of explosive charges; Terrorist caused dam breach (T1). Consequence categories on the plot: Environmental Risk, Safety Risk, Financial Risk.

APPLYING QUALITATIVE RISK MITIGATION

(Bow-tie diagram; labels recovered from the slide.) Undesirable Events: Malware; Privacy Breach; Workplace Violence; Loss of Permission to Operate; Fatality; Additional Scope in the magnitude of $100M – $1B. Preventative Measures (barriers numbered 1 to 4) sit before the Undesirable Event; Recovery Measures (barrier 5) sit after it.

FUNDAMENTAL PROTECTION, END-TO-END (IT, OT and Physical):

• Access Control

• Physical Barriers

• Situational Awareness

• Cultural adaptation

• Audit

• Surveillance & Monitoring

• Intelligence

• Security zones

• Effective Response….

Clear Governance, effective Standards and Best Practices
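The assessment loop from the process slide (determine likelihood, determine consequences, determine level of risk, compare against tolerance, treat, re-evaluate residual risk), with preventative measures lowering likelihood and recovery measures lowering consequence as in the bow-tie, worked through as a runnable Python example. This is added here and is not code from the presentation or its authors; the five-point scales, the 5x5 risk matrix, the tolerance threshold, the treatment catalogue and the scenario ratings are all constructed assumptions (the scenario names are taken from the plotting slide, their ratings are invented).

```python
"""Qualitative risk assessment and treatment loop (added example, not from the deck).

Scales, matrix, scenarios and treatments below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

# Five-point qualitative scales, 1 (lowest) to 5 (highest). Constructed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
CATEGORIES = ("environmental", "safety", "financial")  # axes named on the plotting slide

# Risk matrix: rows = likelihood 1..5, columns = consequence 1..5. Constructed.
# Deliberately, rare x catastrophic is already "high": a catastrophic outcome must
# not be rated away by a low likelihood, which a plain likelihood*consequence
# product would do (1 * 5 = 5 lands in the same band as 5 * 1).
LEVELS = ("low", "medium", "high", "extreme")
MATRIX = (
    ("low",    "low",    "medium",  "high",    "high"),     # rare
    ("low",    "low",    "medium",  "high",    "extreme"),  # unlikely
    ("low",    "medium", "high",    "extreme", "extreme"),  # possible
    ("medium", "medium", "high",    "extreme", "extreme"),  # likely
    ("medium", "high",   "extreme", "extreme", "extreme"),  # almost certain
)


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int               # 1..5
    consequence: Dict[str, int]   # category -> 1..5
    controls: tuple = ()          # existing controls plus treatments applied so far


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str    # "preventive" lowers likelihood; "recovery" lowers consequence (bow-tie)
    steps: int   # scale points removed


def assess(s: Scenario):
    """Determine level of risk: likelihood against the worst consequence category."""
    worst = max(CATEGORIES, key=lambda c: s.consequence[c])
    return MATRIX[s.likelihood - 1][s.consequence[worst] - 1], worst


def apply_treatment(s: Scenario, t: Treatment) -> Scenario:
    """Return the scenario as it looks once the treatment is in place."""
    if t.kind == "preventive":
        return replace(s, likelihood=max(1, s.likelihood - t.steps),
                       controls=s.controls + (t.name,))
    lowered = {c: max(1, v - t.steps) for c, v in s.consequence.items()}
    return replace(s, consequence=lowered, controls=s.controls + (t.name,))


def within(level: str, tolerance: str) -> bool:
    return LEVELS.index(level) <= LEVELS.index(tolerance)


def treat(s: Scenario, options: List[Treatment], tolerance: str = "medium") -> dict:
    """Treatment loop: assess, apply the next option, re-assess residual risk, and
    stop when the level is within tolerance or the options are exhausted."""
    level, worst = assess(s)
    inherent, applied, current = level, [], s
    for t in options:
        if within(level, tolerance):
            break
        current = apply_treatment(current, t)
        applied.append(t.name)
        level, worst = assess(current)
    return {"scenario": s.name, "inherent": inherent, "residual": level,
            "worst_category": worst, "applied": applied,
            "accepted": within(level, tolerance)}


# Constructed register: names from the plotting slide, ratings and treatments invented.
SCENARIOS = {
    "Metal theft": (
        Scenario("Metal theft", LIKELIHOOD["likely"],
                 {"environmental": 1, "safety": 2, "financial": 2}),
        [Treatment("Copper marking and scrap-dealer liaison", "preventive", 1)]),
    "Theft of HV transformer": (
        Scenario("Theft of HV transformer", LIKELIHOOD["possible"],
                 {"environmental": 2, "safety": 3, "financial": 3}),
        [Treatment("Perimeter intrusion detection and patrols", "preventive", 1),
         Treatment("Spare unit held at regional depot", "recovery", 1)]),
    "Terrorist caused dam breach": (
        Scenario("Terrorist caused dam breach", LIKELIHOOD["rare"],
                 {"environmental": 5, "safety": 5, "financial": 5}),
        [Treatment("Armed response and intelligence liaison", "preventive", 1),
         Treatment("Downstream early warning and evacuation plan", "recovery", 1)]),
}


def run_register(tolerance: str = "medium") -> Dict[str, dict]:
    """Assess and treat every scenario; unaccepted residual risk is what goes to the Board."""
    return {name: treat(s, opts, tolerance) for name, (s, opts) in SCENARIOS.items()}


if __name__ == "__main__":
    for result in run_register().values():
        print(result)
```

The dam breach scenario shows the "No" branch of the loop: both treatments are applied, the residual level stays "high" because the matrix refuses to let a catastrophic consequence drop below that band, and the result comes back with accepted set to False, which is the case that needs a single enterprise view and an explicit acceptance or escalation decision rather than a silo deciding on its own.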


NORMALIZING RISK DEFINITION

• Before risks can be effectively managed, we must agree on a common definition of risk that is clearly understood by the board, management, faculty, and staff.

• Replace old definitions of risk and risk management

Old Language

• Risk: Negative Outcomes

• Risk Management: Ensuring the Organization was adequately protected in the event of Catastrophe

New Language

• Risk: Any issue that affects the organization’s ability to meet its objectives

• Enterprise Security Risk Management: Encompasses all of the operational, financial, compliance, strategic, and reputation issues encountered in the attempt to achieve objectives

ADAPTING TO GRC METHODOLOGY

• The GRC management framework provides a good foundation for integrated security risk management

• GRC sets a useful risk management and assessment framework

• Governance and Compliance gaps frame the majority, if not all, security risk concerns

• But GRC is far too narrow in its current design

• Physical risk assessment is much more detailed and follows a different methodology

• It can be adapted to GRC and automated

• Yet neither method really allows for situational awareness inputs

• Changing environments need to be part of the ongoing assessment


GRC – GOVERNANCE, RISK & COMPLIANCE

Wherever Risk Management is considered:

• Correct GOVERNANCE is imperative for Risk Management

• Loss of GOVERNANCE leads to Loss of Compliance

• Compliance, traditionally, has been viewed as a Regulatory Framework

• Compliance in an Enterprise Security Framework must be measured against every policy and standard that supports the framework’s objectives, not only against regulation.

• Critical Step: Define all requisite Standards

THANK YOU!

J Kelly Stewart, MBA: [email protected]

Doug Powell CPP, PSP: [email protected]