Risk View Info Sec Intro 3.4.10

Page 1: Risk View   Info Sec Intro 3.4.10

© Rev2 Networks, Inc—Confidential

Rev2 IT Information Security

Risk Management

February 26, 2010

Page 2: Risk View   Info Sec Intro 3.4.10

Today's Discussion

Goals
• Introduce RiskView™: a decision support system which helps identify and focus on business-material risks
• Understand your risk-management focus areas and processes

Agenda
1. Rev2 Introduction
2. RiskView Framework
3. Examples
4. Next Steps

Page 3: Risk View   Info Sec Intro 3.4.10

Rev2 Risk Management

Risk areas: InfoSec Risk, Supply Chain Risk, Service Delivery Risk

RiskView replaces ad-hoc processes with a fact-based, scalable, repeatable framework:
• Identify uncontrolled risk via business views
• Focus on the most material drivers
• "What-if" controls testing

Page 4: Risk View   Info Sec Intro 3.4.10

Today: Plenty of Data But Big Exposure

Most companies collect large vulnerability data sets, but face big material risk in information security. Info sec tools and services regularly identify 100,000s of vulnerabilities.

Value is limited by…
• Data silos
• Inconsistent data
• Wrong metrics
• Changing process
• Inadequate tools

Because…
• Reactive response
• Perception vs. facts
• Wasted money
• On-going vulnerability

How do you prioritize 1 Million vulnerabilities?

RiskView provides a fact-based, scalable, repeatable process.

Page 5: Risk View   Info Sec Intro 3.4.10

Requirements

Effective risk management requires specialized structures, tools and systems that most companies lack.

Structure: Info Sec Risk Mgt requires a formal strategy and organization approach
Systems: An on-going formal process is needed to meet goals and execute strategy
Tools: Special tools are required to consistently and efficiently analyze large data sets

Key Elements Include

Structure
• Leadership: to coordinate across business units
• Metrics: consistent metrics for materiality of business impact
• Risks and Policies: to identify risks and define policies to limit exposure

Systems
• Compliance: regular evaluations to learn policy compliance and violations
• Risk Updates: regular reviews for materiality score changes
• Measures and Actions: regular risk assessments with next steps to fix key findings

Tools
• Risk Algorithm: to calculate materiality scores
• Analytic Engine: to compare risks and identify drivers
• Scenario Testing: to pre-test potential program changes
• Visualization: to facilitate analysis and understanding

Page 6: Risk View   Info Sec Intro 3.4.10

Strategic Data

A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.

Normalized Data
• The Issue: Risks are measured differently. How to compare them?
• The Solution: Create a normalized risk score, based on materiality of adverse business impact.

Different Impacts
• The Issue: Risks have different impacts. How to evaluate risk types?
• The Solution: Score vulnerabilities on the type of risk they present; differentiate financial, legal, regulatory and reputational impact.

Asset Roles
• The Issue: Risk impact varies based on where it occurs. How to recognize differences?
• The Solution: Score impact based on the specific asset at risk; recognize differences in asset value.

Strategic Data supports a fact-based, scalable, repeatable process.

Page 7: Risk View   Info Sec Intro 3.4.10

Materiality

Business Materiality: Does It Matter?

Three factors, labelled Susceptibility, Impact and Exploitability on the slide:
• The probability of an attempt
• The probability of success
• The criticality of the intersected asset or business process

We normalize risk scores based on business materiality. The probability of a successful attempt is weighed versus its impact based on the asset's business criticality.
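As an added illustration (not RiskView's own code or algorithm), the following Python script scores a handful of constructed findings the way the slide describes: probability of an attempt times probability of success, weighed against asset criticality and normalized to a 0..100 materiality score. It also rolls the scores up by business view, filters to the "critical few" and re-scores under a what-if control, as the later Features and Filters slides describe; the field names, the 1..5 criticality scale and all sample values are assumptions.

```python
"""Materiality-style scoring over constructed findings (added illustration, not RiskView code)."""
from collections import defaultdict

# Constructed sample findings. Field names and the 1..5 criticality scale are assumptions;
# each row carries the three factors from the slide plus business-view attributes.
FINDINGS = [
    {"id": "V1", "unit": "Retail", "cost": "Financial", "p_attempt": 0.9, "p_success": 0.8, "criticality": 5},
    {"id": "V2", "unit": "Retail", "cost": "Regulatory", "p_attempt": 0.6, "p_success": 0.5, "criticality": 4},
    {"id": "V3", "unit": "HR", "cost": "Legal", "p_attempt": 0.3, "p_success": 0.9, "criticality": 2},
    {"id": "V4", "unit": "HR", "cost": "Reputational", "p_attempt": 0.2, "p_success": 0.2, "criticality": 1},
]
MAX_CRITICALITY = 5  # assumed top of the asset criticality scale, used for normalization


def materiality(finding):
    """Probability of a successful attempt (attempt x success) weighed against asset
    criticality, normalized to a 0..100 score so findings from different tools compare."""
    p_successful_attempt = finding["p_attempt"] * finding["p_success"]
    return round(100 * p_successful_attempt * finding["criticality"] / MAX_CRITICALITY, 1)


def business_view(findings, key):
    """Roll materiality up by a business view, e.g. key='unit' or key='cost'."""
    totals = defaultdict(float)
    for f in findings:
        totals[f[key]] += materiality(f)
    return dict(totals)


def critical_few(findings, threshold):
    """Filter = focus: ids of findings at or above the materiality threshold, highest first."""
    keep = [f for f in findings if materiality(f) >= threshold]
    return [f["id"] for f in sorted(keep, key=materiality, reverse=True)]


def what_if(findings, unit, success_reduction):
    """Pre-test a control: scale p_success for every finding in one business unit by
    (1 - success_reduction) and return the unit's materiality total before and after."""
    before = business_view(findings, "unit")[unit]
    adjusted = [dict(f, p_success=f["p_success"] * (1 - success_reduction)) if f["unit"] == unit else f
                for f in findings]
    after = business_view(adjusted, "unit")[unit]
    return before, after


if __name__ == "__main__":
    print("by unit:", business_view(FINDINGS, "unit"))
    print("by cost type:", business_view(FINDINGS, "cost"))
    print("critical few (>= 20):", critical_few(FINDINGS, 20))
    print("Retail before/after a control halving p_success:", what_if(FINDINGS, "Retail", 0.5))
```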

Page 8: Risk View   Info Sec Intro 3.4.10

What is RiskView™?

• A software Risk Data Warehouse platform that collects vulnerability data

• Business-specific modules with customizable views and analytics

• Advanced Visualization to create a packaged decision support system

A highly-extensible platform for fact-based, scalable, repeatable Risk Management Decisions

Page 9: Risk View   Info Sec Intro 3.4.10

RiskView Features

Business Views: Impact/Effect, Cause, Business Unit, Geography/Location, Process

Cost Types: Financial, Reputational, Regulatory, Legal

– Collect and combine risks enterprise wide
– Normalized scoring based on materiality
– Impact-centric business views
– Pre and post testing for "what if?" and "did it work?"
– Advanced visualization for easy analysis and interpretation

Fact-based, Scalable, Repeatable!

Page 10: Risk View   Info Sec Intro 3.4.10

RiskView Examples

Page 11: Risk View   Info Sec Intro 3.4.10

Vertical View- InfoSec

Page 12: Risk View   Info Sec Intro 3.4.10

Horizontal View- Geography

Page 13: Risk View   Info Sec Intro 3.4.10

Business Unit View

Page 14: Risk View   Info Sec Intro 3.4.10

Filters = Focus

Not every vulnerability is equal in terms of materiality. Once aggregate material risk is identified and unacceptable levels detected, the drivers need to be identified and profiled.

Filters:
• Materiality (finding the "Critical Few")
• What-if (testing)
• Date Range (trending)

Page 15: Risk View   Info Sec Intro 3.4.10

Exploded View

Page 16: Risk View   Info Sec Intro 3.4.10

RiskView Benefits

• Identify uncontrolled critical risks: typically the reduction is > 50%
• Save money: improve risk with the current budget; cut spending without added risk
• Identify common controls: for one client, a single control eliminated 70% of uncontrolled risk
• Improve staff productivity: only one FTE week per quarter for analysis/administration; analyze up to 200 million vulnerabilities in real time
• Justify budgets and investments: test program investments before decision and after execution
• Establish a fact base for decision-making: determine/assign organization accountabilities

Page 17: Risk View   Info Sec Intro 3.4.10

Next Steps: Free Risk Evaluation

We will conduct a limited information security risk evaluation with RiskView:
• Load a set of data, aligned with your policies and procedures
• Analyze and present the findings, along with implications/recommendations

Requirements:
• Aon resources: ~1 day for set-up, plus 1 hour for findings presentation
• Rev2 time: ~2 weeks start to finish