
Enterprise risk management

Enterprise risk management. Bobby Singh, Director, Information Security & Risk Management, Rogers Communications Inc. Moderator: Illena Armstrong, editor-in-chief, SC Magazine. Objectives of this session. Understand current risk challenges and roadblocks affecting risk management



Presentation Transcript

  1. Enterprise risk management Bobby Singh, Director, Information Security & Risk Management, Rogers Communications Inc. Moderator: Illena Armstrong, editor-in-chief, SC Magazine

  2. Objectives of this session
     - Understand current risk challenges and roadblocks affecting risk management
     - How to manage Information Security
     - Overview of an Information Security Risk Management Lifecycle
     - Overview of Risk Assessment Methodology
     - Walk through of Risk Process Flows and the Use of Technology

  3. Why is risk difficult to manage?
     - There is no single, common definition of what “risk” is or means.
     - Risk means different things to different groups with little to zero alignment or mapping (e.g. credit risk, market risk, insurance risk, operational risk, security risk, health risk, hazard risks, etc.).
     - No common or defined method and approach for managing risk.
     - Risk identification is complex, and managing risk is even more complex.
     - A unified approach (reducing complexity) to operational risk and security risk has numerous benefits and efficiencies, but the road to get there is not simple.
     - Risk management is often performed in silos (especially security risk management).

  4. Roadblocks
     - Lack of clear, well defined business objectives
     - Lack of established governance
     - Lack of effective follow-up and tools
     - Lack of accountability
     - Lack of risk definitions
     - Lack of common understanding in managing risks
     - Lack of standardized risk management approach / method

  5. 5

  6. Security Metrics - Program Framework, KRIs, KPIs

  7. Benefits. The benefits of the security metrics program include:
     - improved understanding of the organization’s security strengths and weaknesses
     - improved identification, prevention, and mitigation of security issues and risks
     - meeting regulatory requirements as well as demonstrating to other governance bodies our ability and commitment to maintain a secure environment
     - improved decision making, planning, and prioritization of security activities
     - improved allocation of security efforts, resources, and funding

  8. Approach. The information security risk management approach focuses on the following:
     - The use of common definitions and terms
     - The use of a defined risk management lifecycle
     - Threat and Risk Assessments that clearly focus on how risks impact business objectives
     - The utilization of tools to manage risks across the organization
     - Alignment with other business units such as Enterprise Risk Management, Privacy, SecOps, Audit…

  9. Security Specific - Risk definition. There is no one standard/universal definition for security risk. However, all security risk definitions should include elements of:
     - time (e.g. the risk is a future event that has not yet occurred)
     - potential for loss or harm (to a valuable asset)
     - harm caused by threats (which take advantage of an asset’s vulnerabilities, i.e. weaknesses)

     Suggested security risk definition: The potential for a threat to exploit an asset weakness, which will negatively impact the ability for an organization to meet its business objectives.

  10. Why Information Risks: from managing IT function silos… to a business centric approach to risk mitigation

     | Infrastructure (managing IT function silos) | Information (business centric risk mitigation) |
     |---|---|
     | Assessing technology vulnerabilities | Assessing business risk |
     | Enforcing security policy | Partnering to influence behavior |
     | Focusing on the perimeter | Focus within the perimeter |
     | Protecting infrastructure | Protect organization data |
     | Tracking security incidents | Optimize risk mitigation |
     | Quantitative Approach | Qualitative Analysis |

  11. Risk Management – Project vs. Business Risk
     - Project Issues are problems, gaps, technology limitations, etc. that exist today. Issues may contribute to Risks.
     - Project Risks are problems, gaps, limitations, etc. that may impact the project.
     - Business Risks are events that may occur in the future. If and when they occur, they may cause loss or harm to the organization’s ability to meet its business objectives.

     Example project issues: lack of documentation; no security requirements; no security architecture; undefined R&Rs or accountabilities; no separation of duties; insufficient access control; no hardening requirements; vendor agreements and SLAs that do not include security requirements; insufficient logging, audit and monitoring controls.

     Example project and business risks: schedule delay; budget overrun; scope creep; incomplete deliverables; resource constraints; potential escalations; internal reputation; contractual commitments missed; poor service delivery; poor asset management; unreliable system; slow system uptake; privacy & security risks; client dissatisfaction.

  12. Security Risk Management. Information Security Risk Management is the coordinated direction and control of activities to ensure that security risks are identified, analyzed, understood, addressed, and managed to meet business goals and objectives. These activities include the identification, assessment, and appropriate management of current and emerging security risks that could cause loss or harm to persons, business operations, information systems or other assets.

  13. Risk Assessment Methodology

  14. Business & Control Objectives

  15. Assess Risk. Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. (Source: COSO)

  16. Risk Assessment (Source: NIST SP 800-30)
     - Step 1: System Characterization
     - Step 2: Threat Identification
     - Step 3: Vulnerability Identification
     - Step 4: Control Analysis
     - Step 5: Likelihood Determination
     - Step 6: Impact Analysis
     - Step 7: Risk Determination
     - Step 8: Control Recommendations
     - Step 9: Results Documentation

  17. Security Risk Management Model (diagram). Threats (e.g. hackers, viruses, spyware, fire) exploit Vulnerabilities (e.g. un-patched systems, old anti-virus, weak passwords, unlocked cabinets), which expose Assets (e.g. computers, files & folders, test results, prescriptions). Threats and vulnerabilities increase Security Risks; Security Controls (e.g. policy, passwords, anti-virus, backups) protect against threats and reduce security risks. Asset Values & Impacts and Security Requirements complete the model (remaining diagram edges: have, determine, influence, met by, impact).

  18. Risk Acceptance Process. Security risk acceptance is the deliberate decision by the appropriate level of management to accept an identified security risk for the purposes of meeting business objectives. Risk owners may accept risks that lie below the approved Risk Tolerance Levels. However, if a risk owner wishes to accept a risk above the risk tolerance line, they must escalate the risk by submitting a Risk Escalation Approval Form and obtaining appropriate approvals to proceed with the risk acceptance.

  19. Determine Risk Appetite. Risk appetite is the amount of risk — at a Board Level — an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation). (Source: COSO)

  20. Likelihood

  21. Impact Analysis

  22. Risk Tolerance Levels. Risk Escalation is required when the risk owner chooses to accept a risk that is rated above the risk tolerance line. (Chart label: Default Risk Tolerance Line)

  23. Showtime

  24. Information Security Risk Management Lifecycle

  25. Security Risk Management Lifecycle

  26. Tracking & Managing Process. The objective of this process is to improve management of security issues and risks. The primary purpose of this process is to ensure that all those with responsibility for identifying or managing security issues and risks know:
     - their responsibilities
     - how each affected Business Unit interacts with others to achieve effective management of security issues and risks
     - the work flow to achieve effective management of identified issues/risks

  27. The FUN stuff: Process Flows

  28. Risk Management – Process Overview. Summary of the Process:
     - InfoSec: identifies a risk and notifies the risk owner and the project team
     - Risk owner: develops a risk treatment plan to address the risk with the assistance of InfoSec
     - InfoSec: enters the risk and the treatment plan into its risk management tracking tool
     - Risk owner: implements the risk treatment plan
     - InfoSec: follows up with the risk owner (or their delegate) to periodically monitor the progress of the treatment plan
     - InfoSec: provides executive level reports on a monthly and quarterly basis to report on the status of risks and risk treatment plans
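As an added example (not part of the presentation), a minimal Python risk register that encodes the acceptance rule from slides 18 and 22 (risk owners may accept risks below the tolerance line; above it, an approved Risk Escalation Approval Form is required) and the tracking workflow from slide 28. The 3-point likelihood/impact scales, the tolerance line value of 4, and the status names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed 3-point qualitative scales (the deck's likelihood/impact slides are images).
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Assumed default risk tolerance line: a rating above this requires escalation.
DEFAULT_TOLERANCE_LINE = 4
# Slide 28 workflow as a state machine: each status lists the statuses it may move to.
TRANSITIONS = {
    "identified": {"treatment_planned", "accepted"},
    "treatment_planned": {"tracked"},   # InfoSec enters risk + plan into the tracking tool
    "tracked": {"implemented"},         # risk owner implements; InfoSec monitors progress
    "implemented": {"closed"},
    "accepted": {"closed"},
}

def risk_rating(likelihood: str, impact: str) -> int:
    """SP 800-30 steps 5-7: combine likelihood and impact into a single rating."""
    return LEVELS[likelihood] * LEVELS[impact]

@dataclass
class Risk:
    title: str
    owner: str
    likelihood: str
    impact: str
    status: str = "identified"
    treatment_plan: Optional[str] = None
    escalation_approved: bool = False   # Risk Escalation Approval Form signed off

    @property
    def rating(self) -> int:
        return risk_rating(self.likelihood, self.impact)

    def above_tolerance(self, line: int = DEFAULT_TOLERANCE_LINE) -> bool:
        return self.rating > line

def transition(risk: Risk, new_status: str) -> str:
    """Move a risk along the workflow, enforcing the acceptance and treatment-plan rules."""
    if new_status not in TRANSITIONS.get(risk.status, set()):
        raise ValueError(f"{risk.title}: cannot go from {risk.status} to {new_status}")
    if new_status == "accepted" and risk.above_tolerance() and not risk.escalation_approved:
        raise PermissionError(f"{risk.title}: rating {risk.rating} is above the tolerance line")
    if new_status == "treatment_planned" and not risk.treatment_plan:
        raise ValueError(f"{risk.title}: a treatment plan is required before tracking")
    risk.status = new_status
    return risk.status

def status_report(register: List[Risk]) -> Dict[Tuple[str, str], int]:
    """Executive summary (slide 28 reporting): count of risks by tolerance band and status."""
    report: Dict[Tuple[str, str], int] = {}
    for r in register:
        key = ("above tolerance" if r.above_tolerance() else "within tolerance", r.status)
        report[key] = report.get(key, 0) + 1
    return report
```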

  29. Risk Tracking – Documenting

  30. Risk Tracking – Monitoring

  31. Risk Tracking – Reporting

  32. Technology

  33. Tools for Monitoring & Tracking: Dash Board

  34. Tools for Monitoring & Tracking

  35. Tools for Monitoring & Tracking

  36. Sample factors that can decrease risk
     - Effective policies and standards
     - Awareness programs
     - Reliance on proven and tested controls
     - Consistency of processes, technology and controls
     - Appropriate Segregation of Duties
     - Customers
     - Regulations/Compliance
     - Audits
     - Knowing what your risks are

  37. Discussion / Q&A

  38. Contact Info: Bobby Singh Director, Information Security & Risk Mgt 416.935.6691 Bobby.singh@rci.rogers.com
