© G. Dhillon. All Rights Reserved.
Alignment (Glenmeade)

Vision
- To provide a personalized experience to our customers
- To reach out to the customers and know their preferences, likes and dislikes

Business objective(s), broken down into marketing, IT and operations objectives
- Implement a Customer Relationship Management system; buy a state-of-the-art system
- Develop a Tastemasters program
- Get to the customer directly and most efficiently

Programs supporting those objectives
- Marketing programs: freebies, sponsorships
- Operations programs: on-time delivery incentives, etc.
- IT programs: new rollouts, system training, IT project management
Security is a business enabler
Security allows me to do something I couldn't do [safely] otherwise/before:
- Electronic commerce
- Online banking
- Online brokerage
Added value: security is part of the product
- Helps make the sale because of security
- Revenue generated as a result of security
Security is not the product; it allows me to do business.
Reality
For a range of reasons, companies have always been under pressure to cut IT costs, perhaps by outsourcing, and to justify every expense. When the choice is between keeping the "shop running" and securing it, protection mechanisms are put on the back burner.
Risks (Glenmeade)
(Same vision / objectives / programs diagram as the Alignment slide, now annotated with the risks each part carries.)

Risks attached to the objectives and programs
- Personal privacy
- Data ownership
- Data flow integrity
- Availability
- …
- … project risks
- System development risks
- Business continuity risks
- Inherent risks (Doubleclick type)
Risk Management (Glenmeade)
(Same vision / objectives / programs diagram as the Alignment slide, with the same risk annotations as the Risks slide: personal privacy, data ownership, data flow integrity, availability, …, project risks, system development risks, business continuity risks, inherent risks of the Doubleclick type.)

Two questions the diagram raises:
- What is the probability that personal privacy will be compromised when personally identifiable information is accessed in an unauthorized manner?
- What is the probability of unauthorized access?
Answer
Let's calculate the probability of occurrence of the negative event (a privacy breach or unauthorized access in this case).
Then ask: what is it going to cost to mend the privacy breach?
BINGO!!
R = P * C
where R is the risk, P the probability that the event occurs, and C the cost of the event if it does. R is therefore an expected loss, and it is only comparable across risks when P and C are stated on the same basis (for example, probability per year and cost per occurrence).
Communicating Risk
A well-formed risk statement answers six questions:
- Asset: what are you trying to protect?
- Threat: what are you afraid of happening?
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Probability: how likely is the threat, given the controls?
- Impact: what is the impact to the business?
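The R = P * C calculation and the well-formed risk statement above, carried into a small risk register that also does the "Step 2 – Assess Risks" work described later in the deck (weigh likelihood and impact, prioritize threats, flag the ones that still need a response strategy). This is an added example written for this page, not material from the slides; the asset names, probabilities, mitigation factors, costs and the pain threshold are all constructed for illustration.

```python
"""Risk register built from well-formed risk statements.

Added example, not from the slides. Each entry carries the slide's
asset / threat / vulnerability / mitigation fields, and the slide's
R = P * C is evaluated twice: with the raw probability (inherent risk)
and with the probability left under the current mitigation (residual
risk), so threats can be ranked against a "threshold for pain".
Every asset name, probability, factor and cost below is constructed
for illustration, not taken from a real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskStatement:
    asset: str                # What are you trying to protect?
    threat: str               # What are you afraid of happening?
    vulnerability: str        # How could the threat occur?
    mitigation: str           # What is currently reducing the risk?
    probability: float        # P: likelihood per year with no controls, 0..1
    mitigation_factor: float  # share of P the current mitigation removes, 0..1
    cost: float               # C: cost to mend the event if it happens

    def __post_init__(self):
        # Reject inputs that would make R meaningless before they reach a report.
        for name in ("probability", "mitigation_factor"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be within [0, 1], got {value}")
        if self.cost < 0:
            raise ValueError("cost must be non-negative")

    def inherent_risk(self) -> float:
        """R = P * C, giving no credit for existing controls."""
        return self.probability * self.cost

    def residual_probability(self) -> float:
        """'How likely is the threat given the controls?'"""
        return self.probability * (1.0 - self.mitigation_factor)

    def residual_risk(self) -> float:
        """R = P * C with the probability that remains under current controls."""
        return self.residual_probability() * self.cost

    def render(self) -> str:
        """The well-formed risk statement as one reportable sentence."""
        return (f"{self.threat} against {self.asset} via {self.vulnerability}; "
                f"currently mitigated by {self.mitigation}; "
                f"P={self.residual_probability():.2f}, C={self.cost:,.0f}, "
                f"R={self.residual_risk():,.0f}")


def prioritize(register, pain_threshold):
    """Rank entries by residual risk, highest first, and flag those above the
    organisation's pain threshold: the ones that still need a response
    strategy and a remediation plan."""
    ranked = sorted(register, key=lambda r: r.residual_risk(), reverse=True)
    return [(entry, entry.residual_risk() > pain_threshold) for entry in ranked]


# Constructed sample register for the Glenmeade CRM scenario; hypothetical figures.
REGISTER = [
    RiskStatement(
        asset="CRM customer database (PII)",
        threat="privacy breach",
        vulnerability="unauthorized access to customer records through a shared admin login",
        mitigation="individual accounts with access logging",
        probability=0.30, mitigation_factor=0.50, cost=400_000.0),
    RiskStatement(
        asset="CRM system availability",
        threat="outage during a marketing campaign",
        vulnerability="single server with no failover",
        mitigation="nightly backups",
        probability=0.20, mitigation_factor=0.25, cost=50_000.0),
    RiskStatement(
        asset="Tastemasters preference data",
        threat="loss of data ownership",
        vulnerability="third-party ad tracker (Doubleclick type) receives the data",
        mitigation="contract clause only",
        probability=0.10, mitigation_factor=0.10, cost=150_000.0),
]
PAIN_THRESHOLD = 20_000.0  # hypothetical: the expected annual loss management will accept


if __name__ == "__main__":
    for entry, above in prioritize(REGISTER, PAIN_THRESHOLD):
        flag = "ACT" if above else "accept"
        print(f"[{flag}] inherent R={entry.inherent_risk():,.0f}  {entry.render()}")
```

The example models a mitigation as something that lowers P (the slide's "how likely is the threat given the controls?"). A control that instead lowers C, such as backups that cut the cost to mend an outage, belongs on the cost side; keeping the two apart avoids double-counting a control that is claimed on both. Ranking by residual rather than inherent risk is what turns the register into a prioritized threat list, and the pain threshold is the deck's "threshold for pain" made explicit.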
Reference Documents
Publications to help you determine your organization's risk management maturity level include:
- ISO Code of Practice for Information Security Management (ISO 17799), International Organization for Standardization (since renumbered and revised as ISO/IEC 27002)
- Control Objectives for Information and Related Technology (COBIT), IT Governance Institute
- Security Self-Assessment Guide for Information Technology Systems (SP 800-26), National Institute of Standards and Technology (since withdrawn by NIST; its assessment role passed to later SP 800-series guidance)
What's Risk Management?
Formally defined:
"The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets."

More simply put...
"Determine what your risks are and then decide on a course of action to deal with those risks."

Even more colloquially...
What's your threshold for pain?
Do you want failure to deal with this risk to end up on the front page of the Daily Progress?
Risk Management Maturity Assessment (the COBIT maturity scale)
Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized
Risk management: classification
The four application types of the strategic grid (Strategic, High Potential, Key Operational, Support) carry different risk profiles. The slide's figure is labelled "Inherent risks", "Planning needed" and "Can be assessed and predicted", and its cells read:
- Strategic: outcome risk high, operational risk low, process risk low
- High Potential: "What risk?"
- Key Operational: outcome risk low, operational risk high, process risk medium
- Support: outcome risk low, operational risk low, process risk high
Typical concerns

Strategic / High Potential (outcome risks; opportunity and financial risks):
- Lack of strategic framework: poor business understanding
- Conflicts of strategy and problems of coordination
- IT supplier problems
- Poor management of change
- Senior management not involved
- Large and complex projects; too many stakeholders
- Rigid methodology and strict budgetary controls

Key Operational / Support (operational risks; process-based risks):
- Too much faith in the 'technical fix'
- Use of technology for its novelty value
- Poor technical skills in the development team
- Inexperienced staff
- Large and complex projects; too many stakeholders
- Poor testing procedures
- Poor implementation
- Lack of technical standards
Generic CSFs for different applications
(Slide figure: the strategic grid with a Time / Quality / Cost triangle in each quadrant, each weighted differently for Strategic, High Potential, Key Operational and Support applications; the figure also carries the label "R & D projects".)
Risk management: core strategies
As laid out on the slide's grid, each application type pairs with one core strategy:
- Strategic: CONFIGURE
- High Potential: COMMUNICATE
- Key Operational: CONTROL
- Support: CONSTRAIN
Risk management: directions - 1
Strategic / High Potential applications carry business and corporate risks (opportunity and financial risks); Key Operational / Support applications carry operational risks (process-based risks).

The response depends on whether a risk is controllable and whether it is predictable:

                  Predictable                                   Unpredictable
Controllable      No problem: carry out plans                   Practice quick response to manage as events unfold
Uncontrollable    Emphasize forecasting and thus                Develop a contingency planning system
                  "steer around" these events
Risk management: directions - 2
Context-oriented risk assessment links:
- History
- Context (external)
- Context (internal)
- Business processes
- Content
- Risk outcomes
and again maps the grid to risk classes: Strategic / High Potential with business and corporate risks (opportunity and financial risks); Key Operational / Support with operational risks (process-based risks).
Risk Management Practices
Conduct a mission impact analysis and risk assessment to:
1. Identify the various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed, or at least every 3 years
Step 1 - Identify Critical IT Assets
Output: Critical Assets List
ITS-RM Toolbox: 1. criteria 2. template

Step 2 - Assess Risks
For each critical asset:
- Weigh likelihood and impact of threats to each asset
- Prioritize threats
- Select response strategies
- Develop remediation plan
Output: Remediation Plan
ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template & example

Step 3 - Mission Continuity Planning
Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
Outputs: Disaster Recovery Plan; Interim Manual Procedures
ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example

Step 4 - Evaluation and Reassessment
Required at least once every three years
Recommended