
Information Systems Security Risk Management

© G. Dhillon. All Rights Reserved

Alignment: Glenmeade

Vision
- To provide a personalized experience to our customers
- To reach out to the customers and know their preferences, likes and dislikes

Business Objective(s)
- Implement a Customer Relationship Management system; buy a state-of-the-art system
- Develop a Tastemasters program
- Get to the customer directly and most efficiently

Functional objectives, and the programs that flow from them:
- Marketing Objectives: various marketing programs (freebies, sponsorships)
- Ops Objectives: various operations programs (on-time delivery incentives, etc.)
- IT Objectives: various IT programs (new rollouts, system training, IT project management)

Aspiration -> Vision (figure only; the aspiration feeds the vision)

Security is a business enabler

Security allows me to do something I could not do [safely] otherwise, or before:
- Electronic commerce
- Online banking
- Online brokerage

Added value: security is part of the product
- It helps make the sale because of security
- Revenue is generated as a result of security

Security is not the product; it is what allows me to do business.

Business enabler (figure)

Reality

For a range of reasons companies have always been under pressure to cut IT costs, perhaps by outsourcing, and to justify expenses. And when choosing between keeping the "shop running" and securing it, protection mechanisms take a back burner.

Risks: Glenmeade

(The vision, business objectives and marketing/ops/IT programs are the same as on the Alignment slide above.) Overlaid on each layer of that picture are the risks it carries:

- Personal privacy
- Data ownership
- Data flow integrity
- Availability
- ... project risks, system development risks
- Business continuity risks
- Inherent risks (DoubleClick type)

Glenmeade Vision: Risk Management

(Same vision/objectives/programs diagram and the same risk overlay as on the Risks slide: personal privacy, data ownership, data flow integrity, availability, project and system development risks, business continuity risks, inherent DoubleClick-type risks.)

The questions to ask of such a risk:

- What is the probability that personal privacy will be compromised when personally identifiable information is accessed in an unauthorized manner?
- What is the probability of unauthorized access?

Answer

Let's calculate the probability of occurrence of a negative event (a privacy breach or unauthorized access in this case).

What is going to be the cost to mend the privacy breach?

BINGO!!

R = P * C

where R is the risk (the expected loss), P is the probability that the event occurs over the period being assessed, and C is the cost to the business if it does. P is estimated given the controls already in place, and C includes the cost of mending the breach, not only the direct loss.

Communicating Risk

Well-Formed Risk Statement

- Asset: what are you trying to protect?
- Threat: what are you afraid of happening?
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Impact: what is the impact to the business?
- Probability: how likely is the threat given the controls?

Reference Documents

Publications to help you determine your organization's risk management maturity level include:

- ISO Code of Practice for Information Security Management (ISO 17799), International Organization for Standardization (since renumbered as ISO/IEC 27002)
- Control Objectives for Information and Related Technology (CobiT), IT Governance Institute
- Security Self-Assessment Guide for Information Technology Systems (SP 800-26), National Institute of Standards and Technology (since withdrawn; its role is now filled by SP 800-53A)

What’s Risk Management?

Formally defined

“The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value

of the protected assets.”


More simply put…

“Determine what your risks are and then decide on a course of action to deal with those risks.”


Even more colloquially…

What’s your threshold for pain?

Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

Risk Management Maturity Assessment

Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized

Classify

Risk management: classification

Labels on the slide: inherent risks; planning needed; can be assessed and predicted.

The applications portfolio grid (Strategic / High Potential / Key Operational / Support) carries a different risk profile in each quadrant:

- Strategic: Outcome: high, Operational: low, Process: low
- High Potential: "What risk?" (the profile cannot yet be assessed)
- Key Operational: Outcome: low, Operational: high, Process: medium
- Support: Outcome: low, Operational: low, Process: high

Typical concerns

Strategic / High Potential: outcome risks (opportunity and financial risks)
- Lack of strategic framework: poor business understanding
- Conflicts of strategy and problems of coordination
- IT supplier problems
- Poor management of change
- Senior management not involved
- Large and complex projects; too many stakeholders
- Rigid methodology and strict budgetary controls

Key Operational / Support: operational risks (process-based risks)
- Too much faith in the 'technical fix'
- Use of technology for its novelty value
- Poor technical skills in the development team
- Inexperienced staff
- Large and complex projects; too many stakeholders
- Poor testing procedures
- Poor implementation
- Lack of technical standards

Generic CSFs for different applications

(Figure: the Strategic / High Potential / Key Operational / Support grid, with the relative priority of Time, Quality and Cost marked for each quadrant; the High Potential quadrant is treated like R & D projects.)

Risk management: core strategies

- Strategic: CONFIGURE
- High Potential: COMMUNICATE
- Key Operational: CONTROL
- Support: CONSTRAIN

Risk management: directions - 1

Strategic / High Potential: business and corporate risks (opportunity and financial risks)
Key Operational / Support: operational risks (process-based risks)

Risks are then placed on two axes, controllable vs uncontrollable and predictable vs unpredictable, and each cell gets its own direction:

- Controllable and predictable: no problem; carry out plans
- Controllable and unpredictable: practise quick response to manage as events unfold
- Uncontrollable and predictable: emphasise forecasting and thus "steer around" these events
- Uncontrollable and unpredictable: develop a contingency planning system

Risk management: directions - 2

Context-oriented risk assessment (figure): history, external context, internal context and business processes feed the content of the assessment, which yields the risk outcomes. The quadrant view is overlaid as before: Strategic / High Potential carry business and corporate risks (opportunity and financial risks); Key Operational / Support carry operational risks (process-based risks).

Risk Management Practices

Conduct a mission impact analysis and risk assessment to:

1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed, or at least every 3 years

Step 1 - Identify Critical IT Assets
Output: critical assets list
ITS-RM Toolbox: 1. criteria 2. template

Step 2 - Assess Risks
For each critical asset:
- Weigh likelihood and impact of threats to each asset
- Prioritize threats
- Select response strategies
- Develop remediation plan
Output: remediation plan
ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template and example

Step 3 - Mission Continuity Planning
Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
Outputs: disaster recovery plan; interim manual procedures
ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example

Step 4 - Evaluation and Reassessment
Required at least once every three years
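The following is an added worked example, not part of the original slides: it puts the R = P * C rule from the Answer slide, the fields of the well-formed risk statement, and the Step 2 activities (weigh likelihood and impact, prioritize threats, select a response) into one small risk register. The Glenmeade-style assets, probabilities, costs and the proposed control are constructed illustrations, not figures from the deck.

```python
"""Added example (not from the original slides): a small risk register that
applies R = P * C, ranks risks, and tests whether a proposed control pays
for itself. All figures below are constructed illustrations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # what are you trying to protect?
    threat: str         # what are you afraid of happening?
    vulnerability: str  # how could the threat occur?
    mitigation: str     # what is currently reducing the risk?
    probability: float  # P: likelihood of the threat given current controls, 0..1
    cost: float         # C: cost to the business if it happens, incl. cost to mend

    def expected_loss(self) -> float:
        """R = P * C from the Answer slide."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be in [0, 1]")
        return self.probability * self.cost

    def statement(self) -> str:
        """Well-formed risk statement: asset, threat, vulnerability,
        current mitigation, impact (C) and probability (P)."""
        return (f"{self.threat} to {self.asset} via {self.vulnerability}; "
                f"currently mitigated by {self.mitigation}; "
                f"P={self.probability:.2f}, C={self.cost:,.0f}, "
                f"R={self.expected_loss():,.0f}")


def prioritize(risks):
    """Step 2: weigh likelihood and impact, then rank by expected loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def mitigation_worthwhile(risk, new_probability, control_cost):
    """Select a response: a control is worth buying when the reduction in R
    exceeds what the control costs. Returns (net_benefit, worthwhile)."""
    reduced = Risk(risk.asset, risk.threat, risk.vulnerability,
                   "proposed control", new_probability, risk.cost)
    benefit = risk.expected_loss() - reduced.expected_loss()
    return benefit - control_cost, benefit > control_cost


# Constructed Glenmeade-style register (illustrative numbers, not from the slides)
REGISTER = [
    Risk("customer PII in the CRM", "privacy breach",
         "unauthorized access to CRM records", "role-based access control",
         0.10, 500_000),
    Risk("order pipeline", "outage", "single database server fails",
         "nightly backups", 0.30, 80_000),
    Risk("Tastemasters preference data", "tampering",
         "unvalidated imports into preference data", "none", 0.50, 20_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(r.statement())
    # Hypothetical control: cuts P for the privacy breach from 0.10 to 0.02 at a cost of 25,000
    net, ok = mitigation_worthwhile(REGISTER[0], 0.02, 25_000)
    print(f"net benefit of the proposed CRM access control: {net:,.0f} "
          f"-> {'buy' if ok else 'skip'}")
```

Ranking by R rather than by P or C alone is what the deck's Step 2 asks for: the outage is three times as likely as the privacy breach, but the breach still ranks first because its expected loss is larger. The same arithmetic answers the "course of action" question: the hypothetical control removes 40,000 of expected loss for 25,000, so it is worth buying; had it cost 45,000 the register would say skip it and accept the risk.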