WHAT EVERY IT RISK ASSESSMENT SHOULD … EVERY IT RISK ASSESSMENT SHOULD INCLUDE Shawna Flanders ... monitoring and reporting and of course Incident ... SIPOC which document the process

WHAT EVERY IT RISK ASSESSMENT SHOULD INCLUDE

Shawna Flanders CRISC, CISM,

CISA, CSSGB, SSBB

© 2016 MIS Training Institute Holdings, Inc.

All rights reserved.Slide 2

Seminar Logistics

5 minute break each hour

Finish at 3 PM ET, 12 PM PT

Periodic Polling Questions - must answer 90%!

Link to Materials - sent to you 1 hour prior with login

credentials

Content Questions

• Submit to Shawna via chat function

• E-mail [email protected] at the end of the webinar

• Access, Audio or Technical Support

• Submit to MISTI Webinar Series via chat function

Webinar Logistics

mailto:[email protected]



Shawna M Flanders

Senior Instructor for

MIS Training Institute

Technology

Assurance, Security,

Risk and Process

Professional 30+ Years

Background in

Financial Services and

Banking

Live in Florida



Session Overview

Risk Management is the primary process organizations can use to determine their current capability to identify, manage and respond to risk and a properly conducted risk assessment gives organizations the best depiction of their ability to maintain the confidentiality, integrity and availability of their information assets.

• As a result there is increased regulatory pressure from both industry and regulators for organizations to have a solid, demonstrated risk management process. This means asset identification and inventory, vulnerability and threat analysis, control inventory, risk assessment and response, risk monitoring and reporting and of course Incident Response, Business Continuity and Disaster Recovery.

In this session we will explore several of the more common risk assessment/analysis requirements for meeting both regulatory and industry requirements today and in upcoming years.



Agenda

In today’s sessions we will discuss the:

Risk Management Strategy and Program Development

The Risk Universe and it's Key Components

Inherent Risk Concept and Assessment Techniques

Scenario Analysis Development Fundamentals

Regulatory Requirements for Assessments

Conducting a Maturity Assessment (Gap between current and desired state)

Tips to Conducting Third Party Assessments

Risk Response Preparation and Execution Basics

Assessment Follow-up

By the end of today’s presentation attendees will have an additional perspective on the IT Risk Assessment process and some of the more critical components to incorporate into any program.



RISK MANAGEMENT STRATEGY AND

PROGRAM DEVELOPMENT

Effective Governance better ensures Effective Risk Management



Risk Governance

The building blocks of an effective Risk Management

program include:

Senior Management and Board of Director Support

Strong Risk Governance

Strategy Based on Enterprise Objectives



An effective risk strategy:

Considers how risk can impact the achievement of

enterprise objectives

Describes the desired state

Risk Strategy



The Risk Management Program is:

Based on the outcome of the Risk Assessment Process

Is designed to achieve strategy taking us from the current to

desired state

Risk Management Program



RISK UNIVERSE

Examining the Key Components



Risk Universe

The Risk Universe describes all factors that influence the

enterprise that could give rise to risk

The more comprehensive the Risk Universe, the better

starting point the enterprise has for assessing risk

Key to properly defining the complete Risk Universe is

having a comprehensive Asset Inventory

People

Processes

Technology

Information Assets

Intellectual Property (Strong Contracts)

Intangible Assets (Good Will)



The Risk Universe is a living document

A comprehensive Risk Universe considers and documents

possible risks regarding:

Supplier Relationships

Cloud Vendors

System and Hardware Support Vendors

Contractors

Industry

Geopolitical

Regulations and Laws

Enterprise Strategy

Internal Processes

Technology (Legacy, Emerging, Current)

Risk Universe



At least annually the risk team should assess the

completeness of the risk universe

All stakeholders should participate in the data collection

process

Sources to assist in the update process include:

Industry Bulletins

Regulatory Guidance

Services Management System

Change, Release, Incident, Problem Tickets

Asset and Configuration Records

Project Management Documentation

Security Incident Response, BCP, DR Results

Surveys and Interviews

Building and Improving the Risk Universe



INHERENT RISK

Concept and Assessment Techniques



Inherent Risk

Inherent Risk is the risk without taking any controls into

consideration

It’s the risk that is present in the product or service by its

design and intent

It can not be eliminated

It can not be altered through our implementation of

controls

It is the risk we need to acknowledge as probable if the

controls in place do not properly or effectively protect the

asset



Inherent Risk - Strength of Controls = Residual Risk

Management considers the Risk Appetite and Risk

Tolerance in determining whether the Inherent Risk is

something they are willing to accept.

If the Inherent Risk exceeds the appetite and tolerance, the

product will not be purchased, the service will not be offered

or the existing product or service will be sunset

Impact of Inherent Risk on Residual Risk



The Inherent Risk should be calculated and documented

as part of project initiation

Organizations should build an Inherent Risk Calculator to

bring consistency to how Inherent Risk is determined

The FFIEC Cyber Assessment released in 2015 provides

Banks and Credit Unions with a Inherent Risk Profile

Matrix to more easily determine the risk of various banking

products on a consistent basis

Items to consider include Platform, OS, Programming

Language, Number of Connections, Number of Users,

Significance of Regulations and Laws, Complexity of

System, Number of Supporting Vendors, etc.

Determining & Monitoring Inherent Risk



SCENARIO ANALYSIS

Development Fundamentals



Risk Scenarios

Before beginning a Risk Assessment the Risk

Management team must first conduct a Risk Identification

The goal is to define all the assets in the process along

with their threats, vulnerabilities and controls

The process starts with mapping the Enterprise Goals and

Objectives to Critical Business Processes

Next we map Critical Business Processes to Assets that

Support the processes

Then we map Vulnerabilities and Threats to the Assets

Then we map controls to the assets

Finally we determine what is the most probably situation

where a threat could negatively impact a vulnerability

This is the foundation of the Risk Scenario



Risk Scenarios are designed to tell a story and bring

realism to the Risk Assessment Process

The scenario has several parts including:

Actor – Who

Threat Type – What

Event – How/Where

Asset/Resource – What

Timing – When

Significance

Time to Detect

Time to Resolve

Risk Scenario



An external bad actor

Intentionally – Malious

Sent an email containing an exploit to an executive as a

part of a Whale Phishing Attack against an organization

that recently was in the new regarding an incident that

polluted a local stream which invoked a ransomware

attack impacting all the drives the executive had access to

both onsite as well as the cloud provider which housed the

companies board meeting documentation.

Because the executive had excessive access assets

impacted included Outlook, SharePoint, File Share, and

Business Objects as well as the host for the Board

Meeting Minutes

Timing – Friday 8pm, instant discovery, 5 days to restore

Example Scenario



Risk Assessments are most effect if there are a variety of

stakeholders participating in the process from the

business and IT

Before leaving the Identification Phase the team should

determine the team

Using tools such as:

RACI which documents for each major activity who is

accountable, responsible, supportive, consulted and

informed

SIPOC which document the process in 5-7 sub-processes

documenting the suppliers, input, process step description,

output and customer

Ownership and Participation



Which of the following statements best represent a complete

risk scenario?

A. Bad Actor attacked Payroll system on Friday and it was

resolved Monday afternoon

B. Employee accidentally released code before testing

which cause employees to get wrong W2 on 2/1. New

W2’s were sent to correct address 4 days later.

C. Regulation changed but company did not update process

so breach was not communicated until 60 days after

event took place

D. Tornado hit data center at 2pm and team assessed

damage one hour later determining that there was not

structural impact.

Poll #4



Risk Identification

Document Enterprise Objectives

Articulate What Critical Business Processes Are Impacted

By Enterprise Objectives

For Each Critical Business Process Document Its

Associated Assets

For Each Asset that relates’ to a Critical Business Process

document possible Threats and Vulnerabilities

For each Asset document the existing controls in place to

protect the asset

Risk Identification Summary



Risk Identification

Create one or more Complex Risk Scenarios (consider

adding Coinciding and Cascading events) based on the

most probable negative event that could cause a control to

fail

(Risk Scenario = Actor; Threat Type; Event;

Asset/Resource Impacted; Timing)

Update the Risk Assessment with All Scenarios (Risks)

discussed

Risk Identification Summary



RISK ASSESSMENT BASIS

Regulatory Requirements



Risk Assessment Intent

Regulation is a driver for why organizations conduct Risk

Assessments

From PCI to HIPAA, from FFIEC to NERC there is a need

to ensure organizations manage risk effectively

Publicly traded companies need to conduct and report on

risk to meet Rating Agency Requirements

Government Agencies need to conduct risk assessments

to meet FISMA regulations and NIST guidance



The degree of detail and the scope of the assessment

must consider the regulatory requirements which vary by

regulation

Also, the way the assessment is conducted and

documented will also vary. Some of the most common are:

FISMA – RMF

ISO31000

ISO27005

COSO ERM

NIST 800-30; 800-115

ISACA COBIT 5 for Risk

Risk Assessment Depth and Breathe



CONDUCTING A RISK ASSESSMENT

ASSESSMENT

Determining Current Risk



Once the Risk Scenario has been developed and the team

members have been selected it is time to prepare for the

assessment

The first step involves conducting interviews and survey’s

and gathering supporting documentation

Documentation should include:

Data Flow Diagrams; Process Flow Diagrams; Network

Diagrams; Policies, Procedures, Business, Functional and

Technical Specifications, etc.

The Risk Team serves as the facilitator's in the

assessment process

The more knowledgeable of the business process, the better

quality the questions and the more meaningful the

assessment becomes

Risk Analysis Preparation



Before scheduling the Risk Analysis the Risk Team should

develop and distribute a series of open ended questions

that will serve as the basis of the Risk Assessment

Then, with the assessment questions created and

distributed to the team, its time to schedule the

assessment

The Assessment should assess and document:

Known internal and external risk factors

Enterprises Risk Management capabilities to Identify,

Assess and Respond to risk

IT capabilities to meet stakeholder expectations

Risk Analysis



There are three methodologies for conducting the

analysis:

Qualitative – Opinion Dependent / Driven

Quantitative - Data Dependent / Driven

Semi-Quantitative - Combination

Semi-quantitative methodologies are preferred for

conducting the Risk Analysis as these assessments are

more data driven vs. opinion

The analysis should examine the Factors and then assess

the strength of the controls in place; can they adequately

protect the asset.

Conduction substantive testing using techniques including

re-performance and modeling provides greater reliability vs.

compliance testing which validates presence of condition

Risk Analysis



Upon completion of the Analysis it is time to document the

likelihood and impact of the scenario taking place

During the evaluate we focus on the most critical factors

that could give rise to risk which would increase the

probability that the scenario could happen

Next, by determining how often the scenario could occur,

the team then determines it potential impact

Impacts should be calculated regarding:

Productivity

Cost

Legal / Regulatory Penalties

Reputation / Customer Satisfaction

Risk Evaluation



CONDUCTING A MATURITY

ASSESSMENT

Gap between current and desired state



Maturity Assessment

One of the cornerstones of measuring the effectiveness

and efficiency of the risk management program is

conducting annual maturity assessments

There are several tools which are commonly used for such

assessments including:

PAM

CMMI

ISO15504



The first step of the assessment is educating leadership

as to the intent and assessment model to be used

Once that is discussed the risk team gathers

managements’ input into the scale and what additional

company specific criteria needs to be considered in

making the scoring decision as well as any scoping needs

Management will also be asked for a target score which

needs to be in alignment with the Risk Strategy and Risk

Appetite and Tolerance Statements

During the assessment the team will look at each process

under review and from that will give the process a score

from 0 to 5 based on its level of maturity using the

company defined scale

Maturity Assessment



Once the assessment is complete, the team will report the

results back to management for them to work on action

plans

Goal is to move from current state to desired process

The action plan will then be the basis of the corresponding

project that will remediate the gaps identified in the

assessment

Maturity Assessment



TIPS TO CONDUCTING THIRD PARTY

ASSESSMENTS

Dealing with 3rd Party Providers



Reiterating – Focus on Contract documents and third party

assessments

RFP

SOW

Intellectual Property

Café vs. Flat Fees

Non-Disclosure

Receptacle Agreement

SLA

MOU

ISA

Assessments

SSAE16; ROC; etc.

3rd Party Risk Assessments



Risk Assessment

Conduct Risk Analysis of Internal and External Risk

Factors, Risk Management Capability and IT Capability

Assess the strength of the controls in place to ensure they

adequately protect the asset

Perform a Risk Evaluation to Determine Likelihood and

Impact

(Risk Evaluation includes topics like productivity, cost to

recover and legal and regulatory fines)

Verify

Update Risk Register

Risk Assessment Summary



RISK RESPONSE PREPARATION AND

EXECUTION BASICS

Dealing with the Results



The next step is to determine treatment / response

Accept

Mitigate

Transfer / Share

Avoid

If the control effectively safeguards the asset within the

defined Risk Appetite; Risk Acceptance is justified

Otherwise to determine treatment:

Develop a Cost / Benefit Analysis

Develop a Return on Investment

Develop a Business Case with Executive Summary

The Risk Owner (business) will decide treatment

Risk Response



The treatment should be justified and documented in the

risk register

If the treatment is to mitigate, transfer/share or avoid, an

Action Plan should be created by the business owner and

be recorded in the risk register

Once the action plan is completed, each remediation

should be treated as a project

Project schedules should be created and the project

should follow the CDLC including adequate testing and

control baselining

Risk Response



ASSESSMENT FOLLOW-UP

Getting to Residual Risk



The risk team should be a part of the project team

reporting on the status of action plans and ensuring the

activities are moving toward successful completion

Upon project completion and the subsequent risk analysis,

the team will re-assess the residual risk

If now the risk remaining is within Risk Appetite and

Tolerance, management can come to final risk acceptance

Follow-up



Risk Response

Develop Cost Benefit Analysis, Return on Investments and

Business Case to supple remediation recommendations

Determine Risk Treatment based on Risk Appetite and

Tolerance (set by BOD and Exec’s)

(Accept, Mitigate, Transfer/Share, Avoid)

Determine Risk Priority

Senior Business Management Determines Risk Treatment

and Creating the Action Plan

Risk Response Summary



Risk Response

Create Action Plan

Execute Action Plan and Keep Plan Current

Conduct Post Treatment Analysis

Determine Final Risk Acceptance (if now within Risk

Appetite and Risk Tolerance)

Update Risk Register (and Profile if necessary)

Risk Response Summary



ONGOING MONITORING AND

REPORTING

The Living Process



As a precursor to go-live, Key Risk and Key Performance

Indicators should be established with threshold agreed

upon by management

Each control should be baselined by running the control

test immediately upon implementing into production

Trend tracking should also be established along with a

procedure for performing ongoing monitoring and

reporting

Ongoing Monitoring and Reporting



Risk is constantly changing

Controls need to be monitored and adjusted to respond to

those variations

The risk team needs to build a communications plan to

ensure that the right people get the right information in the

right time, using the right format to make key business

decisions

Ongoing Monitoring and Reporting



Risk Monitoring and Reporting

Assist the business in the development of KRI and KPI

Assist the business in the monitoring and reporting of

controls

Repeat steps above when a control goes out of control

Re-preform process at least annually or after significate

change or after outage/incident

Risk Monitoring and Reporting Summary



THE CORRECTIVE CONTROLS TOUR

Incident; Business Continuity, Disaster Recovery



Risk Assessments are considered the preventative

controls

The RM process is designed to Identify, Assess and

Respond to Risk

The output from the Risk Management process becomes

the input to the Business Impact Assessment

Risk Assessment Connection



Once the assessment is complete, critical business

processes and process owners have been identified along

with details regarding the business processes

That data serves as input into the BIA

The BIA team uses that data along with interviews and

workshops to determine the critical inputs and outputs;

resource needs and recovery requirements

Business Impact Assessment



This is considered a part of risk management “Respond”

AIW “Allowable Interruption Window” is determined in the

BIA

The IRP describes in detail how to:

Report

Record

Assign Incident Handler

Triage

Contain

Eradicate

Escalate / Communicate

Conduct Root Cause and Lessons Learned

Incident Response Plan




RTO “Recovery Time Objective” is determined in the BIA

It is the maximum downtime allowed before the process or

service could have a legal or regulatory impact

The BCP is business process specific and describes how

the business will recover if either a system or process has

failed and an alternative method for processing is

temporarily required

The BCP describes:

Recovery Teams

Call Library

Resource Requirements

Business Continuity Plan




RPO “Recovery Point Objective” is determined in the BIA

Amount of data that can be lost without impact to regulations

or laws

This is the IT Side of Resiliency

Backups and their individual recovery procedures are

critical to the success of your DR program

The DR Plan consists of:

DR Dependency Matrix

Recovery Plan for every asset type, application and system

Disaster Recovery Plan



RECAP

A Quick Review



Recap

Risk Management is critical for all organization's today, despite industry

We must understand:

What assets we have

How they are used

How they are protected

What events/incidents could impact their security

How to assess and recovery should these events/incidents occur

Understanding the Enterprise Risk Profile and which factors influence it is critical to managing the risk facing the enterprise and serves as the basis toward meeting out enterprise objectives



Recap – RA Process

Risk Identification Risk Assessment Risk Response Risk Monitoring and

Reporting

Identify the Risk Universe

Internal Risk Factors

External Risk Factors

Identify Business Objectives

Assoc. Business Processes

o Assoc. Assets

Assoc.

Vulnerabilities

Assoc. Threats

Assoc.

Controls

Build Risk Scenarios

Actor

Threat Type

Event

Asset/Resource (s)

Timing

Create Risk Registry Entry

Facilitate Risk Assessment

Risk Analysis

o Internal Risk Factors

o External Risk Factors

o Risk Management

Capability (Identify;

Assess; Respond)

o IT Capability

o Assess Effectiveness

of Current Controls

(Determine Current

State)

Risk Evaluation

o Determine Scenario

Likelihood and Impact

on

Productivity

Cost of

Response

Customer

Satisfaction

Reg/Legal Fines

and Penalties

VALIDATE ASSESSMENT


Create Business Case

Perform Cost / Benefit

Analysis

Determine Return on

Investments

Select Risk Treatment

Accept

Mitigate

Transfer / Share

Avoid

Create Action Plan

(and Project Schedule)


Maintain Risk Register

Conduct Post Treatment Risk

Analysis

Determine Final Risk Acceptance


Build Indicators

KPI

KRI

Monitor Indicators and

Control Testing Results

Report Results to SR.

Management

*Risk/Control Owners

Take Action as Needed*


Update Risk Profile (as

needed)



QUESTIONS / COMMENTS

Other Questions?



LINKS

Where to go for more information!



Privacy and Data Breaches

https://www.privacyrights.org/

Regulations and Privacy Laws

http://www.federalreserve.gov/bankinforeg/reglisting.htm

http://www.informationshield.com/intprivacylaws.html

US CERT

https://www.us-cert.gov/

National Vulnerabilities Database

https://web.nvd.nist.gov/view/vuln/search

NIST Cybersecurity Framework

http://www.nist.gov/cyberframework/

Links

https://www.privacyrights.org/topics/7

http://www.federalreserve.gov/bankinforeg/reglisting.htm

http://www.informationshield.com/intprivacylaws.html

https://www.us-cert.gov/

https://web.nvd.nist.gov/view/vuln/search

http://www.nist.gov/cyberframework/



SEC Documents on Cybersecurity Assessments

http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-

summary.pdf

http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+App

endix+-+4.15.14.pdf

Gartner APT Framework

http://www.networkworld.com/article/2171375/network-security/gartner---five-

styles-of-advanced-threat-defense--can-protect-enterprise-from-targe.html

Breach Laws

http://www.ncsl.org/research/telecommunications-and-information-

technology/security-breach-notification-laws.aspx

Links

http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++&+Appendix+-+4.15.14.pdf

http://www.networkworld.com/article/2171375/network-security/gartner---five-styles-of-advanced-threat-defense--can-protect-enterprise-from-targe.html

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx



KPI's

http://www.smartkpis.com/

http://www.shopify.com/blog/7365564-32-key-performance-indicators-kpis-for-

ecommerce

http://kpilibrary.com/topics/not-smart-but-smarter

KRI's

http://www.coso.org/documents/COSOKRIPaperFull-

FINALforWebPostingDec110_000.pdf

https://www.ior-institute.org/sound-practice-guidance/key-risk-indicators

KGI's

http://hci-itil.com/COBIT/CO/definitions/KGI.html

Links

http://www.smartkpis.com/

http://www.shopify.com/blog/7365564-32-key-performance-indicators-kpis-for-ecommerce

http://kpilibrary.com/topics/not-smart-but-smarter

http://www.coso.org/documents/COSOKRIPaperFull-FINALforWebPostingDec110_000.pdf

https://www.ior-institute.org/sound-practice-guidance/key-risk-indicators

http://hci-itil.com/COBIT/CO/definitions/KGI.html



Hardening Guidelines

Contains security configuration checklists http://checklists.nist.gov/

Another source for configurations http://iase.disa.mil/stigs/Pages/index.aspx

Guide for Security Focused Configuration Management of Information Systems

http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf

Other Helpful Sites

Health and Human Resources

http://www.hhs.gov/

Homeland Security

http://www.dhs.gov/

Links

http://checklists.nist.gov/

http://iase.disa.mil/stigs/Pages/index.aspx

http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf

http://www.hhs.gov/

http://www.dhs.gov/



National Vulnerabilities Database

https://cve.mitre.org/

https://nvd.nist.gov/full_listing.cfm

Controls Listing

https://web.nvd.nist.gov/view/800-53/home

SANS Top 20

https://www.sans.org/critical-security-controls/

PCI 3.1

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

SSAE16

http://resource.onlinetech.com/soc-1-soc-2-soc-3-report-comparison/

Links

https://cve.mitre.org/

https://nvd.nist.gov/full_listing.cfm

https://web.nvd.nist.gov/view/800-53/home

https://www.sans.org/critical-security-controls/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

http://resource.onlinetech.com/soc-1-soc-2-soc-3-report-comparison/



Incident Response

http://www.cert.org/incident-management/products-services/creating-a-

csirt.cfm?

ISO31000 & 31004 Risk

http://www.praxiom.com/iso-31000.htm

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnum

ber=56610

Cert Secure Coding eNewsletter

http://www.cert.org/secure-coding/publications/secure-coding-

enewsletter.cfm

Separation of Duties

http://www.sans.edu/research/security-laboratory/article/it-separation-duties

http://www.bdoconsulting.com/resources/thought-

leaders/SegDutiesChecklist-19.pdf

http://www.isaca.org/Journal/Past-Issues/2009/Volume-5/Pages/A-Risk-

based-Approach-to-Segregation-of-Duties1.aspx

Links

http://www.cert.org/incident-management/products-services/creating-a-csirt.cfm

http://www.praxiom.com/iso-31000.htm

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56610

http://www.cert.org/secure-coding/publications/secure-coding-enewsletter.cfm

http://www.sans.edu/research/security-laboratory/article/it-separation-duties

http://www.bdoconsulting.com/resources/thought-leaders/SegDutiesChecklist-19.pdf

http://www.isaca.org/Journal/Past-Issues/2009/Volume-5/Pages/A-Risk-based-Approach-to-Segregation-of-Duties1.aspx



THANK YOU!!

Shawna M. Flanders CRISC, CISM, CISA,

CSSGB, SSBB

Business – Technology Guidance Associates, LLC.

[email protected]

www.bustechga.com

Please complete the survey following this

webinar!

mailto:[email protected]

http://www.bustechga.com/