A Balancing Act Between Risk Appetite and Risk

A Balancing Act Between Risk Appetite and Risk Tolerance Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell Duong-Van Director, Strategic Marketing Bind. View Corporation

IT Risk Analysis and Management Threat Vulnerability Impacts Risk Analysis Risk Management Countermeasures

Detail of IT risk RISK Compliance: Vulnerability: Am I meeting Regulatory requirements? What is the exposure to my systems? Identity: Configuration: Do my users have appropriate rights? Are my systems configured securely? • • Servers OS Data Infrastructure Security • • Users Groups Directory Access Control

Return on Security Investment Purchase Cost Life Expectanc y Annual Maintenan ce Annual Cost Risk of deployment Effectivene ss ROSI Door Lock $50 10 $0 $5 Low High Deadbolt $50 10 $0 $5 Low High Window Bars $2000 10 $0 $20 Med Med $100 NA $300 Low Med Security Fence $3000 10 $120 $310 Med High Med Guard Dog $2000 6 $4000 $1000 High Low Armed Guard $0 NA $30, 000 Low High Low Alarm

Compliance and Cost • Achieve compliance through improved productivity and efficiency – Point B – Replace manual methods with automated processes to reduce Compliance Risk – Organizations with limited resources operate more efficiently • Maintain your compliance level but with greatly reduced cost – Point C – Reduce Compliance spending – Redirect savings to other compliance efforts • The reality is that you will experience a combination of B & C Compliance Risk Optimizing Compliance C Optimized Experience A B Cost Current Experience

Ideal Compliance Monitoring

Breadth of Coverage Across IT Stack CIA – Confidentiality – Integrity – Availability Maximize CIA throughout the whole IT Stack Prioritize sections of the stack that pose higher risk Evaluate best of breed vs. integrated solutions

Changing Concerns IT Stack Time Investment 2004 2005 10% 30% 20% 30% 10% 20% 5% 25% 5%

Risk Management process 1. Scope definition – Determine processes and risks to be evaluated 2. Process Walkthrough – Step through the processes to validate them against their goals 3. Risk Assessment – Execute the processes in the context of risks to be evaluated 4. Control identification and evaluation – – Document IT controls and supplemental manual controls Document risks identified by these controls 5. Residual risk assessment – – Provide a residual risk assessment for each process Provide recommendations for remediation

Risk Management Deliverables 1. Process and sub-process maps – Clearly document the business processes within the engagement boundary definition; 2. Business process automation recommendations – Definition of the process, objectives, threats and controls at a detailed level 3. Risk and control matrix – For each process a summary of • risk assessments, • control ratings and determination of • residual risk level 4. Recommendations – – Short, medium and long-term remediation plan Prioritize remediation efforts

Risk reduction solutions Define Compliance Officer IT Operations & Security & Help Desk (compliance) (configuration) (vulnerability) (identity management) • Create policy • Maintain policy • Enforce Policy • Evaluate against Policy • Evaluate against policy • Maintain gold standards • Evaluate against policy • Evaluate against known threats • Administer according to policy • Evaluate against policy • Report • Remediate • Report • Risk Analysis Remediate • Remediate Policy Management Product • Content • Workflow • Document Management • Link to evidence Configuration Management Product • Link to Policy • Gold Standards • Baselines • Trending • Patch Management • Alerting • Remediation • Audit Security Management Product • Link to Policy • Gold Standards • Baselines • Trending • Vulnerability Assessment • Intrusion Prevention • Security event Management • Audit Identity Management Product • Synchronize identities • Manage Access Control • Manage directories and OS • Password Management • Authentication • Security event Management • Audit Evaluate Remediate Sample Solution