A Balancing Act Between Risk Appetite and Risk Tolerance
Federal Information Systems Security Educators’ Association Conference, March 2005
Ezra Cornell Duong-Van, Director, Strategic Marketing, BindView Corporation
Dec 25, 2015
IT Risk Analysis and Management

[Diagram: Threat, Vulnerability and Impacts combine into Risks, which are addressed by Countermeasures. The arrow from threats, vulnerabilities and impacts to risks is labelled Risk Analysis; the arrow from risks to countermeasures is labelled Risk Management.]
Detail of IT risk

Security risk breaks down into four questions:
• Configuration: Are my systems configured securely?
• Vulnerability: What is the exposure of my systems?
• Compliance: Am I meeting regulatory requirements?
• Identity: Do my users have appropriate rights?

Assets in scope: servers, OS, data, infrastructure; users, groups, directory, access control.
Return on Security Investment

Countermeasure   Purchase Cost  Life Expectancy  Annual Maintenance  Annual Cost  Risk of Deployment  Effectiveness  ROSI
Door Lock        $50            10               $0                  $5           Low                 Low            High
Deadbolt         $50            10               $0                  $5           Low                 Low            High
Window Bars      $2000          10               $0                  $20          Med                 Med            Med
Alarm            $100           NA               $300                $300         Low                 Med            Med
Security Fence   $3000          10               $120                $310         Med                 High           Med
Guard Dog        $2000          6                $4000               $1000        High                High           Low
Armed Guard      $0             NA               $30,000             $30,000      Low                 High           Low
Compliance and Cost

• Achieve compliance through improved productivity and efficiency (Point B)
  – Replace manual methods with automated processes to reduce compliance risk
  – Organizations with limited resources operate more efficiently
• Maintain your compliance level but with greatly reduced cost (Point C)
  – Reduce compliance spending
  – Redirect savings to other compliance efforts
• The reality is that you will experience a combination of B & C

[Chart "Optimizing Compliance": Cost plotted against Compliance Risk, with point A marking the Current Experience and points B and C marking the Optimized Experience.]
6
Frameworks Internal PoliciesRegulations
DITSCAPNIST ISO 17799BusinessProcess
INTERNAL
Mandates Mandates Mandates Mandates Mandates
Policy & IT Controls
Best Practices
Mandates
HR
Task 1…
Task 2…
Task 3…
Task 4...
Acctg.
Task 1…
Task 2…
Task 3…
Task 4...
IT Group 1
Task 1…
Task 2…
Task 3…
Task 4...
IT Group 2
Task 1…
Task 2…
Task 3…
Task 4...
3
1
43
5
ConsolidateResultsGenerate
Reports
Generated departmental task lists
Tracked Worklists
IT Task - Databases
IT Task - Users
IT Task - Applications
IT Task - Servers
Select appropriate internal best practices and external compliance mandates
GAPAnalysis
Mo
nito
r
Exec Audit IT Other
Ideal Compliance MonitoringIdeal Compliance Monitoring
Breadth of Coverage Across IT Stack

• CIA – Confidentiality, Integrity, Availability
• Maximize CIA throughout the whole IT stack
• Prioritize sections of the stack that pose higher risk
• Evaluate best of breed vs. integrated solutions
Changing Concerns

[Chart: time investment per layer of the IT stack, 2004 vs. 2005. The layer labels did not survive extraction; the values, top to bottom, are 10% → 30%, 20% → 30%, 10% → 20%, 5% → 10%, 20% → 5%, 25% → 5%.]
Risk Management process

1. Scope definition – Determine processes and risks to be evaluated
2. Process walkthrough – Step through the processes to validate them against their goals
3. Risk assessment – Execute the processes in the context of risks to be evaluated
4. Control identification and evaluation – Document IT controls and supplemental manual controls; document risks identified by these controls
5. Residual risk assessment – Provide a residual risk assessment for each process; provide recommendations for remediation
Risk Management Deliverables

1. Process and sub-process maps – Clearly document the business processes within the engagement boundary definition
2. Business process automation recommendations – Definition of the process, objectives, threats and controls at a detailed level
3. Risk and control matrix – For each process, a summary of risk assessments, control ratings and the determination of residual risk level
4. Recommendations – Short-, medium- and long-term remediation plan; prioritize remediation efforts
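The IT risk analysis slide (threat, vulnerability and impact combining into risk, with countermeasures reducing it) and deliverables 3 and 4 (the risk and control matrix, residual risk level and prioritized remediation plan) describe the same computation from two angles. The following is an added example, written for this page and not BindView's or the presenter's method; the 1-5 scales, the likelihood x impact score, the multiplicative treatment of control effectiveness, the level thresholds and the three sample processes are all assumptions chosen for illustration.

```python
"""Risk and control matrix with residual-risk determination.

Added example, not the deck's or BindView's method: the 1-5 scales, the
likelihood x impact score, multiplicative control effectiveness and the
level thresholds are all assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str             # "IT" (automated) or "manual" (supplemental), as in process step 4
    effectiveness: float  # fraction of inherent risk the control removes, 0.0-1.0 (assumed scale)


@dataclass
class ProcessRisk:
    process: str
    threat: str
    vulnerability: str
    likelihood: int       # 1-5: how likely the threat exploits the vulnerability
    impact: int           # 1-5: business impact if it does
    controls: list = field(default_factory=list)


# Upper bounds of a 1-25 score for each risk level (assumed thresholds)
LEVEL_BOUNDS = ((5, "Low"), (12, "Medium"), (25, "High"))


def inherent_score(risk):
    """Risk before controls: the threat/vulnerability likelihood times impact."""
    return risk.likelihood * risk.impact


def combined_effectiveness(controls):
    """Treat controls as independent: what survives is the product of what each lets through."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining


def control_rating(controls):
    eff = combined_effectiveness(controls)
    if eff >= 0.75:
        return "Strong"
    return "Adequate" if eff >= 0.40 else "Weak"


def residual_score(risk):
    """Risk left after the documented controls (countermeasures) are applied."""
    return inherent_score(risk) * (1.0 - combined_effectiveness(risk.controls))


def level(score):
    for bound, name in LEVEL_BOUNDS:
        if score <= bound:
            return name
    return "High"


def build_matrix(risks):
    """One row per process: risk assessment, control rating, residual risk level."""
    return [{
        "process": r.process,
        "threat": r.threat,
        "vulnerability": r.vulnerability,
        "inherent": inherent_score(r),
        "controls": [f"{c.name} ({c.kind})" for c in r.controls],
        "control_rating": control_rating(r.controls),
        "residual": round(residual_score(r), 2),
        "residual_level": level(residual_score(r)),
    } for r in risks]


def remediation_plan(matrix):
    """Highest residual risk first, bucketed into short/medium/long-term horizons."""
    horizon = {"High": "short-term", "Medium": "medium-term", "Low": "long-term"}
    ordered = sorted(matrix, key=lambda row: row["residual"], reverse=True)
    return [{"process": row["process"], "residual_level": row["residual_level"],
             "horizon": horizon[row["residual_level"]]} for row in ordered]


# Constructed sample input: hypothetical processes, not taken from the deck
SAMPLE_RISKS = [
    ProcessRisk("Payroll changes", "Fraudulent change of bank details",
                "No segregation of duties", likelihood=4, impact=5,
                controls=[Control("Supervisor review of changes", "manual", 0.5)]),
    ProcessRisk("Server patching", "Exploitation of a known flaw",
                "Patches applied late or not at all", likelihood=4, impact=4,
                controls=[Control("Automated patch management", "IT", 0.7),
                          Control("Weekly vulnerability scan", "IT", 0.5)]),
    ProcessRisk("Account deprovisioning", "Former employee retains access",
                "No leaver workflow", likelihood=5, impact=3),
]

if __name__ == "__main__":
    for row in build_matrix(SAMPLE_RISKS) + remediation_plan(build_matrix(SAMPLE_RISKS)):
        print(row)
```

With the sample input, the uncontrolled deprovisioning process keeps its full inherent score (15, High) and lands in the short-term bucket, the payroll process is halved by its single manual control (10, Medium), and the patching process with two overlapping IT controls drops to 2.4 (Low). The multiplicative combination is deliberate: two controls of 0.7 and 0.5 remove 85% of the risk, not 120%, which is the trap an additive scheme falls into.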
Risk reduction solutions

Compliance Officer (compliance)
• Define: Create policy, maintain policy, enforce policy
• Evaluate: Evaluate against policy
• Remediate: Report
• Sample solution: Policy Management Product – content, workflow, document management, link to evidence

IT Operations (configuration)
• Define: Enforce policy
• Evaluate: Evaluate against policy; maintain gold standards
• Remediate: Remediate, report, risk analysis
• Sample solution: Configuration Management Product – link to policy, gold standards, baselines, trending, patch management, alerting, remediation, audit

IT Operations & Security (vulnerability)
• Define: Enforce policy
• Evaluate: Evaluate against policy; evaluate against known threats
• Remediate: Remediate
• Sample solution: Security Management Product – link to policy, gold standards, baselines, trending, vulnerability assessment, intrusion prevention, security event management, audit

Security & Help Desk (identity management)
• Define: Enforce policy
• Evaluate: Administer according to policy; evaluate against policy
• Remediate: Remediate
• Sample solution: Identity Management Product – synchronize identities, manage access control, manage directories and OS, password management, authentication, security event management, audit
Ezra Cornell Duong-Van, Director, Strategic Marketing
BindView Corporation
713-561-4274

Contact BindView
General Sales: 1-800-813-5869
John Balena, Federal Sales
Phone: 713-561-4109