A Balancing Act Between Risk Appetite and Risk Tolerance
Federal Information Systems Security Educators’ Association Conference, March 2005
Ezra Cornell Duong-Van, Director, Strategic Marketing, BindView Corporation

Page 2: IT Risk Analysis and Management

Diagram elements: Threat, Vulnerability and Impacts combine into Risks; Risk Analysis and Risk Management lead to Countermeasures.

Page 3: Detail of IT risk

• Configuration: Are my systems configured securely?
• Vulnerability: What is the exposure to my systems?
• Compliance: Am I meeting regulatory requirements?
• Identity: Do my users have appropriate rights?

Assets in scope (diagram labels): Servers, OS, Data, Infrastructure; Users, Groups, Directory, Access Control. Centre of the diagram: RISK / Security.

Page 4: Return on Security Investment

Countermeasure   Purchase Cost  Life Expectancy  Annual Maintenance  Annual Cost  Risk of deployment  Effectiveness  ROSI
Door Lock        $50            10               $0                  $5           Low                 Low            High
Deadbolt         $50            10               $0                  $5           Low                 Low            High
Window Bars      $2000          10               $0                  $20          Med                 Med            Med
Alarm            $100           NA               $300                $300         Low                 Med            Med
Security Fence   $3000          10               $120                $310         Med                 High           Med
Guard Dog        $2000          6                $4000               $1000        High                High           Low
Armed Guard      $0             NA               $30,000             $30,000      Low                 High           Low

Page 5: Compliance and Cost

• Achieve compliance through improved productivity and efficiency – Point B
  – Replace manual methods with automated processes to reduce compliance risk
  – Organizations with limited resources operate more efficiently
• Maintain your compliance level but with greatly reduced cost – Point C
  – Reduce compliance spending
  – Redirect savings to other compliance efforts
• The reality is that you will experience a combination of B & C

Chart "Optimizing Compliance": Cost plotted against Compliance Risk, with points A, B and C and the labels Current Experience and Optimized Experience.

Page 6: Ideal Compliance Monitoring

Diagram: Frameworks (DITSCAP, NIST, ISO 17799), Internal Policies (business process, internal) and Regulations each produce Mandates, which feed Policy & IT Controls and Best Practices. The monitoring flow shown (steps 1–5):
• Select appropriate internal best practices and external compliance mandates
• Generated departmental task lists (HR, Acctg., IT Group 1, IT Group 2; each with Task 1…, Task 2…, Task 3…, Task 4...)
• Tracked worklists (IT Task - Databases, IT Task - Users, IT Task - Applications, IT Task - Servers)
• GAP analysis, consolidate results, monitor
• Generate reports for Exec, Audit, IT, Other

Page 7: Breadth of Coverage Across IT Stack

• CIA – Confidentiality, Integrity, Availability
• Maximize CIA throughout the whole IT stack
• Prioritize sections of the stack that pose higher risk
• Evaluate best of breed vs. integrated solutions

Page 8: Changing Concerns

Chart: Time Investment per IT Stack layer, 2004 vs. 2005 (the layer labels did not survive extraction; rows listed in chart order):
2004  2005
10%   30%
20%   30%
10%   20%
5%    10%
20%   5%
25%   5%

Page 9: Risk Management process

1. Scope definition – Determine processes and risks to be evaluated
2. Process walkthrough – Step through the processes to validate them against their goals
3. Risk assessment – Execute the processes in the context of risks to be evaluated
4. Control identification and evaluation
   – Document IT controls and supplemental manual controls
   – Document risks identified by these controls
5. Residual risk assessment
   – Provide a residual risk assessment for each process
   – Provide recommendations for remediation

Page 10: Risk Management Deliverables

1. Process and sub-process maps
   – Clearly document the business processes within the engagement boundary definition
2. Business process automation recommendations
   – Definition of the process, objectives, threats and controls at a detailed level
3. Risk and control matrix – For each process a summary of
   • risk assessments,
   • control ratings and determination of
   • residual risk level
4. Recommendations
   – Short, medium and long-term remediation plan
   – Prioritize remediation efforts

Page 11: Risk reduction solutions

Compliance Officer (compliance)
• Define: Create policy, Maintain policy, Enforce policy
• Evaluate: Evaluate against policy
• Remediate: Report
• Sample solution – Policy Management Product: Content, Workflow, Document Management, Link to evidence

IT Operations (configuration)
• Define: Enforce policy
• Evaluate: Evaluate against policy, Maintain gold standards
• Remediate: Remediate, Report, Risk analysis
• Sample solution – Configuration Management Product: Link to Policy, Gold Standards, Baselines, Trending, Patch Management, Alerting, Remediation, Audit

IT Operations & Security (vulnerability)
• Define: Enforce policy
• Evaluate: Evaluate against policy, Evaluate against known threats
• Remediate: Remediate
• Sample solution – Security Management Product: Link to Policy, Gold Standards, Baselines, Trending, Vulnerability Assessment, Intrusion Prevention, Security Event Management, Audit

Security & Help Desk (identity management)
• Define: Enforce policy
• Evaluate: Administer according to policy, Evaluate against policy
• Remediate: Remediate
• Sample solution – Identity Management Product: Synchronize identities, Manage Access Control, Manage directories and OS, Password Management, Authentication, Security Event Management, Audit

Page 12: Contact

Ezra Cornell Duong-Van, Director, Strategic Marketing
BindView Corporation
[email protected]
713-561-4274

Page 13: Contact BindView

General Sales: 1-800-813-5869
[email protected]

John Balena, Federal Sales
[email protected]
Phone: 713-561-4109