Enterprise Solutions: Operational Resilience, InfoSec, Manufacturing. RiskView® Business Risk Analytics. Evan Birkhead, Business Development, evan.birkhead@rev2.com, (908) 910-6988

Dec 18, 2015


Eugene Price
Page 1: Enterprise Solutions Operational Resilience, InfoSec, Manufacturing RiskView® Business Risk Analytics Date Evan Birkhead Business Development evan.birkhead@rev2.com.

Enterprise Solutions
Operational Resilience, InfoSec, Manufacturing

RiskView® Business Risk Analytics

Evan Birkhead
Business Development
evan.birkhead@rev2.com
(908) 910-6988


Value Proposition

Our RiskView® Risk Concentration Analysis™ framework offers the ability to identify, quantify, and compare vulnerabilities throughout an organization.

RiskView identifies the materiality of risks according to their potential impact on business performance, helping our customers to prioritize and schedule risk mitigation, business process automation, problem resolution, resource allocation and overall spending.

RiskView measures risks in terms of their Financial, Reputational, Legal and Regulatory impact.

RiskView outcomes typically include:
• Reduced operational risk profile
• Reduced OpEx
• Improved customer experience
• Competitive advantage


Rev2 is a rapidly growing Business Risk Analytics™ provider focused on delivering solutions that improve business performance.


Overview

Executive summary
• Low-footprint SaaS solution -or- on-premise solution, customer choice
• Monthly subscription service includes professional analytics, visualization, periodic reports, maintenance

Primary differentiators
• Risk Concentration Analysis™ identifies hidden risks
• Enables prioritization of most material risks

Capitalization
• Employee owned
• ARRIS investment and board members

Selected verticals

Key Rev2 Personnel

Robert Cruickshank, CEO
• VP Customer Service Ops Center, Cablevision
• ARRIS, C-Cor, Stargus, TWC RR
• Led CableLabs DOCSIS development

Evan Birkhead, Business Services
• Micromuse (IBM), OneOps, Quantiva

Sanjay Subramanian, Technical Services
• NetOps, Micromuse, IBM Tivoli

Scott Stansbury, Field Services
• IBM Global Network, IBM HPCC, NYSERnet, NSFnet

Harry Ulmer, Reporting Services
• Burroughs, GE, SNMP Workshop


Core Verticals

Highly Available Enterprise Solutions

… RiskView is a business risk analytics solution that identifies the business materiality of those events that would be the most impactful to your operational performance.

Cable & Service Provider Outage Solutions

… RiskView is an outage risk analytics solution that helps you drive down costs and improve your customer’s experience by delivering the capability to move from a reactive, point-in-time view of data to an over-time, cross-silo view of performance metrics.


RiskView Architecture


Risk Management Landscape

No direct competitors; risk data typically analyzed via MS Excel spreadsheets

Across verticals, RiskView can collect data from:
• GRC (EMC/Archer, LockPath)
• Reporting (Crystal, SAS, etc.)
• Security Performance (McAfee, Clearpoint Metrics, Core Security, nCircle)

RiskView value proposition vs. competitors:
• Collects risk data across the enterprise, shows multiple views of risk concentrations: geography, data center, business function, etc.
• Scores every risk based on its business materiality, taking into account the importance of the business asset adversely impacted
• Identifies risks in the context of other risks, as opposed to looking at risks in isolation
• Customers improve spending efficiencies and customer-facing performance; lower their business-wide risk profile; and position their business for competitive advantage


RiskView for Operational Resilience


SunGard R3 Solution

The Power of RiskView, R3 & CERT-RMM

Shows you how to do it… The CERT-RMM is a process improvement approach for driving operational resilience and remediating exposures.

26 Process Areas for Improvement

Shows you what to do… The SunGard proprietary R3 framework provides the tools and methodology for enabling operational resilience.

Enabling Technology & Services

Shows you where to focus… The RiskView visualization tool provides the analytical representation of risk concentration and where best to focus resources.

Risk Visualization


Operational Resilience – Challenges and Benefits

Organizations often struggle with:
• Meeting business and compliance requirements
• Ever increasing costs
• Breakdown in key processes
• Understanding and measuring resilience

An Operational Resilience program can:
• Lower or eliminate redundancy and cost by optimizing between protection and sustainability strategies
• Lower operational risks with an enterprise focus
• Improve processes that are measurable and manageable – and therefore make them more effective!


R3 Framework

SunGard’s approach to delivering services to our clients which reduce Risk while enhancing Recoverability and thereby improving Resilience

Drives the creation and delivery of SunGard Availability Services Consulting solutions

Built upon the foundation of the Carnegie Mellon Resilience Management Model (CERT-RMM)


Methodology in Action – The Process

Collect Data
• Export data from plans in LDRPS
• Perform BDNA asset scan and export results
• Perform Nessus vulnerability scan and export results

Map & Import Data
• Normalize and validate source data
• Run adapters to populate RiskView

Develop Risk Profiles
• Build and refine formulas to calculate concentration of risk

Evolve Data
• Analyze & represent data in various views (business function, location, processes, etc.)
• Identify gaps in BC/DR plans and testing
• Perform what if analysis on identified risks

Rollout Results
• Review results to determine focus and priority of resilience spending
• Develop actionable roadmap to quantifiably reduce risk exposure


The outliers represent the most material risks.

RiskView Demo


Remedy & RiskView – An Ideal Complement

Remedy
• Tracking of incident responses and service desk performance that require immediate attention.
• Automates processes, policies and tasks, with a focus on real-time business services.
• Asset and software license lifecycle and compliance management.

RiskView
• Historical analytics determines materiality of each incident for prioritization.
• Identifies risk concentrations in processes, geographies, departments, products, etc.
• Correlation of Remedy incident data with enterprise-wide data ascertains risks to the overall business.


Remedy Case Study

“It is stunning to cut our outage impact in half.”

RiskView outage risk analytics of Remedy data identifies previously unrecognized outage risks underlying the service delivery infrastructure.
• Remedy tickets (excluding service requests) are analyzed and assigned an incident materiality score, which measures each incident’s client impact.
• Scoring identifies potential areas of customer impact based on chronic and intermittent faults.
• Measurements include: Duration, Affected System, Service Criticality, Number of Affected Users.
• Data can be viewed by: Service, Vendor, Resolution Type, Business Unit, Time of Day.

Experienced “impressive” declines in:
• Materiality from a decrease in the number of incidents/month.
• Decrease in the average materiality score of incidents that occur.

Additional returns:
• Freed up cycles for the Ops team, 2nd/3rd level support.

Critical to the Result: A tiger team was assigned to focus on the most material issues.

RiskView resulted in 50% reduction in customer service incident materiality in under one year.


RiskView for InfoSec


Highly extensible platform for fact-based, scalable, repeatable risk management decisions.

DATA SOURCES
- NETWORK & CONFIG SCANS, SIEM
- COMPLIANCE
- PEN TESTING
- DB PROTECTION
- SECURE CODE
- BEHAVIORAL ANALYSIS

ANALYSIS & REPORTING
- PRIORITIZE MATERIAL VULNERABILITIES
- CREATE RISK MITIGATION PLAN & CONTROLS FOCUS
- BUSINESS CASE GENERATION FOR MITIGATION ACTIVITIES

RISKVIEW ADAPTERS
COLLECTION & ABSTRACTION

Quantifiable business justification, demonstrable & immediate ROI

RiskView Architecture - InfoSec


The Business Problem We Solve

• Behavioral Analysis: Mazu, ArcSight
• Pen Testing: White Hat
• Config Scans: Symantec, Cisco
• Network Scans: McAfee Vulnerability Mgr, Nessus, Qualys, IBM/ISS
• Secure Code: Fortify, Veracode
• DB Protection: AppSec, SPI Dynamics, HP
• Compliance Surveys: Archer, Qualys
• SIEM: Archer, Tivoli, IBM/ISS, CA, Cisco, etc.

"What's most important in each area?"

"What's most critical across all?"

"How do I fix?"

• Trouble tickets
• Alarms
• Performance Data
• Billing data
• Service data
• Financial data


McAfee & RiskView – An Ideal Complement

The RiskView “Materiality Score” prioritizes enterprise-wide risks based on:
• Exploitability: The probability that a vulnerability might be taken advantage of.
• Susceptibility: The probability that the business might be affected.
• Impact: How critical an event might be to the business.

MVM/MRA
• Focus on technology-based vulnerability and threats.
• Proactively correlates a threat feed with vulnerability and countermeasure information to pinpoint at-risk critical assets that require immediate attention.
• Actionable data to secure the enterprise.

RiskView
• Correlation of MVM/MRA vulnerability data with enterprise-wide data to ascertain risks to the overall business.
• Identifies risk concentrations in processes, geographies, departments, products, etc.
• Determines materiality of each vulnerability for prioritization.


Typical RiskView Install Data Points

Benefits & Take-aways
• Total Risk: Determined organization’s greatest risk = InfoSec
• CIA Model: Determined outliers = Confidentiality
• Confidentiality: Determined IIE greatest vulnerability
• Resolution: Drilled down to repair information
• Total Risk of 11,000 vulnerabilities prioritized into 176 manageable risk mitigation items
• Prioritized risk mitigation steps, Improved performance of the business as it relates to security management.


Manufacturing


RiskView Architecture – Manufacturing

Highly extensible platform for fact-based, scalable, repeatable risk management decisions.

MANUFACTURING DATA SOURCES
- EXCEL, CLARITY
- BUGZILLA, RATIONAL
- ORACLE, SAP
- MS PROJECT
- SALES/FIN SYSTEMS

ANALYSIS
- SUPPLY CHAIN INTERRUPTION
- LOSS OF FACILITIES
- CUSTOMER, COMPETITOR & MARKET RISK
- OPERATIONS ISSUES
- PROCESS GAPS & CHANGES
- ETC.

RISKVIEW ADAPTERS
COLLECTION & ABSTRACTION

Quantifiable business justification, demonstrable & immediate ROI


Vulnerability Scores

A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.

Normalized data supports a fact-based, scalable, repeatable process.

Normalized Data

The issue:
• Risks are measured differently
• How to compare them?

The Solution:
• Create a normalized risk score
• Score based on materiality of adverse business impact

Different Impacts

The issue:
• Risks have different impacts
• How to evaluate risk types?

The Solution:
• Score vulnerabilities on the type of risk they present
• Differentiate financial, legal, regulatory, and reputational risks

Asset Roles

The issue:
• Risk impact varies based on where it occurs
• How to recognize differences?

The Solution:
• Score impact based on the specific asset at risk
• Recognize differences in asset value


Pre and Post Testing

RiskView filters let users evaluate risk controls before and after they are implemented.

Pre Test

Answer questions such as…
• How will the control impact risk?
• What controls reduce risk most?
• Which control has a better return?
• What controls in what order?

Post Test

Answer questions such as…
• Were my controls effective?
• How much risk was reduced?
• What risks were avoided?
• What was the business value?

Track progress and trends over time.


Outliers Represent the Most Material Risk

22

Represents 24% of total risk


Risks Ranked By Impact


Methodology

Process
• Risk Identified by Function
• Cause(s) Creating Risk Identified
• External Influences of Risk ID’d
• Susceptibility to Risk ID’d
• $ Impact of Realized Risk
• Data Collected via Automated Survey
• Risk and Cause Ranked
• Risk-weighted $ value relevant to other risks

Example Sales Analysis
• Changing Customer Demands
• % of Submissions Not Meeting Margin Requirements Due to Customer Demands
• Importance of Customer to Region
• Regional Margin $ by BU
• Survey Issued
• Data Imported into RiskView
• Margin Erosion


Thank you!