ISE® West Executive Forum and Awards Nominee Showcase Presentation
August 10, 2011
Company Name: Kaiser Permanente
Project/Presentation Name: Operational Risk Management
Presenter: Richard Seiersen
Presenter Title: Security Principal
ISE West Executive Forum and Awards 2010 - Nominee Showcase Presentation 1
Company Overview
• Managed Health Care
• Founded in 1945
• 8.7 million Members
• 167,300 Employees
• 14,600 Doctors
• $42 Billion Annual Revenue
• Largest Private Electronic Medical Records Program
Presentation/Project Overview
• ORM Explained
• Program Evolution
• Rules Framework
• ROI Use Case
[Diagram: Assets, Threats, Vulnerabilities, Mitigation; Expand Remediation Downward; Expand Mitigation Upwards; Exceptions]
Overview of Business Challenge
• Information Silos
An information silo is a management system incapable of reciprocal operation with other, related management systems. (Wikipedia article on information silos)
• Size Mismatch
• Confusion: “What is this ORM & why?”
“All evolution in thought and conduct must at first appear as heresy and misconduct.” (George Bernard Shaw)
The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. (Wikipedia article on ORM)
Project/Program Scope/Goals
• Dimensionally model the “Assessment and Response” security domain as our data layer.
  – Over 30 ETL Jobs moving data daily
  – Several hundred million rows of risk data in play
  – Several connected data marts heading towards an enterprise security data warehouse
• Use custom tools and GRC to report and act on risk.
  – Develop custom applications with GRC
  – Integrate enterprise security solutions like McAfee MRA and others.
  – Create custom visualizations to motivate executive action.
Project/Program Results
• Ability to Prioritize Actionable Security Risk
  – Example: Subset with Critical Assets and Critical Vulns
  – Example: Same Subset with Critical Assets, Exploitable Vulns and Mitigations
  – Example: Major Data Flows
  – Example: PCI Estimated $1 Million ROI
    – QSA put unusually large remediation requirement forward
    – ORM Integrations revealed cross departmental PCI impacting mitigations
    – ORM Integrations also applied risk analysis to reduce scope based on actual exploitability.
    – QSA accepted results reducing remediation scope by 57%
[Figure: Subset Of Most Critical Assets With Vulns. Bubble chart; x axis: Mean Exploitable Vulns Per Server (1.0 to 4.0); y axis: Business Impact Scale (1.0 to 2.5); bubble size: servers (4 to 100); one labelled bubble per application]
[Figure: Subset of Most Critical Assets, Exploitable Vulns with Mitigations. Same axes; bubble size: servers (1 to 64); legend label: mit]
[Figure: Major Data Flows. Labels: Data Flows; Determine Mitigation State; Required Update To Fix]
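The prioritisation behind these results joins three silos (asset inventory with business impact, scan findings with an exploitability flag, and mitigation records from other departments) and keeps only exploitable, unmitigated findings. The following is an added illustration of that join, not code from Kaiser Permanente's program; the data shapes, the hypothetical hosts and applications, and the impact x exploitability priority score are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the deck): (host, application, business_impact 1.0-4.0)
ASSETS = [
    ("web01", "app-A", 4.0), ("web02", "app-A", 4.0),
    ("db01", "app-B", 2.5),
    ("batch01", "app-C", 1.0), ("batch02", "app-C", 1.0),
]
# Constructed scan findings: (host, vuln_id, exploitable). "orphan01" is absent from the inventory.
FINDINGS = [
    ("web01", "V-1", True), ("web01", "V-2", False),
    ("web02", "V-1", True), ("web02", "V-3", True),
    ("db01", "V-4", True), ("db01", "V-5", True),
    ("batch01", "V-6", False), ("batch02", "V-7", True),
    ("orphan01", "V-8", True),
]
# Constructed mitigations recorded by another department: (host, vuln_id) covered by a control.
MITIGATIONS = {("web02", "V-3"), ("db01", "V-4")}

def exploitable_per_app(assets, findings, mitigations):
    """Join the three silos. Returns ({app: (impact, mean_exploitable_per_server, servers)}, orphans)
    where orphans lists findings whose host is missing from the asset inventory."""
    host_app = {host: app for host, app, _ in assets}
    impact = {app: score for _, app, score in assets}
    servers = defaultdict(int)
    for _, app, _ in assets:
        servers[app] += 1
    exploitable = defaultdict(int)
    orphans = []
    for host, vuln_id, is_exploitable in findings:
        if host not in host_app:
            orphans.append((host, vuln_id))  # silo gap: the scanner knows a host the inventory does not
            continue
        if is_exploitable and (host, vuln_id) not in mitigations:
            exploitable[host_app[host]] += 1
    rows = {app: (impact[app], exploitable[app] / servers[app], servers[app]) for app in servers}
    return rows, orphans

def scope_reduction(findings, mitigations):
    """Share of raw findings dropped from the remediation scope once only exploitable,
    unmitigated findings are kept (the mechanism behind the slide's 57% PCI example)."""
    actionable = [f for f in findings if f[2] and (f[0], f[1]) not in mitigations]
    return 1 - len(actionable) / len(findings)

def prioritized(assets, findings, mitigations):
    """Applications ordered by business impact x mean exploitable vulns per server (assumed score)."""
    rows, _ = exploitable_per_app(assets, findings, mitigations)
    return sorted(rows, key=lambda app: rows[app][0] * rows[app][1], reverse=True)
```

The two axes returned per application are the ones plotted in the bubble charts above; the orphan list is the kind of inventory gap the "information silos" challenge refers to.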
Lessons Learned/Best Practices
• Building teams around siloed technology needs to be re-examined
• Understand that if you are innovating – you will have resistance. Have a solid strategy to address challenges.
• If your program will have a modicum of custom development, reduce variability by standardizing where possible.
• Security is traditionally a cost center, look for opportunities to prove ROI.
• “Build it and they will come”.