Reducing the Costs and Uncertainties of IT Security Risk Management - PowerPoint PPT Presentation
1
Reducing the Costs and Uncertainties of IT
Security Risk Management
  • Jim Hurley

2
Agenda
  • IT risk management
  • Success criteria and industry results
  • Define, control and govern
  • Summary
  • Questions

3
IT risk management
4
Why Risk Management?
  • A fundamental IT governance activity
  • Identifies the big gotchas before they occur
  • Prioritizes actions, budgets and resources
  • Keeps the organization ahead of changing
    conditions

Chart: occurrence rates plotted against financial consequences
5
Value of Risk Management
  • Risk management ranks second, after the management
    of data and knowledge, among Proficient organizations
Chart: ranking of practices (procedures; data and knowledge management; organizational structure and strategy; technology; training and accountability; risk management)
N = 876
Source: Security Compliance Council, 2006
6
Domains of IT Risk Management
Diagram: IT sits between "Master Complexity" and "Manage Risks"
7
Business and IT Risks
  • Online fraud
  • Natural disasters
  • Data losses
  • Malicious threats
  • Regulatory non-compliance
  • Human errors
  • Security breaches
  • Application outages
  • IP leakage
Diagram labels: interactions, information, infrastructure
8
What to do about IT Risks?
  • Transfer IT risks to a third party (insurer)?
    • Appropriate for financial instruments
    • Not sufficient by itself for managing IT risks
  • Ignore IT risks?
    • May be appropriate for some IT risks
    • But how do you know which to ignore?
  • Manage the risks!
    • How do we do this?

Diagram: risk assessment
9
Risk Assessment (Step 1)
  • What kind of risk or threat is it?
  • What happens when it strikes?
  • What's the full impact before normal operation can be
    resumed?
  • How often does it recur?
  • What are the legal requirements?
  • What are the compliance mandates?
  • How does this relate to our policies and our
    missions?

10
Risk Assessment (Step 1)
  • Assert
    • Occurrences
    • Financial impacts
  • Measurements
    • Gross first, then fine-tune
  • IT culture clash: precision gets in the way at
    this point in the exercise

Chart: normal distribution of occurrences against financial impact
11
Risk Analysis (Step 2)
  • Threat occurrence rates
  • Financial consequences

Chart: occurrence rates (vertical) against financial consequences (horizontal), with the quadrants labelled "Does not happen in our lifetime" (low occurrence), "Does not matter" (low consequence) and "Must correct?" (high occurrence, high consequence)
12
Risk Analysis (Step 2)
  • Cost to remediate
  • Financial consequences

Chart: cost to remediate (vertical, low cost to high cost) against financial consequences (horizontal, up to high impact), with the low-impact region labelled "Does not matter"
13
Risk Prioritization Step 3
14
Reducing costs and uncertainties
  • Application of the three-step risk management
    process
  • 1) assessment
  • 2) analysis
  • 3) prioritization
  • Eliminates
  • Low risk areas
  • Low incident-rate threats
  • Enables focus on return and policy
  • If asserted, MUST be measured - later
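
The three steps above, carried through on constructed figures as an added worked example. This is not the presenter's tool or the Security Compliance Council's method: the cut-offs for "does not happen in our lifetime" and "does not matter", the mandate override, the sample register and the return-on-fix ranking are all assumptions chosen to illustrate the two grids on the previous slides.

```python
"""Assess, analyse, prioritise: the three-step process on constructed data.
Added illustration; the thresholds, the scoring rule and all figures are
assumptions, not the presenter's numbers."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    occurrences_per_year: float  # Step 1: how often it recurs (a gross estimate is fine)
    impact_per_event: float      # Step 1: full financial impact until normal resumes
    remediation_cost: float      # Step 2: one-off cost to correct
    mandated: bool = False       # Step 1: a legal or compliance mandate forces correction


# Assumed cut-offs for the Step 2 grids; tune them to your own risk appetite.
LIFETIME_YEARS = 30.0   # rarer than 1 in LIFETIME_YEARS: "does not happen in our lifetime"
MATERIALITY = 10_000.0  # annualised loss below this: "does not matter"


def annual_loss(risk: Risk) -> float:
    """Occurrence rate times financial consequence: the gross figure the
    slides ask for before anyone argues about decimal places."""
    return risk.occurrences_per_year * risk.impact_per_event


def classify(risk: Risk) -> str:
    """Step 2: place the risk on the occurrence/consequence and
    cost/consequence grids and return the quadrant it lands in."""
    if risk.mandated:
        return "must correct: mandated"
    if risk.occurrences_per_year < 1.0 / LIFETIME_YEARS:
        return "ignore: not in our lifetime"
    loss = annual_loss(risk)
    if loss < MATERIALITY:
        return "ignore: does not matter"
    if risk.remediation_cost > loss:
        return "review: high cost relative to impact"
    return "must correct: remediation pays back within a year"


def prioritize(risks: list[Risk]) -> list[str]:
    """Step 3: rank what survives Step 2. Mandated items first (policy),
    then by annual loss avoided per unit of remediation spend (return)."""
    keep = [r for r in risks if classify(r).startswith("must correct")]

    def rank(r: Risk) -> tuple[bool, float]:
        return (r.mandated, annual_loss(r) / max(r.remediation_cost, 1.0))

    return [r.name for r in sorted(keep, key=rank, reverse=True)]


# Constructed register; the names and figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Laptop with customer data lost", 4.0, 50_000.0, 60_000.0),
    Risk("Data centre destroyed by meteorite", 1e-6, 50_000_000.0, 2_000_000.0),
    Risk("Web application outage from misconfiguration", 12.0, 500.0, 20_000.0),
    Risk("Database breach via weak access control", 0.5, 1_000_000.0, 100_000.0),
    Risk("Regulatory fine for retention failure", 0.2, 300_000.0, 400_000.0, mandated=True),
]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:48} ALE={annual_loss(r):>12,.0f}  {classify(r)}")
    print("Priority order:", prioritize(SAMPLE_RISKS))
```

Two of the five constructed risks are eliminated by Step 2 (one too rare, one too cheap to matter), one is parked for review because fixing it costs more than a year of expected loss, and the remaining two are ordered by return on the fix; the mandated item jumps the queue regardless of its economics, which is the "policy" half of "focus on return and policy". The cut-offs are the part to argue about with the business, not the decimal places of the inputs.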

15
Success Criteria Industry Results
16
Risk and Compliance Challenges
  • Risk & compliance are often managed as separate
    activities
  • Responsibility is scattered across the organization
    (finance, legal, business units, HR, IT)
  • Compliance is often treated as a one-time event to pass
    an audit
  • Growing number of regulations & mandates
  • Increasing cost & complexity to demonstrate and
    sustain compliance
  • Infrastructure threats are often not well
    understood by senior managers
    • Must be translated into business impact

17
Most Pressing Mandates
  • Data, data and more data
    • Increase of 31% since 2004
  • Sarbanes-Oxley
    • Decrease of 21% since 2004

Chart: number of organizations citing each mandate
  • GLBA
  • SOX
  • FISMA
  • HIPAA
  • Basel
  • Data retention, destruction and legal discovery
  • Data protection and privacy
  • PCI DSS

N = 1,060
Source: Security Compliance Council, 2006
18
Performance results, 1H 2006
  • Results
    • Compliance deficiencies that had to be remediated
      to pass audit
    • IT security events that resulted in financial
      harm
  • Normal distribution

Chart: number of IT-based compliance deficiencies and IT security events that resulted in financial harm, by tier. Proficient: less than 3; Norm: 3 to 15; Novices: more than 15. Values shown: 11.7, 19.7 and 68.6 (presumably percent of organizations; which tier each value belongs to is not recoverable from the transcript).
N = 1,060
Source: Security Compliance Council, 2006
19
Government compliance performance results
  • Better than the commercial sector!
    • Fewer novices
    • Fewer at the norm
    • More are among the proficient

Novices: average of 35 deficiencies
Norm: between 3 and 15 deficiencies
Proficient: less than 3 deficiencies
1,060 organizations, commercial and government (±3% error)
120 government agencies (±8.5% error)
20
Government by size of budget
  • Results differ by overall budget
    • Small budget: less than 50 million
    • Midsize budget: 50 million to 999 million
    • Large budget: 1 billion or more
  • Government has more at the Norm among midsize and small agencies
  • Government has more Proficient among small and large agencies
  • Government has more Novices among midsize and large agencies

Chart: ranking (1, 2, 3) of Novices (average 35), Norm (between 3 and 15) and Proficient (less than 3) within each budget size; the bar values are not recoverable from the transcript.
1,060 organizations, commercial and government (±3% error)
120 government agencies (±8.5% error)
Source: Security Compliance Council, 2006
21
Top 10 actions of the best performers
  1. Documented business procedures, IT assets and IT controls
  2. Changed business procedures to comply
  3. Automated monitoring and reporting
  4. Automated IT configuration and control management
  5. Increased the frequency of measurement and reporting
  6. Automated IT controls and procedures
  7. Changed IT security policies and procedures to comply
  8. Segmented access to sensitive customer data
  9. Delivered training and accountability to employees
  10. Documented IT security policies, procedures and standards
1,060 organizations, commercial and government (±3% error)
120 government agencies (±8.5% error)
Source: Security Compliance Council, 2006
22
Top 10 IT compliance deficiencies
  • Contribution of IT security: 7 of the top 10!

  1. Documentation
  2. Access controls: PCs, laptops, mobile devices
  3. Configuration and controls / change management
  4. Access controls: users, applications and systems
  5. Audit, measurement and reporting
  5. Access controls: databases (tied)
  7. IT security policies, standards and procedures
  8. Access controls: information and data
  9. Business continuity
  10. Data archive and management
N = 520 organizations
Source: Security Compliance Council, 2006
23
E&Y: Ongoing SOX 404 Strategies, Year 2
  • 76% are employing control self-assessment (CSA) to
    support ongoing SOX 404 compliance
  • One third are employing data analytics
  • Nearly one third are employing IT-based
    continuous controls monitoring (CCM)

Chart: share employing control self-assessment, analytics, IT-based continuous controls monitoring, and other
Source: Emerging Trends in Internal Controls, Ernst & Young, 2005
24
PROOF: more frequent measurement, better results
  • 100% of Proficient government agencies measure at
    least once per month
  • 97% of Proficient commercial firms measure at
    least once per month
  • 80% of Novice government agencies measure once
    annually or less frequently
  • 74% of Novice commercial firms measure once
    annually or less frequently

Chart: measurement frequency by tier (Novices: average 35; Norm: between 3 and 15; Proficient: less than 3)
1,060 organizations, commercial and government (±3% error)
120 government agencies (±8.5% error)
Source: Security Compliance Council, 2006
25
COSTS: labor hours
  • Proficient firms
    • Spend 32.7% of IT time on compliance
    • 680 person-hours per person, per year
  • Novice firms
    • Spend 21.5% of IT time on compliance
    • 447 person-hours per person, per year

Source: Security Compliance Council, 2006
N = 876
26
COSTS: spend on IT security
  • Spend on IT security as a percentage of IT budget
    • Novice firms: mean spend 6.4% of IT budget
    • Norm: mean spend 7.2% of IT budget
    • Proficient firms: mean spend 10.4% of IT budget

N = 1,060
Source: Security Compliance Council, 2006
27
IMPROVE: reallocate spend on IT security
  • Labor costs are nearly constant (2% increase)
  • Outside services spend declines by 11%
  • Automation (equipment and software) spend
    increases by 9%

Chart: IT security spend allocation, split between employee labor, contract labor and outside services, and software and equipment
N = 520
Source: Security Compliance Council, 2006
28
Improve automation
Diagram: Define (risks, policies, subjects, objects), Control and Govern, fed by rules, standards, frameworks and regulatory mandates on one side and by application and transaction logs and IT security logs on the other
29
Success Criteria
  • Manage risk & compliance as ongoing processes
  • Institute cross-organizational alignment
  • Implement key IT controls to support business
    operations, not just compliance
  • Increase the frequency of internal IT audits and
    IT security measurements
  • Automate for consistency & efficiency

30
Define, control and govern
31
Continuous improvement
Diagram: Define, Control and Govern as a continuous-improvement cycle
Define
  • Risk approach to policies & controls
  • Translate policies, regulations & mandates into
    actionable processes
Control
  • Implement & enforce controls
  • Assess & sustain compliance
Govern
  • Demonstrate due care
  • Audit, monitor & measure
  • Remediate
  • Retain evidence

32
Define
33
Map
Create
Distribute
Prove
34
Control
35
Implement & Enforce IT Policies
  • Permit: permit compliant systems; quarantine non-compliant ones
  • Protect: block external malware; prevent user misconfigurations
  • Restrict: limit access to data; virtualize guest sessions
36
Control Compliance Suite
Assess IT Compliance
37
Govern
38
Identify
Review
Respond
39
Report IT Compliance
40
Report IT Control Effectiveness
  • Security threats, vulnerabilities, incidents,
    policy deviations

41
Retain Evidence
  • Collect store logs
  • Analyze to aid investigation
  • Manage archived content

42
Summary
43
Summary
  • Manage IT risk & compliance as ongoing processes
  • Implement the three-step risk management process
  • Institute cross-organizational alignment
  • Benchmark your results to improve results
  • Implement key IT controls to support business
    operations
    • Not just against compliance and technology
      policies
  • Manage the define, control and govern process
  • Reallocate spend
  • Use automation to improve scope and effectiveness

44
Questions