Title: Reducing the Costs and Uncertainties of IT Security Risk Management
Slide 1: Reducing the Costs and Uncertainties of IT Security Risk Management
Slide 2: Agenda
- IT risk management
- Success criteria and industry results
- Define, control and govern
- Summary
- Questions
Slide 3: IT risk management
Slide 4: Why Risk Management?
- A fundamental IT governance activity
- Identifies the big gotchas before they occur
- Prioritizes actions, budgets and resources
- Keeps the organization ahead of changing conditions
[Chart: occurrence rates vs. financial consequences]
Slide 5: Value of Risk Management
- Risk management ranks #2, after the management of data and knowledge, among Proficient organizations
[Chart: ranking of procedures, data and knowledge management, organizational structure and strategy, technology, training and accountability, and risk management]
N = 876
Source: Security Compliance Council, 2006
Slide 6: Domains of IT Risk Management
[Diagram: master complexity, manage IT risks]
Slide 7: Business and IT Risks
[Diagram: risks spread across interactions, information and infrastructure]
- Online fraud
- Natural disasters
- Data losses
- Malicious threats
- Regulatory non-compliance
- Human errors
- Security breaches
- Application outages
- IP leakage
Slide 8: What to do about IT Risks?
- Transfer IT risks to a third party (insurer)?
  - Appropriate for financial instruments
  - Not sufficient by itself for managing IT risks
- Ignore IT risks?
  - May be appropriate for some IT risks
  - But how do you know which to ignore?
- Manage the risks!
  - How do we do this? Risk assessment
Slide 9: Risk Assessment (Step 1)
- What kind of risk or threat is it?
- What happens when it strikes?
- What's the full impact before normal operations can be resumed?
- How often does it recur?
- What are the legal requirements?
- What are the compliance mandates?
- How does this relate to our policies and our missions?
Slide 10: Risk Assessment (Step 1)
- Assert
  - Occurrences
  - Financial impacts
- Measurements
  - Gross first, then fine-tune
  - IT culture clash: precision gets in the way at this point in the exercise
[Chart: normal distribution of occurrences against financial impact]
Slide 11: Risk Analysis (Step 2)
- Threat occurrence rates
- Financial consequences
[Chart: occurrence rates vs. financial consequences, with regions labelled "Does not happen in our lifetime", "Does not matter" and "Must correct?"]
Slide 12: Risk Analysis (Step 2)
- Cost to remediate
- Financial consequences
[Chart: cost to remediate (low cost to high cost) vs. financial consequences (up to high impact), with a "Does not matter" region]
Slide 13: Risk Prioritization (Step 3)
Slide 14: Reducing costs and uncertainties
- Application of the three-step risk management process
  - 1) assessment
  - 2) analysis
  - 3) prioritization
- Eliminates
  - Low risk areas
  - Low incident-rate threats
- Enables focus on return and policy
- If asserted, MUST be measured (later)
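As an added example that is not part of the deck, the three steps (assert occurrences and impacts, analyse against the two charts, prioritize) run over a constructed risk register in Python; the two cut-off constants and every figure in the register are assumptions, and the final function shows the "must be measured later" step replacing an asserted rate with a measured one.

```python
"""Assess, analyse and prioritise a constructed IT risk register (illustrative, not survey data)."""
from dataclasses import dataclass, replace

# Assumed cut-offs (not from the deck): below the rate a threat "does not happen in our
# lifetime", below the impact it "does not matter". Tune both to your own risk appetite.
MIN_OCCURRENCES_PER_YEAR = 0.02   # less than once in 50 years
MIN_FINANCIAL_IMPACT = 10_000.0   # per occurrence, in currency units

@dataclass(frozen=True)
class Risk:
    name: str
    occurrences_per_year: float   # step 1: asserted occurrence rate (a gross estimate is fine)
    financial_impact: float       # step 1: asserted cost of one occurrence
    cost_to_remediate: float      # step 2: cost of the control that would address it

def expected_annual_loss(risk: Risk) -> float:
    """Occurrence rate times financial consequence: what the step-2 chart compares."""
    return risk.occurrences_per_year * risk.financial_impact

def analyse(risk: Risk) -> str:
    """Step 2: place the risk in the occurrence-rate / financial-consequence regions."""
    if risk.occurrences_per_year < MIN_OCCURRENCES_PER_YEAR:
        return "does not happen in our lifetime"
    if risk.financial_impact < MIN_FINANCIAL_IMPACT:
        return "does not matter"
    return "must correct"

def prioritise(register: list[Risk]) -> list[Risk]:
    """Step 3: drop eliminated risks, rank the rest by loss avoided per unit of remediation cost."""
    kept = [r for r in register if analyse(r) == "must correct"]
    return sorted(kept, key=lambda r: expected_annual_loss(r) / r.cost_to_remediate, reverse=True)

def measured(risk: Risk, incidents: int, months: int) -> Risk:
    """Replace an asserted occurrence rate with one measured from `months` of incident records."""
    return replace(risk, occurrences_per_year=incidents * 12 / months)

# Constructed register using the risk categories from slide 7; the numbers are made up.
REGISTER = [
    Risk("Online fraud", 12, 25_000, 150_000),
    Risk("Data loss (lost laptop with customer data)", 4, 80_000, 60_000),
    Risk("Natural disaster (data-centre flood)", 0.01, 5_000_000, 2_000_000),
    Risk("Human error (typo in a config file)", 200, 500, 20_000),
    Risk("Application outage", 6, 40_000, 300_000),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        ratio = expected_annual_loss(r) / r.cost_to_remediate
        print(f"{r.name:45} EAL={expected_annual_loss(r):>10,.0f}  return per unit spent={ratio:.2f}")
```

The flood and the config typo drop out before any ranking, which is exactly the "low incident-rate" and "low risk" elimination the slide describes; the remaining three are ordered by how much expected loss each remediation unit buys back.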
Slide 15: Success Criteria and Industry Results
Slide 16: Risk and Compliance Challenges
- Risk and compliance are often managed as separate activities
- Responsibility scattered across the organization (finance, legal, business units, HR, IT)
- Compliance often treated as a one-time event to pass audit
- Growing number of regulations and mandates
- Increasing cost and complexity to demonstrate and sustain compliance
- Infrastructure threats are often not well understood by senior managers
  - Must be translated to business impact
Slide 17: Most Pressing Mandates
- Data, data and more data
  - Increase of 31% since 2004
- Sarbanes-Oxley
  - Decrease of 21% since 2004
- Basel
- Data retention, destruction and legal discovery
- Data protection and privacy
- PCI DSS
[Chart: organizations citing each mandate]
N = 1,060
Source: Security Compliance Council, 2006
Slide 18: Performance results, 1H 2006
- Results
  - Compliance deficiencies that had to be remediated to pass audit
  - IT security events that resulted in financial harm
  - Normal distribution
[Chart: number of IT-based compliance deficiencies and IT security events that result in financial harm, by organization: Proficient (less than 3), Norm (3 to 15), Novices (more than 15); segments of 11.7%, 19.7% and 68.6%]
N = 1,060
Source: Security Compliance Council, 2006
Slide 19: Government compliance performance results
- Better than the commercial sector!
  - Fewer novices
  - Fewer at the norm
  - More are among the proficient
[Chart: Novices (average of 35 deficiencies), Norm (between 3 and 15 deficiencies), Proficient (less than 3 deficiencies)]
1,060 organizations, commercial and government (+/- 3% error)
120 government agencies (+/- 8.5% error)
Slide 20: Government by size of budget
- Results differ by overall budget
  - Small budget: less than 50 million
  - Midsize budget: 50 million to 999 million
  - Large budget: 1 billion or more
- Government: more at the Norm among midsize and small budgets
- Government: more Proficient among small and large budgets
- Government: more Novices among midsize and large budgets
[Chart: Novices (average of 35), Norm (between 3 and 15), Proficient (less than 3), by budget size]
1,060 organizations, commercial and government (+/- 3% error)
120 government agencies (+/- 8.5% error)
Source: Security Compliance Council, 2006
Slide 21: Top 10 actions of the best performers
- Documented business procedures, IT assets and IT controls
- Changed business procedures to comply
- Automated monitoring and reporting
- Automated IT configuration and control management
- Increased the frequency of measurement and reporting
- Automated IT controls and procedures
- Changed IT security policies and procedures to comply
- Segmented access to sensitive customer data
- Delivered training and accountability to employees
- Documented IT security policies, procedures and standards
1,060 organizations, commercial and government (+/- 3% error)
120 government agencies (+/- 8.5% error)
Source: Security Compliance Council, 2006
Slide 22: Top 10 IT compliance deficiencies
- Contribution of IT security: 7 of the top 10!
1. Documentation
2. Access controls - PCs, laptops, mobile devices
3. Configuration and controls change management
4. Access controls - users, applications and systems
5. Audit, measurement and reporting
5. Access controls - databases
7. IT security policies, standards and procedures
8. Access controls - information and data
9. Business continuity
10. Data archive and management
N = 520 organizations
Source: Security Compliance Council, 2006
Slide 23: EY Ongoing SOX 404 Strategies, Year 2
- 76% employing control self-assessment (CSA) to support ongoing SOX 404 compliance
- One third are employing data analytics
- Nearly one third are employing IT-based continuous controls monitoring (CCM)
[Chart: control self-assessment, analytics, IT-based continuous controls monitoring, other]
Source: Emerging Trends in Internal Controls, Ernst & Young, 2005
Slide 24: PROOF: frequency of measurement and better results
- 100% of Proficient government agencies measure at least once per month
- 97% of Proficient commercial firms measure at least once per month
- 80% of Novice government agencies measure once annually or less frequently
- 74% of Novice commercial firms measure once annually or less frequently
[Chart: Novices (average of 35), Norm (between 3 and 15), Proficient (less than 3)]
1,060 organizations, commercial and government (+/- 3% error)
120 government agencies (+/- 8.5% error)
Source: Security Compliance Council, 2006
Slide 25: COSTS: labor hours
- Proficient firms
  - Spend 32.7% of the time in IT on compliance
  - 680 person-hours per person, per year
- Novice firms
  - Spend 21.5% of the time in IT on compliance
  - 447 person-hours per person, per year
N = 876
Source: Security Compliance Council, 2006
Slide 26: COSTS: spend on IT security
- Spend on IT security as a percentage of IT budget
  - Novice firms: mean spend 6.4% of IT budget
  - Norm: mean spend 7.2% of IT budget
  - Proficient firms: mean spend 10.4% of IT budget
N = 1,060
Source: Security Compliance Council, 2006
Slide 27: IMPROVE: reallocate spend on IT security
- Labor costs are nearly constant (2% increase)
- Outside services spend declines by 11%
- Automation (equipment and software) spend increases by 9%
[Chart: IT security spend allocation across employee labor, contract labor and outside services, and software and equipment]
N = 520
Source: Security Compliance Council, 2006
Slide 28: Improve automation
[Diagram: Define (risks, policies, subjects, objects), Control and Govern, fed by rules, standards, frameworks and regulatory mandates, application and transaction logs, and IT security logs]
Slide 29: Success Criteria
- Manage risk and compliance as ongoing processes
- Institute cross-organizational alignment
- Implement key IT controls to support business operations, not just compliance
- Increase the frequency of internal IT audits and IT security measurements
- Automate for consistency and efficiency
Slide 30: Define, control and govern
Slide 31: Continuous improvement
[Diagram: Define, Control and Govern as a continuous improvement cycle]
- Define
  - Risk approach to policies and controls
  - Translate policies, regulations and mandates into actionable processes
- Control
  - Implement and enforce controls
  - Assess and sustain compliance
- Govern
  - Demonstrate due care
  - Audit, monitor and measure
  - Remediate
  - Retain evidence
Slide 32: Define
Slide 33: Map, Create, Distribute, Prove
Slide 34: Control
Slide 35: Implement and Enforce IT Policies
- Permit: permit compliant systems, quarantine non-compliant ones
- Protect: block external malware, prevent user misconfigurations
- Restrict: limit access to data, virtualize guest sessions
Slide 36: Control Compliance Suite
Assess IT Compliance
Slide 37: Govern
Slide 38: Identify, Review, Respond
Slide 39: Report IT Compliance
Slide 40: Report IT Control Effectiveness
- Security threats, vulnerabilities, incidents, policy deviations
Slide 41: Retain Evidence
- Collect and store logs
- Analyze to aid investigation
- Manage archived content
Slide 42: Summary
Slide 43: Summary
- Manage IT risk and compliance as ongoing processes
- Implement the three-step risk management process
- Institute cross-organizational alignment
- Benchmark your results to improve them
- Implement key IT controls to support business operations
  - Not just against compliance and technology policies
- Manage the define, control and govern process
- Reallocate spend
- Use automation to improve scope and effectiveness
Slide 44: Questions