Page 1: ENTERPRISE RISK MANAGEMENT

Bobby Singh, Director, Information Security & Risk Management, Rogers Communications Inc.

Moderator: Illena Armstrong, editor-in-chief, SC Magazine

Posted on 19-Dec-2015

Page 2: Objectives of this session

• Understand current risk challenges and roadblocks affecting risk management
• How to manage Information Security
• Overview of an Information Security Risk Management Lifecycle
• Overview of Risk Assessment Methodology
• Walk through of Risk Process Flows and the Use of Technology

Page 3: Why is risk difficult to manage?

• There is no single, common definition of what “risk” is or means. Risk means different things to different groups, with little to no alignment or mapping between them (e.g. credit risk, market risk, insurance risk, operational risk, security risk, health risk, hazard risks, etc.).
• There is no common or defined method and approach for managing risk. Risk identification is complex, and managing risk is even more complex.
• A unified approach (reducing complexity) to operational risk and security risk has numerous benefits and efficiencies, but the road to get there is not simple.
• Risk management is often performed in silos (especially security risk management).

Page 4:

• Lack of clear, well-defined business objectives
• Lack of established governance
• Lack of effective follow-up and tools
• Lack of accountability
• Lack of risk definitions
• Lack of common understanding in managing risks
• Lack of standardized risk management approach / method

Page 5:

Challenges

Solutions

Page 6:

Security Metrics - Program Framework, KRIs, KPIs

(Diagram of the security program framework; the boxes shown are listed below.)

• Security Governance
• Security Controls
• Security Services
• Strategic Planning
• Legal & Regulatory Compliance
• Security in Enterprise Architecture
• Risk Assessment
• Access Controls (IAM)
• Audit
• Compliance
• Process & Procedures
• Risk Treatment
• Governance Exceptions
• I & IT Asset Management
• Service Architecture
• Security Management Metrics (how well security is managed)
• Security Posture Metrics (how well security is being implemented)
• Security Risk Management Processes
• Incident Management (ESPIM)
• Anti-Virus
• Vulnerability & Patch Management
• Cryptographic Controls
• Monitoring
• Configuration Management
• ISMS Program/Plan
• eHO Service Definitions
• Service Classifications
• Third Party Contracts & Agreements
• Security Awareness & Training
• Key Risk Indicator Groups (KRIs)
• Key Performance Indicator Groups (KPIs)
• Change Management
• Network Security
• Application Security
• HR On Boarding & Exiting
• Physical & Environmental
• Security Within the PLC and DLC

Page 7: Benefits

The benefits of the security metrics program include:

• improved understanding of the organization’s security strengths and weaknesses.
• improved identification, prevention, and mitigation of security issues and risks.
• meeting regulatory requirements as well as demonstrating to other governance bodies our ability and commitment to maintain a secure environment.
• improved decision making, planning, and prioritization of security activities.
• improved allocation of security efforts, resources, and funding.

Page 8: Approach

The information security risk management approach focuses on the following:

• The use of common definitions and terms
• The use of a defined risk management lifecycle
• Threat and Risk Assessments that clearly focus on how risks impact business objectives
• The utilization of tools to manage risks across the organization
• Alignment with other business units such as Enterprise Risk Management, Privacy, SecOps, Audit…

Page 9: Security Specific - Risk definition

There is no one standard/universal definition for security risk.

However, all security risk definitions should include elements of:
– time (e.g. the risk is a future event that has not yet occurred)
– potential for loss or harm (to a valuable asset)
– harm caused by threats (which take advantage of an asset’s vulnerabilities, i.e. weaknesses)

Suggested security risk definition:

The potential for a threat to exploit an asset weakness, which will negatively impact the ability of an organization to meet its business objectives.

Page 10: Why Information Risks

From managing IT function silos…

Infrastructure
• Assessing technology vulnerabilities
• Enforcing security policy
• Focusing on the perimeter
• Protecting infrastructure
• Tracking security incidents
• Quantitative Approach

… to a business centric approach to risk mitigation

Information
• Assessing business risk
• Partnering to influence behavior
• Focus within the perimeter
• Protect organization data
• Optimize risk mitigation
• Qualitative Analysis

Page 11: Risk Management – Project vs. Business Risk

Project Risks are problems, gaps, limitations, etc. that may impact the project. Examples:
• Schedule delay
• Budget overrun
• Scope creep
• Incomplete deliverables
• Resource constraints
• Potential escalations
• Internal reputation
• Contractual commitments missed

Business Risks are events that may occur in the future. If and when they occur, they may cause loss or harm to the organization’s ability to meet its business objectives. Examples:
• Poor service delivery
• Poor asset management
• System unreliable
• Slow system uptake
• Privacy & security risks
• Client dissatisfaction

Project Issues are problems, gaps, technology limitations, etc. that exist today. Issues may contribute to Risks. Examples:
• Lack of documentation
• No security requirements
• No security architecture
• Undefined R&Rs or accountabilities
• No separation of duties
• Insufficient access control
• No hardening requirements
• Vendor agreements and SLAs do not include security requirements
• Insufficient logging, audit and monitoring controls

(Diagram axes: Maturity, Impact, Effort)

Page 12: Security Risk Management

Information Security Risk Management is the coordinated direction and control of activities to ensure that security risks are identified, analyzed, understood, addressed, and managed to meet business goals and objectives.

These activities include the identification, assessment, and appropriate management of current and emerging security risks that could cause loss or harm to persons, business operations, information systems or other assets.

Page 13: Risk Assessment Methodology

Page 14: Business & Control Objectives

Business Objectives: What the business wants to achieve (goals)

Security Control Objectives: What must be accomplished so that business objectives are met

Security Controls: Safeguards that must be in place to achieve the security control objectives

Threat Risk Assessments take into consideration how security risks will impact each of these areas and ultimately how security risks impact business objectives.

Page 15: Assess Risk

Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Source: COSO

Page 16: Risk Assessment

Step 1 System Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation

Source: NIST SP800-30

Page 17: Security Risk Management Model

(Diagram: boxes for Security Risks, Security Requirements, Asset Values & Impacts, Assets, Threats, Vulnerabilities and Security Controls, connected by the relationships exploit, expose, increase, protect against, reduce impact, have, influence, met by and determine.)

Assets
• Computers
• Files & folders
• Test results
• Prescriptions

Threats
• Hackers
• Viruses
• Spyware
• Fire

Vulnerabilities
• Un-patched systems
• Old anti-virus
• Weak passwords
• Unlocked cabinets

Security Controls
• Policy
• Passwords
• Anti-virus
• Backups

Page 18: Risk Acceptance Process

Security risk acceptance is the deliberate decision by the appropriate level of management to accept an identified security risk for the purposes of meeting business objectives.
– Risk owners may accept risks that lie below the approved Risk Tolerance Levels.
– However, if a risk owner wishes to accept a risk above the risk tolerance line, they must escalate the risk by submitting a Risk Escalation Approval Form and obtaining appropriate approvals to proceed with the risk acceptance.

Page 19: Determine Risk Appetite

Risk appetite is the amount of risk (at a Board level) an entity is willing to accept in pursuit of value.

Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).

Source: COSO

Page 20: Likelihood

Level: Definition

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Page 21: Impact Analysis

Level: Definition

High: (1) highly costly loss of major tangible assets or resources; (2) significantly violate, harm, or impede an organization’s mission, reputation, or interest.

Medium: (1) may result in the costly loss of tangible assets or resources; (2) violate, harm, or impede an organization’s mission, reputation, or interest.

Low: (1) may result in the loss of some tangible assets or resources; (2) noticeably affect an organization’s mission, reputation, or interest.

Page 22: Risk Tolerance Levels

(Diagram: a 5 x 5 matrix with Impact on the vertical axis, from Very High (VH) at the top down through High (H), Medium (M) and Low (L) to Very Low (VL), and Likelihood on the horizontal axis from Very Low (VL) through Low (L), Medium (M) and High (H) to Very High (VH). Each cell is rated with one of the risk levels below, and a Default Risk Tolerance Line is drawn across the grid.)

Risk Levels
• Unacceptable Risk
• High Risk (Dynamic and manageable)
• Medium Risk (Dynamic and manageable)
• Low / Tolerable Risk
• Very Low / Tolerable Risk

Risk Escalation is required when the risk owner chooses to accept a risk that is rated above the risk tolerance line.
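The matrix lookup and escalation rule from this slide, written up as an added Python example that is not part of the presentation: the five-level axes, the risk-level names and the escalation rule come from the slides, while the per-cell scoring (likelihood × impact, binned) and the position of the default tolerance line are assumptions, because the deck does not list the cell values.

```python
from enum import IntEnum

class Level(IntEnum):
    """Five-point scale used for both matrix axes (VL .. VH)."""
    VL = 1
    L = 2
    M = 3
    H = 4
    VH = 5

# Risk levels named in the slide legend, ordered least to most severe.
VERY_LOW = "Very Low / Tolerable Risk"
LOW = "Low / Tolerable Risk"
MEDIUM = "Medium Risk (Dynamic and manageable)"
HIGH = "High Risk (Dynamic and manageable)"
UNACCEPTABLE = "Unacceptable Risk"
SEVERITY = [VERY_LOW, LOW, MEDIUM, HIGH, UNACCEPTABLE]  # index = severity rank

# ASSUMPTION: the slide does not list the cell values, so each cell is scored
# as likelihood x impact (1..25) and binned; the grid is then monotone on both axes.
def risk_level(likelihood: Level, impact: Level) -> str:
    score = int(likelihood) * int(impact)
    if score >= 20:
        return UNACCEPTABLE
    if score >= 12:
        return HIGH
    if score >= 6:
        return MEDIUM
    if score >= 3:
        return LOW
    return VERY_LOW

# ASSUMPTION: the default risk tolerance line sits just above "Low / Tolerable";
# the slide states only that risks rated above the line need escalation.
DEFAULT_TOLERANCE = LOW

def requires_escalation(likelihood: Level, impact: Level,
                        tolerance: str = DEFAULT_TOLERANCE) -> bool:
    """True when accepting the risk needs a Risk Escalation Approval Form."""
    return SEVERITY.index(risk_level(likelihood, impact)) > SEVERITY.index(tolerance)

def matrix_rows() -> list:
    """Rows from Very High impact (top) to Very Low; columns VL..VH likelihood."""
    return [[risk_level(lk, im) for lk in Level] for im in reversed(list(Level))]

if __name__ == "__main__":
    # Constructed sample register entries (name, likelihood, impact).
    register = [("Un-patched internet-facing system", Level.H, Level.H),
                ("Unlocked cabinet holding test results", Level.L, Level.L)]
    for name, lk, im in register:
        action = "escalate" if requires_escalation(lk, im) else "risk owner may accept"
        print(f"{name}: {risk_level(lk, im)} -> {action}")
```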

Page 23: Showtime

Page 24: Information Security Risk Management Lifecycle

Page 25: Security Risk Management Lifecycle

Phase 1 Establish the Context
Phase 2 Asset Identification & Valuation
Phase 3 Threat & Vulnerability Assessment
Phase 4 Treat the Risk

Monitor, Track & Report

(Diagram groups the phases under Risk Assessment and Risk Treatment.)

Page 26: Tracking & Managing Process

The objective of this process is to improve management of security issues and risks.

The primary purpose of this process is to ensure that all those with responsibility for identifying or managing security issues and risks know:
• their responsibilities
• how each affected Business Unit interacts with others to achieve effective management of security issues and risks
• the work flow to achieve effective management of identified issues/risks

Page 27: The FUN stuff: Process Flows

Page 28: Risk Management – Process Overview

Summary of the Process

• InfoSec: identifies a risk and notifies the risk owner and the project team
• Risk owner: develops a risk treatment plan to address the risk with the assistance of InfoSec
• InfoSec: enters the risk and the treatment plan into its risk management tracking tool
• Risk owner: implements the risk treatment plan
• InfoSec: follows up with the risk owner (or their delegate) to periodically monitor the progress of the treatment plan
• InfoSec: provides executive level reports on a monthly and quarterly basis on the status of risks and risk treatment plans

Page 29: Risk Tracking – Documenting

Page 30: Risk Tracking – Monitoring

Page 31: Risk Tracking – Reporting

Page 32: Technology

Page 33: Tools for Monitoring & Tracking

Dashboard (example with dummy data)

Page 34: Tools for Monitoring & Tracking

Sensitive info has been blocked.

Page 35: Tools for Monitoring & Tracking

Example with dummy data

Page 36: Sample factors that can decrease risk

• Effective policies and standards
• Awareness programs
• Reliance on proven and tested controls
• Consistency of processes, technology and controls
• Appropriate Segregation of Duties
• Customers
• Regulations/Compliance
• Audits
• Knowing what your risks are

Page 37: Discussion / Q&A

Page 38: Contact Info

Bobby Singh
Director, Information Security & Risk Mgt
416.935.6691
[email protected]