risk view info sec intro 3.4.10
TRANSCRIPT
© Rev2 Networks, Inc—Confidential
Rev2 IT Information Security
Risk Management
February 26, 2010
Goals
Introduce RiskView™, a decision support system which helps identify and focus on business-material risks
Understand your risk-management focus areas & processes
Agenda
1. Rev2 Introduction
2. RiskView Framework
3. Examples
4. Next Steps
Today’s Discussion
Rev2 Risk Management
InfoSec Risk / Supply Chain Risk / Service Delivery Risk
RiskView replaces ad-hoc processes with a fact-based, scalable, repeatable framework:
Identify under-controlled risk via business views
Focus on the most material drivers
“What-if” controls testing
Today
Plenty of Data But Big Exposure
Info sec tools and services regularly identify 100,000s of vulnerabilities
RiskView provides a fact-based, scalable, repeatable process
Most companies collect large vulnerability data sets, but face big material risk in information security.
Value is limited by: data silos, inconsistent data, wrong metrics, changing process, inadequate tools
Because: reactive response, perception vs. facts, wasted money, on-going vulnerability
How do you prioritize 1 Million vulnerabilities?
Requirements
Effective risk management requires specialized structures, tools and systems that most companies lack
Structure: Info Sec Risk Mgt requires a formal strategy and organization approach
Systems: An on-going formal process is needed to meet goals and execute strategy
Tools: Special tools are required to consistently and efficiently analyze large data sets
Key Elements Include
Leadership: to coordinate across business units
Metrics: consistent metrics for materiality of business impact
Risks and Policies: to identify risks and define policies to limit exposure
Compliance: regular evaluations to learn policy compliance and violations
Risk Updates: regular reviews for materiality score changes
Measures and Actions: regular risk assessments with next steps to fix key findings
Risk Algorithm: to calculate materiality scores
Analytic Engine: to compare risks and identify drivers
Scenario Testing: to pre-test potential program changes
Visualization: to facilitate analysis and understanding
Strategic Data
A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.
Strategic Data supports a fact-based, scalable, repeatable process
Normalized Data
The Issue: Risks are measured differently. How to compare them?
The Solution: Create a normalized risk score. Score based on materiality of adverse business impact.
Different Impacts
The Issue: Risks have different impacts. How to evaluate risk types?
The Solution: Score vulnerabilities on the type of risk they present. Differentiate financial, legal, regulatory, reputational.
Asset Roles
The Issue: Risk impact varies based on where it occurs. How to recognize differences?
The Solution: Score impact based on the specific asset at risk. Recognize differences in asset value.
Materiality
The probability of an attempt
The probability of success
The criticality of the intersected asset or business process
Diagram labels: EXPLOITABILITY, SUSCEPTIBILITY, IMPACT; BUSINESS MATERIALITY: DOES IT MATTER?
We normalize risk scores based on business materiality. The probability of a successful attempt is weighed versus its impact based on the asset's business criticality.
What is RiskViewTM?
• A software Risk Data Warehouse platform that collects vulnerability data
• Business-specific modules with customizable views and analytics
• Advanced Visualization to create a packaged decision support system
Highly-extensible platform for fact-based, scalable, repeatable Risk Management Decisions
RiskView Features
Business Views
Impact/Effect Cause Business Unit Geography/Location Process
Cost Types
Financial Reputational Regulatory Legal
– Collect and combine risks enterprise wide
– Normalized scoring based on materiality
– Impact-centric business views
– Pre and post testing for “what if?” and “did it work?”
– Advanced visualization for easy analysis and interpretation
Fact-based—Scalable—Repeatable!
RiskView Examples
Vertical View - InfoSec
Horizontal View - Geography
Business Unit View
Filters = Focus
Not every vulnerability is equal in terms of materiality.
Once aggregate material risk is identified and unacceptable levels detected, need to identify and profile drivers.
Materiality (finding the “Critical Few”)
What-if (testing)
Date Range (trending)
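To make the materiality scoring and the what-if filter above concrete, here is an added Python illustration (my own, not Rev2's RiskView code): each finding is scored as exploitability × susceptibility × asset criticality averaged over the four cost types, findings roll up under a business-unit view, the "critical few" carrying most of the risk are isolated, and a control is pre-tested for the share of risk it would remove. The multiplicative formula, the equal cost-type weights, and the sample assets and findings are assumptions.

```python
from dataclasses import dataclass

# Added illustration, not Rev2's RiskView code: the multiplicative formula,
# the equal weighting of cost types and the sample data are my assumptions.
COST_TYPES = ("financial", "reputational", "regulatory", "legal")

@dataclass
class Asset:
    name: str
    business_unit: str
    criticality: dict  # cost type -> 0..1 severity of adverse business impact

@dataclass
class Finding:
    vuln_id: str
    asset: Asset
    p_attempt: float  # exploitability: probability an attempt is made
    p_success: float  # susceptibility: probability an attempt succeeds

def materiality(f):
    """Normalized 0-100 score: chance of a successful attempt weighed
    against the asset's criticality averaged over the four cost types."""
    impact = sum(f.asset.criticality.get(c, 0.0) for c in COST_TYPES) / len(COST_TYPES)
    return round(100 * f.p_attempt * f.p_success * impact, 2)

def view_by(findings, key):
    """Business view: aggregate materiality by e.g. business unit or asset."""
    totals = {}
    for f in findings:
        totals[key(f)] = round(totals.get(key(f), 0.0) + materiality(f), 2)
    return totals

def critical_few(findings, share=0.8):
    """Smallest top-ranked set of findings carrying `share` of total materiality."""
    ranked = sorted(findings, key=materiality, reverse=True)
    target = share * sum(materiality(f) for f in findings)
    chosen, acc = [], 0.0
    while acc < target:
        chosen.append(ranked[len(chosen)])
        acc += materiality(chosen[-1])
    return chosen

def what_if(findings, affected_assets, capped_p_success):
    """Pre-test a control that caps p_success on some assets; return the
    fraction of total materiality it removes."""
    before = sum(materiality(f) for f in findings)
    tested = [Finding(f.vuln_id, f.asset, f.p_attempt, min(f.p_success, capped_p_success))
              if f.asset.name in affected_assets else f for f in findings]
    return round(1 - sum(materiality(f) for f in tested) / before, 3)

# Constructed sample data: one critical database, one low-value kiosk.
DB = Asset("customer-db", "Retail", {"financial": 0.9, "reputational": 0.8, "regulatory": 0.9, "legal": 0.6})
KIOSK = Asset("lobby-kiosk", "Facilities", {"financial": 0.2, "reputational": 0.2})
FINDINGS = [Finding("V-1", DB, 0.8, 0.9), Finding("V-2", DB, 0.5, 0.3), Finding("V-3", KIOSK, 0.9, 0.9)]
```

With the sample data, two of the three findings carry over 80% of the total score, and capping susceptibility on the database to 0.1 removes roughly three quarters of it.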
Exploded View
RiskView Benefits
Identify uncontrolled critical risks: typically reduction is > 50%
Save money: improve risk with current budget; cut spending without added risk
Identify common controls: for one client, a single control eliminated 70% of uncontrolled risk
Improve staff productivity: only one FTE week per quarter for analysis/administration; analyze up to 200 million vulnerabilities in real-time
Justify budgets and investments: test program investments before decision and after execution
Establish a fact-base for decision-making: determine/assign organization accountabilities
Next Steps
Free Risk Evaluation
We will conduct a limited information security risk evaluation with RiskView:
Load a set of data, aligned with your policies and procedures
Analyze and present the findings, along with implications/recommendations
Requirements: Aon resources: ~1 day for set-up, plus 1 hour for findings presentation; Rev2 time: ~2 weeks start to finish