Risk View - InfoSec intro

1. Rev2 IT Information SecurityRisk ManagementFebruary 26, 2010

2. Today’s DiscussionAgendaRev2 IntroductionRiskView FrameworkExamplesNext StepsGoalsIntroduce RiskViewTMa decision support system which helps identify and focus on business-material risksUnderstand your risk-management focus areas & processes2

3. Rev2 Risk ManagementInfoSec RiskSupply Chain RiskService Delivery RiskRiskView replaces ad-hoc processes with aFact-based, Scalable, Repeatable FrameworkIdentify under controlled risk via business viewsFocus on the most material drivers“What-if” controls testing

4. ButBig ExposurePlenty of DataInfo sec tools and services regularly identify 100,000’s vulnerabilitiesTodayRiskView provides a fact-based, scalable, repeatable process4Most companies collect large vulnerability data sets, but face big material risk in information security. Because…Reactive response

5. Perception vs. facts

6. Wasted money

7. On-going vulnerabilityValue is limited by…Data silos

8. Inconsistent data

9. Wrong metrics

10. Changing process

11. Inadequate toolsHow do you prioritize 1 Million vulnerabilities?

12. StructureSystemsToolsInfo Sec Risk Mgt requires a formal strategy and organization approachAn on-going formal process is needed to meet goals and execute strategySpecial tools are required to consistently and efficiently analyze large data setsKey Elements IncludeLeadership– To coordinate across business units

13. Metrics—Consistent metrics for materiality of business impact

14. Risks and Policies—To identify risks and define policies to limit exposure

15. Compliance—Regular evaluations to learn policy compliance and violations

16. Risk Updates—Regular reviews for materiality score changes

17. Measures and Actions—Regular risk assessments with next steps to fix key findings

18. Risk Algorithm—To calculate materiality scores

19. Analytic Engine—To compare risks and identify drivers

20. Scenario Testing— To pre-test potential program changes

21. Visualization—To facilitate analysis and understandingRequirementsEffective risk management requires specialized structures, tools and systems that most companies lack5

22. Different ImpactsAsset RolesNormalized DataThe Issue:Risks are measured differently

23. How to compare them?The Solution:Create a normalized risk score

24. Score based on materiality of adverse business impact Strategic DataA fact-based risk program requires normalized data, with a range of impacts tied to specific assets. The Issue:Risks have different impacts

25. How evaluate risk types?The Solution:Score vulnerabilities on the type of risk they present

26. Differentiate financial, legal, regulatory, reputationalThe Issue:Risk impact varies based on where it occurs

27. How recognize differences?The Solution:Score impact based on the specific asset at risk

28. Recognize differences in asset value Strategic Data supports a fact-based, scalable, repeatable process6

29. MaterialityWe normalize risk scores based on business materiality.The probability of a successful attempt is weighed versus its impact based on the asset’s business criticality. EXPLOITABILITYSUSCEPTIBILITYThe probability of successThe probability of an attemptBUSINESS MATERIALITY:DOES IT MATTER? IMPACTThe criticality of the intersected asset or business process7

30. What is RiskViewTM?A software Risk Data Warehouse platform that collects vulnerability data Business-specific modules with customizable views and analytics Advanced Visualization to create a packaged decision support systemHighly-extensible platform, for fact-based, scalable, repeatableRisk Management Decisions 8

31. RiskView FeaturesCost TypesFinancial

32. Reputational

33. Regulatory

34. LegalCollect and Combine risks Enterprise wideNormalized scoring based on MaterialityImpact Centric business views Pre and post testing for “what if?” and “did it work?”Advanced Visualization for easy analysis and interpretationFact-based—Scalable—Repeatable!Business ViewsImpact/Effect

35. Cause

36. Business Unit

37. Geography/Location

38. Process9

39. 10RiskView Examples

40. Vertical View- InfoSec11

41. Horizontal View- Geography12

42. Business Unit View13

43. Filters = FocusNot every vulnerability is equal in terms of materialityOnce aggregate material risk is identified and unacceptable levels detected, need to identify and profile driversDate Range(trending)What-if(testing)Materiality(finding the “Critical Few”)14

44. Exploded View15

45. RiskView BenefitsIdentify uncontrolled critical risksTypically reduction is > 50%Save moneyImprove risk with current budget; cut spending without added riskIdentify common controlsFor one client, a single control eliminated 70% of uncontrolled riskImprove staff productivity Only one FTE week per quarter for analysis/administration

46. Analyze up to 200 million vulnerabilities in real-timeJustify budgets and investmentsTest program investments before decision and after executionEstablish a fact-base for decision-makingDetermine/assign organization accountabilities16

47. Next StepsFree Risk Evaluation We will conduct a limited information security risk evaluation with RiskViewLoad a set of data, aligned with your policies and procedures

48. Analyze and present the findings, along with implications/recommendationsRequirements: Aon resources: ~ 1 day for set-up, plus 1 hour for findings presentation

49. Rev2 time: ~ 2 weeks start to finish17

Risk View - InfoSec intro

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to Risk View - InfoSec intro (20)

Risk View - InfoSec intro