CARNEGIE MELLON UNIVERSITY


Slide 1: Carnegie Mellon University

Slide 2: Integrated Risk Management for the Enterprise
Brett Tucker, December 2018
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution.
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.

Slide 3: Copyright 2018 Carnegie Mellon University. All Rights Reserved.
This material is based upon work funded and supported by the Department of Defense under Contract No. FA D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
CERT is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM

Slide 4: Carnegie Mellon University Facts and Figures
- Established in 1900
- Global research university of more than 13,500 students
- Carnegie Mellon attracts students from all 50 US states and 93 nations
[CMU Video]

Slide 5: CERT | Software Engineering Institute | Carnegie Mellon
Software Engineering Institute (SEI)
- Federally funded research and development center based at Carnegie Mellon University
- Helps organizations improve development, operation, and management of software-intensive and networked systems
CERT
- Anticipating and solving our nation's cybersecurity challenges
- Largest technical program at SEI
- Focused on information security, insider threat, operational risk management, security metrics, and governance

Slide 6: Our Mission and Strategy
To advance the technologies and practices needed to acquire, develop, operate, and sustain software systems that are innovative, affordable, trustworthy, and enduring.
We achieve our mission through:
- Research
- Collaboration
- Development and Demonstration
- Transition

Slide 7: In a World of Great Uncertainty, What is Certain?
- The risk environment will not contract; the number of risks and their complexity will increase
- Organizations must get better at surviving uncertainty
- Knowledge and awareness of risk issues must be pervasive throughout the organization
- Traditional tools, techniques, and methods may not work and will need to evolve
- Organizations must be agile enough to adapt

Slide 8: Enterprise Risk Management (ERM) as a Solution: What is it?
"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO)
(diagram: Risk Management Process cycle with the stages Plan, Identify, Analyze, Respond, Monitor, Control)
Fundamentally, the ERM program should provide an efficient yet effective process to help an organization gain greater confidence in achieving its goals in a world of uncertainty.

Slide 9: Closer Look at ERM: Portfolio Perspective
- An activity that looks across all types of risk activities in the organization and considers all risk types
- Not simply an aggregation of individual types of risk but a process of managing these risks with a view to their interdependencies
- Connects risk management to strategic and operational drivers
(diagram of risk types: Strategic Risks, Financial / Credit Risks, Market Risks, Operational Risks)

Slide 10: Difference Between Operational and Enterprise: One is a Subset of the Other
- Operational risk management (ORM) is a significant subset of ERM
- ORM addresses day-to-day risks that can affect the organization's ability to carry out its mission
- Cyber risk, as an example, has tactical and strategic implications
- Failure to manage operational risk can have significant impact in meeting an organization's strategic objectives
(diagram: Enterprise Risk Management containing Operational Risk Management; operational areas shown: Cyber, Logistics, Manufacturing, Projects, EHS, Facilities)

Slide 11: Benefits of Having an ERM Program: Value Proposition
- Sustain and advance the value of the enterprise (risk in growth, operations, strategy, etc.)
- Maintain competitive advantage
- Avoid unnecessary surprises
- Link strategic objectives to everyday action
- Raise confidence in achieving objectives by eliminating threat and maximizing opportunity
- Empower employees to make decisions within the bounds of the organizational appetite

Slide 12: Risk Standards and Frameworks: Balance Requirements with Practicality
Where can we turn for help?
- Analysis and review of standards will uncover gaps and best practices
- No two programs will be exactly alike
- Take the best framework elements that work for your culture, objectives, business model, etc.
- Benchmarking with other companies may uncover novel ways to administer a program
(diagram: Global Standards (COSO, ISO, etc.), Government Standards (NIST, FFIEC, etc.), and Industry Standards (NERC CIP, HIPAA, etc.) feed into An ERM Program and Process That Captures Necessary Requirements)

Slide 13: Update to OCTAVE Allegro => FORTE: Will Account for Several Standards to Incorporate
Leverages many standard principles and best practices:
- Facilitated: Getting Organizational Input
- Operational: Real Time Applicability
- Risk: Establishing a Process to Assess
- Tailored: Flexible for All Organizations
- Enterprise: Universal Application
FORTE covers the enterprise risk management life cycle from programmatic development through risk closure!

Slide 14: Objectives and Principles for OCTAVE FORTE: Organizations Learn How to Implement a Risk Program
Objectives
- Establish a framework scalable for size and strategy
- Educate the workforce on processes, tools, and programmatic features
- Facilitate clients' risk program and risk register development
Principles
- Avoid endorsement of one standard over the other
- Comprehensive enterprise scope
- Establish priorities, given organizational resources
- Process is broadly applicable and easy to implement

Slide 15: Enterprise Risk Program: Where to Begin
There are three fundamental elements that underpin a risk program:
- Governance: A body that provides authority, advocacy, and decision making
- Appetite: A central understanding of risk attitude that provides quantitative constraints for analysis and prioritization
- Policy and Procedure: Provides the direction and tools needed
Program development is only necessary one time; periodic update and maintenance accommodate organizational change. The program should be tailored to meet scope and scale requirements.
Program Success Hinges Upon Leadership, Culture, Training, Execution, and Framework

Slide 16: Risk Program Governance: Empowering Executives and Management to Manage Risk
- A tiered committee structure is effective
- Committees should have no more than 5 or 7 executives
- Subcommittees should employ 5 or 7 high-performing managers and executives each
- Members must have access to and authority over resources
- Cyber professionals must play a more significant role within this structure
- Charters must provide concise direction and membership
- All members must receive training

Slide 17: Linking Appetite to Strategy: Making ERM Part of Corporate Culture
- Appetite must be aligned with strategy
- Appetite and process should support tactical decisions as well as strategic ones; this may include acquisition of systems, vendor support, capital investment, etc.
- Appetite development, education, and proliferation take time
- Cyber professionals must contribute to the formulation of the corporate risk appetite statement. Furthermore, they must convey their risk assessments in these terms to achieve greater board room understanding.

Slide 18: Policy and Procedure: Will People Follow if the Path is Not Written Down?
Key features of a strong policy statement:
- The direction must be simple and scalable
- The policy must be enforceable
  - Have a plan and program owner
  - Should include a procedure to follow
  - Might need an implementation and change management plan
  - Audit team support desired
Cyber Professionals Must Communicate Technical Risks Using the ERM Tool Set

Slide 19: Effective ERM Process Leads to Resilience
Resilience is related directly to risk.
(diagram: Risk Management -> Operational Resilience -> Robust and Assured Operations)
The ability to identify and respond to operational risk affects operational resilience. Why?
- Known risk is addressed before it becomes disruptive
- The organization is able to make informed decisions about the sustainment of services and assets under uncertain conditions (i.e., unknown risks)
- Poor risk management may make the organization less agile, flexible, and survivable because the exposure to disruptive conditions is increased

Slide 20: Operational Resilience Defined
Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]
Operational resilience: The emergent property of an organization that can continue to carry out its mission after disruption that does not exceed its operational limit [CERT-RMM]

Slide 21: Like a Slinky
(figure; labels: "Normal and Some Abnormal Operations", "Disaster")

Slide 22: Resilience Management: Core Principles of Focus
- Mission Focused: protect your assets
- Risk Based: identify and prioritize
- Efficiency Orientation: invest only to the point of satisfying appetite
- Converged Approach: all work to the same plan
- Collaborative: interdependency and community considered
- Standards and Regulation Neutral: organization decides on investment
- Requirements Driven: activities meet requirements
- Process Maturity and Improvement: document and monitor process

Slide 23: Questions?
Brett A. Tucker, PMP, CSSBB
Technical Manager, Cyber Risk Management
CERT Division, Software Engineering Institute