A Practical and Effective Approach to Risk Assessment

Transcription

1 A Practical and Effective Approach to Risk Assessment IT Risk Assessment Case Study Portions of this presentation are from a 2007 & 2008 FFIEC Technology Conference presentation to bank examiners. Special thanks to Mark Chapman, Chapman Technology Group Inc., a FIPCO Endorsed Vendor. RIskOptix used in this risk assessment is a trademark of Chapman Technology Group Inc.

2 NIST IT Risk Assessment Definition Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. Source: NIST Special Publication

3 IT Risk Assessment is NOT! Risk Management Vulnerability Scanning Penetration Testing Social Engineering An IT Audit General Controls Testing Business Continuity IT Governance or Compliance

4 NIST Risk Definition Risk is a function of the likelihood of a given threat-source exercising a potential vulnerability, and the resulting impact of that adverse event on the organization. Source: NIST Special Publication

5 High-Level Approach PUSH Preparation Universe Definition Scoring Hitting the Mark Copyright , Chapman Technology Group, Inc. All Rights Reserved.

6 Preparation Earn Management Buy-In Decide to In-Source or Outsource Anticipate the Benefits Identify the Specific Purpose How to Accomplish? (Methodology & Tools)

7 Earn Management Buy-In Motivators: GLBA Compliance / Fear Means to justify other initiatives New Management Eager to Learn True Believers Challenges: It costs money! I already know the risks better than anyone! We have more important things to do. Results: 1. Go through the motions 2. Do it right Copyright , Chapman Technology Group, Inc. All Rights Reserved.

8 In-Source or Outsource? Current Capability Do we have the capability or can we train inhouse? Can we identify a firm with independent, knowledgeable and sufficient resources? Future Capability Turnover of trained employees Dependence on consultants Copyright , Chapman Technology Group, Inc. All Rights Reserved.

9 Anticipated Benefits To learn something new To validate or quantify a concern To standardize communication of risk To establish common language and tools To satisfy the examiners Copyright , Chapman Technology Group, Inc. All Rights Reserved.

10 Specific Purpose Audit Planning Budgeting GLBA Compliance Disaster Recovery Policy Writing Risk Management Remediation Vendor Selection Hint: Answer the Question: What is the specific purpose of the risk assessment?

11 How to Accomplish? Methodology / Guideline / Standard NIST FFIEC ISO27001:2005 COBIT / COSO / IIA PUSH Format Paper Excel / Word Specialized Risk Assessment Software

12 High-Level Approach PUSH Preparation Universe Definition Scoring Hitting the Mark Copyright , Chapman Technology Group, Inc. All Rights Reserved.

13 Universe Definition Goal: To define an appropriate universe for the size and complexity of the Bank Choose the Number of Dimensions Assets, Risks, Controls For Each Dimension Define Scope, Granularity, Level of Detail Populate the Universe Copyright , Chapman Technology Group, Inc. All Rights Reserved.

14 How? - Pre-Engagement Checklist Assets = What s Valuable? What documentation does the bank have to provide information about IT assets? (HW, SW, business process) Risks = What bad things could happen? Controls = How do we mitigate the impact of bad things? What documentation does the bank have to provide evidence Controls exist?

15 How? - Pre-Engagement Checklist

16 Asset Universe Scope Business Functions Fixed-Assets Strategies Brands Contracts Cash Intellectual Property Products People Granularity How many levels of assets do we want to consider? Buildings Rooms Wall Clocks Detail How much information do we want to understand for each asset? Asset Type Asset Owner Importance Dependencies Copyright , Chapman Technology Group, Inc. All Rights Reserved.

17 Name & Describe the asset? How important is the asset? Capture BIA Information Determine the attributes to characterize the asset.

18

19 Risk Universe Scope Power Outage Pandemics Water Damage Fraud Computer Hacking Employee Turnover Tampering Granularity How many levels of risks do we want to consider? City-Wide Blackout Accidental Power Disconnect Wall Clocks stop working Detail How much information do we want to understand for each risk? Risk Type Threat Source Likelihood Impact

20 Describe Risk and potential impact? Set the impact and likelihood unmitigated! Quantitative Info? Did we identify follow-up? Determine attributes to characterize the risk.

21

22 Controls Universe Scope Financial Physical Technological Reputation Legal Insurance Granularity How many levels of controls do we want to consider? Firewalls Policy Atomic Clocks Detail How much information do we want to understand for each control? Control Owner Effectiveness Compliance Info Assessment Criteria

23 Categorize = Legal, Technical, etc? Describe Control and how to assess? By Design what is the Controls effectiveness? Did we identify follow-up? Type of Control and how did we Assess?

24

25 High-Level Approach PUSH Preparation Universe Definition Scoring Hitting the Mark Copyright , Chapman Technology Group, Inc. All Rights Reserved.

26 Scoring Choose Scale Normalize Prioritize and Trim Associate Adjust Compound Scores

27 Choose A Scoring Scale Define a consistent scale. Numeric (1-5), (0.1, 0.5, 1.0), (1-3), (0%-100%) Descriptive (Low, Med, High), (Nice-To-Have, Average, Critical)

28 Normalize Set the Relative Importance of: Risks with respect to other Risks Assets to other Assets Controls to other Controls 5

29 Prioritize and Trim Goal: To combat the natural exponential growth of assessment efforts by reducing the number of lowpriority assets, risks and controls. Approach: During data gathering, interview and universe definition we selected only critical assets, high impact/likely risks for further risk assessment efforts while documenting the decision.

30 Associate Controls to Risks Control Risks

31

32 Associate Assets to Risk Asset Risks

33 Asset Assets Risks Controls

34 Adjust Compound Scores Used Initial Scores with Few Documented Exceptions. Control Record

35 High-Level Approach PUSH Preparation Universe Definition Scoring Hitting the Mark Copyright , Chapman Technology Group, Inc. All Rights Reserved.

36 Hitting the Mark Did we meet our Purpose? Documented Observations / Findings The Final Report Tracking Actions Over Time Evaluate Project Effectiveness

37 Hitting the Mark - Answer our question What was the specific purpose of the risk assessment? Audit Planning GLBA Compliance Risk Management

38 Hitting the Mark Source: National Institute of Standards and Technology (NIST)

39 Hitting the Mark Added Benefit An Added benefit is realized, We can answer the questions: When and under what circumstances does the bank need to take action? When should the bank implement controls to mitigate the risk and protect the organization or document the acceptance of risk?

40 Write the Final Report Focused on 1. Observations - Findings 2. High Level GLBA Compliance Assessed 3. Process used (brief) 4. Trends - Future Activity 5. Management Observations timeline, follow-up 6. Continuous Risk Assessment, track the status of observations and other audits.

41 1. Observations - Findings Observation #2: High The server and exchange backups that are stored on removable storage and transferred off site were not adequately protected. Potential Exposure: Confidential data could be compromised if the devices were lost or stolen. Recommendation: Encrypt the data stored to the backup storage devices before they are removed offsite. Management Comment: Management has explored the viability of storing archived data.. Implementation will be completed by year-end.

42 1. Observations - Findings Observation #10: Low Information Systems Security Policy contains too much detail.... Potential Exposure: Missing Information Security Policy is a Compliance Risk,. Recommendation: Modify the Information Systems Security Policy so that it contains only "Policy" documentation... Templates have been provided to assist with management response. Management Comment: In response. in 2005 the bank purchased a canned Information Policy/Toolkit.

43 2. GLBA Compliance

44 3. Process Used The primary goal for the IT Risk Assessment was to adopt and document a consistent risk assessment methodology for the purpose of assessing risks at the bank on a sustainable basis. The approach used by this assessment followed the diagram on the right. Inventory Assets Characterize Assets Advance Important Items Identify Raw Risks Consider Mitigating Factors Calculate Residual Risk Exposure Advance Areas of Higher Risk Create Audit Plan Create Audit Program

45 Management Comments - Follow-up

46

47 Continuous Risk Assessment Audit Planning & Tracking

48 Conclusion PUSH Preparation Universe Definition Scoring Hitting the Mark Copyright , Chapman Technology Group, Inc. All Rights Reserved.

49 Risk Assessment Post Mortem Which directory did I put that in? Information is scattered all over Does a thick binder count for keeping information together? No ties between common information or information that is related

50

51 Risk Assessment Post Mortem Each risk assessment feels like it is a brand new (and painful) event! Who did it last year? Consultant X Who did it this year? Auditor Y The examiner or auditor wants proof: formal documentation. Multiple copies and duplicate data gathering Information not kept up-to-date

52

53

54

55 Risk Assessment Post Mortem Who should have access? Difficult to control who can access the information I don t have access, but I need to respond! Difficult to ensure the right people have the right information at the right time Complex spreadsheets cutting & pasting with no real cross-reference capabilities. Replace 11x17 printed spreadsheet that needs a plotter to print clearly

56 Risk Assessment Post Mortem What evidence exists that the RA was based on a formal methodology and can be repeated next year? No standard framework or format for assessing risk across the organization Assessment based simply on experience The board wants this IT Assessment in non-technical terms! Too much time spent formatting data for the Board or external auditors and examiners.

57 Questions