Addressing Complex Security Threats Through Risk Management (166377275)

Addressing Complex Security Threats Through Risk Management
EDUCAUSE Security Professionals Conference, May 6, 2008
Rebecca J. Whitener, CPA, CIA, CISA, CFE, Former Vice President and Chief Risk Officer, EDS
Source: http://slidepdf.com/reader/full/addressing-complex-security-threats-through-risk-management-166377275 (21 slides, retrieved 7/29/2019)

Transcript of Addressing Complex Security Threats Through Risk Management (166377275)


Addressing Complex Security Threats Through Risk Management

EDUCAUSE Security Professionals Conference

May 6, 2008

Rebecca J. Whitener, CPA, CIA, CISA, CFE
Former Vice President and Chief Risk Officer, EDS


There are complex issues impacting business, government and higher education

Authentication
Identity Theft
Power Outages
Personal Information Loss
Crime
Intellectual Property
Fraud
Disease Outbreaks
Violence
Earthquakes
Terrorism
Lawsuits
Floods
Political and Social Unrest


Advances in technology create new exposures

"...each new wave of technology will make obsolete existing information security measures - increasing security exposures in new and legacy environments"

Gartner


Organizations of all types are susceptible to these threats...

[Slide image: a mock newspaper front page dated April 2, 2001, headline "'Your Company' a victim of Cyberspace crime again - Third time in Two Weeks - Could it have been prevented?"; the surrounding column text is filler copy about Atlanta Public Schools unrelated to the talk. Inset bar chart "Online Attacks", one bar per year 1998-2002: $1,000, $1,100, $1,500, $2,200, $3,500 (y-axis $0 to $4,000). Attribution shown: Washington Post.]

226,874,657 records containing sensitive personal information involved in security breaches in the U.S. since January, 2005
Privacy Rights Clearinghouse, www.privacyrights.org, updated through May 4, 2008

 


Educational Security Incidents - 2007

2007 marked a significant change for information security incidents occurring at colleges and universities around the world as reported in the news.

A sample of the information in the Educational Security Incidents (ESI) Year in Review - 2007:

Total Number of Incidents: 139 (67.5% increase over 2006)
Total Number of Institutions Affected: 112 (72.3% increase over 2006)

Source: The ESI Year in Review - 2007, by Adam Dodge, posted on February 10th, 2008


Standard mode of operation for adverse event responses is becoming increasingly ineffective

Standard mode:
Reactive - response to an event
IT driven - based on assessments of vulnerabilities
Generally NOT pro-active

Alternative:
Focused on resilience
Cross-functional
Built upon a comprehensive "Risk" assessment


Enterprise Risk Management is emerging in response to these complex challenges*

Forces: Governance, Risk, Compliance, Disasters, Regulatory actions

These forces are leading to an increase in the need for a comprehensive view of enterprise-wide risks and the emergence of a new role - the Chief Risk Officer.

*Forrester


Stages of Enterprise Risk Management

Traditional - Focus on business line processes, internal controls
Enterprise-wide Coordination - CRO, Audit, General Counsel or cross-functional team develops a common direction for Governance, Risk and Compliance (GRC)
Move to Increased Monitoring and Reporting
Analysis - Collection and evaluation of data helps determine the impact and likelihood of risk events
Aggregation and Integration - Full integration into cross-functional processes and technologies

Governance, Risk and Compliance Continuum: Traditional Silo-based -> Cross Functional Coordination -> True Risk Resiliency

"...many business experts believe that the concept of a cross-functional convergence of these activities (Governance, Risk and Compliance) represents a progressive approach in this area, and is quickly replacing the traditional fragmented or silo mentality."

The Corporate Defense Continuum, Risk and Compliance, Sean Lyons, 1/23/2007


ERM objectives include a balance between cost/benefit and opportunity optimization

[Diagram: Enterprise Risk Management shown as the balance between Adverse Events and Opportunities]


ERM implementations are challenging


Why is ERM so complex?

Often requires a "culture" change
It is hard to distinguish ERM from "old fashioned" business management
The approach that works for some companies may not work for others
ERM models are about estimating the impact and likelihood of risk events
The risk environment includes the behavior of people (difficult to predict)
Each "Risk" being considered within an ERM model is often highly dependent upon context


The complexity of the task requires an effective strategy

"...protecting the complex, technology-dependent, globally focused organization today is still in the hands of organizational structures and methods that were developed before the commercial computer age - let alone the network age. ...Given this and the 'silo' development of operational risk functions, the compelling question organizations now need to ask is 'what constitutes good risk management?'"

BRG, 2005

Any organization's risk management strategy falls somewhere along this range:
Weak or non-existent cross-functional risk processes
Some well developed processes with gaps
Effective risk models and processes (Desired State)


Elements of a comprehensive risk management strategy

Governance and Organization
Risk/Issue Identification
Map to Process and Owner
Assessment/Measurement
Action Plan Management
Status Reporting
Culture and Awareness

Context is Critical


ERM frameworks & standards are available

COSO = Committee of Sponsoring Organizations

Risk Management Framework (based on AS/NZS 4360: Australian/New Zealand Standard Risk Management):
Risk Management Context
Risk Governance
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Monitor and Report
Awareness / Communications


Prioritization of Risks

Collaborate on strategy
◦ Cross functional input from legal, audit, CRO, CFO, CSPO, risk owners

Identify and classify relevant compliance requirements as they relate to:
◦ Strategic, Financial, Operational, Technology objectives

Assess impact, assign confidence ranking
◦ Identify impact/likelihood of adverse events on corporate objectives
◦ Assess inherent risks of noncompliance
◦ Assess risks remaining after mitigations
◦ Plot risks on risk map

Focus on areas with highest concerns
◦ Risks are not equally important
◦ Focus on those high and to the right

[Risk map: Impact on the vertical axis, Likelihood on the horizontal axis; the upper-right region is labeled "High Focus Risks"]
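The sequence on this slide (estimate inherent impact and likelihood, credit mitigations to get residual risk, plot on the map, focus on what lands high and to the right) is easy to do inconsistently across a cross-functional team. The following is an added example, not code or data from the original presentation: a small risk register with a reproducible scoring rule. The 1-5 scales, the additive mitigation model, the "high focus" threshold of 3, the confidence ranking and every risk in the register are assumptions constructed for illustration, not the presenter's method.

```python
"""Risk-map prioritization on an impact/likelihood grid.

Added example, not code from the original deck. The register below is
constructed for illustration; the 1-5 scales, the additive mitigation model
and the "high focus" threshold of 3 are assumptions, not the deck's method.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both impact and likelihood


@dataclass
class Risk:
    name: str
    objective: str        # Strategic / Financial / Operational / Technology
    impact: int           # inherent impact, 1-5
    likelihood: int       # inherent likelihood, 1-5
    confidence: str       # confidence in the estimate: "low", "medium", "high"
    # (control name, impact reduction, likelihood reduction); assumed values
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: impact and likelihood must be 1-5")

    def inherent(self):
        """Risk before any mitigation is credited."""
        return (self.impact, self.likelihood)

    def residual(self):
        """Risk remaining after mitigations. A control lowers exposure but never
        drives a dimension below 1: a risk cannot be mitigated to nothing."""
        i = self.impact - sum(m[1] for m in self.mitigations)
        lk = self.likelihood - sum(m[2] for m in self.mitigations)
        return (max(1, i), max(1, lk))


def quadrant(impact, likelihood, threshold=3):
    """Region of the map. 'High and to the right' = high impact AND high likelihood."""
    hi_i, hi_l = impact >= threshold, likelihood >= threshold
    if hi_i and hi_l:
        return "high-focus"
    if hi_i:
        return "high-impact/low-likelihood"
    if hi_l:
        return "low-impact/high-likelihood"
    return "low-focus"


def prioritize(register, threshold=3):
    """Rank for review: high-focus first, then by residual score; among equals,
    low-confidence estimates first because they need scrutiny before action."""
    conf_rank = {"low": 0, "medium": 1, "high": 2}
    rows = []
    for r in register:
        ri, rl = r.residual()
        rows.append({
            "name": r.name, "objective": r.objective,
            "inherent": r.inherent(), "residual": (ri, rl),
            "score": ri * rl, "quadrant": quadrant(ri, rl, threshold),
            "confidence": r.confidence,
        })
    rows.sort(key=lambda row: (row["quadrant"] != "high-focus",
                               -row["score"], conf_rank[row["confidence"]]))
    return rows


def high_focus(register, threshold=3):
    """Names of the risks that land high and to the right, in priority order."""
    return [row["name"] for row in prioritize(register, threshold)
            if row["quadrant"] == "high-focus"]


def render_map(rows):
    """Text risk map: impact 5..1 top to bottom, likelihood 1..5 left to right.
    Each cell lists the 1-based rank of the risks plotted there."""
    cells = {(i, lk): [] for i in SCALE for lk in SCALE}
    for rank, row in enumerate(rows, 1):
        cells[row["residual"]].append(str(rank))
    out = ["impact \\ likelihood " + " ".join(f"{lk:^5}" for lk in SCALE)]
    for i in reversed(SCALE):
        out.append(f"{i:^19} " + " ".join(
            f"{','.join(cells[(i, lk)]) or '.':^5}" for lk in SCALE))
    return "\n".join(out)


# Constructed register for a hypothetical university (not real data).
REGISTER = [
    Risk("Breach of student PII in legacy SIS", "Technology", 5, 4, "medium",
         [("encrypt database at rest", 1, 0), ("purge SSNs from legacy extracts", 1, 1)]),
    Risk("Phishing of staff credentials", "Technology", 3, 5, "low",
         [("awareness training", 0, 1)]),
    Risk("Breach-notification law non-compliance", "Operational", 4, 2, "high",
         [("notification playbook", 1, 0)]),
    Risk("Data-center power outage", "Operational", 4, 2, "high",
         [("UPS plus generator", 0, 1)]),
    Risk("Vendor SaaS outage", "Operational", 2, 4, "medium"),
    Risk("Website defacement", "Strategic", 1, 3, "high"),
]

if __name__ == "__main__":
    ranked = prioritize(REGISTER)
    for rank, row in enumerate(ranked, 1):
        print(f"{rank}. {row['name']:<40} inherent={row['inherent']} "
              f"residual={row['residual']} {row['quadrant']} ({row['confidence']} confidence)")
    print(render_map(ranked))
```

Two points the slide makes show up directly in the output: the PII breach is the worst inherent risk on the register but drops out of the top spot once its controls are credited, while phishing stays high-focus because training only moves likelihood one step; and the "low" confidence on the phishing estimate is carried through so the review knows which high-focus item rests on the shakiest numbers.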


Two risk assessment tools

Scenario Planning
Consideration of events or outcomes that could reasonably occur - not necessarily based on historical data.
Gathered through brainstorming with "what if's". Involves environmental scanning, predictive analysis, cross-functional input from multiple sources.
Creates circumstances to judge "preparedness". Addresses impact and likelihood.

Root Cause Analysis
Root cause analysis helps identify what, how and why something happened, thus preventing recurrence.
Root causes are underlying, are reasonably identifiable, can be controlled by management and allow for generation of recommendations.
The process involves data collection, cause charting, root cause identification and recommendation generation and implementation.
By directing corrective measures at root causes, it is hoped that the likelihood of problem recurrence will be minimized.


The role of "People" in ERM

Every company tailors its ERM program based on its specific needs...
◦ A common element is that day-to-day risk management decisions are made at every level in the organization.

Any organization concerned with successfully operationalizing ERM must ensure that its people...
◦ Understand ERM concepts
◦ Understand how to carry out their responsibility, acting in accordance with any defined ERM principles.


Roadblocks to getting people to act in accordance with ERM principles

Organizational culture
Not linked to any unique sanction, reward or incentive
Complexity of the ERM process itself
Cost/benefit constraints
Expertise
Dynamic nature of managing risks
Cross functional differences

"A successful CRO does not command from above. They set a framework for risk management, while day-to-day decisions on what is or isn't an acceptable risk fall to managers and employees in the front line of business."

Economist Intelligence


Overcoming ERM obstacles to decision makers

Clarify objectives

Communicate (top down and bottom up)

Include and involve in all aspects of ERM program

Create performance metrics and expectations

Factor in emotions


The future will require an increasing focus on:

New Enemies - Terrorists, professionals with different motivations, man-made and natural events
Posing New Threats - Real time, context aware activity, instantaneous, multiple sources, catastrophic impact
Requiring New Solutions - Moving from reactive to proactive; adaptive, responsive to context; based on risk assessment


Organizations will need a comprehensive "Risk" focus...

Board and Executive Management Support
Common risk language and concepts
Communication about risk using appropriate channels
Development of training programs for risk management
Development of a knowledge-sharing system
Built into performance expectations
Identification of cross-functional "risk champions"

Goal is to create a risk culture where people consciously take risk into consideration in decision-making at all levels of the organization