Addressing Complex Security Threats Through Risk Management (166377275)
7/29/2019 Addressing Complex Security Threats Through Risk Management (166377275)
http://slidepdf.com/reader/full/addressing-complex-security-threats-through-risk-management-166377275 1/21
Addressing Complex Security Threats Through Risk Management
EDUCAUSE Security Professionals Conference
May 6, 2008
Rebecca J. Whitener, CPA, CIA, CISA, CFE
Former Vice President and Chief Risk Officer, EDS
There are complex issues impacting business, government and higher education

Authentication
Identity Theft
Power Outages
Personal Information Loss
Crime
Intellectual Property
Fraud
Disease Outbreaks
Violence
Earthquakes
Terrorism
Lawsuits
Floods
Political and Social Unrest
Advances in technology create new exposures

“…each new wave of technology will make obsolete existing information security measures - increasing security exposures in new and legacy environments”
Gartner
Organizations of all types are susceptible to these threats…

[Mock-up newspaper front page, dated April 2, 2001, with the headline “Your Company” a victim of Cyberspace crime again - Third time in Two Weeks - Could it have been prevented; a bar chart labelled “Online Attacks” rising from $1,000 (1998) through $1,100 (1999), $1,500 (2000) and $2,200 (2001) to $3,500 (2002); and a Washington Post masthead. The surrounding article text in the graphic is filler about Atlanta Public Schools and is not part of the presentation.]

226,874,657 records containing sensitive personal information involved in security breaches in the U.S. since January, 2005
Privacy Rights Clearinghouse, www.privacyrights.org, updated through May 4, 2008
Educational Security Incidents – 2007 *

2007 marked a significant change for information security incidents occurring at colleges and universities around the world, as reported in the news.

A sample of the information in the Educational Security Incidents (ESI) Year in Review - 2007:
Total Number of Incidents: 139 (67.5% increase over 2006)
Total Number of Institutions Affected: 112 (72.3% increase over 2006)

* The ESI Year in Review - 2007, by Adam Dodge, posted February 10th, 2008
Standard mode of operation for adverse event responses is becoming increasingly ineffective

Standard mode:
Reactive
Response to an event
IT driven
Based on assessments of vulnerabilities
Generally NOT pro-active

In contrast, the emerging approach is:
Focused on resilience
Cross-functional
Built upon a comprehensive “Risk” assessment
Enterprise Risk Management is emerging in response to these complex challenges*

Forces at work: Governance, Risk, Compliance, Disasters, Regulatory actions

These forces are leading to an increase in the need for a comprehensive view of enterprise-wide risks and the emergence of a new role – the Chief Risk Officer.

*Forrester
Stages of Enterprise Risk Management

Traditional - Focus on business line processes, internal controls
Enterprise-wide Coordination - CRO, Audit, General Counsel or cross-functional team develops a common direction for Governance, Risk and Compliance (GRC)
Move to Increased Monitoring and Reporting
Analysis - Collection and evaluation of data helps determine the impact and likelihood of risk events
Aggregation and Integration - Full integration into cross-functional processes and technologies

Governance, Risk and Compliance Continuum: Traditional Silo-based -> Cross Functional Coordination -> True Risk Resiliency

“…many business experts believe that the concept of a cross-functional convergence of these activities (Governance, Risk and Compliance) represents a progressive approach in this area, and is quickly replacing the traditional fragmented or silo mentality.”
The Corporate Defense Continuum, Risk and Compliance, Sean Lyons, 1/23/2007
ERM objectives include a balance between cost/benefit and opportunity optimization

[Diagram: Enterprise Risk Management positioned between Adverse Events on one side and Opportunities on the other.]
ERM implementations are challenging
Why is ERM so complex?

Often requires a “culture” change
It is hard to distinguish ERM from “old fashioned” business management
The approach that works for some companies may not work for others
ERM models are about estimating the impact and likelihood of risk events
The risk environment includes the behavior of people (difficult to predict)
Each “Risk” being considered within an ERM model is often highly dependent upon context
The complexity of the task requires an effective strategy

“…protecting the complex, technology-dependent, globally focused organization today is still in the hands of organizational structures and methods that were developed before the commercial computer age – let alone the network age. …Given this and the ‘silo’ development of operational risk functions, the compelling question organizations now need to ask is ‘what constitutes good risk management?’” BRG, 2005

[Maturity spectrum for any organization’s risk management strategy: Weak or non-existent cross-functional risk processes -> Some well developed processes with gaps -> Effective risk models and processes (Desired State)]
Elements of a comprehensive risk management strategy

Risk Issue Identification
Governance and Organization
Status Reporting
Map to Process and Owner
Action Plan Management
Assessment/Measurement
Culture and Awareness

Context is Critical
ERM framework & standards are available

COSO = Committee of Sponsoring Organizations

Risk Management Framework (based on AS/NZS 4360: Australian/New Zealand Standard, Risk Management):
Risk Management Context
Risk Governance
Awareness
Communications
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Monitor and Report
Prioritization of Risks

Collaborate on strategy
◦ Cross-functional input from legal, audit, CRO, CFO, CSPO, risk owners
Identify and classify relevant compliance requirements as they relate to:
◦ Strategic, Financial, Operational, Technology objectives
Assess impact, assign confidence ranking
◦ Identify impact/likelihood of adverse events on corporate objectives
◦ Assess inherent risks of noncompliance
◦ Assess risks remaining after mitigations
◦ Plot risks on risk map
Focus on areas with highest concerns
◦ Risks are not equally important
◦ Focus on those high and to the right

[Risk map: Impact on the vertical axis, Likelihood on the horizontal axis; the upper-right region is marked “High Focus Risks”.]
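The scoring steps above (estimate impact and likelihood, record a confidence ranking, credit the mitigations in place, plot on the map and work the upper-right quadrant first) can be carried out mechanically over a risk register. The following Python is an added illustration written for this page; it is not code from the presentation or from EDS. The 1..5 scales, the threshold of 4 for the “high and to the right” quadrant, the model of a control as a fixed reduction on one axis, and the sample register entries are all assumptions chosen for the example.

```python
"""Risk register scoring and prioritisation on an impact/likelihood risk map."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed scale bounds for both axes and the threshold for the "high and to the
# right" quadrant. The presentation gives no numeric scale; these are assumptions.
LOW, HIGH = 1, 5
FOCUS_THRESHOLD = 4


@dataclass(frozen=True)
class Control:
    """A mitigation in place, modelled (assumption) as a fixed reduction per axis."""
    name: str
    impact_reduction: int = 0
    likelihood_reduction: int = 0


@dataclass
class Risk:
    name: str
    objective: str        # Strategic, Financial, Operational or Technology objective
    impact: int           # 1 (negligible) .. 5 (severe) effect on corporate objectives
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    confidence: float     # 0..1: the assessors' confidence in their own estimate
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject out-of-scale estimates so a bad entry cannot silently skew the map.
        for axis in (self.impact, self.likelihood):
            if not LOW <= axis <= HIGH:
                raise ValueError(f"{self.name}: impact and likelihood must be {LOW}..{HIGH}")
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError(f"{self.name}: confidence must be between 0 and 1")

    def inherent(self) -> tuple[int, int]:
        """(impact, likelihood) before any mitigation is credited."""
        return self.impact, self.likelihood

    def residual(self) -> tuple[int, int]:
        """(impact, likelihood) after the listed controls, clamped to the scale.

        Clamping matters: a generous control estimate must not push a risk off
        the map; it can at most bring the risk down to the scale floor."""
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(LOW, min(HIGH, imp)), max(LOW, min(HIGH, lik))

    def score(self, after_controls: bool = True) -> int:
        """Impact x likelihood, the usual single number used for ranking."""
        imp, lik = self.residual() if after_controls else self.inherent()
        return imp * lik


def quadrant(impact: int, likelihood: int, threshold: int = FOCUS_THRESHOLD) -> str:
    """Place a point on the map; impact is the vertical axis, likelihood the horizontal."""
    hi_imp, hi_lik = impact >= threshold, likelihood >= threshold
    if hi_imp and hi_lik:
        return "high focus"                 # upper right: act on these first
    if hi_imp:
        return "high impact / low likelihood"
    if hi_lik:
        return "low impact / high likelihood"
    return "low focus"


def prioritise(register: list[Risk]) -> list[dict]:
    """Rank by residual score, then inherent score, then lowest confidence first,
    so that among otherwise equal risks the least understood one is reviewed soonest."""
    rows = []
    for r in register:
        res_imp, res_lik = r.residual()
        rows.append({
            "risk": r.name,
            "objective": r.objective,
            "inherent": r.score(after_controls=False),
            "residual": r.score(),
            "quadrant": quadrant(res_imp, res_lik),
            "confidence": r.confidence,
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"], row["confidence"]))
    return rows


def high_focus(register: list[Risk]) -> list[str]:
    """Names of the risks still 'high and to the right' after mitigation."""
    return [row["risk"] for row in prioritise(register) if row["quadrant"] == "high focus"]


# Constructed sample register: illustrative entries, not data from the slides.
SAMPLE_REGISTER = [
    Risk("Loss of student PII from a shared file server", "Operational", 5, 4, 0.8,
         controls=[Control("Full-disk encryption on the server", likelihood_reduction=1)]),
    Risk("Regulatory fine for an unreported breach", "Financial", 4, 3, 0.6,
         controls=[Control("Breach notification runbook", impact_reduction=1,
                           likelihood_reduction=1)]),
    Risk("Campus power outage during exam week", "Operational", 3, 4, 0.9,
         controls=[Control("UPS plus generator", impact_reduction=2)]),
    Risk("Phishing of finance staff for wire transfers", "Financial", 4, 5, 0.7),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  {row['quadrant']:<30}  {row['risk']}")
```

Running the module prints the register sorted for the risk map: the uncontrolled phishing risk stays in the high-focus quadrant, the PII loss drops out of it once the encryption control is credited but keeps a high residual score, and the two mitigated operational and financial risks fall to the bottom. The clamp in residual() is the check worth keeping: without it an optimistic control estimate could take a risk below the scale floor and make it disappear from the map instead of being reviewed.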
Two risk assessment tools

Scenario Planning
Consideration of events or outcomes that could reasonably occur - not necessarily based on historical data.
Gathered through brainstorming with “what if’s”. Involves environmental scanning, predictive analysis, cross-functional input from multiple sources.
Creates circumstances to judge “preparedness”. Addresses impact and likelihood.

Root Cause Analysis
Root cause analysis helps identify what, how and why something happened, helping to prevent recurrence.
Root causes are underlying, are reasonably identifiable, can be controlled by management and allow for generation of recommendations.
The process involves data collection, cause charting, root cause identification, and recommendation generation and implementation.
By directing corrective measures at root causes, it is hoped that the likelihood of problem recurrence will be minimized.
The role of “People” in ERM

Every company tailors its ERM program based on its specific needs…
◦ A common element is that day-to-day risk management decisions are made at every level in the organization.
Any organization concerned with successfully operationalizing ERM must ensure that its people…
◦ Understand ERM concepts
◦ Understand how to carry out their responsibility…acting in accordance with any defined ERM principles.
Roadblocks to getting people to act in accordance with ERM principles

Organizational culture
Not linked to any unique sanction, reward or incentive
Complexity of the ERM process itself
Cost/benefit constraints
Expertise
Dynamic nature of managing risks
Cross functional differences

“A successful CRO does not command from above. They set a framework for risk management, while day-to-day decisions on what is or isn’t an acceptable risk fall to managers and employees in the front line of business.”
Economist Intelligence
Overcoming ERM obstacles for decision makers

Clarify objectives
Communicate (top down and bottom up)
Include and involve in all aspects of the ERM program
Create performance metrics and expectations
Factor in emotions
The future will require an increasing focus on:

New Enemies - Terrorists, professionals with different motivations, man-made and natural events
Posing New Threats - Real time, context aware activity, instantaneous, multiple sources, catastrophic impact
Requiring New Solutions - Moving from reactive to proactive; adaptive, responsive to context; based on risk assessment
Organizations will need a comprehensive “Risk” focus…

Board and Executive Management Support
Common risk language and concepts
Communication about risk using appropriate channels
Development of training programs for risk management
Development of a knowledge-sharing system
Built into performance expectations
Identification of cross-functional “risk champions”

Goal is to create a risk culture where people consciously take risk into consideration in decision-making at all levels of the organization.