Risk Tolerance: Balancing Business Needs And Risk CALA Road Show Lucent Worldwide Services Security Practice George G. McBride Managing Principal Lucent Worldwide Services Security Practice

Page 1: Risk Tolerance: Balancing Business Needs And Risk CALA Road Show Lucent Worldwide Services Security Practice George G. McBride Managing Principal Lucent.

Risk Tolerance: Balancing Business Needs And Risk

CALA Road Show

Lucent Worldwide Services Security Practice

George G. McBride
Managing Principal
Lucent Worldwide Services Security Practice


Lucent Technologies – CALA RoadShow 2005 2

Agenda

What is risk?

How can we measure it?

How do we know what is an acceptable level of risk?

Making the comparison and dealing with risk

Conclusions

Questions and Answers


What is risk?

No universally recognized “Definition”

The exposure/potential/possibility to suffer some loss of an asset

What about likelihood and impact?

Can be qualitative or quantitative

The most important concept:

– When talking about “risk”, make sure you agree on what definition you are using!


What types of risk are there?

Strategic Risk

– Risks that affect an organization’s ability to reach its goals

Financial Risk

– Risks that the company suffers unnecessary losses

Environmental (Physical) Risk

– Risks arising from relocation of the company or from physical damage

Operational Risk

Technical Risk

– Business Continuity, Integrity, Change Management, Disclosure

Political/Cultural Risk

– Personal agendas, regulatory, customer constraints


What do we have to measure?

Threats

– Likelihood

– Impact

Vulnerabilities

Controls Effectiveness

Threat Assessment and Threat Matrix

Vulnerability Assessment

Controls Assessment

The Risk Equation is Simple. Obtaining the Correct Values is Not


Asset Identification

What are the assets within an organization?

– Systems, buildings, cars, people, products

– Business processes, applications, data

How and who determines the assets?

– Commissioning, asset management, purchasing records, DHCP records, Active Directory

How often are the assets identified?


Asset Ownership and Management

Asset owner is usually the system administrator or someone from the support organization

Should be a business unit representative:

– Someone who can identify the data on the system

– Someone who can determine the users of the system

– Someone who understands the data flow (inbound and outbound)


Risk Speak

So many terms with so many equally valid definitions:

– Threat Agent

– Threat Catalyst

– Inhibitors / Amplifiers

– Catalyst

– Capability

– Motivation

– And More!


Traditional Risk Management

Mitigate all risks to effectively reduce risk to ZERO

– Risk > 0 Becomes Unacceptable

Extremely costly

Slow to mitigate the risks

Generally shuts the business down.

– How do you remove the risk of a production system?

[Chart: Risk (vertical axis) plotted against Asset Criticality and Sensitivity (horizontal axis); the threshold sits at 0, so every level of risk above zero is marked Unacceptable.]


Risk Management as an Enabler

Allows a business to measure the level of risk that they are “comfortable with”

Drive to mitigate risks to below the acceptable level, not zero

Acceptable level of risk may be by asset, physical location of device, corporate posture, etc.

Business enabler

[Chart: Risk (vertical axis) plotted against Asset Criticality and Sensitivity (horizontal axis); a Risk Tolerance line separates the Acceptable region below it from the Unacceptable region above it.]


Acceptable Levels of Risk Factors

How does a company determine their acceptable level of risk?

– Organization Risk Tolerance: Is the company a former brick & mortar type firm with a conservative approach or a progressive Silicon Valley firm looking to be the first to market?

– Personnel Tolerance: Individuals within the organization will affect the tolerance levels

– Reaction to Previous Events: What were the results of any previous compromises/intrusions/breaches?

– Policy, Regulations, Legal Issues: These may determine what level of risk a company can deal with

– Risk Scope: An organization may be focused on a particular system, but needs to be aware of additional connectivity issues


Advantages of “Acceptable Risk”

Truly serves as a business enabler

– This redefines the concept of “business vs security”

Competitive Advantage?

– Absolutely! Get services to market first!

Focus on fixing the risks that you have to address

May maintain various levels of acceptable risk

– Logical & Physical Location, Scope, Connectivity, Customer Base and usage


Risk Management

What stays the same?

– Still need a Risk Management Program

– Still need to know what the assets are

– Still need to have some type of risk assessment methodology

– Still need a risk management organization

– Still need to agree on a measurement mechanism

• Quantitative or Qualitative

– Risk Measurement is not a one-off effort

• Trigger points should initiate risk analysis at potential risk value change points during the asset lifecycle

– Still need to mitigate the risk


Risk Management Lifecycle

[Diagram: a cycle of stages, each feeding the next and Monitor feeding back into Identify Assets / Ownership]

– Identify Assets / Ownership

– Threat Assessment

– Vulnerability Assessment

– Assess Risk

– Determine and Implement Controls

– Monitor


Risk Management Program Plan

Develop a “Risk Management Program Plan”

– Defines the overall structure and program of the risk management efforts of the organization

– Describes the organizational structure, roles and responsibilities of the members

– Provides metrics, governance, compliance issues, reporting mechanisms, etc.

– Should place a “Risk Management Director/Officer” with the overall Corporate level responsibility

• manages the risk management organization and activities

– Database may be used to support the Program


Risk Database

Maintains Threats, Vulnerabilities, Controls, Likelihood, Impacts

Can be utilized for Quantitative and Qualitative efforts

Can prompt for periodic assessment reminders

Integrate with, or be, the Asset Database

Can be used to provide Enterprise Risk Management functions including:

– Dashboard

– Tiered and Segmented Reporting

Is extremely valuable to malicious individuals and must be protected accordingly

Supports compliance and governance matters


Trigger Points

You can’t just measure the risk of an asset every year or two. Certain changes must trigger a risk measurement of the asset.

A “Trigger Point” is a Risk Management program call that is inserted into other operations and programs to ensure that Risk Management is considered as part of certain programs and at the appropriate times.

– Business Impact Analysis

– Change Management

– Acquisitions

– System Commissioning or Decommissioning


Risk Methodologies

Many different types. Some fit better in particular companies or industries than others.

– OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation (http://www.cert.org/octave/)

– SPRINT, SARA, FIRM (http://www.securityforum.org)

– CRAMM (http://www.cramm.com/)

– RiskWatch, COBRA, and many others

Choose the one that works the best for you.

– Industry / Business Sector – Some tools work better than others

– Collateral Support – Including tools and training availability

– Industry Support – Who recognizes which methodologies


Risk Management – What Must Change

Modifications of the existing risk management program:

– Ensure that acceptable risk doesn’t slide below an agreed upon threshold

– Security analysts need to be business and operations savvy to understand business drivers

– Continuously monitor external resources such as new regulations, technologies, and what the competition is doing

– Process to determine whether to continue to mitigate further below “Acceptable Risk” or to move on


Summary

Know Your Assets!

Devote the required resources

Determine your “Acceptable Level of Risk”

– Use a consistent measurement unit

• Your “Medium” may not be somebody else’s “5”

– Determine the scope of the Acceptable Level

• Is it for all assets or particular assets

– Measure the level of risk
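As an added example (not part of the deck or of Lucent's material), the following Python puts the summary's points into working form: qualitative labels and numbers are mapped onto one agreed 1-5 scale, residual risk is scored from likelihood, impact and controls effectiveness, and each asset is compared against its own tolerance, as in the risk tolerance chart earlier in the deck. The scale, the weighting formula, the sample assets and the tolerance values are constructed assumptions, not figures from the presentation.

```python
# Added example, not from the Lucent deck: a minimal risk register that puts
# qualitative ratings on one numeric scale, scores residual risk from
# likelihood, impact and controls effectiveness, and compares each asset's
# score against a per-asset risk tolerance. The scale, the formula and the
# sample assets below are constructed for illustration.
from dataclasses import dataclass

# One agreed measurement unit: "your Medium may not be somebody else's 5".
SCALE = {"low": 1, "medium": 3, "high": 5}


def to_score(value):
    """Accept a qualitative label or a number on the 1-5 scale; reject anything else."""
    if isinstance(value, str):
        return float(SCALE[value.lower()])
    if isinstance(value, (int, float)) and 1 <= value <= 5:
        return float(value)
    raise ValueError(f"rating {value!r} is not on the agreed 1-5 scale")


@dataclass
class Asset:
    name: str
    likelihood: object             # threat likelihood: label or 1-5
    impact: object                 # impact if the threat is realised: label or 1-5
    controls_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective)
    tolerance: float               # acceptable residual risk for this asset (0-25)


def residual_risk(asset):
    """Inherent risk = likelihood * impact (1..25); effective controls reduce it."""
    inherent = to_score(asset.likelihood) * to_score(asset.impact)
    return inherent * (1.0 - asset.controls_effectiveness)


def evaluate(assets):
    """Map asset name -> (residual risk, 'acceptable'|'unacceptable', gap above tolerance)."""
    results = {}
    for a in assets:
        r = residual_risk(a)
        status = "acceptable" if r <= a.tolerance else "unacceptable"
        results[a.name] = (round(r, 2), status, round(max(0.0, r - a.tolerance), 2))
    return results


# Constructed sample register; tolerance differs by asset criticality.
REGISTER = [
    Asset("billing-db", "high", "high", 0.6, tolerance=6.0),
    Asset("intranet-wiki", "medium", 2, 0.2, tolerance=6.0),
    Asset("lab-test-host", 4, "low", 0.0, tolerance=8.0),
]

if __name__ == "__main__":
    for name, (risk, status, gap) in evaluate(REGISTER).items():
        print(f"{name:15} residual={risk:5.2f} {status} (gap above tolerance {gap})")
```

Only assets flagged "unacceptable" need further mitigation; the gap tells you how far below the tolerance line each one must be brought before the program can "move on".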


Any questions?

Lucent Technologies – Bell Labs Innovations

Lucent Technologies Inc.
Room 1B-237A
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]

George McBride
Managing Principal

Lucent Worldwide Services

Contact me at [email protected] with any questions that you may have.