A Balancing Act Between Risk Appetite and Risk Tolerance Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation
2 IT Risk Analysis and Management Threat Vulnerability Impacts Risks Risk Analysis Risk Analysis Risk Management Risk Management Countermeasures
3 Configuration: Are my systems configured securely? Are my systems configured securely? Vulnerability: What is the exposure to my systems? What is the exposure to my systems? Compliance: Am I meeting Regulatory requirements? Am I meeting Regulatory requirements? Identity: Do my users have appropriate rights? Servers OS Data Infrastructure Servers OS Data Infrastructure Users Groups Directory Access Control Users Groups Directory Access Control RISK Security Detail of IT risk
4 Return on Security Investment Purchase Cost Life Expectancy Annual Maintenance Annual Cost Risk of deployment EffectivenessROSI Door Lock $5010$0$5Low High Deadbolt $5010$0$5Low High Window Bars $200010$0$20Med Alarm $100NA$300 LowMed Security Fence $300010$120$310MedHighMed Guard Dog $20006$4000$1000High Low Armed Guard $0NA$30,000 LowHighLow
5 Compliance and Cost Achieve compliance through improved productivity and efficiency – Point B –Replace manual methods with automated processes to reduce Compliance Risk –Organizations with limited resources operate more efficiently Maintain your compliance level but with greatly reduced cost – Point C –Reduce Compliance spending –Redirect savings to other compliance efforts The reality is that you will experience a combination of B & C Achieve compliance through improved productivity and efficiency – Point B –Replace manual methods with automated processes to reduce Compliance Risk –Organizations with limited resources operate more efficiently Maintain your compliance level but with greatly reduced cost – Point C –Reduce Compliance spending –Redirect savings to other compliance efforts The reality is that you will experience a combination of B & C Current Experience Optimized Experience Optimizing Compliance Cost Compliance Risk A A C C B B
6 Ideal Compliance Monitoring
7 Breadth of Coverage Across IT Stack CIA –Confidentiality –Integrity –Availability Maximize CIA throughout the whole IT Stack Prioritize sections of the stack that pose higher risk Evaluate best of breed vs. integrated solutions CIA –Confidentiality –Integrity –Availability Maximize CIA throughout the whole IT Stack Prioritize sections of the stack that pose higher risk Evaluate best of breed vs. integrated solutions
8 Changing Concerns %30% 20%30% 10%20% 5%10% 20%5% 25%5% IT Stack Time Investment
9 Risk Management process 1.Scope definition –Determine processes and risks to be evaluated 2.Process Walkthrough –Step through the processes to validate them against their goals 3.Risk Assessment –Execute the processes in the context of risks to be evaluated 4.Control identification and evaluation –Document IT controls and supplemental manual controls –Document risks identified by these controls 5.Residual risk assessment –Provide a residual risk assessment for each process –Provide recommendations for remediation 1.Scope definition –Determine processes and risks to be evaluated 2.Process Walkthrough –Step through the processes to validate them against their goals 3.Risk Assessment –Execute the processes in the context of risks to be evaluated 4.Control identification and evaluation –Document IT controls and supplemental manual controls –Document risks identified by these controls 5.Residual risk assessment –Provide a residual risk assessment for each process –Provide recommendations for remediation
10 Risk Management Deliverables 1.Process and sub-process maps –Clearly document the business processes within the engagement boundary definition; 2.Business process automation recommendations –Definition of the process, objectives, threats and controls at a detailed level 3.Risk and control matrix –For each process a summary of risk assessments, control ratings and determination of residual risk level 4.Recommendations –Short, medium and long-term remediation plan –Prioritize remediation efforts 1.Process and sub-process maps –Clearly document the business processes within the engagement boundary definition; 2.Business process automation recommendations –Definition of the process, objectives, threats and controls at a detailed level 3.Risk and control matrix –For each process a summary of risk assessments, control ratings and determination of residual risk level 4.Recommendations –Short, medium and long-term remediation plan –Prioritize remediation efforts
11 Risk reduction solutions Compliance Officer (compliance) IT Operations (configuration) IT Operations & Security (vulnerability) Security & Help Desk (identity management) Define Create policy Maintain policy Enforce Policy Evaluate Evaluate against PolicyEvaluate against policy Maintain gold standards Evaluate against policy Evaluate against known threats Administer according to policy Evaluate against policy Remediate Report RemediateReport Risk Analysis Remediate Remediate Sample Solution Policy Management Product Content Workflow Document Management Link to evidence Configuration Management Product Link to Policy Gold Standards Baselines Trending Patch Management Alerting Remediation Audit Security Management Product Link to Policy Gold Standards Baselines Trending Vulnerability Assessment Intrusion Prevention Security event Management Audit Identity Management Product Synchronize identities Manage Access Control Manage directories and OS Password Management Authentication Security event Management Audit
Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation
13 Contact BindView General Sales John Balena, Federal Sales Phone: Contact BindView General Sales John Balena, Federal Sales Phone: