A Balancing Act Between Risk Appetite and Risk Tolerance. Federal Information Systems Security Educators’ Association Conference, March 2005. Ezra Cornell Duong-Van, Director, Strategic Marketing, BindView Corporation.

Presentation transcript:

A Balancing Act Between Risk Appetite and Risk Tolerance
Federal Information Systems Security Educators’ Association Conference, March 2005
Ezra Cornell Duong-Van, Director, Strategic Marketing, BindView Corporation

2 IT Risk Analysis and Management
Diagram: Threat, Vulnerability and Impacts combine into Risks; Risk Analysis feeds Risk Management, which selects Countermeasures.

3 Detail of IT Risk
Configuration: Are my systems configured securely? (servers, OS, data, infrastructure)
Vulnerability: What is the exposure of my systems? (servers, OS, data, infrastructure)
Compliance: Am I meeting regulatory requirements?
Identity: Do my users have appropriate rights? (users, groups, directory, access control)
Diagram labels: RISK, Security

4 Return on Security Investment

Countermeasure | Purchase Cost | Life Expectancy (years) | Annual Maintenance | Annual Cost | Risk of Deployment | Effectiveness | ROSI
Door Lock      | $50           | 10                      | $0                 | $5          | Low                |               | High
Deadbolt       | $50           | 10                      | $0                 | $5          | Low                |               | High
Window Bars    | $200          | 10                      | $0                 | $20         | Med                |               |
Alarm          | $100          | NA                      | $300               |             | Low                | Med           |
Security Fence | $3000         | 10                      | $120               | $310        | Med                | High          | Med
Guard Dog      | $2000         | 6                       | $4000              | $1000       | High               |               | Low
Armed Guard    | $0            | NA                      | $30,000            |             | Low                | High          | Low
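The slide gives the cost columns but not how Annual Cost or ROSI were derived. The following is an added example, not BindView's or the presenter's code: it annualizes each countermeasure with straight-line amortization plus maintenance (an assumption that reproduces the $5 and $20 rows above, but not every row on the slide) and ranks the controls with the common ROSI definition (ALE times the share of loss the control prevents, minus its annual cost, divided by that cost). The ALE and mitigation ratios are constructed inputs; the "NA" life expectancy and the $0-purchase Armed Guard are the edge cases to get right.

```python
"""Annualized cost and return on security investment (ROSI) for countermeasures.

Added example; the formulas below are assumptions, not the slide's:
  annual_cost = purchase_cost / life_years + annual_maintenance
  rosi        = (ALE * mitigation_ratio - annual_cost) / annual_cost
ALE (annualized loss expectancy) is the expected yearly loss the control
defends against; mitigation_ratio is the share of that loss it prevents.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Countermeasure:
    name: str
    purchase_cost: float
    life_years: Optional[int]   # None models the slide's "NA" (no finite life)
    annual_maintenance: float

    def annual_cost(self) -> float:
        """Straight-line amortization over the life expectancy plus maintenance."""
        if self.life_years:
            return self.purchase_cost / self.life_years + self.annual_maintenance
        # No finite life: nothing to amortize, only the recurring cost counts.
        return self.annual_maintenance


def rosi(annual_cost: float, ale: float, mitigation_ratio: float) -> Optional[float]:
    """ROSI as a ratio of the annual cost.

    Returns None when there is no cost to divide by: a free control has an
    undefined ROSI, not an infinite one, and must not top a ranking by accident.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if annual_cost <= 0:
        return None
    return (ale * mitigation_ratio - annual_cost) / annual_cost


def rank_by_rosi(items: List[Tuple[Countermeasure, float]], ale: float) -> List[Tuple[str, float]]:
    """Rank (countermeasure, mitigation_ratio) pairs by ROSI, best first.

    Controls with undefined ROSI are left out rather than sorted to the top.
    """
    scored: List[Tuple[str, float]] = []
    for cm, ratio in items:
        r = rosi(cm.annual_cost(), ale, ratio)
        if r is not None:
            scored.append((cm.name, round(r, 2)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Cost figures from the slide; the mitigation ratios (second element) and the
# ALE used below are constructed for this example and are not on the slide.
SLIDE_COUNTERMEASURES: List[Tuple[Countermeasure, float]] = [
    (Countermeasure("Door Lock", 50, 10, 0), 0.30),
    (Countermeasure("Window Bars", 200, 10, 0), 0.40),
    (Countermeasure("Alarm", 100, None, 300), 0.50),
    (Countermeasure("Security Fence", 3000, 10, 120), 0.60),
    (Countermeasure("Armed Guard", 0, None, 30_000), 0.90),
]

if __name__ == "__main__":
    for name, r in rank_by_rosi(SLIDE_COUNTERMEASURES, ale=10_000):
        print(f"{name:15s} ROSI = {r:,.2f}")
```

With a constructed ALE of $10,000 the cheap physical controls dominate and the Armed Guard comes out negative: its $30,000 a year exceeds the loss it could ever prevent at that ALE, which is the quantitative form of the slide's "Low" ROSI for it.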

5 Compliance and Cost
Achieve compliance through improved productivity and efficiency (Point B)
– Replace manual methods with automated processes to reduce compliance risk
– Organizations with limited resources operate more efficiently
Maintain your compliance level but with greatly reduced cost (Point C)
– Reduce compliance spending
– Redirect savings to other compliance efforts
The reality is that you will experience a combination of B and C.
Chart: Optimizing Compliance Cost (Compliance Cost against Compliance Risk; A marks the current experience, B and C the optimized experience)

6 Ideal Compliance Monitoring

7 Breadth of Coverage Across IT Stack
CIA
– Confidentiality
– Integrity
– Availability
Maximize CIA throughout the whole IT stack
Prioritize sections of the stack that pose higher risk
Evaluate best of breed vs. integrated solutions

8 Changing Concerns
Chart: Time Investment across the IT Stack, two percentages per layer (30%; 20% / 30%; 10% / 20%; 5% / 10%; 20% / 5%; 25% / 5%)

9 Risk Management Process
1. Scope definition
– Determine processes and risks to be evaluated
2. Process walkthrough
– Step through the processes to validate them against their goals
3. Risk assessment
– Execute the processes in the context of risks to be evaluated
4. Control identification and evaluation
– Document IT controls and supplemental manual controls
– Document risks identified by these controls
5. Residual risk assessment
– Provide a residual risk assessment for each process
– Provide recommendations for remediation

10 Risk Management Deliverables
1. Process and sub-process maps
– Clearly document the business processes within the engagement boundary definition
2. Business process automation recommendations
– Definition of the process, objectives, threats and controls at a detailed level
3. Risk and control matrix
– For each process, a summary of risk assessments, control ratings and determination of residual risk level
4. Recommendations
– Short, medium and long-term remediation plan
– Prioritize remediation efforts

11 Risk Reduction Solutions
Roles (columns): Compliance Officer (compliance) | IT Operations (configuration) | IT Operations & Security (vulnerability) | Security & Help Desk (identity management)

Define
– Compliance Officer: create policy, maintain policy, enforce policy

Evaluate
– Compliance: evaluate against policy
– Configuration: evaluate against policy; maintain gold standards
– Vulnerability: evaluate against policy; evaluate against known threats
– Identity: administer according to policy; evaluate against policy

Remediate
– Compliance: report
– Configuration: remediate; report
– Vulnerability: risk analysis; remediate
– Identity: remediate

Sample Solution
– Policy Management Product: content, workflow, document management, link to evidence
– Configuration Management Product: link to policy, gold standards, baselines, trending, patch management, alerting, remediation, audit
– Security Management Product: link to policy, gold standards, baselines, trending, vulnerability assessment, intrusion prevention, security event management, audit
– Identity Management Product: synchronize identities, manage access control, manage directories and OS, password management, authentication, security event management, audit
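The configuration column above (evaluate against policy, maintain gold standards, baselines, trending, remediation, audit) is what a configuration-assessment tool automates. The following is an added example, not BindView's product or code: a gold standard expressed as rules, a constructed host snapshot evaluated against it, findings ordered by severity, a compliance ratio for trending, and remediation lines. The rule names, values and host are assumptions for illustration. Two behaviours matter for the audit step: a setting missing from the snapshot is reported as a gap rather than silently passed, and a malformed value counts as a failure rather than aborting the run.

```python
"""Evaluate a system configuration snapshot against a gold-standard baseline.

Added example (not BindView's code). The rule set and the snapshot are
constructed for illustration; real baselines would come from policy or a
hardening benchmark, and snapshots from a collector on each host.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Rule:
    key: str                      # setting name as it appears in the snapshot
    check: Callable[[Any], bool]  # predicate over the observed value
    expected: str                 # human-readable expected value for the report
    severity: str                 # "high" | "medium" | "low"


@dataclass(frozen=True)
class Finding:
    host: str
    key: str
    actual: Any
    expected: str
    severity: str


# Gold standard: the policy the evaluation step checks against (constructed).
GOLD_STANDARD: List[Rule] = [
    Rule("ssh.PermitRootLogin", lambda v: v == "no", "no", "high"),
    Rule("ssh.PasswordAuthentication", lambda v: v == "no", "no", "high"),
    Rule("password.min_length", lambda v: isinstance(v, int) and v >= 12, ">= 12", "medium"),
    Rule("audit.enabled", lambda v: v is True, "true", "medium"),
    Rule("ntp.servers", lambda v: isinstance(v, list) and len(v) >= 2, "at least 2 servers", "low"),
]

# Snapshot of one host as a collector might report it (constructed).
SNAPSHOT_HOST_A: Dict[str, Any] = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "password.min_length": 8,
    "audit.enabled": True,
    # "ntp.servers" is absent: the collector could not read it.
}


def evaluate(host: str, snapshot: Dict[str, Any], rules: List[Rule]) -> List[Finding]:
    """Return one finding per rule the snapshot fails, highest severity first.

    A setting missing from the snapshot is reported rather than skipped:
    "could not verify" is a compliance gap, not a pass.
    """
    findings: List[Finding] = []
    for rule in rules:
        if rule.key not in snapshot:
            findings.append(Finding(host, rule.key, "<missing>", rule.expected, rule.severity))
            continue
        value = snapshot[rule.key]
        try:
            ok = bool(rule.check(value))
        except Exception:  # a malformed value must count as a failure, not crash the run
            ok = False
        if not ok:
            findings.append(Finding(host, rule.key, value, rule.expected, rule.severity))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def compliance_ratio(findings: List[Finding], rules: List[Rule]) -> float:
    """Share of rules passed: the per-host number a trending report would plot."""
    return 1.0 - len(findings) / len(rules)


def remediation_plan(findings: List[Finding]) -> List[str]:
    """Ticket-style lines for the remediate step, in severity order."""
    return [f"[{f.severity}] {f.host}: set {f.key} to {f.expected} (observed {f.actual!r})"
            for f in findings]


if __name__ == "__main__":
    found = evaluate("host-a", SNAPSHOT_HOST_A, GOLD_STANDARD)
    print(f"compliance: {compliance_ratio(found, GOLD_STANDARD):.0%}")
    for line in remediation_plan(found):
        print(line)
```

Storing each host's findings and compliance ratio per run gives the baseline and trending data the slide lists; linking each rule to the policy clause it enforces gives the link to policy and the evidence an auditor asks for.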

12 Ezra Cornell Duong-Van, Director, Strategic Marketing, BindView Corporation

13 Contact BindView
General Sales
John Balena, Federal Sales
Phone: