
1. Integrating information security into enterprise risk management (and how a common framework can be used to satisfy SOX compliance)
Michael Sullivan, Chief Information Officer, Entrust, Inc.

2. My Journey…My Perspective
© Copyright Entrust, Inc. 2005
Engineering…electronics…PMO…IT management
Distributed collaboration…web applications
Head of IS-IT through Y2K, ERP and the boom/bust cycle
Practical approach used for InfoSec Governance (ISG)
Industry task forces, townhall sessions on ISG
Evolved through SOX Year 1 confusion (Dec. 04)
Currently integrating ERM concepts

3. Why Enterprise Risk Management
Information security
–Headlines confirm failures produce real business impact
Regulatory compliance
–Inconsistent “best” practices being self-imposed
Enterprise risk management
–Help me position audit findings and legal liabilities
Search for the Holy Grail
–A single framework to provide focus and efficiency

4. Collision of Forces
Specialty areas have grown up separately
–Different perspectives + terminology; folklore + stereotypes
Enterprise risk management
–ID objectives, events, assess risks, response and controls
–Are you taking on too much risk?
Information security management
–ID assets, threats, impact, likelihood, countermeasures
–Are your key assets protected from the changing threat landscape?
Internal controls and compliance
–ID objectives, risks, controls, assess controls, corrective actions
–Are your controls operating effectively?

5. Popular Framework Choices
COSO/COSO ERM (control and risk guidance)
COBIT (IT governance reference)
ITIL (service organization model)
ISO 17799 (information security-specific)
Vendor-specific (solution-oriented)
OR
Number 1 choice: Homegrown solution based on one or all of the above

6. Stretching a Framework to Fit
Become familiar with the other worlds
–Learn the language, challenges, directions
Put assessments into a consistent business perspective
–Not risk to a specific group, but risk to the business as a whole because of a security failure in the group
–Requires understanding the contribution of the group to the business success
Ensure security protections are identified as controls
–List them all; formal and informal; automated and ad hoc
–Identify the key controls which should be tested regularly

7. Where to Look for Guidance
The References
–COSO, CoCo, COBIT, ITIL, ISO 17799/13335/27001
–NIST, OECD, CMU-SEI, global federal and state governments
The Experience
–Specialty associations (SANS), analysts (Gartner), conferences
–Security, audit, risk mgmt, culture change, project mgmt, governance, general management
Product and service vendors
–Whitepapers, case studies…and sales newsletters…
–Webcasts, news and magazine articles, blogs, books

8. How to Lose Friends and Infuriate People
Too many stakeholders; too many perspectives
–Focus on your personal objective: culture change
Security and risk mgmt are long-term commitments
–Slow + steady wins the race; minimum three-year timeline
Executive sponsorship is NOT required
–They are accountable, so work with it
Alignment with the business is not sustainable
–Give away what is most dear to you; make it theirs
Information Security is NOT Job #1
–They determine "acceptable" risk in decisions every day
–Your job is to help them make informed decisions

9. ISG – Keys to Successful Deployment
Identify key systems (NIST SP800-18)
Simple subjective risk assessment (OMB A-130 App. III)
Risk expressed in words (threat, vulnerability, impact)
Red - Yellow - Green ranking (FIPS-PUB 199)
Iterative process, progressive detail (GAO/AIMD 00-33)
Transparent process with summary reporting (GAO/AIMD 98-68)

10. One Way Forward
One-hour sessions quarterly with managers to review:
–Functions of the workgroup in support of business success
–Systems and information needed to support those functions
–Impact from a failure of confidentiality, integrity, availability
–Assessment of controls/residual risk per ISO 17799 element
–Use the session to raise awareness of threats and risks
–Follow up with groups they defer to (IT, Legal, HR)
Consolidate view across the organization
–Feedback to managers on where they stand relative to others
–Share results up the management chain, request feedback
Let the managers do the assessment
–If you can't convince them it's a risk, they won't deal with it
–They can put it into business terms better than you can

11. Small Steps…
Remember the three-year timeline; don't push
–Walk them through the "maturity" phases: blissful ignorance, awareness, corrective and operational excellence*
Keep to your one-hour time limit
–Your biggest obstacle is getting their time; the more you ask for, the less likely you'll get any
Use the time between sessions to build awareness
–Send a few news clippings, short case studies, or competitor stories to reinforce your discussion
Make the status quo unacceptable or move on
–Acceptable risk is not a problem
* Gartner, Inc. research note G00127617

12. Elements of a Successful Framework
Management: tasks, responsibilities, practices
Governance: reporting up and decisions down
Business-oriented: alignment by design
Evaluative: comprehensive list to think about
Progressive: drives continuous improvement
Participatory: delivers awareness and culture change
Realistic: security is not the highest priority
Authoritative: uses external references or review
Expeditious: immediate benefit from effort invested
Adaptive: every situation is unique

13. Thank You
www.entrust.com
