Crown Jewels Risk Assessment: Cost-Effective Risk Identification


1 Crown Jewels Risk Assessment: Cost-Effective Risk Identification
GRC-W11
Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow
CEO, Lantego
@douglandoll

2 Information Security Risk Assessment (ISRA)
Definition: An objective analysis of how effectively the current security controls protect an organization's assets, and a determination of the probability of losses to those assets.
Benefits:
  Information Security Program Oversight: e.g., checks and balances
  Periodic Review: review effectiveness after threats, environment, and business process changes
  Basis for Risk-based Spending: buy the greatest risk reductions, not pet projects and squeaky wheels

3 Information Security Risk Assessment
The risk assessment process follows these five steps for EVERY risk assessment subject.
ISRA Process:
  Preparation: Scope, Assets, Boundaries, Controls
  Data Gathering: Review, Interview, Observe, Test
  Risk Analysis: Threat, Vulnerability, Impact
  Risk Remediation: Safeguards, Cost Effectiveness
  Reporting and Resolution: Report, Repository, Guidance, Tracking

4 Traditional Centralized System Risk Assessments
Traditional organizations have centralized information systems:
  Common organizational controls: security policy, human resources, training, incident response
  Common system controls: authentication, configuration management, incident monitoring
  Limited systems
(Diagram: General Office; Mission Applications; Services: Authentication, File Server, Database, Network Infrastructure)

5 De-Centralized System Risk Assessments
Many organizations have expanded beyond centralized information systems:
  Cloud-based applications: file storage, marketing, expense tracking, business intelligence
  Third party management: system hosting, out-sourced development, human resources, sales
  "Unlimited" systems
(Diagram: General Office; Mission Applications; Services: Authentication, File Server, Database, Network Infrastructure)

6 Information Security Risk Assessment
The Data Gathering step of the ISRA process does not scale well.
ISRA Process: Preparation, Data Gathering, Risk Analysis, Risk Remediation, Reporting and Resolution

7 Effect of Increasing # of Systems
Cost increases drastically as the number of systems increases.

8 Effect of Increasing # of Systems
Data quality suffers as the number of systems increases.

9 Data Quality Typically Suffers
Self-assessments ask each system owner to rate the strength of their systems.
Survey-based assessments send questionnaires to control custodians.

10 Most Critical Data & Systems
Crown Jewel Approach: Most Critical Data & Systems
  Threats: all system threats + unique threats + targeted attacks
  Impact: catastrophic impact upon system loss or upon data loss

11 Most Critical Data & Systems
Crown Jewels Approach: Most Critical Data & Systems
  Volume: for most organizations, 0.01% - 2.0% of total sensitive data
  Impact: represents up to 70% of sensitive data value
Source: U.S. President's 2006 Economic Report to Congress

12 Crown Jewels Project Environment
Fortune 500 Subsidiary
  189 information systems; 80%+ cloud-based
  36 system owners; 15 system custodians
Parsons Proprietary

13 Crown Jewels Project Define Discover Baseline Analyze Secure
Define: For each business unit: Identify Critical Systems; Define Critical Data
Discover: For each Crown Jewel: Identify Lifecycle, Environment, and Flows; Identify System & Environment Controls
Baseline: Identify Requirements; Assess Control Effectiveness
Analyze: Identify Control Gaps; Identify Security Risk; Prioritize Security Gaps
Secure: Create Security Solution Sets; Deploy Solutions; Monitor Solutions
Slide callouts: "Reduced systems from 186 to 20 here." "Applied risk remediation to overall program here."
ITAR CM
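The Define, Analyze and Secure steps above can be made concrete as a small scoring model. The following Python is an added illustration, not the presenter's or Parsons' material: the impact scale (1 to 5), the data-value share, the gap likelihood scale and every system, gap, safeguard and cost in it are constructed sample values. It filters an inventory down to its crown jewels, scores the risk of each control gap as likelihood times impact, and ranks candidate safeguards by risk reduction per dollar so that spending follows the largest reductions rather than the loudest request.

```python
"""Crown-jewel scoping and safeguard prioritisation (added example).

All scales, systems, gaps, safeguards and costs below are constructed
sample data for illustration; they are not from the presentation.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    impact_on_loss: int          # 1 (negligible) .. 5 (catastrophic), constructed scale
    data_value_share: float      # fraction of total sensitive-data value held here
    gaps: dict = field(default_factory=dict)  # gap name -> likelihood 1..5


@dataclass
class Safeguard:
    name: str
    system: str                  # system the safeguard applies to
    closes: str                  # gap this safeguard addresses
    cost: float                  # annualised cost, constructed
    likelihood_reduction: int    # likelihood points the safeguard removes


def select_crown_jewels(systems, impact_threshold=5, value_threshold=0.10):
    """Define step: keep only systems whose loss is catastrophic or that hold a
    large share of sensitive-data value. This is the filter that shrinks the
    data-gathering scope from every system to a handful."""
    return [s for s in systems
            if s.impact_on_loss >= impact_threshold
            or s.data_value_share >= value_threshold]


def gap_risk(system, gap):
    """Analyze step: risk of one gap as an ordinal likelihood x impact product."""
    return system.gaps[gap] * system.impact_on_loss


def rank_safeguards(jewels, safeguards):
    """Secure step: order safeguards by risk reduction per unit cost.

    Returns a list of (reduction_per_cost, name, reduction, cost) tuples,
    best value first. Safeguards aimed at systems outside the crown-jewel
    scope are dropped, since the programme only spends on the jewels."""
    by_name = {s.name: s for s in jewels}
    ranked = []
    for sg in safeguards:
        target = by_name.get(sg.system)
        if target is None or sg.closes not in target.gaps:
            continue
        before = gap_risk(target, sg.closes)
        # Likelihood never drops below 1: a control reduces, never eliminates, risk.
        residual = max(target.gaps[sg.closes] - sg.likelihood_reduction, 1)
        after = residual * target.impact_on_loss
        reduction = before - after
        ranked.append((reduction / sg.cost, sg.name, reduction, sg.cost))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


# Constructed inventory: two catastrophic/high-value systems, two that are not.
SAMPLE_SYSTEMS = [
    System("ERP", 5, 0.40, {"no MFA on admin": 4, "unpatched DB": 3}),
    System("Engineering file share", 4, 0.25, {"world-readable shares": 4}),
    System("Expense tracker (SaaS)", 2, 0.01, {"weak password policy": 3}),
    System("Marketing CMS", 1, 0.00, {"outdated plugins": 5}),
]

# Constructed safeguards; the CMS one is outside the crown-jewel scope.
SAMPLE_SAFEGUARDS = [
    Safeguard("Enforce MFA for ERP admins", "ERP", "no MFA on admin", 20_000, 3),
    Safeguard("Patch ERP database", "ERP", "unpatched DB", 5_000, 2),
    Safeguard("Restrict file share ACLs", "Engineering file share",
              "world-readable shares", 8_000, 3),
    Safeguard("Update CMS plugins", "Marketing CMS", "outdated plugins", 2_000, 4),
]

if __name__ == "__main__":
    jewels = select_crown_jewels(SAMPLE_SYSTEMS)
    print("Crown jewels:", [s.name for s in jewels])
    for per_cost, name, reduction, cost in rank_safeguards(jewels, SAMPLE_SAFEGUARDS):
        print(f"{name}: -{reduction} risk for ${cost:,.0f} ({per_cost:.5f} per $)")
```

With the constructed data, two of four systems survive the Define filter, and the cheapest safeguard (patching the ERP database) ranks first even though the MFA control removes more absolute risk, because the ranking is per dollar, which is the cost-effectiveness criterion from the Risk Remediation step.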

14 Crown Jewels Project Define Discover Baseline Analyze Secure
Key Project Artifacts:
  Application Risk Survey & Interview Results
  Responses & Scoring
  Required Controls
  Controls Assessment
  Risk Analysis
  Solutions Development

15 Crown Jewels Project Results
Identification of corporate "Crown Jewels"
Determination of Crown Jewel risk
Limitation of assessment to most impactful elements
Creation of security controls plan with most significant risk reduction
Less Work - More Results

16 Applying Crown Jewel Lessons
Next Week:
  Identify your organization's security assessment plan: self vs. third party; frequency; rigor / technique (tests vs. assessments)
  Determine adequacy of the plan

17 Applying Crown Jewel Lessons
Within 1 Month:
  Identify and review contractual and legal security requirements
  Review latest security assessment reports
  Identify business process owners
Within 3 Months:
  Conduct Crown Jewels project
  Apply lessons learned

18 Thank You
Contacts: Doug Landoll, CEO, Lantego, dlandoll@lantego.com

19 Project Challenges Define Discover Baseline Analyze Secure
Common organizational definition of "Crown Jewels"
Identification of business processes
Identification of business / systems owners
Identifying a business champion
