Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Balancing Act Between Risk Appetite and Risk Tolerance Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell.

Published byThomas Rich Modified over 9 years ago

Similar presentations

Presentation on theme: "A Balancing Act Between Risk Appetite and Risk Tolerance Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell."— Presentation transcript:

1 A Balancing Act Between Risk Appetite and Risk Tolerance Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation

2 2 IT Risk Analysis and Management Threat Vulnerability Impacts Risks Risk Analysis Risk Analysis Risk Management Risk Management Countermeasures

3 3 Configuration: Are my systems configured securely? Are my systems configured securely? Vulnerability: What is the exposure to my systems? What is the exposure to my systems? Compliance: Am I meeting Regulatory requirements? Am I meeting Regulatory requirements? Identity: Do my users have appropriate rights? Servers OS Data Infrastructure Servers OS Data Infrastructure Users Groups Directory Access Control Users Groups Directory Access Control RISK Security Detail of IT risk

4 4 Return on Security Investment Purchase Cost Life Expectancy Annual Maintenance Annual Cost Risk of deployment EffectivenessROSI Door Lock $5010$0$5Low High Deadbolt $5010$0$5Low High Window Bars $200010$0$20Med Alarm $100NA$300 LowMed Security Fence $300010$120$310MedHighMed Guard Dog $20006$4000$1000High Low Armed Guard $0NA$30,000 LowHighLow

5 5 Compliance and Cost Achieve compliance through improved productivity and efficiency – Point B –Replace manual methods with automated processes to reduce Compliance Risk –Organizations with limited resources operate more efficiently Maintain your compliance level but with greatly reduced cost – Point C –Reduce Compliance spending –Redirect savings to other compliance efforts The reality is that you will experience a combination of B & C Achieve compliance through improved productivity and efficiency – Point B –Replace manual methods with automated processes to reduce Compliance Risk –Organizations with limited resources operate more efficiently Maintain your compliance level but with greatly reduced cost – Point C –Reduce Compliance spending –Redirect savings to other compliance efforts The reality is that you will experience a combination of B & C Current Experience Optimized Experience Optimizing Compliance Cost Compliance Risk A A C C B B

6 6 Ideal Compliance Monitoring

7 7 Breadth of Coverage Across IT Stack CIA –Confidentiality –Integrity –Availability Maximize CIA throughout the whole IT Stack Prioritize sections of the stack that pose higher risk Evaluate best of breed vs. integrated solutions CIA –Confidentiality –Integrity –Availability Maximize CIA throughout the whole IT Stack Prioritize sections of the stack that pose higher risk Evaluate best of breed vs. integrated solutions

8 8 Changing Concerns 20042005 10%30% 20%30% 10%20% 5%10% 20%5% 25%5% IT Stack Time Investment

9 9 Risk Management process 1.Scope definition –Determine processes and risks to be evaluated 2.Process Walkthrough –Step through the processes to validate them against their goals 3.Risk Assessment –Execute the processes in the context of risks to be evaluated 4.Control identification and evaluation –Document IT controls and supplemental manual controls –Document risks identified by these controls 5.Residual risk assessment –Provide a residual risk assessment for each process –Provide recommendations for remediation 1.Scope definition –Determine processes and risks to be evaluated 2.Process Walkthrough –Step through the processes to validate them against their goals 3.Risk Assessment –Execute the processes in the context of risks to be evaluated 4.Control identification and evaluation –Document IT controls and supplemental manual controls –Document risks identified by these controls 5.Residual risk assessment –Provide a residual risk assessment for each process –Provide recommendations for remediation

10 10 Risk Management Deliverables 1.Process and sub-process maps –Clearly document the business processes within the engagement boundary definition; 2.Business process automation recommendations –Definition of the process, objectives, threats and controls at a detailed level 3.Risk and control matrix –For each process a summary of risk assessments, control ratings and determination of residual risk level 4.Recommendations –Short, medium and long-term remediation plan –Prioritize remediation efforts 1.Process and sub-process maps –Clearly document the business processes within the engagement boundary definition; 2.Business process automation recommendations –Definition of the process, objectives, threats and controls at a detailed level 3.Risk and control matrix –For each process a summary of risk assessments, control ratings and determination of residual risk level 4.Recommendations –Short, medium and long-term remediation plan –Prioritize remediation efforts

11 11 Risk reduction solutions Compliance Officer (compliance) IT Operations (configuration) IT Operations & Security (vulnerability) Security & Help Desk (identity management) Define Create policy Maintain policy Enforce Policy Evaluate Evaluate against PolicyEvaluate against policy Maintain gold standards Evaluate against policy Evaluate against known threats Administer according to policy Evaluate against policy Remediate Report RemediateReport Risk Analysis Remediate Remediate Sample Solution Policy Management Product Content Workflow Document Management Link to evidence Configuration Management Product Link to Policy Gold Standards Baselines Trending Patch Management Alerting Remediation Audit Security Management Product Link to Policy Gold Standards Baselines Trending Vulnerability Assessment Intrusion Prevention Security event Management Audit Identity Management Product Synchronize identities Manage Access Control Manage directories and OS Password Management Authentication Security event Management Audit

12 Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation Ezra.Duong-van@bindview.com 713-561-4274 Ezra Cornell Duong-Van Director, Strategic Marketing BindView Corporation Ezra.Duong-van@bindview.com 713-561-4274

13 13 Contact BindView General Sales 1-800-813-5869 sales@bindview.com John Balena, Federal Sales john.balena@bindview.com Phone: 713-561-4109 Contact BindView General Sales 1-800-813-5869 sales@bindview.com John Balena, Federal Sales john.balena@bindview.com Phone: 713-561-4109

Download ppt "A Balancing Act Between Risk Appetite and Risk Tolerance Federal Information Systems Security Educators’ Association Conference March 2005 Ezra Cornell."

Similar presentations

Professional Services Overview

Professional Services Overview
Building an Optimized Infrastructure

Building an Optimized Infrastructure
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Deploying GMP Applications Scott Fry, Director of Professional Services.

Deploying GMP Applications Scott Fry, Director of Professional Services.
Technology Applications in the Age of Integrity Integrity Forum 2006 Tony Murphy Vice President, Worldwide Sales ACL Services Ltd.

Technology Applications in the Age of Integrity Integrity Forum 2006 Tony Murphy Vice President, Worldwide Sales ACL Services Ltd.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Enterprise Architecture

Enterprise Architecture
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Unified Communications as a Managed Service DIR Telecom Forum, October 7, 2014 ROY ALBRECHT, Director, Sales and Marketing Globalscope Communications.

Unified Communications as a Managed Service DIR Telecom Forum, October 7, 2014 ROY ALBRECHT, Director, Sales and Marketing Globalscope Communications.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
The Microsoft Office 2007 Enterprise Project Management Solution:

The Microsoft Office 2007 Enterprise Project Management Solution:
Presenting The Broker-Dealer Certification Tool The Compliance Department Inc. Broker Dealer Compliance Consultants Compliance SCORE Powered by Keane BRMS.

Presenting The Broker-Dealer Certification Tool The Compliance Department Inc. Broker Dealer Compliance Consultants Compliance SCORE Powered by Keane BRMS.
Business Analysis: A Business Unit Perspective International Institute of Business Analysis January 18, 2012.

Business Analysis: A Business Unit Perspective International Institute of Business Analysis January 18, 2012.
HIPAA COMPLIANCE WITH DELL

HIPAA COMPLIANCE WITH DELL

Similar presentations

Ads by Google