Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Tolerance: Balancing Business Needs And Risk CALA Road Show Lucent Worldwide Services Security Practice George G. McBride Managing Principal Lucent.

Published bySabina Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "Risk Tolerance: Balancing Business Needs And Risk CALA Road Show Lucent Worldwide Services Security Practice George G. McBride Managing Principal Lucent."— Presentation transcript:

1 Risk Tolerance: Balancing Business Needs And Risk CALA Road Show Lucent Worldwide Services Security Practice George G. McBride Managing Principal Lucent Worldwide Services Security Practice

2 Lucent Technologies – CALA RoadShow 2005 2 Agenda  What is risk?  How can we measure it?  How do we know what is an acceptable level of risk?  Making the comparison and dealing with risk  Conclusions  Questions and Answers

3 Lucent Technologies – CALA RoadShow 2005 3 What is risk?  No universally recognized “Definition”  The exposure/potential/possibility to suffer some loss of an asset  What about likelihood and impact?  Can be qualitative or quantitative  The most important concept: –When talking about “risk”, make sure you agree on what definition you are using!

4 Lucent Technologies – CALA RoadShow 2005 4 What types of risk are there?  Strategic Risk –Risks that affect an organization’s ability to reach it’s goals  Financial Risk –Risks of a company to suffer unnecessary losses  Environmental (Physical) Risk –Risks of a company moving, of physical damage  Operational Risk  Technical Risk –Business Continuity, Integrity, Change Management, Disclosure  Political/Cultural Risk –Personal agendas, regulatory, customer constraints

5 Lucent Technologies – CALA RoadShow 2005 5 What do we have to measure?  Threats –Likelihood –Impact  Vulnerabilities  Controls Effectiveness Threat Assessment and Threat Matrix Vulnerability Assessment Controls Assessment The Risk Equation is Simple. Obtaining the Correct Values is Not

6 Lucent Technologies – CALA RoadShow 2005 6 Asset Identification  What are the assets within an organization? –Systems, buildings, cars, people, products –Business processes, applications, data  How and who determines the assets? –Commissioning, asset management, purchasing records, DHCP records, Active Directory  How often are the assets identified?

7 Lucent Technologies – CALA RoadShow 2005 7 Asset Ownership and Management  Asset owner is usually the system administrator or someone from the support organization  Should be a business unit representative: –Someone who can identify the data on the system –Someone who determine the users of the system –Someone who understands the data flow (inbound and outbound)

8 Lucent Technologies – CALA RoadShow 2005 8 Risk Speak  So many terms with so many equally valid definitions: –Threat Agent –Threat Catalyst –Inhibitors / Amplifiers –Catalyst –Capability –Motivation –And More!

9 Lucent Technologies – CALA RoadShow 2005 9 Traditional Risk Management  Mitigate all risks to effectively reduce risk to ZERO –Risk > 0 Becomes Unacceptable  Extremely costly  Slow to mitigate the risks  Generally shuts the business down. –How do you remove the risk of a production system Risk Asset Criticality and Sensitivity 0 Unacceptable

10 Lucent Technologies – CALA RoadShow 2005 10 Risk Management as an Enabler  Allows a business to measure the level of risk that they are “comfortable with”  Drive to mitigate risks to below the acceptable level, not zero  Acceptable level of risk may be by asset, physical location of device, corporate posture, etc.  Business enabler Risk Asset Criticality and Sensitivity 0 Unacceptable Acceptable Risk Tolerance

11 Lucent Technologies – CALA RoadShow 2005 11 Acceptable Levels of Risk Factors  How does a company determine their acceptable level of risk? –Organization Risk Tolerance: Is the company a former brick & mortar type firm with a conservative approach or a progressive Silicon Valley firm looking to be the first to market? –Personnel Tolerance: Individuals within the organization will affect the tolerance levels –Reaction to Previous Events: What were the results of any previous compromises/intrusions/breaches? –Policy, Regulations, Legal Issues: These may determine what level of risk a company can deal with –Risk Scope: An organization may be focused on a particular system, but need to be aware of additional connectivity issues

12 Lucent Technologies – CALA RoadShow 2005 12 Advantages of “Acceptable Risk”  Truly serves as a business enabler –This is redefines the concept of “business vs security”  Competitive Advantage? –Absolutely! Get services to market first!  Focus on fixing the risks that you have to address  May maintain various levels of acceptable risk –Logical & Physical Location, Scope, Connectivity, Customer Base and usage

13 Lucent Technologies – CALA RoadShow 2005 13 Risk Management  What stays the same? –Still need a Risk Management Program –Still need to know what the assets are –Still need to have some type of risk assessment methodology –Still need a risk management organization –Still need to agree on a measurement mechanism Quantitative or Qualitative –Risk Measurement is not a one-off effort Trigger points should initiate risk analysis at potential risk value change points during the asset lifecycle –Still need to mitigate the risk

14 Lucent Technologies – CALA RoadShow 2005 14 Risk Management Lifecycle Identify Assets / Ownership Vulnerability Assessment Threat Assessment Assess Risk Determine and Implement Controls Monitor

15 Lucent Technologies – CALA RoadShow 2005 15 Risk Management Program Plan  Develop a “Risk Management Program Plan” –Defines the overall structure and program of the risk management efforts of the organization –Describes the organizational structure, roles and responsibilities of the members –Provides metrics, governance, compliance issues, reporting mechanisms, etc. –Should place a “Risk Management Director/Officer” with the overall Corporate level responsibility manages the risk management organization and activities –Database may be used to support the Program

16 Lucent Technologies – CALA RoadShow 2005 16 Risk Database  Maintains Threats, Vulnerabilities, Controls, Likelihood, Impacts  Can be utilized for Quantitative and Qualitative efforts  Can prompt for periodic assessment reminders  Integrate with, or be, the Asset Database  Can be used to provide Enterprise Risk Management functions including: –Dashboard –Tiered and Segmented Reporting  Is extremely valuable to malicious individuals and must be protected accordingly  Supports compliance and governance matters

17 Lucent Technologies – CALA RoadShow 2005 17 Trigger Points  You can’t just measure the risk of an asset every year or two. Certain changes must trigger a risk measurement of the asset.  A “Trigger Point” is a Risk Management program call that is inserted into other operations and programs to ensure that Risk Management is considered as part of certain programs and at the appropriate times. –Business Impact Analysis –Change Management –Acquisitions –System Commissioning or Decomissioning

18 Lucent Technologies – CALA RoadShow 2005 18 Risk Methodologies  Many different types. Some fit better in particular companies or industries than others. –OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation (http://www.cert.org/octave/)http://www.cert.org/octave/ –SPRINT, SARA, FIRM (http://www.securityforum.org)http://www.securityforum.org –CRAMM (http://www.cramm.com/)http://www.cramm.com/ –RiskWatch, COBRA, and many others  Choose the one that works the best for you. –Industry / Business Sector – Some tools work better than others –Collateral Support - Including tools and training availability –Industry Support – Who recognizes which methodologies

19 Lucent Technologies – CALA RoadShow 2005 19 Risk Management – What Must Change  Modifications of the existing risk management program: –Ensure that acceptable risk doesn’t slide below an agreed upon threshold –Security analysts need to business and operations savvy to understand business drivers –Continuously monitor external resources such as new regulations, technologies, and what the competition is doing –Process to determine whether to continue to mitigate further below “Acceptable Risk” or to move on

20 Lucent Technologies – CALA RoadShow 2005 20 Summary  Know Your Assets!  Devote the required resources  Determine your “Acceptable Level of Risk” –Use a consistent measurement unit Your “Medium” may not be somebody else’s “5” –Determine the scope of the Acceptable Level Is it for all assets or particular assets –Measure the level of risk

21 Lucent Technologies – CALA RoadShow 2005 21 Any questions? Lucent Technologies Bell Labs Innovations Lucent Technologies Inc. Room 1B-237A 101 Crawfords Corner Road Holmdel, NJ 07733 Phone: +1.732.949.3408 E-mail: gmcbride@lucent.com George McBride Managing Principal Lucent Worldwide Services  Contact me at gmcbride@lucent.com with any questions that you may have.gmcbride@lucent.com

Download ppt "Risk Tolerance: Balancing Business Needs And Risk CALA Road Show Lucent Worldwide Services Security Practice George G. McBride Managing Principal Lucent."

Similar presentations

Microsoft Operations Framework (MOF) 4.0

Microsoft Operations Framework (MOF) 4.0
Planning: Processes and Techniques

Planning: Processes and Techniques
PROJECT RISK MANAGEMENT

PROJECT RISK MANAGEMENT
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Security Controls – What Works

Security Controls – What Works
Planning and Strategic Management

Planning and Strategic Management
ISO General Awareness Training

ISO General Awareness Training
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.

Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
The Information Systems Audit Process

The Information Systems Audit Process
Risk Assessment Frameworks

Risk Assessment Frameworks
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
The Business Plan : Creating and Starting The Venture

The Business Plan : Creating and Starting The Venture

Similar presentations

Ads by Google