Brad Boroff, CISA CRISC Chief Information Security Officer Illinois Department of Revenue

Size: px

Start display at page:

Download "Brad Boroff, CISA CRISC Chief Information Security Officer Illinois Department of Revenue"

Gerald Quinn
5 years ago
Views:

1 Brad Boroff, CISA CRISC Chief Information Security Officer Illinois Department of Revenue

2 Governance is the strategic alignment of operations with the agency such that maximum business value is achieved though the development and maintenance of effective control and compliance, performance management, and risk management. Agency Risk Control Compliance

3 Monitor Assess Compliance Risk Controllership Manage

4 Risk Charts the Course: Direction Speed Destination Finish Comprehensive Risk Assessments Goals and Objectives The Agency/Business Consulting Acquisition and Integrations Vision / Forecasting

5 Controllership Policy Management Access Management Core Technology Standards Project Services Change Management Data & Asset Management The Operation: Fuel Power Storage Alterations Policies Standards Procedures

6 Compliance Gauging & Monitoring: Performance Inspections Correction Evaluate Measure Self Audit Reporting Adherence Investigations Discipline

Governance Program Building Risk Controllership Compliance Who: Risk Council Risk Champion Controller Global Security Project Services Compliance/Disclosure Audit Staff Office of Compliance

7 Governance Program Building Risk Controllership Compliance Who: Risk Council Risk Champion Controller Global Security Project Services Compliance/Disclosure Audit Staff Office of Compliance What: Strategy Prioritization Risk acceptance Executive Operations Digitization / Tools Policy Management Control Implementation Assess compliance Report adequacy Standardization Performance & Metrics

8 Report Vision Compliance Risk RISK Monitor Assess Controllership Control Policy

9 Definition of RISK (Merriam-Webster) 1: possibility of loss or injury : PERIL 2: someone or something that creates or suggests a hazard Probability X Impact = Inherent Risk (No Controls Applied) Inherent Risk X Controllership = Residual Risk (Controls Applied)

10 Probability X Impact = Inherent Risk (No Controls Applied) H=3 M=2 L=1 H=3 M=2 L=1 IR Inherent Risk X Controllership = Residual Risk (Controls Applied) IR H=1 M=2 L=3 RR

11 Probability X Impact = Inherent Risk (No Controls Applied) 3 x 3 = 9 Inherent Risk X Controllership = Residual Risk (Controls Applied) 9 x 2 = 18 Control Considerations: 1) Good Policy 2) Intrusion Detection 3) Security Guards 4) Physical Barriers 5) Logical Barriers

12 Probability X Impact = Inherent Risk (No Controls Applied) 3 x 2 = 6 Inherent Risk X Controllership = Residual Risk (Controls Applied) 6 x 1 = 6 Control Considerations: 1) Good Policy 2) Comprehensive System 3) Research 4) Communication 5) Operations

13 Probability X Impact = Inherent Risk (No Controls Applied)? x? = Inherent Risk X Controllership = Residual Risk (Controls Applied)? x? =? Control Considerations:

14 1) ISO & ISO ) Cobit 5.0 (includes ValRISK) 3) SP

16 Top Ten List: 10) Legacy/Out of Date Processes 9) Rules and Regulations/Policy Management 8) Unauthorized Access (Internal) 7) Integration and Consolidation 6) Change Management 5) End User Controls or Ad-Hoc Solutions 4) Theft of Data 3) Industrial Espionage 2) Virus Attacks or Malware 1) Hacking/Cyber Security

17 CISO Specialist Risk &Policy Security Operations Compliance and Disclosure DR & Recovery Services Access Admin Infrastructure

18 Investment: Time Acceptance Change Culture Benefits Structure/Alignment Stability Sustainability Best Practices Effectiveness Auditability Demand Management Tool Optimization Visibility Centralization

19 Report Vision Compliance Risk Monitor Assess Controllership Control Policy

Proposal to establish Governance Program (12-24 Months to Develop and Implement) Success Factors CISO Internal Audit Sustainable Governance Program Governance Program Management Monitoring and

Management approval of Governance Concept and Implementation Risk Assessments and Analysis Control Management and Framework Activities Management Commitment and Sponsorship Establish Appropriate

20 Proposal to establish Governance Program (12-24 Months to Develop and Implement) Success Factors CISO Internal Audit Sustainable Governance Program Governance Program Management Monitoring and Compliance Mechanisms Establish IT Governance Program Structure & Approach Sr. Management approval of Governance Concept and Implementation Risk Assessments and Analysis Control Management and Framework Activities Management Commitment and Sponsorship Establish Appropriate Program Resourcing Business Engagement & Inclusion Ensuring Con=nuous Improvement Planning and Program Maturity Program Auditabili=y Ini>al Ac>vi>es Obtain Senior IT Leadership CommiCment Determine & Engage internal resources Develop and Deliver Risk Assessment Perform Risk and Control Analysis Control Framework Ac=vi=es

Nebraska CERT Conference

Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology