Visibility Analysis and Management

Transcription

1 Risk Management Insight Visibility Analysis and Management Jack Jones, CISM, CISSP, CISA RMI Founder

2 Ignorance is not bliss 2

3 What we ll cover... What do we mean by visibility? Whose visibility are we concerned with? Evaluating visibility Gaining visibility Maintaining visibility Q&A 3

4 What do we mean by visibility? 4

5 When is something visible? 5

6 When is something visible? If you have and can maintain enough information about a component of your environment that you accurately understand its risk significance, then it is visible to you. 5

7 Visibility criteria 6

8 Visibility criteria For an asset to be visible, you have to know: That it exists 6

9 Visibility criteria For an asset to be visible, you have to know: That it exists Its value/liability characteristics 6

10 Visibility criteria For an asset to be visible, you have to know: That it exists Its value/liability characteristics The threat landscape it faces 6

11 Visibility criteria For an asset to be visible, you have to know: That it exists Its value/liability characteristics The threat landscape it faces Its control condition 6

12 Whose visibility matters? 7

13 Whose visibility matters? 8

14 Whose visibility matters? It s all about decision-making. 8

15 Whose visibility matters? It s all about decision-making. The decision-maker either has to have visibility, or the person providing them the information they base their decision on has to have visibility. 8

16 Key decisions 9

17 Key decisions Prioritization 9

18 Key decisions Prioritization Solution comparison and selection 9

19 Key decisions Prioritization Solution comparison and selection Strategy development 9

20 Evaluating visibility 10

21 Evaluating visibility 11

22 Evaluating visibility Two components: Carving up the landscape into asset groups Evaluating the asset groups 11

23 Carving up the landscape 12

24 Carving up the landscape Identify the asset components that make up your landscape, for example: Internet PoP s 3rd party connections Internet applications Windows servers Development and test environments Legacy applications Managed databases Unmanaged databases Etc... 12

25 Carving up the landscape 13

26 Carving up the landscape NOTE: You may need to start by gaining visibility into the business itself Lines of business Business processes Departments Locations Business relationships Personnel 13

27 Prioritizing visibility 14

28 Prioritizing visibility Don t eat the elephant all at once. Prioritize, based on perceived: Value/liability Threat levels Control conditions Frequency of change 14

29 Evaluating visibility 15

30 Evaluating visibility For each asset group, ask the question: What percentage of [asset group] do you have visibility into? 15

31 Evaluating visibility For each asset group, ask the question: What percentage of [asset group] do you have visibility into? Make certain all aspects of visibility are considered 15

32 Evaluating visibility For each asset group, ask the question: What percentage of [asset group] do you have visibility into? Make certain all aspects of visibility are considered Estimate minimum, maximum, and most likely visibility Preferably get calibrated estimates 15

33 Evaluating visibility 16

34 Evaluating visibility For example: What percentage of unmanaged databases do we have visibility into? - Minimum: 10% (one out of ten) - Maximum: 25% (one out of four) - Most likely: 20% (one out of five) 16

35 Evaluating visibility For example: What percentage of unmanaged databases do we have visibility into? - Minimum: 10% (one out of ten) - Maximum: 25% (one out of four) - Most likely: 20% (one out of five) Why bother with a range? 16

36 Visibility Certainty Two Dimensions 17

37 How do we gain visibility? 18

38 Gaining visibility 19

39 Gaining visibility Example - Unmanaged Databases: Starting visibility: 10% to 25% 19

40 Gaining visibility Example - Unmanaged Databases: Starting visibility: 10% to 25% What are the options for improving visibility? 19

41 Gaining visibility Example - Unmanaged Databases: Starting visibility: 10% to 25% What are the options for improving visibility? Are there current tools/processes/people in the organization that we can leverage? 19

42 Gaining visibility Example - Unmanaged Databases: Starting visibility: 10% to 25% What are the options for improving visibility? Are there current tools/processes/people in the organization that we can leverage? Set specific objectives 19

43 Gaining visibility Example - Unmanaged Databases: Starting visibility: 10% to 25% What are the options for improving visibility? Are there current tools/processes/people in the organization that we can leverage? Set specific objectives - e.g 90% minimum by March 1,

44 Gaining visibility 20

45 Gaining visibility The good news... Simply asking the questions about visibility often highlights which data you need, and from where, in order to improve visibility 20

46 Gaining visibility The good news... Simply asking the questions about visibility often highlights which data you need, and from where, in order to improve visibility You can start simple and make significant gains without a lot of cost/effort. 20

47 Gaining visibility The good news... Simply asking the questions about visibility often highlights which data you need, and from where, in order to improve visibility You can start simple and make significant gains without a lot of cost/effort. These are actually useful metrics 20

48 Gaining visibility 21

49 Gaining visibility The bad news... Some data are harder to come by than others 21

50 22

51 23

52 24

53 How do we maintain visibility? 25

54 Maintaining visibility 26

55 Maintaining visibility Can be a very different problem than gaining initial visibility 26

56 Maintaining visibility Can be a very different problem than gaining initial visibility Two approaches: Active maintenance Periodic updates 26

57 Maintaining visibility Can be a very different problem than gaining initial visibility Two approaches: Active maintenance Periodic updates How often do you need to update our visibility? Realtime? Quarterly? Annually? 26

58 Timeliness consideration 27

59 Timeliness consideration Timeliness is mostly about frequency... of change, and of threat events 27

60 Control effectiveness Time 28

61 Implementation Control effectiveness Time 28

62 Implementation Control effectiveness Change occurs Time 28

63 Implementation Control effectiveness Change occurs Remediation Time 28

64 Implementation Control effectiveness Change occurs Remediation Threat event Threat event Time 28

65 Implementation Control effectiveness Change occurs Remediation Threat event Threat event Time 28

66 Maintaining visibility 29

67 Maintaining visibility Leverage existing technologies & processes 29

68 Maintaining visibility Leverage existing technologies & processes Establish policies regarding asset registration 29

69 Maintaining visibility Leverage existing technologies & processes Establish policies regarding asset registration Integrate with: Project management Change management BCP/DR 29

70 Maintaining visibility Leverage existing technologies & processes Establish policies regarding asset registration Integrate with: Project management Change management BCP/DR Establish policies regarding asset registration 29

71 Summary 30

72 Summary Visibility is required in order to: Make well-informed risk decisions Rationally claim that you are actually managing risk 30

73 Summary Visibility is required in order to: Make well-informed risk decisions Rationally claim that you are actually managing risk You have to carve up the landscape into asset groups in order to make your estimates. 30

74 Summary Visibility is required in order to: Make well-informed risk decisions Rationally claim that you are actually managing risk You have to carve up the landscape into asset groups in order to make your estimates. In order for an asset group to be visible you have to know its risk significance 30

75 Summary Visibility is required in order to: Make well-informed risk decisions Rationally claim that you are actually managing risk You have to carve up the landscape into asset groups in order to make your estimates. In order for an asset group to be visible you have to know its risk significance Don t try to eat the entire elephant at once. Prioritize your visibility efforts based on risk potential 30

76 Summary 31

77 Summary Leverage existing technology/processes/people as much as possible 31

78 Summary Leverage existing technology/processes/people as much as possible Once you ve established decent visibility, establish a strategy for maintaining it 31

79 Summary Leverage existing technology/processes/people as much as possible Once you ve established decent visibility, establish a strategy for maintaining it Visibility is just another way of thinking about, evaluating, and managing our problem space 31

80 Questions? If you d like help establishing visibility within your organization, or for more information about RMI s services: info@riskmanagementinsight.com