Business Risk Management

Transcription:

slide 1 Business Risk Management

slide 2 Agenda
Business Risk Management
- Overall Issues
- Risk Defined
- Approach
- BRM Structure
- Business Operations & Critical Functions
- Asset Identification and Vulnerability Mapping
- Roll-up and Drill-down Model
- Risk Remediation Prioritization
- Summary

slide 3 Overview of Issues: Security Management
- Security has focused on vulnerabilities regardless of actual risk to the business.
- Security isn't always in sync with what the business considers critical.
- Security doesn't speak a language business operations clearly understands.
- Security for security's sake, not focused on the value to operations.

slide 4 Overview of Issues: Business Management
- Management views security strictly as an expense, not an investment.
- Management hasn't clearly and repeatedly communicated what is critical to operations.
- Management hasn't properly identified and classified assets.
- Management has left security in silos.

slide 5 Overview of Issues: Other Factors
- There has been an increase in regulations. However, there are even more being proposed, especially around privacy.
- Changing technologies have made it easier to circumvent traditional protections, e.g., web apps and WLAN.
- The lack of a strategic and comprehensive risk approach.

slide 6 What is Risk?
Generally, it is defined as a threat exploiting a vulnerability to negatively impact an asset.
Diagram: Threat, Vulnerability, Asset

slide 7 What is a Threat?
A natural force or human being with the capacity to cause damage.
Human Threats:
- Unskilled ~ Script-kiddie
- Skilled ~ Uber-Cracker
- Opportunistic ~ Random
- Motivated ~ Targeted

slide 8 What is a Vulnerability?
A weakness that can be exploited by a threat to cause damage to an asset.
Vulnerabilities:
- Software-based ~ Patches
- Configuration ~ Default Settings
- Processes ~ Incompleteness
- People ~ Social Engineering

slide 9 What is an Asset?
An asset is an item, process, or resource that is valued by the organization.
Assets:
- Equipment ~ IT systems & facilities
- Intellectual ~ Patents
- Process ~ Manufacturing
- Brand ~ Reputation

slide 10 Approach
Business Risk Management is the alignment of security risk with the business operations it could potentially impact.
- Executive and security management understand where risk resides
- A roll-up and drill-down view of security throughout the organization
- Prioritization framework for risk mitigation and remediation strategies
- Different types of risk can use the same framework

slide 11 BRM Structure
The Business Risk Management (BRM) model is divided into four primary layers.

slide 12 Structure: Top Layers (Corporate and Business Units)
- The top two layers should represent the organizational structure.
- Business Units should be rated on their importance, e.g., on a 1 to 5+ scale.
- Ratings can be based on revenue or criticality to the business.

slide 13 Structure: Critical Functions
Identify Critical Functions
- These are the key functions / processes that the business units perform so they can achieve their goals.
- These should be major functions or tasks.
- Critical functions should be rated on their importance, e.g., on a 1 to 5+ scale.
- Ratings can be based on revenue or criticality to the business.

slide 14 Business Risk Management Example
Diagram of the top layers:
- Corporate
- Business Units: Business Unit A (1), Business Unit B (3), Business Unit C (2)
- Critical Functions: Billing, Provisioning, Payroll, Human Resources, Corporate Sales, Retail Sales, with importance ratings (1) (2) (2) (1) (1) (2)

slide 15 Structure: Assets
Identify Key Assets
- These are assets that support a critical function.
- These should be mapped directly to the function they support.
- Assets should be rated on their importance, e.g., on a 1 to 5+ scale.
- Ratings can be based on a monetary value or criticality to the function.

slide 16 Business Risk Management Example
Diagram drilling down from Business Unit A (1):
- Critical Functions: Provisioning (1), Billing (2)
- Technical Layer, Critical Assets: Unix (1), Unix (4), Unix (3), Win (2), Win (5), Win (6)
- Each asset carries its own Risk entry

slide 17 Business Risk Management Example
Diagram extending the asset layer with the identified vulnerabilities:
- Critical Assets: Unix (1), Unix (4), Unix (3), Win (2), Win (5), Win (6), each with its Risk entry
- Identified Vulnerabilities
Vulnerabilities are mapped to the assets they affect. Scanners and audits are used to determine vulnerabilities.

slide 18 Business Risk Management Example

slide 19 Structure
- The model doesn't have to be overly detailed to provide benefits.
- If necessary, other layers can be added.
- It provides both roll-up and drill-down capabilities.
- The model can be adapted to other risk areas.
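As an added example (not from the slides), here is a small Python model of the BRM layers described on slides 11 to 19, with the roll-up view, the drill-down view and a remediation priority list. The scoring rule (rating 1 = most important, weight = 1/rating, a vulnerability's risk = its severity times the weights along its path) and the sample tree are assumptions, since the slides rate each layer but do not state how the ratings combine.

```python
# Added example, not from the slides: a toy roll-up / drill-down model of the
# BRM layers. Assumed scoring rule: rating 1 = most important, weight = 1/rating,
# vulnerability severity 1-5, risk = severity x product of the weights on its path.
from dataclasses import dataclass, field

@dataclass
class Node:
    """One entry in a BRM layer: corporate, business unit, critical function or asset."""
    name: str
    rating: int                                   # 1 to 5+ importance (1 = most important, assumed)
    children: list = field(default_factory=list)  # child Nodes, or (vulnerability, severity) leaves

def score(node, path_weight=1.0, path=(), out=None):
    """Drill-down view: risk of every node, keyed by its path from the top."""
    out = {} if out is None else out
    here = path + (node.name,)
    w = path_weight / node.rating
    risk = 0.0
    for child in node.children:
        if isinstance(child, Node):
            score(child, w, here, out)
            risk += out[here + (child.name,)]   # roll up the child's already-weighted risk
        else:
            risk += child[1] * w                # leaf: severity scaled by the whole path
    out[here] = risk
    return out

def prioritize(node, path_weight=1.0, path=()):
    """Remediation list: every vulnerability with its path-weighted score, highest first."""
    here = path + (node.name,)
    w = path_weight / node.rating
    found = []
    for child in node.children:
        if isinstance(child, Node):
            found += prioritize(child, w, here)
        else:
            found.append((child[1] * w, child[0], " > ".join(here)))
    return sorted(found, reverse=True)

# Constructed sample tree, loosely modelled on the slide 14/16 example; ratings and findings are invented.
CORPORATE = Node("Corporate", 1, [
    Node("Business Unit A", 1, [
        Node("Provisioning", 1, [Node("Unix-1", 1, [("missing patch", 5), ("weak config", 2)])]),
        Node("Billing", 2, [Node("Win-2", 2, [("default settings", 4)])]),
    ]),
    Node("Business Unit B", 3, [Node("Payroll", 2, [Node("Win-5", 1, [("missing patch", 5)])])]),
])
```

Note that the same missing patch ranks first on the asset under Business Unit A and last on the asset under Business Unit B: identical vulnerability, different business risk, which is the point of the model.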

slide 20 Summary
- The ultimate goal is to provide a business view of how risk can potentially impact the organization.
- A common framework of understanding that can be shared by both the security team and executives.
- Executives now understand the business impact of risk without having to know all of the details.
- The security team can justify their initiatives based on risk reduction to critical business operations.
- This same approach could be used for other kinds of risk such as compliance, physical security, and business continuity.

slide 21 Questions & Comments