Slide 1: Business Risk Management
Slide 2: Agenda
- Business Risk Management
- Overall Issues
- Risk Defined
- Approach
- BRM Structure
- Business Operations & Critical Functions
- Asset Identification and Vulnerability Mapping
- Roll-up and Drill-down Model
- Risk Remediation Prioritization
- Summary
Slide 3: Overview of Issues: Security Management
- Security has focused on vulnerabilities regardless of the actual risk to the business.
- Security isn't always in sync with what the business considers critical.
- Security doesn't speak a language business operations clearly understands.
- Security for security's sake, not focused on the value to operations.
Slide 4: Overview of Issues: Business Management
- Management views security strictly as an expense, not an investment.
- Management hasn't clearly and repeatedly communicated what is critical to operations.
- Management hasn't properly identified and classified assets.
- Management has left security in silos.
Slide 5: Overview of Issues: Other Factors
- There has been an increase in regulations, and even more are being proposed, especially around privacy.
- Changing technologies have made it easier to circumvent traditional protections, e.g., web apps and WLAN.
- The lack of a strategic and comprehensive risk approach.
Slide 6: What is Risk?
Generally, it is defined as a threat exploiting a vulnerability to negatively impact an asset.
Diagram: Threat, Vulnerability, Asset
Slide 7: What is a Threat?
A natural force or human being with the capacity to cause damage.
Human threats:
- Unskilled ~ script-kiddie
- Skilled ~ uber-cracker
- Opportunistic ~ random
- Motivated ~ targeted
Slide 8: What is a Vulnerability?
A weakness that can be exploited by a threat to cause damage to an asset.
Vulnerabilities:
- Software-based ~ patches
- Configuration ~ default settings
- Processes ~ incompleteness
- People ~ social engineering
Slide 9: What is an Asset?
An asset is an item, process, or resource that is valued by the organization.
Assets:
- Equipment ~ IT systems & facilities
- Intellectual ~ patents
- Process ~ manufacturing
- Brand ~ reputation
Slide 10: Approach
Business Risk Management is the alignment of security risk with the business operations it could potentially impact.
- Executive and security management understand where risk resides.
- A roll-up and drill-down view of security throughout the organization.
- A prioritization framework for risk mitigation and remediation strategies.
- Different types of risk can use the same framework.
Slide 11: BRM Structure
The Business Risk Management (BRM) model is divided into four primary layers.
Slide 12: Structure: Top Layers (Corporate and Business Units)
- The top two layers should represent the organizational structure.
- Business units should be rated on their importance, e.g., on a 1 to 5+ scale.
- Ratings can be based on revenue or criticality to the business.
Slide 13: Structure: Critical Functions
Identify critical functions:
- These are the key functions or processes that the business units perform so they can achieve their goals.
- These should be major functions or tasks.
- Critical functions should be rated on their importance, e.g., on a 1 to 5+ scale.
- Ratings can be based on revenue or criticality to the business.
Slide 14: Business Risk Management Example
Diagram: Corporate; Business Unit A (1), Business Unit B (3), Business Unit C (2); critical functions Billing, Provisioning, Payroll, Human Resources, Corporate Sales, Retail Sales, rated (1), (2), (2), (1), (1), (2).
Slide 15: Structure: Assets
Identify key assets:
- These are assets that support a critical function.
- These should be mapped directly to the function they support.
- Assets should be rated on their importance, e.g., on a 1 to 5+ scale.
- Ratings can be based on a monetary value or criticality to the function.
Slide 16: Business Risk Management Example
Diagram: Business Unit A (1); critical functions Provisioning (1) and Billing (2); technical layer with critical assets Unix (1), Unix (4), Unix (3), Win (2), Win (5), Win (6), each with an attached Risk node.
Slide 17: Business Risk Management Example
Diagram: critical assets Unix (1), Unix (4), Unix (3), Win (2), Win (5), Win (6), each with an attached Risk node linked to its identified vulnerabilities.
- Vulnerabilities are mapped to the assets they affect.
- Scanners and audits are used to determine vulnerabilities.
Slide 18: Business Risk Management Example
Slide 19: Structure
- The model doesn't have to be overly detailed to provide benefits.
- If necessary, other layers can be added.
- It provides both roll-up and drill-down capabilities.
- The model can be adapted to other risk areas.
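The roll-up, drill-down and prioritization behaviour described on slides 10 through 19 can be made concrete with a small model of the four-layer hierarchy (Corporate, Business Unit, Critical Function, Asset, with vulnerabilities mapped to assets). The following is an added example written for this page, not code from the presentation: Business Unit A (1), its functions Provisioning (1) and Billing (2), and the six rated assets come from slides 14 and 16, but the assignment of assets to functions, the vulnerability names and their severity scores are constructed, and the scoring rule itself (rating 1 treated as most important and converted to the largest weight; risk multiplied up each layer) is an assumption chosen to illustrate the model rather than anything the slides prescribe.

```python
"""Toy roll-up / drill-down model of the BRM hierarchy (added example, not from the slides).

Hierarchy: Corporate -> Business Unit -> Critical Function -> Asset -> Vulnerability.
Ratings follow the slides' 1 to 5+ scale. ASSUMPTION: rating 1 is the most important.
Asset-to-function mapping, vulnerability names and severities are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_RATING = 5  # the slides' "1 to 5+" scale; anything above 5 gets the smallest weight


def weight(rating: Optional[int]) -> int:
    """Assumed conversion: rating 1 -> weight 5, rating 5+ -> weight 1, unrated (Corporate) -> 1."""
    if rating is None:
        return 1
    return max(1, MAX_RATING + 1 - rating)


@dataclass
class Vulnerability:
    name: str
    severity: float  # constructed 0-10 score, as a scanner or audit finding might carry


@dataclass
class Node:
    name: str
    rating: Optional[int] = None
    children: List["Node"] = field(default_factory=list)
    vulns: List[Vulnerability] = field(default_factory=list)

    def risk(self) -> float:
        """Roll-up: an asset's risk is its weight times the sum of its vulnerability severities;
        each higher layer multiplies the sum of its children's risk by its own weight.
        An asset with no findings and a function with no assets both roll up as 0."""
        if self.vulns:
            return weight(self.rating) * sum(v.severity for v in self.vulns)
        return weight(self.rating) * sum(c.risk() for c in self.children)

    def drill_down(self) -> List[Tuple[str, float, float]]:
        """Drill-down: direct children ranked by rolled-up risk, with their share of this node's total."""
        total = sum(c.risk() for c in self.children) or 1.0
        rows = [(c.name, c.risk(), c.risk() / total) for c in self.children]
        return sorted(rows, key=lambda r: r[1], reverse=True)


def prioritize(node: Node, path_weight: int = 1) -> List[Tuple[str, str, float]]:
    """Remediation prioritization: a vulnerability's contribution to the corporate total is its
    severity times the product of the weights of every layer above it, so the same finding
    ranks higher on an asset behind a critical function of a critical business unit."""
    w = path_weight * weight(node.rating)
    if node.vulns:
        return [(node.name, v.name, v.severity * w) for v in node.vulns]
    rows: List[Tuple[str, str, float]] = []
    for child in node.children:
        rows.extend(prioritize(child, w))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def build_example() -> Node:
    """Business Unit A, its two functions and six assets are the slide 14/16 example;
    which asset serves which function, and all findings, are constructed here."""
    patch = "unpatched service (software-based)"
    defaults = "default admin settings (configuration)"
    process = "incomplete hardening process (process)"
    unix1 = Node("Unix (1)", 1, vulns=[Vulnerability(patch, 9.0), Vulnerability(defaults, 6.0)])
    win2 = Node("Win (2)", 2, vulns=[Vulnerability(process, 4.0)])
    unix3 = Node("Unix (3)", 3)  # constructed: no findings on this asset
    unix4 = Node("Unix (4)", 4, vulns=[Vulnerability(patch, 9.0)])
    win5 = Node("Win (5)", 5, vulns=[Vulnerability(defaults, 6.0)])
    win6 = Node("Win (6)", 6, vulns=[Vulnerability(patch, 9.0)])
    provisioning = Node("Provisioning", 1, children=[unix1, win2, unix3])
    billing = Node("Billing", 2, children=[unix4, win5, win6])
    unit_a = Node("Business Unit A", 1, children=[provisioning, billing])
    return Node("Corporate", children=[unit_a])


if __name__ == "__main__":
    corp = build_example()
    print(f"Corporate rolled-up risk: {corp.risk():.0f}")
    unit_a = corp.children[0]
    for name, risk, share in unit_a.drill_down():
        print(f"  {unit_a.name} -> {name}: {risk:.0f} ({share:.0%})")
    print("Remediation priority:")
    for asset, vuln, contribution in prioritize(corp):
        print(f"  {contribution:6.0f}  {asset}: {vuln}")
```

With the constructed data the identical "unpatched service" finding contributes 1125 on Unix (1) under Provisioning but only 180 on Win (6) under Billing, which is the business-view ordering the slides argue for: the security team fixes the finding that reduces risk to the most critical operation first, and the executive sees one number per business unit without reading the scanner output. The contributions returned by prioritize() sum exactly to the Corporate roll-up, so the drill-down and the priority list are two views of the same figure.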
Slide 20: Summary
- The ultimate goal is to provide a business view of how risk can potentially impact the organization.
- A common framework of understanding that can be shared by both the security team and executives.
- Executives now understand the business impact of risk without having to know all of the details.
- The security team can justify their initiatives based on risk reduction to critical business operations.
- This same approach could be used for other kinds of risk, such as compliance, physical security, and business continuity.
Slide 21: Questions & Comments