59246 risk mgt
-
7/30/2019 59246 risk mgt
1/33
Executive Blueprints, Inc
Risk Management
By Louis W. Mehrmann
-
Copyright 2006-2007 Executive Blueprints Inc. All Rights Reserved
Risk Management Index
1. Introduction
2. Principal Factors
3. The Methodology
4. Helpful Hints
5. The Risk Analysis Team
6. Review Checklist
-
Preparation
To get the most out of this tutorial, we suggest that you prepare with writing instruments and your canvas (blank paper) available as you follow along. You can document your personal ideas and observations as you follow the presentation.
For best results, group participation or review is recommended. It is also suggested that you go through the entire process and then review what you have learned in practice.
Look for this icon in the top right corner as a prompt for you to document your personal strategy canvas.
-
Introduction
Most management decisions involve the assumption of risk: the chance that things may not turn out the way we hope or want them to. Therefore, risk management has become an integral part of general organization and project management.
Three principal factors significantly influence risk:
1. Rapid growth in centralization of data and the information extraction processes
2. Increasing dependence on employees with skills, talents, disciplines, and sometimes motivations, quite different from those with which management has been familiar in the past
3. Increased proliferation of mini, micro and portable processing devices with an associated distribution of key data to remote nodes for data extraction, data update, and data addition
-
Assessment Procedure
Any procedure that provides sufficient accuracy and credibility while reducing the labor to perform the risk assessment is acceptable. There are, however, several characteristics which an acceptable procedure should exhibit, including the following:
Quantitative Results: The process must yield quantitative data describing the cost of potential problems in terms of cost per unit of time, such as dollars per year.
Fundamental Simplicity: The process should be readily comprehensible by the highest levels of management expected to support and fund action based on the data presented.
Usability: The requirements for data from the Users of Data Processing should be limited in complexity to ensure that it is understandable to persons whose areas of competence and interest do not include risk assessment.
-
Assessment Scope
Assessment scope can be a serious point of contention. Some individuals want to limit consideration to catastrophic events such as fire, flood, earthquakes, and volcanoes. Others want to focus only on intentional misconduct such as fraud and embezzlement.
The correct position is that consideration must be extended to the effects of all of the undesirable things that might happen to data or to the means of accessing and processing data.
Care must be taken to insist that concern is limited to the effects of undesirable things and not extended to a virtually endless list of bad things, the threat list.
It is not until the cost of the undesired event and its estimated frequency have both been examined that a potential source of damage can be justifiably excluded from further consideration.
-
Assessment Purpose
The purpose of performing a risk assessment is to obtain a quantitative statement of the potential problems to which the data processing facility is exposed so that appropriate, cost-effective protective safeguards can be selected. It is assumed that, once armed with such information, no protective measure will be selected that costs more than toleration of the problem. The risk assessment should establish that threshold.
-
Analysis Elements
Two key elements in risk analysis are:
1. A statement of impact relative to how badly a specific difficulty would hurt if it happens.
2. A statement of the probability of encountering that difficulty within a specific period of time.
Both parameters are needed to describe risk in terms of cost per unit of time such as dollars per year.
Note: The probability of an undesirable thing happening is usually more difficult to determine with confidence than is a measure of the consequence of its happening. However, statements of the potential economic impact of events without regard to their relative probability cannot lead to the identification of exposures worthy of corrective action.
-
Risk Options
Once an exposure to risk has been identified, we have three options to address it. We can:
1. Tolerate it
2. Lower the potential cost by implementing measures costing less than the total loss in dollars per year
3. Lower the probability of loss occurring by implementing protective measures costing less than the exposure
Unless we quantify both the potential cost and the probability of occurrence, we cannot be in a position to make an informed selection of any of the three options.
-
Insurance as an Option
Insurance is not a fourth option. It only provides a means of soothing the effect of a loss when and if it happens. As such, it is a matter to be considered after the election of the other options.
Downward adjustment of risk should lessen either:
1. The amount of insurance required (in the case of reduced cost), or
2. The insurance rate (in the case of reduced probability of occurrence)
-
Evaluating Sensitive Data
How should the evaluation of incorrect or lost data be measured?
Quantifiable measurement in dollars is the ideal evaluation method. However, the assignment of dollar values to certain types of data can be an issue when:
1. The data under consideration, if disclosed or otherwise harmed, would have some identifiable and undesirable political or social ramification, and is possibly affected by privacy legislation.
2. The data is involved with defense or intelligence activities, since the risks associated with these two categories are generally much more difficult to assess quantitatively than are many other exposures.
When the assignment of dollar values is a stumbling block to progress, it is advisable to consider alternate means of identifying and defining the severity of the potential problems to be assessed.
-
Alternate Evaluation Methods
The reluctance to use dollars as a measure has led to the use of other means to define the severity of problems. In these categories, using relative sensitivity, for example on a scale of 1 to 5, is a methodology that may be employed.
Such a rating scheme can be valuable as a means of communicating an assessment of the potential for harm to people due to the loss of security to files of specific types. For example, a rating of 1 indicates great sensitivity for psychiatric data and a 2 for files having less sensitive data such as tax files.
It is conceivable that a convention using the relative sensitivity scale of 1 to 5 can be coupled with another measure describing probability of occurrence to provide an expression which says, for example: the probability of a 2-sized problem is 0.3 times per year.
Although useful in sizing the exposure to data sensitivity, these ratings do not provide an adequate parameter for guidance in selecting economically feasible security measures. Such rating schemes should coexist with risk analysis techniques which quantify the problem in dollars.
-
Justifying Protection
A specific protection measure to contain only one problem is often difficult to justify. The best protective measures usually contain or assist in containing multiple problems.
Any summation of risks to be contained by specific protective measures, or combinations of them, requires that the risks be expressed in common units of measure. If some problems are expressed in economic terms and others in non-dimensional sensitivity ratings, the ability of specific measures to contain this variety of problems will be awkward to assess and difficult to cost-justify.
Experience indicates that the application of standard risk analysis methodologies to data collections will often dictate measures adequate enough to also include protection against disclosure, thus relieving the need for solid quantification of social impact, either real or imagined.
-
The Methodology
Assessment Objective:
Develop a quantitative statement of the potential cost of losses of security in and about a data processing facility where such losses might result in a failure to provide the services desired or expected. The concept this objective supports is the implementation of controls at a cost significantly less than suffering the problems to which they apply, thereby bringing the associated data processing operations risk to an acceptable level.
The overall goal is to protect the provision of data processing services through the protection of the capabilities needed to provide those services. Thus, the concern is with the protection of means or capabilities, not physical assets.
The Evaluation Process Should Identify and Prioritize:
1. All critical functions supported by the data processing facility
2. The critical resources required to support provision of those critical functions
-
Problem Sources
Data security problems are those presented by any of the six undesirable things that could happen to data. They are:
1. Accidental disclosure
2. Accidental modification
3. Accidental destruction
4. Intentional disclosure
5. Intentional modification
6. Intentional destruction
In addition, there can be the denial of processing capability.
Because there are six categories of undesirable things which can happen to data, in addition to the inability to process it, and because the cost or probability of their occurrence, or both, may vary widely as a function of which data is being considered, experience has shown it to be desirable to look at the potential cost of an event and its probability of occurrence in a rather fine-grained structure; that is, to look at the results of each bad thing happening to every file, dataset, or other convenient aggregation.
-
Sample Risk Assessment Form
This sample form can be used to evaluate the risk to data from all causes, including its loss to physical threats such as fire.
Although the form suggested for use in the accumulation of data to support the risk assessment forces the examination of the consequence of security problems to the data set level, the data sets listed are grouped application by application. The risk assessment, then, is done at the application level, not at the data set level.
-
Doing a Risk Analysis
Refer to the form on the previous slide. The far left column is for listing the data collections needed to support the application under consideration. If this application is easier to consider with further subdivision, these datasets should be grouped accordingly. However, further subdivision should not be forced.
Some datasets support multiple applications. In such cases, it is necessary to list them with each corresponding application and note in the comments column that they have been so listed. It is not satisfactory to list only once those datasets which are used to support several applications, because some applications may be more dependent on that dataset than others. Furthermore, unless a file is listed with each corresponding application, the totality of the dependence may not be calculable.
The first objective is to assign values for impact (V), probability or frequency of occurrence (P), and annualized risk cost (E) at each intersection in the matrix. Refer to the next slide for V, P, and E values. Many intersections may describe problems that are sufficiently small and, therefore, they may be neglected. Ordinarily, if the sum of V and P, as described on the next slide, is less than 6, the intersection can be neglected. Care must be taken to avoid disregarding an intersection because the per-instance dollar impact (V) is low. It may be that the probability of occurrence (P) is high enough to yield a high annual cost (E) for this problem.
-
Sample Value Matrix
Annualized risk cost E (dollars per year) at each intersection of V and P. Blank cells are intersections with V + P less than 6, which can ordinarily be neglected, or beyond the top of the table.

          P = 1     2      3      4      5      6      7      8
V = 1                                 $300    $3K   $30K  $300K
    2                          $300    $3K   $30K  $300K    $3M
    3                   $300    $3K   $30K  $300K    $3M   $30M
    4            $300    $3K   $30K  $300K    $3M   $30M  $300M
    5     $300    $3K   $30K  $300K    $3M   $30M  $300M
    6      $3K   $30K  $300K    $3M   $30M  $300M
    7     $30K  $300K    $3M   $30M  $300M

If the $ impact of the event is:
  $10          V = 1
  $100         V = 2
  $1,000       V = 3
  $10,000      V = 4
  $100,000     V = 5
  $1,000,000   V = 6
  $10,000,000  V = 7
If the estimated frequency of occurrence is:
  Once / 300 years   P = 1
  Once / 30 years    P = 2
  Once / 3 years     P = 3
  Once / 100 days    P = 4
  Once / 10 days     P = 5
  1 time / day       P = 6
  10 times / day     P = 7
  100 times / day    P = 8
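The value matrix as code, applied to a constructed risk form for one application. This is an added example, not from the Executive Blueprints deck: the formula 10^(V+P-3)/3 is a fit to the deck's cells (every entry rounds to the figure shown), and the "beneficiary payments" datasets, impacts and frequencies are constructed sample inputs.

```python
"""Added example (not from the Executive Blueprints deck): the sample value
matrix as code, applied to a constructed risk form for one application."""
import math

# The six undesirable things that can happen to data, plus denial of processing.
EVENTS = ("accidental disclosure", "accidental modification", "accidental destruction",
          "intentional disclosure", "intentional modification", "intentional destruction",
          "denial of processing")

# The deck's frequency scale, expressed as events per year (assumes a 365-day year).
P_SCALE = {1: 1 / 300, 2: 1 / 30, 3: 1 / 3, 4: 365 / 100,
           5: 365 / 10, 6: 365, 7: 3650, 8: 36500}

NEGLECT_BELOW = 6  # the deck: if V + P < 6 the intersection can be neglected


def impact_value(dollars):
    """V for a per-instance dollar impact: $10 -> 1, $100 -> 2, ... $10M -> 7,
    rounding to the nearest decade and clamping to the deck's 1..7 range."""
    if dollars <= 0:
        raise ValueError("impact must be a positive dollar amount")
    return max(1, min(7, round(math.log10(dollars))))


def frequency_value(per_year):
    """P for an estimated frequency: the scale entry nearest on a log scale."""
    if per_year <= 0:
        raise ValueError("frequency must be positive")
    return min(P_SCALE, key=lambda p: abs(math.log10(P_SCALE[p]) - math.log10(per_year)))


def annual_cost(v, p):
    """E in dollars per year, or None when the intersection is neglectable.
    10**(V+P-3)/3 reproduces every cell of the deck's matrix once rounded to one
    significant figure (V=1,P=5 -> $333 ~ $300; V=4,P=8 -> $333M ~ $300M)."""
    if v + p < NEGLECT_BELOW:
        return None
    return 10 ** (v + p - 3) / 3


def matrix_cell(v, p):
    """The rounded figure the deck prints for an intersection (300, 3K, 30K, ...)."""
    return None if annual_cost(v, p) is None else 300 * 10 ** (v + p - NEGLECT_BELOW)


def assess_application(cells):
    """Score each dataset x event intersection of one application's form and total
    the annualized cost at the application level, as the deck prescribes.
    cells: iterable of (dataset, event, impact_dollars, events_per_year)."""
    scored, total = [], 0.0
    for dataset, event, impact, per_year in cells:
        if event not in EVENTS:
            raise ValueError(f"unknown event: {event}")
        v, p = impact_value(impact), frequency_value(per_year)
        e = annual_cost(v, p)
        if e is None:
            continue  # neglectable intersection: V + P < 6
        scored.append((dataset, event, v, p, e))
        total += e
    return scored, total


# Constructed sample form for a "beneficiary payments" application (illustrative values).
SAMPLE_FORM = [
    # dataset,             event,                      $ per instance, events per year
    ("beneficiary master", "intentional modification", 10_000, 365 / 100),  # once / 100 days
    ("beneficiary master", "accidental modification",     100, 3650),       # 10 times / day
    ("payment history",    "accidental destruction",  100_000, 1 / 30),     # once / 30 years
    ("payment history",    "intentional disclosure",    1_000, 1 / 30),     # once / 30 years
]


def sample_assessment():
    """Run the constructed form; the $100-per-instance mistake scores ten times the
    $10,000 fraud because it happens far more often, which is the deck's caveat."""
    return assess_application(SAMPLE_FORM)


if __name__ == "__main__":
    scored, total = sample_assessment()
    for dataset, event, v, p, e in scored:
        print(f"{dataset:20} {event:26} V={v} P={p} E=${e:,.0f}/yr")
    print(f"application total: ${total:,.0f}/yr")
```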
-
Probability Analysis
It is important to recognize that assessment of probabilities is dependent on the background, knowledge and behavioral characteristics of the individuals assigned to perform the risk analysis.
With on-going systems for which there is a body of knowledge, particularly as it applies to high-probability errors and omissions problems, the task of assigning probability is relatively easy. There is usually an experience base from which the team can work.
It is usually more difficult to assign probabilities to dishonest behavior problems. Informed judgment based on a thorough knowledge of the environment under consideration is the best approach.
Common sense is also a very powerful weapon in attacking a probability analysis. For example, in a life insurance beneficiary payment system where several hundred to a thousand or more people know that it is easy to change a beneficiary address without the risk of anyone verifying the new address, there is an exposure to at least one dishonest person successfully diverting checks to an address where they can be obtained and cashed. Obviously, the probability of occurrence is much higher than once in 30 years and probably much lower than every ten days. Factoring in the real number of people who know of the potential for harm can then influence the final risk selection. For example, if the number of people is high, then one instance every 100 days may be a reasonable choice. If the number of people is significantly less, then one instance every 3 years may be a possible choice.
-
Contingency Planning
Most organizations have a critical dependence on the timely conduct of certain data processing functions. These functions are usually in the order of 15% to 20% of the total workload. It is important that this portion of the workload be specifically identified, and that contingency plans be laid which include the availability of all the things necessary to process elsewhere in the event of a loss of the primary facility.
The identification and quantification of any potential problems associated with delaying the performance of critical tasks is usually necessary to the establishment of cost-effective contingency plans. These plans should reflect the needs of the organization for the processing of jobs by the data processing facility. If the nature of this dependence is not known, a good contingency plan is difficult to justify, with a subsequent risk of spending an inappropriate amount for a workable back-up arrangement.
Another product of the risk assessment is the identification of these time-dependent applications and an awareness of the cost to the organization as a function of the length of time it is without the ability to perform the work in this category. Hence the need for the time columns on the risk assessment form. The time intervals selected should be appropriate to the particular organization and the particular business function.
-
Sample of Filled in Risk Form
-
Helpful Hints
Performing a risk assessment often leads to a number of unanticipated questions in a number of areas that may impede progress. The following charts address the most common areas of concern:
o Threat Analysis
o Errors and Omissions
o Dishonest Employees
o Personal Integrity
o White Collar Crime
o Physical/Processing Loss
o Fire Damage
o Avoidance of Subdivision
o Security/Risk Maintenance
o Security Assessment Questions
-
Helpful Hints
Threat Analysis: There is often a tendency to think that a threat analysis needs to be conducted before a risk assessment can be accomplished. Listing threats can be an endless task, and experience strongly implies that, no matter how long the list, it will be sufficiently incomplete that planning about it will be less effective than desirable.
A list of generic threats, such as fire, water, communications failures, power failures, data entry errors, and programming errors, is generally adequate. Vulnerabilities are far more important to the risk determination than are detailed lists of threats.
Errors and Omissions: It is important that proper weight be given to the importance of errors and omissions. Data is more often destroyed or otherwise rendered useless or even harmful by people making mistakes than through dishonesty or malice. The principal difference between dishonesty and mistakes lies not in how they are thwarted, but in the intent of the offender. They are both costly.
Dishonest Employees: It is of utmost importance, when considering the potential for damage by dishonest or malicious people, to keep in mind that the vast majority of all white collar crime is committed by employees, not outsiders. Most improprieties directly involving data processing are conducted by people who are very familiar with the particular functional area of the business from which the theft occurs.
-
Helpful Hints
Personal Integrity: The factors that influence individual integrity are not easily perceptible, and individual integrity is not a constant. It varies dramatically with time and with personal situations of which a risk assessment team may be totally unaware. For this reason, it is best to eliminate perceived individual personal integrity when performing a risk analysis.
White Collar Crime: A meaningful deterrent to white collar crime is often achieved by limiting its reward to the absolute minimum. If all persons having access to the information system are given the least privilege necessary to get their job done, the potential rewards for dishonest conduct will be lessened. Most people are strongly deterred by fear of being caught and, to a lesser extent, by fear of formal punishment.
Physical/Processing Loss: The loss of the physical facility should be treated independently from the loss of processing capability. It is misleading to consider the loss of processing capability as part of the cost of loss of the physical facility. The loss of the physical facility, in a properly planned operation, may not result in a loss of all processing ability. The loss of all processing ability need not involve the loss of the physical facility.
-
Helpful Hints
Fire Damage: Bear in mind that fire can deprive a facility owner of services without destroying or in any way damaging the data processing complex itself. In high-rise buildings, for example, severe fires on any floor below the facility, and frequently on any floor above, can disable the facility by depriving it of power, air conditioning, elevators, and communications. Customized, business-dependent pre-printed forms destroyed by fire may well take longer to replace than the hardware facility. It is therefore necessary to consider all aspects of each possible loss to fire.
Avoid Subdivision: Whenever possible, it is best to avoid subdividing consideration of the protection of all data processing resources into such categories as physical security and data security. Aside from such obvious problems as security of data clearly requiring physical security, separating or compartmentalizing concerns tends to obscure desirable trade-offs between candidate protective measures. The problem is further aggravated by assigning responsibilities to different people.
Security/Risk Maintenance: A pitfall many organizations fall into is that of treating risk assessment as a one-time project. However, old applications are constantly changing and new applications are continually being developed to support new or existing business functions. Therefore, it is advisable that risk assessment be implemented as an on-going process. In addition, periodic reassessments of at least the key critical applications supporting major business functions should be completed.
-
Helpful Hints
Security Assessment Questionnaire: An integral step in any risk assessment project should be an evaluation of existing security measures versus the risk potential, for the determination of specific actions required to either strengthen or relax controls.
Executive Blueprints has developed and provides you with a comprehensive Security Assessment Questionnaire. You can obtain and utilize this material by accessing the training module Security is a Management Issue.
This document can be useful to data processing management, general management, auditors, and risk assessment teams in evaluating and developing security programs and highlighting those areas that need additional attention. Through a series of simple yes/no answers to questions in fourteen categories, the questionnaire covers:
Physical Security: Fire, Rising Water, Falling Water, Intrusion
Controls and Procedures: Organizational Controls, Personnel, Operational Controls, Interface Controls, Application Development, and Other
Contingency Planning: General, Emergency, Backup, Recovery
-
The Risk Assessment Team
Team Composition: Composition of the team to perform the risk assessment is critical to success. Proper consideration of the impact and probabilities required to complete the recommended procedure requires the assignment of well informed, properly motivated people. The job cannot be delegated to clerks as a routine task.
It must also be recognized that the assessment cannot be done quickly if it is to be done well. It takes time. Therefore, it is suggested that the people assigned to the team be dedicated to a specific number of hours per day until the assessment is completed.
Participants on the risk assessment team must include representatives from:
1. Information Systems operations
2. The department owning the data under consideration
3. The programmer responsible for support of the function under consideration
4. Systems programming, if the installation is large enough to have this function
5. The data security coordinator or administrator (if any)
6. The communication network administrator (if any)
7. The data base administrator (if any)
8. The internal audit function
9. The department responsible for physical security
-
Management Commitment
Strong senior management commitment to risk assessment is essential to its success. No amount of lower level concern will be truly effective unless everyone who has a role in achieving protection of the business assets believes that senior management has sufficient commitment to this task.
It is often difficult to convince senior management that they should be concerned without a quantitative expression of the problems as might be derived from the risk assessment. This situation leads to a chicken and egg syndrome. There is need for senior management support to organize a properly manned risk analysis team, but management may not be sufficiently concerned about data protection until it sees the product of the assessment for financial risk.
-
Implementation Checklist
Check these process steps for implementation status. For each step, mark one of: In Place / Process Action / Needs Work.
We have Senior Management support to do risk assessment
We have identified the risk assessment team participants
We have identified all of the critical business applications
We have identified and involved all critical application owners (*)
We have identified custodians and users of critical applications (*)
We have agreement on our risk assessment methodology
We have tested our methodology for reasonableness
We have provided for inclusion of new critical applications
We have a notify process when critical applications are modified
We are confident that our program will meet all of our needs
(*) Need help? See the Ownership and Classification training module on Executive Blueprints.
-
Review Risk Mgmt Process
Have we adequately identified our critical information assets?
Have we analyzed our ability to protect our proprietary information?
Have we provided for adequate protection?
Have we considered needs and opportunities to enhance our procedures?
Have we gained the support of all employees to protect our assets?
-
About Executive Blueprints, Inc
Business Consulting Professionals: affiliated consultants with years of executive business management and real-life experience and success.
Characterized by a passion for learning and talent for teaching. We consolidate experience and relevant information into seminars, self-paced tutorials, coaching and targeted support projects to accommodate the demands of modern management.
www.ExecutiveBlueprints.com
-
BizRolodex of Discounts
Executive Coaching
Business Consulting
Travel Tips
and the list keeps growing
Go to www.ExecutiveBlueprints.com for
Calendar of Seminars
Case Studies
Training Tools
electronic Books
Email Newsletter
Executive Blueprints is designed and managed by business leaders, with input and suggestions from business leaders, to support the efforts of current and future business leaders.
Get connected, share your knowledge and learn from the experience of other successful executives.
So much more from www.ExecBlue.com