Post on 17-Jul-2020
A risk-based approach to delivering a customer-centric, ‘enterprise’ patch and vulnerability management system
STREAM Integrated Risk Manager: Risk management made simple
Richard Mayall richard.mayall@acuityrm.com
Partner, Acuity Risk Management
Deniz Kucukreisoglu deniz.kucukreisoglu@cgi.com
Information Security & Risk Management Solutions Advisor, CGI
Typical Customer requirements
GRC Key Components
…and supporting processes
Overview
Introductions
Business requirement for effective Patch & Vulnerability management
How we built the system using STREAM
Highlights, lessons learned & next steps…
Summary and questions…
Your presenters…
Richard Mayall
30 years experience in software engineering, information security and risk management
Responsible within Acuity for integrated content development projects for our STREAM Enterprise customers
Deniz Kucukreisoglu
16 years Information Security experience
Previous clients include…
Specific experience of custom security solutions and risk management methodologies for clients, to enhance the value that a security function adds to the business
Background
A Public Services Entity…
Characteristics
Large Legacy Asset Infrastructure
Distributed & Complex Business Functions…
We have this problem
Hard to determine Patching Priority & Risk Status…
How we solved it
Model environment & Infrastructure accurately
Bring clarity to areas of Business Risk
We’d used STREAM previously…
The requirement was…
How model was developed…
Modelling context
The business environment
Primary Group:
Production
Pre-Production
Test & Development
Secondary Group:
System Test
BAU Development
DR
Sandpit
Etc.
STREAM Tree structure…
Asset Classes
Model: Asset types, groups & classes
HW
FW
MW
VW
SC / SS
OC / OS
AK / AS
Notification-Processing-Rollout
NPR stages
NPR assessment scheme
User workflow – Process Steps
User workflow - Acquire
User workflow - Prepare
User workflow - Inject (diagram labels: VULs, PATs, THREAT, CONTROL)
User workflow – Set-up
User workflow – Use (NPR)
User workflow - Exploit
Tools Integration
Risk-Based Approach
Primary Assets vs Secondary Assets
Example Primary Assets (diagram): business applications (SAP, Siebel, SMS, S.P., Gov., Audit, VENUS Finance, PACE, SERIAL, SRV, bespoke products) mapped to business functions (general ledger, accounting, financial statements and reporting, invoicing, planning & budgeting, purchasing and goods receipt, HR admin and staff management, project planning and execution, time & expense recording, case and client management, product registration and sales, fixed assets, accounts payable/receivable) and to stakeholder groups (users, third-party agents, credit card and special customers, bank EFT, vendors, external compliance and audit, VAT returns, payroll, benefits, pensions, staff members, conglomerates, locals, VVIP/VIP clients, consumers)
Business Topology
Business Topology (diagram): Siebel, SMS, SAP, S.P.; Internal Governance & Audit (IG&A): Risk Mgt Governance, Compliance & Audit
Drillable Dashboard Interface
Initial / Inherent Risk View
Identify / Assess Primary Assets
Impact & Likelihood Assessment
Risks Assessed
Residual Risk View
Optional Risk Appetite View
Top Ten Risks
Lessons Learned
Brings clarity of understanding of the Information Systems environment
Solution-based approach encourages consistent naming, accurate modelling, etc.
Asset-based approach enhances understanding of potential business impacts
Assessing C, I and A impacts separately helps to align with key Standards such as ISO 27001
Provides Actionable Intelligence for senior managers
Summary of Benefits
Acuity Risk Management LLP, Liberty House, 222 Regent Street, London W1B 5TR
+44 20 7297 2086, www.acuityrm.com
CGI UK Ltd., Chaucer House, Springfield Drive, Leatherhead, Surrey, KT22 7LP
+44 (0) 1372 369579, www.cgi-group.co.uk