
Post on 17-Jul-2020


A risk-based approach to delivering a customer-centric, ‘enterprise’ patch and vulnerability management system

STREAM Integrated Risk Manager Risk management made simple

Richard Mayall richard.mayall@acuityrm.com

Partner, Acuity Risk Management

Deniz Kucukreisoglu deniz.kucukreisoglu@cgi.com

Information Security & Risk Management Solutions Advisor, CGI

Some of our Customers

Typical Customer requirements

GRC Key Components

…and supporting processes

Overview

Introductions

Business requirement for effective Patch & Vulnerability management

How we built the system using STREAM

Highlights, lessons learned & next steps…

Summary and questions…

Your presenters…

Richard Mayall

30 years' experience in software engineering, information security and risk management

Responsible within Acuity for integrated content development projects for our STREAM Enterprise customers

Deniz Kucukreisoglu

16 years' Information Security experience

Previous clients include…

Specific experience of custom security solutions and risk management methodologies for clients to enhance the value that a security function adds to the business

Background

A Public Services Entity…

Characteristics

Large Legacy Asset Infrastructure

Distributed & Complex Business Functions…

We have this problem

Hard to determine Patching Priority & Risk Status…

How we solved it

Model environment & Infrastructure accurately

Bring clarity to areas of Business Risk

We’d used STREAM previously…

The requirement was…

How model was developed…

Modelling context

The business environment

Primary Group:

Production

Pre-Production

Test & Development

Secondary Group:

System Test

BAU Development

DR

Sandpit

Etc.

STREAM Tree structure…

Asset Classes

Model: Asset types, groups & classes

HW

FW

MW

VW

SC / SS

OC / OS

AK / AS

Notification-Processing-Rollout

NPR stages

NPR assessment scheme

User workflow – Process Steps

User workflow - Acquire

[Slide diagram: vulnerability records (VULs) being acquired into the model]

User workflow - Prepare

[Slide diagram labels: 1_Env, PAT, VUL]

User workflow - Inject

[Slide diagram labels: VULs, PATs, THREAT, CONTROL]

User workflow – Set-up

User workflow – Use (NPR)

User workflow - Exploit

Tools Integration

Risk-Based Approach

Primary Assets vs Secondary Assets

Example Primary Assets

[Slide diagram: example primary assets, shown as business functions grouped under the core systems SAP, Siebel, SMS, S.P., Gov., Audit, VENUS Finance and SERIAL, together with the stakeholder groups they serve.]

Business functions shown: General Ledger, Cost Centre/Internal Order Accounting, Cash Journal Accounting, Project Accounting, Financial Statements, Reporting, Expenses, Invoicing, Bank Accounting, Planning & Budgeting, Applications, Bespoke Product, Assignment, Payment Request, Refurbishment/Maintenance, Returns, Contact Mgt, Activities, Case Mgt, HR Admin, Staff Mgt, Time & PACE, Project Planning, Project Execution, Time & Expense Recording, Sourcing, Requisition, Purchasing, Goods Receipt, Invoice Verification, Generation, Finance, Product Sale, Case & Client Mgt, HR Special Projects, Procurement, Product Registration, SRV Registration, Fixed Assets, Accounts Payable, Cost Allocation, Resource Planning, Accounts Receivable, Product Mgt, Product Performance Monitoring, Trading & Transfer.

Stakeholder groups shown: Users, 3P Agents, Credit Card, Special Customers, Bank EFT, Vendors, External Compliance, External Audit, VAT Returns, Payroll, Benefits, Pensions, Staff Member, Conglomerates, Locals, Client VVIP, Client VIP, Clients N, Consumers.

Business Topology

Siebel

SMS

SAP

S.P.

Internal Governance & Audit

Risk Mgt Governance

Compliance & Audit (IG&A)

Drillable Dashboard Interface

Initial / Inherent Risk View

Identify / Assess Primary Assets

Impact & Likelihood Assessment

Risks Assessed

Residual Risk View

Optional Risk Appetite View

Top Ten Risks

Lessons Learned

Brings clarity of understanding of the Information Systems environment

Solution-based approach encourages consistent naming, accurate modelling, etc.

Asset-based approach enhances understanding of potential business impacts

Assessing C, I and A impacts separately helps to align with key Standards such as ISO 27001

Provides Actionable Intelligence for senior managers

Summary of Benefits

Acuity Risk Management LLP

Liberty House

222 Regent Street

+44 20 7297 2086

London

W1B 5TR

www.acuityrm.com


CGI UK Ltd.

Chaucer House, Springfield Drive

Leatherhead, Surrey, KT22 7LP

www.cgi-group.co.uk

+44 (0) 1372 369579
