TRANSCRIPT
Addressing Complex Security Threats Through Risk Management
EDUCAUSE Security Professionals Conference
May 6, 2008
Rebecca J. Whitener, CPA, CIA, CISA, CFE, Former Vice President and Chief Risk Officer, EDS
There are complex issues impacting business, government and higher education
“… each new wave of technology will make obsolete existing information security measures - increasing security exposures in new and legacy environments”
Gartner
Advances in technology create new exposures
Organizations of all types are susceptible to these threats…
[Slide graphic: a mock newspaper front page dated April 2, 2001 (“FINAL” edition) with the headline ‘“Your Company” a victim of Cyberspace crime again. Third time in Two Weeks. Could it have been prevented?’ and an “Online Attacks” bar chart for 1998 to 2002; the remaining text on the page is filler copy.]
Washington Post
226,874,657 records containing sensitive personal information involved in security breaches in the U.S. since January 2005
Privacy Rights Clearinghouse, www.privacyrights.org, updated through May 4, 2008
2007 marked a significant change for information security incidents occurring at colleges and universities around the world as reported in the news
A sample of the information in the Educational Security Incidents (ESI) Year in Review - 2007:
Total Number of Incidents: 139 (67.5% increase over 2006)
Total Number of Institutions Affected: 112 (72.3% increase over 2006)
The ESI Year in Review - 2007 ◦ By Adam Dodge - Posted on February 10th, 2008
Educational Security Incidents – 2007 *
Standard mode of operation for adverse event responses is becoming increasingly ineffective
Reactive - response to an event
IT driven, based on assessments of vulnerabilities
Generally NOT: pro-active, focused on resilience, cross-functional, or built upon a comprehensive “Risk” assessment
Enterprise Risk Management is emerging in response to these complex challenges*
Driving forces (source: Forrester): Governance, Disasters, Regulatory actions
These forces are leading to an increase in the need for a comprehensive view of enterprise-wide risks and the emergence of a new role – the Chief Risk Officer.
Traditional - Focus on business line processes, internal controls
Enterprise-wide Coordination - CRO, Audit, General Counsel or cross-functional team develops a common direction for Governance, Risk and Compliance (GRC)
Move to Increased Monitoring and Reporting
Analysis - Collection and evaluation of data helps determine the impact and likelihood of risk events
Aggregation and Integration - Full integration into cross-functional processes and technologies
Stages of Enterprise Risk Management
“…many business experts believe that the concept of a cross-functional convergence of these activities (Governance, Risk and Compliance) represents a progressive approach in this area, and is quickly replacing the traditional fragmented or silo mentality.”
The Corporate Defense Continuum, Risk and Compliance, Sean Lyons, 1/23/2007
Traditional silo-based → Cross-functional coordination → True risk resiliency
Governance, Risk and Compliance Continuum
ERM objectives include a balance between cost/benefit and opportunity optimization (adverse events on one side, opportunities on the other)
Enterprise Risk Management
ERM implementations are challenging
Why is ERM so complex?
Often requires a “culture” change
It is hard to distinguish ERM from “old fashioned” business management
The approach that works for some companies may not work for others
ERM models are about estimating the impact and likelihood of risk events
The risk environment includes the behavior of people (difficult to predict)
Each “Risk” being considered within an ERM model is often highly dependent upon context
The complexity of the task requires an effective strategy
“… protecting the complex, technology-dependent, globally focused organization today is still in the hands of organizational structures and methods that were developed before the commercial computer age – let alone the network age. … Given this and the “silo” development of operational risk functions, the compelling question organizations now need to ask is “what constitutes good risk management?” BRG, 2005
Weak or non-existent cross-functional risk processes → Some well developed processes with gaps → Effective risk models and processes (Desired State)
Any organization’s risk management strategy
Elements of a comprehensive risk management strategy
Risk Issue Identification
Governance and Organization
Status Reporting
Map to Process and Owner
Action Plan Management
Assessment/Measurement
Culture and Awareness
Context is Critical
ERM framework & standards are available
COSO = Committee of Sponsoring Organizations
Risk Management Framework (diagram): Risk Management Context, Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, Monitor and Report, with Risk Governance, Awareness and Communications surrounding the cycle
Based on AS/NZS 4360: Australian/New Zealand Standard® Risk Management
Collaborate on strategy
◦ Cross functional input from legal, audit, CRO, CFO, CSPO, risk owners
Identify and classify relevant compliance requirements as they relate to:
◦ Strategic, Financial, Operational, Technology objectives
Assess impact, assign confidence ranking
◦ Identify impact/likelihood of adverse events on corporate objectives
◦ Assess inherent risks of noncompliance
◦ Assess risks remaining after mitigations
◦ Plot risks on risk map
Focus on areas with highest concerns
◦ Risks are not equally important
◦ Focus on those high and to the right
Prioritization of Risks
(Risk map: Impact on the vertical axis, Likelihood on the horizontal axis, High Focus Risks in the upper right)
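A worked version of the prioritization steps above, added here as an illustration and not taken from the presentation: a constructed risk register is scored on impact and likelihood (a constructed 1 to 5 scale), inherent before mitigation and residual after, plotted on a text risk map, and the risks “high and to the right” are selected for focus.

```python
# Added illustration of the prioritization steps above (not from the original talk).
# Constructed scale and register: impact and likelihood scored 1-5, inherent and residual.
from dataclasses import dataclass

@dataclass
class Risk:
    rid: str
    name: str
    objective: str           # Strategic, Financial, Operational or Technology
    inherent: tuple          # (impact, likelihood) before mitigation
    residual: tuple          # (impact, likelihood) after existing mitigations
    confidence: str          # confidence ranking assigned to the assessment
FOCUS_THRESHOLD = 4          # constructed cut-off for "high and to the right"

def score(cell):
    impact, likelihood = cell
    return impact * likelihood

def mitigation_effect(risk):
    """Score reduction achieved by existing mitigations (inherent minus residual)."""
    return score(risk.inherent) - score(risk.residual)

def high_focus(risks, threshold=FOCUS_THRESHOLD):
    """Residual risks in the upper-right region of the map, most severe first."""
    picked = [r for r in risks if min(r.residual) >= threshold]
    return sorted(picked, key=lambda r: score(r.residual), reverse=True)

def render_map(risks, size=5):
    """Text risk map of residual risk: impact vertical, likelihood horizontal."""
    cells = {}
    for r in risks:
        cells.setdefault(r.residual, []).append(r.rid)
    rows = []
    for impact in range(size, 0, -1):
        row = [",".join(cells.get((impact, lk), [])) or "." for lk in range(1, size + 1)]
        rows.append(f"impact {impact} |" + "|".join(f"{c:^7}" for c in row) + "|")
    rows.append(f"          likelihood 1 .. {size}  (focus: high and to the right)")
    return "\n".join(rows)

# Constructed sample register for a campus IT environment
REGISTER = [
    Risk("R1", "Unencrypted laptop holding student records is lost", "Operational", (5, 4), (5, 4), "high"),
    Risk("R2", "Internet-facing student information system left unpatched", "Technology", (5, 4), (3, 2), "medium"),
    Risk("R3", "Privacy-law non-compliance in data sharing agreements", "Strategic", (4, 3), (4, 2), "medium"),
    Risk("R4", "Extended campus power outage", "Operational", (3, 3), (2, 2), "high"),
]
if __name__ == "__main__":
    print(render_map(REGISTER))
    for r in high_focus(REGISTER):
        print(f"FOCUS {r.rid}: {r.name} (residual score {score(r.residual)}, confidence {r.confidence})")
```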
Scenario Planning
Consideration of events or outcomes that could reasonably occur - not necessarily based on historical data.
Gathered through Brainstorming with “what if’s”.
Involves environmental scanning, predictive analysis, cross-functional input from multiple sources.
Creates circumstances to judge “preparedness”.
Addresses impact and likelihood.
Root Cause Analysis
Root cause analysis helps identify what, how and why something happened, thus preventing recurrence.
Root causes are underlying, are reasonably identifiable, can be controlled by management and allow for generation of recommendations.
The process involves data collection, cause charting, root cause identification and recommendation generation and implementation.
By directing corrective measures at root causes, it is hoped that the likelihood of problem recurrence will be minimized.
Two risk assessment tools
Every company tailors its ERM program based on its specific needs…
◦ A common element is that day-to-day risk management decisions are made at every level in the organization.
Any organization concerned with successfully operationalizing ERM must ensure that its people…
◦ Understand ERM concepts
◦ Understand how to carry out their responsibility… acting in accordance with any defined ERM principles.
The role of “People” in ERM
Organizational culture
Not linked to any unique sanction, reward or incentive
Complexity of the ERM process itself
Cost/benefit constraints
Expertise
Dynamic nature of managing risks
Cross functional differences
Roadblocks to getting people to act in accordance with ERM principles
“A successful CRO does not command from above. They set a framework for risk management, while day-to-day decisions on what is or isn’t an acceptable risk falls to managers and employees in the frontline of business.”
Economist Intelligence Unit
Overcoming ERM obstacles to decision makers
Clarify objectives
Communicate (top down and bottom up)
Include and involve in all aspects of ERM program
Create performance metrics and expectations
Factor in emotions
New Enemies: terrorists, professionals with different motivations, man-made and natural events
Posing New Threats: real time, context aware activity, instantaneous, multiple sources, catastrophic impact
Requiring New Solutions: moving from reactive to proactive; adaptive, responsive to context; based on risk assessment
The future will require an increasing focus on:
Board and Executive Management Support
Common risk language and concepts
Communication about risk using appropriate channels
Development of training programs for risk management
Development of a knowledge-sharing system
Built into performance expectations
Identification of cross-functional "risk champions"
Organizations will need a comprehensive “Risk” focus…
Goal is to create a risk culture where people consciously take risk into consideration in decision-making at all levels of the organization