Integrating Enterprise Risk Management and IT Security “an architect’s view”

Presented by Stan Dormer, B.Sc., FIIA, Director of Education & Training Services, MindGrove Ltd

Posted 14-Jan-2016 (37 pages)

TRANSCRIPT

Page 1

Integrating Enterprise Risk Management and IT Security “an architect’s view”

Presented by Stan Dormer, B.Sc., FIIA, Director of Education & Training Services

MindGrove Ltd

Page 2

© 2007 MindGrove

ERM and IT Security… Notions for this session

Enterprise Risk Management – technology implications of the COSO ERM model

Using structured and pre-defined Control Objectives to manage Enterprise Technology Risks – COBIT

Using risk to join ERM and Technology Risks: from mission statement to business objectives; from business objectives to risk; from risk to control objectives

Ensuring your security architecture maps onto your business risk model

Page 3

IT Security - Backdrop

Page 4

The power to perform

Processor                      Year    Transistors
4004                           1971          2,250
8008                           1972          2,500
8080                           1974          5,000
8086                           1978         29,000
286                            1982        120,000
Intel386™ processor            1985        275,000
Intel486™ processor            1989      1,180,000
Intel® Pentium® processor      1993      3,100,000
Intel® Pentium® II processor   1997      7,500,000
Intel® Pentium® III processor  1999     24,000,000
Intel® Pentium® 4 processor    2000     42,000,000
Intel® Itanium® processor      2002    220,000,000
Intel® Itanium® 2 processor    2003    410,000,000
Intel® Dual Core processor     2006  1,200,000,000

Page 5

Yesterday and Today

1 calculation per second – add up the items in a shopping list

300 calculations per second – calculate the trajectory of a shell

70,000,000,000,000 calculations per second – forecast the weather for our planet

Page 6

I contribute to good governance by examining the organisation’s plans for business continuity

But fact – security is the biggest issue

Page 7

Reactivity to IT Security is typically ad-hoc

We fix IT Security problems after the event

We don’t integrate IT Security into the foundations of the organisation’s risk management culture

The outcome is an ad-hoc risk-control structure

Page 8

Enterprise Risk Management – technology implications of the COSO ERM model

Page 9

COSO

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 10

An organisation’s objectives are defined by its context

Horologique Industries defines first its Mission Statement, which leads to Core Objectives

Mission: "To produce the most desirable timepieces in the world"

Objective: to create the most elegant and enduring designs

Objective: to create timepieces that are accepted as innovative

Objective: to create timepieces that will last for more than one hundred years

Objective: to create timepieces that meet the highest standards of quality

Objective: to create timepieces with unrivalled precision and accuracy

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 11

COSO

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 12

And its objectives are threatened by risk

Horologique Industries defines first its Mission Statement

Mission: "To produce the most desirable timepieces in the world"

Objective: to create the most elegant and enduring designs

Objectives lead to the definition of threats

Risk: Danger of misinterpreting customer requirements

Risk: Danger of creating timepieces too expensive for client budgets

Risk: Danger of losing innovative lead

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 13

COSO

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 14

And because of this we deploy controls

Horologique Industries defines first its Mission Statement

Mission: "To produce the most desirable timepieces in the world"

Objective: to create the most elegant and enduring designs

Risk: Danger of misinterpreting customer requirements

Risk leads to the definition of risk-mitigating controls

Control: Conduct Market Surveys

Control: Follow competitors’ designs

Control: Consult with existing customers

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 15

Many of the risks that threaten objectives are IT Security problems

Horologique Industries defines first its Mission Statement, which leads to Core Objectives

Mission: "To produce the most desirable timepieces in the world"

Objective: to create the most elegant and enduring designs

Objectives lead to the definition of threats

IT Security Risk: New designs held in electronic systems are destroyed, altered or copied by insiders or outsiders

Control: IT Security defences against outsiders

Control: IT Security defences against insiders

So the COSO ERM model is just as relevant to the examination of the impact of IT Security risks as any other risk

Page 16

But IT Security risks are typically abstracted directly from IT Security goals

So we tend to model IT Security risk independently of the remainder of business risk, losing context and connections to objectives along the way

IT Security Risk: Data held in electronic systems are destroyed, altered or copied by insiders or outsiders

Control: IT Security defences against outsiders

Control: IT Security defences against insiders

Confidentiality, Integrity, Accountability – of what, to what?

Page 17

Using structured and pre-defined Control Objectives to manage Enterprise Technology Risks – COBIT

Page 18

The organisation’s context and objectives

MISSION: To be the international delivery service of first resort

OBJECTIVE: The widest range of delivery options

OBJECTIVE: The smartest tracking system

OBJECTIVE: The fastest delivery

OBJECTIVE: The most reliable delivery

Operational Objective

Page 19

Objective dependent on IT

MISSION: To be the international delivery service of first resort

OBJECTIVE: The widest range of delivery options

OBJECTIVE: The smartest tracking system

OBJECTIVE: The fastest delivery

OBJECTIVE: The most reliable delivery

IT ENABLED

Page 20

Data integrity as a threat to the business objective

MISSION: To be the international delivery service of first resort

OBJECTIVE: The widest range of delivery options

OBJECTIVE: The smartest tracking system

OBJECTIVE: The fastest delivery

OBJECTIVE: The most reliable delivery

IT ENABLED

THREAT TO OBJECTIVE THROUGH DATA INTEGRITY LOSS

Page 21

COBIT

Page 22

COBIT 4.0 suggests that a risk is tempered by drawing down best-practice control structures

MISSION: To be the international delivery service of first resort

OBJECTIVE: The widest range of delivery options

OBJECTIVE: The smartest tracking system

OBJECTIVE: The fastest delivery

OBJECTIVE: The most reliable delivery

IT ENABLED

THREAT TO OBJECTIVE THROUGH DATA INTEGRITY FAILURE

Define the Information Architecture
PO2.1 Enterprise Information Architecture Model
PO2.2 Enterprise Data Dictionary and Data Syntax Rules
PO2.3 Data Classification Scheme
PO2.4 Integrity Management

Application Controls
Data Origination/Authorisation Controls
AC1 Data Preparation Procedures
AC2 Source Document Authorisation Procedures
AC3 Source Document Data Collection
AC4 Source Document Error Handling
AC5 Source Document Retention
Data Input Controls
AC6 Data Input Authorisation Procedures
AC7 Accuracy, Completeness and Authorisation Checks
AC8 Data Input Error Handling
Data Processing Controls
AC9 Data Processing Integrity
AC10 Data Processing Validation and Editing
AC11 Data Processing Error Handling
Data Output Controls
AC12 Output Handling and Retention
AC13 Output Distribution
AC14 Output Balancing and Reconciliation
AC15 Output Review and Error Handling
AC16 Security Provision for Output Reports
Boundary Controls
AC17 Authenticity and Integrity
AC18 Protection of Sensitive Information During Transmission and Transport

Page 23

COSO ERM using predefined guidance

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

When there is a risk to the organisation through IT, draw down relevant IT Security and Control guidance from COBIT

Page 24

COBIT 4.0

COBIT is an IT governance framework that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations.

COBIT® 4.0 emphasises regulatory compliance, helps organisations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

Page 25

Using risk to join ERM and Technology Risks: from mission statement to business objectives; from business objectives to risk; from risk to control objectives

Page 26

Mission and Objectives

MISSION: To provide the best banking experience

OBJECTIVE: The widest range of financial products

OBJECTIVE: The best customer service system

OBJECTIVE: The most equitable charges from any European Bank

OBJECTIVE: The most secure on-line home banking systems

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 27

Objectives / Risks

MISSION: To provide the best banking experience

OBJECTIVE: The widest range of financial products

OBJECTIVE: The best customer service system

OBJECTIVE: The most equitable charges from any European Bank

OBJECTIVE: The most secure on-line home banking systems

Risk: Customer Alienation, arising from:

Inadequate or poor response to query

Production of incorrect Account Statement

Poor quality support materials

Failure to keep promise

Mis-interpretation of financial product requirement

Excessive volume of sales calls

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 28

Objectives / Risks in more detail

Risk: Customer Alienation, through inadequate or poor response to query, arising from:

Customer provides incorrect or bogus data, or system fails to securely access existing information

Staff misunderstand question

Response required is not flagged, or follow-up system does not operate as intended

Page 29

Risks / Controls

Risk: Customer Alienation, through inadequate or poor response to query, arising from:

Customer provides incorrect or bogus data, or system fails to securely access existing information

Staff misunderstand question

Response required is not flagged, or follow-up system does not operate as intended

Control objectives:

Objective: Design and maintain the IT Security infrastructure to support customer services and provide a secure interface through which we can integrate customer help services with existing back office systems

Objective: Record all staff conversations and transactions with customers and use these to monitor staff competence and to train staff to answer queries accurately and to maintain their competence over time

Objective: Design and operate an IT follow-up system to follow up and respond to all queries initiated by the customer to reduce the likelihood of not following up a request or fulfilling our promises

Objective: Design and operate IT data and security controls to reduce and mitigate the likelihood of capturing or accepting the wrong customer information or one customer posing as another

Page 30

Objectives / Risks / Controls

MISSION: To provide the best banking experience

OBJECTIVE: The widest range of financial products

OBJECTIVE: The best customer service system

OBJECTIVE: The most equitable charges from any European Bank

OBJECTIVE: The most secure on-line home banking systems

Risk: Customer Alienation, arising from: Inadequate or poor response to query; Production of incorrect Account Statement; Poor quality support materials; Failure to keep promise; Mis-interpretation of financial product requirement; Excessive volume of sales calls

Control objectives for "Inadequate or poor response to query":

Objective: Design and maintain the IT Security infrastructure to support customer services and provide a secure interface through which we can integrate customer help services with existing back office systems

Objective: Record all staff conversations and transactions with customers and use these to monitor staff competence and to train staff to answer queries accurately and to maintain their competence over time

Objective: Design and operate an IT follow-up system to follow up and respond to all queries initiated by the customer to reduce the likelihood of not following up a request or fulfilling our promises

Objective: Design and operate IT data and security controls to reduce and mitigate the likelihood of capturing or accepting the wrong customer information or one customer posing as another

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 31

Ensuring your security architecture maps onto your business risk model

Page 32

Forex Bank

Mission and Objectives: Forex Bank defines first its Mission Statement

Mission: "To be the most profitable FOREX trader in the world"

Objective: To innovate new trading systems (Strategic objective)

Objective: To trade within the rules set by Bank of England (Compliance objective)

Objective: To trade securely through electronic systems (Operational objective)

Objective: To monitor trades and provide early warning of bad positions (Reporting objective)

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 33

Risk Analysis / Controls

Objective: To trade securely through electronic systems

Objective: Design and operate Software security controls so that only identified authorised traders can operate within the facility

Objective: Design and operate tracking security controls so that all trades can be monitored and reviewed

Objective: Design and operate Physical security controls so that only authorised traders can gain entry to the facility

[COSO ERM cube: components Internal Environment - Context, Objectives, Event Identification, Risk Assessment, Risk Response, Controls, Communications, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; levels Company, Division, Unit, Entity]

Page 34

Objective: To trade securely through electronic systems

Objective: Design and operate Software security controls so that only identified authorised traders can operate within the facility

Objective: Design and operate tracking security controls so that all trades can be monitored and reviewed

Objective: Design and operate Physical security controls so that only authorised traders can gain entry to the facility

Use of multi-layer formal architectural modelling approach to ensure integrated and effective business fit

Architecture layers: Conceptual Architecture; Logical Architecture; Component Architecture; Operational Architecture

[Architecture diagram; entities in the model, each with an Entity Description: Objective - Operational - Trading will occur under controlled and monitored conditions; Trading room security; Multifactor security - Physical / Logical / Software Surveillance; Physical Access (Registration / Deregistration, Admission control, Recording of Access); Logical Access; Software Tracking of Trades; Entry Mechanism - Stather's Digital Proximity Lock]
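The chain these slides walk through (mission to objectives, objectives to risks, risks to controls, with IT security risks drawing down COBIT control objectives on page 23 and the control-objective mapping on pages 29 and 30) can be held as data and checked for breaks. The following is an added example, not part of the presentation: the class and field names are this example's own, the sample mission is the slides' delivery service, and the risks and controls attached to it are constructed, two of them deliberately incomplete so the trace shows gaps.

```python
# Added example, not from the presentation: the slides' mission -> objectives
# -> risks -> controls chain, with IT security risks drawing down COBIT control
# objectives, as a small data model plus a traceability check. Class and field
# names are this example's own; the sample mission is the slides' delivery
# service, the risks and controls attached to it are constructed.
from dataclasses import dataclass, field
from typing import List

# COBIT 4.0 control objectives quoted on the slides (page 22).
COBIT = {"PO2.4": "Integrity Management",
         "AC7": "Accuracy, Completeness and Authorisation Checks",
         "AC9": "Data Processing Integrity",
         "AC17": "Authenticity and Integrity"}

@dataclass
class Control:
    text: str
    cobit: List[str] = field(default_factory=list)  # drawn-down guidance refs

@dataclass
class Risk:
    text: str
    it_security: bool  # is this an IT security risk?
    controls: List[Control] = field(default_factory=list)

@dataclass
class Objective:
    text: str
    category: str  # COSO category: strategic / operations / reporting / compliance
    it_enabled: bool = False
    risks: List[Risk] = field(default_factory=list)

@dataclass
class Mission:
    text: str
    objectives: List[Objective] = field(default_factory=list)

def trace_gaps(mission: Mission) -> List[str]:
    """List every break in the mission -> objective -> risk -> control chain."""
    gaps = []
    for obj in mission.objectives:
        if not obj.risks:
            gaps.append(f"no event identification for objective '{obj.text}'")
        if obj.it_enabled and not any(r.it_security for r in obj.risks):
            gaps.append(f"IT-enabled objective '{obj.text}' has no IT security risk assessed")
        for risk in obj.risks:
            if not risk.controls:
                gaps.append(f"no risk response for risk '{risk.text}'")
            # IT security risks should cite pre-defined guidance, not ad-hoc controls
            for ctl in (risk.controls if risk.it_security else []):
                bad = [c for c in ctl.cobit if c not in COBIT]
                if not ctl.cobit or bad:
                    gaps.append(f"control '{ctl.text}': COBIT reference missing or unknown {bad}")
    return gaps

def build_delivery_model() -> Mission:
    """Constructed sample: two objectives fully traced, two with deliberate gaps."""
    integrity = Risk("Loss of tracking data integrity", it_security=True, controls=[
        Control("Validate and reconcile tracking updates", ["AC7", "AC9"]),
        Control("Authenticate scanner feeds in transit", ["AC17", "PO2.4"])])
    return Mission("To be the international delivery service of first resort", [
        Objective("The widest range of delivery options", "strategic",
                  risks=[Risk("Options not matched to demand", False,
                              [Control("Customer survey programme")])]),
        Objective("The smartest tracking system", "operations", it_enabled=True,
                  risks=[integrity]),
        Objective("The fastest delivery", "operations"),  # gap: no risk identified
        Objective("The most reliable delivery", "operations", it_enabled=True,
                  risks=[Risk("Late hand-over at hubs", False)])])  # gap: no control

if __name__ == "__main__":
    print(*trace_gaps(build_delivery_model()), sep="\n")
```

Running it lists the three constructed breaks: an objective with no risk identified, an IT-enabled objective with no IT security risk assessed, and a risk with no control; a fully traced model returns an empty list.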

Page 35

ERM and IT Security… Notions for this session

Enterprise Risk Management – technology implications of the COSO ERM model

Using structured and pre-defined Control Objectives to manage Enterprise Technology Risks – COBIT

Using risk to join ERM and Technology Risks: from mission statement to business objectives; from business objectives to risk; from risk to control objectives

Ensuring your security architecture maps onto your business risk model

Page 36

Retrieve presentation from www.mindgrove.co.uk, on the members’ page of the resources section

Page 37

Integrating Enterprise Risk Management and IT Security “an architect’s view”

Presented by Stan Dormer, B.Sc., FIIA, Director of Education & Training Services

MindGrove Ltd