Simon Oxley, Managing Director, Citicus Limited, London (www.citicus.com)

Information risk and compliance management: an approach based on real-world statistics
Posted 19-Dec-2015 (Category: Documents)

Page 1: Simon Oxley Managing Director Citicus Limited, London  Information risk and compliance management An approach based on real-world statistics.

Simon Oxley, Managing Director, Citicus Limited, London, www.citicus.com

Information risk and compliance management

An approach based on real-world statistics

Page 2

Copyright © Citicus Limited, 2006. All rights reserved. Ref R112PP

Citicus in risk and compliance management

Founders worked with the Information Security Forum, notably on risk assessment/management projects (eg SPRINT, Security Status Survey, FIRM)

Citicus was formed in 2000 to automate the FIRM methodology and extend it to a full risk and compliance management capability

Continuing relationship with the ISF (eg on IRAM and FIRM development)

[Logo panels: Recognition; Selected customers; Partners]

Page 3

Governance and compliance initiatives

The regulatory pressure is increasing through a bewildering range of initiatives:

Treadway, Basel 2, OECD, Cadbury, Hampel, Turnbull, Higgs, HIPAA, Sarbox, GLBA, FFIEC, COSO, ISO27001

A common theme is risk management

Page 4

How information risk influences other business risks

Market risk (ie factors beyond the control of management such as interest and currency rates). Information needed to manage it: borrowings and investment positions; projected rates of interest; projected cash flows; external developments.

Financial risk (eg uncertainties about projected earnings or expenditure). Information needed to manage it: sales forecasts; forecast expenditure; actual sales and expenditure; key variances.

Operational risk (eg information risk, theft, fraud, loss of facilities or key employees). Information needed to manage it: information risk status reports; identity of key assets (equipment, facilities and employees); status of continuity arrangements.

Information risk is an increasingly important component of operational risk.

Information risk intensifies all business risks, since information is needed to manage each one.

Page 5

What is ‘information risk’ exactly?

Information risk is the chance or possibility of harm being caused to your organization as a result of a loss of the confidentiality, integrity or availability of information

‘Chance or possibility’ refers to the probability of suffering harm; ‘harm’ refers to the nature and level of harm; confidentiality, integrity and availability are the 3 key properties of information to be protected.

Information exists in varying forms: held in people’s heads; communicated face-to-face; recorded in deeds and other securities; entered into, stored, processed, transmitted and presented via IT. The method of protection depends on the form taken by information.

Page 6

The chance or possibility of suffering incidents is high

[Bar chart: average number of incidents suffered over a year, scale 0 to 300] Information resources with controls in good, all-round condition: 135. Information resources with controls NOT in good, all-round condition: 259.

Citicus analysis of some 210,000 incidents affecting 844 information resources covered by the Information Security Forum’s 2000-2002 Security Status Survey.

The average number of incidents suffered a year is halved when controls are in ‘good, all-round condition’

Page 7

Controls that are in ‘good, all-round condition’ reduce the probability of experiencing MAJOR incidents by more than a factor of three

Analysis of incidents affecting 654 information resources covered by the Information Security Forum’s 2003-2004 Security Status Survey.

Good controls slash the odds of suffering major incidents

[Bar chart: % of information resources that suffered a major incident over a year, scale 0% to 75%] Information resources with controls in good, all-round condition: 10%. Information resources with controls NOT in good, all-round condition: 58%.

Page 8

Good controls lead to big savings

[Bar chart: average financial impact of worst-case incidents suffered over a year, scale $0m to $1.0m] Information resources with controls in good, all-round condition: $0.05m. Information resources with controls NOT in good, all-round condition: $0.74m.

Analysis of 244 worst-case incidents for which financial data was provided, covered by the Information Security Forum’s 2000-2002 Security Status Survey.

Controls that are in ‘good, all-round condition’ dramatically reduce the financial impact of worst-case incidents

These statistics clearly show that the frequency and impact of incidents affecting IT systems can be managed down by getting controls into good all-round condition.

This is an attainable target: most typical systems have significant weaknesses, but they can be identified and corrected with little effort.

Page 9

Getting information risk under control

[Diagram] Threats to the confidentiality, integrity or availability of information (unintentional or deliberate) act on the business system and its information, causing loss of confidentiality, integrity or availability of information and hence impact on the business. Arrangements for protecting information, shaped by business (including security) requirements, aim to:

Prevent incidents happening, as far as possible (PREVENTION)

Detect incidents that slip through (DETECTION)

Facilitate recovery from incidents (RECOVERY)

Arrangements for protecting information, grouped into ‘FIRM control areas’: Policies and standards; Ownership; Organisation; Risk identification; Awareness; Service agreements; User capabilities; IT capabilities; System configuration; Data back-up; Contingency arrangements; Physical security; Access to information; Change management; Problem management; Special controls; Audit/review.

Page 10

What drives risk down is not statistics; it is behaviour ‘on the ground’ that matters, and that behaviour is determined by management commitment, a driving force for change, and skills, rules and procedures applied ‘on the ground’.

Key components of a good risk and compliance management program: Management commitment; Active ‘driving force’; Sound basic practices ‘on the ground’.

Elements shown on the diagram: Commitment from the top; Individual ‘ownership’; Independent review; Specialist know-how; Clear rules; Systematic risk assessment; Disciplined relationships; Disciplined handling of changes; Operational things ‘done right’; Sound environment; Controlled access to system capabilities; Other obvious risks controlled.

Page 11

What successful experience from case studies shows

Secrets of success from FIRM research and case studies

Secrets of success 1: Be constructive. Get the organisational arrangements right. Gain top management commitment. Keep the fact-gathering simple. Produce meaningful results that capture the attention of busy decision-makers.

Secrets of success 2: Make things personal. Introduce an element of competition. Show incidents are not an inescapable feature of business life. Show where to focus effort. Cause pressure to filter down so it motivates others to act.

These tenets have driven the development of FIRM and Citicus ONE

Page 12

Understanding the downside: what makes risk processes fail?

Key challenges that emerged from FIRM case studies: lack of resources to drive and run programmes; immature processes and reporting structures; inability to measure risk objectively; turf wars between practitioners and competing initiatives; lack of tools; lack of co-operation ‘on the ground’.

Page 13

Managing information risk and compliance enterprise-wide

[Diagram] Citicus ONE sits at the centre, linking top management, the information risk manager, local co-ordinators and the ‘owners’ of information resources (an e-commerce initiative, a wide-area network or LAN, a business application, a computer installation, a systems development activity).

Top management: gain overview of the information risk status of the enterprise; monitor progress towards compliance.

Information risk manager: implement simple but rigorous risk management process; prioritize allocation of scarce resources.

‘Owners’: understand risks in own area of responsibility; manage actions to reduce risk and achieve compliance.

Page 14

A continuous information risk management process

The approach’s 2-phase, constructive evaluation process is designed NOT to beat people up but to encourage success in driving risk down.

A 2-phase, constructive risk management process will help your organization achieve compliance with required practice efficiently:

Dry run: ‘private’ results give ‘owners’ an early warning and an opportunity to improve.

For real: results go to top management, highlighting improvements since last period.

Page 15

A risk scorecard can measure all components of information risk

Each component of information risk is expressed on a common scale (0-100%). The outside edge of the chart indicates the maximum possible risk.

[Radar chart, scale 0% to 100%] Main determinants of risk plotted: Criticality; Control weaknesses and Special circumstances (together labelled Vulnerabilities); Level of threat; Business impact. The chart compares the level of risk posed by this information resource against the level of risk acceptable to top management.

These risk charts highlight where risk is at an unacceptable level and encourage ‘owners’ to take action to drive risk down.

Page 16

Assessing criticality in minutes, in a business-oriented manner

The results of different Criticality assessments can be consolidated into a Criticality league table, providing a risk-oriented inventory of the organization’s information resources.

An ‘owner’ of an information resource can complete a criticality assessment on-line in 15 minutes. It is based on the maximum harm that could be suffered by the enterprise if confidentiality, integrity or availability of information were lost.

Harm scale (from unacceptable harm down to lower levels of harm): Extremely serious harm; Very serious harm; Serious harm; Minor harm; No significant harm. Loss of confidentiality and loss of integrity are rated on this scale; loss of availability is rated against a critical timescale: an hour or less; half a day; a day; 2-3 days; a week; a month.

Page 17

Evaluating information risk and compliance, fully and efficiently

Risk factors can be fully evaluated at 3-hour facilitated i-risk workshops: Criticality; Status of controls; Special circumstances; Experience of incidents; Business impact of incidents.

Workshop participants for an information resource: Business ‘owner’; Application support; Business user or Help desk specialist; IT Operations; Facilitator (eg local co-ordinator).

‘Smart’ compliance checklists enable ‘one-pass evaluations’. They can be completed in full or selectively before, during or after a workshop.

Outputs: Compliance ‘league tables’ (full or selective); Compliance status reports (full or selective); High-level risk status report; Individual risk status report.

Page 18

Compliance status reports provide more detail on controls

Citicus ONE provides an overview of compliance with a customizable set of control areas

Page 19

Consolidated league tables show where the key risks lie

Colour codes indicate the danger posed by each component of risk: Low, Med, High. Table columns: Rank; Information resource; Criticality; Level of threat; Business impact; Control weaknesses; Special circumstances. [The per-component percentage cells are not recoverable from the transcript.]

Top 10 entries: 1 SecurNet (IRS151); 2 Customer data (IRS156); Global email (IRS49); 4 Boston data center (IRS191); 5 London data centre (IRS155); 6 Global intranet (IRS150); 7 Supplier data (IRS124); 8 HQ LAN (IRS67); 9 Pacific data centre (IRS131); 10 Group EIS (IRS148).

Bottom 10 entries: 136 Relationship mgt (IRS156); 137 Group payroll (IRS167); 138 ePurchasing site (ERS160); 139 Prices database (IRS142); 140 UK sales information (IRS12); 141 UK standby net (IRS136); 142 Boston Order Proc. (IRS190); 143 European data centre (IRS46); 144 LaForce site LAN (IRS101); 145 Erland site LAN (IRS42).

Page 20

Using dependency risk maps to evaluate information risk in context

Risk and compliance can be seen in context: Citicus ONE allows you to plot dependency risk maps for critical information resources.

[Dependency map: Citicus ONE; Reference: ABC enterprise dependencies; Basic version; prepared by Sian Alcock, 15-Jan-2003; 1 of 1] Resources shown: London data centre; Group-wide WAN; Group MIS (EIS); Disparate feeder systems; European data centre; SecurNet; Group accounts (consolidation); UK data centre; Global email; UK sales information system; UK production control; UK logistics; Group treasury mgt system.

Key to risk factors: Criticality; Control weaknesses; Special circumstances; Level of threat; Business impact. Key to dependency direction: an arrow from A to B means B depends on A.

Page 21

A league table shows compliance with regulatory requirements

A compliance league table is used to summarize the extent of compliance of different information resources with a specified standard of practice.

This view can be generated at a business process, business unit or enterprise-wide level.

Page 22

Samples of other management aids for decision-making

Full risk monitoring will help you identify: the most common control weaknesses; the most common types of incident; the costs of incidents; the root causes of incidents; successful solutions others can apply.

Collect the facts you need to devise and prioritise your risk reduction and compliance programmes (eg enhanced user training).

[Bar chart: Control weaknesses affecting our business-critical systems. % of information resources where control area is rated weak, scale 0% to 100%. Control areas: Physical security; Data back-up; Awareness; Risk identification; IT capabilities; User capabilities; Contingency arrangements; Ownership; Access to information; Special controls; Audit/review; Problem management; Organisation; System configuration; Change management; Service agreements; Policies and standards.]

[Bar chart: Type of incident affecting our business-critical systems. Number of incidents suffered, scale 0 to 5000. Incident types: Human error; Access violations; Malfunction; Overload; Unforeseen effects of change; Loss of services, equipment etc.]

Page 23

Summarizing the costs / benefits of a risk-based approach to compliance

Costs: running the process (half-time job for a programme manager, plus time required of local co-ordinators and ‘owners’); budget for software, servers maintenance and advisory services, if required.

Business benefits: information risk measured efficiently, reliably and in meaningful business terms; attention focused on business applications and IT infrastructure posing the greatest risk to your enterprise, and weaknesses most commonly in need of improvement; system ‘owners’ equipped and motivated to drive risk down to a level that top management determine to be acceptable; facilitators equipped to carry out evaluations with minimum disruption, to keep track of remediation activity and to report on compliance efficiently. Improvements will yield a measurable reduction in: the number of information incidents your enterprise suffers; the probability of your enterprise suffering a MAJOR incident; financial loss caused by incidents (ie your enterprise’s annual ‘cost of insecurity’).

A structured approach will help you bring a key component of business risk under control, enterprise-wide constructively and economically:

Demonstrable improvement in corporate governance

Efficient way of achieving compliance

Savings and efficiency gains that improve your bottom line

Knowing you’ve got a grip on a key area of risk

Page 24

Questions?

Contact details: Simon Oxley, Citicus Limited, Holborn Gate, 330 High Holborn, London WC1V 7QT.

[email protected]

Web: www.citicus.com

Tel: +44 (0)20 7203 8405