IT Risk Management

Tudor Damian

IT Solutions Specialist
CEH, Hyper-V MVP
tudy.tel

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Many thanks to our sponsors & partners!

PLATINUM

GOLD

SILVER

PARTNERS

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Agenda
• IT risk overview
• COBIT & Risk IT framework
– Risk Governance
• Risk Appetite and Risk Tolerance
– Risk Evaluation
– Risk Response
• IT risk management as a continuous process

• Sources:
Community Conference for IT Professionals @ITCAMPRO #ITCAMP15
 Image source: coolrisk.com / Artist: Michael Mittag

Business risk related to the use of IT

IT RISK OVERVIEW

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Information as a key resource
• We create information
• We use and store information
• We destroy information
• Technology creates opportunities
– Business, education, government, sales of real and
electronic goods, e-health, etc.

• IT plays an essential role in these activities

– Part of its duty is to protect these information assets
Community Conference for IT Professionals @ITCAMPRO #ITCAMP15
IT risk is business risk
• Email passwords may be disclosed
• Facebook accounts may be used by someone else
• Credit card information may be disclosed
• Customer information may be stolen
• IT service delivery to customers may be poor
• IT systems may be obsolete
• IT projects may be late or fail
• IT systems do not provide any business benefit
• Risk of non-compliance with the regulator
• Own people may harm the systems

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Opportunity vs. Risk
• Opportunity and Risk - two sides of the same coin
– Those who manage risk, succeed
– Those who do not, fail
• Risk is inherent to every enterprise
• You don’t really have a choice: every decision taken,
every strategy chosen, carries a certain risk

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

The impact of IT risk
• No organization is unaffected
• Businesses are disrupted
• Privacy is violated
• Organizations suffer direct financial loss
• Reputation is damaged

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk vs. Investment – an easy decision (?)

High Risk Low Risk

Low Cost High Cost

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Some statistics
• 87% of small business and 93% of larger organizations
experienced a security breach in the last year alone
• 85% of breaches took weeks to discover
• 96% of breaches were not highly difficult
• 97% of breaches were avoidable through simple or
intermediate controls
• 57% of EU incidents were caused by administrative error,
missing hardware, exposed online, or stolen by insiders

Sources: Center for Media, Data and Society (CMDS) / Verizon / UK Government, Department for Business, Innovation and Skills (BIS)

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Timeline of discovery for cyber attacks (2013)
Years, 5% Hours, 9%

Days, 8%

Weeks, 16%

Months, 62%

Hours Days Weeks Months Years

Source: Verizon

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Cyber crime attacks experienced by US companies (June 2014)

DENIAL OF SERVICE 34%

STOLEN SERVICES 37%

MALICIOUS INSIDERS 41%

PHISHING AND SOCIAL ENGINEERING 44%

MALICIOUS CODE 46%

WEB-BASED ATTACKS 61%

BOTNETS 76%

MALWARE 97%

VIRUSES, WORMS, TROJANS 100%

Sources: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Some more statistics

Ponemon Institute 2011 Cost of Data Breach Study: United States
Verizon 2012 Data Breach Investigations Report
Sources: Reuters, http://reut.rs/zzrcec
Symantec Internal Threat Report 17
WIRED, http://www.wired.com/threatlevel/2012/05/flame/all/1
European Commission-Justice, Data Protection
Ponemon Institute Second Annual Benchmark Study on Patient
Privacy and Data Security
ISACA 2011 Top Business/Technology Issues Survey
Symantec 2012 SMB Disaster Preparedness Survey
Ponemon Institute True Cost of Compliance Report
Thomson Reuters State of Regulatory Reform 2012
eWeek, http://www.eweek.com/c/a/IT-Infrastructure/Unplanned-IT-
Downtime-
Can-Cost-5K-Per-Minute-Report-549007/

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Even more statistics

Ponemon Institute 2011 Cost of Data Breach Study: United States
Verizon 2012 Data Breach Investigations Report
Sources: Reuters, http://reut.rs/zzrcec
Symantec Internal Threat Report 17
WIRED, http://www.wired.com/threatlevel/2012/05/flame/all/1
European Commission-Justice, Data Protection
Ponemon Institute Second Annual Benchmark Study on Patient
Privacy and Data Security
ISACA 2011 Top Business/Technology Issues Survey
Symantec 2012 SMB Disaster Preparedness Survey
Ponemon Institute True Cost of Compliance Report
Thomson Reuters State of Regulatory Reform 2012
eWeek, http://www.eweek.com/c/a/IT-Infrastructure/Unplanned-IT-
Downtime-
Can-Cost-5K-Per-Minute-Report-549007/

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Statistics overload

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

How is IT Risk ideally handled?

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

www.isaca.org/cobit

COBIT® AND RISK IT FRAMEWORKS

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Why use best practices / frameworks?
• Better accountability and responsibility (ownership)
– You get out of the blame game
• Better management
• Better benefits from IT investments
• Better compliance
• Better monitoring
• Easily compare yourself with others

• Everybody’s doing it anyway

– ITIL, ISO 27001/2, COSO ERM, PRINCE2, PMBOK, Six Sigma, TOGAF, etc.

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

IT risk in the enterprise risk hierarchy

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Overview – COBIT®, Risk IT and Val IT

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

COBIT®
• A comprehensive IT governance and management framework
• Addresses every aspect of IT
• Ensures clear ownership and responsibilities
• A common language for all
• Improves IT efficiency and effectiveness
• Better management of IT investments
• Ensures compliance

• A complementary copy is available:

– www.isaca.org/cobit

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

COBIT® coverage
• Strategic IT Plan •Acquire & Maintain
• Manage IT Investment Application Software
•Acquire and Maintain
• Manage IT Human
Technology Infrastructure
Resources
•Manage Changes
• Manage IT Risks
• Manage Projects

PLAN & ACQUIRE &

ORGANIZE IMPLEMENT

MONITOR& DELIVERY &

EVALUATE SUPPORT
•Monitor and Evaluate IT •Manage 3rd-party Services
Performance •Ensure Continuous Service
•Monitor and Evaluate •Ensure Systems Security
Internal Control •Manage Incidents
•Ensure Compliance •Manage Data & Operations
•Provide IT Governance

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk IT
• Framework for effective management of IT risk
• Complements COBIT®
– COBIT® provides a set of controls to mitigate IT risk
– Risk IT provides a framework for enterprises to identify, govern and manage IT risk
• Enterprises who have adopted COBIT® can use Risk IT to enhance risk
management
• Integrates the management of IT risk into the overall enterprise risk
management (ERM) of the organization
• Helps management make well-informed decisions about the extent of the
risk, the risk appetite and the risk tolerance of the enterprise
• Helps management understand how to respond to risk

• Available for ISACA members:

– http://isaca.org/RiskIT

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk IT principles
• Always connects to business objectives
• Aligns the management of IT-related business risk with
overall enterprise risk management (ERM) - if applicable
• Balances the costs and benefits of managing IT risk
• Promotes fair and open communication of IT risk
• Establishes the right tone from the top while defining and
enforcing personal accountability for operating within
acceptable and well-defined tolerance levels
• Is a continuous process and part of daily activities
Community Conference for IT Professionals @ITCAMPRO #ITCAMP15
Managing and understanding IT risk
• To prioritize and manage IT risk, management needs a
clear understanding of the IT function and IT risk
– Key stakeholders often do not have a full understanding
• IT risk is not just a technical issue
– IT experts help to understand and manage aspects of IT risk
– Business management is still the most important stakeholder
• Business managers determine what IT needs to do to
support their business
– They set the targets for IT
– They are accountable for managing the associated risks

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk IT process model
1. Define a risk universe and scoping risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk
indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context,
frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental
risk factors
6. Risk response and prioritization
7. A risk analysis workflow: “swim lane” flow chart, including role
context
8. IT risk mitigation using COBIT and Val IT

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk IT publications
• Risk IT Framework
– A set of governance practices for risk management
– An end-to-end process framework for successful IT risk management
– A generic list of common, potentially adverse, IT-related risk scenarios
– Tools and techniques to understand concrete risks to business operations

• Risk IT Practitioner Guide

– Support document for the Risk IT framework
– Provides examples of possible techniques to address IT-related risk issues
– Building scenarios, based on a set of generic IT risk scenarios
– Building risk maps, techniques to describe scenario impact and frequency
– Building impact criteria with business relevance
– Defining KRIs (Key Risk Indicators)

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk management frameworks and standards compared

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

RACI charts – IT risk example

Business Process

Compliance and
Enterprise Risk

Management

Risk Control
Committee

Functions
Business

Owner
Board

Audit
CRO
CEO

CFO
CIO

HR
Key activities / Roles

Define IT risk analysis scope I R C I C A R C C

Estimate IT risk I R C C I A/R R R C
Identify risk response options C C C R A R R I
Perform a peer review of IT analysis A/R I I I
Perform enterprise IT risk assessment I A R R C I R C R C C
Propose IT risk tolerance thresholds I I C R C I A C C C
Approve IT risk tolerance A C C C C R C C C C C
Assign IT risk policy C A R R R C R R R R C
Promote IT risk-aware culture A R R R R R R R R R R
Encourage effective communication of IT risk R R R R R R A R R R R

A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

RISK GOVERNANCE

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk governance, evaluation and response
• Risk Governance
– Establish and Maintain a Common Risk View
– Integrate with Enterprise Risk Management (ERM)
– Make Risk-aware Business Decisions

• Risk Evaluation
– Collect Data
– Analyze Risk
– Maintain Risk Profile

• Risk Response
– Articulate Risk
– Manage Risk
– React to Events

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

IT Risk Management Responsibilities and Accountability

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

RISK APPETITE AND RISK TOLERANCE

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk Appetite and Risk Tolerance
• Risk Appetite: the amount of risk an entity is prepared to
accept when trying to achieve its objectives
– Defining factors:
• The enterprise’s objective capacity to absorb loss (e.g., financial loss,
reputation damage)
• The (management) culture or predisposition towards risk taking -
cautious or aggressive (i.e. what is the amount of loss the enterprise
wants to accept to pursue a return?)
• Risk Tolerance: the tolerable deviation from the level set by
the risk appetite and business objectives
– e.g., standards require projects to be completed within estimated
budgets and time, but overruns of 10 percent of budget or 20
percent of time are tolerated

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk map

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Sample risk scenarios and risk appetite

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Elements of risk culture

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

RISK EVALUATION

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Expressing IT risk in business terms

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

IT scenario development

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

IT risk scenario components

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

RISK RESPONSE

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk response overview
• Identify Key Risk Indicators based on:
– Impact
– Effort to implement, measure and report
– Reliability
– Sensitivity

• Decide on best response to risk

– Avoidance
– Reduction/Mitigation
– Sharing/Transfer
– Acceptance

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

IT RISK AS A CONTINUOUS PROCESS

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Risk IT maturity model

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Defining goals and metrics - example

Business Process Activity

IT Goals
Goals Goals Goal

Reduce Understand
Maintain IT can resist to
unauthorized vulnerabilities
reputation an attack
access and threats

Number of incidents with Number of incidents with Number of incidents caused

Frequency of review
public embarrassment business impact by unauthorized access

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

SUMMARY

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Summary
• Use best practices (such as COBIT®) to minimize IT Risks
• Start with basic processes
• Form a high level IT Strategy Committee
• Formulate and implement IT Strategic Plan and IT policies
• Allocate resources (budget, people, infrastructure)
• Assign roles and responsibilities, authority and
accountability (using RACI chart)
• Make IT a regular item on the board agenda
• Regularly assess, review and monitor IT Risks

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

 Image source: coolrisk.com / Artist: Michael Mittag

Q&A

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15

Thank you!

Tudor Damian

IT Solutions Specialist
CEH, Hyper-V MVP
tudy.tel

Community Conference for IT Professionals @ITCAMPRO #ITCAMP15