
A CobiT Case Study Drawing on CobiT for the implementation of an Enterprise Risk Management Framework

December 2008
Presenter: Clive E. Waugh, CISSP, C/EH

Clive E. Waugh CISSP, C/EH

Risk Management Framework Objectives

CobiT provided guidance with essential framework elements:

- Governance
- Strategic Alignment
- Business Focus
- Control Objectives
- Establishment of Risk Appetite
- Assessment and Management of Risks
- Performance Management

CobiT Case Study: The framework in practice

The framework in practice: 4 Domains

CobiT Framework is comprised of 4 Domains, 34 Processes, 200 Control Objectives.

Plan and Organize Processes
- PO1 – Define a Strategic IT Plan
- PO2 – Define the Information Architecture
- PO4 – Define Organization and Relationships
- PO6 – Communicate Management Aims and Direction
- PO9 – Assess and Manage IT Risks
- PO10 – Manage Projects

Acquire and Implement Processes
- AI2 – Acquire and Maintain Application Software

Deliver and Support Processes
- DS2 – Manage Third-party Services
- DS4 – Ensure Continuous Service
- DS5 – Ensure Systems Security

Monitor and Evaluate Processes
- ME1 – Monitor and Evaluate IT Performance
- ME2 – Monitor and Evaluate Internal Control
- ME4 – Provide IT Governance

The framework in practice: Plan & Organize

Plan and Organize process description:

PO1 – Define a Strategic IT Plan
- PO1.2 – Business-IT Alignment – Strategic Alignment

PO2 – Define the Information Architecture
- PO2.2 – Data Classification Scheme

PO4 – Define the Organization & Relationships
- PO4.8 – Responsibility for Risks, Security & Compliance
- PO4.15 – Relationships

PO6 – Communicate Management Aims & Direction
- PO6.2 – Enterprise IT Risk and Control Framework – Risk Management Framework

The framework in practice: Plan & Organize

Plan and Organize process description continued:

PO9 – Assess and Manage IT Risks
- PO9.1 – IT Risk Management Framework
- PO9.2 – Establishment of Risk Context
- PO9.3 – Event Identification
- PO9.4 – Risk Assessment
- PO9.5 – Risk Response
- PO9.6 – Maintenance & Monitoring of a Risk Action Plan

PO10 – Manage Projects
- PO10.3 – Project Management Approach
- PO10.4 – Stakeholder Commitment
- PO10.9 – Project Risk Management
- PO10.13 – Project Performance Measurement, Reporting & Monitoring

The framework in practice: Acquire & Implement

Acquire and Implement process description:

AI2 – Acquire and Maintain Application Software
- AI2.4 – Application Security and Availability – SDLC integration

The framework in practice: Deliver & Support

Deliver and Support process description:

DS2 – Manage Third-party Services
- DS2.3 – Supplier Risk Management – Vendor Assessments

DS4 – Ensure Continuous Service
- DS4.2 – IT Continuity Plans – BIA & Risk Assessment

DS5 – Ensure Systems Security
- DS5.5 – Security Testing, Surveillance & Monitoring – Regular Vulnerability Assessments

The framework in practice: Monitor & Evaluate

Monitor and Evaluate process description:

ME1 – Monitor & Evaluate IT Performance
- ME1.5 – Board and Executive Reporting
- ME1.6 – Remedial Actions

ME2 – Monitor & Evaluate Internal Control
- ME2.3 – Control Exceptions
- ME2.4 – Control Self-assessment
- ME2.5 – Assurance of Internal Control
- ME2.6 – Internal Control at Third Parties
- ME2.7 – Remedial Actions

ME4 – Provide IT Governance
- ME4.1 – Establishment of an IT Governance Framework
- ME4.2 – Strategic Alignment
- ME4.5 – Risk Management

The framework in practice: RM Functions

Four main Risk Management Functions:

- Risk Cataloging
- Risk Reporting
- Remediation Planning
- Risk Acceptance Handling

Risk Cataloging – Process Flow

[Process flow diagram; labels recovered from the figure:]

Risk sources: Internal audit, External audit, Security audit, Customer, Other

Risk Mgmt Dept: Initial Risk Assmt. – rates each risk Critical, High, Medium or Low
- Immediate (Critical): Dept leaders immediately address risk
- Queued (High, Medium, Low): Weekly Prioritization by Group and Segment Leaders / Group Leaders (SMT)

Output: Documented, prioritized risks, held in the Risk Repository

Senior BU Leaders: Confirms Details As Documented

Risk Cataloging – Overview of Prioritization Standards

- Risk Prioritization Sessions are conducted on a weekly basis
- Risk Prioritization Committee membership consists of Risk Management Dept management staff
- Risk Prioritization Standards are as follows:
  1) Risks are first ranked into quadrants as follows (definitions on subsequent slides): a) Critical, b) High, c) Medium, d) Low
  2) Risks within High and Medium quadrants are then force ranked by business unit, from highest risk to lowest.

Risk Cataloging – Risk Management Dept Role

Risk Management Department’s role in cataloging risk:

1) Escalates Critical risks immediately
2) Queues non-Critical risks for review by Ops-Security mgt during regular prioritization sessions
3) Captures risk data including description, impact, likelihood, BU ownership, priority, ranking
4) Proposes strategies for the remediation of immediate risk, and of root cause
5) Educates Business Unit and requests confirmation of risk details as documented.

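As an added illustration (not code from the presentation or from the organisation it describes), the following Python sketch implements the cataloging steps from the two slides above: each risk is placed in a quadrant, Critical risks are escalated immediately, everything else is queued for the weekly prioritization session, High and Medium risks are force ranked within each business unit, and the captured fields (description, impact, likelihood, BU ownership, priority, ranking) are emitted as a repository record. The deck's quadrant definitions are on slides not reproduced here, so the 1-to-5 impact and likelihood scales, the score thresholds and the use of impact × likelihood as the ranking key are assumptions; the sample risks are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Quadrant order used for force ranking: High is listed before Medium within a BU.
QUADRANTS = ("Critical", "High", "Medium", "Low")


@dataclass
class Risk:
    """One cataloged risk. Field set follows the RM Dept role slide:
    description, impact, likelihood, BU ownership, priority (quadrant), ranking."""
    description: str
    impact: int            # assumed scale: 1 (negligible) .. 5 (severe)
    likelihood: int        # assumed scale: 1 (rare) .. 5 (almost certain)
    business_unit: str
    source: str            # Internal audit, External audit, Security audit, Customer, Other
    quadrant: str = ""     # filled in by catalog()
    rank: int = 0          # force rank within the BU (1 = highest); 0 = not force ranked

    @property
    def score(self) -> int:
        # Assumed ranking key: impact x likelihood, range 1..25.
        return self.impact * self.likelihood


def assign_quadrant(risk: Risk) -> str:
    """Step 1 of the standard: place the risk in a quadrant.
    The thresholds are assumptions standing in for the deck's own definitions."""
    if risk.score >= 20:
        return "Critical"
    if risk.score >= 12:
        return "High"
    if risk.score >= 6:
        return "Medium"
    return "Low"


def catalog(risks: List[Risk]) -> Tuple[List[Risk], List[Risk]]:
    """Returns (escalated, queued). Critical risks go straight to escalation;
    all others are queued for the weekly prioritization session, where High and
    Medium risks are force ranked per business unit (High first, then highest
    score to lowest). Low risks are queued but not force ranked."""
    escalated: List[Risk] = []
    queued: List[Risk] = []
    for risk in risks:
        risk.quadrant = assign_quadrant(risk)
        (escalated if risk.quadrant == "Critical" else queued).append(risk)

    by_bu: Dict[str, List[Risk]] = {}
    for risk in queued:
        if risk.quadrant in ("High", "Medium"):
            by_bu.setdefault(risk.business_unit, []).append(risk)
    for bu_risks in by_bu.values():
        bu_risks.sort(key=lambda r: (QUADRANTS.index(r.quadrant), -r.score))
        for position, risk in enumerate(bu_risks, start=1):
            risk.rank = position
    return escalated, queued


def to_record(risk: Risk) -> dict:
    """The data the RM Dept captures in the risk repository for one risk."""
    return {
        "description": risk.description,
        "impact": risk.impact,
        "likelihood": risk.likelihood,
        "bu_ownership": risk.business_unit,
        "priority": risk.quadrant,
        "ranking": risk.rank,
        "source": risk.source,
    }


def sample_risks() -> List[Risk]:
    """Constructed sample input for the demonstration; not from the presentation."""
    return [
        Risk("Internet-facing server missing vendor patches", 5, 5, "Payments", "Security audit"),
        Risk("Shared administrator account on file server", 4, 4, "Payments", "Internal audit"),
        Risk("Supplier has no completed security assessment", 3, 3, "Procurement", "Other"),
        Risk("Backup restore procedure never exercised", 5, 3, "Payments", "External audit"),
        Risk("Guest Wi-Fi password unchanged for years", 2, 2, "Facilities", "Customer"),
        Risk("Log retention shorter than policy requires", 3, 2, "Payments", "Internal audit"),
    ]


def catalog_sample() -> Tuple[List[Risk], List[Risk]]:
    """Runs the cataloging step over fresh copies of the constructed sample."""
    return catalog(sample_risks())


if __name__ == "__main__":
    escalated, queued = catalog_sample()
    print("Escalate immediately:")
    for r in escalated:
        print("  ", to_record(r))
    print("Queued for weekly prioritization:")
    for r in sorted(queued, key=lambda r: (r.business_unit, r.rank or 99)):
        print("  ", to_record(r))
```

Running the block lists the one Critical sample risk under "Escalate immediately" and the other five under the queue, with the Payments unit's two High risks ranked 1 and 2 ahead of its Medium risk at 3; the Low risk keeps rank 0 because the standard only force ranks High and Medium.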

Risk Cataloging – Business Unit Role

Business Unit’s role in cataloging risk: Both the Business Unit Manager and designated Risk Management Coordinator for the BU are:

1) Informed of new risks by RM department as they are cataloged
2) Reviews and acknowledges documented risk details.

Risk Reporting – Process Flow

[Process flow diagram; labels recovered from the figure:]

Risk Mgmt Dept: Reports Actionable Data; receives changes in status / nature of risk from the BU

BU Mgr And Coordinator: receives Top Risks / Metrics – Understands Risk; returns changes in status / nature of risk

Risk Mgt Cmmte: receives Top Risks / Metrics – Understands Risk

Board: receives Top Risks / Metrics – Understands Risk

Risk Reporting – Risk Management Dept Role

Risk Management Department’s role in the risk reporting process:

1) Briefs BU to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
2) Collects status of BU risk management activity.
3) Briefs Risk Management Committee regularly to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
4) Briefs IFID Board of Directors regularly to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with planned remediation strategies.

Risk Reporting – Business Unit Role

Business Unit’s role in the risk reporting process:

1) Obtains an understanding of the impact and likelihood of failures associated with highest-risk items, along with proposed remediation strategies, for use in BU remediation planning efforts (discussed later).
2) Provides changes in status or nature of risk to Risk Management Department

Risk Reporting – Business Unit Coordinator Defined

- Theme: Each business unit that owns risk drives risk management activity as directed by the business unit manager.
- Accomplished by a coordinator within the business unit, as assigned by business unit management.
- Responsibilities:
  1) Receives the same risk briefings that are delivered to the business unit manager and to the Risk Management Committee.
  2) Reports changes in status or nature of risk to Risk Management Department.
  3) Provides quarterly plans for remediation of risk, as committed to by the business unit manager.
  4) Drives remediation activities as committed to by the business unit manager.

Risk Reporting – Risk Management Committee Role

Risk Management Committee’s role in the risk reporting process:

1) Obtains an understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies, for use in monitoring and directing BU risk management efforts (discussed later).

Remediation Planning – Process Flow

[Process flow diagram; labels recovered from the figure:]

Risk Mgmt Dept: Consults with BU; Ensure impact/likelihood understood

BU Mgr And Coordinator: Understands risk and bus. priorities, proposes plans; Balance risk vs. business priorities

Risk Mgt Cmmte: Understands risk and bus. priorities, approves plans

Remediation Planning – Risk Management Dept Role

Risk Management Department’s role in the remediation planning process:

1) Supports business unit as needed to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.

Remediation Planning – Business Unit Role

Business unit’s role in the remediation planning process:

1) Balances the potential for loss associated with highest known risk items against other known business priorities in an effort to help protect against anticipated loss.
2) Develops and proposes roadmap plan to Risk Management Committee for approval, using a standard format that clearly reflects intended progress against known risks.

Remediation Planning – Risk Mgt Committee Role

Risk Management Committee’s role in the remediation planning process:

1) Consults with Risk Mgt Dept to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
2) Balances the potential for loss associated with highest known risk items against other known business priorities in an effort to protect against anticipated loss.
3) Reviews and approves proposed roadmap plans that clearly reflect intended progress against known risks.

Risk Acceptance Handling – Process Flow

[Process flow diagram; labels recovered from the figure:]

1 – BU Representative: Develop and deliver proposal for acceptance of risk; Risk Mgt Dept: Recommends either acceptance or remediation

2 – BU chain of command: Approves or rejects proposal for acceptance

3 – Risk Mgt Cmmtte: Approves or rejects proposal for acceptance; Balance risk vs. business priorities

Risk Acceptance – Risk Management Dept Role

Risk Management Department’s role in the risk acceptance process:

1) Reviews proposal for acceptance of risk as presented by the business unit that owns the risk.
2) Ensures effective representation of the nature of the risk, including impact and likelihood of related failures.
3) Provides recommendation for either acceptance or remediation of risk for review by the business unit chain of command, and by the Risk Management Committee.
4) Supports Business Unit in escalating through the business unit chain of command, and in presentation to the Risk Management Committee.
5) Records and retains the results of decisions made.

Risk Acceptance – Business Unit Role

Business Unit’s role in the risk acceptance process:

1) Develops proposal for acceptance of risk for review by the Risk Management Department.
2) Escalates proposal for acceptance of risk, including recommendation from the Risk Management Department, through the business unit chain of command. (Uses standard / consistent format)
3) Presents proposal to the Risk Management Committee. (Uses standard / consistent format)

Risk Acceptance – Risk Management Committee Role

Risk Management Committee’s role in the risk acceptance process:

1) Reviews proposal for acceptance of risk as presented by the business unit and Risk Management Department. (Uses standard / consistent format)
2) Votes for either acceptance or remediation of risk.

CobiT Case Study: Documentation

~ Charter ~ Enterprise Risk Management

Enterprise Risk Management Mission Statement
Deliver for our end users secure, always-available service and support in a cost effective manner that builds confidence.

Responsibility
Responsibilities include, but are not limited to, the following activities:
- Contributes to the strategic direction of offerings to customers
- Defining and publishing security policy requirements
- Implementation and maintenance of security infrastructure
- Administering access and privilege
- Security oversight of system and application development
- Security testing of the enterprise infrastructure
- Performing vendor and partner security assessments
- Identifying, prioritizing, managing the status of known risk issues

Authority
The Enterprise Risk Management Operations team is authorized to:
- Publish enterprise-level security policy requirements, and enforce
- Obtain the necessary assistance of personnel from related Business Units
- The Risk Management and Security department’s authority extends to all risks

The Framework in practice – Documentation

Procedures Documentation:
- SOP: Risk Reporting – Risk Management Committee Briefing and Decision Making
- SOP: Division President Briefing and Decision Making
- SOP: Escalation of Issues and Exceptions
- SOP: Business Impact Analysis (BIA)
- SOP: Asset Vulnerability Identification
- SOP: Risk Prioritization, Ranking and Approval
- SOP: Risk Inventory Maintenance
- SOP: Risk Treatment Planning
- SOP: Ongoing Coordination and Status Collection

CobiT Case Study

Questions?