Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved. Risk Management What Works The Main Event 2 nd Annual GRC Symposium May 16, 2012.

Similar presentations


Presentation on theme: "Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved. Risk Management What Works The Main Event 2 nd Annual GRC Symposium May 16, 2012."— Presentation transcript:

1 Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved. Risk Management What Works The Main Event 2 nd Annual GRC Symposium May 16, 2012 Brookfield, Wisconsin. Mark T. Chapman, CISSP, CISM, CRISC Chapman Technology Group, Inc. phishline.com

2 In theory, Risk Management should be easy. Identify critical assets, consider potential risks, evaluate mitigating factors, measure results, take action, and repeat. In practice, many organizations struggle with the basic terms and concepts. For those who master the concepts, the exponentially increasing complexity of risk management efforts can quickly overwhelm organizations of every size.

3 I primarily didnt want to: Look like an idiot. Get sued for saying or doing anything dumb. Secondarily, I didnt want to Be rushed to get there or be late. Risk Assessment for a Television Interview

4 Extra suit in the car. Extra laptop. Charge cellphone and laptops. Practice the demo. Gas up the car the night before. Leave the house early. Preemptive Mitigation for a Television Interview

5 Required Cell phone was completely discharged 2 hours before the shooting. I almost tripped on a lighting cable in the studio. Unanticipated Risks for a Television Interview

6 Financial Loss: While shooting the in-the- field portion of the story, I got a parking ticket ! Damage Assessment for a Television Interview

7 Financial Loss Strategic Harm Reputation Damage Technical Breaches Compliance Failure Evil Doers Competitors Natural Disaster Employees Technology Confidentiality Integrity Availability Liability Policy Risk Area Threat Source Category

8 Financial Loss Strategic Harm Reputation Damage Technical Breaches Compliance Failures Evil Doers Competitors Natural Disaster Employees Technology Confidentiality Integrity Availability Liability Policy Risk Area Threat Source Category

9 Risk Area Threat Source Category

10 Risk Area Threat Source Category Reputation Damage

11 Risk Area Threat Source Category Reputation Damage Employees

12 Risk Area Threat Source Category Reputation Damage Employees Liability

13 Risk Area Threat Source Category Reputation Damage Employees Liability

14 Risk Area Threat Source Category Reputation Damage Employees Liability (Reputation Damage, Employees 5)

15 Risk Area Threat Source Category Reputation Damage Employees Liability (Reputation Damage, Employees 5) (Reputation Damage, Liability 3)

16 Risk Area Threat Source Category Reputation Damage Employees Liability (Reputation Damage, Employees 5) (Reputation Damage, Liability 3) (Employees, Liability 1)

17 Risk Area Threat Source Category Reputation Damage Employees Liability (Reputation Damage, Employees 5) (Reputation Damage, Liability 3) (Employees, Liability 1)

18 Risk Area Threat Source Category Reputation Damage Employees Liability (Reputation Damage, Employees 5) (Reputation Damage, Liability 3) (Employees, Liability 1) This Cublet is a specific Risk Area, Threat Source, and Category. The score is computed by the Projected values. Score(Reputation Damage, Employees, Liability) = Function(1, 3, 5)

19 Preemptive Mitigation? Unanticipated Risks? Damage Assessment? Why or Why Not? Did the formal process help?

20 People manage risk ALL THE TIME. Companies manage risks ALL THE TIME. It should feel natural, logical, And, Risk Management should ALWAYS pass the Common Sense test. What Works!

21 P reparation U niverse Definition S coring H itting the Mark High-Level Approach – PUSH PUSH Approach was first presented to the FFIEC Information Technology Conference by Mark Chapman in 2007.

22 Preparation Earn Management Buy-In Decide to In-Source or Outsource Anticipate the Benefits Identify the Specific Purpose Evaluate Automation Options

23 Earn Management Buy-In Motivators: Compliance / Fear Means to justify other initiatives New Management Eager to Learn True Believers Challenges: It costs money I already know the risks better than anyone We have more important things to do Results: 1.Go through the motions 2.Do it right

24 In-Source or Outsource? Current Capability –Do we have the capability or can we train in-house? –Can we identify a firm with independent, knowledgeable and sufficient resources? Future Capability –Turnover of trained employees –Dependence on consultants

25 Anticipated Benefits To learn something new To validate or quantify a concern To standardize communication of risk To establish common language and tools To satisfy the auditors

26 Specific Purpose Audit Planning Budgeting Compliance Disaster Recovery Policy Writing Risk Management Remediation Vendor Selection Hint: You must understand the specific purpose of the risk management project

27 Automation Paper Excel / Word Specialized Software

28 P reparation U niverse Definition S coring H itting the Mark High-Level Approach - PUSH

29 Universe Definition Goal: –To Define an Appropriate Universe for the Size and Complexity of the Institution Choose the Number of Dimensions –Assets, Risks, Controls For Each Dimension –Define Scope, Granularity, Level of Detail –Populate the Universe

30 Copyright © , Chapman Technology Group, Inc. All Rights Reserved. Risk Assessment Math It seems Easy! Assets – Valuables which must be protected Risks – Bad things that could happen to Valuables Controls – Mitigating Factors to limit impact of Bad Things Why is it so Difficult to Implement? 50 Assets X 50 Risks X 50 Controls = 125,000 Combinations! 600 Assets X 70 Risks = 42,000 Combinations before we get to controls!

31 Copyright © , Chapman Technology Group, Inc. All Rights Reserved. Risk Management Universe Assets Controls Risks 3-Dimensions* Assets Risks Controls * Technically, there is a fourth dimension, Instead of Time it is Testing which gets into Risk Monitoring.

32 2-Dimensional Example

33 How Many Dimensions? ScopeAssetsRisksControls Business Impact Analysis Inherent Risk Assessment Risk-Based Audit Plan Disaster Recovery Plan Risk-Based Audit

34 Asset Universe Granularity How many levels of assets do we want to consider? Buildings Rooms Individual Bricks Detail How much information do we want to understand for each asset? Asset Type Asset Owner Importance Dependencies Scope Business Functions Fixed-Assets Strategies Brands Contracts Cash Intellectual Property Products People

35 Assets - Level of Detail Determine the attributes to characterize assets. Hint: Keep the list small and add as needed.

36 Assets – Documentation* Take the opportunity to centralize asset documentation: Pictures, Diagrams, Schematics, Building Plans Policies, Procedures Contracts, Licenses, Vendor Data Phone #s, Key Contacts, Password Escrow *Do the same thing for Risks and Controls Example #1: Keep pictures of fire suppression, power and other critical infrastructure Example #2: Attach pictures of bad check writers

37 Risk Universe Granularity How many levels of risks do we want to consider? City-Wide Blackout Accidental Power Disconnect Mouse Chews Through Power Cord Detail How much information do we want to understand for each risk? Risk Type Threat Source Likelihood Impact Scope Power Outage Pandemics Water Damage Fraud Computer Hacking Employee Turnover Tampering

38 Risks - Level of Detail Determine the attributes to characterize risks. Hint: Keep the list small and add as needed.

39 Controls Universe Granularity How many levels of controls do we want to consider? Use a Framework Individual Bricks Detail How much information do we want to understand for each control? Control Owner Effectiveness Compliance Info Assessment Criteria Scope Financial Physical Technological Reputation Legal Insurance

40 Controls - Level of Detail Determine the attributes to characterize controls. Hint: Keep the list small and add as needed.

41 P reparation U niverse Definition S coring H itting the Mark High-Level Approach - PUSH

42 Scoring Choose Scale Normalize Prioritize and Trim Associate Adjust Compound Scores

43 Choose Scale Define a consistent scale. Numeric (1-5), ( ), (1-3), (0%-100%) Descriptive (Low, Med, High), (Nice-To-Have, Normal, Critical)

44 Normalize Set the Relative Importance of: Risks with respect to other Risks Assets to other Assets Controls to other Controls

45 Prioritize and Trim Goal: To combat the natural exponential growth of assessment efforts by reducing the number of low- priority assets, risks and controls. Approach: Select a threshold for exclusion from further risk assessment efforts while documenting decision. Retain all excluded data to accommodate priority changes and to reduce duplicate analysis next time.

46 Associate 1.Be Selective 2.Use Common Sense 3.Document Reasons for Exceptions

47 Adjust Compound Scores Use Initial Scores with Few Documented Exceptions.

48 P reparation U niverse Definition S coring H itting the Mark High-Level Approach - PUSH

49 Hitting the Mark Evaluate Intended Specific Purpose Write the Final Report Track Actions Over Time Evaluate Project Effectiveness

50 Intended Specific Purpose The Risk Management can only Hit the Mark if it serves a purpose: –Audit Planning –Budgeting –Compliance –Disaster Planning –Policy Writing –Risk Management –Remediation –Vendor Selection Characterize Assets Identify Raw Risks Consider Mitigating Factors Calculate Residual Risk Exposure Create Audit Plan Create Audit Program Advance Important Items Advance Areas of Higher Risk Inventory Assets

51 Write the Final Report Do not –Put too much emphasis on the final deliverable –Think bigger is better Do focus on –Process used (brief) –Discoveries –Trends –Actions (proposed, planned or completed)

52 Copyright © , Chapman Technology Group, Inc. All Rights Reserved. Manage Observations/Findings

53 Copyright © , Chapman Technology Group, Inc. All Rights Reserved. Manage Observations/Findings

54 Evaluate Effectiveness What did you learn through the process? What unexpected benefits did you realize? How did you keep the process from getting too detailed or out of control? How can you improve the process next time? These charts look scientific and absolute - how did you handle the inherent subjectivity? Did you achieve your objectives?

55 Additional Consideration Risk Tolerance Trending Monitoring Disaster Recovery Planning Monte Carlo Simulations Surveys Testing

56 P reparation U niverse Definition S coring H itting the Mark Conclusion - PUSH

57 1.Identify what you want to protect (Assets). What bad things could happen (Risks). Mitigating Factors (Controls). 2.Look at what has changed since last assessment. (Business/Technical Changes, Audit Findings, Incidents, Remediation Activities, Regulatory Changes.) 3.Communicate. What Works!

58 People manage risk ALL THE TIME. Companies manage risks ALL THE TIME. It should feel natural, logical, And, Risk Management should ALWAYS pass the Common Sense test. What Works!

59 I didnt want to… Look like an idiot. Go over/under time too much. Risk Assessment for a Presentation to ISACA

60 Questions? phishline.com ext. 7010

61 Thank You! phishline.com ext. 7010


Download ppt "Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved. Risk Management What Works The Main Event 2 nd Annual GRC Symposium May 16, 2012."

Similar presentations


Ads by Google