Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved.
Risk Management: What Works
The Main Event: 2nd Annual GRC Symposium
May 16, 2012
Brookfield, Wisconsin.
Mark T. Chapman, CISSP, CISM, CRISC
Chapman Technology Group, Inc.
www.PhishLine.com
mchapman @ phishline.com
In theory, Risk Management should be easy. Identify critical assets, consider potential risks, evaluate mitigating factors, measure results, take action, and repeat.
In practice, many organizations struggle with the basic terms and concepts. For those who master the concepts, the “exponentially increasing complexity” of risk management efforts can quickly overwhelm organizations of every size.
Risk Assessment for a Television Interview
I primarily didn’t want to:
• Look like an idiot.
• Get sued for saying or doing anything dumb.
Secondarily, I didn’t want to:
• Be rushed to get there or be late.

Preemptive Mitigation for a Television Interview
• Extra suit in the car.
• Extra laptop.
• Charge cellphone and laptops.
• Practice the demo.
• Gas up the car the night before.
• Leave the house early.

Unanticipated Risks for a Television Interview
• The required cell phone was completely discharged 2 hours before the shooting.
• I almost tripped on a lighting cable in the studio.

Damage Assessment for a Television Interview
Financial Loss:
While shooting the in-the-field portion of the story, I got a parking ticket!
The Risk Management Cube (diagram: a cube with one axis per dimension)
Risk Area: Financial Loss, Strategic Harm, Reputation Damage, Technical Breaches, Compliance Failure
Threat Source: Evil Doers, Competitors, Natural Disaster, Employees, Technology
Category: Confidentiality, Integrity, Availability, Liability, Policy

Walk-through (a sequence of slides narrowing the cube one dimension at a time):
1. Select the Risk Area “Reputation Damage”.
2. Within it, select the Threat Source “Employees”.
3. Within that, select the Category “Liability”.
4. Read the three projected pair values off the faces of the cube:
   (Reputation Damage, Employees) = 5
   (Reputation Damage, Liability) = 3
   (Employees, Liability) = 1
This “Cublet” is the intersection of one specific Risk Area, Threat Source, and Category.
Its score is computed from the three projected (pairwise) values:
Score(Reputation Damage, Employees, Liability) = Function(1, 3, 5)
Did the “formal process” help?
• Preemptive Mitigation?
• Unanticipated Risks?
• Damage Assessment?
• Why or Why Not?

• People manage risk ALL THE TIME.
• Companies manage risks ALL THE TIME.
• It should feel natural and logical.
• And, Risk Management should ALWAYS pass the “Common Sense” test.
What Works!

High-Level Approach – PUSH
• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

The PUSH Approach was first presented to the FFIEC Information Technology Conference by Mark Chapman in 2007.
Preparation
• Earn Management Buy-In
• Decide to In-Source or Outsource
• Anticipate the Benefits
• Identify the Specific Purpose
• Evaluate Automation Options

Earn Management Buy-In
Motivators:
• Compliance / Fear
• Means to justify other initiatives
• New Management Eager to Learn
• “True Believers”
Challenges:
• “It costs money”
• “I already know the risks better than anyone”
• “We have more important things to do”
Results:
1. Go through the motions
2. Do it right

In-Source or Outsource?
• Current Capability
  – Do we have the capability, or can we train in-house?
  – Can we identify a firm with independent, knowledgeable and sufficient resources?
• Future Capability
  – Turnover of trained employees
  – Dependence on consultants

Anticipated Benefits
• To learn something new
• To validate or quantify a concern
• To standardize communication of risk
• To establish a common language and tools
• To satisfy the auditors

Specific Purpose
• Audit Planning
• Budgeting
• Compliance
• Disaster Recovery
• Policy Writing
• Risk Management
• Remediation
• Vendor Selection

Hint: You must understand the specific purpose of the risk management project.

Automation
• Paper
• Excel / Word
• Specialized Software
Universe Definition
• Goal: To Define an Appropriate Universe for the Size and Complexity of the Institution
• Choose the Number of “Dimensions”: Assets, Risks, Controls
• For Each Dimension:
  – Define Scope, Granularity, Level of Detail
  – Populate the Universe
Risk Assessment Math: It Seems Easy!
• Assets – “Valuables” which must be protected
• Risks – “Bad things” that could happen to “Valuables”
• Controls – “Mitigating Factors” to limit the impact of “Bad Things”

Why is it so Difficult to Implement?
• 50 Assets × 50 Risks × 50 Controls = 125,000 Combinations!
• 600 Assets × 70 Risks = 42,000 Combinations before we even get to controls!
Risk Management Universe (diagram: a cube with axes Assets, Risks, Controls)
3 Dimensions*
• Assets
• Risks
• Controls
* Technically, there is a fourth dimension. Instead of “Time” it is “Testing”, which gets into Risk Monitoring.

How Many Dimensions? (2-Dimensional Example)
Table: Scope | Assets | Risks | Controls (each scope is marked with the dimensions it uses)
• Business Impact Analysis
• Inherent Risk Assessment
• Risk-Based Audit Plan
• Disaster Recovery Plan
• Risk-Based Audit
Asset Universe
Scope: Business Functions, Fixed-Assets, Strategies, Brands, Contracts, Cash, Intellectual Property, Products, People
Granularity (how many levels of assets do we want to consider?): Buildings → Rooms → Individual Bricks
Detail (how much information do we want to understand for each asset?): Asset Type, Asset Owner, Importance, Dependencies

Assets – Level of Detail
Determine the attributes to characterize assets.
Hint: Keep the list small and add as needed.

Assets – Documentation*
Take the opportunity to centralize asset documentation:
• Pictures, Diagrams, Schematics, Building Plans
• Policies, Procedures
• Contracts, Licenses, Vendor Data
• Phone #’s, Key Contacts, Password Escrow
* Do the same thing for Risks and Controls.
Example #1: Keep pictures of fire suppression, power and other critical infrastructure.
Example #2: Attach pictures of bad check writers.
Risk Universe
Scope: Power Outage, Pandemics, Water Damage, Fraud, Computer Hacking, Employee Turnover, Tampering
Granularity (how many levels of risks do we want to consider?): City-Wide Blackout → Accidental Power Disconnect → Mouse Chews Through Power Cord
Detail (how much information do we want to understand for each risk?): Risk Type, Threat Source, Likelihood, Impact

Risks – Level of Detail
Determine the attributes to characterize risks.
Hint: Keep the list small and add as needed.
Controls Universe
Scope: Financial, Physical, Technological, Reputation, Legal, Insurance
Granularity (how many levels of controls do we want to consider?): Use a Framework → Individual “Bricks”
Detail (how much information do we want to understand for each control?): Control Owner, Effectiveness, Compliance Info, Assessment Criteria

Controls – Level of Detail
Determine the attributes to characterize controls.
Hint: Keep the list small and add as needed.
Scoring
• Choose Scale
• Normalize
• Prioritize and Trim
• Associate
• Adjust Compound Scores

Choose Scale
Define a consistent scale.
• Numeric: (1-5), (0.0-1.0), (1-3), (0%-100%)
• Descriptive: (Low, Med, High), (Nice-To-Have, Normal, Critical)

Normalize
Set the Relative Importance of:
• Risks with respect to other Risks
• Assets with respect to other Assets
• Controls with respect to other Controls

Prioritize and Trim
Goal: To combat the natural exponential growth of assessment efforts by reducing the number of low-priority assets, risks and controls.
Approach: Select a threshold for exclusion from further risk assessment efforts, documenting the decision. Retain all excluded data to accommodate priority changes and to reduce duplicate analysis next time.

Associate
1. Be Selective
2. Use Common Sense
3. Document Reasons for Exceptions

Adjust Compound Scores
Use the Initial Scores, with Few Documented Exceptions.
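The cube walk-through earlier in the deck (the cublet Reputation Damage × Employees × Liability, scored from its three projected pair values) and the Scoring steps above (Choose Scale, Normalize, Prioritize and Trim, Associate, Adjust Compound Scores) can be run end to end on a toy universe. The Python below is an added example, not code from the slides or from Chapman Technology Group. The universe, the raw importance numbers, the pair scores and the threshold are constructed for illustration, and because the slides leave Function() undefined, the geometric mean used here to combine a cublet's three projected values is an assumption.

```python
"""Added example (not from the slides): a miniature PUSH scoring pass.

The universe, raw importance numbers, pair ("face") scores and threshold are
constructed.  The slides do not define Function(); the geometric mean used to
combine a cublet's three projected values is an ASSUMPTION.
"""
from itertools import product
from math import prod

SCALE = (1.0, 5.0)  # chosen scale: 1 = negligible, 5 = critical

# Constructed raw relative-importance numbers, one per item in each dimension.
RAW_AREAS = {"Reputation Damage": 9, "Financial Loss": 8, "Strategic Harm": 4, "Compliance Failure": 2}
RAW_SOURCES = {"Employees": 7, "Evil Doers": 9, "Competitors": 3, "Natural Disaster": 5}
RAW_CATEGORIES = {"Liability": 6, "Confidentiality": 9, "Availability": 4, "Policy": 2}

# Constructed projected pair scores.  Only deliberately associated pairs are
# listed (Be Selective); a pair absent from this table is "not associated".
FACES = {
    frozenset({"Reputation Damage", "Employees"}): 5,   # the slide's walk-through
    frozenset({"Reputation Damage", "Liability"}): 3,
    frozenset({"Employees", "Liability"}): 1,
    frozenset({"Financial Loss", "Evil Doers"}): 5,
    frozenset({"Financial Loss", "Confidentiality"}): 4,
    frozenset({"Evil Doers", "Confidentiality"}): 5,
}


def normalize(raw, scale=SCALE):
    """Min-max rescale one dimension's raw numbers onto the chosen scale."""
    lo, hi = min(raw.values()), max(raw.values())
    s_lo, s_hi = scale
    if hi == lo:  # every item equally important: nothing to rank
        return {k: s_hi for k in raw}
    return {k: round(s_lo + (v - lo) * (s_hi - s_lo) / (hi - lo), 1)
            for k, v in raw.items()}


def prioritize_and_trim(scores, threshold):
    """Split one dimension into kept and excluded items.

    Excluded items are returned rather than discarded, so the decision is
    documented and the data is still there when priorities change next time."""
    kept = {k: v for k, v in scores.items() if v >= threshold}
    excluded = {k: v for k, v in scores.items() if v < threshold}
    return kept, excluded


def cublet_score(projections):
    """Combine a cublet's three projected pair scores into one score.

    ASSUMPTION: geometric mean, so one weak pair pulls the whole cublet down."""
    return round(prod(projections) ** (1.0 / len(projections)), 1)


def score_universe(areas, sources, categories, faces):
    """Score every (Risk Area, Threat Source, Category) cublet whose three
    faces are all associated; return the scores and the skipped cublets."""
    scored, skipped = {}, []
    for a, s, c in product(areas, sources, categories):
        pairs = [frozenset({a, s}), frozenset({a, c}), frozenset({s, c})]
        if all(p in faces for p in pairs):
            scored[(a, s, c)] = cublet_score([faces[p] for p in pairs])
        else:
            skipped.append((a, s, c))
    return scored, skipped


def run_example(threshold=2.0):
    """Normalize, trim, associate and score the constructed universe."""
    dims = [normalize(RAW_AREAS), normalize(RAW_SOURCES), normalize(RAW_CATEGORIES)]
    kept, excluded = zip(*(prioritize_and_trim(d, threshold) for d in dims))
    scored, skipped = score_universe(*kept, FACES)
    return {
        "combinations_before": prod(len(d) for d in dims),
        "combinations_after": prod(len(k) for k in kept),
        "excluded": excluded,  # retained for the next assessment, not deleted
        "scored": scored,
        "skipped": len(skipped),
    }


if __name__ == "__main__":
    result = run_example()
    print(result["combinations_before"], "->", result["combinations_after"],
          "combinations after trimming;", result["skipped"], "cublets not associated")
    for cublet, score in sorted(result["scored"].items(), key=lambda kv: -kv[1]):
        print(score, cublet)
```

Run as written, it reports 64 combinations before trimming and 27 after, and only two of those 27 cublets have all three faces associated. The slide's cublet scores 2.5: its (Employees, Liability) value of 1 drags it well below the 5 and 3 on its other faces, which is exactly the effect the geometric-mean choice makes visible. If your institution's scale reads better with a sum or an average, change only cublet_score().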
Hitting the Mark
• Evaluate Intended Specific Purpose
• Write the “Final Report”
• Track Actions Over Time
• Evaluate Project Effectiveness

Intended Specific Purpose
Risk Management can only “Hit the Mark” if it serves a purpose:
– Audit Planning
– Budgeting
– Compliance
– Disaster Planning
– Policy Writing
– Risk Management
– Remediation
– Vendor Selection

Flowchart (purpose: Audit Planning):
Inventory Assets → Characterize Assets → Advance Important Items → Identify Raw Risks → Consider Mitigating Factors → Calculate Residual Risk Exposure → Advance Areas of Higher Risk → Create Audit Plan → Create Audit Program

Write the “Final Report”
• Do not
  – Put too much emphasis on the final deliverable
  – Think “bigger is better”
• Do focus on
  – Process used (brief)
  – Discoveries
  – Trends
  – Actions (proposed, planned or completed)
Manage Observations/Findings
Evaluate Effectiveness
• What did you learn through the process?
• What unexpected benefits did you realize?
• How did you keep the process from getting too detailed or out of control?
• How can you improve the process next time?
• These charts look scientific and absolute: how did you handle the inherent subjectivity?
• Did you achieve your objectives?

Additional Considerations
• Risk Tolerance
• Trending
• Monitoring
• Disaster Recovery Planning
• Monte Carlo Simulations
• Surveys
• Testing
Conclusion - PUSH™
• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

1. Identify what you want to protect (Assets), what bad things could happen (Risks), and the Mitigating Factors (Controls).
2. Look at what has changed since the last assessment (Business/Technical Changes, Audit Findings, Incidents, Remediation Activities, Regulatory Changes).
3. Communicate.
Risk Assessment for a Presentation to ISACA
I didn’t want to…
• Look like an idiot.
• Go over/under time too much.
Thank You!
mchapman @ phishline.com
262.546.1867 ext. 7010