IT Risk Management for Energy Companies

Transcription

1 IT Risk Management for Energy Companies Lars Neupart, Founder & CEO of Neupart, Robert Bursy, Account Manager Neupart D-A-CH

2 About Neupart ISO certified company. IT GRC management solutions All-in-one solution helps organizations manage IT related risks and complex regulatory mandates, risks, compliance, best practices policies and awareness. The ERP of Security Offices in Düsseldorf, Copenhagen, and Washington State. Representatives in many countries Customer portfolio covering a wide range of private enterprises and governmental agencies. BTC is authorized partner

3 300+ Customers

4 Examples Energy & Utility

5 The roots: The ISO standards

6 Solution Areas of SecureAware

7 The news: SecureAware Risk TNG Available Nov 2010 (beta program open now)

8 Why IT Risk Management? Risk is the effect of uncertainty on objectives; positive or negative (ISO 31000). Manage your risks = put yourself in the drivers seat reduce the uncertainty, know where to invest if you want to lower your risk level. Energy & Utility vendors, are now facing targeted attacks such as the Stuxnet worm designed for impacting SCADA systems. IT Risk management shows how much or little - your business depends on your IT systems, and allows you to decide whether to accept or treat risks Compliancerequirements and good practices mandates Risk Management

9 ISO compatible approach Prioritization Proactive Security IT Security Policy Compliance & Awareness Change Management Operating Procedures Access Control Monitoring System Redundancy Firewall Antivirus Reduce Likelihood Incident Likelihood Cost Benefit Analysis Risk Reduce Consequence Incident Consequence Reactive Security IT Service Continuity Teams IT Service Continuity Strategy IT Service Continuity Plans Disaster Recovery Procedures Emergency Operations Flexibility Standby Equipment Virtualization Backup Incident Prevention Preventive Measures Threat Frequency Threat Effect Corrective Measures IT Service Continuity Threats

10 Vulnerability & control environment assessment Preventive Measures Corrective Measures Administrative Measures Logging Awareness Change Management Security Policy Compliance Checks Business Continuity Strategy System Documentation IT Service Continuity Plan Disaster Recovery Procedures Assessment based on Capability Maturity Model Physical / Technical Measures Firewall Alarm System Antivirus RAID Redundancy Access Control System Server Cluster Standby Equipment Virtualization Server snapshots Fire Suppression Standby Site Backup Assessment based on implementation level and effectiveness

11 Assets: Dependency Hierarchy Asset Hierarchy Server 01 Finance ERP Dynamics AOS HP DL380 Serial abc Finance DB SQL 01 Server 02 HP DL380 Serial xyz Asset Type Hierarchy Business Product Business Service Business Division Business Function Business Process Supporting Process Key Employee External Resource IT Service Outsourced Service Physical Documents Database Data Files Business System Data Storage System Infrastructure System Logical Server Logical Storage Logical Network Software Product Hardware Unit Communication Line Supply System Data Center Com. Center SupplyCenter Document Archive Workspace Impact values are inherited downward Risk (vulnerability) values are inherited upward Data Center A

12 Asset Management

13 Business Impact Assessments

14 Vulnerability Assessments

15 Your best and worst assets

16 Threat Catalogue

17 Risk Management Projects

18 Four justifiable time savers IT risk management justifiable short cuts: Risk Management is a process. Refine over time: Add assets, assessments or treat threats more individually

19 Your next risk management tool? + or Asset inventory? Asssesment data collection? Calculations? Rapports? Conclusions? Decisions? Follow up - tracking? Complete IT risk management and ISMS solution

20 More resources: /energy Online Tutorials Demos Brochures and product information Reference accounts /tng Risk management beta program

21 More resources: German Office: Neupart GmbH Robert Bursy Kaiserswerther Str Ratingen Fon: Fax: Mobil: