The Elephant in the ORM Room: Cyber Security and Operational Risk Management in Financial Services
- Isabel Jenkins
- 10 years ago
A DELTA RISK VIEWPOINT
Helping clients build operational capability in cyber security.

The Elephant in the ORM Room: Cyber Security and Operational Risk Management in Financial Services

About
Delta Risk is a global provider of strategic advice, cyber security, and risk management services to commercial and government clients. We believe that an organization's approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today's cyber environment by building on the people, processes, and technology they already have. All rights reserved.
Cyber security should be integrated with enterprise-wide risk management efforts in financial services.

Operational Risk Management (ORM) is alive and well in the financial services sector. Fueled by the Basel Accords, the regulatory changes stemming from the 2008 financial crisis, and the demands of the competitive market, ORM has taken its place alongside other financial sector risk management areas such as financial and compliance. At the same time, cyber security, which is itself a risk-based discipline, is recognized as being of vital importance. But when it comes to ORM, cyber security is the elephant in the room: the thing that occupies a lot of space but that everyone pretends is not there. The cyber security elephant stands there, in its stovepipe, doing a responsibly good risk management job in most cases, but typically not well integrated with the Governance-Risk-Compliance (GRC), Enterprise Risk Management (ERM), or ORM processes and platforms adopted by the enterprise.

Cyber security risks loom large, and financial services firms certainly pay attention to them. The issue is that in many cases cyber security risk is in its own silo just as other risk silos are being integrated into more comprehensive ERM and GRC approaches. In many firms, cyber security seems to be forever "next in the queue" for integration with broader business processes.

This Delta Risk Viewpoint offers the perspective that the integration of cyber security with other risk domains in an integrated ORM/ERM and GRC management program should be an urgent priority in the financial services sector. This stance is based on the fact that cyber security has major enterprise risk implications in this sector that merit immediate and sustained CEO- and Board-level attention. Recommendations are made in three areas:
1. Integrating cyber security with ERM and GRC
2. Special challenges and opportunities in cyber security risk management:
   - Continuous Controls Monitoring
   - Cyber Threat Intelligence
   - Big Cyber Security Data
3. Communicating cyber security risks with the business leadership

These recommendations outline specific actions for integrating cyber security with enterprise-wide risk management efforts for all firms, regardless of the initial state of play.
The Integrated Approach to Risk Management

Risk management as a discipline seeks to manage to the defined risk tolerance parameters of the enterprise, ideally based on a formal statement of risk appetite.[1] Historically, and naturally enough, risk management grew up in individual functional domains: financial, legal, compliance, and so on. Integrating the domains to create enterprise-wide approaches to risk management landed on the corporate agenda in the 1990s, was accelerated by Y2K preparations, Basel II, the Sarbanes-Oxley Act of 2002, and regulatory changes following the 2008 financial crisis, and has continued to gain momentum ever since.

There are many terms and classification schemes used to describe the inter-related risks in business today. With frameworks that initially focused primarily on financial and compliance risks, cyber security risk was an awkward fit. Operational Risk, succinctly defined by Basel II as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events," is clearly the domain in which cyber security risk belongs. (IT risk, with which cyber security risk is closely linked, also fits here.) Figure 1 illustrates this schematically. There are many variations on this model, but a framework like this is needed to underpin an enterprise approach to the integrated management of risk.

In most organizations, there are multiple semi-independent risk management activities spread over business units and functional areas, each using their own frameworks, data, analytical methods, and reporting practices. An enterprise approach that includes a comprehensive statement of risk appetite and imposes a common framework, a common lexicon, compatible risk data aggregation processes, integrated analysis, and a unified reporting approach is appealing. However, moving to a single integrated risk management environment can be a complex and difficult undertaking for a large institution, typically involving transformation in at least the dimensions of process, organization, and technology.

[Figure 1. Risk Management Domains and Their Relationships. Labels recovered from the graphic, arranged on an axis from "More Strategic" to "More Functional": Governance-Risk-Compliance (GRC), comprising Compliance Management, Audit Management, Enterprise-wide Risk Management, Policy Management, and Asset Management (Business Focus: Explicitly Responsive to Business Goals); Financial Risk, Compliance Risk, Strategic Risk, and Operational Risk Management (Operational Focus: With Implicit Links to Business Goals); and, at the most functional level, Credit Risk, Market Risk, Underwriting Risk, Liquidity Risk, Cyber Security Risk, IT Risk, Physical Security Risk, Financial Reporting Risk, Policy and Process Risk, Fraud Risk, Litigation Risk, Safety Risk, and Others.]

Notes:
1. This graphic depicts relationships among risk management domains, generally reflecting the COSO ERM Framework and accepted practices. Individual industries and enterprises may use different terms or assign different relationships to suit their needs.
2. Reality is somewhat more complicated than this graphic would imply because there are overlaps among the risk domains.
3. Not shown here are the relationships of Information Security Risk Management with the Physical Security Risk Management domain (which includes areas such as investigations, personnel protection, and others depending on the organization) as well as with IT Risk Management.
4. Relevant organizational roles associated with GRC, not depicted here, include those of CEO, CFO, General Counsel, General Auditor, Chief Compliance Officer, Chief Risk Officer, Chief Ethics Officer, Chief Governance Officer, Chief Privacy Officer, and others. Roles and responsibilities vary by organization.
5. Technology platforms for GRC, IT-GRC, and ERM are not strictly aligned by the risk categories shown here, as vendors take differing approaches to the problem.

[1] While the concept of risk appetite is clear enough, expressing a risk appetite for cyber in a useful way is difficult. The financial services sector is ahead of most others and has produced some useful benchmarks and methodologies.

From a process standpoint, the key is to build in process hooks across the verticals for the exchange of risk management plans, data, and findings, and for developing coherent risk reporting. Process maps can be very useful for developing and documenting these processes, and defined risk management methodologies will facilitate process development.

Organizationally, roles and responsibilities should be aligned with the firm's statement of risk appetite within an inclusive model of risk domains, such as that shown in Figure 1. A baseline organizational approach would provide for parallel structure across functions and business units. Careful definition of responsibilities and the expectation of close dialog among the players are crucial elements.[2] Ultimately, the organizational structure should reflect the fact that risk, though managed by a functional leader, is owned by a business leader.

Tools and technology platforms are an essential part of risk management for large or complex businesses. About a dozen vendors offer top-tier ERM/GRC platforms, several of which focus specifically on the financial services sector. These platforms help organize the compliance requirements of multiple source authorities, and they support enterprise-level financial reporting compliance, audit management, policy management, and risk management. Vendors and analysts place these products into categories such as ERM, Enterprise GRC, and IT-GRC, but there are often overlaps and indefinite boundaries among them. The inset box shows some of the risk management functions of these tools.

What Can ERM Tools Do?
- Link risk to business strategy
- Create and map policies to regulations and compliance requirements
- Assess risk management controls
- Support risk assessment and mitigation
- Provide business leaders with an enterprise view of risk

As with any enterprise solution, adopting a GRC tool demands not only a high-level systems engineering approach that addresses the needs of the business units and creates a common architecture and interoperable systems, but also a change management process to fuse it into enterprise operations.

Cyber Security Risk Management

Cyber security, which aims to protect enterprise information assets, is usually viewed as having three components: confidentiality, integrity, and availability.[3] That is: are secrets kept secret? Are data, devices, and network connections trustworthy and uncorrupted? Are the information and systems there when you need them? The main focus of the Chief Information Security Officer (CISO) today is on managing the risks associated with the information and resources in cyberspace.[4]

[2] For this purpose, a responsibility assignment matrix such as the R-A-C-I (Responsible-Accountable-Consulted-Informed) model can be very helpful.
[3] The FFIEC Information Security IT Examination Handbook adds Accountability (the ability to trace actions to their source) and Assurance (the confidence that technical and operational security measures work as intended).
[4] Some cyber security risk management functions, such as security controls that comprise technology solutions in the enterprise infrastructure, operations, incident response, and disaster recovery, are shared responsibilities between the cyber security risk manager (usually the Chief Information Security Officer) and others.
Value Proposition

Cyber security practitioners have long recognized that their goal must be to manage risks, simply because of the impossibility of achieving complete security. The community is well versed in the concepts of controls, threats, vulnerabilities, likelihood, impact, and residual risk. While the importance of cyber security risk management in financial services firms is obvious, the reasons for integrating it with the management of other enterprise risks may not be. The value proposition includes:

- Better management of risks that cross risk management domains. Many risks have more than one home: they are manifest in multiple risk domains. For example, cybercrime should typically be addressed in a coordinated fashion by both the cyber security and the fraud risk domains, and possibly others. The cyber security risks associated with network connections to partner organizations, vendors, and IT service providers also need the attention of risk managers in both cyber security and other parts of the business. There is strong linkage between cyber security and IT risks: programmatic, architectural, and operational. Other areas, such as business continuity, disaster recovery, and supply chain, exhibit overlaps across multiple risk domains. When dealing with overlapping risks, it is important to understand the controls originating in different risk domains to avoid redundancy or interference.

- Assuring the IT-centric business models of the financial sector. The increasing reliance of financial services firms on IT for conducting business pulls cyber security into mainstream business processes. This goes beyond securing back-office functions (important in their own right) and extends to the middle office and front office, enabling the primary business processes: trading, order management, market connectivity, online and mobile banking, teller services, payment card transactions, etc. Risks that might once have been thought of as belonging to the IT shop now rise to the level of business risks that call for broader and more senior-level attention. When the entire business literally depends on IT systems, the stakes for cyber security could not be higher.

- Addressing cases in which different root causes have similar effects. Sometimes a cyber attack can have effects that are at least initially indistinguishable from other possible root causes. A denial of service attack in cyberspace may initially look just like a connectivity failure or other system glitch. Cybercrime may be detected by fraud surveillance systems or money laundering safeguards. Communication across risk domains is critical in these circumstances. The potential for events such as these also calls for cross-domain integration in disaster recovery planning, investigations, and response actions.

- Consolidating data sets that are common to multiple risk areas. As with other risk domains, cyber security generates its own data sets (firewall and system logs, cyber threat data feeds, and vulnerability data, for example). Additionally, there are other data sets in which cyber security is but one participant. Aggregating data sets from different risk domains can make authoritative data available for any risk domain that needs it: the elusive "single version of the truth."

- Dealing with overlapping compliance requirements. Laws and regulations pertaining to financial institutions often contain compliance requirements in multiple domains. Gramm-Leach-Bliley, for example, which undid previous restrictions on bank mergers, also called on the regulatory authorities in financial services to establish standards to protect the confidentiality and integrity of customer records and to guard against their unauthorized use; Dodd-Frank, which primarily restructured the regulation of financial institutions, also required disaster recovery and business continuity planning, to cite just two. Rationalizing and tracking compliance requirements are inherently cross-domain activities.
The Disappointing Reality

Conceptually at least, there is great business value to be realized from having cyber security on the same risk template as the other key risks to the enterprise. With the volume of data that cyber security risk management deals with, consideration of automated tools is almost inevitable. However, the real-world track record with such tools is generally not encouraging. In practice, most efforts to apply automated tools to cyber security risk management are less than fully successful operationally within the information security domain itself, to say nothing of further integration with GRC tools. The reasons for this are simply the realities of the real-world IT enterprise: the ongoing (and not unhealthy) tension between security and operational performance; inadequate methods of assigning priority to the huge number of discrete vulnerabilities and risks in the infrastructure; practical difficulties in holding configurations constant throughout the vulnerability scanning/risk mitigation cycle; process gaps or breakdowns between the information security and IT operations functions; and others. However, these evident difficulties do not make the quest for an integrated solution unworthy; they simply represent obstacles that must be deliberately addressed in what needs to be seen as an IT transformation project.

What to Do

This section offers recommendations in three areas that are important to enterprises in the financial sector, where risk management and compliance play such a crucial role. Risk management needs and priorities vary with the organization. Some firms are well along in implementing enterprise approaches to GRC while others are closer to the starting point. With this in mind, each recommendation presented here is annotated with an Advised, Advantageous, or Advanced qualifier, corresponding to increasing levels of difficulty, as defined in the inset box. Self-assessment against a published maturity model may provide a useful reference point on the organization's readiness to pursue risk management integration projects. The technology solutions outlined here are costly, but the greater cost is in the operational tail once the deployment is complete. A decision to proceed implies a commitment to operational success.

Recommendation Qualifiers
- Advised. Recommendations applicable to all enterprises.
- Advantageous. Recommendations that would provide clear benefits but may require significant resources depending upon the initial state.
- Advanced. Recommendations that would require leading-edge work and original development, most likely in partnership with platform vendors.

1. Integrating cyber security with GRC.

One of the first steps to integrating risk domains with a broad GRC effort is to get the basics in alignment: common vocabulary, compatible risk management methods, recognition of the intersections among risk management domains, and consistent reporting concepts. Subsequent steps may then focus on integrating cyber security with enterprise GRC platforms, initially with limited data feeds and perhaps manual data inputs (some data is often maintained in spreadsheets and other manual databases) and later with more automated data feeds. In firms that are adopting technology products that focus on IT risks (i.e., IT-GRC), integrating cyber security data with them would be a good initial step on a more extensive roadmap.

Recommendations
- As a starting point, harmonize the risk management approaches of the cyber security, IT, and physical security domains, consistent with COSO and COBIT5 frameworks and/or ISO guidelines. Initial focus should be on unifying frameworks, defining risk aggregation methodologies, agreeing on risk language, integrating and synchronizing processes, optimizing oversight responsibilities, and streamlining reporting methods. Later, expand the scope to other risk domains. Ensure top-down statements of risk appetite are understood across the organization. (Advised)
- Develop and implement a roadmap for integrating cyber security risk management with IT-GRC platforms and also with enterprise-wide GRC platforms. Collaborate with IT leadership and other risk management stakeholders on process integration and IT architectural approaches. Concentrate initially on integrating manual processes and those automated data sources already available that can be readily imported by existing GRC platforms. Devise initial analytics and reporting processes based on available capability. (Advantageous)

2. Special challenges and opportunities in cyber security risk management.

There are three related challenges within cyber security risk management that have implications for the design of integration solutions. These challenges stem from the data-intensive nature of cyber security. There are technology solutions available from multiple vendors, but a lack of interoperability across vendor product lines can plague implementation. The development and adoption of integrated solutions will be an ongoing activity over the coming years.

Continuous Controls Monitoring

Risk management theory stresses the importance of getting closed-loop feedback on the effectiveness of controls: monitoring their performance, reviewing their effectiveness in mitigating the risks they are designed to mitigate, and adjusting the controls as necessary based on the findings. This is an especially tough challenge for IT and cyber security in large enterprises because of the wide range of controls, the large volume of data associated with them, and the typically large number of network devices in the enterprise.
Audit logs and other data sets drawn from network devices such as firewalls, intrusion detection and prevention systems, vulnerability scanners, and security configuration assessment solutions produce raw data by the terabyte every day. Security Information and Event Management (SIEM) technology automates the collection, analysis, and management of this vast quantity of network and device data. Primary SIEM functions include:
- real-time anomaly detection and alerting;
- event correlation across multiple data streams (e.g., between user activity and event logs);
- forensic analysis of network and server logs;
- security policy auditing;
- automated compliance reporting.

Over the past decade, SIEM solutions have gone mainstream, though they are still often difficult for enterprises to implement, difficult to tune, and resource-intensive to operate for top performance.[5]

Because the threat is highly adaptive and new IT vulnerabilities are discovered every week, reviewing the hundreds of information security controls in an enterprise is a difficult proposition. The term Continuous Controls Monitoring (CCM) is now used within cyber security risk management to emphasize the importance of constant vigilance to ensure controls are appropriate and effective. Each control should be reviewed on a regular basis at a frequency suited to its function and operational dynamics.

[5] SIEM and other security platforms, by virtue of the amount of data they move, can also put an unwelcome burden on the corporate infrastructure. The same is true of the traffic generated by regular controls reviews such as vulnerability and configuration scanning. Security platforms and risk management processes must be carefully designed and architected into both the network infrastructure and IT operations to avoid introducing performance impacts. The data itself can be quite sensitive and may require its own protections such as encryption or out-of-band communication links. Nonetheless, centralizing the storage and management of this sensitive information can be better from a security standpoint than having it distributed in an uncontrolled manner throughout the enterprise.
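The SIEM function the text singles out, event correlation across multiple data streams, is easiest to see on concrete log lines. The following is an added example, not code from the Viewpoint or from Delta Risk: it walks a constructed authentication log and a constructed firewall log in time order and raises an alert only when a pattern in one stream (repeated login failures followed by a success) is followed by a pattern in the other (a large allowed outbound transfer from the same host). The `key=value` line format, the field names, and every threshold are assumptions chosen for the illustration; a real SIEM would normalise vendor formats into something similar before applying rules like these.

```python
"""Added example (not Delta Risk's code): SIEM-style correlation across two
constructed log streams, an authentication log and a firewall log.

Assumptions (not from the Viewpoint): the key=value line format, the field
names, and the thresholds below are all invented for this illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data. Addresses are from documentation ranges.
AUTH_LOG = """\
2014-03-03T09:00:01 auth host=wkst-17 user=jdoe src=10.1.2.3 result=FAIL
2014-03-03T09:00:07 auth host=wkst-17 user=jdoe src=10.1.2.3 result=FAIL
2014-03-03T09:00:12 auth host=wkst-17 user=jdoe src=10.1.2.3 result=FAIL
2014-03-03T09:00:18 auth host=wkst-17 user=jdoe src=10.1.2.3 result=FAIL
2014-03-03T09:00:25 auth host=wkst-17 user=jdoe src=10.1.2.3 result=OK
2014-03-03T09:15:00 auth host=wkst-22 user=asmith src=10.1.2.9 result=FAIL
2014-03-03T09:16:00 auth host=wkst-22 user=asmith src=10.1.2.9 result=OK
"""
FW_LOG = """\
2014-03-03T09:03:40 fw src=10.1.2.3 dst=203.0.113.10 dport=443 bytes_out=52428800 action=ALLOW
2014-03-03T09:20:00 fw src=10.1.2.9 dst=198.51.100.7 dport=443 bytes_out=4096 action=ALLOW
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    stream: str                      # "auth" or "fw"
    fields: dict = field(default_factory=dict)


def parse(text):
    """Parse '<iso-timestamp> <stream> k=v k=v ...' lines into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, stream, rest = line.split(" ", 2)
        events.append(Event(datetime.fromisoformat(ts), stream, dict(KV.findall(rest))))
    return events


def correlate(auth_text, fw_text, fail_threshold=4, window=timedelta(minutes=5),
              egress_bytes=10 * 2**20, follow_window=timedelta(minutes=30)):
    """Walk both streams in time order and emit alerts.

    Rule 1 (auth only): >= fail_threshold failures for the same (user, src)
    inside `window`, followed by a success -> 'brute_force_success' (high).
    Rule 2 (auth x fw): an allowed outbound flow of >= egress_bytes from a src
    flagged by rule 1 within follow_window -> 'large_egress_after_compromise'
    (critical). Either stream alone says little; the combination is the signal.
    """
    events = sorted(parse(auth_text) + parse(fw_text), key=lambda e: e.ts)
    alerts = []
    recent_fails = defaultdict(list)   # (user, src) -> failure timestamps
    flagged = {}                       # src -> time at which rule 1 fired
    for ev in events:
        if ev.stream == "auth":
            key = (ev.fields["user"], ev.fields["src"])
            fails = [t for t in recent_fails[key] if ev.ts - t <= window]
            if ev.fields["result"] == "FAIL":
                fails.append(ev.ts)
            else:
                if len(fails) >= fail_threshold:
                    alerts.append({"severity": "high", "rule": "brute_force_success",
                                   "user": key[0], "src": key[1], "ts": ev.ts.isoformat()})
                    flagged[key[1]] = ev.ts
                fails = []             # a success closes the failure window
            recent_fails[key] = fails
        elif ev.stream == "fw" and ev.fields.get("action") == "ALLOW":
            src = ev.fields["src"]
            t0 = flagged.get(src)
            if (t0 is not None and timedelta(0) <= ev.ts - t0 <= follow_window
                    and int(ev.fields["bytes_out"]) >= egress_bytes):
                alerts.append({"severity": "critical", "rule": "large_egress_after_compromise",
                               "src": src, "dst": ev.fields["dst"],
                               "bytes_out": int(ev.fields["bytes_out"]), "ts": ev.ts.isoformat()})
    return alerts


def severity_counts(alerts):
    """Roll-up suitable for a controls-status line in a risk report."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = correlate(AUTH_LOG, FW_LOG)
    for a in found:
        print(a)
    print(severity_counts(found))
```

Run stand-alone it reports one high and one critical alert for host 10.1.2.3 and nothing for 10.1.2.9, whose single failed login never crosses the threshold. The tuning difficulty the text mentions is visible in the parameters: raising `fail_threshold` to 5 silences both alerts, because the second rule depends on the first.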
Recommendations
- Implement a formal information security risk assessment methodology (such as OCTAVE or NIST) and impose processes to instill disciplined and regular review and analysis of all information security controls in the enterprise. Develop and implement a plan for how each control will be monitored, the frequency, and the standard of performance. Recognize that while some control reviews can be automated, manual surveillance, analytical, and reporting processes will be needed for some controls. (Advised)
- Adopt SIEM (Security Information and Event Management) platforms throughout the enterprise network, importing as many automated cyber security data feeds as practical. Analyze vendor solutions to understand capabilities and interoperability features. Identify security requirements for the overall SIEM capability. Adopt system and data architectures and interface protocols that will enable future scalability and integration of SIEM and other data sources with current and planned IT-GRC and GRC platforms. (Advantageous)

Cyber Threat Intelligence

Cyber security is at a turning point, and the new direction is to employ cyber threat intelligence as a risk management tool. The maturing of real-time automated threat information sharing and event correlation within and beyond the enterprise network represents a powerful new way to manage risk. It moves detection and analysis upstream towards real-time and predictive identification of advanced threats. In financial services, this approach is rapidly becoming not just a best practice but a practical requirement. It changes the game by addressing one of the sophisticated hacker's techniques: multiple coordinated small-signature forays from seemingly independent sources, possibly over an extended period of time. Cyber threat intelligence is new and different from previous approaches that focused on looking for attack patterns or signatures that had been observed previously. It helps move the enterprise from a reactive to a proactive stance in dealing with cyber threats.

Cyber threat intelligence has two complementary components: those addressed by technology and those addressed by human analysts. On the technology side, it is similar to business intelligence (BI) in its algorithmic analysis of data, producing quantitative insights or hard-data correlations. On the human analyst side, it is similar to national security intelligence in that human analysts employ the methods of the intelligence discipline to connect the dots to produce judgments and qualitative findings. Human analysts are better than machines at grasping certain relationships and insights, such as culture, motivation, and the hacker mentality.

A vast amount of data on vulnerabilities and threats is available publicly from many sources. Sources range from U.S. government data (e.g., the National Vulnerability Database of the National Institute of Standards and Technology, alerts from the FBI-sponsored InfraGard program, US-CERT, and others) to anti-virus vendors, to commercial providers of cyber threat data feeds that combine data in many categories, such as whitelist/blacklist updates, threat IP addresses, and attack signatures. Commercial threat intelligence platforms are designed to ingest data from many sources under many formats.

Another important dimension of cyber threat intelligence is the sharing of specific threat information within the financial services sector. Insight into what other institutions are seeing can enhance the enterprise's ability to derive meaning from local observations. In financial services, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is an invaluable resource that consolidates threat and vulnerability intelligence of particular relevance to the sector.
Ultimately, cyber threat intelligence is valuable to the extent it provides timely and actionable insights. It is thus critically important that intelligence products, whether from automated tools or human analysts, are integrated into IT security operations at the tactical level and also, at a strategic level, into enterprise-wide risk management processes.

Recommendations
- Establish cyber threat information sharing relationships with other financial institutions, with FS-ISAC, and with U.S. government Critical Infrastructure Protection initiatives. Maximize the analysis of cyber threat intelligence from all available external and internal sources. Integrate cyber threat intelligence into daily information security operations. (Advantageous)
- Invest in a comprehensive Cyber Threat Intelligence program through the adoption of: (1) cyber threat intelligence technology platforms that perform automatic cross-enterprise event correlation, analysis, and reporting; and (2) human threat analysts who conduct all-source intelligence analysis to produce insights on the intent and capabilities of the adversary before a directed attack is launched. Consider interoperability with current and planned security, SIEM, IT-GRC, and GRC platforms when defining architectural options. Develop and coordinate detailed process maps to establish how the threat intelligence data will be used, recognizing the different purposes and audiences for tactical and strategic information. (Advanced)

Big Cyber Security Data

Continuous Controls Monitoring and cyber threat intelligence can be seen as Big Data problems for a large enterprise, both in the size of the data sets and in the type of analysis needed in cyber security risk management.[6] The ability to detect patterns and relationships within and across data sets is what affords the ability to thwart sophisticated hacking attempts in near-real-time or find root causes during forensic investigations of previous attacks. This may require significant investment but can yield deeper understanding and better predictive capability.[7]

Recommendation
- Explore architectural concepts for converging data streams generated by security controls and threat intelligence platforms for integrated analysis using Big Data analytics and data visualization tools. Coordinate this effort with other Big Data programs within the enterprise for efficiency and synergy. (Advanced)

[6] Data scientists might justifiably question the use of the term Big Data in connection with cyber security threat platforms and SIEM systems. Though the data sets themselves are typically large enough to be considered big (even as the definition of big continues to evolve), the data warehouse architectures and analytic techniques in use thus far usually deviate from those of mainstream Big Data. This is changing, however. True Big Data solutions are starting to emerge in the cyber security market and will become more prevalent as technology solutions co-evolve with risk management approaches. We can expect greater use of distributed threat data sets, and also data sets (such as asset registries, network traffic data, and online customer transaction records) that serve more than one risk domain. Big Cyber Security Data is likely to become one of the most pervasive Big Data applications in the corporate world.
[7] When embarking on efforts to collect large amounts of security risk-related data, involve legal counsel early to consider the possibility that discoverable threat and vulnerability data could lead to a plausible claim of negligence should a breach occur. This area of law is evolving.
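The two mechanics the Cyber Threat Intelligence section relies on, ingesting indicators "from many sources under many formats" and using "what other institutions are seeing" to make sense of local observations, and the data-convergence idea of the Big Data section, can be shown together in a small script. This is an added example, not code from the Viewpoint or from Delta Risk. It normalises two constructed feeds with different schemas (a CSV in a hypothetical vendor format and a JSON document in a hypothetical sector-sharing format) into one indicator list, matches that list against constructed proxy and DNS log lines, and reports, per internal host, how many observations were corroborated by more than one independent source. The feed formats, field names, indicator values and log lines are all assumptions; the only real-world detail is that the IPs and domains are drawn from documentation ranges and the reserved `.example` TLD.

```python
"""Added example (not Delta Risk's code): normalising threat-intelligence
feeds of different formats and matching them against local observations.

Assumptions (not from the Viewpoint): both feed schemas, the log format and
every indicator and address are constructed for this illustration."""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed feed 1: CSV in a hypothetical commercial-provider format.
FEED_CSV = """indicator,type,confidence,last_seen
203.0.113.10,ipv4,80,2014-03-01
bad-update.example,domain,60,2014-02-27
198.51.100.7,ipv4,40,2014-01-15
"""
# Constructed feed 2: JSON in a hypothetical sector-sharing format.
FEED_JSON = json.dumps({"indicators": [
    {"value": "203.0.113.10", "kind": "ip", "score": 0.9},
    {"value": "c2.bad-update.example", "kind": "fqdn", "score": 0.7},
]})
# Constructed local observations: proxy and DNS log lines from the enterprise.
LOCAL_LOG = """\
2014-03-03T09:03:40 proxy src=10.1.2.3 dst=203.0.113.10 host=203.0.113.10 status=200
2014-03-03T09:04:02 dns src=10.1.2.3 qname=c2.bad-update.example type=A
2014-03-03T09:30:00 proxy src=10.1.2.5 dst=192.0.2.44 host=www.example.com status=200
2014-03-03T10:00:00 dns src=10.1.2.8 qname=mail.example.org type=MX
"""

KV = re.compile(r"(\w+)=(\S+)")
# Each feed names indicator types differently; map them onto one vocabulary.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}


def parse_csv_feed(text, source):
    """Normalise a CSV feed; confidence is already on a 0-100 scale."""
    return [{"value": row["indicator"].lower(), "type": TYPE_MAP[row["type"]],
             "confidence": int(row["confidence"]), "source": source}
            for row in csv.DictReader(io.StringIO(text))]


def parse_json_feed(text, source):
    """Normalise a JSON feed; its 0.0-1.0 score is rescaled to 0-100."""
    return [{"value": item["value"].lower(), "type": TYPE_MAP[item["kind"]],
             "confidence": int(round(item["score"] * 100)), "source": source}
            for item in json.loads(text)["indicators"]]


def indicator_matches(ind, observed):
    """IPs match exactly; a domain indicator also covers its subdomains."""
    if ind["type"] == "ip":
        return observed == ind["value"]
    return observed == ind["value"] or observed.endswith("." + ind["value"])


def match_observations(indicators, log_text):
    """Return one match per (log line, observed value) that hits any indicator,
    recording which independent sources agree and the best confidence."""
    matches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _stream, rest = line.split(" ", 2)
        f = dict(KV.findall(rest))
        observed = {f[k].lower() for k in ("dst", "host", "qname") if k in f}
        for value in sorted(observed):
            hits = [i for i in indicators if indicator_matches(i, value)]
            if hits:
                matches.append({"ts": ts, "src": f["src"], "observed": value,
                                "sources": sorted({h["source"] for h in hits}),
                                "confidence": max(h["confidence"] for h in hits)})
    return matches


def corroborated(matches, min_sources=2):
    """Per internal host, count observations confirmed by >= min_sources feeds.
    A hit seen by several independent sources is worth an analyst's time;
    a single low-confidence feed entry usually is not."""
    counts = defaultdict(int)
    for m in matches:
        if len(m["sources"]) >= min_sources:
            counts[m["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    feeds = parse_csv_feed(FEED_CSV, "vendor-csv") + parse_json_feed(FEED_JSON, "sector-json")
    found = match_observations(feeds, LOCAL_LOG)
    for m in found:
        print(m)
    print("hosts with corroborated hits:", corroborated(found))
```

Only host 10.1.2.3 produces matches, and both of its observations are confirmed by both feeds, which is the kind of cross-source agreement that turns a "small-signature" event into something worth escalating. The third CSV indicator never appears locally, illustrating why feed volume alone says nothing about exposure.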
3. Communicating cyber security risks with the business leadership.

One of the key benefits of a comprehensive ORM/ERM/GRC program is that it can help crystallize risk factors for C-level executives and the Board. Getting the actionable information that leaders at these levels need for decision making requires careful thought. The cyber security risk message to senior leadership should be developed from the following four categories:

- Top risk exposures and how they relate to the statement of risk appetite (possibly in graphical, quantitative, or dashboard formats).
- Potential future exposures (probably in narrative form) based on strategic threat intelligence analysis. Examples include the risk implications of: cyber events experienced elsewhere in the industry; new developments in cybercrime and hacker tradecraft; recent rulings in cybercrime prosecutions and court cases; information on cybercrime trends and hacker motivations and intentions relevant to the enterprise.
- Key Risk Indicators (KRIs): metrics that provide an early warning of increasing risk exposures. Well-designed KRIs are leading indicators of risk. Predictive threat intelligence analysis is the most likely source of KRIs. They could also be developed from aggregations of other risk indicators that give new insights about current trends and developments. KRIs are often derived through cross-domain analysis of risks that arise due to overlaps and intersections but that may not be recognized in one domain alone. For example, the cyber security risk posture of potential partner companies or acquisition targets can present future risks as these entities get connected to the enterprise network.
- Risk Management Key Performance Indicators (KPIs). In the general case, KPIs are parametric measures of the as-is state, and as such are usually lagging indicators of whatever process they measure. The KPI idea can be extended to risk management by considering risk-related status metrics. Cyber security examples include metrics on: vulnerability scanning results; configuration management data; certificate management; access controls; current policy deviations (e.g., ports and protocols, access controls, devices, passwords); risk assessment results. Managers can define thresholds for KPIs that will trigger actions to adjust controls. The inset box shows illustrative examples of risk management KPIs and KRIs.

Example Risk Indicators and Reporting
Lagging (Controls Status):
- Access controls
- Certificate management
- Current policy deviations (e.g., ports and protocols, access controls, devices, passwords, etc.)
- Vulnerability scanning results
- Risk assessment results
- Project schedule variances
- Disaster Recovery test results
- Malware event rate
- Mean-Time-to-Discovery of malicious attacks
Leading (KRIs):
- New classes of threats
- Data on current attacks on vendors, trading partners, and other industry players
- Analysis of state-sponsored hacker capabilities
- Evidence of ongoing surveillance of the enterprise network
- Analysis of social network data associated with known hackers or hacker personas
- Indicators of compromise

These four categories are not completely independent of one another, and in fact synergies among the categories can help improve understanding of the risk exposure and sharpen the message. Cyber security risk also needs to be communicated horizontally across business units and functions, as well as within the information security domain itself. These process links are important because, for an organization to know something, the information must be embedded into the workflow that drives the operation.
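The distinction the text draws between lagging KPIs checked against thresholds and leading KRIs is concrete enough to compute. The script below is an added example, not code from the Viewpoint or from Delta Risk. From constructed incident records, policy-deviation records and a vulnerability count it derives four of the inset box's lagging metrics (Mean-Time-to-Discovery, malware event rate, policy deviations, open critical vulnerabilities), grades each against a constructed risk-appetite limit using a RED/AMBER/GREEN scheme, and derives one leading KRI from a constructed series of peer-reported attacks. All data, limits, the 80% amber line and the KRI growth rule are assumptions for the illustration, not figures the Viewpoint gives.

```python
"""Added example (not Delta Risk's code): turning raw controls-status data
into KPIs graded against risk-appetite limits, plus one leading KRI.

Assumptions (not from the Viewpoint): every record, limit and the
RED/AMBER/GREEN scheme below are constructed for this illustration."""
from datetime import datetime
from statistics import mean

# Constructed: malware incidents in the reporting month, with the time the
# malicious activity started and the time the SOC detected it.
INCIDENTS = [
    {"id": "INC-1", "started": "2014-02-02T22:00", "detected": "2014-02-03T10:00"},
    {"id": "INC-2", "started": "2014-02-09T09:00", "detected": "2014-02-11T09:00"},
    {"id": "INC-3", "started": "2014-02-20T06:30", "detected": "2014-02-20T08:30"},
]
ENDPOINTS = 12000                  # constructed endpoint population
POLICY_DEVIATIONS = [              # constructed: open deviations from policy
    {"host": "srv-04", "category": "ports and protocols"},
    {"host": "srv-04", "category": "passwords"},
    {"host": "wkst-17", "category": "devices"},
    {"host": "wkst-21", "category": "access controls"},
    {"host": "srv-09", "category": "ports and protocols"},
    {"host": "srv-11", "category": "passwords"},
    {"host": "srv-12", "category": "devices"},
]
OPEN_CRITICAL_VULNS = 12           # constructed: from the last scan cycle
# Constructed KRI input: attacks reported by industry peers, per month.
PEER_INCIDENTS_BY_MONTH = {"2013-12": 4, "2014-01": 5, "2014-02": 11}

# Constructed risk-appetite limits: the maximum each KPI may reach.
RISK_APPETITE = {
    "mttd_hours": 24.0,
    "malware_rate_per_1k": 0.5,
    "policy_deviations": 5,
    "open_critical_vulns": 10,
}


def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def compute_kpis(incidents, endpoints, deviations, open_criticals):
    """Lagging indicators of the as-is state (the 'controls status' column)."""
    return {
        "mttd_hours": mean(hours_between(i["started"], i["detected"]) for i in incidents),
        "malware_rate_per_1k": len(incidents) * 1000 / endpoints,
        "policy_deviations": len(deviations),
        "open_critical_vulns": open_criticals,
    }


def rag_status(value, limit, amber_fraction=0.8):
    """RED above the appetite limit, AMBER in the top 20% below it, else GREEN.
    AMBER is the trigger for adjusting a control before the limit is breached."""
    if value > limit:
        return "RED"
    if value > amber_fraction * limit:
        return "AMBER"
    return "GREEN"


def evaluate(kpis, appetite):
    return {name: rag_status(kpis[name], limit) for name, limit in appetite.items()}


def kri_trend(series_by_month, growth_limit=1.5):
    """Leading indicator: growth in peer-reported incidents over the period.
    Nothing has happened locally yet; the point is the early warning."""
    values = [series_by_month[m] for m in sorted(series_by_month)]
    ratio = values[-1] / values[0]
    return {"ratio": ratio, "status": "ELEVATED" if ratio >= growth_limit else "STABLE"}


def board_report():
    kpis = compute_kpis(INCIDENTS, ENDPOINTS, POLICY_DEVIATIONS, OPEN_CRITICAL_VULNS)
    return {"kpis": kpis, "status": evaluate(kpis, RISK_APPETITE),
            "kri_peer_incidents": kri_trend(PEER_INCIDENTS_BY_MONTH)}


if __name__ == "__main__":
    report = board_report()
    for name, value in report["kpis"].items():
        print(f"{name:22} {value:8.2f}  limit {RISK_APPETITE[name]:<6}  {report['status'][name]}")
    print("peer incident trend:", report["kri_peer_incidents"])
```

With the constructed data, Mean-Time-to-Discovery lands at about 20.7 hours, inside the 24-hour limit but above the amber line, while policy deviations and open critical vulnerabilities are both over their limits. Which of these lines reach the Board and which stay at the tactical level is the selection step the recommendation that follows asks for.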
Recommendation

Develop reporting metrics in the categories of: top risk exposures; potential future exposures based on strategic intelligence; Key Risk Indicators (KRIs); and cyber security-related Key Performance Indicators (KPIs). Link metrics to business objectives, and incorporate them into concise reporting formats. Implement processes to produce these reporting metrics regularly and consistently. From the total set of metrics, identify those that are appropriate for consumption by senior leadership and those more suited to tactical purposes and to being communicated cross-functionally. (Advised)

Key Take-Aways

This Delta Risk Viewpoint recommends that cyber security be integrated with other risk verticals in enterprise-wide risk management programs. In regulated industries such as the financial services sector, the integrated approach should usually be part of an overall Governance, Risk, and Compliance program. In many large firms, multiple GRC-related point solutions exist in business units and functional areas; rationalizing them to create a true enterprise view may require significant transformation in process, organization, and methods and tools. A summary of the recommendations is shown in the table below.

Summary of Recommendations

Integrating Information Security with GRC
As a starting point, harmonize the risk management approaches of the information security, IT, and physical security domains, consistent with the COSO and COBIT 5 frameworks and/or ISO guidelines.
Develop and implement a roadmap for integrating information security risk management with IT-GRC platforms and also with enterprise-wide GRC platforms.

Special Challenges and Opportunities in Information Security Risk Management
Implement a formal information security risk assessment methodology (such as OCTAVE or the NIST guidance) and impose processes to instill disciplined and regular review and analysis of all information security controls in the enterprise.
Adopt SIEM (Security Information and Event Management) platform(s) throughout the enterprise network, importing as many automated information security data feeds as practical.
Establish information sharing relationships within the financial services sector, with FS-ISAC, and with U.S. government Critical Infrastructure Protection initiatives.
Invest in a comprehensive Cyber Threat Intelligence program through the adoption of: (1) cyber threat intelligence technology platform(s) that perform automatic cross-enterprise event correlation, analysis, and reporting; and (2) human threat analysts who conduct all-source intelligence analysis to produce insights on the intent and capabilities of the adversary before an attack is launched.

Communicating Information Security Risks with the Business Leadership
Explore architectural concepts for converging data streams generated by security controls and threat intelligence platforms for integrated analysis using Big Data analytics and data visualization tools.
Develop reporting metrics in the categories of: top risk exposures; potential future exposures based on strategic intelligence; Key Risk Indicators (KRIs); and information security-related Key Performance Indicators (KPIs).
Contact Information

To discuss these ideas please contact us at Delta Risk offices:

San Antonio, Texas
106 St. Mary's Street, Suite 428
San Antonio, TX

Washington, DC
4600 N Fairfax Dr., Suite 906
Arlington, VA