A CobiT Case Study
Drawing on CobiT for the implementation of an Enterprise Risk Management Framework
December 2008
Presenter: Clive E. Waugh, CISSP, C|EH
Risk Management Framework Objectives
CobiT provided guidance on the essential framework elements:
- Governance
- Strategic Alignment
- Business Focus
- Control Objectives
- Establishment of Risk Appetite
- Assessment and Management of Risks
- Performance Management
CobiT Case Study: The framework in practice
The framework in practice: 4 Domains
The CobiT framework (version 4.1) is comprised of 4 domains, 34 processes and 210 detailed control objectives. The processes drawn on for this case study are:

Plan and Organize processes
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO4 Define the Organization and Relationships
- PO6 Communicate Management Aims and Direction
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects

Acquire and Implement process
- AI2 Acquire and Maintain Application Software

Deliver and Support processes
- DS2 Manage Third-party Services
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security

Monitor and Evaluate processes
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME4 Provide IT Governance
The framework in practice: Plan & Organize
Plan and Organize processes and the control objectives applied (the framework element each supports is in parentheses):
- PO1 Define a Strategic IT Plan
  - PO1.2 Business-IT Alignment (strategic alignment)
- PO2 Define the Information Architecture
  - PO2.2 Data Classification Scheme
- PO4 Define the Organization & Relationships
  - PO4.8 Responsibility for Risk, Security & Compliance
  - PO4.15 Relationships
- PO6 Communicate Management Aims & Direction
  - PO6.2 Enterprise IT Risk and Control Framework (the risk management framework itself)
The framework in practice: Plan & Organize (continued)
- PO9 Assess and Manage IT Risks
  - PO9.1 IT Risk Management Framework
  - PO9.2 Establishment of Risk Context
  - PO9.3 Event Identification
  - PO9.4 Risk Assessment
  - PO9.5 Risk Response
  - PO9.6 Maintenance & Monitoring of a Risk Action Plan
- PO10 Manage Projects
  - PO10.3 Project Management Approach
  - PO10.4 Stakeholder Commitment
  - PO10.9 Project Risk Management
  - PO10.13 Project Performance Measurement, Reporting & Monitoring
The framework in practice: Acquire & Implement
Acquire and Implement process and the control objective applied:
- AI2 Acquire and Maintain Application Software
  - AI2.4 Application Security and Availability (security integrated into the SDLC)
The framework in practice: Deliver & Support
Deliver and Support processes and the control objectives applied:
- DS2 Manage Third-party Services
  - DS2.3 Supplier Risk Management (vendor assessments)
- DS4 Ensure Continuous Service
  - DS4.2 IT Continuity Plans (business impact analysis & risk assessment)
- DS5 Ensure Systems Security
  - DS5.5 Security Testing, Surveillance & Monitoring (regular vulnerability assessments)
The framework in practice: Monitor & Evaluate
Monitor and Evaluate processes and the control objectives applied:
- ME1 Monitor & Evaluate IT Performance
  - ME1.5 Board and Executive Reporting
  - ME1.6 Remedial Actions
- ME2 Monitor & Evaluate Internal Control
  - ME2.3 Control Exceptions
  - ME2.4 Control Self-assessment
  - ME2.5 Assurance of Internal Control
  - ME2.6 Internal Control at Third Parties
  - ME2.7 Remedial Actions
- ME4 Provide IT Governance
  - ME4.1 Establishment of an IT Governance Framework
  - ME4.2 Strategic Alignment
  - ME4.5 Risk Management
The framework in practice: RM Functions
Four main Risk Management functions:
- Risk Cataloging
- Risk Reporting
- Remediation Planning
- Risk Acceptance Handling
Risk Cataloging Process Flow
Sources of identified risk: External audit, Security, Internal audit, Customer, Other.
1) Initial risk assessment by the Risk Management Dept rates each item Critical, High, Medium or Low.
2) Critical: escalated immediately to Group and Segment Leaders, who address the risk immediately.
3) High, Medium and Low: queued for the weekly prioritization session run by the Risk Management Dept leaders, which produces documented, prioritized risks.
4) Documented risks are entered in the Risk Repository; Group Leaders (SMT) and senior BU leaders confirm the details as documented.
Risk Cataloging - Overview of Prioritization Standards
- Risk Prioritization Sessions are conducted on a weekly basis.
- Risk Prioritization Committee membership consists of Risk Management Dept management staff.
- Risk Prioritization Standards are as follows:
  1) Risks are first ranked into quadrants (definitions on subsequent slides):
     a) Critical
     b) High
     c) Medium
     d) Low
  2) Risks within the High and Medium quadrants are then force ranked by business unit, from highest risk to lowest.
Risk Cataloging - Risk Management Dept Role
The Risk Management Department's role in cataloging risk:
1) Escalates Critical risks immediately.
2) Queues non-critical risks for review by Ops-Security management during the regular prioritization sessions.
3) Captures risk data, including description, impact, likelihood, BU ownership, priority and ranking.
4) Proposes strategies for remediation of the immediate risk and of its root cause.
5) Educates the Business Unit and requests confirmation of the risk details as documented.
Risk Cataloging - Business Unit Role
The Business Unit's role in cataloging risk. Both the Business Unit Manager and the designated Risk Management Coordinator for the BU:
1) Are informed of new risks by the RM department as they are cataloged.
2) Review and acknowledge the documented risk details.
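The cataloging flow on the preceding slides (initial assessment, immediate escalation of Critical items, weekly queue, quadrant then per-BU force ranking, BU confirmation) can be expressed as a small risk-repository model. The code below is an added illustration and is not the presenter's tooling or part of the original deck. The 1-5 impact and likelihood scales, the quadrant thresholds on their product, and the sample findings are all assumptions: the deck says the quadrant definitions are on subsequent slides that are not reproduced here.

```python
"""Risk cataloging and weekly prioritization modelled on the case study's
process flow. Added illustration only, not the presenter's tooling.
Assumed (not on the slides): impact and likelihood scored 1-5, quadrant
derived from their product using QUADRANT_THRESHOLDS."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Quadrant(Enum):
    CRITICAL = "Critical"
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# Assumed thresholds on impact x likelihood (each 1-5, product 1-25).
QUADRANT_THRESHOLDS = ((20, Quadrant.CRITICAL), (12, Quadrant.HIGH), (6, Quadrant.MEDIUM))

# The inputs named on the process-flow slide.
RISK_SOURCES = {"External audit", "Security", "Internal audit", "Customer", "Other"}


@dataclass
class Risk:
    risk_id: str
    source: str                      # one of RISK_SOURCES
    description: str
    impact: int                      # 1-5 (assumed scale)
    likelihood: int                  # 1-5 (assumed scale)
    business_unit: str               # BU that owns the risk
    quadrant: Optional[Quadrant] = None
    rank: Optional[int] = None       # force rank within the BU (High/Medium only)
    status: str = "new"              # new -> escalated | queued -> documented
    bu_confirmed: bool = False       # BU acknowledged the details as documented


def quadrant_for(impact: int, likelihood: int) -> Quadrant:
    """Map an impact/likelihood pair to a quadrant using the assumed thresholds."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be in 1-5")
    product = impact * likelihood
    for threshold, quadrant in QUADRANT_THRESHOLDS:
        if product >= threshold:
            return quadrant
    return Quadrant.LOW


class RiskRepository:
    """The risk repository maintained by the Risk Management Dept."""

    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def catalog(self, risk: Risk) -> Risk:
        """Initial assessment: rate the item, escalate Critical immediately,
        queue everything else for the weekly prioritization session."""
        if risk.source not in RISK_SOURCES:
            raise ValueError(f"unknown risk source {risk.source!r}")
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        risk.quadrant = quadrant_for(risk.impact, risk.likelihood)
        risk.status = "escalated" if risk.quadrant is Quadrant.CRITICAL else "queued"
        self.risks[risk.risk_id] = risk
        return risk

    def weekly_prioritization(self) -> dict[str, list[Risk]]:
        """Weekly session: High and Medium risks are force ranked per business
        unit (High above Medium, then highest score first); Low risks are
        documented without a rank. Returns the ranked list per BU."""
        ranked: dict[str, list[Risk]] = {}
        for r in [r for r in self.risks.values() if r.status == "queued"]:
            if r.quadrant in (Quadrant.HIGH, Quadrant.MEDIUM):
                ranked.setdefault(r.business_unit, []).append(r)
            else:
                r.status = "documented"
        for items in ranked.values():
            # Deterministic order: quadrant, score, impact, then id as tie-break.
            items.sort(key=lambda r: (r.quadrant is Quadrant.MEDIUM,
                                      -(r.impact * r.likelihood), -r.impact, r.risk_id))
            for position, r in enumerate(items, start=1):
                r.rank = position
                r.status = "documented"
        return ranked

    def confirm(self, risk_id: str) -> Risk:
        """BU manager or coordinator confirms the details as documented."""
        r = self.risks[risk_id]
        if r.status not in ("documented", "escalated"):
            raise ValueError(f"{risk_id} has not been documented yet")
        r.bu_confirmed = True
        return r

    def open_escalations(self) -> list[Risk]:
        """Critical items still awaiting immediate action by group/segment leaders."""
        return [r for r in self.risks.values()
                if r.status == "escalated" and not r.bu_confirmed]


def build_sample_repository() -> RiskRepository:
    """Constructed sample findings (not from the deck) to exercise the flow."""
    repo = RiskRepository()
    for r in (
        Risk("R-001", "External audit", "Shared admin password on payment gateway", 5, 4, "Payments"),
        Risk("R-002", "Security", "Unpatched web server in DMZ", 4, 4, "Web Ops"),
        Risk("R-003", "Internal audit", "Stale contractor accounts", 3, 3, "Web Ops"),
        Risk("R-004", "Customer", "Missing TLS on status page", 2, 2, "Web Ops"),
        Risk("R-005", "Other", "Backup tapes stored on site", 4, 3, "Payments"),
    ):
        repo.catalog(r)
    return repo
```

With the sample data, R-001 (score 20) is escalated at catalog time and never enters the weekly queue, R-004 (score 4) is documented as Low without a rank, and the remaining items are force ranked within their own BU. The point worth keeping from the deck is that escalation and ranking are decided by the same captured fields (impact, likelihood, BU ownership), so the repository record is the single source for both the immediate-action list and the weekly prioritized list.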
Risk Reporting Process Flow
- Risk Mgmt Dept: reports actionable data (top risks / metrics) and changes in the status or nature of risk.
- BU Manager and Coordinator: receive top risks / metrics and understand the risk.
- Risk Management Committee: receives top risks / metrics and understands the risk.
- Board: receives top risks / metrics and understands the risk.
Risk Reporting - Risk Management Dept Role
The Risk Management Department's role in the risk reporting process:
1) Briefs the BU to ensure an effective understanding of the impact and likelihood of failures associated with the highest-risk items, along with proposed remediation strategies.
2) Collects the status of BU risk management activity.
3) Briefs the Risk Management Committee regularly to ensure an effective understanding of the impact and likelihood of failures associated with the highest-risk items, along with proposed remediation strategies.
4) Briefs the IFID Board of Directors regularly to ensure an effective understanding of the impact and likelihood of failures associated with the highest-risk items, along with planned remediation strategies.
Risk Reporting - Business Unit Role
The Business Unit's role in the risk reporting process:
1) Obtains an understanding of the impact and likelihood of failures associated with the highest-risk items, along with proposed remediation strategies, for use in BU remediation planning efforts (discussed later).
2) Provides changes in the status or nature of risk to the Risk Management Department.
Risk Reporting - Business Unit Coordinator Defined
Theme: Each business unit that owns risk drives risk management activity as directed by the business unit manager. This is accomplished by a coordinator within the business unit, assigned by business unit management.
Responsibilities:
1) Receives the same risk briefings that are delivered to the business unit manager and to the Risk Management Committee.
2) Reports changes in the status or nature of risk to the Risk Management Department.
3) Provides quarterly plans for remediation of risk, as committed to by the business unit manager.
4) Drives remediation activities as committed to by the business unit manager.
Risk Reporting - Risk Management Committee Role
The Risk Management Committee's role in the risk reporting process:
1) Obtains an understanding of the impact and likelihood of failures associated with the highest-risk items, along with proposed remediation strategies, for use in monitoring and directing BU risk management efforts (discussed later).
Remediation Planning Process Flow
- Risk Mgmt Dept: consults with the BU to ensure impact and likelihood are understood.
- BU Manager and Coordinator: understand the risk and business priorities, balance risk against business priorities, and propose and plan remediation.
- Risk Management Committee: understands the risk and business priorities and approves the plans.
Remediation Planning - Risk Management Dept Role
The Risk Management Department's role in the remediation planning process:
1) Supports the business unit as needed to ensure an effective understanding of the impact and likelihood of failures associated with the highest-risk items, along with proposed remediation strategies.
Remediation Planning - Business Unit Role
The Business Unit's role in the remediation planning process:
1) Balances the potential for loss associated with the highest known risk items against other known business priorities, in an effort to protect against anticipated loss.
2) Develops and proposes a roadmap plan to the Risk Management Committee for approval, using a standard format that clearly reflects intended progress against known risks.
Remediation Planning - Risk Management Committee Role
The Risk Management Committee's role in the remediation planning process:
1) Consults with the Risk Management Dept to ensure an effective understanding of the impact and likelihood of failures associated with the highest-risk items, along with proposed remediation strategies.
2) Balances the potential for loss associated with the highest known risk items against other known business priorities, in an effort to protect against anticipated loss.
3) Reviews and approves proposed roadmap plans that clearly reflect intended progress against known risks.
Risk Acceptance Handling Process Flow
1) BU Representative: develops and delivers a proposal for acceptance of risk.
2) Risk Mgmt Dept: recommends either acceptance or remediation.
3) BU chain of command: approves or rejects the proposal for acceptance.
4) Risk Management Committee: balances risk against business priorities and approves or rejects the proposal for acceptance.
Risk Acceptance - Risk Management Dept Role
The Risk Management Department's role in the risk acceptance process:
1) Reviews the proposal for acceptance of risk as presented by the business unit that owns the risk.
2) Ensures effective representation of the nature of the risk, including the impact and likelihood of related failures.
3) Provides a recommendation for either acceptance or remediation of the risk, for review by the business unit chain of command and by the Risk Management Committee.
4) Supports the Business Unit in escalating through the business unit chain of command and in presenting to the Risk Management Committee.
5) Records and retains the results of decisions made.
Risk Acceptance - Business Unit Role
The Business Unit's role in the risk acceptance process:
1) Develops a proposal for acceptance of risk for review by the Risk Management Department.
2) Escalates the proposal for acceptance of risk, including the recommendation from the Risk Management Department, through the business unit chain of command (using a standard, consistent format).
3) Presents the proposal to the Risk Management Committee (using a standard, consistent format).
Risk Acceptance - Risk Management Committee Role
The Risk Management Committee's role in the risk acceptance process:
1) Reviews the proposal for acceptance of risk as presented by the business unit and the Risk Management Department (using a standard, consistent format).
2) Votes for either acceptance or remediation of the risk.
Documentation
~ Charter ~ Enterprise Risk Management

Enterprise Risk Management Mission Statement
Deliver for our end users secure, always-available service and support in a cost-effective manner that builds confidence.

Responsibility
Responsibilities include, but are not limited to, the following activities:
- Contributing to the strategic direction of offerings to customers
- Defining and publishing security policy requirements
- Implementation and maintenance of the security infrastructure
- Administering access and privilege
- Security oversight of system and application development
- Security testing of the enterprise infrastructure
- Performing vendor and partner security assessments
- Identifying, prioritizing and managing the status of known risk issues

Authority
The Enterprise Risk Management Operations team is authorized to:
- Publish enterprise-level security policy requirements, and enforce them
- Obtain the necessary assistance of personnel from related Business Units
The Risk Management and Security department's authority extends to all risks.
The framework in practice: Documentation
Procedures documentation:
- SOP: Risk Reporting - Risk Management Committee Briefing and Decision Making
- SOP: Division President Briefing and Decision Making
- SOP: Escalation of Issues and Exceptions
- SOP: Business Impact Analysis (BIA)
- SOP: Asset Vulnerability Identification
- SOP: Risk Prioritization, Ranking and Approval
- SOP: Risk Inventory Maintenance
- SOP: Risk Treatment Planning
- SOP: Ongoing Coordination and Status Collection
CobiT Case Study: Questions?