Data Security Risk Assessment
David Fanson, CISA, MBA
Practice Director, Technology Risk
Titus
December 12, 2012
Introductions
• Titus
  – Wisconsin based national consulting firm founded in 2000
  – Risk Management, Finance, Recruiting, and Energy
  – Multi-year winner of Southeastern Wisconsin’s “Future 50”
  – Winner of Inc. Magazine’s List of Fastest Growing companies in the US
  – Independent and employee owned
• David Fanson, CISA, MBA
  – Director of Tech Risk Practice at Titus
  – IT professional for 15 years
  – Specializing in IT Risk management
  – Accenture (Andersen Consulting), PwC, Fortune 500 Telco
  – System Development, Strategic Planning, and Risk Management
Agenda
Data Security Program
Risk Assessment Process Overview
Data Security
Impact and Likelihood
Collaborative Exercise
Parting Thoughts and Discussion
Data Security Program – Key Ingredients
• Data Classification - Management knows what
data they have and has rules for managing it.
• Data Mapping – Management knows where their
data is and how it moves.
• Control Programs – Management has a risk &
control program in place to protect their data.
• Preparedness – Management is prepared for data
breaches with security, legal, and public relations
programs.
Recent Example from NASA
“NASA told its staff this week that a laptop containing sensitive
personal information for a large number of employees and
contractors was stolen two weeks ago from a locked vehicle.
Although the laptop was password protected, the information
had not been encrypted, which could give skilled hackers full
access to the contents.
…And as recently as March, the company reported a breach
that was also caused by a stolen laptop.”
-New York Times, November 14, 2012
Risk Assessment - Objectives
• Help management achieve organization objectives
• Risk management activities should be tied to strategic
objectives
• Risk Assessments are then tied to Risk Management
Objectives
• Focus risk management activities on highest risk
areas.
• Improve the effectiveness of audits
• Audit activity should focus on the highest risk areas in
the organization
Risk Assessment – Key Ingredients
• Risk Universe
• Spectrum of risk areas across an organization,
function, or process
• Example: IT Department risk universe could include:
• Application Management
• Data Management
• Infrastructure
• Resource Management
• The risk profile of each area in the Risk Universe will be
compared to each other, scored, and ranked
Risk Assessment – Key Equation
Impact and Likelihood together determine Risk.
Impact - What happens to your organization in the event
of a risk being realized.
Likelihood - The probability that a risk will be realized.
Risk Assessment – Impact
• Impact Analysis
• Each area in the Risk Universe is evaluated for impact
to the organization should the risk be realized.
• Impact is determined by analyzing different Impact
Factors.
• Types of Impact Factors
  • Strategic Impact
  • Financial Impact
  • Operational Impact
  • Legal
  • Reputation etc.
Risk Assessment – Likelihood
• Likelihood Analysis
  • Each area in the Risk Universe is evaluated for the
    likelihood that the risk will be realized.
  • Likelihood is determined by analyzing different
    likelihood factors.
• Example Likelihood Factors
  • Prior Findings
  • Monitoring
  • Complexity
  • Customization
  • Frequency of Change
Risk Assessment – Scoring/Ranking
Impact and Likelihood determine Risk.

Risk Universe        Impact    Likelihood    Score    Rank
ERP Application      High      High          10       1
Custom App           Medium    High          7        3
Oracle Database      High      Low           5        4
Unix                 High      Medium        8        2
Active Directory     Low       Low           2        5
Data Security Risk Assessment
• Data Security Risk Universe
  • What does the Data Security Risk Universe look like?
Data Security Risk Assessment
• Data Security Risk Universe
• Two Primary Drivers of Data Security Risk
• Type of data
• Which would have a higher impact to an organization if it
gets leaked to the public?
• Earnings
• Organizational Chart
• Location of data
• Which data location is more likely to cause a data leak?
• Earnings data on a database behind firewall
• Earnings data on a flash drive in controller’s
pocket?
Data Security Risk Assessment
• Data Security Risk Universe
• We need to conduct two risk assessments
  1. Data Types
    • What types of data does an organization have?
    • Has the organization classified its data?
    • Is all data equal or is some higher risk than others?
  2. Data Locations
    • Where does data reside in an organization?
    • Does management know where all its data is?
    • Where could data reside in an organization?
Data Type Risk Assessment
• Data Type Risk Universe
• Consider the different types of data in your organization
• Data can be thought of by business process
• Revenue, Payroll, Purchasing, Manufacturing
• Data can be thought of by Structured vs. Unstructured
• Data Type Impact Factors
• What questions can we ask to determine the impact
different data types can have?
• Let’s begin building a Data Type Risk Assessment!
Data Location Risk Assessment
• Data Location Risk Universe
• Consider the different locations data could be in your
organization
• Is data always electronic?
• Does data stay still or is it on the move?
• Data Location Likelihood Factors
• What questions can we ask to determine the likelihood
that a data location could cause a data breach?
• Let’s begin building a Data Location Risk Assessment!
Pulling Type and Location Together
• The Impact of a data security breach is driven by
the type of data it is.
• The Likelihood of a data security breach is
driven by where the data is.
• What insights do we get when we combine the
impact of a type of data with the likelihood of its
location?
• Let’s find out!
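The scoring and ranking slide above shows the result of the key equation applied to an IT risk universe, and this slide asks what happens when the impact of a data type is combined with the likelihood of its location. The following Python program is an added example written for this page, not code from the deck or from Titus. It assumes an ordinal scale (High=3, Medium=2, Low=1), a "worst factor dominates" aggregation of the per-factor ratings, and a multiplicative Impact x Likelihood score; the deck states none of these numerically, so its own 10/8/7/5/2 scores are not reproduced, only the ordering of its sample universe. The data types, locations and their factor ratings are constructed sample data built from the examples the deck names (Earnings, Organizational Chart, a database behind a firewall, a flash drive in a controller's pocket).

```python
"""Scoring and ranking a data security risk universe.

Added example, not code from the original slide deck.  The deck gives the
relationship (Impact and Likelihood determine Risk), the factor lists and a
sample ranked table; the numeric scale, the "worst factor wins" aggregation
and the multiplicative combination below are assumptions for this example.
"""
from itertools import product

# Assumed ordinal scale for a High/Medium/Low rating.
RATING = {"Low": 1, "Medium": 2, "High": 3}
LABEL = {value: name for name, value in RATING.items()}


def aggregate(factors):
    """Collapse per-factor ratings into one High/Medium/Low rating.

    Assumption: the worst factor dominates, so a single High legal exposure
    makes a data type High impact even if every other factor is Low.
    """
    return LABEL[max(RATING[r] for r in factors.values())]


def risk_score(impact, likelihood):
    """Assumed combination: Impact x Likelihood on the 1..3 scale (1..9)."""
    return RATING[impact] * RATING[likelihood]


def rank(scored):
    """Return [(name, score, rank)] sorted highest risk first.

    Equal scores share a rank (competition ranking): two areas the evidence
    cannot separate should not be ordered by accident of input order.
    """
    ordered = sorted(scored, key=lambda item: (-item[1], item[0]))
    return [(name, score, 1 + sum(1 for _, s in scored if s > score))
            for name, score in ordered]


def rank_universe(universe):
    """universe: {name: (impact, likelihood)} with High/Medium/Low values."""
    return rank([(name, risk_score(imp, lik)) for name, (imp, lik) in universe.items()])


def combine(data_types, locations):
    """Pair every data type (impact) with every location (likelihood).

    Impact comes from the data type's impact factors; likelihood comes from
    the location's likelihood factors.  Returns ranked ("type @ location",
    score, rank) tuples, highest risk first.
    """
    scored = []
    for (dtype, impact_factors), (loc, likelihood_factors) in product(
            data_types.items(), locations.items()):
        score = risk_score(aggregate(impact_factors), aggregate(likelihood_factors))
        scored.append((f"{dtype} @ {loc}", score))
    return rank(scored)


# The deck's own sample risk universe (ratings taken from its Scoring/Ranking slide).
DECK_UNIVERSE = {
    "ERP Application": ("High", "High"),
    "Custom App": ("Medium", "High"),
    "Oracle Database": ("High", "Low"),
    "Unix": ("High", "Medium"),
    "Active Directory": ("Low", "Low"),
}

# Constructed data type ratings, one per impact factor named in the deck.
DATA_TYPES = {
    "Earnings": {"Strategic": "High", "Financial": "High", "Operational": "Low",
                 "Legal": "High", "Reputation": "High"},
    "Payroll": {"Strategic": "Low", "Financial": "Medium", "Operational": "Medium",
                "Legal": "High", "Reputation": "Medium"},
    "Organizational Chart": {"Strategic": "Low", "Financial": "Low",
                             "Operational": "Low", "Legal": "Low",
                             "Reputation": "Medium"},
}

# Constructed data location ratings, one per likelihood factor named in the
# deck.  Each factor is rated by how much it raises the chance of a leak, so
# weak monitoring is rated "High".
LOCATIONS = {
    "Database behind firewall": {"Prior Findings": "Low", "Monitoring": "Low",
                                 "Complexity": "Low", "Customization": "Low",
                                 "Frequency of Change": "Low"},
    "Departmental file share": {"Prior Findings": "Medium", "Monitoring": "Medium",
                                "Complexity": "Low", "Customization": "Low",
                                "Frequency of Change": "Medium"},
    "Flash drive in controller's pocket": {"Prior Findings": "High",
                                           "Monitoring": "High", "Complexity": "Low",
                                           "Customization": "Low",
                                           "Frequency of Change": "High"},
}

if __name__ == "__main__":
    print("Deck's sample IT risk universe under the assumed scale:")
    for name, score, r in rank_universe(DECK_UNIVERSE):
        print(f"{r:>2}  {score:>2}  {name}")
    print("\nData type impact combined with data location likelihood:")
    for name, score, r in combine(DATA_TYPES, LOCATIONS):
        print(f"{r:>2}  {score:>2}  {name}")
```

Under this scale the deck's sample universe keeps ERP Application first and Active Directory last, but Unix and Custom App tie at rank 2 where the deck separates them; that is the point of choosing a scale deliberately rather than letting the arithmetic decide. The combined ranking puts Earnings and Payroll on the flash drive at the top and the Organizational Chart in the firewalled database at the bottom, which is the pairing of a high-impact type with a high-likelihood location that the slide asks about.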
Insights From This Exercise
• What insights would a data security manager gain
from a risk ranked list of data types?
• What insights can be drawn from the data location
exercise?
• How can the combining of data type and location
assessment impact an audit plan?
Insights From This Exercise
• Has this exercise addressed our objectives?
• Help management achieve organization objectives
• Focus risk management activities on highest risk areas.
• Improve the effectiveness of audits
• Can this exercise contribute to an organization’s Data
Security Program?
  • Data Classification – Building Data Type Universe
  • Data Mapping – Building Data Location Universe
  • Control Programs – Data Location Risk Assessment
  • Preparedness – Data Type Risk Assessment
In Summary
• An effective data security program must be able to:
1. Identify, classify, and prioritize its data.
2. Map its data to specific locations and quantify the risks associated
with those locations.
3. Build control programs to safeguard its data, wherever it is.
4. Be prepared for a data breach if and when it happens.
• A Data Security Risk Assessment helps by:
  1. Building a data type universe that can be classified and prioritized.
  2. Driving risk management of hardware, devices and networks.
  3. Identifying the high risk areas for control and monitoring programs.
  4. Facilitating the analysis and planning for emergency response.
Questions?
Closing comments
Happy Holidays!
David Fanson, CISA, MBA,
Practice Director, Technology Risk
Titus
608-556-0906
david.fanson@titus-us.com