Chance favors only the prepared mind
1
  • Chance favors only the prepared mind
  • Louis Pasteur

2
Information Risk
Integrating Information Risk, Security and Continuity across the Governance Agenda
Radisson Hotel Vienna, 04 Nov 04
James Royds
3
The Agenda
  • The Context
  • Vulnerabilities and Threats
  • The Corporate and Regulatory Environment
  • Integrated Planning Process
  • Tomorrow Case Study 05 Nov 04

4
Breadth and Scope
This is all about planning ahead!
5
CIR Awards 2004
Awarded for the organization or individual
regarded as (a) most proactively highlighting
and reducing the identified operational risks as
part of a continuity programme. (b) managing
operational risk and continuity management
which crosses international sector boundaries.
Winners of the Cross-border, Cross-sector
Operational Risk Strategy of the Year 2004
6
Information Management
The total of relevant knowledge is often called
intellectual capital. This includes not only
knowledge as a single conception, as an
individual's personal resource, but also the knowledge
of an organization appearing in patents and in
company-specific process models and routines.
Even culture and customer and supplier relationships
belong to intellectual capital.
Source: Based on an idea by Thomas Auer, Sept 2003
7
BCM and ISM
  • Business Continuity Management
    • Formulate Business Continuity Policy
    • Allocate roles and responsibilities
    • Educate & train all members of staff
    • Report all incidents
    • Implement Incident Management Team
    • Develop & exercise contingency plans
    • Safeguard intellectual property
    • Store organizational records off site
    • Comply with all regulatory requirements
    • Comply with your BCM plans
  • Information Security Management
    • Formulate Information Security Policy
    • Allocate roles and responsibilities
    • Educate & train all members of staff
    • Report all security breaches
    • Implement virus & access controls
    • Develop & exercise contingency plans
    • Safeguard proprietary software
    • Store information records off site
    • Comply with all regulatory requirements
    • Comply with your ISM plans

8
Is there a need to integrate?
Business interruption is costly whether
you comply or not, and it affects...
  • Budgets
  • Cash flow
  • Stakeholder confidence
  • Productivity
  • Morale
  • Financial credibility
  • Reputation
  • Assets (especially information)

9
Incident Management
10
Business Information
  • "Some day on the corporate balance sheet, there
    will be an entry which reads 'Information', for in
    most cases the information is more valuable than
    the hardware which possesses it."
  • Admiral Grace Murray Hopper, United States Navy.

11
Intellectual Capital
  • An intangible asset, usually not included on
    an organization's balance sheet, that is
    approximately equal in value to the difference
    between the market capitalization of the company
    and its tangible (or net asset or book) value.

Source: IT Governance Ltd (2003), Board Briefing
on IT Governance, UK
12
Why now?
  • Impact of global connectivity
  • The expanding threat spectrum and rising cost of
    mitigation
  • Technical and information dependency
  • The marketplace (our customers) expecting high
    standards against which compliance and
    performance can be judged
  • Regulation / legislation seeping across
    industries and international boundaries quickly
    becoming best practice, which is permeating the
    audit / compliance culture

13
For example
Regulation of Investigatory Powers Act
Information Assurance Corporate Governance
Interception of Communications Act
Children and Young Persons Act
SEC Rule 17a-4
ISO 17799
SEI-CMM
95/46/EC
KonTraG
COBIT
Basel II
18 USC 2701
KYC
Combined Code
FFIEC
99/93/EC
HIPAA
NIIPA
FISMA
BDSG
USA PATRIOT Act
ISF
Sarbanes Oxley
GASSP
PAPAA
SAS70
02/58/EC
SB1386
PAS56
OFR
CRAMM
FDA 21 CFR Part 11
King II
NPP
PIPEDA
FRAP
24 hour Manifest Rule
FERC
CC / EAL
Safe Harbor
ITIL
Encryption Laws
Data Protection Act
etc etc!!
Customs Trade Partnership Against Terrorism
FSA
GLBA
Source: Brian Prangle, SCC Security Solutions
14
Exam Question
  • Governance and Compliance is all well and good
    but what happens when controls fail?

15
Drivers
  • Governance: proliferation of standards,
    regulations and legislation
  • Increased awareness of, and focus on, Information
    Security
  • Business partners and stakeholders demanding
    security
  • Threat of legal liability / action
  • Better value: ISM + BCP, 2 for the price of one

Source: Based on an idea by Brian Prangle, SCC
Security Solutions
16
But...
  • There is no such thing as perfect security
  • There is a balance between convenience and risk
  • Security is often thought of as inconvenient
  • Security gets in the way of business objectives
  • Not appreciated / not noticed when it works
  • Temptation to cover up security breaches to
    protect reputation / share price / brand value

Source: Brian Prangle, SCC Security Solutions
17
Global Security Statistics
Source: KPMG Global Information Security Survey
2002
18
Context
The loss, denial or unavailability for more
than a few hours of any critical information,
organisational process, capability or service
function can have a significant impact on
your organisation, possibly threatening its
very survival.
Question: Is this the right context?
19
The Growing Problem
20
Risk Perception
21
Boards and Risk
  • Since profits are, in part, the reward for
    successful risk-taking the purpose of internal
    control (aka Governance) is to help manage and
    control risk appropriately rather than to
    eliminate it.
  • Turnbull Report 1999

22
Boards: what they must do
  • Your board must ensure that your system of
    internal controls is effective in managing risks
    in the manner which it has approved.
  • Turnbull 1999
  • Your board's role is to provide entrepreneurial
    leadership of your company within a framework of
    prudent and effective controls which enable risk
    to be assessed and managed.
  • Higgs 2003

23
How business responds
24
Corporate interest in ISM
25
Risk Management
[Diagram: risk relationship model. Owners value Assets and wish to minimise Risk; they impose Controls, which reduce Risk but may possess Vulnerabilities; Threat Agents, with Access to Assets and an Intention to Abuse/Damage them, give rise to Threats; Threats exploit Vulnerabilities and increase Risk. Further relationship labels in the diagram: Manage, Identify, Linked. Source: BSI]
26
Risk in Context
Corporate Effects or Consequences:
  • Premises Denial
  • Power Loss
  • Communications / Networks Loss
  • ICT Systems Loss
  • Digital Records Loss
  • Information Loss
  • Unavailability of Key Staff
  • Supply Chain Failures
  • The Pace of Change
  • Corporate Reputation
  • etc

Risk = Vulnerability × Threat × Asset Value
27
Conventional Terrorism
Massive loss of information
28
Digital Terrorism
  1. Access target
  2. Obtain root privilege on target
  3. Subvert target for later reuse
Target can now be used as an intermediate link.
Massive loss of Data
Q: Is this the right context?
29
Hack Sophistication vs. Intruder Technical
Knowledge
Source: CERT, Carnegie Mellon
30
Why is digital context important?
  • 4bn: what the MyDoom computer virus is
    estimated to have cost the UK in 2004.
    Source: Money Week, 6 Feb 2004.
  • Viruses cause the most damage, YET the vast
    majority of organizations have the best
    anti-virus software money can buy.
  • While most businesses restore normal operations
    within one day, 20% of large organizations take
    more than a week to recover.

Download the full 2002 report from...
www.security-survey.gov.uk
31
The Effects
The attacks on the Twin Towers in New York
demonstrate the full capability of an asymmetric
attack, by which adversaries
use unconventional methods to cause
disproportionate effects.
A computer virus is the payload equivalent of
the attacks on the Twin Towers, whereby an
irresponsible virus writer causes
disproportionate effects with far-reaching
consequences for your business information,
network and computer system security.
32
What's happening
  • Threats on the increase
    • Viruses, hackers, fraud and espionage
  • Exposure / dependency on the increase
    • IT, networks, communications, technology
      enablers, less central control, new entry points
      for intruders
  • Expectations on the increase
    • Stakeholders, managers, business partners,
      auditors and regulators all demanding more
      protective measures

33
Key deliverable
Business Continuity Management (BCM) and
Information Security Management (ISM) are the
organisational means by which an integrated strategy
is designed, developed, implemented and
maintained, to ensure that organisations are
capable of planning for, responding to, coping
with, and recovering from, major disruptions to
normal operations from events across the
spectrum.
34
Principles of Integrated Planning
(Information Security, Disaster Recovery, Business Continuity, Incident Management)
  • Asset Dispersion
  • Focus on Critical Capabilities
  • Interoperability
  • Teamwork & Mutual Support
  • Training and rehearsals
  • Iterative planning process driven by risk and
    threat assessment
  • Flexible response
  • Situational awareness

35
Process Components
[Diagram: Analysis (Business Impact, Risk & Threat Assessment, Dependencies etc) feeds Decision Support Material ("The Essence?"), which feeds Strategic Options: what you must do, what you should do, what you might do.]
36
Focus on Information because...
  • Your information is unique to you.
  • It is your organizational DNA, your footprint.
  • In times of crisis, your people, process,
    product, price and promotion (P5) are all
    replaceable; information is often not.
  • Information value provides the justification for
    integrated planning, while information is the key
    to decision making.

37
Focus on Information because...
  • Without information there is no power to decide.
  • Without decisions there is no mandate to act.
  • Without action there is no future.

38
Integrated Planning
[Diagram: Business Continuity and Information Security Planning produce Decision Support Material ("The Essence?") for long-term decisions; Incident Management supports rapid decisions / decision making; both sit within Information Assurance and Corporate Governance.]
39
The Information Landscape
  • By effectively navigating this new
    (information) landscape, the potential to revise
    and realise new corporate visions and achieve new
    levels of corporate excellence abounds.
  • Forward-thinking executives will endeavour to
    harness the mandated changes to drive better
    business performance.
  • Source: Deloitte & Touche

41
Thank you for listening.