Gartner Risk Management and Compliance Summit


This year's Gartner Risk Management and Compliance Summit track on IT Security stresses the importance of Information Security's ability to relate information security risks to business risk: how does the risk impact the business? The aim is to align your information security management program so that it gives the Lines of Business information about the risks to the IT processes that are critical to business success. Understanding the roles and responsibilities in each process is critical for success. You need to keep the awareness and expression of risk and compliance to executive management, line of business managers, and end users consistent and simple. Jay Heiser's session on "Ending the Culture Wars" calls for the "Criticality" scale to be simply High, Medium or Low: "Enable the business to understand its own risk, and to accept its own risk."

According to ISACA the Final Acceptance of Residual Risk takes into account the following:

1. Organizational Policy (appetite for risk)
2. Risk Identification and Measurement
3. Uncertainty incorporated in the risk assessment approach
4. Cost and Effectiveness of the Implementation

Understanding the trust relationships and business processes between Business Units helps determine whether the Residual Risk accepted by one organization would have a business impact on another organization.

Paul Proctor's session, "Five Practical Tips to Link IT Risk Management and Compliance to Corporate Performance", outlines how to relate your operational risk to executive management by aligning your goals to corporate initiatives. Do not use operational language (for example, "MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644)"); instead, use Maturity Model scale levels 1 to 5 to display the status of the Current State, Planned State and Desired State, and to develop project plans from the gap between them.

Mark Nicolett's session, "Applying Monitoring, Assessment and Operations Technologies to Reduce Risk and Improve Compliance", discusses integrating the workflows of the SOC (Security Operation Center) and the NOC (Network Operation Center). This allows IT Operations to support 24/7 monitoring, with security specialists providing 2nd level support. There are some issues, though, as Mark points out, around Privileged User Monitoring and Security Incident Management. Mark outlines the broad scope of SIEM (user access monitoring, real-time event aggregation, correlation, alerts, reporting and historical analysis):

1. To monitor external threats.
2. To monitor the activities of privileged users.
3. To monitor server and database resource access (NDAM and ADAM).
4. To monitor the activity of a user across multiple systems.

The items above cover only a fraction of the sessions available at the IT Risk Summit. Information Security Risk is just one of the Summit's tracks, and I covered a small section of that. Next year's Risk and Compliance Summit will be held in Washington D.C.

I recommend reading "IT Risk: Turning Business Threats into Competitive Advantage" by George Westerman and Richard Hunter, and also "Implementing IT Governance using COBIT and Val IT", a course offered by ISACA.


netForensics SIEM and RISK Management

nFX SIM One version 4.1 introduces CMDB integration into its SIEM Business Topology Framework.

Assets can be imported by their CMDB domain together with their associated asset attributes, including quantitative or qualitative asset valuation. The CMDB (Configuration Management Database) is a fundamental component of the ITIL framework's Configuration Management process.

nFX SIM One assets are grouped by Customers, Business Units and Asset Groups. This allows the SIM One information security management framework to match the business organizational structure or Mission Area Types, providing a consistent view of the organization to ITIL Operations as well as to SOC and NOC Operations.

Vulnerability Assessment Scans of the corresponding assets are automatically linked to the CMDB-defined assets. Both CMDB integration and Vulnerability Assessment Scan integration can be defined as automated or manual processes.

nFX SIM One reports on synchronization differences between the last and the current CMDB state of its asset information, and also reports on assets that are defined in nFX SIM One but not seen in the CMDB. Because assets can be automatically created and assigned value from Vulnerability Assessment Scans, the assessment scanners may detect assets that are not defined in the CMDB.

Through the nFX HP OVO Connector, HP UCMDB asset valuation modifications and other attribute changes are sent to HP OVO as an alarm that the asset valuation has changed for this particular asset.

This allows information security to view which controls are protecting critical business processes, and to view the effectiveness and efficiency of the controls in place.

nFX SIM One's Vulnerability Correlation Engine correlates the threat criticality, the vulnerability criticality and the asset's criticality to the business in real time, and can notify ITIL operations, the NOC and the SOC when an attack matches a specific vulnerability on the targeted asset.
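The CMDB synchronization reports and the vulnerability-aware correlation described above, as an added Python sketch that is not netForensics code and makes no claim about how nFX SIM One implements them. It assumes a CMDB export of (host, business unit, criticality) rows, scan findings of (host, vulnerability id) pairs, and attack events tagged with the vulnerability they exploit; the hostnames, business units, vulnerability ids and the escalation threshold of 12 are all constructed for the example.

```python
"""Vulnerability-aware correlation over CMDB-sourced assets.

Added illustration, not netForensics code: a toy model of the workflow the
post describes. Asset records arrive from a CMDB export, vulnerability scan
findings are linked to those assets, the CMDB states and the scan inventory
are reconciled, and an incoming attack event is escalated only when it
targets a vulnerability the asset is actually exposed to. All hostnames,
business units and vulnerability ids below are constructed sample data.
"""
from dataclasses import dataclass, field

# Criticality scale kept to High/Medium/Low (the scale Heiser's session
# recommends) and mapped to numeric weights for scoring.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    host: str
    business_unit: str
    criticality: str                         # CMDB asset valuation: low/medium/high
    vulns: set = field(default_factory=set)  # vuln ids linked from scan findings


def load_cmdb(rows):
    """Build the asset inventory from CMDB rows of (host, business_unit, criticality)."""
    return {host: Asset(host, unit, crit) for host, unit, crit in rows}


def reconcile_cmdb(previous, current):
    """Synchronization differences between the last and the current CMDB state."""
    prev_hosts, cur_hosts = set(previous), set(current)
    return {
        "added": sorted(cur_hosts - prev_hosts),
        "removed": sorted(prev_hosts - cur_hosts),
        "revalued": sorted(h for h in prev_hosts & cur_hosts
                           if previous[h].criticality != current[h].criticality),
    }


def link_scan_findings(assets, findings):
    """Attach scan findings (host, vuln_id) to CMDB assets.

    Returns the hosts the scanner saw that the CMDB does not define, i.e. the
    'detected by the scanner but not in CMDB' report.
    """
    unknown = set()
    for host, vuln_id in findings:
        if host in assets:
            assets[host].vulns.add(vuln_id)
        else:
            unknown.add(host)
    return sorted(unknown)


def correlate(assets, event):
    """Score one attack event against the asset it targets.

    event = {"target": host, "vuln_id": id, "threat": sev, "vuln_severity": sev}
    The score is threat x vulnerability x asset criticality (1..27). An attack
    against a vulnerability the asset does not have is recorded but not escalated.
    """
    asset = assets.get(event["target"])
    if asset is None:
        return {"action": "triage_unknown_asset", "score": 0}
    if event["vuln_id"] not in asset.vulns:
        return {"action": "log_only", "score": 0, "reason": "asset not exposed"}
    score = (LEVEL[event["threat"]] * LEVEL[event["vuln_severity"]]
             * LEVEL[asset.criticality])
    # Constructed threshold: anything scoring 12 or more pages the SOC and NOC.
    action = "notify_soc_noc" if score >= 12 else "queue_for_analyst"
    return {"action": action, "score": score, "business_unit": asset.business_unit}


def run_demo():
    """Constructed end-to-end run; returns the reports so they can be checked."""
    previous = load_cmdb([("erp-db01", "finance", "high"),
                          ("web-01", "marketing", "medium"),
                          ("legacy-fs", "hr", "low")])
    current = load_cmdb([("erp-db01", "finance", "high"),
                         ("web-01", "marketing", "high"),
                         ("build-07", "engineering", "low")])
    drift = reconcile_cmdb(previous, current)

    findings = [("erp-db01", "VULN-0001"), ("web-01", "VULN-0002"),
                ("print-02", "VULN-0003")]           # print-02 is not in the CMDB
    unknown_hosts = link_scan_findings(current, findings)

    events = [
        {"target": "erp-db01", "vuln_id": "VULN-0001", "threat": "high", "vuln_severity": "high"},
        {"target": "erp-db01", "vuln_id": "VULN-0002", "threat": "high", "vuln_severity": "high"},
        {"target": "web-01", "vuln_id": "VULN-0002", "threat": "medium", "vuln_severity": "low"},
        {"target": "print-02", "vuln_id": "VULN-0003", "threat": "high", "vuln_severity": "high"},
    ]
    return drift, unknown_hosts, [correlate(current, e) for e in events]


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

The second event is the case the post's correlation engine is meant to suppress: a high-severity attack aimed at a vulnerability the finance database does not carry, which stays a log entry rather than a SOC page. The fourth shows why the "seen by scanner, not in CMDB" report matters: an event against an unvalued host cannot be scored at all until someone assigns it a business unit and a criticality.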

nFX SIM One's Rules Based Correlation Engine allows information security to build custom rules that help identify trust relationship issues between service providers, business partners, business units, asset groups, assets, applications or users, and that identify when threats are moving through the layered controls toward critical business assets with a severe business impact.

nFX SIM One provides integration with Network and IT Operations Center monitoring systems; selected events or incidents can be sent to end users for notification and analysis, and help desk ticket integration is provided with the major help desk vendors.

To provide segregation and integrity of incident management, nFX SIM One provides its own built-in Incident Management Resolution application, where security analysts can work on investigations without other operational users having access to that information. nFX SIM One also allows its incident management system to have two-way integration with OVO, letting operations staff and IT management know what state an incident is in and to whom it is assigned, at the request of the analyst or incident manager working on the incident at the time.

nFX SIM One gives the CIO, Risk Management and the CISO the ability to jumpstart their information security program, reduce risks and improve compliance.

NIST FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact or high-impact for each of the security objectives of confidentiality, integrity and availability. NIST SP 800-60 Volumes 1 and 2 provide the guidelines for the classification of Mission Area types.

© 2010 netForensics, Inc