Gestión de riesgos. Concepto de Riesgo. Gestión de riesgos en las TIC. Os presentáis a un examen sin estudiar?!

Transcripción

1 Gestión de riesgos Os presentáis a un examen sin estudiar?! Vais con la bicicleta por el carril bici o por la carretera?! Compráis una máquina Dell o IBM?! Desarrolláis una aplicación en Java o Python?! Grado de Ingeniería Informática, Universitat de les Illes Balears Subcontratáis a otra empresa! Gestión de riesgos en las TIC isaac.lera@uib.es!!! Marco de la gestión Risk is something we need to manage Gestión de riesgos Concepto de Riesgo Ha de dar soporte a :! Planificación! Aprovisionamiento! Instalación! Operación! Mantenimiento! Administración SEGURIDAD RIESGO INFORMACIÓN CONTROL DE COSTES Definimos el riesgo como la probabilidad de realización de una consecuencia no deseada que conduce a un resultado no deseado como la pérdida, daños, lesiones o oportunidades perdidas.! el riesgo viene de no saber lo que está haciendo. Warren Buffet! Threat : Lower Probability Event! Risk : High Probability Event 3 4

2 Enterprise Risk Management ERM is the process for effective identification, assessment, and management of all significant risks to an entity. This includes not only the traditional areas of financial and hazard risk, but also larger operational and strategic risks. ERM refers to the people, tools, systems, and structures that are part of a broader framework of Governance, Risk, and Compliance.! Buenas prácticas:! COSO (Committee of Sponsoring Organization of the Treadway Commission) ISO Risk Management: Using ISO can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment. Apple Enterprise Risk Factors: 10-K Report!! Global economic conditions could materially adversely affect the company.!!! Global markets for the company s products and services are highly competitive and subject to rapid technological change, and the company may be unable to compete effectively in these markets.!! To remain competitive and stimulate customer demand, the company must successfully manage frequent product introductions and transitions.!! The company faces substantial inventory and other asset risk in addition to purchase commitment cancellation risk.!! Future operating results depend upon the company s ability to obtain components in sufficient quantities.!! The company depends on component and product manufacturing and logistical services provided by outsourcing partners, many of whom are located outside of the United States.!! The company relies on third-party intellectual property and digital content, which may not be available to the company on commercially reasonable terms or at all.!!! Thecompanyisfrequentlyinvolvedinintellectualpropertylitigationandcouldbe found to have infringed on intellectual property rights. 5 Apple Enterprise Risk Factors: 10-K Report!! The company s success depends largely on the continued service and availability of key personnel.!!! The company s business may be impacted by political events, war, terrorism, public health issues, natural disasters, and other circumstances.!!! The company s business and reputation may be impacted by information system failures or network disruptions.!!! The company may be subject to breaches of its information technology which could damage business partner and customer relationships, curtail or otherwise adversely impact access to online stores and services, and could subject the company to significant reputational, financial, legal, and operational consequences.! Google RISKs 10K New technologies could block our ads, which would harm our business.! If we were to lose the services of Larry, Sergey, Eric, or other members of our senior management team, we may not be able to execute our business strategy.! We rely on highly skilled personnel and, if we are unable to retain or motivate key personnel, hire qualified personnel, or maintain our corporate culture, we may not be able to grow effectively.! Interruption or failure of our information technology and communications systems could hurt our ability to effectively provide our products and services, which could damage our reputation and harm our operating results.! The availability of our products and services depends on the continuing operation of our information technology and communications systems. Our systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems. Some of our data centers are located in areas with a high risk of major earthquakes. Our data centers are also subject to break-ins, sabotage, and intentional acts

3 10K FORM Conceptos 10K FORM - APPLE filingid= &cik=#d783162d10k_htm_toc783162_2 10K FORM - Google Risk Event. Es la realización del riesgo. No tan solo son discretos o ocurrencias temporales, sino también, son continuos cuando afectan al rendimiento de la operación. ejemplos? 10 Conceptos: threat vectors Actividad It describes where a threat originates and the path it takes to reach a target.! Un listado de vectores de amenazas! dentro del CTI IT-equipament 11 12

4 Conceptos Actividad Risk Exposure and Vulnerability. La cantidad medible de potencial perdido como resultado a un evento de riesgo.! La vulnerabilidad no es posible de cuantificar Un riesgo es que un trabajador se vaya de la empresa.! Se os ocurre alguna manera de medir el impacto sobre la empresa de dicho evento ejemplos? Conceptos Conceptos Risk Resilience se refiere a la capacidad de recuperarse o adaptarse a la desgracia o el cambio Risk Appetite refleja el grado de riesgo de que una organización o individuo está dispuesto a aceptar o tomar en la búsqueda de sus objetivos.! Risk averse - Ningún riesgo ejemplos? ejemplos de empresas? 15 16

5 Conceptos Conceptos Risk Analysis es el proceso de evaluar cualitativa y cuantitativamente los riesgos potenciales dentro de un sistema.! Contempla: la identificación de riesgos y la evaluación o de estos eventos, como mínimo, en dos dimensiones. Estas dimensiones incluyen la probabilidad de ocurrencia de un riesgo y el impacto en caso de materializarse el riesgo de convertirse en un evento de riesgo. Risk Response Plan, es una extensión lógica de un análisis de riesgo. El plan de riesgos es un documento que define los riesgos conocidos e incluye descripciones, causas, probabilidades o probabilidad de ocurrencia de riesgos, los costes y las respuestas de gestión de riesgos propuestas Conceptos Risk Compliance incluye las actividades internas adoptadas para cumplir con las normas y reglamentos necesarios o impuestos, ya sean gubernamentales, de una industria específica, o impuestos internamente.! Las empresas siempre han tenido requisitos de cumplimiento relacionados con la información financiera, el cumplimiento ambiental, y otras áreas.! Se logra a través de los procesos de gestión donde (1) se identifican las leyes, reglamentos, contratos, estrategias y políticas; (2) se evalúan el estado actual de cumplimiento; (3) se evalúan los riesgos y los costes potenciales de incumplimiento en contra de los gastos proyectados para lograr el cumplimiento; y (4) priorizar, financiar y poner en marcha las medidas correctoras que se consideren necesarias. El tanque del Ford Pinto, explotaba con ciertas colisiones traseras, con graves resultados de muerte. Ford conocía los riesgos durante la reproducción y continuo con la comercialización. Fue una decisión de negocios: resulta más barato pagar demandas que hacer la reparación. Deshumanizar el riesgo 19

6 Tipos de riesgos Ejemplos de riesgos según tipos de riesgos Strategic Risk aquellos riesgos que impiden la consecución de la estrategia empresarial, de objetivos y efectos sobre la marca! Hazard Risk, interrupciones aleatorias por causas naturales o humanas.! Financial Risk, internas o externas dificultades económicas! Operational Risk, riesgos que interrumpen la operación Strategic Risk aquellos riesgos que impiden la consecución de la estrategia empresarial, de objetivos y efectos sobre la marca! Hazard Risk, interrupciones aleatorias por causas naturales o humanas.! Financial Risk, internas o externas dificultades económicas! Operational Risk, riesgos que interrumpen la operación Riesgos sobre las TIC? Tipos de riesgos Ejemplos de tipos de riesgos Operational Risk, riesgos que interrumpen la operación! Demand Risk! Customer Risk! Product Risk. Poor product portfolio management! Logistics Risk! Process Risk! Known Risks: medibles y planificables : IT failures,! Unknown Risks! Chronic Risks Operational Risk, riesgos que interrumpen la operación! Demand Risk! Customer Risk! Product Risk. Poor product portfolio management! Logistics Risk! Process Risk! Known Risks: medibles y planificables : IT failures,! Unknown Risks! Chronic Risks 23 24

7 Buenas prácticas en la gestión de IT Risk ISO 31000:2009! ISO/IEC 27005:2011! NIST Special Publication (USA)! AS/NSZ 4360 (Australia)!! ISACA: The IT risk Framework (2009) 25 ISO ISO Risk management create and protects value. Contribución cuantificable en la consecución de objetivos y mejora del rendimiento.! ISO Risk management - Principles and guidelines provides a framework and a generic process to manage risk in all part of any type of organisation.! Define 11 principios que deberían considerarse. 2. Risk management is an integral part of all organisational processes. Forma parte de las actividades de gestión en los procesos organizacionales, incluyendo la estrategia de planificación y la gestión de cambios.! 3. Risk management is part of decision making. Ayuda a la toma de decisiones respecto a alternativas y prioriza acciones! 4. Risk management explicitly addresses uncertainty. Tiene en cuenta la incertidumbre y como ha de enfocarse.! 5. Risk management is systematic, structured and timely. Contribuye a una consistente y eficiente comparación y confianza de resultados! 6. Risk management is based on the best available information. (historical data, experience, stakeholder feedback, observation, forecasts and expert judgement) 27 28

8 ISO Risk Management is tailored.! 8. Risk Management takes human and cultural factors into account.! 9. Risk management is transparent and inclusive! 10. Risk management is dynamic, iterative and responsive to change! 11. Risk management facilitates continual improvement of the organisation. 29 ISO/IEC 27005:2011 ISO/IEC 27005:2011 provides an iterative process for risk management which advances to be the framework for several methodologies in the domain of risk management.! Proceso > 32

9 Context Establishment Risk Assessment I La propuesta de gestión de riesgo, los criterios de evaluación, el impacto y su aceptación! Definición de los ámbitos y límites en la gestión del riesgo! Definición de la organización y responsabilidades del gestor de riesgos Identificación del riesgo y posibles fuentes de perdida! Los bienes definidos en el ámbito! Las amenazas y sus fuentes! Controles actuales y planificados! Vulnerabilidades que pueden ser explotadas por amenazas con impacto negativo sobre los bienes y la organización! Las consecuencias respecto a la integridad, disponibilidad y confidencialidad sobre los bienes! El proceso de negocio Risk Assessment II El análisis y estimación del riesgo:! Escala de la medición: cualitativa, cuantitativa, o ambas.! Evaluación de las consecuencias: confidencialidad, integridad y disponibilidad! Evaluación de la probabilidad de ocurrencia! Determinación del nivel de riesgos para todos los escenarios relevantes. 35

10 Risk Treatment Cuatro grandes opciones:! Risk modification: el riesgo residual sea aceptable! Risk retention: aceptando el riesgo sin más! Risk avoidance: abandonando la actividad donde está presente el riesgo! Risk sharing: compartir el riesgo con terceros (aseguradores, subcontratación, ) 37 ISACA Risk IT Framework The Risk IT framework is based on the principles of enterprise risk management (ERM) standards/frameworks such as COSO ERM2 and ISO and provides insight on how to apply this guidance to IT.! It is dedicated to helping enterprises manage IT-related risk! It complements ISACA s COBIT, which provides a comprehensive framework for the control and governance of businessdriven information-technology-based (ITbased) solutions and services. (Information Systems Audit and Control Association)! Benefits Applying good IT risk management practices will provide tangible business benefits, e.g., fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and innovative applications supporting new business initiatives

11 Risk IT Principles Risk Hierarchy Principios a tener en cuenta durante la gestión de riesgos The Risk IT framework explains IT risk and enables users to:! Integrate the management of IT risk into the overall ERM of the enterprise: risk-returnaware decisions! Make well-informed decisions about the extent of the risk, and the risk appetite and the risk tolerance of the enterprise! Understand how to respond to the risk Categories IT benefit/value enablement risk: associated with (missed) opportunities to use technology to improve efficiency of effectiveness of risk business processes, or as an enabler for new business initiatives Categories IT programme and project delivery risk: associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes

12 Categories Process model of each domain IT operations and service delivery risk: associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise.! Risk Governance (RG):! RG1 Establish and maintain a common risk view! RG2 Integrate with ERM! RG3 Make risk-aware business decisions! Risk Evaluation (RE):! RE1 Collect data! RE2 Analyse risk! RE3 Maintain risk profile! Risk Response (RR):! RR1 Articulate risk! RR2 Manage risk! IT risk always exists, whether or not it is detected or recognised by an enterprise.! RR3 React to events Essentials of Risk Governance Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk.! Risk appetite is the amount of risk an entity is prepared to accept when trying to achieve its objectives. Two major factors are important:! Risk Maps: The enterprise s objective capacity to absorb loss, e.g., financial loss, reputation damage! The (management) culture or predisposition towards risk taking cautious or aggressive. Ryanair +Ejemplos 47

13 Ejemplos Essentials of Risk Governance Risk tolerance is the tolerable deviation from the level set by the risk appetite and business objectives, e.g., standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.! Actividad De 0 a 5 vuestro número de asignaturas a aprobar? De 0 a 5 el número de HD dañados? Responsibility belongs to those who must ensure that the activities are completed successfully.! Risk awareness is about acknowledging that risk is an integral part of the business.! Risk communication is a key part in this process; it refers to the idea that people are naturally uncomfortable talking about risk. Risk Communication Risk Culture Information on expectations from risk management: risk strategy, policies, procedures, awareness training, continuous reinforcement of principles, etc.! Information on current risk management capability.! Information on the actual status with regard to IT risk. It includes information such as:! Risk profile of the enterprise.! Event/loss data! Root cause of loss events! Options to mitigate (cost and benefits) risks Behaviour towards taking risk - How much risk does the enterprise feel it can absorb and which risks is it willing to take?! Behaviour towards following policy: To what extent will people embrace and/or comply with policy?! Behaviour towards negative outcomes: how does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause? 51 52

14 Casos Risk Culture Un estudio de CISCO encontró que el 61% de empleados no se hacían responsables de proteger la información y dispositivos. Un 70% ignora las políticas de IT! Los dispositivos de la empresa sufren un mayor número de daños. Como no es mío, no importa! Ejemplos Ejemplos Risk Appetite:! Management of a financial service firm has determined that the main processing platform and applications cannot be unavailable for any period longer than two hours and the system should be able to process yearly transaction growth of 15 percent without performance impact.! IT management needs to translate this into specific availability and redundancy requirements for the servers and other infrastructure on which the applications are running. In turn, this leads to:! Detailed technical capacity requirements and forecast requirements! Specific IT procedures for performance monitoring and capacity planning Risk Tolerance:! Risk tolerance is the tolerable deviation from the level set by the risk appetite and business objectives. Examples include:! Standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.! Service levels for system uptime require 99.5 percent availability on a monthly basis; however, isolated cases of 99.4 percent will be tolerated.! The enterprise is very security risk-averse and does not want to accept any external intrusions; however, single isolated intrusions with limited damage can be tolerated.! 55 56

15 Actividad Grupal Process model of each domain Grupos de 4:! 2 Gestionan y 2 Administran!! Risk Governance (RG):! RG1 Establish and maintain a common risk view! Una propuesta de gestión sobre la aceptación (tolerancia / apetito) de un riesgo IT dentro de la empresa?! RG2 Integrate with ERM! RG3 Make risk-aware business decisions! Una propuesta de administración de como dar solución a esa gestión?! Metodología: Debate rápido Risk Evaluation (RE):! RE1 Collect data! RE2 Analyse risk! Ejemplo Gestión: No es tolerable que un sistema IT permanezca sin servicio en días festivos! Administración: Guardias - Monitorización - Disponibilidad - RE3 Maintain risk profile! Risk Response (RR):! RR1 Articulate risk! RR2 Manage risk! RR3 React to events Essentials of Risk Evaluation Methods Describing business impact:! An IT person should understand how IT-related failures or events can impact enterprise objectives and cause direct or indirect loss to the enterprise! A business person should understand how-it related failures or events can affect key services and processes.!! How to express IT risk in business terms? Methods 59

16 Methods Ejemplos: Alineamiento entre Objetivos e Impacto y su importancia dentro del método elegido : Risk Scenarios IT Risk Scenario Development One of the challenges for IT risk management is to identify the important and relevant risks amongst all that can possibly go wrong with IT or in relation to IT, given the pervasive presence of IT and the business s dependence on it.! 63

17 IT Risk Scenario Components Ejemplos Ejemplos Actividad Escenarios:! 1. Destrucción de la infraestructura! 2. Database integrity! 3. Operational IT errors 68

18 IT Risk Scenario Development Risk factors Risk factors are those factors that influence the frequency and/or business impact of risk scenarios; they can be of different natures, and can be classified in two major categories:! Environmental factors - degree of control that an enterprise has over them:! Internal: strategic importance of IT, complexity of IT, complexity of the entity, degree of change, risk management philosophy, risk appetite, operating model! External : market, rate of change, competition, geopolitical situation, regulatory environment, technology status and evolution! Capabilities: how good the enterprise is in a number of IT-related activities? 70 Ejemplos IT Risk Scenario Development

19 Impact Risk Impact Key Risk indicators (KRIs) are metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.! Criteria to select KRIs include:! Impact - Indicators for risks with high business impact are more likely to be KRIs! Effort to implement, measure and report! Reliability - The indicator must possess a high correlation with the risk and be a good predictor or outcome measure! Sensitivity - The indicator must be representative for risk and capable of accurately indicating variances in the risk Impact of Asset Loss Probability of Threat Vulnerability Exposure = Total Risk Points! Scale of 1 to 5! e.g., Microprocessor design, might warrant a rating of 5! Ejemplos Customer Relationship Office Director del IT departamento Process model of each domain! Risk Governance (RG):! RG1 Establish and maintain a common risk view! RG2 Integrate with ERM! RG3 Make risk-aware business decisions! Risk Evaluation (RE):! RE1 Collect data! RE2 Analyse risk! RE3 Maintain risk profile! Risk Response (RR):! RR1 Articulate risk! RR2 Manage risk! RR3 React to events 75 76

20 Risk Response Selection and Prioritisation Risk Response Parameters to be taken into account:! Cost of the response, e.g., in the case of risk transfer, the cost of the insurance premium; in the case of risk mitigation, the cost (capital expenses, salaries, consulting) to implement control measures! Importance of the risk addressed by the response, i.e., its position on the risk map (wich relefects combined frequency and magnitude levels)! The enterprise s capability to implement the response. When the enterprise is mature in its risk management processes, more sophisticated responses can be implemented; when the enterprise is rather immature, some very basic responses may be better.! Effectiveness of the response, i.e., the extent to which the response will reduce the frequency and impact of the risk! Efficiency of the response, i.e., the relative benefits promised by the response Ejemplos Ejemplos Risk Avoidance:! Relocating a data centre away from a region with significant natural hazards! Declining to engage in a very large project when the business case shows a notable risk of failure! Deciding not to use a certain technology or software package because it would prevent future expansion Risk Reduction - with controls:! Data centre operation control: setups and scheduling, operator actions, and data backup and recovery procedures,! Access security controls: controls that prevent inappropriate and unauthorised use of the system.! Risk sharing:!! Where applications hosting is outsourced, the organisation always remains accountable for protecting client privacy, but it the outsourcer is negligent and a breach occurs, risk (financial impact) might at least be shared with the outsourcer.! 79 80

21 Risk IT Framework 81

22 Riesgos en el cloud Disponibilidad! SLA! Compensación: económica, o mediante servicio.! Data Persistence! Espionage - EEUU : Patriot Act Ramification! Política: no permitido el cloud computing! PCI políticas: dónde exactamente está el CPD y físicamente están los datos.! Migración! Confidencialidad 86 Defensa, Detección, Disuasión, Riesgo Residual Conclusions A. Fuga, robo o exposición de datos! B. Espionage, packet sniffing! C. Inappropriate administrator access! D. Storage Persistence! E. Pishing! F. Denial of service (DDos)! G. Inestabilidad and fallo de aplicaciones! H. Slowness! I. Backup failure! J. Mobile device risks! A. Fuzzing! B. IT Risk must:! Take a complete look at technology across the enterprise! be grounded in business risk and business context! IT risk measures:! use quantitative factors in addition to the qualititative measures! focus on the maturity of the risk assessment over time! involve and educate the IT organisation in the risk assessment process! Use IT risk to:! drive the audit plan! enable the entire audit organisation to assess risk 87 88

23 Actividad Risk description from high level scenarios! Template file: Risk Description-form! Groups of 2/3 person! Top five practices have a medal!! Scenarios IT programme selection! New technologies! Technology selection! IT investment decision making! Accountability over IT! Integration of IT within business processes! State of infrastructure technology! Ageing of application software! Architectural agility and flexibility! Regulatory compliance! Software implementation! IT project termination! IT project economics! Project delivery! Project quality Selection/performance of third-party suppliers! Infrastructure theft! Destruction of infrastructure! IT staff! IT expertise and skills! Software integrity! Infrastructure (hardware)! Software performance! System capacity! Ageing of infrastructural software! Malware! Logical attacks! Information media! Utilities performance! Industrial action! Data(base) integrity! Logical trespassing IT Risk Scenario Development Risk Response 92