Managing Enterprise IT Security Risk: Get Ahead Of the Problem

Managing Enterprise IT Security Risk:
Get Ahead Of the Problem Preventsys, Inc. 2131 Palomar Airport Road Suite 200 Carlsbad, CA 92009 USA T: +1 760.268.7800 F: +1 760.476.1011 info@preventsys.com www.preventsys.com
Copyright © 2004 - 2005 Preventsys, Inc. All Rights Reserved. v1.0 PR E V E N T S Y S WH I T E P A P E R : MA N A G I N G EN T E R P R I S E IT SE C U R I T Y RI S K
TABLE OF CONTENTS
EXECUTIVE SUMMARY .............................................................1
ENTERPRISE RISK MANAGEMENT DEFINED .....................................1
OPERATIONAL RISK MANAGEMENT ............................................. 2
A LOOK AT ENTERPRISE IT SECURITY MANAGEMENT ........................ 4 IT Security Is a Fire Drill.......................................................... 4 Security Management Systems are Reactive.................................................. 5 The Reality of Security is not Recognized ...................................................... 5 Organizations Are Exhausted.................................................. 6 IT and Security Are At Odds ......................................................................... 6 Business Executives Are Frustrated ...............................................................7 Security and Audit Are Overwhelmed ............................................................ 8 Organizations Are Different .................................................... 8 Proactive Security Defined ..................................................... 9 Business-Driven Security & Compliance ................................. 11
AUTOMATING ERM ..............................................................12
SUMMARY ......................................................................... 13
APPENDIX A - STEPS TO GET STARTED .....................................14
REFERENCES ......................................................................14

Copyright © 2004 - 2005 Preventsys, Inc. All Rights Reserved. Preventsys® is a registered trademark of Preventsys, Inc. PolicyLabT, RedAlert Threat IntelligenceT, Preemptive Threat DefenseT, SmartShieldT and SMART EngineT are trademarks of Preventsys, Inc. All other trademarks are the property of their respective owners. All content included in this Document, including trade names or trademarks, service names or service marks, text and graphics (collectively the "Content") and the selection and arrangement thereof, are the sole and exclusive property of Preventsys, Inc. However, subject to the Terms of Use and other written agreements you may have with Preventsys, Inc., you are free to view, copy, print, and distribute the Content as long as: ƒ The Content is used for non-commercial purposes only within your organization in support of Preventsys, Inc. ƒ The Content is used for information purposes only.
CO P Y R I G H T ©2004-2005 PR E V E N T S Y S , IN C . ii PR E V E N T S Y S WH I T E P A P E R : MA N A G I N G EN T E R P R I S E IT SE C U R I T Y RI S K
Executive Summary
Much has been written and discussed about Enterprise Risk Management (ERM) as it relates to compliance, corporate governance, financial controls and the Sarbanes-Oxley Act of 2002 (SOX). Until now, there was very little available to the risk manager on how to apply ERM to day-to-day operations, with even less focus on your most vulnerable assets: people, facilities and IT systems. In developing operational risk strategies, you need to be proactive and not reactive; the approach needs to be a continuous process and not a project. Automation ensures consistency and this reduces liability and ensures compliance. For risk and compliance to be consistently managed, a framework is necessary to provide context and a consistent language within the organization. In response to SOX, most organizations have used the Internal Control Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) at www.coso.org. Recently, this organization has developed a de facto standard Enterprise Risk Management - Integrated Framework as an overarching approach to building an enterprise risk management process. When managing risk, the first and often the hardest step is to understand what threats or hazards (i.e., "e... [download for more]