ISACA Journal, Volume 4, 2013. © 2013 ISACA. All rights reserved. www.isaca.org
Risk: Security's New Compliance

Another factor in determining the actual risk posed by a vulnerability is business impact. Vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less-critical business assets. Altogether, an organization's focus should be on risk and not just security.

To gain insight into their risk posture, organizations must go beyond assessing compliance by taking threats and vulnerabilities as well as business impact into account (see figure 1). Only a combination of these three factors assures a holistic view of risk. Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents to an organization, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces and improve investment decision-making.

Figure 1: A Holistic View of Risk
[Diagram: Enterprise Risk sits at the center, formed by the overlap of Compliance Posture (control/policy mapping, policy distribution, policy attestation, control assessments), Threats (exploits, reach), Vulnerabilities (physical environments, virtual environments, networks, applications, web applications) and Business Impact.]
Source: Agiliance Inc. Reprinted with permission.

In general, there are four different approaches enterprises can use to tackle security (see figure 2).

The first concept was prevalent in the 1990s and can be best described as a reactive approach, whereby security is seen as a necessary evil. In this approach, silo-based point products are leveraged to monitor the company's security posture. However, the usage of these tools is primarily of a reactive and tactical nature.

Once the frequency of data breaches increased and consumer interests were threatened, industry standards and government regulations were introduced and forced a compliance-driven approach to security. Here the objective is to achieve point-in-time compliance certification, whereby the tactical, reactive approach is supplemented with layered security controls. Since many regulations and industry standards lack the notion of continuous monitoring, many enterprises using this approach adopt a check-box mentality and implement the minimum requirements needed to pass the annual certification audits.

Figure 2: Risk: Security's New Compliance
(The four approaches run from tactical, on the left, to strategic, on the right.)

Reactive Approach
- Security is seen as a necessary evil
- Silo-based monitoring
- Reactive and tactical
- Objective is to defend against threats

Compliance-Driven Approach
- Check-box mentality
- Tactical defense is supplemented with layered security controls
- Objective is to achieve point-in-time compliance certification

Risk-Based Approach
- Proactive, interconnected, continuous monitoring and assessments
- Closed-loop, automated remediation based on risk
- Prevention mentality

Business-Oriented Approach
- Connected into enterprise risk processes, taking input across financial, operational and IT risks
- Increased operational efficiency and effective business decisions

Source: Agiliance Inc. Reprinted with permission.

The rising tide of insider and advanced persistent threats, mounting regulatory pressure and the impact of big security data on an organization's operational efficiency have led many progressive organizations to adopt either a risk-based or a business-oriented approach to security. A risk-based approach to security assumes a prevention mentality, taking a proactive approach by interconnecting otherwise silo-based security and IT tools and continuously monitoring and assessing the data they produce.

A business-oriented approach extends the risk-based approach by connecting into enterprise risk processes, taking input across financial, operational and IT risk factors. The ultimate goal is increased operational efficiency and effective business decision making.

Figure 3: Elements of Security Automation in Accordance With NIST
of up to US $500,000. Furthermore, Fiserv was able to save US $1 million in overhead expenses by automating risk assessment efforts while at the same time shortening the policy control process from four to two months, saving an additional US $200,000. In addition, Fiserv achieved increased credibility with its board, management and regulators.

Conclusion

Cyberattacks can occur at any time, whereas compliance is certified at a point in time, so a solely compliance-driven approach to security is no longer effective. Instead, a risk-based approach to security, as recommended by NIST in SP 800-137 (Information Security Continuous Monitoring) among others, is the best approach.

When applying a risk-based approach to security, organizations must automate many otherwise manual, labor-intensive tasks. This, in turn, results in tremendous time and cost savings, reduced risk, improved response readiness and increased risk-posture visibility.

Endnotes

1. PCI Security Standards Council, Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, Version 2.0, October 2010
2. Verizon, 2012 Data Breach Investigations Report, a study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service, April 2012
3. Agiliance, "Managing Security Risk for NERC/FERC Compliance," Case Study Results, 2010
4. CSO Magazine, "GRC's ROI: Fiserv Gets a Handle on Governance, Risk and Compliance," April 2012
[Figure 3, Elements of Security Automation in Accordance With NIST (labels only partly legible): a risk automation platform built around a Risk Automation Engine, an Analytics Engine and a Workflow Engine, fed by Risk Catalogs, Risk Registers and Risk Indicators and producing Risk Intelligence and a Risk Posture view. Process labels: Assets, Prioritization, Remediation, Mitigation, Metrics. Stakeholders shown: Security Managers, Finance Managers, BU Executives, Operations Managers, IT Managers, C-Suite, CISO/CRO/CIO, Board, Security Ops, Auditors, IT Ops.]