Enterprise Risk Management Approach
In a previous blog post, Marc Lankhorst discussed the value of EA in managing risk, compliance and security in the enterprise. He suggested a number of steps to take next; two of these steps are discussed in more detail in this blog:
- Capture and visualize risk and security aspects of your organization. Visualize hazards, risks and mitigation measures in relation to the overall architecture and business strategy.
- Measure and visualize the impact of risks and use these insights for decision making. Visualize data from e.g. penetration tests and use this to decide at the business level about necessary IT measures.
Enterprise Risk Management approach overview
The two steps from above are incorporated in an Enterprise Risk Management approach, visualized in Figure 1. This approach helps in understanding the consequences of risk & security policies, because the definition of risks and control measures on a strategic level is detailed step by step into operational control measures.
This is a model-driven and cyclic approach which can be started at multiple points in the cycle, depending on whether you are using a more top-down or a more bottom-up approach. Each phase is explained briefly below:
- Assess risks: In this step, the risks that the enterprise has to cope with are identified and documented. This covers multiple risk types: these can be IT-related risks (like cyber-attacks), but also business-related risks. Furthermore, risks can be based on identified threats (see step 6).
- Specify required control measures: Determine which control measures are required for each identified risk. Some risks may require extensive control measures (because of the high impact of the risk), and others may require fewer control measures. The combination of risks and control measures can be modeled with elements of the ArchiMate motivation extension (Assessment, Goal and Requirement), which makes the relation between these aspects clear. Furthermore, it can be incorporated in your existing EA models by linking risks and control measures to ArchiMate core elements.
- Implement control measures: The required control measures need to be implemented. This is the step where the shift from design to implementation is made. Control measures can be implemented in several ways: some may be IT control measures like firewalls or authentication mechanisms. Others can be business focused control measures like the four-eyes principle.
- Execute & monitor: The implemented control measures need to be executed. Furthermore, monitoring on an operational level is necessary to get statistics on the performance and effectiveness of implemented controls. An example is to use pentesting on the technical infrastructure. With pentesting you look for weak spots in the infrastructure with a systematic and automated approach. Results of pentests are used to analyze vulnerabilities in the infrastructure and to define new control measures.
- Analyze vulnerabilities: From executing & monitoring you obtained the necessary insights about the performance and effectiveness of implemented controls (for example via pentesting). In this step this data is analyzed to determine which vulnerabilities exist and how dangerous they are. The link is made between vulnerabilities and the identified risks from step 2, by using the existing EA models. This gives insight into how well the risks are managed and whether new or improved control measures are needed.
- Identify threats: In this step threats from the external or internal environment are identified. Threats from the internal environment can be based on the results of the previous step (analyze vulnerabilities). The identification of new threats can lead to new or changed risk assessments in step 1.
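The cycle above hinges on one modelling idea: a pentest finding is tied to a core element (a Node, Application Component or Business Process), a control measure is realised by core elements, and a control measure mitigates a risk, so a finding can be traced back to the business risk it weakens. The following added example (not code from the original post or from the author's tooling) implements that traceability as a small in-memory model and derives the four signals the cycle needs: exposure per risk, risks with no control at all (a step 2 gap), controls on elements the pentest never covered (a step 4 gap), and findings on elements with no control attached (input for step 6). The element ids, risks, controls, the 1 to 5 impact and severity scales and the "impact times worst severity" scoring are all constructed assumptions for illustration, not part of ArchiMate or of the post.

```python
"""Trace pentest findings to business risks through an ArchiMate-style model.

Added illustration; all risks, controls, elements, findings and the scoring
rule are constructed sample data and assumptions, not the post's own model.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:                  # plays the role of an ArchiMate Assessment
    id: str
    description: str
    business_impact: int     # constructed scale: 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class ControlMeasure:        # plays the role of an ArchiMate Requirement
    id: str
    description: str
    mitigates: tuple         # ids of the risks this control addresses
    realized_by: tuple       # ids of the core elements that implement it


@dataclass(frozen=True)
class CoreElement:           # ArchiMate core element the control is realised on
    id: str
    archimate_type: str      # "Node", "ApplicationComponent", "BusinessProcess"
    name: str


@dataclass(frozen=True)
class Finding:               # one pentest result, attached to a core element
    id: str
    element_id: str
    title: str
    severity: int            # constructed scale: 1 (info) .. 5 (critical)


def trace_findings(controls, findings):
    """risk id -> [(finding, control)]: finding -> element -> control -> risk."""
    by_element = defaultdict(list)
    for f in findings:
        by_element[f.element_id].append(f)
    traced = defaultdict(list)
    for c in controls:
        for element_id in c.realized_by:
            for f in by_element.get(element_id, []):
                for risk_id in c.mitigates:
                    traced[risk_id].append((f, c))
    return dict(traced)


def risk_exposure(risks, controls, findings):
    """Constructed score: business impact times the worst severity of any
    finding that weakens one of the risk's controls (0 if none is weakened)."""
    traced = trace_findings(controls, findings)
    return {
        r.id: r.business_impact
        * max((f.severity for f, _ in traced.get(r.id, [])), default=0)
        for r in risks
    }


def uncovered_risks(risks, controls):
    """Risks for which step 2 produced no control measure at all."""
    covered = {risk_id for c in controls for risk_id in c.mitigates}
    return [r.id for r in risks if r.id not in covered]


def unverified_controls(controls, tested_element_ids):
    """Controls whose realising elements were outside the pentest scope."""
    tested = set(tested_element_ids)
    return [c.id for c in controls if not set(c.realized_by) & tested]


def orphan_findings(controls, findings):
    """Findings on elements that no control is realised on: candidate new
    threats for step 6, since the EA model has nothing to link them to."""
    controlled = {e for c in controls for e in c.realized_by}
    return [f.id for f in findings if f.element_id not in controlled]


# ---- constructed sample model ----------------------------------------------
RISKS = [
    Risk("R1", "Customer data breach via internet-facing portal", 5),
    Risk("R2", "Fraudulent payment approval", 4),
    Risk("R3", "Loss of availability of order processing", 3),
]
CONTROLS = [
    ControlMeasure("C1", "Web application firewall in front of portal", ("R1",), ("N-WAF",)),
    ControlMeasure("C2", "Multi-factor authentication for portal users", ("R1",), ("AC-IDP",)),
    ControlMeasure("C3", "Four-eyes principle for large payments", ("R2",), ("BP-PAY",)),
]
ELEMENTS = [
    CoreElement("N-WAF", "Node", "Perimeter WAF"),
    CoreElement("AC-IDP", "ApplicationComponent", "Identity provider"),
    CoreElement("BP-PAY", "BusinessProcess", "Payment approval"),
    CoreElement("N-DB", "Node", "Order database"),
]
FINDINGS = [
    Finding("F1", "N-WAF", "Outdated rule set on perimeter WAF", 3),
    Finding("F2", "AC-IDP", "MFA not enforced for legacy accounts", 4),
    Finding("F3", "N-DB", "Database reachable from office network", 2),
]
TESTED = {"N-WAF", "AC-IDP", "N-DB"}   # pentest scope; BP-PAY is a business process


def report():
    """All four signals in one dict, so the cycle's next step can pick them up."""
    return {
        "exposure": risk_exposure(RISKS, CONTROLS, FINDINGS),
        "uncovered_risks": uncovered_risks(RISKS, CONTROLS),
        "unverified_controls": unverified_controls(CONTROLS, TESTED),
        "orphan_findings": orphan_findings(CONTROLS, FINDINGS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the sample data, R1 scores 20 (impact 5, worst finding severity 4) while R2 scores 0 because no finding touches the four-eyes control; R3 is flagged as having no control at all, C3 as never verified by the pentest, and F3 as a finding the model cannot yet link to any risk. Those last three are exactly the cases a pure list of pentest findings hides, and they are what feeds the "analyze vulnerabilities" and "identify threats" steps back into risk assessment.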
Top down vs. bottom up
The approach described above can be applied top down or bottom up. A top-down approach begins with the identification of threats and the assessment of risks, which serve as a basis for the design and implementation of control measures. A bottom-up approach would typically start at the execute & monitor step: investigating the current implementation with pentests or other mechanisms and using this information to determine vulnerabilities in the current landscape.
Which approach fits best in your organization depends on a number of aspects. In general, organizations with a more mature EA approach can more easily follow a top-down approach.
Benefits of this approach
This approach includes the following benefits:
- Systematic analysis of threats and vulnerabilities
- Integrated design of control measures
- EA models support business impact analysis of technical risks/vulnerabilities
- Translate business risk & security decisions into effective enterprise changes. This requires a strong cooperation between business and IT.
These benefits help to embed security more firmly in the business layer of your organization and will help to make well-informed decisions based on operational risk impact and costs.