Operational Risk Management: Managing Technology Risk (Columbia University) PDF
This document is a set of lecture notes on operational risk management, specifically focusing on technology risk. It covers topics like the introduction to IT risk, technology risk frameworks, business impact analysis, and system change management. Presented by Columbia University.
Slide 1 - Operational Risk Management: Managing Technology Risk (ORM Lecture 9)

Topics
1. Introduction to IT Risk
2. Technology Risk Frameworks
3. Business Operations Impact
4. System Change Management

Slide 3 - IT Risk: One of the Enterprise Risks
(Diagram: enterprise risk management, driven by the organization's vision and supported by a risk management framework, spans compliance, operational, technology, strategic, financial, market and credit risks. Technology risk is one of these enterprise risks.)

Slide 4 - IT Risk: One of the Enterprise Risks
What is IT risk? The potential for an unplanned, negative business outcome involving the failure or misuse of IT.
Other names for IT risk: cyber risk, technology risk, information technology risk.
Source: Gartner

Slide 5 - IT: Computing Evolution
(Figure only; source unknown.)

Slide 6 - Defining IT Risk: Threat Landscape
Digital transformation will continue, so the cybersecurity landscape is constantly evolving.
There are more devices attached to the internet today than there are people in the world. Because of IoT, by 2025 there will be more than 30 billion internet-attached devices.
Artificial intelligence (AI) and upcoming quantum technology increase the complexity of cyber defense.
Since attackers only need to be right once, while those who protect the organization must be right every time, your cybersecurity program must constantly evolve.
To evolve, it is vital to understand who is after you, what motivates them, and what they are after.

Slide 7 - Capital One / Amazon Data Breach
What Happened
The Capital One cloud compromise, which became widely known in 2019, was a data breach affecting over 100 million Capital One customers. Paige Thompson, a former Amazon Web Services (AWS) employee, was convicted of seven federal crimes related to her hacking of Capital One. Thompson exploited a misconfigured web application firewall (WAF) to gain unauthorized access to sensitive data stored in Capital One's cloud infrastructure hosted on AWS.
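The misconfigured WAF on this slide was abused through server-side request forgery (SSRF): in an SSRF the server is induced to issue a request of the attacker's choosing, using the server's own network position and privileges. The block below is an added example, not Capital One's or AWS's code; the host names in ALLOWED_HOSTS, the addresses in the stub resolver and the sample URLs are constructed for illustration. It places the vulnerable pattern (forward whatever URL the client supplied) beside a hardened target check: allowlist the scheme and host, refuse credentials in the URL, resolve the name and reject any address that is not globally routable, and pin the resolved address so the caller does not re-resolve it. Link-local 169.254.0.0/16 matters in a cloud setting because the instance metadata services of AWS, GCP and Azure answer at 169.254.169.254.

```python
"""Server-side URL fetch: the SSRF-prone pattern next to a hardened target check.
Added example, not Capital One's or AWS's code; names and addresses are constructed."""
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this service legitimately needs to reach.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}


def vulnerable_fetch_target(url):
    """The 'before' pattern: forward whatever URL the client supplied.
    A proxy or WAF built like this will request http://169.254.169.254/... (the
    cloud instance metadata service) with its own network access if asked to."""
    return url


def resolve_all(host):
    """Default resolver: every address the name currently maps to (A and AAAA)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}


# Constructed DNS answers so the example runs offline; production uses resolve_all.
_STUB_DNS = {
    "api.partner.example": {"93.184.216.34"},
    "cdn.example": {"::ffff:169.254.169.254"},   # allowed name repointed at metadata
}


def stub_resolver(host):
    return _STUB_DNS.get(host, set())


def _is_internal(ip):
    """True for anything that is not globally routable unicast: RFC 1918, loopback,
    link-local (169.254.0.0/16, where cloud metadata lives), reserved and
    documentation ranges, multicast."""
    return (not ip.is_global) or ip.is_multicast


def safe_fetch_target(url, resolver=resolve_all):
    """Validate a client-supplied URL. Returns (host, pinned_ip, port, path) or raises
    ValueError. The caller must connect to pinned_ip rather than re-resolving host,
    otherwise a DNS rebinding race defeats the check."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    if not parts.hostname:
        raise ValueError("missing host")
    host = parts.hostname.rstrip(".")          # urlparse already lowercases hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying it.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if _is_internal(ip):
            raise ValueError(f"{host!r} resolves to internal address {ip}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, min(addrs), port, parts.path or "/"


def is_rejected(url, resolver=resolve_all):
    """Yes/no wrapper around safe_fetch_target."""
    try:
        safe_fetch_target(url, resolver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/data",
              "http://169.254.169.254/latest/meta-data/",
              "https://cdn.example/lib.js"):
        print(u, "-> rejected" if is_rejected(u, stub_resolver) else "-> allowed")
```

Two caveats for real deployments: the same check must be applied to every redirect hop, because an allowed host can answer 302 to an internal address, and the HTTP client must be told to connect to the pinned address (for example via a custom connection adapter) rather than passing the original URL back to it.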
The data accessed included Social Security numbers, bank account numbers, credit histories, and other personal information. Thompson used a server-side request forgery (SSRF) attack: she made the WAF host issue requests on her behalf to internal resources that it could reach but she could not, exploiting what is considered one of the most severe vulnerability classes in public clouds.

Vulnerabilities
The breach underscored the growing problem of misconfigurations in cloud environments, which has become more prevalent as these environments grow in complexity and criticality. It also served as a stark reminder of the shared responsibility model: cloud providers such as AWS are responsible for the security of the cloud infrastructure, while customers are responsible for security in the cloud. Capital One's breach was primarily due to flawed configuration work within its own control, which highlights a common misunderstanding among cloud customers of their security responsibilities in the cloud.

Significance of Event
This incident highlighted critical vulnerabilities and risks associated with cloud security, especially misconfigurations and the shared responsibility model in cloud environments. It sparked discussion of the need for organizations to better understand and manage their cloud security, especially as the adoption of cloud services continues to increase. By 2025, it is predicted that over 95% of new digital workloads will be deployed in cloud computing environments, further emphasizing the importance of robust cloud security controls.

Slide 8 - The "CIA" of Security
(Diagram: the CIA security model, a triangle with confidentiality, integrity and availability at its corners.)
The purpose of confidentiality is to ensure that only those individuals who have the authority to view a piece of information may do so. No unauthorized individual should ever be able to view data they are not entitled to access.
Integrity is a related concept but deals with the generation and modification of data. Only authorized individuals should ever be able to create or change (or delete) information.
The goal of availability is to ensure that the data, or the system itself, is available for use when the authorized user wants it.

Slide 9 - IT Frameworks: Standards Bodies
Standards
Why: ethics, consistency, quality, management of the commons, interoperability, liability... many reasons.
Types:
- Technical/Engineering: IEEE (radio spectrum usage, EM emissions, etc.)
- Scientific: NIST (ethics, experimental design, publication)
- Management/Process: ISO sets standards for process management; ISO 9000, which relates to quality, is the most famous.
- Professional Practice: AICPA sets practice standards for public accounting.
Cyber Risk
Many types of standards bodies issue cyber-risk-related documents, and the documents overlap significantly. If your organization already uses ISO standards for other functions, consider standardizing on ISO.

Slide 10 - IT Frameworks: Standards Bodies (comparison)
(Table reconstructed from the slide; one column per body.)
Body: ISACA (Information Systems Audit and Control Association) | ISO (International Organization for Standardization; ISO/IEC 27000 series) | NIST (National Institute of Standards and Technology)
Reach: International | International | National*
Nature: Professional association | Non-governmental organization (NGO) | Government agency
Scope: Focused | Broad | Broad
Update cadence: Frequent updates | Slower updates | Slowest updates
* Worldwide translations and adaptations

Slide 11 - COBIT
COBIT (Control Objectives for Information and Related Technology) helps organizations meet business challenges in regulatory compliance, risk management and aligning IT strategy with organizational goals. COBIT 5 was released in 2012; it has since been superseded by COBIT 2019, the current version of the framework.
Benefits:
- Improve and maintain high-quality information to support business decisions.
- Use IT effectively to achieve business goals.
- Use technology to promote operational excellence.
- Ensure IT risk is managed effectively.
- Ensure organizations realize the value of their investments in IT.
- Achieve compliance with laws, regulations and contractual agreements.
Related Required Reading: COBIT (Zip file tool-kit)

Slide 12 - ISO 27001
ISO/IEC 27001 is the international standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability.
Benefits:
- Internationally recognized approach for establishing and maintaining an ISMS.
- Provides a holistic approach to creating an ISMS that encompasses people, processes, and technology.
- Risk-based controls to help your organization achieve certified compliance.
- Relies on independent audit and certification bodies.
- Use technology to promote operational excellence.
- Ensure IT risk is managed effectively.
Related Required Reading: ISO/IEC 27001

Slide 13 - NIST Cybersecurity Framework (CSF)
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce, founded in 1901. NIST CSF version 1.0 was introduced in February 2014; version 1.1, which enhanced it, was released in April 2018; NIST CSF 2.0 was released in February 2024.
Benefits:
- Designed as a flexible, voluntary framework.
- Integrates well with other NIST standards, such as SP 800-53.
- One of the most influential cybersecurity frameworks in use today.
- Voluntary for the private sector, but US federal agencies are required to use it (Executive Order 13800, 2017), so organizations selling to the US government are commonly expected to align with it.
Related Required Reading: NIST CSF

Slide 14 - Business Operations Impact
Business Operations Impact is commonly known as Business Impact Analysis.
Business impact analysis (BIA): a document that details the specific impact of elements on a business operation (also referred to as a business impact assessment).
Purpose:
- Outlines what the loss of any of your critical functions will mean to the organization.
- Serves as a document used to establish a wide range of priorities, including system backups and restoration, which are needed to maintain continuity of operation, and more.
- Represents a business-level analysis of the criticality of all elements with respect to the business as a whole.
- Takes into account the increased risk from minimal operations, and is designed to determine and justify what is genuinely critical for the business to survive, as opposed to what someone may state or wish.

Slide 15 - Business Impact Analysis
Key components of a BIA:
- Inventory of critical systems and components
- Identification and removal of single points of failure
- Risk assessment
- Succession planning

Slide 16 - Conducting a BIA
(Process diagram) Assess the impact on operations -> Review the overall impact of the downtime -> Create impact ratings -> Set criticality levels -> Set RTO and RPO.
Recovery time objective (RTO) is the target time set for resumption of operations after an incident. It is a period of time defined by the business, based on the needs of the enterprise.
Recovery point objective (RPO) is the time period representing the maximum acceptable amount of data loss. The RPO determines how frequently backups must be taken to prevent unacceptable levels of data loss.

Slide 17 - System Change Management
Change management is the process of managing system changes and modifications and transporting them through the pipeline from the development system to the test system and finally to the production system. These modifications can be prompted by several events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure.
Examples of changes:
- Application change
- Operating system change
- Database change
- Configuration change
- Network change

Slide 18 - Change Classification
Major changes: project development-type initiatives that involve extensive (> 40 hours) effort to release new functionality, features, or changes.
Minor changes: Minor changes require
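For the BIA steps on slides 14 to 16 above (inventory of critical systems, single points of failure, criticality levels, RTO and RPO), the following is an added worked example and not part of the lecture. The system inventory, the three criticality levels and every number in it are constructed for illustration. It derives the longest backup interval an RPO allows, orders systems for restoration by criticality and RTO (the backup and restoration priorities the BIA exists to establish), and flags systems whose current backup cadence, measured restore time, or single point of failure means the objectives the business set cannot actually be met.

```python
"""BIA check: do today's backup cadence and tested recovery meet the RPO and RTO
the business set? Added worked example; the inventory and numbers are constructed."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical criticality levels from the "set criticality levels" step;
# lower rank is restored first.
CRITICALITY_RANK = {"critical": 0, "important": 1, "deferrable": 2}


@dataclass(frozen=True)
class SystemBia:
    name: str
    criticality: str                          # key of CRITICALITY_RANK
    rto_hours: float                          # target time to resume operations after an incident
    rpo_hours: float                          # maximum acceptable data loss, expressed as time
    backup_interval_hours: float              # how often backups actually run today
    last_restore_test_hours: Optional[float]  # measured duration of the last restore exercise; None if never tested
    single_point_of_failure: bool             # no redundant component identified (slide 15)


def max_backup_interval(rpo_hours, backup_duration_hours=0.0):
    """Longest backup interval that still meets the RPO.

    If the last backup started T hours ago and took D hours, a failure now loses up
    to T + D hours of data, so we need interval + D <= RPO. Returns 0 when no
    periodic schedule can satisfy the RPO (continuous replication is needed instead).
    """
    return max(rpo_hours - backup_duration_hours, 0.0)


def _order_key(s):
    return (CRITICALITY_RANK[s.criticality], s.rto_hours)


def recovery_priority(systems):
    """Restoration order: highest criticality first, tighter RTO first within a tier."""
    return [s.name for s in sorted(systems, key=_order_key)]


def evaluate_bia(systems):
    """Return (system, code, detail) findings wherever the stated objectives are not met,
    in restoration-priority order so the most critical gaps come first."""
    findings = []
    for s in sorted(systems, key=_order_key):
        limit = max_backup_interval(s.rpo_hours)
        if limit == 0:
            findings.append((s.name, "RPO_GAP", f"RPO of {s.rpo_hours}h needs continuous replication, not periodic backups"))
        elif s.backup_interval_hours > limit:
            findings.append((s.name, "RPO_GAP", f"backups every {s.backup_interval_hours}h exceed the {limit}h allowed by an RPO of {s.rpo_hours}h"))
        if s.last_restore_test_hours is None:
            findings.append((s.name, "UNTESTED", "no measured restore; the RTO is an assumption, not a capability"))
        elif s.last_restore_test_hours > s.rto_hours:
            findings.append((s.name, "RTO_GAP", f"last restore took {s.last_restore_test_hours}h against an RTO of {s.rto_hours}h"))
        if s.single_point_of_failure:
            findings.append((s.name, "SPOF", "single point of failure with no redundant component"))
    return findings


# Constructed inventory for the example (not real systems).
SAMPLE_INVENTORY = [
    SystemBia("customer-portal", "critical", rto_hours=4, rpo_hours=1, backup_interval_hours=1, last_restore_test_hours=2.5, single_point_of_failure=False),
    SystemBia("payments-core", "critical", rto_hours=2, rpo_hours=0.25, backup_interval_hours=1, last_restore_test_hours=3, single_point_of_failure=True),
    SystemBia("marketing-wiki", "deferrable", rto_hours=72, rpo_hours=48, backup_interval_hours=168, last_restore_test_hours=None, single_point_of_failure=False),
    SystemBia("hr-payroll", "important", rto_hours=24, rpo_hours=24, backup_interval_hours=24, last_restore_test_hours=6, single_point_of_failure=True),
]

if __name__ == "__main__":
    print("restore order:", recovery_priority(SAMPLE_INVENTORY))
    for name, code, detail in evaluate_bia(SAMPLE_INVENTORY):
        print(f"{name:16} {code:9} {detail}")
```

The findings list is the justification slide 14 asks for: measured restore times and actual backup intervals decide what is genuinely critical and what is currently unprotected, rather than what someone states or wishes. Note that a restore exercise measures only the technical recovery; the business's RTO also has to absorb detection, decision and communication time, so compare against a budget that leaves room for those.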