Vikram Andem, Senior Manager, United Airlines. Trusted Computing Group, RSA® Conference 2015: a model for effective IT security risk management.
1. Page 1
Author: Vikram Andem
RSA® Conference 2015 : Trusted Computing Group
Vikram Andem
Senior Manager
United Airlines
An approach for effective Enterprise IT Security Risk Management
Keywords shown on the title slide: Harvard University, Stanford University, MIT, Blockchain, Cryptography, Security, Enterprise Architecture
2. Page 2
Slide 2 (figure): the risk-management model. Five control families are assessed at each of four layers of every asset, and every asset sits in a tier.
Controls: Authentication (AUTHN), Authorization (AUTHZ), Access Control (AC), Cryptography (CRYPTO), Logging & Monitoring (LOG).
Layers: Network Layer, Application Layer, Data Layer, OS Layer.
Classification: Confidentiality (High-Risk Confidential, Confidential, Internal, Public); Integrity (Critical, Trusted, Reliable, Untrusted); Availability, expressed as the tiers below.
Tiers: Tier 1 (100% MUST uptime, 24/7); Tier 2A (Mission Critical); Tier 2B (Business Critical); Tier 3 (Desirable); Tier 4 (Discretionary).
Gap matrix: one Gap cell per control (AUTHN, AUTHZ, LOG, AC, CRYPTO) per tier (Tier 1, 2A, 2B, 3, 4). Worked cell: Data Asset A on Tier 3, with a gap recorded for each of the five controls at each of the four layers.
Gap Profile: the Control Gap between the Current and the Optimal state, bounded by Min and Max; each finding is rated Does not satisfy, Partially satisfies or Satisfies.
3. Page 3
Slide 3 (figure): five asset cards, IT Asset A to IT Asset E. Each card is a grid of the four layers (NW, App, Data, OS) against the tiers (T1, T2a, T2b, T3, T4), with the open gaps in each cell marked per control (legend: Authentication, Authorization, Access Control, Cryptography, Logging & Monitoring).
Caption: Visual representation of IT Security gaps at a point-in-time snapshot taken during routine IT Security Administration.
4. Page 4
Slide 4 (figure): the gaps and findings from the snapshot are summed into an overall picture (Low Risks + Medium Risks + High Risks) and ordered into a remediation queue: 1st, 2nd, 3rd, 4th, 5th, 6th, ... nth.
Ideal scenario if all gaps and findings are satisfied.
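The model on slides 2 to 4 worked through in code, as an added example that is not part of the deck: an asset is assigned a tier, each control is assessed at each layer, a gap profile (min, max and current gap per control) is derived from the Satisfies / Partially satisfies / Does not satisfy findings, and the assets are ranked 1st to nth into the Low, Medium and High risk buckets. The deck defines the structure but not the arithmetic, so the tier weights, the gap value per finding state, the risk bands and the five-asset snapshot are all assumptions made here for illustration.

```python
"""Gap profile and risk ranking for the tier / layer / control model on the slides.
Added example, not code from the deck: the tier weights, the gap value per finding
state, the risk bands and the snapshot below are assumptions made for illustration."""
from dataclasses import dataclass, field

LAYERS = ("Network", "Application", "Data", "OS")
CONTROLS = ("Authentication", "Authorization", "Access Control",
            "Cryptography", "Logging & Monitoring")

# Assumed weights: Tier 1 (100% uptime, 24/7) weighs most, Tier 4 (discretionary) least.
TIER_WEIGHT = {"1": 5, "2A": 4, "2B": 3, "3": 2, "4": 1}

# Assumed gap per finding state (slide legend); "Satisfies" is the optimal state.
STATE_GAP = {"Satisfies": 0.0, "Partially satisfies": 0.5, "Does not satisfy": 1.0}

# Assumed risk bands on the tier-weighted score (0.0 = ideal, every gap closed);
# anything above the last band is High.
RISK_BANDS = ((0.25, "Low"), (1.0, "Medium"))


@dataclass
class Asset:
    name: str
    tier: str                                      # availability tier: 1, 2A, 2B, 3 or 4
    findings: dict = field(default_factory=dict)   # (layer, control) -> finding state

    def state(self, layer, control):
        """A cell with no recorded finding is treated as satisfied."""
        state = self.findings.get((layer, control), "Satisfies")
        if state not in STATE_GAP:
            raise ValueError(f"{self.name}: unknown finding state {state!r}")
        return state


def gap_profile(asset):
    """Per-control gap profile: the current gap averaged over the four layers, plus the
    best (min) and worst (max) layer, all on a 0.0 (optimal) .. 1.0 (maximum gap) scale."""
    profile = {}
    for control in CONTROLS:
        gaps = [STATE_GAP[asset.state(layer, control)] for layer in LAYERS]
        profile[control] = {"min": min(gaps), "max": max(gaps),
                            "gap": sum(gaps) / len(LAYERS)}
    return profile


def risk_score(asset):
    """Tier-weighted gap: mean control gap scaled by the asset's tier weight.
    Multiply before dividing so the common cases stay exact in floating point."""
    total_gap = sum(cell["gap"] for cell in gap_profile(asset).values())
    return total_gap * TIER_WEIGHT[asset.tier] / len(CONTROLS)


def risk_level(score):
    """Map a score onto the slide's Low / Medium / High buckets."""
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    return "High"


def rank_assets(assets):
    """Ordered list of (rank, name, score, level); 1st = highest risk, as on the last slide."""
    ordered = sorted(assets, key=risk_score, reverse=True)
    return [(rank, a.name, risk_score(a), risk_level(risk_score(a)))
            for rank, a in enumerate(ordered, start=1)]


def is_ideal(assets):
    """The slide's ideal scenario: every gap and finding satisfied on every asset."""
    return all(risk_score(a) == 0.0 for a in assets)


# Constructed snapshot (not from the deck) of the five assets pictured on slide 3.
SNAPSHOT = [
    Asset("IT Asset A", "3", {("Data", "Cryptography"): "Does not satisfy",
                              ("Application", "Authentication"): "Partially satisfies"}),
    Asset("IT Asset B", "1", {**{(layer, "Access Control"): "Does not satisfy" for layer in LAYERS},
                              ("Network", "Authentication"): "Partially satisfies"}),
    Asset("IT Asset C", "2A", {("OS", "Logging & Monitoring"): "Does not satisfy",
                               ("Data", "Authorization"): "Does not satisfy"}),
    Asset("IT Asset D", "4", {(layer, c): "Does not satisfy" for layer in LAYERS for c in CONTROLS}),
    Asset("IT Asset E", "2B"),
]

if __name__ == "__main__":
    for rank, name, score, level in rank_assets(SNAPSHOT):
        print(f"{rank:>2}. {name:<11} tier-weighted gap {score:.3f}  {level}")
    print("ideal scenario:", is_ideal(SNAPSHOT))
```

Running the script prints the remediation queue for the constructed snapshot. The tier weighting is what makes the queue differ from a plain count of findings: the Tier 1 asset missing one control family across all layers outranks the Tier 4 asset with every control missing, and an asset with no findings scores 0.0, which is the slide's ideal scenario.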