SlideShare une entreprise Scribd logo

Visualizing BI technical cyber risks. Enterprise Risk and Security

BiZZdesign
BiZZdesign

Method for business impact analysis of technical risks is explained, which combines the disciplines of technical risk analysis and Enterprise Architecture. Our method is supported by software tooling to (semi-)automatically import results of a penetration test into an Enterprise Architecture model, and to analyze and visualize the business impact of these technical risks. This both enhances the value of penetration testing and increases the return-on-investment of the Enterprise Architecture effort.

Données & analyses
1  sur  48
Télécharger pour lire hors ligne
Visualizing the Business Impact of Technical Cyber Risks May 21, 2014 Henk Jonkers Senior Research Consultant, BiZZdesign
Agenda • Introduction and problem statement • Enterprise Architecture with ArchiMate® and TOGAF® • Enterprise Risk & Security Management with ArchiMate • Case Study: Pentest-based Business Impact Analysis • Visualizing the business impact of cyber risks • Conclusions
Henk Jonkers • Senior Research Consultant at BiZZdesign – Enterprise architecture, ArchiMate and TOGAF – Editor of the ArchiMate 2.1 standard – Enterprise Risk & Security Management – Business Decision Management • h.jonkers@bizzdesign.com Case study in collaboration with Bart Seghers, Thales Cyber Security
Integrated service offering Enterprise Architecture Management Business Model Management Business Process Management Business Decision Management Consulting services Tooling Training Best practices
Customers, offices and partners worldwide Partners • Latin America: Dux Diligens • Mexico: Unycorp • Australia: Neodata • Portugal: Process Sphere • Netherlands: Enschede, Amersfoort • North America: Toronto, Boston • Belgium: Leuven • UK: London • Slovakia / Eastern Europe: Bratislava • France: Paris • Germany / Central Europe: Düsseldorf • Sweden / Nordic countries: Stockholm
What you will learn today • How to incorporate risk and security aspects in your EA models • Combining Enterprise Risk & Security Management with ArchiMate brings risk and security to the boardroom • How to visualize vulnerabilities of the IT infrastructure in your EA models • How to achieve more balanced decision making based on risk and security measures
Problem statement • Organizations are increasingly networked and thus more complex • Attacks on information systems are becoming increasingly sophisticated • Attacks use digital, physical and social engineering and the departments responsible for each of these domains within an organization operate in silos • Current risk management methods cannot handle the resulting complexity
Limitations of current approaches • Existing information security and risk management methods do not systematically identify potential attacks • They are based on, e.g., checklists, heuristics and experience • Security controls are applied in a bottom-up way • They are not based on a thorough analysis of risks and vulnerabilities • No explicit definition of security principles and requirements • Focus on only IT security • They have difficulties in dealing with complex attacks on socio-technical systems, combining physical/digital access, and social engineering • Focus on preventive security controls • Corrective and curative controls are not considered
Characteristics of Enterprise Risk & Security Management • Integral vision on security: protection of business, information, application and technology assets • Structured identification and analysis of risks and vulnerabilities • Supports strategic risk management • Supports “Security by Design”
ENTERPRISE ARCHITECTURE WITH ARCHIMATE® AND TOGAF®
What is Enterprise Architecture? • A discipline, with the objective of steering changes • A product – A design that shows the coherence between products, processes, organisation, information supply and infrastructure, based on a vision and certain explicit starting points, principles and preferences • A process – Way of working – Aimed at the development and use of enterprise architectures within an enterprise – With people and resources Process architecture Application architecture Technical architecture Information architecture ?
Ingredients for a successful EA practice ArchiMateTOGAF View- points Process Language Repository, Reference Models
The TOGAF Architecture Development Method (ADM)
The ArchiMate language ArchiMate languageHigh-level modelling within domains Modeling relationships between domains Visualizations Analysis Relating detailed design models A basis for
BusinessApplicationTechnology Passive structure Behavior Active structure Motivation Implementation &Migration
ArchiMate + TOGAF Free download of the whitepaper “Enterprise Architecture with TOGAF 9.1 and ArchiMate” here: http://www.bizzdesign.com/downloadmanager /download/293
ENTERPRISE RISK & SECURITY MANAGEMENT WITH ARCHIMATE
Why ArchiMate for Risk & Security Architecture? • Widely accepted open standard for modeling enterprise architecture • Tool support widely available • Good fit with other EA and security frameworks (TOGAF, Zachman, SABSA) • ArchiMate models integrate business, information, application and technology architecture • Link with (security) requirements, principles goals (Motivation extension) → Traceability • Link with detailed design languages for business processes and IT solutions (e.g., BPMN and UML) • Suitable as a basis for (qualitative and quantitative) analysis and visualization
ArchiMate Risk project • Collaboration of ArchiMate Forum and Security Forum • Two areas of concern: – Risk analysis – Security deployment (risk mitigation) • Investigate how (specializations of) existing ArchiMate concepts (Core and extensions) can be used • Inspired on well-established risk and security standards and frameworks, including COSO, FAIR, SABSA • White paper in progress
Proposal for a “Risk Overlay” for ArchiMate
Proposal for a “Risk Overlay” for ArchiMate
Enterprise Risk Management with ArchiMate ArchiMate Core Analyze vulnerabilities Identify threats Assess risks Specify required control measures Implement control measures Execute & monitor
CASE STUDY: PENTEST-BASED BUSINESS IMPACT ANALYSIS
Case study partners • Tools, methods and best practices for Enterprise Architecture, Business Process Management, Enterprise Risk& Security Mgt. • Cyber security consultancy, solutions and services • Pentesting and Pentest-based BIA
What is a pentest? • Goal pentest: • Find weak spots and threats in a network infrastructure and/or a web application • Advise on ways to fix and mitigate these weak spots and threats • Pentesting from different perspectives: • External: “what can a hacker (ab)use or do from the internet?” • Internal: “what can a hacker or employee do when he/she is in your network?”
Pentest approach • Partly automated (vulnerability scan) • Human interpretation and customized advice
Automated vulnerability scans
HTML report of a vulnerability scan
Details of a vulnerability
Host perspective
Approach – Option 1 Option 1 – configuration from EA 1. Use the enterprise architecture to set the scope of the pentest – Top-down analysis 2. Perform a focused pentest 3. Import and analyze results in EA model – Bottom-up analysis – Insight in risks to (critical) business processes
Approach – Option 2 Option 2 – Manual configuration 1. Perform pentest or use results from a previously performed pentest 2. Create Enterprise Architecture – Possibly partly automated, based on pentest results 3. Import and analyze pentest results in the EA model – Bottom-up analysis – Insight in risks to (critical) business processes
Top-down analysis
Perform pentest
Bottom-up analysis
Business impact of technical risks Example: Missing critical patches on Database Server VA – 01 Missing critical patches which can lead to jeopardization of the server Technical risk Complexity (to exploit) Effort (to solve) High Meidum Low Present on system(s) 192.168.1.101 (Database Server) Description This system misses critical patches for the Microsoft Operating System concerning the following security bulletins: • MS08-067: Conficker patch – Published in 2008 • MS06-040: Published in 2006 This leads to multiple weaknesses on the system. Exploiting these weaknesses can lead to • Running own/arbitrary code on the system • Buffer overflow in the server service which may put the system in jeopardy Recommendation Install missing patches Impact on Business Business processes “Intake” and “Notify requester” depend on this Database Server and are the processes that “fill” this server with (sensitive) data. When this server is compromised by exploitation of abovementioned vulnerabilities, then the attacker can steal personal data from the registering applicants as well as modify who will be informed on its registration request. Business risk Medium Business recommendation Because of the low effort necessary to process the (technical) recommendation in combination with the Medium business risk, we recommend to process the technical recommendation within 1 month.
Summary of a pentest-based BIA
VISUALIZING THE BUSINESS IMPACT OF CYBER RISKS
Risk analysis
Example visualization: Risk factor versus process criticality UnacceptableAcceptable with mitigation Acceptable
Example visualization: Confidentiality, Availability and Integrity
CONCLUSIONS
Business value of pentest-based BIA A pentest-based BIA: – Makes the business impact as a result of cyber risks visible and measurable – Powerful management dashboard – Facilitates focused testing of technical components supporting critical business processes – Provides insight in the business risk when adding new components to your technical infrastructure – Increases the return on investment for your enterprise architecture effort Insight in the impact that cyber risks have on your business Top-down-analyse Bottom-up-analyse (“business impact”)
Summary • Current risk management approaches, working in isolation, fall short in the complexity of current organizations • A model-based approach for Enterprise Risk & Security Management is needed – Systematic analysis of threats and vulnerabilities – Integrated design of control measures • The ArchiMate language provides the hooks for integrated risk & security modeling, integrated with Enterprise Architecture • EA models support business impact analysis of technical risks / vulnerabilities
Integrated tool suite • Architecture Tools – Design, communicate & analyze architectures – Incorporating risk & security aspects – Easy to use – Integrated in one repository – http://www.bizzdesign.com/ tools/bizzdesign-architect/
Consultancy on Enterprise Architecture and Enterprise Risk & Security Management • Integrated consultancy – Workshops and consultancy services – Kick-start your EA or Enterprise Risk & Security Management initiative – Implementing TOGAF, ArchiMate, Enterprise Risk & Security Management
Training on Enterprise Architecture • ArchiMate & Architect training, 3 days (open/in house) – ArchiMate language – BiZZdesign Architect – includes ArchiMate certification • TOGAF certified training, 4 days (open/in house) – Foundation 2 days, Practitioner 2 days – Includes TOGAF certification • Security architecture training, 1 day – Modelling a security architecture with ArchiMate
Contact info and more information A copy of these slides: www.bizzdesign.com/downloads and select “webinars" blog.bizzdesign.com • http://www.bizzdesign.com/blog/the-value- of-enterprise-architecture-in-managing-risk- compliance-and-security/ • http://www.bizzdesign.com/blog/designing- secure-organizations-risk-management- enterprise-security-management-and- archimate/ • Downloadable versions of the full specifications of ArchiMate and TOGAF at http://www.opengroup.org • Many whitepapers, and recorded webinars • General information about BiZZdesign: http://www.bizzdesign.com • The website of our Academy: http://www.bizzdesign.com/training • Our Tool, BiZZdesign Architect http://bizzdesign.com/tools/bizzdesign-architect/ • Free trial version: www.bizzdesign.com/tools/bizzdesign-architect/ • Whitepaper EA with ArchiMate® and TOGAF ® : http://www.bizzdesign.com/downloadmanager/ download/293

Recommandé

Webinar slide-deck-enterprise-architecture-capability-assessments
Webinar slide-deck-enterprise-architecture-capability-assessmentsWebinar slide-deck-enterprise-architecture-capability-assessments
Webinar slide-deck-enterprise-architecture-capability-assessmentsBiZZdesign
 
Week01 introduction
Week01 introductionWeek01 introduction
Week01 introductionminhasg
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept WorkshopAlan McSweeney
 
Northern Finishing School: IT Project Managment
Northern Finishing School: IT Project ManagmentNorthern Finishing School: IT Project Managment
Northern Finishing School: IT Project ManagmentSiwawong Wuttipongprasert
 
Solution Architecture and Solution Complexity
Solution Architecture and Solution ComplexitySolution Architecture and Solution Complexity
Solution Architecture and Solution ComplexityAlan McSweeney
 
Business Architecture as an Approach to Connect Strategy & Projects
Business Architecture as an Approach to Connect Strategy & ProjectsBusiness Architecture as an Approach to Connect Strategy & Projects
Business Architecture as an Approach to Connect Strategy & ProjectsEnterprise Architects
 
Implementing agile iterative project delivery approach and achieving business...
Implementing agile iterative project delivery approach and achieving business...Implementing agile iterative project delivery approach and achieving business...
Implementing agile iterative project delivery approach and achieving business...Alan McSweeney
 
Key role of business analysis in project success
Key role of business analysis in project successKey role of business analysis in project success
Key role of business analysis in project successAbid Khan
 

Recommandé

Webinar slide-deck-enterprise-architecture-capability-assessments
Webinar slide-deck-enterprise-architecture-capability-assessmentsWebinar slide-deck-enterprise-architecture-capability-assessments
Webinar slide-deck-enterprise-architecture-capability-assessmentsBiZZdesign
 
Week01 introduction
Week01 introductionWeek01 introduction
Week01 introductionminhasg
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept WorkshopAlan McSweeney
 
Northern Finishing School: IT Project Managment
Northern Finishing School: IT Project ManagmentNorthern Finishing School: IT Project Managment
Northern Finishing School: IT Project ManagmentSiwawong Wuttipongprasert
 
Solution Architecture and Solution Complexity
Solution Architecture and Solution ComplexitySolution Architecture and Solution Complexity
Solution Architecture and Solution ComplexityAlan McSweeney
 
Business Architecture as an Approach to Connect Strategy & Projects
Business Architecture as an Approach to Connect Strategy & ProjectsBusiness Architecture as an Approach to Connect Strategy & Projects
Business Architecture as an Approach to Connect Strategy & ProjectsEnterprise Architects
 
Implementing agile iterative project delivery approach and achieving business...
Implementing agile iterative project delivery approach and achieving business...Implementing agile iterative project delivery approach and achieving business...
Implementing agile iterative project delivery approach and achieving business...Alan McSweeney
 
Key role of business analysis in project success
Key role of business analysis in project successKey role of business analysis in project success
Key role of business analysis in project successAbid Khan
 
Project Management Essentials
Project Management Essentials Project Management Essentials
Project Management Essentials SriramITISConsultant
 
04. Project Management
04. Project Management04. Project Management
04. Project ManagementBhuWan Khadka
 
Disciplined Agile Business Analysis
Disciplined Agile Business AnalysisDisciplined Agile Business Analysis
Disciplined Agile Business AnalysisScott W. Ambler
 
Technology Planning and Implementation
Technology Planning and ImplementationTechnology Planning and Implementation
Technology Planning and ImplementationSteve Heye
 
Agile Project and Delivery Management
Agile Project and Delivery ManagementAgile Project and Delivery Management
Agile Project and Delivery ManagementiZenBridge Consultancy Pvt. Ltd.
 
PMI Professional in Business Analyisis (PMI-PBA) Certification
PMI Professional in Business Analyisis (PMI-PBA) Certification PMI Professional in Business Analyisis (PMI-PBA) Certification
PMI Professional in Business Analyisis (PMI-PBA) Certification International Institute for Learning
 
Introduction to Business Analysis
Introduction to Business AnalysisIntroduction to Business Analysis
Introduction to Business AnalysisShwetha-BA
 
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Alan McSweeney
 
Enterprise Analysis
Enterprise AnalysisEnterprise Analysis
Enterprise AnalysisShwetha-BA
 
HI600 U02_inst_slides
HI600 U02_inst_slides HI600 U02_inst_slides
HI600 U02_inst_slides ljmcneill33
 
Project integration management
Project integration managementProject integration management
Project integration managementPrabudh Dhingra
 
Project Management for IT-related Projects (Logitrain)
Project Management for IT-related Projects (Logitrain)Project Management for IT-related Projects (Logitrain)
Project Management for IT-related Projects (Logitrain)Logitrain: New Zealand
 
Software Project Management Basics
Software Project Management BasicsSoftware Project Management Basics
Software Project Management BasicsAmarjeet Singh
 
Top 10 Microsoft Project Problems
Top 10 Microsoft Project ProblemsTop 10 Microsoft Project Problems
Top 10 Microsoft Project ProblemsMark Corker
 
DISE - Introduction to Project Management
DISE - Introduction to Project ManagementDISE - Introduction to Project Management
DISE - Introduction to Project ManagementRasan Samarasinghe
 
Agile Methodologies & Key Principles
Agile Methodologies & Key Principles Agile Methodologies & Key Principles
Agile Methodologies & Key Principles Orchestrate Mortgage and Title Solutions, LLC
 
The value of integration: systems thinking in project management by Andrew Wr...
The value of integration: systems thinking in project management by Andrew Wr...The value of integration: systems thinking in project management by Andrew Wr...
The value of integration: systems thinking in project management by Andrew Wr...Association for Project Management
 
Cobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentCobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentKathryn Howard
 
Hi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesHi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesljmcneill33
 
Mindmaps and heuristics tester's best friends - lalit bhamare
Mindmaps and heuristics tester's best friends - lalit bhamareMindmaps and heuristics tester's best friends - lalit bhamare
Mindmaps and heuristics tester's best friends - lalit bhamareLalit Bhamare
 
Data & Analytics Club - Data Visualization Workshop
Data & Analytics Club - Data Visualization WorkshopData & Analytics Club - Data Visualization Workshop
Data & Analytics Club - Data Visualization Workshopnsrivast
 
Data Visualization in Health
Data Visualization in HealthData Visualization in Health
Data Visualization in HealthRamon Martinez
 

Contenu connexe

Tendances

04. Project Management
04. Project Management04. Project Management
04. Project ManagementBhuWan Khadka
 
Disciplined Agile Business Analysis
Disciplined Agile Business AnalysisDisciplined Agile Business Analysis
Disciplined Agile Business AnalysisScott W. Ambler
 
Technology Planning and Implementation
Technology Planning and ImplementationTechnology Planning and Implementation
Technology Planning and ImplementationSteve Heye
 
Introduction to Business Analysis
Introduction to Business AnalysisIntroduction to Business Analysis
Introduction to Business AnalysisShwetha-BA
 
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Alan McSweeney
 
Enterprise Analysis
Enterprise AnalysisEnterprise Analysis
Enterprise AnalysisShwetha-BA
 
HI600 U02_inst_slides
HI600 U02_inst_slides HI600 U02_inst_slides
HI600 U02_inst_slides ljmcneill33
 
Project integration management
Project integration managementProject integration management
Project integration managementPrabudh Dhingra
 
Project Management for IT-related Projects (Logitrain)
Project Management for IT-related Projects (Logitrain)Project Management for IT-related Projects (Logitrain)
Project Management for IT-related Projects (Logitrain)Logitrain: New Zealand
 
Software Project Management Basics
Software Project Management BasicsSoftware Project Management Basics
Software Project Management BasicsAmarjeet Singh
 
Top 10 Microsoft Project Problems
Top 10 Microsoft Project ProblemsTop 10 Microsoft Project Problems
Top 10 Microsoft Project ProblemsMark Corker
 
DISE - Introduction to Project Management
DISE - Introduction to Project ManagementDISE - Introduction to Project Management
DISE - Introduction to Project ManagementRasan Samarasinghe
 
The value of integration: systems thinking in project management by Andrew Wr...
The value of integration: systems thinking in project management by Andrew Wr...The value of integration: systems thinking in project management by Andrew Wr...
The value of integration: systems thinking in project management by Andrew Wr...Association for Project Management
 
Cobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentCobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentKathryn Howard
 
Hi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesHi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesljmcneill33
 
Mindmaps and heuristics tester's best friends - lalit bhamare
Mindmaps and heuristics tester's best friends - lalit bhamareMindmaps and heuristics tester's best friends - lalit bhamare
Mindmaps and heuristics tester's best friends - lalit bhamareLalit Bhamare
 

Tendances (20)

Project Management Essentials
Project Management Essentials Project Management Essentials
Project Management Essentials
 
04. Project Management
04. Project Management04. Project Management
04. Project Management
 
Disciplined Agile Business Analysis
Disciplined Agile Business AnalysisDisciplined Agile Business Analysis
Disciplined Agile Business Analysis
 
Technology Planning and Implementation
Technology Planning and ImplementationTechnology Planning and Implementation
Technology Planning and Implementation
 
Agile Project and Delivery Management
Agile Project and Delivery ManagementAgile Project and Delivery Management
Agile Project and Delivery Management
 
PMI Professional in Business Analyisis (PMI-PBA) Certification
PMI Professional in Business Analyisis (PMI-PBA) Certification PMI Professional in Business Analyisis (PMI-PBA) Certification
PMI Professional in Business Analyisis (PMI-PBA) Certification
 
Introduction to Business Analysis
Introduction to Business AnalysisIntroduction to Business Analysis
Introduction to Business Analysis
 
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
 
Enterprise Analysis
Enterprise AnalysisEnterprise Analysis
Enterprise Analysis
 
HI600 U02_inst_slides
HI600 U02_inst_slides HI600 U02_inst_slides
HI600 U02_inst_slides
 
Project integration management
Project integration managementProject integration management
Project integration management
 
Project Management for IT-related Projects (Logitrain)
Project Management for IT-related Projects (Logitrain)Project Management for IT-related Projects (Logitrain)
Project Management for IT-related Projects (Logitrain)
 
Software Project Management Basics
Software Project Management BasicsSoftware Project Management Basics
Software Project Management Basics
 
Top 10 Microsoft Project Problems
Top 10 Microsoft Project ProblemsTop 10 Microsoft Project Problems
Top 10 Microsoft Project Problems
 
DISE - Introduction to Project Management
DISE - Introduction to Project ManagementDISE - Introduction to Project Management
DISE - Introduction to Project Management
 
Agile Methodologies & Key Principles
Agile Methodologies & Key Principles Agile Methodologies & Key Principles
Agile Methodologies & Key Principles
 
The value of integration: systems thinking in project management by Andrew Wr...
The value of integration: systems thinking in project management by Andrew Wr...The value of integration: systems thinking in project management by Andrew Wr...
The value of integration: systems thinking in project management by Andrew Wr...
 
Cobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentCobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignment
 
Hi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesHi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslides
 
Mindmaps and heuristics tester's best friends - lalit bhamare
Mindmaps and heuristics tester's best friends - lalit bhamareMindmaps and heuristics tester's best friends - lalit bhamare
Mindmaps and heuristics tester's best friends - lalit bhamare
 

En vedette

Data & Analytics Club - Data Visualization Workshop
Data & Analytics Club - Data Visualization WorkshopData & Analytics Club - Data Visualization Workshop
Data & Analytics Club - Data Visualization Workshopnsrivast
 
Data Visualization in Health
Data Visualization in HealthData Visualization in Health
Data Visualization in HealthRamon Martinez
 
The Role of Data Science in Enterprise Risk Management, Presented by John Liu
The Role of Data Science in Enterprise Risk Management, Presented by John LiuThe Role of Data Science in Enterprise Risk Management, Presented by John Liu
The Role of Data Science in Enterprise Risk Management, Presented by John LiuNashvilleTechCouncil
 
Project time management
Project time managementProject time management
Project time managementJivan Nepali
 
The Importance of Data Visualization
The Importance of Data VisualizationThe Importance of Data Visualization
The Importance of Data VisualizationCenterline Digital
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Goutama Bachtiar
 

En vedette (6)

Data & Analytics Club - Data Visualization Workshop
Data & Analytics Club - Data Visualization WorkshopData & Analytics Club - Data Visualization Workshop
Data & Analytics Club - Data Visualization Workshop
 
Data Visualization in Health
Data Visualization in HealthData Visualization in Health
Data Visualization in Health
 
The Role of Data Science in Enterprise Risk Management, Presented by John Liu
The Role of Data Science in Enterprise Risk Management, Presented by John LiuThe Role of Data Science in Enterprise Risk Management, Presented by John Liu
The Role of Data Science in Enterprise Risk Management, Presented by John Liu
 
Project time management
Project time managementProject time management
Project time management
 
The Importance of Data Visualization
The Importance of Data VisualizationThe Importance of Data Visualization
The Importance of Data Visualization
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
 

Similaire à Visualizing BI technical cyber risks. Enterprise Risk and Security

Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Daljit Banger
 
A Brief Introduction to Enterprise Architecture
A Brief Introduction to Enterprise Architecture A Brief Introduction to Enterprise Architecture
A Brief Introduction to Enterprise Architecture Daljit Banger
 
Advanced Analytics to Attain Risk Insights and Reduce Threat
Advanced Analytics to Attain Risk Insights and Reduce ThreatAdvanced Analytics to Attain Risk Insights and Reduce Threat
Advanced Analytics to Attain Risk Insights and Reduce ThreatTripwire
 
Supporting material for my Webinar to the ACS - June2017
Supporting material for my Webinar to the ACS - June2017Supporting material for my Webinar to the ACS - June2017
Supporting material for my Webinar to the ACS - June2017Daljit Banger
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnedMichael King
 
Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction Daljit Banger
 
Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsLars Neupart
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architectureangelohammond
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEryk Budi Pratama
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentortmbainjr131
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
framework-version-1.1-overview-20180427-for-web-002.pptx
framework-version-1.1-overview-20180427-for-web-002.pptxframework-version-1.1-overview-20180427-for-web-002.pptx
framework-version-1.1-overview-20180427-for-web-002.pptxAshishRanjan546644
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterDinis Cruz
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsArun Prabhakar
 

Similaire à Visualizing BI technical cyber risks. Enterprise Risk and Security (20)

Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise Architecture
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World
 
A Brief Introduction to Enterprise Architecture
A Brief Introduction to Enterprise Architecture A Brief Introduction to Enterprise Architecture
A Brief Introduction to Enterprise Architecture
 
Advanced Analytics to Attain Risk Insights and Reduce Threat
Advanced Analytics to Attain Risk Insights and Reduce ThreatAdvanced Analytics to Attain Risk Insights and Reduce Threat
Advanced Analytics to Attain Risk Insights and Reduce Threat
 
Supporting material for my Webinar to the ACS - June2017
Supporting material for my Webinar to the ACS - June2017Supporting material for my Webinar to the ACS - June2017
Supporting material for my Webinar to the ACS - June2017
 
ISV Net iq
ISV Net iqISV Net iq
ISV Net iq
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons Learned
 
Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction
 
Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessments
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating Model
 
Shruti ppt
Shruti pptShruti ppt
Shruti ppt
 
CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
framework-version-1.1-overview-20180427-for-web-002.pptx
framework-version-1.1-overview-20180427-for-web-002.pptxframework-version-1.1-overview-20180427-for-web-002.pptx
framework-version-1.1-overview-20180427-for-web-002.pptx
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification Solutions
 

Dernier

Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...amitlee9823
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...Elaine Werffeli
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...gajnagarg
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...amitlee9823
 
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...gajnagarg
 
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -Pooja Nehwal
 
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...gajnagarg
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...SUHANI PANDEY
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...amitlee9823
 
Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...gajnagarg
 
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...amitlee9823
 
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...amitlee9823
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Researchmichael115558
 
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night StandCall Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 

Dernier (20)

Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
 
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Palakkad Escorts ☎️9352988975 Two shot with one girl...
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
 
CHEAP Call Girls in Rabindra Nagar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Rabindra Nagar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Rabindra Nagar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Rabindra Nagar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
 
Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls kakinada Escorts ☎️9352988975 Two shot with one girl...
 
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
 
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
 
Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls Bellary Escorts ☎️9352988975 Two shot with one girl ...
 
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Research
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night StandCall Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
 

Visualizing BI technical cyber risks. Enterprise Risk and Security

  • 1. Visualizing the Business Impact of Technical Cyber Risks May 21, 2014 Henk Jonkers Senior Research Consultant, BiZZdesign
  • 2. Agenda • Introduction and problem statement • Enterprise Architecture with ArchiMate® and TOGAF® • Enterprise Risk & Security Management with ArchiMate • Case Study: Pentest-based Business Impact Analysis • Visualizing the business impact of cyber risks • Conclusions
  • 3. Henk Jonkers • Senior Research Consultant at BiZZdesign – Enterprise architecture, ArchiMate and TOGAF – Editor of the ArchiMate 2.1 standard – Enterprise Risk & Security Management – Business Decision Management • h.jonkers@bizzdesign.com Case study in collaboration with Bart Seghers, Thales Cyber Security
  • 5. Customers, offices and partners worldwide Partners • Latin America: Dux Diligens • Mexico: Unycorp • Australia: Neodata • Portugal: Process Sphere • Netherlands: Enschede, Amersfoort • North America: Toronto, Boston • Belgium: Leuven • UK: London • Slovakia / Eastern Europe: Bratislava • France: Paris • Germany / Central Europe: Düsseldorf • Sweden / Nordic countries: Stockholm
  • 6. What you will learn today • How to incorporate risk and security aspects in your EA models • Combining Enterprise Risk & Security Management with ArchiMate brings risk and security to the boardroom • How to visualize vulnerabilities of the IT infrastructure in your EA models • How to achieve more balanced decision making based on risk and security measures
  • 7. Problem statement • Organizations are increasingly networked and thus more complex • Attacks on information systems are becoming increasingly sophisticated • Attacks use digital, physical and social engineering and the departments responsible for each of these domains within an organization operate in silos • Current risk management methods cannot handle the resulting complexity
  • 8. Limitations of current approaches • Existing information security and risk management methods do not systematically identify potential attacks • They are based on, e.g., checklists, heuristics and experience • Security controls are applied in a bottom-up way • They are not based on a thorough analysis of risks and vulnerabilities • No explicit definition of security principles and requirements • Focus on only IT security • They have difficulties in dealing with complex attacks on socio-technical systems, combining physical/digital access, and social engineering • Focus on preventive security controls • Corrective and curative controls are not considered
  • 9. Characteristics of Enterprise Risk & Security Management • Integral vision on security: protection of business, information, application and technology assets • Structured identification and analysis of risks and vulnerabilities • Supports strategic risk management • Supports “Security by Design”
  • 11. What is Enterprise Architecture? • A discipline, with the objective of steering changes • A product – A design that shows the coherence between products, processes, organisation, information supply and infrastructure, based on a vision and certain explicit starting points, principles and preferences • A process – Way of working – Aimed at the development and use of enterprise architectures within an enterprise – With people and resources Process architecture Application architecture Technical architecture Information architecture ?
  • 12. Ingredients for a successful EA practice ArchiMateTOGAF View- points Process Language Repository, Reference Models
  • 13. The TOGAF Architecture Development Method (ADM)
  • 14. The ArchiMate language ArchiMate languageHigh-level modelling within domains Modeling relationships between domains Visualizations Analysis Relating detailed design models A basis for
  • 16. ArchiMate + TOGAF Free download of the whitepaper “Enterprise Architecture with TOGAF 9.1 and ArchiMate” here: http://www.bizzdesign.com/downloadmanager /download/293
  • 17. ENTERPRISE RISK & SECURITY MANAGEMENT WITH ARCHIMATE
  • 18. Why ArchiMate for Risk & Security Architecture? • Widely accepted open standard for modeling enterprise architecture • Tool support widely available • Good fit with other EA and security frameworks (TOGAF, Zachman, SABSA) • ArchiMate models integrate business, information, application and technology architecture • Link with (security) requirements, principles goals (Motivation extension) → Traceability • Link with detailed design languages for business processes and IT solutions (e.g., BPMN and UML) • Suitable as a basis for (qualitative and quantitative) analysis and visualization
  • 19. ArchiMate Risk project • Collaboration of ArchiMate Forum and Security Forum • Two areas of concern: – Risk analysis – Security deployment (risk mitigation) • Investigate how (specializations of) existing ArchiMate concepts (Core and extensions) can be used • Inspired on well-established risk and security standards and frameworks, including COSO, FAIR, SABSA • White paper in progress
  • 20. Proposal for a “Risk Overlay” for ArchiMate
  • 21. Proposal for a “Risk Overlay” for ArchiMate
  • 22. Enterprise Risk Management with ArchiMate ArchiMate Core Analyze vulnerabilities Identify threats Assess risks Specify required control measures Implement control measures Execute & monitor
  • 23. CASE STUDY: PENTEST-BASED BUSINESS IMPACT ANALYSIS
  • 24. Case study partners • Tools, methods and best practices for Enterprise Architecture, Business Process Management, Enterprise Risk& Security Mgt. • Cyber security consultancy, solutions and services • Pentesting and Pentest-based BIA
  • 25. What is a pentest? • Goal pentest: • Find weak spots and threats in a network infrastructure and/or a web application • Advise on ways to fix and mitigate these weak spots and threats • Pentesting from different perspectives: • External: “what can a hacker (ab)use or do from the internet?” • Internal: “what can a hacker or employee do when he/she is in your network?”
  • 26. Pentest approach • Partly automated (vulnerability scan) • Human interpretation and customized advice
  • 28. HTML report of a vulnerability scan
  • 29. Details of a vulnerability
  • 31. Approach – Option 1 Option 1 – configuration from EA 1. Use the enterprise architecture to set the scope of the pentest – Top-down analysis 2. Perform a focused pentest 3. Import and analyze results in EA model – Bottom-up analysis – Insight in risks to (critical) business processes
  • 32. Approach – Option 2 Option 2 – Manual configuration 1. Perform pentest or use results from a previously performed pentest 2. Create Enterprise Architecture – Possibly partly automated, based on pentest results 3. Import and analyze pentest results in the EA model – Bottom-up analysis – Insight in risks to (critical) business processes
  • 36. Business impact of technical risks Example: Missing critical patches on Database Server VA – 01 Missing critical patches which can lead to jeopardization of the server Technical risk Complexity (to exploit) Effort (to solve) High Meidum Low Present on system(s) 192.168.1.101 (Database Server) Description This system misses critical patches for the Microsoft Operating System concerning the following security bulletins: • MS08-067: Conficker patch – Published in 2008 • MS06-040: Published in 2006 This leads to multiple weaknesses on the system. Exploiting these weaknesses can lead to • Running own/arbitrary code on the system • Buffer overflow in the server service which may put the system in jeopardy Recommendation Install missing patches Impact on Business Business processes “Intake” and “Notify requester” depend on this Database Server and are the processes that “fill” this server with (sensitive) data. When this server is compromised by exploitation of abovementioned vulnerabilities, then the attacker can steal personal data from the registering applicants as well as modify who will be informed on its registration request. Business risk Medium Business recommendation Because of the low effort necessary to process the (technical) recommendation in combination with the Medium business risk, we recommend to process the technical recommendation within 1 month.
  • 37. Summary of a pentest-based BIA
  • 38. VISUALIZING THE BUSINESS IMPACT OF CYBER RISKS
  • 40. Example visualization: Risk factor versus process criticality UnacceptableAcceptable with mitigation Acceptable
  • 41. Example visualization: Confidentiality, Availability and Integrity
  • 43. Business value of pentest-based BIA A pentest-based BIA: – Makes the business impact as a result of cyber risks visible and measurable – Powerful management dashboard – Facilitates focused testing of technical components supporting critical business processes – Provides insight in the business risk when adding new components to your technical infrastructure – Increases the return on investment for your enterprise architecture effort Insight in the impact that cyber risks have on your business Top-down-analyse Bottom-up-analyse (“business impact”)
  • 44. Summary • Current risk management approaches, working in isolation, fall short in the complexity of current organizations • A model-based approach for Enterprise Risk & Security Management is needed – Systematic analysis of threats and vulnerabilities – Integrated design of control measures • The ArchiMate language provides the hooks for integrated risk & security modeling, integrated with Enterprise Architecture • EA models support business impact analysis of technical risks / vulnerabilities
  • 45. Integrated tool suite • Architecture Tools – Design, communicate & analyze architectures – Incorporating risk & security aspects – Easy to use – Integrated in one repository – http://www.bizzdesign.com/ tools/bizzdesign-architect/
  • 46. Consultancy on Enterprise Architecture and Enterprise Risk & Security Management • Integrated consultancy – Workshops and consultancy services – Kick-start your EA or Enterprise Risk & Security Management initiative – Implementing TOGAF, ArchiMate, Enterprise Risk & Security Management
  • 47. Training on Enterprise Architecture • ArchiMate & Architect training, 3 days (open/in house) – ArchiMate language – BiZZdesign Architect – includes ArchiMate certification • TOGAF certified training, 4 days (open/in house) – Foundation 2 days, Practitioner 2 days – Includes TOGAF certification • Security architecture training, 1 day – Modelling a security architecture with ArchiMate
  • 48. Contact info and more information A copy of these slides: www.bizzdesign.com/downloads and select “webinars" blog.bizzdesign.com • http://www.bizzdesign.com/blog/the-value- of-enterprise-architecture-in-managing-risk- compliance-and-security/ • http://www.bizzdesign.com/blog/designing- secure-organizations-risk-management- enterprise-security-management-and- archimate/ • Downloadable versions of the full specifications of ArchiMate and TOGAF at http://www.opengroup.org • Many whitepapers, and recorded webinars • General information about BiZZdesign: http://www.bizzdesign.com • The website of our Academy: http://www.bizzdesign.com/training • Our Tool, BiZZdesign Architect http://bizzdesign.com/tools/bizzdesign-architect/ • Free trial version: www.bizzdesign.com/tools/bizzdesign-architect/ • Whitepaper EA with ArchiMate® and TOGAF ® : http://www.bizzdesign.com/downloadmanager/ download/293