
Takata Information Security

IS Risk Management

Ryan Spencer
Vice President and Chief Information Officer
Takata

Information Services Department 1


Traditional IS Risk Assessment
• Traditional Risk Assessment identifies the entire IT infrastructure and assigns a value to the assets to rank them in terms of importance.
• Risk Analysis is conducted on IS assets to determine the associated risk. Since the business impact is not considered, the true risk exposure to a company’s operations is not determined.
Traditional IS Risk Focus
• Examples of traditional methods:
– Intrusion Detection
– Firewalls
– Encryption
– O/S Platform Assessment
– Physical Security Review



Industrial Accident
• In 2005 a significant industrial event caused damage to one of our data centers and the IS infrastructure at a manufacturing facility.
• Traditional safeguards were in place - tape backups, fireproof safe, fire suppression, environmental controls.
• Results of the accident – loss of data and manufacturing downtime.
• This event caused a major paradigm shift with Takata’s view of Risk Management.
Business Impact IS Risk Assessment

The failure of the disaster recovery plan forced all recovery activities to focus on the most critical business requirements.



Risk Management Process
(Diagram) Labels: Business Process; IS Systems; IS Assets – Technologies, Physical Environments, Processes, People.



Business Driven Assessment
• Delivers accurate risk scores to indicate where business risk exists with regard to supporting IS infrastructure.
• Asset valuation is based on importance in relation to critical business processes.
• Understand the impact of proposed safeguards across business processes.
• Risk mitigation strategy can be determined based on business requirements:
– Cost Avoidance
– Pure Risk
– Liability
Remediation Impact on Risk
(Chart) Risk Index: 31%, 59%



Business Review
• Review Results of the Risk Assessment
• Develop risk mitigation strategy
– Determine acceptable risk – all risk cannot be mitigated
• Determine Business Area actions
– Manual procedures
– Training
• Determine IS Mitigation Activities
– Technical solutions
– New processes



Risk Management Maintenance
1. Global Risk Assessment Template Defined
2. Global Template Agreement and Executive Approval
3. Risk Assessment Performed at all Locations
4. High Risk Areas Identified – Policies and Procedures Created
5. Policies and Procedures Implemented at all Locations
6. Track – Track the Progress of the Implementation at Each Location
7. Audit – Test all Policies and Procedures to Ensure Compliance
8. Adapt – Modify Policies and Procedures to Adapt to Changes in the Global Environment
9. Report – Communicate Implementation Status, Compliance Metrics, and Audit Results
