Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Security Risk Management. © G. Dhillon All Rights Reserved Alignment Glenmeade Vision To provide a personalized experience to our.

Published bySabrina Marsh Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Systems Security Risk Management. © G. Dhillon All Rights Reserved Alignment Glenmeade Vision To provide a personalized experience to our."— Presentation transcript:

1 Information Systems Security Risk Management

2 © G. Dhillon All Rights Reserved Alignment Glenmeade Vision To provide a personalized experience to our customers To reach out to the customers and know their preferences, likes and dislikes Business Objective(s) Marketing Objectives IT Objectives Ops Objectives Implement a Customer Relationship Management System. Buy a state of the art system Develop a Tastemasters program Get to the customer directly & most efficiently Various marketing Programs -freebees -sponsorships Various Operations Programs -On time delivery incentives etc Various IT Programs -New rollouts -System Training -IT Project Management

3 © G. Dhillon All Rights Reserved Aspiration Vision

4 © G. Dhillon All Rights Reserved Aspiration Vision

5 © G. Dhillon All Rights Reserved Aspiration Vision

6 © G. Dhillon All Rights Reserved Security is a business enabler Security allows me to do something I couldn’t do [safely] otherwise/before Electronic Commerce Online banking Online brokerage Added value, security is part of the product Help make sale because of security Revenue generated as a result of security Security is not the product – it allows me to do business

7 © G. Dhillon All Rights Reserved Business enabler

8 © G. Dhillon All Rights Reserved Reality For a range of reasons companies have always been under pressure to cut IT costs. Perhaps by outsourcing. Justify expenses. And when choosing being keeping the “shop running” versus securing it, protection mechanisms take a back burner.

9 © G. Dhillon All Rights Reserved Risks Glenmeade Vision To provide a personalized experience to our customers To reach out to the customers and know their preferences, likes and dislikes Business Objective(s) Marketing Objectives IT Objectives Ops Objectives Implement a Customer Relationship Management System. Buy a state of the art system Develop a Tastemasters program Get to the customer directly & most efficiently Various marketing Programs -freebees -sponsorships Various Operations Programs -On time delivery incentives etc Various IT Programs -New rollouts -System Training -IT Project Management Personal Privacy Data Ownership Data flow Integrity Availability … … Project risks System Dev. risks Business continuity risks Inherent risks (Doubleclick type)

10 © G. Dhillon All Rights Reserved Glenmeade Vision Risk Management To provide a personalized experience to our customers To reach out to the customers and know their preferences, likes and dislikes Business Objective(s) Marketing Objectives IT Objectives Ops Objectives Implement a Customer Relationship Management System. Buy a state of the art system Develop a Tastemasters program Get to the customer directly & most efficiently Various marketing Programs -freebees -sponsorships Various Operations Programs -On time delivery incentives etc Various IT Programs -New rollouts -System Training -IT Project Management Personal Privacy Data Ownership Data flow Integrity Availability … … Project risks System Dev. risks Business continuity risks Inherent risks (Doubleclick type) What is the probability that personal privacy will be compromised when personally identifiable information is accessed in an unauthorized manner? What is the probability of unauthorized access?

11 © G. Dhillon All Rights Reserved Answer Let’s calculate the probability of occurrence of a negative event (privacy breach or unauthorized access in this case) What is going to be the cost to mend the privacy breach? BINGO!! R = P * C

12 © G. Dhillon All Rights Reserved Communicating Risk Well-Formed Risk Statement Impact What is the impact to the business? Probability How likely is the threat given the controls? Asset What are you trying to protect? Asset What are you trying to protect? Threat What are you afraid of happening? Threat What are you afraid of happening? Vulnerability How could the threat occur? Vulnerability How could the threat occur? Mitigation What is currently reducing the risk? Mitigation What is currently reducing the risk?

13 © G. Dhillon All Rights Reserved Reference Documents Publications to help you determine your organization’s risk management maturity level include: ISO Code of Practice for Information Security Management (ISO 17799) International Standards Organization Control Objectives for Information and Related Technology (CobiT) IT Governance Institute Security Self-Assessment Guide for Information Technology Systems (SP-800-26) National Institute of Standards and Technology

14 © G. Dhillon All Rights Reserved What’s Risk Management? Formally defined “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

15 © G. Dhillon All Rights Reserved More simply put… “Determine what your risks are and then decide on a course of action to deal with those risks.”

16 © G. Dhillon All Rights Reserved Even more colloquially… What’s your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress ?

17 © G. Dhillon All Rights Reserved Risk Management Maturity Assessment LevelState 0 Non-existent 1 Ad hoc 2 Repeatable 3 Defined process 4 Managed 5 Optimized

18 © G. Dhillon All Rights Reserved Classify

19 © G. Dhillon All Rights Reserved Risk management: classification Inherent risks Planning needed Can be assessed and predicted Strategic High Potential Key Operational Support Outcome: high Operational: low Process: low What risk? Outcome: low Operational: high Process: medium Outcome: low Operational: low Process: high

20 © G. Dhillon All Rights Reserved Typical concerns StrategicHigh Potential Outcome risks Opportunity & financial risks? Lack of strategic framework: poor business understanding Conflicts of strategy and problems of coordination IT supplier problems Poor management of change Senior management not involved Large and complex projects; too many stakeholders Rigid methodology and strict budgetary controls Key Operational Support Operational risks Process based risks Too much faith in the ‘technical fix’ Use of technology for its novelty value Poor technical skills in the development team Inexperienced staff Large and complex projects; too many stakeholders Poor testing procedures Poor implementation Lack of technical standards

21 © G. Dhillon All Rights Reserved Generic CSFs for different applications Strategic High Potential Key Operational Support Time Quality Cost Time Quality Cost Time Quality Cost R & D projects

22 © G. Dhillon All Rights Reserved Risk management: core strategies StrategicHigh Potential Key OperationalSupport CONFIGURE COMMUNICATE CONTROL CONSTRAIN

23 © G. Dhillon All Rights Reserved Risk management: directions - 1 StrategicHigh Potential Business and corporate risks Opportunity & financial risks Key OperationalSupport Operational risks Process based risks Controllable Uncontrollable Predictable Unpredictable No problem - carry out plans Practice quick response to manage as events unfold Emphasis forecasting and thus “steer around” these events Develop a contingency planning system

24 © G. Dhillon All Rights Reserved Risk management: directions -2 History Context (external) Context (internal) Business processes Content Risk Outcomes Context oriented risk assessment StrategicHigh Potential Business and corporate risks Key OperationalSupport Operational risks Process based risks Opportunity & financial risks

25 © G. Dhillon All Rights Reserved Risk Management Practices Conduct a mission impact analysis and risk assessment to: 1.Identify various levels of sensitivity associated with information resources 2.Identify potential security threats to those resources

26 © G. Dhillon All Rights Reserved Risk Management Practices (cont.) Conduct a mission impact analysis and risk assessment to: 3.Determine the appropriate level of security to be implemented to safeguard those resources 4.Review, reassess and update as needed or at least every 3 years

27 © G. Dhillon All Rights Reserved

Download ppt "Information Systems Security Risk Management. © G. Dhillon All Rights Reserved Alignment Glenmeade Vision To provide a personalized experience to our."

Similar presentations

VCU Master Class IT Project Management Critical success and failure factors in IT project management: getting IT right GP Dhillon, PhD.

VCU Master Class IT Project Management Critical success and failure factors in IT project management: getting IT right GP Dhillon, PhD.
©2012 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

©2012 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
U.Va.’s IT Security Risk Management Program (ITS-RM) April 2004 LSP Conference Brian Davis OIT, Security and Policy.

U.Va.’s IT Security Risk Management Program (ITS-RM) April 2004 LSP Conference Brian Davis OIT, Security and Policy.
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Security Risk Management Steve Lamb Technical Security Advisor

Security Risk Management Steve Lamb Technical Security Advisor
IT Governance Portfolio and Project Management in State Government Chris Cruz, Chief Information Officer, California Department of Food and Agriculture.

IT Governance Portfolio and Project Management in State Government Chris Cruz, Chief Information Officer, California Department of Food and Agriculture.
Managing Change Planning for Change Revitalising general Motors is like teaching an elephant to tap dance. You find the sensitive spot and start poking.

Managing Change Planning for Change Revitalising general Motors is like teaching an elephant to tap dance. You find the sensitive spot and start poking.
The Nature of Strategic Management

The Nature of Strategic Management
Viewpoint Consulting – Committed to your success.

Viewpoint Consulting – Committed to your success.
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
Software Development Problems Range of Intervention Theory Prevention, Treatment and Maintenance Planning, Development and Use Cost of Intervention.

Software Development Problems Range of Intervention Theory Prevention, Treatment and Maintenance Planning, Development and Use Cost of Intervention.
Managing Project Risk.

Managing Project Risk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks

Risk Assessment Frameworks
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
7-1 Risk Management. 7-2 Risk Risk (in general, in finance): deviation, variance The change can be positive or negative Project risk: any possible event.

7-1 Risk Management. 7-2 Risk Risk (in general, in finance): deviation, variance The change can be positive or negative Project risk: any possible event.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Essentials of Management Chapter 4

Essentials of Management Chapter 4

Similar presentations

Ads by Google