Published by Benjamin Reynard Thornton. Modified over 8 years ago.
Slide 1: Risk assessment
Rolf Sture Normann, CISA, CRISC, 27001 Lead Implementer
Secretary for information security in HE Norway, UNINETT
Slide 2
Information security makes it possible to take advantage of information systems! We need to be able to trust the information if we are to succeed in implementing more efficient information systems:
- Privacy
- Banking transactions
- Health information
- Etc.
Slide 3: Risk assessment?
- Identify which assets we have and what can happen to them that has a negative impact on the information's confidentiality, integrity or availability
- Assess the risk: the combination of impact and likelihood (asset value) for each event
- Evaluate and treat the risk by implementing proper controls that reduce the likelihood and/or the impact the incident will cause
- Bring the risk down to an accepted level
Slide 4: Why do risk assessment?
- Comply with regulations and laws
- To keep the trust between the registrant and the registered
- Quality
- Know which assets you have
- An important part of information security!
Slide 5: We do it every day...
What is our decision based on? Not documented and not structured.
Slide 6: Challenges
- Time- and resource-consuming
- Needs special knowledge or an expensive consultant
- Support from the management
- Delivering services is more important than securing them?
Slide 7: Research report in the Norwegian HE sector
http://complexserien.net/content/201404-styring-av-informasjonssikkerheten-i-universiteter-og-h%C3%B8yskoler
Slide 8: Important topics in the white paper
- As easy as possible (but not easier)
- Get started; don't wait until you think you have the perfect system
- Risk assessment for both end users and highly technical personnel
- Practical
- Planning
- Leadership
- Workshop
- Do methods really matter?
- Report
- Risk treatment
Slide 9: Risk process in the ISMS
Slide 10: Risk assessments at different levels
Slide 11: The business (helicopter view)
- What are the "built-in" risks in our sector
- What kind of information do we have
- Facilities
- Regions
Slide 12: Business processes
- Assessing a specific business process, e.g. the research and development process
- Different participants at different stages
Slide 13: Business systems
- Scope
- Usage of the system
- What information
- End users or superusers
- Technical staff/operations
- Administrators
Slide 14: ROS workshop (ROS: risk and vulnerability analysis)
- A workshop to find out what events can occur and what their impact would be.
- Not too many participants.
- One person with experience in risk assessments should facilitate the workshop.
- A secretary who takes notes of the events.
- Try to involve people who together represent your organisation's use of the system/process.
- Failing to involve people who should have been involved can create "enemies".
Slide 15: Workshop planning
- The scope
- Who should attend
- Don't create "enemies"
- All types of users
- Create a preparation document
- Can be an eye-opener (awareness)
Slide 16: Workshop: the meeting
- What is a risk assessment
- The participants are important
- Discuss the provided examples
- One person should write down the incidents that come up
- Try to find out when to end this part
- Likelihood and impact
- The risk matrix and its values
- Acceptance criteria
Slide 17: How often?
- Should be done on a regular basis
- A ROS should be done after each change in the system or environment that can affect information security
- Once a thorough ROS has been done, it is more efficient to use the last assessment as a base; it will become less time-consuming
Slide 18: Risk treatment
- After the ROS is done it is crucial to treat the newly discovered risks.
- A risk treatment plan should be made, based on the policy for treating risk.
- Methods: reduce (mitigate), accept, transfer, avoid
- Risk should be treated until it is acceptable according to the acceptance criteria set by the management
Slide 19: The risk process
- List of information assets and their value
- What are the existing controls
- Mapping of risk elements
- Risk matrix with values (likelihood and impact)
- Prioritizing risk elements
- Establish mitigation controls
- Acceptance of controls
- Implement and follow up controls
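The following script is an added worked example, not part of the presentation or UNINETT's own material. It walks through the risk process on slides 3, 18 and 19 in code: a register of assets and their value, existing controls, risk elements (unwanted events mapped to confidentiality, integrity or availability), a likelihood and impact score that places each element in a risk matrix, prioritization, the four treatment options, and a check of the residual risk against management's acceptance criterion. The 1-4 scales, the acceptance threshold, the level bands and the sample register entries are all constructed assumptions; the presentation's own scales and matrix are not reproduced here.

```python
"""Risk register and risk matrix for an information-security risk assessment (added example)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

# Constructed 1-4 scales (assumption; the presentation's own scales are not reproduced)
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "likely", 4: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "moderate", 3: "serious", 4: "critical"}

# Acceptance criterion set by management (assumption): a score of 4 or less is acceptable
ACCEPTABLE_RISK = 4

# The four treatment options named on the risk-treatment slide
TREATMENT_OPTIONS = ("reduce", "accept", "transfer", "avoid")


@dataclass(frozen=True)
class RiskElement:
    asset: str
    asset_value: int                      # 1-4, same scale as impact (assumption)
    event: str                            # the unwanted event found in the workshop
    property: str                         # "C", "I" or "A": which security property it hits
    likelihood: int
    impact: int
    existing_controls: tuple[str, ...] = ()
    treatment: Optional[str] = None       # None until a treatment decision is recorded

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales so the matrix stays consistent
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"likelihood/impact out of scale for {self.event!r}")
        if self.property not in ("C", "I", "A"):
            raise ValueError(f"property must be C, I or A for {self.event!r}")
        if self.treatment is not None and self.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        """Risk = likelihood x impact, i.e. the cell the element lands in on the matrix."""
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Coarse banding of the score (thresholds are an assumption)."""
    if score <= ACCEPTABLE_RISK:
        return "low"
    if score <= 8:
        return "medium"
    return "high"


def prioritize(register: list[RiskElement]) -> list[RiskElement]:
    """Highest score first; ties broken by impact so the most serious events come first."""
    return sorted(register, key=lambda e: (-e.score, -e.impact, e.asset))


def risk_matrix(register: list[RiskElement]) -> dict[tuple[int, int], list[str]]:
    """Cell (likelihood, impact) -> the events plotted in that cell."""
    cells: dict[tuple[int, int], list[str]] = {
        (lk, im): [] for lk in LIKELIHOOD_SCALE for im in IMPACT_SCALE
    }
    for e in register:
        cells[(e.likelihood, e.impact)].append(e.event)
    return cells


def unacceptable(register: list[RiskElement]) -> list[RiskElement]:
    """Elements above the acceptance criterion with no treatment decision recorded yet."""
    return [e for e in register if e.score > ACCEPTABLE_RISK and e.treatment is None]


def treat(elem: RiskElement, treatment: str, *, likelihood: Optional[int] = None,
          impact: Optional[int] = None, control: Optional[str] = None) -> RiskElement:
    """Record a treatment and return the element with its residual likelihood/impact.

    "reduce", "transfer" and "avoid" may lower likelihood and/or impact and add a control;
    "accept" keeps the values and only records the decision.
    """
    if treatment == "accept":
        return replace(elem, treatment=treatment)
    controls = elem.existing_controls + ((control,) if control else ())
    return replace(elem, treatment=treatment, existing_controls=controls,
                   likelihood=elem.likelihood if likelihood is None else likelihood,
                   impact=elem.impact if impact is None else impact)


def render_matrix(register: list[RiskElement]) -> str:
    """Text risk matrix: rows = likelihood (highest at the top), columns = impact."""
    cells = risk_matrix(register)
    rows = ["L\\I " + " ".join(f"{im:>3}" for im in IMPACT_SCALE)]
    for lk in sorted(LIKELIHOOD_SCALE, reverse=True):
        rows.append(f"{lk:>3} " + " ".join(f"{len(cells[(lk, im)]):>3}" for im in IMPACT_SCALE))
    return "\n".join(rows)


# Constructed sample register, as it might come out of a fictitious workshop
SAMPLE_REGISTER = [
    RiskElement("student records database", 4, "records disclosed through weak access control",
                "C", likelihood=3, impact=4, existing_controls=("password login",)),
    RiskElement("research file share", 4, "ransomware makes research data unavailable",
                "A", likelihood=2, impact=4, existing_controls=("nightly backup",)),
    RiskElement("learning management system", 3, "grades altered by an unauthorised user",
                "I", likelihood=2, impact=3),
    RiskElement("public web site", 1, "web site defaced", "I", likelihood=3, impact=1),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_REGISTER))
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.score:>2} {risk_level(e.score):<6} {e.property} {e.event}")
    # Treat the top risk and confirm the residual risk meets the acceptance criterion
    top = prioritize(SAMPLE_REGISTER)[0]
    residual = treat(top, "reduce", likelihood=1, control="MFA and role-based access")
    print(f"residual score for {residual.event!r}: {residual.score} ({risk_level(residual.score)})")
```

The register is deliberately a list of immutable elements: a treatment produces a new element with the residual values, so the original workshop scores stay available as the baseline the "How often?" slide recommends reusing in the next assessment.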
Slide 20: Needs for a workshop
- Meeting facilities with a whiteboard or projector
- A short presentation of what a ROS is
- Part 1: Identify risk elements (unwanted events)
- Part 2: Assess and assign values to impact and likelihood
Slide 22: The risk matrix
Slide 23: Likelihood scale
Slide 24: Impact scale
Slide 25: Workshop results
Slide 26: The report
Slide 27: ISMS in the HE sector in Norway