
Risk assessment Rolf Sture Normann CISA, CRISC, 27001 Lead implementer Secretary for information security in HE Norway, UNINETT.



Presentation transcript:

1 Risk assessment Rolf Sture Normann CISA, CRISC, 27001 Lead implementer Secretary for information security in HE Norway, UNINETT

2 Information security makes it possible to take advantage of information systems! We need to be able to trust the information in order to succeed in implementing more efficient information systems: privacy, banking transactions, health information, etc.

3 Risk assessment? Identify which assets we have and what can happen to them that has a negative impact on the information's confidentiality, integrity or availability. Assess the risk, i.e. the combination of impact and likelihood (asset value), for each event. Evaluate and treat the risk by implementing proper controls that reduce the likelihood and/or the impact an incident will cause. Bring the risk down to an accepted level.

4 Why do risk assessment? Comply with regulations and laws. Keep the trust between the registrant and the registered. Quality. Know which assets you have. It is an important part of information security!

5 We do it every day… What is our decision based on? It is not documented and structured.

6 Challenges: Time- and resource-consuming. Needs special knowledge or an expensive consultant. Support from the management. Is delivering services more important than securing them?

7 Research report in the Norwegian HE sector: http://complexserien.net/content/201404-styring-av-informasjonssikkerheten-i-universiteter-og-h%C3%B8yskoler

8 Important topics in the white paper: As easy as possible (but not easier). Get started, don't wait until you think you have the perfect system. Risk assessment for end users and for highly technical personnel. Practical. Planning. Leadership. Workshop. Do methods really matter? Report. Risk treatment.

9 Risk process in the ISMS

10 Risk assessments at different levels

11 The business: helicopter view. What are the «built in» risks in our sector? What kind of information do we have? Facilities. Regions.

12 Business processes: assessing a specific business process, e.g. the research and development process. Different participants at different stages.

13 Business systems: Scope. Usage of the system. What information. End users or superusers. Technical staff/operations. Administrators.

14 ROS workshop: A workshop to find which events can occur and their impact. Not too many participants. One person with experience in risk assessments should facilitate the workshop. A secretary takes notes of the events. Try to involve persons who together represent your organisation's use of the system/process. Failing to involve people who should have been involved can make «enemies».

15 Workshop planning: The scope. Who should attend: don't create «enemies»; include all types of users. Create a preparation document. It can be an eye opener (awareness).

16 Workshop, the meeting: What risk assessment is. The participants are important. Discuss the provided examples. One person should write down the incidents that come up. Try to find out when to end this part. Likelihood and impact. Risk matrix and the values. Acceptance criteria.

17 How often? Should be done on a regular basis. A ROS should be done after each change in the system or environment that can affect information security. Once a thorough ROS is done, it is more efficient to use the last assessment as a base; it becomes less time-consuming.

18 Risk treatment: After the ROS is done it is crucial to treat the newly discovered risks. A risk treatment plan should be made. It should be based on the policy for treating risk. Methods: Reduce (mitigate), Accept, Transfer, Avoid. Risk should be treated until it is acceptable according to the acceptance criteria set by the management.

19 The risk process: List of information assets and their value. What are the existing controls. Mapping of risk elements. Risk matrix with values (likelihood and impact). Prioritizing risk elements. Establish mitigating controls. Acceptance of controls. Implement and follow up controls.
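As an added example, not from the presentation, the risk process on this slide carried through in Python: a small risk register, the likelihood × impact risk matrix, prioritization, and the list of elements that still exceed the acceptance level and therefore need a treatment decision. The 1..4 scales, the acceptance level of 4, and the assets and events are constructed assumptions, since the slides do not show their own scales.

```python
from dataclasses import dataclass

# Constructed 1..4 scales (assumption; the presentation's own scales are not shown).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "critical": 4}
ACCEPT_LEVEL = 4  # assumed management acceptance criterion: score <= 4 is acceptable

@dataclass
class RiskElement:
    asset: str
    event: str               # unwanted event recorded in workshop part 1
    likelihood: str          # values assigned in workshop part 2
    impact: str
    existing_controls: str = ""

    def score(self) -> int:
        """Risk matrix value: likelihood x impact on the constructed scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def risk_matrix(register):
    """4x4 grid of counts; rows = impact 1..4, columns = likelihood 1..4."""
    grid = [[0] * len(LIKELIHOOD) for _ in IMPACT]
    for r in register:
        grid[IMPACT[r.impact] - 1][LIKELIHOOD[r.likelihood] - 1] += 1
    return grid

def prioritize(register):
    """Highest score first, so treatment effort goes to the largest risks."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def treatment_plan(register, accept_level=ACCEPT_LEVEL):
    """Elements above the acceptance level; each needs a decision: reduce, accept, transfer or avoid."""
    return [r for r in prioritize(register) if r.score() > accept_level]

# Constructed sample workshop output for a university (not from the slides).
REGISTER = [
    RiskElement("Student records", "Grades disclosed to unauthorized staff", "likely", "major", "role-based access"),
    RiskElement("Research data server", "Ransomware encrypts data that has no backup", "unlikely", "critical"),
    RiskElement("Public website", "Defacement of the front page", "likely", "minor"),
    RiskElement("Staff e-mail", "Phishing leads to account takeover", "almost certain", "moderate"),
]

if __name__ == "__main__":
    for r in treatment_plan(REGISTER):
        print(f"{r.score():>2}  {r.asset}: {r.event}")
```

Re-scoring an element with the likelihood and impact expected after a mitigating control gives its residual risk, which is how "treat until acceptable" is checked against the same acceptance level.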

20 Needs for a workshop: Meeting facilities with a whiteboard or projector. Short presentation of what ROS is. Part 1: map the risk elements (unwanted events). Part 2: assess and put values to impact and likelihood.

21

22 The risk matrix

23 Likelihood scale

24 Impact scale

25 Workshop results

26 The report

27 ISMS HE sector in Norway

