Information Security Risk Management

Information Security Risk Management: A Systematic View of Approaches

Contents
Concept
Management
Principles
Framework
Process
Approaches
Samples

What is an IT risk?
Risk = f(Threat x Vulnerability x Impact)
Vulnerability: a weakness in a system, process or situation that a threat can exploit
Threat: a potential event that exploits the vulnerability, weighted by the likelihood of it occurring
Impact: the consequence for the organization if the threat materializes
In practice f is a product or a lookup matrix on ordinal scales; the factors combine multiplicatively, so a risk stays low when any one of them is negligible (no exploitable weakness, no credible threat, or no meaningful consequence).
Example: information leakage
Vulnerability: unprotected sensitive traffic, unnecessary services enabled
Threat: eavesdropping, illegal processing of data
Impact: loss of business

How to manage IT risks? Information security risk management:
Identifies the organization's information security needs in a systematic way
Creates an effective information security management system (ISMS)
Is aligned with overall enterprise risk management
Addresses risks effectively and in a timely manner, as needed
Is an integral part of all information security management activities
Applies both to the implementation and to the ongoing operation of the ISMS
Is a continual process
Scope: the organization as a whole, any discrete part of it, or any single IT system
The same principles apply at every scope

What are the principles? Risk management (the eleven principles of ISO 31000:2009):
Creates value
Is an integral part of organizational processes
Is part of decision making
Explicitly addresses uncertainty
Is systematic, structured and timely
Is based on the best available information
Is tailored
Takes human and cultural factors into account
Is transparent and inclusive
Is dynamic, iterative and responsive to change
Facilitates continual improvement and enhancement of the organization

How to apply the principles? The risk management framework:
Provides the foundations and organizational arrangements for embedding risk management at all levels
Assists in managing risks effectively by applying the risk management process at varying levels and within the specific contexts of the organization
Ensures that risk information is adequately reported to management
Ensures risk-based decision making and accountability
The key to success is the effectiveness of the framework

How does the framework work? The basic risk management framework recommended by ISO 31000:2009:
Mandate and commitment
Design the framework for managing risk
Implement risk management (the framework is implemented through the risk management process)
Monitor and review the framework
Continually improve the framework
The framework components interrelate in an iterative manner
Organizations should adapt the components to their specific needs
An existing general risk management process should be critically reviewed and assessed against IT security requirements before it is reused for information security

How does the RM process work? Illustration of an information security risk management process (ISO/IEC 27005, which applies the ISO 31000:2009 process to information security):
Context establishment
Risk assessment: risk identification, risk analysis, risk evaluation
Risk decision point 1: is the assessment satisfactory? No: iterate the assessment (revised context, more detail). Yes: proceed to risk treatment
Risk treatment
Risk decision point 2: is the treatment satisfactory, i.e. is the residual risk acceptable? No: iterate assessment and treatment. Yes: proceed to risk acceptance
Risk acceptance
Risk communication and consultation, and risk monitoring and review, run alongside every step
The process components interrelate in an iterative manner
Iteration provides a good balance between the time and effort spent identifying controls
Ensures that high risks are appropriately assessed
Embedded in the culture and practices of the organization
Tailored to the business processes of the enterprise

Why always an iterative approach?
A systematic approach is necessary for information security risk management
Risk management is a continual process
An iterative approach provides a good balance between time and effort
Information security protection efforts will vary over time
Why again? Ultimately, because of CHANGE, driven by internal and external parties, including but not limited to changes in technology and changes in adversaries (new threats and new attack techniques)
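To make the Risk = f(Threat x Vulnerability x Impact) formula and the treat-then-re-evaluate loop of the process concrete, the following Python risk register runs scenarios through assessment, evaluation against an acceptance criterion, treatment and re-evaluation until the residual risk is acceptable or the candidate controls are exhausted. It is an added example, not code from the original slides: the 1..5 ordinal scales, the choice of a plain product as f, the acceptance threshold of 20, the control effects and the three scenarios (modelled on the deck's hardware, software and network samples) are all assumptions.

```python
"""Toy information security risk register.

Added example, not from the original slides. Implements the ISO/IEC 27005-style loop
identify -> analyse -> evaluate -> (treat -> re-evaluate)* -> accept, with
Risk = f(Threat x Vulnerability x Impact) taken as a plain product on 1..5 scales.
All scales, scores, control effects and the acceptance threshold are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ACCEPTANCE_THRESHOLD = 20  # assumed acceptance criterion: residual score <= 20 is retained


@dataclass(frozen=True)
class Control:
    """A treatment option and how many points it removes from each factor (assumed)."""
    name: str
    likelihood: int = 0      # preventive effect: the threat becomes less likely
    exploitability: int = 0  # the vulnerability becomes harder to exploit
    impact: int = 0          # corrective effect: the consequence is reduced


@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int          # threat factor, 1 (rare) .. 5 (almost certain)
    exploitability: int      # vulnerability factor, 1 (hard) .. 5 (trivial)
    impact: int              # consequence, 1 (negligible) .. 5 (severe)
    controls: Tuple[str, ...] = ()  # treatments applied so far


def score(r: Risk) -> int:
    """f(Threat x Vulnerability x Impact) as a product: any factor at 1 keeps the risk low."""
    return r.likelihood * r.exploitability * r.impact


def evaluate(r: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Risk evaluation against the acceptance criterion."""
    return "accept" if score(r) <= threshold else "treat"


def treat(r: Risk, c: Control) -> Risk:
    """Risk treatment: apply one control and return the residual risk (factors floor at 1)."""
    low = lambda value, cut: max(1, value - cut)
    return replace(
        r,
        likelihood=low(r.likelihood, c.likelihood),
        exploitability=low(r.exploitability, c.exploitability),
        impact=low(r.impact, c.impact),
        controls=r.controls + (c.name,),
    )


def manage(r: Risk, candidates: List[Control],
           threshold: int = ACCEPTANCE_THRESHOLD) -> Tuple[Risk, List[Tuple[str, int, str]]]:
    """Decision point 2 loop: treat, re-evaluate, repeat until acceptable or out of controls.

    Returns the residual risk and a history of (step, score, decision) for the register.
    """
    history = [("initial", score(r), evaluate(r, threshold))]
    for c in candidates:
        if evaluate(r, threshold) == "accept":
            break                      # residual risk acceptable: stop treating
        r = treat(r, c)
        history.append((c.name, score(r), evaluate(r, threshold)))
    return r, history


# Constructed scenarios (scores assumed), modelled on the deck's hardware/software/network samples.
SAMPLE_RISKS: List[Tuple[Risk, List[Control]]] = [
    (Risk("Hardware", "Unprotected storage", "Theft of media or documents", 3, 4, 4),
     [Control("Lock storage in rooms under video surveillance", likelihood=2)]),
    (Risk("Software", "Unclear or incomplete specification", "Software malfunction", 4, 3, 3),
     [Control("Peer review of all specification documents", likelihood=2)]),
    (Risk("Network", "Passwords transferred in the clear", "Remote spying, illegal access", 4, 5, 4),
     [Control("Transport encryption (TLS)", likelihood=2),          # not enough on its own here
      Control("Challenge-response authentication", exploitability=3)]),
]


def run_register(threshold: int = ACCEPTANCE_THRESHOLD) -> Dict[str, Tuple[int, str, Tuple[str, ...]]]:
    """Run every sample through the loop; returns asset -> (residual score, decision, controls)."""
    out = {}
    for risk, controls in SAMPLE_RISKS:
        residual, _ = manage(risk, controls, threshold)
        out[risk.asset] = (score(residual), evaluate(residual, threshold), residual.controls)
    return out


if __name__ == "__main__":
    for risk, controls in SAMPLE_RISKS:
        _, history = manage(risk, controls)
        print(risk.asset, " -> ".join(f"{step}: {s} ({d})" for step, s, d in history))
```

The network scenario is the one worth watching: transport encryption alone takes it from 80 to 40, which is still above the assumed threshold, so decision point 2 sends it back for a second control before it can be accepted. Raising the threshold (for an organization with a higher risk appetite) shortens or removes the loop without changing the code.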

Sample 1: Hardware
Vulnerability: unprotected storage
Threat: theft of media or documents
Impact: loss of business information
Mitigating control: lock the storage in rooms under video surveillance

Sample 2: Software
Vulnerability: unclear or incomplete specification for developers
Threat: software malfunction
Impact: system shutdown, damage to public relations or project delay, depending on the specific business
Mitigating control: peer review and sign-off of all specification documents before development starts

Sample 3: Network
Vulnerability: transfer of passwords in the clear
Threat: remote spying, illegal access to internal systems
Impact: damage to reputation or loss of business, depending on the specific business
Mitigating control: encrypt the password in transit; send a hash of the password instead of the password itself
Caveat: a static hash sent over the network is itself a reusable credential. An eavesdropper who captures it can replay it to authenticate without ever learning the password, so hashing alone does not remove the vulnerability. The control only works when the channel is encrypted (e.g. TLS) or when the proof is bound to a fresh server challenge, so that a captured response cannot be reused.
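The replay problem with the "send the hash instead of the password" control in Sample 3 is easiest to see in running code. The following Python is an added example, not code from the original slides: Scheme A is the slide's control taken literally (a static hash on the wire), Scheme B binds the client's proof to a single-use server nonce with an HMAC keyed by the stored verifier. The user, password and in-memory credential store are constructed for the demo, and the unsalted SHA-256 verifier is a deliberate simplification.

```python
"""Why "send the password hash instead of the password" is not a complete control.

Added example, not from the original slides. Scheme A is the slide's control taken
literally: the client sends a static hash over the network. Scheme B binds the proof
to a fresh server nonce (HMAC over the nonce, keyed with the stored verifier), so a
captured message cannot be replayed. Users, passwords and the tiny in-memory
credential store are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict


def password_hash(password: str) -> bytes:
    # Simplification for the demo: unsalted SHA-256. For storage at rest use a
    # salted, slow password hash (scrypt/argon2) instead.
    return hashlib.sha256(password.encode()).digest()


# Constructed credential store: username -> stored verifier.
CREDENTIALS: Dict[str, bytes] = {"alice": password_hash("correct horse battery")}


# --- Scheme A: static hash on the wire ----------------------------------------
def static_login(user: str, presented: bytes) -> bool:
    """Accepts whatever hash the client sends; the hash itself is the credential."""
    stored = CREDENTIALS.get(user)
    return stored is not None and hmac.compare_digest(stored, presented)


# --- Scheme B: challenge-response bound to a single-use nonce -----------------
class ChallengeServer:
    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}   # outstanding nonce per user

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)  # single use: a replay has no nonce to match
        stored = CREDENTIALS.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """What a legitimate client sends in Scheme B: HMAC(password_hash, nonce)."""
    return hmac.new(password_hash(password), nonce, hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    """Eavesdropper captures one legitimate exchange of each scheme, then replays it."""
    # Scheme A: the captured hash logs the attacker in; the password is never needed.
    captured_hash = password_hash("correct horse battery")   # what was seen on the wire
    replay_a = static_login("alice", captured_hash)

    # Scheme B: the captured response is tied to a nonce the server has already discarded.
    server = ChallengeServer()
    nonce = server.challenge("alice")
    captured_response = client_response("correct horse battery", nonce)
    legit_b = server.verify("alice", captured_response)
    server.challenge("alice")                                 # attacker opens a new session
    replay_b = server.verify("alice", captured_response)      # stale nonce: rejected
    return {"static_hash_replay": replay_a,
            "legit_challenge_response": legit_b,
            "challenge_response_replay": replay_b}


if __name__ == "__main__":
    print(demo())
```

Scheme B only defeats replay of captured traffic. The stored verifier is still the long-term HMAC key, so a compromise of the credential store yields working credentials (the same concern as pass-the-hash), and an active attacker can still tamper with an unencrypted channel. In practice, run authentication over TLS, keep salted slow hashes at rest, and prefer a PAKE or an established protocol over a home-grown exchange.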