IS Risk Management Framework Overview


IS Risk Management Framework Overview QCERT

Target Audience
This session is primarily intended for:
- Senior executives / Decision Makers
- IS/IT Security Managers and Auditors
- Governance, Risk & Compliance Managers
- CIO / IT Managers
- Business Managers (Process Owners)
- System and Information Owners
2/24/2019

Table of Contents
- Need
- Risk Management
- IS Risk Management
- Why manage IS Risk?
- Benefits
- How to manage IS Risk?
- IS Risk Management Framework
- Approach
- Success Factors
- Organizational Commitment
- IS Risk Assessment plan

Need

Information Security Risk Management (ISRM) – Need
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself and not the enemy, for every victory gained you will suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” – Chinese saying
In the IS Risk Management context, knowing yourself and knowing the enemy means understanding:
- Organization’s “Crown Jewels”
- Biggest vulnerabilities
- Threshold for pain
- Hacker interest
- What attracts threats
- Government implication

Risk Management
What is Risk? Risk is the potential of losing something of value, e.g. information.
What is Risk Management? A systematic approach for managing risks within an organization.

Information Security Risk
Information Security Risk: the likelihood of a threat source taking advantage of a vulnerability (e.g. a data breach).
The risk level follows from three questions: What could go wrong? How likely is it? What are the impacts? The answer drives the decision to MANAGE RISK.
Information Security Risk Management: the process of identifying and assessing information security risks and taking steps to reduce risk to an acceptable level.

Why manage IS Risk?
- Failure to meet organizational goals & objectives
- Non-compliance with Qatar legal & regulatory requirements
- Non-compliance with global / regional compliance requirements
- Face audit observations
- Unable to manage risks proactively
- Excess compliance cost
- Unable to manage outsourcing or third-party risks

Benefits – drivers and references
- Qatar National Cyber Security Strategy
- National Information Assurance
- Critical Information Infrastructure Protection (CIIP) Law
- Cyber Crime Law
- ISO 27005:2011 Standard

Benefits
- Visibility of IS risks / opportunities;
- Compliance with regulatory requirements;
- Identify critical information assets;
- Reduce the frequency & magnitude of IS incidents;
- Make more informed decisions;
- Raise awareness about information security risks;
- Increase the level of trust from customers and shareholders;
- Drive business continuity planning; and
- Demonstrate good corporate governance.
Achieve a balance.

How to manage IS Risk?
- Know the risks
- Apply effective controls
- Take responsibility

IS Risk Management Framework (ISRMF)
The framework diagram shows the following elements:
- Organizational Goals, Strategy, Governance and Policies
- IS Risk Governance, with the five-step cycle: 1. Risk Identification, 2. Risk Assessment, 3. Risk Treatment, 4. Risk Communication, 5. Risk Monitoring
- Related processes: Threat & Vulnerability Management; Legal and Regulatory Requirements; Issues Management; Enterprise Risk Management; Incident Management
- Inputs: intelligence & research, incidents, previous RA and geo-political risk reports; Resource Template
- IS Risk Program Management, Training & Awareness

Approach
The ISRM process consists of the following phases:
IS Risk Governance: Scope and Boundary; Policy & Procedure; Steering / Governance Committee; Roles and Responsibilities; ISRM Criteria(s); Perform BIA
1. Risk Identification: Identify Information Assets, Vulnerabilities, Threats, Controls, Inherent Risks
2. Risk Assessment: Assess Information Asset Value & Classification, Vulnerability Factor, Threat Likelihood, Controls Effectiveness, Cost of Control, Initial Residual Risk
3. Risk Treatment: Select Treatment Option (Modify, Share, Avoid, Retain); Treat Risks; Final Residual Risk
4. Risk Communication: Develop Final ISRM Report; Communicate Residual Risks to Management; Obtain Management Approval; Conduct awareness sessions
5. Risk Monitoring: Monitor Risk Treatment, Residual Risk, New Risks; Identify change
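The following is an added worked example, not part of the QCERT deck and not QCERT's scoring model. It implements phases 1 to 3 of the approach above over a small constructed risk register: each entry records the identified asset, threat, vulnerability and control; inherent and residual risk are assessed from asset value, threat likelihood, vulnerability factor and control effectiveness; and a treatment option (Modify, Share, Avoid, Retain) is selected against ISRM criteria. The 1-5 scales, the multiplicative formulas, the level bands, the risk appetite of 20 and the treatment rules are all assumptions chosen for illustration, as is the sample data.

```python
"""Worked ISRM risk-scoring example (constructed; not QCERT's own model).

Phases 1-3 of the approach: identify assets/threats/vulnerabilities/controls,
assess inherent and residual risk, select a treatment option against ISRM
criteria. All scales, formulas and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed ISRM criterion: a residual score at or below RISK_APPETITE may be
# retained (accepted) by management; anything above needs another option.
RISK_APPETITE = 20


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int              # 1 (public) .. 5 (crown jewel), from classification
    threat_likelihood: int        # 1 (rare) .. 5 (almost certain)
    vulnerability_factor: int     # 1 (hard to exploit) .. 5 (trivial / unpatched)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigating)
    control_cost: int             # 1 .. 5, same relative scale as asset_value

    def __post_init__(self):
        # Reject register entries that are off the agreed ordinal scales.
        for name in ("asset_value", "threat_likelihood", "vulnerability_factor", "control_cost"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")


def inherent_risk(r: Risk) -> int:
    """Assumed formula: asset value x threat likelihood x vulnerability factor (1..125)."""
    return r.asset_value * r.threat_likelihood * r.vulnerability_factor


def residual_risk(r: Risk) -> float:
    """Assumed formula: inherent risk reduced by the fraction the controls mitigate."""
    return round(inherent_risk(r) * (1.0 - r.control_effectiveness), 1)


def risk_level(score: float) -> str:
    """Assumed banding of a 1..125 score into the three levels used in reporting."""
    if score >= 60:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def treatment_option(r: Risk) -> str:
    """Assumed decision rules over the four options named on the slide."""
    residual = residual_risk(r)
    if residual <= RISK_APPETITE:
        return "Retain"   # within appetite: accept, record and monitor
    if r.control_cost > r.asset_value:
        return "Share"    # control costs more than the asset is worth: transfer it
    if risk_level(residual) == "High":
        return "Avoid"    # still High with planned controls: stop or redesign the activity
    return "Modify"       # add or strengthen controls to bring the risk within appetite


def assess_register(register):
    """Run phases 1-3 over the register; returns rows for the ISRM report (phase 4)."""
    rows = []
    for r in register:
        inherent, residual = inherent_risk(r), residual_risk(r)
        rows.append({
            "asset": r.asset, "threat": r.threat,
            "inherent": inherent, "inherent_level": risk_level(inherent),
            "residual": residual, "residual_level": risk_level(residual),
            "treatment": treatment_option(r),
        })
    # Highest residual risk first: the order management should review them in.
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed register entries for illustration only.
SAMPLE_REGISTER = [
    Risk("Customer database", "External attacker", "Unpatched database server exposed", 5, 4, 5, 0.7, 3),
    Risk("Public website", "Defacement", "Weak CMS admin password", 2, 3, 3, 0.0, 1),
    Risk("Legacy HR system", "Insider misuse", "No access logging, vendor unsupported", 4, 3, 5, 0.2, 5),
    Risk("Payment gateway", "Fraud via third party", "Shared credentials with supplier", 5, 5, 4, 0.3, 5),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(f'{row["asset"]:<18} inherent={row["inherent"]:>3} ({row["inherent_level"]:<6}) '
              f'residual={row["residual"]:>5} ({row["residual_level"]:<6}) -> {row["treatment"]}')
```

The point of separating inherent from residual risk is that the treatment decision is made on what remains after the planned controls, while the inherent score shows management how much the controls are doing; the Share rule also makes the slide's "Cost of Control" input an explicit part of the decision rather than an afterthought.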

Success Factors
Key factors for implementing a successful security risk management program include:
- Executive sponsorship
- Well-defined list of risk management stakeholders
- Organizational maturity in terms of risk management
- An atmosphere of open communication and teamwork
- Information security risk management team expertise

Organizational Commitment
Organization commitment to ISRM requires:
- Effective management
- Continuous relationships
- Active driving force
- Systematic risk assessment
- Specialist know-how
- Clear rules
- Independent review
- Sound basic practices ‘on the ground’
- Operational things ‘done right’
- Disciplined handling of changes
- Other risks controlled
- Controlled access to system capabilities

For more information, visit www.motc.gov.qa