Risk Assessment Frameworks

Risk Assessment Frameworks
Rodney Petersen, Government Relations Officer and Security Task Force Coordinator, EDUCAUSE

Overview
- Definition(s) of Risk Management & Risk
- Impact(s) of Risk
- Enterprise Risk Management
- ERM Frameworks
- DHS Risk Management Framework
- NIST Risk Assessment Framework
- STF Risk Assessment Framework

Definition of Risk Management
"Risk management is a scientific approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures that minimize the occurrence of loss or the financial impact of the losses that do occur." (Fundamentals of Risk and Insurance, Vaughan and Vaughan)
Meaning: risk is uncertainty concerning the occurrence of a loss.

Risk Equation
Risk = Vulnerability x Threat x Impact (x Probability*)
- Vulnerability = an error or a weakness in the design, implementation, or operation of a system.
- Threat = an adversary that is motivated to exploit a system vulnerability and is capable of doing so.
- Impact = the likelihood that a vulnerability will be exploited or that a threat may become harmful.
*Probability = likelihood, already factored into Impact.

Types of Risk
- Strategic: goals of the organization
- Operational: processes that achieve goals
- Financial: safeguarding assets
- Compliance: laws and regulations
- Reputational: public image

Responses to Risk (severity vs. frequency matrix)
- High severity: Transfer (low frequency), Avoid (high frequency)
- Low severity: Accept (low frequency), Accept/Transfer (high frequency)

Enterprise Risk Management (ERM)
- "A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO)
- "A rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage." (Tillinghast-Towers Perrin consultancy group)
- "Any issue that impacts an organization’s ability to meet its objectives." (Developing A Strategy to Manage Enterprisewide Risk in Higher Education, NACUBO)

ERM Frameworks
- COSO’s ERM – Integrated Framework
- Australia/New Zealand Standard – Risk Management
- ISO Risk Management – Draft Standard
- The Combined Code and Turnbull Guidance
- A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)

COSO Integrated Control Framework
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO’s ERM – Integrated Framework
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance
ERM considers activities at all levels of the organization:
- Enterprise level
- Division or subsidiary
- Business unit processes
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Australia/New Zealand Standard (AS/NZS 4360:2004) – Risk Management

ISO Risk Management - Draft Standard

The Combined Code and Turnbull Guidance
Risk assessment questions:
- Does the company have clear objectives and have they been communicated so as to provide effective direction to employees on risk assessment and control issues? For example, do objectives and related plans include measurable performance targets and indicators?
- Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? These are likely to include the principal risks identified in the Operating and Financial Review.
- Is there a clear understanding by management and others within the company of what risks are acceptable to the board?

A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)

Risk Management Framework for Critical Infrastructure Protection
National Infrastructure Protection Plan, 2006

NIST Risk Management Framework
1. CATEGORIZE Information System (starting point) – FIPS 199 / SP 800-60: define criticality/sensitivity of the information system according to the potential impact of loss.
2. SELECT Security Controls – FIPS 200 / SP 800-53: select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
3. SUPPLEMENT Security Controls – SP 800-53 / SP 800-30: use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
4. DOCUMENT Security Controls – SP 800-18: document in the security plan the security requirements for the information system and the security controls planned or in place.
5. IMPLEMENT Security Controls – SP 800-70: implement security controls; apply security configuration settings.
6. ASSESS Security Controls – SP 800-53A: determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
7. AUTHORIZE Information System – SP 800-37: determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
8. MONITOR Security Controls – SP 800-37 / SP 800-53A: continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Risk Assessment Framework – Security Task Force
Purpose of Framework: to provide a high-level overview on the subject of conducting a risk assessment of information systems within higher education.
Points to Consider:
- Risk Assessment (RA) is an ongoing process
- RA requires strong commitment from senior administration and collaboration between cross-functional units
- RA is part of strategic and continuity planning
- RA requires planning and strategy that systematically increases the scope
- RA needs to become a part of the culture of the university community
- Effective Risk Management (RM) practices require a "risk aware" culture
- Effective RM can provide the basis for prioritizing and resolving possible funding conflicts
- Policy supporting ongoing risk assessment should be developed

Phases of Risk Assessment
- Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets (a one-time process)
- Phase 1: Develop Initial Security Strategies
- Phase 2: Technological View – Identify Infrastructure Vulnerabilities
- Phase 3: Risk Analysis – Develop Security Strategy and Plans

Phase 0: Establish Risk Assessment Criteria
Goal: to quickly establish the overall criteria for the identification of critical data assets and their appropriate priority level, and to obtain senior management's perspective on issues of strategic importance.
- Process 1: Establish Risk Assessment Criteria
- Process 2: Apply the Critical Asset Criteria to Classify Data Collections and Related Resources

Phase 1: Develop Initial Security Strategies
Goal: Once the information assets have been classified, strategic planning for the rest of the risk management process can begin. Vulnerabilities can be identified, and the process of mitigating the threats that can exploit those vulnerabilities can begin. An institution can decide to specifically focus on the very highest risks, or it may decide to focus first on mitigating risks broadly (or both). The mere process of bringing management together to discuss the organization's strategy about risk mitigation can be extremely fruitful.
- Process 1: Strategic Perspective – Senior Management
- Process 2: Operational Perspective – Departmental Management
- Process 3: Practice Perspective – Staff
- Process 4: Consolidated View of Security Requirements

Phase 2: Identify Infrastructure Vulnerabilities
Goal: to identify areas of potential exposure associated with the systems architecture.
- Process 1: Evaluation of Key Technology Components
- Process 2: Evaluation of Selected Technology Components

Phase 3: Develop Security Strategy and Plans
Goal: After identifying key information systems resources and evaluating the degree of vulnerability within the systems, quantitatively determine the level of risk associated with each system and system component. This information may then be used to prioritize the allocation of resources to ensure appropriate mitigation of the highest risks and to make appropriate management decisions about the degree of risk that the organization will be willing to accept.
Process 1: Risk Assessment Steps
1. Assess the potential impact of threats (and vulnerabilities) to critical assets (qualitative and/or quantitative)
2. Evaluate the likelihood of occurrence of the threats (high, medium, low)
3. Create a consolidated analysis of risks, based on the impact value to critical assets and the likelihood of occurrence
Process 2: Protection Strategy and Mitigation Plans
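The three Phase 3 steps, the risk equation and the severity/frequency response matrix from earlier slides, worked through as an added example (not code from the presentation or from EDUCAUSE). It assumes a qualitative high/medium/low scale for both impact and likelihood, a constructed sample register of campus assets, and the assumption that "medium" is grouped with the high side of the two-level response matrix.

```python
from dataclasses import dataclass

# Qualitative scale from Phase 3, step 2 (high, medium, low) mapped to 1..3.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str        # critical asset classified in Phase 0
    threat: str       # threat to that asset (Phase 2 / Phase 3, step 1)
    impact: str       # qualitative impact on the asset (Phase 3, step 1)
    likelihood: str   # qualitative likelihood of occurrence (Phase 3, step 2)


def risk_score(item: RiskItem) -> int:
    """Qualitative instance of Risk = Threat x Impact (probability folded in): 1..9."""
    if item.impact not in LEVEL or item.likelihood not in LEVEL:
        raise ValueError(f"unknown level on {item.asset}: {item.impact}/{item.likelihood}")
    return LEVEL[item.impact] * LEVEL[item.likelihood]


def response(item: RiskItem) -> str:
    """Map severity (impact) and frequency (likelihood) onto the slide's 2x2 matrix.

    Assumption: the matrix only has high/low rows and columns, so "medium" is
    treated conservatively as the high side.
    """
    severe = LEVEL[item.impact] >= LEVEL["medium"]
    frequent = LEVEL[item.likelihood] >= LEVEL["medium"]
    if severe:
        return "avoid" if frequent else "transfer"
    return "accept/transfer" if frequent else "accept"


def consolidated_analysis(items):
    """Phase 3, step 3: rank risks by score (highest first) with a recommended response."""
    ranked = sorted(items, key=risk_score, reverse=True)  # stable: ties keep register order
    return [(i.asset, i.threat, risk_score(i), response(i)) for i in ranked]


# Constructed sample register (not data from the presentation).
SAMPLE_REGISTER = [
    RiskItem("student records database", "credential theft", "high", "medium"),
    RiskItem("campus web server", "defacement", "low", "high"),
    RiskItem("research file share", "ransomware", "high", "low"),
    RiskItem("lab printer", "misuse", "low", "low"),
]

if __name__ == "__main__":
    for asset, threat, score, action in consolidated_analysis(SAMPLE_REGISTER):
        print(f"{score}  {action:16} {asset}: {threat}")
```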

Conclusion It is important to note that this is a process that has no finish line. While a risk assessment - the process of identifying and quantifying risks - might take place on an infrequent basis (e.g., annually), the risk management process - the ongoing process of mitigating the risks to the organization - should be ingrained into the institution's culture to be most effective.