Conostix S.A. Sensible defence.

Presentation transcript:

Introduction
- CIA and prevention/detection/response
- Risk management and its pitfalls
- Economic incentives
- Liability/regulation/compliance
- Due care and due diligence
- Technology
- Awareness
- Conclusion

How security works
To ensure the CIA triad we use:
- Detection
- Prevention
- Response

Today's risk management: Identification of a threat
- Identification: identify the actual threat
- Impact factor: the possible consequences of an attack
- Frequency: the probable frequency of the occurrence of a threat
- Probability: the extent of how confident we are that a threat will happen

Today's risk management: Risk analysis goals
- Identification of the current risks
- The cost/benefit justification of the countermeasures
- Influences the decision-making process on hardware, etc.
- Focus security resources where they are needed most

Today's risk management: Risk analysis – key terms
- Threat
- Asset
- Vulnerability
- Safeguard
- Asset value (AV)
- Exposure factor (EF), value in percentage
- Single loss expectancy (SLE), dollar figure (SLE = EF x AV)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE = SLE x ARO)

Today's risk management: Risk analysis – Quantitative
- Aims to assign tangible values
- Relies on qualitative data
- Process:
  1. Estimate potential losses to the assets
  2. Analyze potential threats to the assets
  3. Define impact and frequency levels
  4. Define the ALE
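The key terms and the quantitative process above can be carried through on sample figures. The following is an added example, not part of the slides: it computes SLE and ALE with the slides' formulas, ranks scenarios by ALE to show where resources are needed most, and applies the standard safeguard cost/benefit formula (ALE before minus ALE after minus the annual cost of the safeguard), which the slides allude to as "cost/benefit justification" but do not spell out. All dollar figures and scenario names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pair, described with the slides' key terms."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # Annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: SLE = EF x AV (rounded to cents)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return round(self.exposure_factor * self.asset_value, 2)

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO (rounded to cents)."""
        return round(self.sle() * self.aro, 2)


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Standard cost/benefit figure for a countermeasure (not on the slides):
    (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard).
    A positive result means the safeguard pays for itself; a negative one means
    the organisation would spend more on the control than it expects to lose."""
    return round(before.ale() - after.ale() - annual_cost, 2)


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first: the slides' 'focus resources where needed most'."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample scenarios (hypothetical figures, not from the slides).
RANSOMWARE = RiskScenario("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2)
LAPTOP_THEFT = RiskScenario("laptop theft", asset_value=5_000, exposure_factor=1.0, aro=2.0)
DEFACEMENT = RiskScenario("website defacement", asset_value=50_000, exposure_factor=0.1, aro=0.5)
SCENARIOS = [DEFACEMENT, LAPTOP_THEFT, RANSOMWARE]

# Same ransomware threat after introducing offline backups: the incident still
# happens as often (same ARO) but only 10% of the asset's value is lost (lower EF).
RANSOMWARE_WITH_BACKUPS = RiskScenario("ransomware on file server (with backups)",
                                       asset_value=200_000, exposure_factor=0.1, aro=0.2)

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:45s} SLE={s.sle():>10,.2f}  ALE={s.ale():>10,.2f}")
    print("backup safeguard value at $10k/year:", safeguard_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, 10_000))
```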

Today's risk management: Risk analysis – Qualitative
- Scenario-oriented approach
- Rank threats on a scale to evaluate their risks, costs and outcome
- In contrast to quantitative analysis, a purely qualitative analysis is always possible
- High guess rating

Today's risk management: Pitfalls
- Misunderstanding between risk and certainty: a risk is the anticipated frequency of losses; certainties are occurring with high frequency
- Reliance on probability, impact and frequency: the unknown controls the probability, the frequency and the impact of a future incident

Sensible defence: Economic incentives
- Benefits vs costs
- Economic pressure

Sensible defence: Liability, regulation, compliance
- Laws push standards
- Liability creates awareness
- Regulatory bodies motivate

Sensible defence: Due care and due diligence
- Due care is using reasonable care to protect the interests of an organization
- Due diligence is practicing the activities that maintain the due care efforts
- Common sense security framework

Sensible defence: Technology
- Functionality vs security: user friendly does not mean insecure; ease of use + common sense = security
- Privacy vs security: sacrifice privacy for security? Should security protect privacy, or ignore it to enhance security?

Sensible defence: Awareness
- Human intelligence is most important
- Reduce risk without technology
- Limit damage in case of an incident
- Give users insight into the value of company assets and the usage of information systems

Sensible defence: Security is a trade-off
Sensible defence is balanced security:
- Balance cost vs economic gain
- Balance liberty vs privacy
- Balance functionality vs security
- Liability, legislation and regulation

Sensible defence: Questions?
Q & A
Thanks to: my colleagues, Donn Parker, Bruce Schneier, Rebecca Herold