Information Systems Security Risk Management

© G. Dhillon All Rights Reserved

Alignment

Glenmeade Vision
- To provide a personalized experience to our customers
- To reach out to the customers and know their preferences, likes and dislikes

Objectives (business, marketing, IT, ops)
- Implement a Customer Relationship Management System
- Buy a state-of-the-art system
- Develop a Tastemasters program
- Get to the customer directly & most efficiently

Programs supporting the objectives
- Marketing programs: freebies, sponsorships
- Operations programs: on-time delivery incentives, etc.
- IT programs: new rollouts, system training, IT project management

Aspiration Vision

Security is a business enabler
- Security allows me to do something I couldn't do [safely] otherwise/before: electronic commerce, online banking, online brokerage
- Added value: security is part of the product; it helps make the sale, and revenue is generated as a result of security
- Security is not the product; it allows me to do business

Business enabler

Reality

For a range of reasons companies have always been under pressure to cut IT costs, perhaps by outsourcing, and to justify every expense. And when choosing between keeping the "shop running" and securing it, protection mechanisms take a back burner.

Risks

The Glenmeade alignment diagram (vision, objectives, marketing/operations/IT programs) from the Alignment slide, overlaid with the risks that attach to each objective and program:
- Personal privacy
- Data ownership
- Data flow
- Integrity
- Availability
- ...
- Project risks
- System development risks
- Business continuity risks
- Inherent risks (DoubleClick type)

Risk Management

The same alignment diagram and risk list as on the Risks slide, now posing the questions a risk manager has to answer:
- What is the probability that personal privacy will be compromised when personally identifiable information is accessed in an unauthorized manner?
- What is the probability of unauthorized access?

Answer

Let's calculate the probability of occurrence of a negative event (a privacy breach or unauthorized access in this case). What is it going to cost to mend the privacy breach? BINGO!!

R = P * C

where R is the risk, P is the probability that the negative event occurs and C is the cost of mending it.

Communicating Risk

Well-Formed Risk Statement
- Asset: what are you trying to protect?
- Threat: what are you afraid of happening?
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Probability: how likely is the threat given the controls?
- Impact: what is the impact to the business?
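The following Python is an added worked example, not part of Dr. Dhillon's slides: it puts the well-formed risk statement (asset, threat, vulnerability, mitigation, probability, impact) into a data structure, computes the Answer slide's R = P * C for each statement, ranks the register and flags entries above a management "threshold for pain". The Glenmeade CRM entries and all numbers are constructed for illustration; the residual-risk helper, which re-evaluates R after a proposed control lowers P, is an assumption of the example rather than something the slides state.

```python
"""Risk register built from the well-formed risk statement and R = P * C.

Added illustration, not part of the original presentation. The Glenmeade CRM
statements, probabilities and costs below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RiskStatement:
    """One well-formed risk statement: the six questions from the slide."""
    asset: str            # Asset: what are you trying to protect?
    threat: str           # Threat: what are you afraid of happening?
    vulnerability: str    # Vulnerability: how could the threat occur?
    mitigation: str       # Mitigation: what is currently reducing the risk?
    probability: float    # Probability (P): how likely, given the controls, per year
    impact: float         # Impact (C): cost to the business if it happens

    def __post_init__(self) -> None:
        # A probability outside [0, 1] or a negative cost means the statement
        # was filled in wrong; refuse it rather than rank a meaningless R.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be in [0, 1], got {self.probability}")
        if self.impact < 0:
            raise ValueError(f"impact must be non-negative, got {self.impact}")

    def risk(self) -> float:
        """R = P * C, the Answer slide's formula."""
        return self.probability * self.impact

    def as_sentence(self) -> str:
        """Render the statement the way it would be read out to management."""
        return (f"{self.threat} against {self.asset} via {self.vulnerability}; "
                f"currently reduced by {self.mitigation}; "
                f"P={self.probability:.0%}, C={self.impact:,.0f}, R={self.risk():,.0f}")


def rank_risks(register: Iterable[RiskStatement]) -> List[RiskStatement]:
    """Highest R first, so the costliest exposures are discussed first."""
    return sorted(register, key=lambda s: s.risk(), reverse=True)


def above_threshold(register: Iterable[RiskStatement], threshold: float) -> List[RiskStatement]:
    """Statements whose R exceeds the organisation's 'threshold for pain'."""
    return [s for s in rank_risks(register) if s.risk() > threshold]


def residual_risk(stmt: RiskStatement, probability_after: float) -> float:
    """R after a proposed control lowers P (hypothetical helper, not from the
    slides). C is left unchanged: the control makes the event less likely,
    not cheaper to mend once it has happened."""
    if not 0.0 <= probability_after <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability_after}")
    return probability_after * stmt.impact


# Constructed register for the Glenmeade CRM scenario used on the slides.
GLENMEADE_REGISTER = [
    RiskStatement("customer PII in the CRM", "unauthorized access",
                  "shared administrator accounts",
                  "role-based access and audit logging", 0.10, 500_000),
    RiskStatement("CRM service during campaigns", "extended outage",
                  "single database server with no failover",
                  "nightly backups", 0.25, 80_000),
    RiskStatement("customer preference data",
                  "third-party tracking exposure (DoubleClick type)",
                  "marketing tags shared with ad partners",
                  "contract clauses only", 0.05, 1_200_000),
]

if __name__ == "__main__":
    for stmt in rank_risks(GLENMEADE_REGISTER):
        print(stmt.as_sentence())
    print("above 25,000 threshold:",
          [s.asset for s in above_threshold(GLENMEADE_REGISTER, 25_000)])
```

Run the file to see the register ranked by R. Note that the lowest-probability entry (tracking exposure) ranks first because its cost dominates, which is exactly why the slide insists on stating both P and C rather than arguing over likelihood alone.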

Reference Documents

Publications to help you determine your organization's risk management maturity level include:
- ISO Code of Practice for Information Security Management (ISO 17799), International Standards Organization
- Control Objectives for Information and Related Technology (CobiT), IT Governance Institute
- Security Self-Assessment Guide for Information Technology Systems (SP ), National Institute of Standards and Technology

What's Risk Management?

Formally defined: "The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets."

More simply put...

"Determine what your risks are and then decide on a course of action to deal with those risks."

Even more colloquially...

What's your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

Risk Management Maturity Assessment

Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized

Classify

Risk management: classification

Inherent risks: planning needed; they can be assessed and predicted.

Risk profile by application portfolio quadrant:
- Strategic: outcome risk high, operational risk low, process risk low
- High Potential: what risk?
- Key Operational: outcome risk low, operational risk high, process risk medium
- Support: outcome risk low, operational risk low, process risk high

Typical concerns

Strategic / High Potential (outcome risks; opportunity & financial risks?)
- Lack of strategic framework: poor business understanding
- Conflicts of strategy and problems of coordination
- IT supplier problems
- Poor management of change
- Senior management not involved
- Large and complex projects; too many stakeholders
- Rigid methodology and strict budgetary controls

Key Operational / Support (operational risks; process-based risks)
- Too much faith in the 'technical fix'
- Use of technology for its novelty value
- Poor technical skills in the development team
- Inexperienced staff
- Large and complex projects; too many stakeholders
- Poor testing procedures
- Poor implementation
- Lack of technical standards

Generic CSFs for different applications

- Strategic: time, quality, cost
- High Potential: R & D projects
- Key Operational: time, quality, cost
- Support: time, quality, cost

Risk management: core strategies

- Strategic: CONFIGURE
- High Potential: COMMUNICATE
- Key Operational: CONTROL
- Support: CONSTRAIN

Risk management: directions - 1

Risk type by quadrant:
- Strategic: business and corporate risks
- High Potential: opportunity & financial risks
- Key Operational: operational risks
- Support: process-based risks

Direction by controllability and predictability:
- Controllable, predictable: no problem, carry out plans
- Controllable, unpredictable: practice quick response to manage as events unfold
- Uncontrollable, predictable: emphasize forecasting and thus "steer around" these events
- Uncontrollable, unpredictable: develop a contingency planning system

Risk management: directions - 2

Context-oriented risk assessment: history, context (external), context (internal), business processes, content, risk outcomes.

Applied across the same quadrants:
- Strategic: business and corporate risks
- High Potential: opportunity & financial risks
- Key Operational: operational risks
- Support: process-based risks

Risk Management Practices

Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources

Risk Management Practices (cont.)

Conduct a mission impact analysis and risk assessment to:
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed or at least every 3 years
