Information Security Risk Management

Presentation on theme: "Information Security Risk Management"— Presentation transcript:

1 Information Security Risk Management
A Systematic View to Approaches

2 Content
Concept
Management Principles
Framework
Process Approaches
Samples

3 What is an IT Risk?
Risk = ƒ (Threat x Vulnerability x Impact)
Vulnerability: weakness in the system or situation
Threat: probability of occurrence of an event exploiting the vulnerability
Impact: consequence
Example – Information leakage
  Vulnerability: Unprotected sensitive traffic, unnecessary services enabled
  Threat: Eavesdropping, illegal processing of data
  Impact: Loss of business

4 How to manage IT Risks? Information Security Risk Management
Identify organizational needs on info security in a systematic approach
Create an effective information security management system (ISMS)
Align with overall enterprise risk management
Address risks in an effective and timely manner as needed
Be an integral part of all information security management activities
Apply both to implementation and ongoing operation of ISMS
It is a continual process
Applies to the organization as a whole, any discrete part of the organization, or any IT system
Principles apply

5 What are the Principles?
Creates value
Integral part of organizational processes
Part of decision making
Explicitly addresses uncertainty
Systematic, structured and timely
Based on the best available information
Tailored
Takes human and cultural factors into account
Transparent and inclusive
Dynamic, iterative and responsive to change
Facilitates continual improvement and enhancement of the organization

6 How to apply the Principles? Risk Management Framework
Provide foundations and arrangements to be embedded at all levels
Assist in managing risks effectively through application of the risk management process at varying levels within specific contexts of the organization
Ensure risk information is adequately reported to the management
Ensure risk-based decision making and accountability
The key to success: effectiveness of the framework

7 How does the Framework work?
Basic Risk Management Framework recommended by ISO 31000:2009:
  Mandate & Commitment
  Design framework for managing risk
  Implement risk management
  Monitor and review the framework
  Continually improve the framework
The framework components interrelate in an iterative manner
Organization should adapt the components to their specific needs
Implemented by the Risk Management Process
Existing general RM process should be critically reviewed and assessed against IT Security requirements

8 How does the RM Process work?
Illustration of an Information Security Risk Management Process by ISO 31000:2009:
  Context Establishment
  Risk Assessment: Risk Identification, Risk Analysis, Risk Evaluation (Y/N decision point)
  Risk Treatment (Y/N decision point)
  Risk Acceptance
  Risk Communication and Consultation
  Risk Monitoring and Review
The process components interrelate in an iterative manner
Provide a good balance between time and effort spent in identifying controls
Ensure high risks are appropriately assessed
Embedded in the culture and practices
Tailored to the business processes of the enterprise

9 Why always an iterative approach?
A systematic approach is necessary for Info Sec Risk Management
Risk Management is a continual process
Iterative approach provides a good balance between time and effort
Information security protection efforts will vary over time
Why again? Ultimately, CHANGES! from internal and external parties
Including but not limited to technology changes and adversary changes

10 Sample 1 - Hardware
Vulnerability: Unprotected storage
Threat: Theft of media or documents
Impact: Loss of business information
Mitigating control: Lock the storage in rooms under video surveillance

11 Sample 2 - Software
Vulnerability: Unclear or incomplete specification for developers
Threat: Software malfunction
Impact: System shutdown, critical public relationship or project delay, depending on specific business type
Mitigating control: Peer review and confirm all specification documents before development

12 Sample 3 - Network
Vulnerability: Transfer of passwords in clear
Threat: Remote spying, illegal access to internal systems
Impact: Damage to reputation or loss of business, depending on specific business type
Mitigating control: Encrypt the password; send a password hash instead of the password
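The risk formula from slide 3 and the three samples above can be put together as a small risk register that runs one iteration of the process on slide 8 (analyse, evaluate against an acceptance threshold, treat, re-evaluate). The code below is an added example, not part of the presentation; the 1-3 ordinal scales, the acceptance threshold, the scores assigned to each sample and the assumption that a mitigating control lowers the vulnerability level to LOW are all illustrative choices, not values from the slides.

```python
"""Qualitative risk register: Risk = f(Threat x Vulnerability x Impact).

Added example, not from the presentation. Scales, threshold and per-sample
scores are assumptions; the entries are constructed from the slides' samples.
"""
from dataclasses import dataclass, replace

# Ordinal scale for each factor (assumption): 1 = low, 2 = medium, 3 = high.
LOW, MEDIUM, HIGH = 1, 2, 3

# Risk scores above this product go to risk treatment; at or below, the risk
# may be accepted (assumed threshold for the illustration).
ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    name: str
    vulnerability: str
    threat: str
    impact: str
    vulnerability_level: int   # weakness in the system or situation
    threat_level: int          # likelihood an event exploits the vulnerability
    impact_level: int          # consequence to the business
    mitigating_control: str

    def score(self) -> int:
        # f() is taken as the plain product of the three factors (assumption).
        return self.vulnerability_level * self.threat_level * self.impact_level


def needs_treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Risk evaluation: decide whether the score exceeds the acceptance level."""
    return risk.score() > threshold


def apply_control(risk: Risk) -> Risk:
    """Residual risk after the mitigating control; assumed to reduce the
    vulnerability level to LOW while threat and impact stay unchanged."""
    return replace(risk, vulnerability_level=LOW)


def rank(register: list[Risk]) -> list[Risk]:
    """Highest-scoring risks first, so they are assessed and treated first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def treatment_plan(register: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> list[dict]:
    """One iteration of evaluate -> treat -> re-evaluate for every risk.

    'outcome' of "treat again" marks a residual risk still above the threshold,
    i.e. the next iteration of the process must look for further controls.
    """
    plan = []
    for risk in rank(register):
        if not needs_treatment(risk, threshold):
            plan.append({"name": risk.name, "initial": risk.score(), "decision": "accept",
                         "residual": risk.score(), "outcome": "accept"})
            continue
        residual = apply_control(risk)
        outcome = "accept" if not needs_treatment(residual, threshold) else "treat again"
        plan.append({"name": risk.name, "initial": risk.score(), "decision": "treat",
                     "control": risk.mitigating_control,
                     "residual": residual.score(), "outcome": outcome})
    return plan


# Register constructed from the presentation's three samples; the levels are
# illustrative assumptions, not ratings given on the slides.
REGISTER = [
    Risk("Hardware: unprotected storage", "Unprotected storage",
         "Theft of media or documents", "Loss of business information",
         HIGH, MEDIUM, HIGH, "Lock the storage in rooms under video surveillance"),
    Risk("Software: unclear specification", "Unclear or incomplete specification",
         "Software malfunction", "System shutdown or project delay",
         MEDIUM, MEDIUM, MEDIUM, "Peer review of all specification documents"),
    Risk("Network: passwords in clear", "Transfer of passwords in clear",
         "Remote spying, illegal access", "Damage to reputation or loss of business",
         HIGH, HIGH, HIGH, "Encrypt the password in transit"),
]

if __name__ == "__main__":
    for entry in treatment_plan(REGISTER):
        print(entry)
```

With the assumed levels the network risk scores 27, is treated, and still sits at 9 afterwards, so it is flagged "treat again": that is the point of the iterative process on slides 8 and 9, since a single control rarely brings a high risk under the acceptance line in one pass. The software risk scores exactly the threshold and is accepted without treatment, which is the other branch of the evaluation decision point.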
