IS Risk Management Framework Overview


1 IS Risk Management Framework Overview
QCERT

2 Target Audience
This session is primarily intended for:
- Senior executives / decision makers
- IS/IT security managers and auditors
- Governance, risk and compliance managers
- CIOs / IT managers
- Business managers (process owners)
- System and information owners

3 Table of Contents
- Need
- Risk Management
- IS Risk Management
- Why manage IS Risk?
- Benefits
- How to manage IS Risk?
- IS Risk Management Framework
- Approach
- Success Factors
- Organizational Commitment
- IS Risk Assessment plan

4 Need

5 Need

6 Information Security Risk Management (ISRM)
Need
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself and not the enemy, for every victory gained you will suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." (Chinese saying)
In the IS Risk Management context, "knowing yourself and the enemy" covers:
- The organization's "crown jewels"
- Its biggest vulnerabilities
- What attracts threats
- Hacker interest
- Government implications
- The organization's threshold for pain

7 Risk Management
What is Risk? Risk is the potential of losing something of value, e.g. information.
What is Risk Management? A systematic approach for managing risks within an organization.

8 Information Security Risk
Information Security Risk: the likelihood of a threat source taking advantage of a vulnerability (for example, a data breach).
The risk level follows from three questions: What could go wrong? How likely is it? What are the impacts? The answers drive the decision to manage the risk.
Information Security Risk Management: the process of identifying and assessing information security risks and taking steps to reduce risk to an acceptable level.

9 Why manage IS Risk?
- Failure to meet organizational goals and objectives
- Non-compliance with Qatar legal and regulatory requirements
- Non-compliance with global / regional compliance requirements
- Audit observations
- Inability to manage risks proactively
- Excess compliance cost
- Inability to manage outsourcing or third-party risks

10 Benefits
- Qatar National Cyber Security Strategy
- National Information Assurance
- Critical Information Infrastructure Protection (CIIP) Law
- Cyber Crime Law
- ISO 27005:2011 Standard

11 Benefits
- Visibility of IS risks and opportunities
- Compliance with regulatory requirements
- Identification of critical information assets
- Reduced frequency and magnitude of IS incidents
- More informed decisions
- Raised awareness of information security risks
- Increased trust from customers and shareholders
- A driver for business continuity planning
- Demonstrated good corporate governance
Achieve a balance.

12 How to manage IS Risk?
- Know the risks
- Apply effective controls
- Take responsibility

13 IS Risk Management Framework (ISRMF)
Context: organizational goals, strategy, governance and policies; IS Risk Governance; Enterprise Risk Management.
The framework cycle has five phases:
1. Risk Identification
2. Risk Assessment
3. Risk Treatment
4. Risk Communication
5. Risk Monitoring
Inputs and supporting processes: Threat and Vulnerability Management; Legal and Regulatory Requirements; Issues Management; Incident Management; intelligence and research, incidents, previous risk assessments and geo-political risk reports; resource templates; IS Risk Program Management, Training and Awareness.

14 Approach
The ISRM process consists of the following phases, carried out under IS Risk Governance (scope and boundary, policy and procedure, steering / governance committee, roles and responsibilities, ISRM criteria):
1. Risk Identification: perform a BIA; identify information assets, vulnerabilities, threats, controls and inherent risks.
2. Risk Assessment: assess information asset value and classification, vulnerability factor, threat likelihood, control effectiveness and cost of control; determine the initial residual risk.
3. Risk Treatment: select a treatment option (modify, share, avoid, retain); treat the risks; determine the final residual risk.
4. Risk Communication: develop the final ISRM report; communicate residual risks to management; obtain management approval; conduct awareness sessions.
5. Risk Monitoring: monitor risk treatment, residual risk and new risks; identify change.
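A worked illustration of the assessment and treatment steps above, added here and not QCERT's own tool: the scoring model (1 to 5 ordinal scores, a multiplicative inherent risk, a 0 to 1 control-effectiveness ratio, the acceptance threshold and the treatment decision rule) is an assumption, and the register entries are constructed.

```python
# Added illustration, not QCERT's tool. Scoring model is assumed: 1..5 ordinal
# scores, 0..1 control effectiveness, acceptance threshold from ISRM criteria.
from dataclasses import dataclass
ACCEPTANCE_THRESHOLD = 20.0  # assumed criterion: residual risk at or below this is acceptable

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: int              # 1 (low) .. 5 ("crown jewel"), from asset classification
    vulnerability_factor: int     # 1 .. 5
    threat_likelihood: int        # 1 .. 5
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective existing control)
    cost_of_control: float        # relative cost of the proposed additional control

def inherent_risk(r: Risk) -> int:
    """Risk before controls (assumed multiplicative model, range 1..125)."""
    for score in (r.asset_value, r.vulnerability_factor, r.threat_likelihood):
        if not 1 <= score <= 5:
            raise ValueError("ordinal scores must be between 1 and 5")
    return r.asset_value * r.vulnerability_factor * r.threat_likelihood

def residual_risk(r: Risk) -> float:
    """Initial residual risk: inherent risk reduced by existing control effectiveness."""
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return inherent_risk(r) * (1.0 - r.control_effectiveness)

def treatment_option(r: Risk) -> str:
    """Assumed decision rule for the slide's four options: retain, modify, share, avoid."""
    res = residual_risk(r)
    if res <= ACCEPTANCE_THRESHOLD:
        return "retain"  # within appetite: accept and keep monitoring
    if r.cost_of_control <= inherent_risk(r):
        return "modify"  # additional control is cost-justified: reduce the risk
    if res <= 2 * ACCEPTANCE_THRESHOLD:
        return "share"   # too costly to fix in-house: insure or outsource
    return "avoid"       # high risk and no affordable control: stop the activity

def risk_register(risks):
    """Rows for the final ISRM report, highest residual risk first."""
    rows = [(r.asset, r.threat, inherent_risk(r), round(residual_risk(r), 1), treatment_option(r)) for r in risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)

SAMPLE = [  # constructed sample register, illustrative values only
    Risk("customer database", "injection via web app", 5, 4, 4, 0.5, 30),
    Risk("public website", "defacement", 2, 3, 5, 0.4, 10),
    Risk("legacy HR application", "unpatched remote exploit", 4, 5, 3, 0.0, 90),
    Risk("outsourced payroll", "third-party data leak", 3, 3, 3, 0.2, 50),
]
```

Running `risk_register(SAMPLE)` orders the entries for the management report and shows how the same residual score can lead to different options once cost of control is taken into account.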

15 Success Factors
Key factors in implementing a successful security risk management program include:
- Executive sponsorship
- A well-defined list of risk management stakeholders
- Organizational maturity in terms of risk management
- An atmosphere of open communication and teamwork
- Information security risk management team expertise

16 Organizational Commitment
Organizational commitment to ISRM is made up of:
- Effective management
- Continuous relationships
- An active driving force
- Systematic risk assessment
- Specialist know-how
- Clear rules
- Independent review
- Sound basic practices 'on the ground'
- Operational things 'done right'
- Disciplined handling of changes
- Other risks controlled
- Controlled access to system capabilities

17 For more information, visit www.motc.gov.qa
