
SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.


1 SEC’s Cybersecurity Risk Alert Part 2 of 3
How-To: Assessing Cybersecurity Risk
Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE, Director, IT Audit and Consulting - O’Connor Davies, LLP
Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member - Focus 1 Associates LLC

2 © 2014 Advent Software, Inc. Advent Confidential
Speakers
Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, MCSE, Director, IT Audit and Consulting Services - O’Connor Davies, LLP, TDeMayo@odpkf.com, 646-449-6353
Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member - Focus 1 Associates LLC, tim@focus1associates.com, 267-254-1506

3 Objectives
Discuss how to perform a true cybersecurity risk assessment for your firm.
Learn how to develop and implement administrative, technical, and physical controls relevant to your firm’s risk exposure.
Establish a sound cybersecurity program based on applicable regulatory requirements and industry best practices.

4 Fundamental Components of Risk Assessment
Threats – Anything that can cause harm.
Common Threat Sources:
Human – Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
Natural – Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Environmental – Long-term power failure, pollution, chemicals, liquid leakage.

5 Fundamental Components of Risk Assessment
Vulnerabilities – Any hardware, software or procedural weakness that can be exploited (i.e. taken advantage of) by a threat.
A threat/vulnerability pair must exist in order to have RISK.
Risk – The probability of occurrence (likelihood) that a threat will take advantage of a vulnerability, and the resulting business impact.

6 Fundamental Components of Risk Assessment
Types of Risk Assessments
Qualitative – Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high.
Quantitative – The likelihood of occurrence of particular threats, and the risks or loss associated with those threats, are estimated and assessed according to predetermined measurement scales.
Unless your business absolutely requires a quantitative risk assessment, use a qualitative approach.

7 Risk Ranking Definitions
Unacceptable – Mitigation Required
High – Cost Benefit Analysis Required
Moderate – Possible Cost Analysis of Mitigation
Low – No Analysis Required
When assigning values, trust your initial reaction.

8 Risk Chart

9 Inherent vs. Residual Risk
Inherent Risk – The risk associated with a threat and vulnerability pair in the absence of any controls (i.e. the risk posed if you don’t apply any controls).
Residual Risk – The amount of risk that remains after the application of controls.
Understanding the inherent risk is key to understanding the extent of controls required to manage the residual risk.

10 Risk Treatment
Accept – Knowingly accept the risk because it falls within the organization's "risk appetite"; in other words, management deems the risk acceptable compared to the cost of improving controls to mitigate it.
Reduce – Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level.
Avoid – Do not undertake the associated business activity.
Transfer – Shift the risk to another organization (e.g. through insurance or by contractual arrangements with a business partner).

11 Risk Management

12 Risk Areas to Consider

13 Risk Assessment Framework
Industry-recognized frameworks most commonly used include:
NIST SP 800-30 – http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
OCTAVE – http://www.cert.org/resilience/products-services/octave/index.cfm
FAIR – http://fairwiki.riskmanagementinsight.com/

14 Risk Assessment Framework
Whatever methodology you choose, it should comprise the following:
1. Identify all critical information resources, including such things as servers, applications, data repositories, etc.
2. Assign a value to those resources. Depending on the organization’s risk assessment approach, this can be either a quantitative or a qualitative value.
3. Determine the threat and vulnerability pairs that exist for those resources.
4. Determine the probability of occurrence and potential business impact of each threat/vulnerability pair = Inherent Risk Value (the risk value that exists if no controls are implemented).
5. Identify the existing controls in place that reduce the inherent risk to an acceptable level = Residual Risk Value.
When mapping controls, consider both the design and operating effectiveness of each control when determining the residual risk value.
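As an added illustration that is not part of the slides, the following Python sketch carries the five steps through for one register entry: a qualitative scale, the slides' ranking labels and treatments, the inherent risk before controls, and the residual risk where a control earns credit only if both its design and its operation are effective. The three-point scale, the score cut-offs and the sample register entry are assumptions of this example.

```python
from dataclasses import dataclass, field
LEVELS = {"low": 1, "medium": 2, "high": 3}  # qualitative scale (assumed 3-point)
# Ranking labels and treatments come from the slides; the score cut-offs are assumed.
RANKINGS = [(9, "Unacceptable", "Mitigation required"),
            (6, "High", "Cost benefit analysis required"),
            (3, "Moderate", "Possible cost analysis of mitigation"),
            (1, "Low", "No analysis required")]

@dataclass
class Control:
    name: str
    reduces: str               # "likelihood" or "impact"
    design_effective: bool     # does the control, as designed, address the risk?
    operating_effective: bool  # is it actually operating as designed?

    def earns_credit(self) -> bool:
        # Credit toward residual risk only when BOTH design and operation are effective.
        return self.design_effective and self.operating_effective

@dataclass
class RiskItem:
    resource: str
    pair: str        # the threat / vulnerability pair that exists for this resource
    likelihood: str  # inherent likelihood, i.e. with no controls applied
    impact: str      # inherent business impact, with no controls applied
    controls: list = field(default_factory=list)

def rank(likelihood: int, impact: int) -> tuple:
    # Map a likelihood x impact score to (ranking, treatment the ranking calls for).
    score = likelihood * impact
    for threshold, name, treatment in RANKINGS:
        if score >= threshold:
            return name, treatment
def inherent_risk(item: RiskItem) -> tuple:
    return rank(LEVELS[item.likelihood], LEVELS[item.impact])
def residual_risk(item: RiskItem) -> tuple:
    likelihood, impact = LEVELS[item.likelihood], LEVELS[item.impact]
    for c in item.controls:
        if c.earns_credit():  # each effective control lowers its dimension one level
            if c.reduces == "likelihood":
                likelihood = max(1, likelihood - 1)
            else:
                impact = max(1, impact - 1)
    return rank(likelihood, impact)

SAMPLE = RiskItem(  # constructed register entry, not taken from the slides
    "client portfolio database", "unauthorized access via password-only login", "high", "high",
    [Control("MFA on remote access", "likelihood", True, True),
     Control("quarterly access review", "likelihood", True, False),  # not performed: no credit
     Control("encrypted, tested backups", "impact", True, True)])
```

For the sample entry the inherent ranking is Unacceptable and the residual ranking is Moderate; the access review, although well designed, earns no credit because it is not operating.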

15 Sample Modified Approach

16 Questions?
Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, CHFI, MCSE, Director, IT Audit and Consulting Services - O’Connor Davies, LLP, TDeMayo@odpkf.com, 646-449-6353
Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member - Focus 1 Associates LLC, tim@focus1associates.com, 267-254-1506

