ENTERPRISE risk management AWARENESS.ppt
106 views
52 slides
Sep 24, 2024
Slide 1 of 52
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
About This Presentation
ENTERPRISE risk management A
Slide Content
BY
PARABAKARAN
PARABAKARAN
RISK DEFINITIONS
RISK DEFINITION: A Risk is a potential or future event that, should it occur, will
have a (negative) impact on the Business Objectives of an Organisation
oA risk must have Uncertainty, (in terms of Probability or Likelihood). It might
happen
oA risk must have a measurable Impact, (usually measured in monetary
terms, but other criteria are acceptable, reputation for example)
o“It May Rain Tomorrow”
◦ISSUE DEFINITION: An Issue is a current event that will have a (negative)
impact on the Business Objectives of an Organisation
oE.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an
Equipment or Supplier failure
o“It is Raining Today”
RISK DEFINITION: A Risk is a potential or future event that, should it occur, will
have a (negative) impact on the Business Objectives of an Organisation
oA risk must have Uncertainty, (in terms of Probability or Likelihood). It might
happen
oA risk must have a measurable Impact, (usually measured in monetary
terms, but other criteria are acceptable, reputation for example)
o“It May Rain Tomorrow”
◦ISSUE DEFINITION: An Issue is a current event that will have a (negative)
impact on the Business Objectives of an Organisation
oE.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an
Equipment or Supplier failure
o“It is Raining Today”
Risk Life Cycle
3
Threat Agent
Vulnerability
Risk
Asset
Exposures
Safeguard
Exploits
Leads to
Can damage
And cause an
Can be
cuntermeasure by a
3
Threat Agent
Vulnerability
Risk
Asset
Exposures
Safeguard
Exploits
Leads to
Can damage
And cause an
Can be
cuntermeasure by a
Risk Management Cycle
4
Identify Risks
Assess Risks
Define Desired
Results
Select Strategy
Implement
Strategy
Monitor
Evaluate and
Adjust
The Process
is iteration
•The Processes are organized
• Each Step output considered
as an input for the next step
R
is
k
C
o
n
t
r
o
l
R
is
k
A
s
s
e
s
s
m
e
n
t
4
Identify Risks
Assess Risks
Define Desired
Results
Select Strategy
Implement
Strategy
Monitor
Evaluate and
Adjust
The Process
is iteration
•The Processes are organized
• Each Step output considered
as an input for the next step
R
is
k
C
o
n
t
r
o
l
R
is
k
A
s
s
e
s
s
m
e
n
t
5
Risk Identification
What is the purpose of this phase ?
The aims of this phase is to identify , classify and
prioritizing the organization’s information assets
( Know ourselves) and identify all important types and
sources of risk and uncertainty (know our enemy),
associated with each of the investment objectives.
This is a crucial phase. If a risk is not identified it cannot
be evaluated and managed
6
What is the purpose of this phase ?
The aims of this phase is to identify , classify and
prioritizing the organization’s information assets
( Know ourselves) and identify all important types and
sources of risk and uncertainty (know our enemy),
associated with each of the investment objectives.
This is a crucial phase. If a risk is not identified it cannot
be evaluated and managed
6
Information Assets
IS
Components
People Procedures Data
Transmission
HWSW
Employees
Non-
employees
People at
trusted
organizations
Authorized
Staff
Other staff Strangers
Standard
\Procedures
Sensitive
Procedures
Process
Storage
Application
OS
Security
Component
System
Devises
Net Work
7
IS
Components
People Procedures Data
Transmission
HWSW
Employees
Non-
employees
People at
trusted
organizations
Authorized
Staff
Other staff Strangers
Standard
\Procedures
Sensitive
Procedures
Process
Storage
Application
OS
Security
Component
System
Devises
Net Work
7
Primary sources
of Risk Items
8
Human Threats
Environmental
Threats
Outside &
Natural Threats
network
based attacks
virus infection,
unauthorized access
floods
Earthquakes
hurricanes
Power failure ,
pollution
of Risk Items
8
Human Threats
Environmental
Threats
Outside &
Natural Threats
network
based attacks
virus infection,
unauthorized access
floods
Earthquakes
hurricanes
Power failure ,
pollution
Risk Analysis
•requires an entity to, conduct an accurate and
thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity,
and availability of electronic protected
information held by the entity.
•Risk analysis, which is a tool for risk
management, is a method of identifying
vulnerabilities and threats, and assessing the
possible damage to determine where to
implement security safeguards
•requires an entity to, conduct an accurate and
thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity,
and availability of electronic protected
information held by the entity.
•Risk analysis, which is a tool for risk
management, is a method of identifying
vulnerabilities and threats, and assessing the
possible damage to determine where to
implement security safeguards
Risk Assessment
For each identified component & risk, which has a 'clearly significant' or
'possibly significant' position, each should be assess to establish qualitatively
and Estimate the value
10
For each identified component & risk, which has a 'clearly significant' or
'possibly significant' position, each should be assess to establish qualitatively
and Estimate the value
10
What is Risk Assessment ?
Assessing risk is the process of determining the likelihood of the
threat being exercised against the vulnerability and the resulting
impact from a successful compromise , i.e determine the relative
risk for each of the vulnerabilities
Risk assessment assigns a risk rating or score to each specific
information asset, useful in evaluating the relative risk and making
comparative ratings later in the risk control process.
•Although all elements of the risk management cycle are important,
risk assessments provide the foundation for other elements of the
cycle. In particular, risk assessments provide a basis for establishing
appropriate policies and selecting cost-effective techniques to
implement these policies
١٤٤٦/٠٣/٢١ 11
Assessing risk is the process of determining the likelihood of the
threat being exercised against the vulnerability and the resulting
impact from a successful compromise , i.e determine the relative
risk for each of the vulnerabilities
Risk assessment assigns a risk rating or score to each specific
information asset, useful in evaluating the relative risk and making
comparative ratings later in the risk control process.
•Although all elements of the risk management cycle are important,
risk assessments provide the foundation for other elements of the
cycle. In particular, risk assessments provide a basis for establishing
appropriate policies and selecting cost-effective techniques to
implement these policies
١٤٤٦/٠٣/٢١ 11
Methods of Risk Assessment
There are various methods assessing risk,
First : Quantitative risk assessment :
generally estimates values of Information Systems components as ;
information, systems, business processes, recovery costs, etc., risk can be
measured in terms of direct and indirect costs , based on
(1) the likelihood that a damaging event will occur
(2) the costs of potential losses
(3) the costs of mitigating actions that could be taken.
12
There are various methods assessing risk,
First : Quantitative risk assessment :
generally estimates values of Information Systems components as ;
information, systems, business processes, recovery costs, etc., risk can be
measured in terms of direct and indirect costs , based on
(1) the likelihood that a damaging event will occur
(2) the costs of potential losses
(3) the costs of mitigating actions that could be taken.
12
This approach can be taken by defining
◦Risk in more subjective and general terms such as high, medium, and
low.
◦In this regard, qualitative assessments depend more on the expertise,
experience, and judgment of those conducting the assessment.
Qualitative risk assessments typically give risk results of “High”,
“Moderate” and “Low”. However, by providing the impact and likelihood
definition tables and the description of the impact, it is possible to
adequately communicate the assessment to the organization’s
management.
13
Second : Qualitative Risk Assessment
◦Risk in more subjective and general terms such as high, medium, and
low.
◦In this regard, qualitative assessments depend more on the expertise,
experience, and judgment of those conducting the assessment.
Qualitative risk assessments typically give risk results of “High”,
“Moderate” and “Low”. However, by providing the impact and likelihood
definition tables and the description of the impact, it is possible to
adequately communicate the assessment to the organization’s
management.
13
Second : Qualitative Risk Assessment
Third :Quantitative and Qualitative
◦It is also possible to use a combination of quantitative and qualitative
method
14
◦It is also possible to use a combination of quantitative and qualitative
method
14
WHAT IS RISK MANAGEMENT?
The identification of Risks and their management by defining:
The Risk Description
The Risk Owner
The Probability of the Risk Event occurring
The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring
with relation to their costs and the reduction of Risk Exposure
The Contingency Plan to recover the Asset once risk is manifested
An understanding of Corporate Risk Appetite and where appropriate the application of Risk
Tolerance
The identification of Risks and their management by defining:
The Risk Description
The Risk Owner
The Probability of the Risk Event occurring
The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring
with relation to their costs and the reduction of Risk Exposure
The Contingency Plan to recover the Asset once risk is manifested
An understanding of Corporate Risk Appetite and where appropriate the application of Risk
Tolerance
OBJECTIVES OF GENERIC RISK MANAGEMENT
To ensure that all risks to the Business
however they are derived are managed
effectively.
This includes:
Strategic Risks
Programme and Project Risks
Operational Risks (includes Security and
Business Continuity Risks)
Operational Level
(Business as Usual)
Change
Level
Operational Risk
Register
Information
Security Risk
Register
BAU
Business
continuity
Strategic
Level
Strategic Risks
Programme/Project Risks
Operational Risks
Project Risk Register
Strategic Risk Register
To ensure that all risks to the Business
however they are derived are managed
effectively.
This includes:
Strategic Risks
Programme and Project Risks
Operational Risks (includes Security and
Business Continuity Risks)
Operational Level
(Business as Usual)
Change
Level
Operational Risk
Register
Information
Security Risk
Register
BAU
Business
continuity
Strategic
Level
Strategic Risks
Programme/Project Risks
Operational Risks
Project Risk Register
Strategic Risk Register
OBJECTIVES OF INFORMATION SECURITY
RISK MANAGEMENT
To ensure that the risks to the Organisation that are derived from, Incidents,
Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
◦Confidentiality,
◦Integrity,
◦Availability, and the
◦Traceability of Information whilst:
◦At rest
◦Whilst being modified
◦In transit (around a system, e-mail, media device, telephone etc.)
RISK MANAGEMENT
To ensure that the risks to the Organisation that are derived from, Incidents,
Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
◦Confidentiality,
◦Integrity,
◦Availability, and the
◦Traceability of Information whilst:
◦At rest
◦Whilst being modified
◦In transit (around a system, e-mail, media device, telephone etc.)
WHAT IS NOT RISK MANAGEMENT?
Incident Management
Audit Non-Compliances
Problem Management
Threat Management
Vulnerability Management
Exception / Waiver Management
!
However, they can be the Source of Infosec Risks…
So, these are issues, NO uncertainty!
Incident Management
Audit Non-Compliances
Problem Management
Threat Management
Vulnerability Management
Exception / Waiver Management
!
However, they can be the Source of Infosec Risks…
So, these are issues, NO uncertainty!
RISK MATRIX
PROBLEMS WITH RISK MANAGEMENT
COMMON PROBLEMS
(MISUNDERSTANDINGS)?
Poor Risk Descriptions (Risk vs Issue and
Impact confusion) (Qualification vs
Quantification)
Unachievable, ineffective and
disproportionate Mitigation Actions
Poor Control, risk owner vs risk mitigation
owner. Stakeholder Involvement
Reactive vs Proactive Approach
•Reliance on Incidents, Threat and Non-
Compliance Management (Reactive)
•Proactive Risk Identification Workshop
based on Success Criteria
SO WHAT!
Risks occur that could have been managed
Impact on Assets not understood (BIA, CMDB)
Mitigation Action Costs do not reflect the Risk
Exposure Reduction
Systems fail, business and revenue lost,
Corporate data is unavailable when required –
Loss of Business
Regulator penalties, reputational damage occurs
Loss of Customer base and confidence
Loss of IPR.
COMMON PROBLEMS
(MISUNDERSTANDINGS)?
Poor Risk Descriptions (Risk vs Issue and
Impact confusion) (Qualification vs
Quantification)
Unachievable, ineffective and
disproportionate Mitigation Actions
Poor Control, risk owner vs risk mitigation
owner. Stakeholder Involvement
Reactive vs Proactive Approach
•Reliance on Incidents, Threat and Non-
Compliance Management (Reactive)
•Proactive Risk Identification Workshop
based on Success Criteria
SO WHAT!
Risks occur that could have been managed
Impact on Assets not understood (BIA, CMDB)
Mitigation Action Costs do not reflect the Risk
Exposure Reduction
Systems fail, business and revenue lost,
Corporate data is unavailable when required –
Loss of Business
Regulator penalties, reputational damage occurs
Loss of Customer base and confidence
Loss of IPR.
MITIGATION PLANS & CONTINGENCY PLANS
oMitigations or Controls are primarily used to prevent the occurrence of a risk or
to reduce the Probability of Risk occurrence - (Reduce Probability).
oThis is why it is so important to describe the risk event clearly.
oContingency Plans address the Impact of the Risk plans and are used to
recover a system from the effect of a risk should it occur, a mini BCP -
(Reduce Impact)
oThis is why it is so important to clearly describe the risk impact separately from the risk
description
oMitigations or Controls are primarily used to prevent the occurrence of a risk or
to reduce the Probability of Risk occurrence - (Reduce Probability).
oThis is why it is so important to describe the risk event clearly.
oContingency Plans address the Impact of the Risk plans and are used to
recover a system from the effect of a risk should it occur, a mini BCP -
(Reduce Impact)
oThis is why it is so important to clearly describe the risk impact separately from the risk
description
SOURCES OF CYBER SECURITY RISKS
oProliferation of BYOD and smart devices
oCloud computing
oOutsourcing of critical business processes to a third party (and lack of
controls around third-party services)
oDisaster recovery and business continuity
oPeriodic access reviews
oLog reviews
SOURCE: Cyber-security - What the Board of Directors need to ask?,
IIARF Research Report, 2014
oProliferation of BYOD and smart devices
oCloud computing
oOutsourcing of critical business processes to a third party (and lack of
controls around third-party services)
oDisaster recovery and business continuity
oPeriodic access reviews
oLog reviews
SOURCE: Cyber-security - What the Board of Directors need to ask?,
IIARF Research Report, 2014
COMMON CYBER-CRIMINAL ATTACK VECTORS
oApplication vulnerabilities
oRemote access.
oIneffective patch management
oWeak network security/flat networks
oLack of real-time security monitoring
oThird parties
oLack of a data retention policy
SOURCE: HANS HENRIK BERTHING
Cyber Assurance and the IT Auditor Nov 2014
oApplication vulnerabilities
oRemote access.
oIneffective patch management
oWeak network security/flat networks
oLack of real-time security monitoring
oThird parties
oLack of a data retention policy
SOURCE: HANS HENRIK BERTHING
Cyber Assurance and the IT Auditor Nov 2014
WHERE TO START?
Select appropriate Controls / use Security Standards:
ISO27000
PCI DSS
COBIT
HIPAA
Select appropriate Controls / use Security Standards:
ISO27000
PCI DSS
COBIT
HIPAA
ENCOURAGE RISK REPORTING
1.Create risk reporting awareness for the workforce
2.Make it easy, create a simple Risk Submission form
3.Assess the risk submission, ask questions
4.Ensure it is a RISK, not an issue, a service request, a change request
1.Create risk reporting awareness for the workforce
2.Make it easy, create a simple Risk Submission form
3.Assess the risk submission, ask questions
4.Ensure it is a RISK, not an issue, a service request, a change request
MANAGE THE RISKS…
1.Record in a Risk Register
2.Describe the RISK
3.Assess the Likelihood, Impact, and risk rating
4.Agree recommended Risk Mitigation / Treatment
5.Establish a contingency position if possible
6.Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7.Agree a Mitigation Owner
8.Obtain a decision (Reduce, Accept, Avoid, Transfer)
9.Monitor mitigation progress until target risk is achieved – retain
awareness of closed or mitigated risks
10.Produce monthly status reports
1.Record in a Risk Register
2.Describe the RISK
3.Assess the Likelihood, Impact, and risk rating
4.Agree recommended Risk Mitigation / Treatment
5.Establish a contingency position if possible
6.Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7.Agree a Mitigation Owner
8.Obtain a decision (Reduce, Accept, Avoid, Transfer)
9.Monitor mitigation progress until target risk is achieved – retain
awareness of closed or mitigated risks
10.Produce monthly status reports
Tags
Categories
BusinessDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 106
- Slides 52
- Age 441 days
Related Slideshows
1
DTI BPI Pivot Small Business - BUSINESS START UP PLAN
MeljunCortes
35 views
1
CATHOLIC EDUCATIONAL Corporate Responsibilities
MeljunCortes
36 views
11
Karin Schaupp – Evocation; lançamento: 2000
alfeuRIO
35 views
10
Pillars of Biblical Oneness in the Book of Acts
JanParon
30 views
31
7-10. STP + Branding and Product & Services Strategies.pptx
itsyash298
32 views
44
Business Legislation PPT - UNIT 1 jimllpkggg
slogeshk98
35 views