Risk Management (1) (1).ppt

10,979 views 52 slides Dec 20, 2022

About This Presentation

Escape from Hacker and create great challenge


Slide Content

RISK DEFINITIONS
• RISK DEFINITION: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation
  o A risk must have Uncertainty (in terms of Probability or Likelihood). It might happen
  o A risk must have a measurable Impact (usually measured in monetary terms, but other criteria are acceptable, reputation for example)
  o “It May Rain Tomorrow”
• ISSUE DEFINITION: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation
  o E.g. an Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure
  o “It is Raining Today”

Risk Life Cycle
(Diagram) A Threat Agent exploits a Vulnerability, which leads to a Risk; the Risk can damage an Asset and cause an Exposure, which can be countermeasured by a Safeguard.
Risk Management Cycle
1. Identify Risks
2. Assess Risks
3. Define Desired Results
4. Select Strategy
5. Implement Strategy
6. Monitor
7. Evaluate and Adjust
The process is iterative:
• The processes are organized
• Each step's output is considered as an input for the next step
The cycle is divided into two parts: Risk Assessment and Risk Control.

Risk Identification
What is the purpose of this phase?
• The aim of this phase is to identify, classify and prioritize the organization’s information assets (know ourselves) and to identify all important types and sources of risk and uncertainty (know our enemy) associated with each of the investment objectives.
• This is a crucial phase. If a risk is not identified, it cannot be evaluated and managed.

Information Assets
IS Components:
• People
  o Employees: Authorized Staff, Other Staff
  o Non-employees: People at trusted organizations, Strangers
• Procedures: Standard Procedures, Sensitive Procedures
• Data: Transmission, Process, Storage
• Software: Application, OS, Security Component
• Hardware: System Devices, Network

Primary sources of Risk Items
• Human Threats: network based attacks, virus infection, unauthorized access
• Environmental Threats: power failure, pollution
• Outside & Natural Threats: floods, earthquakes, hurricanes

Risk Analysis
• Requires an entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity.
• Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards.

Risk Assessment
• For each identified component and risk that is in a 'clearly significant' or 'possibly significant' position, assess it to establish the risk qualitatively and estimate its value.
What is Risk Assessment?
• Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise, i.e. determining the relative risk for each of the vulnerabilities.
• Risk assessment assigns a risk rating or score to each specific information asset, useful in evaluating the relative risk and making comparative ratings later in the risk control process.
• Although all elements of the risk management cycle are important, risk assessments provide the foundation for other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies.

Methods of Risk Assessment
There are various methods of assessing risk.
First: Quantitative risk assessment
Generally estimates the values of Information Systems components such as information, systems, business processes, recovery costs, etc. Risk can be measured in terms of direct and indirect costs, based on:
(1) the likelihood that a damaging event will occur
(2) the costs of potential losses
(3) the costs of mitigating actions that could be taken.

Second: Qualitative Risk Assessment
This approach can be taken by defining:
– Risk in more subjective and general terms such as high, medium, and low.
– In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment.
• Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”. However, by providing the impact and likelihood definition tables and the description of the impact, it is possible to adequately communicate the assessment to the organization’s management.

Third: Quantitative and Qualitative
– It is also possible to use a combination of the quantitative and qualitative methods.

WHAT IS RISK MANAGEMENT?
• The identification of Risks and their management by defining:
  o The Risk Description
  o The Risk Owner
  o The Probability of the Risk Event occurring
  o The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
  o The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring, with relation to their costs and the reduction of Risk Exposure
  o The Contingency Plan to recover the Asset once the risk is manifested
  o An understanding of Corporate Risk Appetite and, where appropriate, the application of Risk Tolerance

OBJECTIVES OF GENERIC RISK MANAGEMENT
To ensure that all risks to the Business, however they are derived, are managed effectively.
• This includes:
  • Strategic Risks
  • Programme and Project Risks
  • Operational Risks (includes Security and Business Continuity Risks)
(Diagram) Risk registers by level:
• Strategic Level: Strategic Risks, recorded in the Strategic Risk Register
• Change Level: Programme/Project Risks, recorded in the Project Risk Register
• Operational Level (Business as Usual): Operational Risks, recorded in the Operational Risk Register and the Information Security Risk Register (BAU, Business continuity)

OBJECTIVES OF INFORMATION SECURITY RISK MANAGEMENT
To ensure that the risks to the Organisation that are derived from Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
• Confidentiality,
• Integrity,
• Availability, and the
• Traceability of Information whilst:
  • At rest
  • Whilst being modified
  • In transit (around a system, e-mail, media device, telephone etc.)

WHAT IS NOT RISK MANAGEMENT?
• Incident Management
• Audit Non-Compliances
• Problem Management
• Threat Management
• Vulnerability Management
• Exception / Waiver Management
So, these are issues, NO uncertainty! However, they can be the Source of Infosec

RISK MATRIX (rows: IMPACT, columns: LIKELIHOOD)

Impact \ Likelihood   Low      Medium   High
High                  Medium   High     High
Medium                Low      Medium   High
Low                   Low      Low      Medium

PROBLEMS WITH RISK MANAGEMENT
COMMON PROBLEMS (MISUNDERSTANDINGS)?
• Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification)
• Unachievable, ineffective and disproportionate Mitigation Actions
• Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement
• Reactive vs Proactive Approach
• Reliance on Incidents, Threat and Non-Compliance Management (Reactive)
• Proactive Risk Identification Workshop based on Success Criteria
SO WHAT!
• Risks occur that could have been managed
• Impact on Assets not understood (BIA, CMDB)
• Mitigation Action Costs do not reflect the Risk Exposure Reduction
• Systems fail, business and revenue lost
• Corporate data is unavailable when required - Loss of Business
• Regulator penalties, reputational damage occurs
• Loss of Customer base and confidence
• Loss of IPR.

MITIGATION PLANS & CONTINGENCY PLANS
o Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence - (Reduce Probability).
o This is why it is so important to describe the risk event clearly.
o Contingency Plans address the Impact of the Risk and are used to recover a system from the effect of a risk should it occur, a mini BCP - (Reduce Impact).
o This is why it is so important to clearly describe the risk impact separately from the risk description.

SOURCES OF CYBER SECURITY RISKS
o Proliferation of BYOD and smart devices
o Cloud computing
o Outsourcing of critical business processes to a third party (and lack of controls around third-party services)
o Disaster recovery and business continuity
o Periodic access reviews
o Log reviews
SOURCE: Cyber-security - What the Board of Directors need to ask?, IIARF Research Report, 2014

COMMON CYBER-CRIMINAL ATTACK VECTORS
o Application vulnerabilities
o Remote access
o Ineffective patch management
o Weak network security/flat networks
o Lack of real-time security monitoring
o Third parties
o Lack of a data retention policy
SOURCE: HANS HENRIK BERTHING, Cyber Assurance and the IT Auditor, Nov 2014

WHERE TO START?
Select appropriate Controls / use Security Standards:
• ISO27000
• PCI DSS
• COBIT
• HIPAA

ENCOURAGE RISK REPORTING
1. Create risk reporting awareness for the workforce
2. Make it easy, create a simple Risk Submission form
3. Assess the risk submission, ask questions
4. Ensure it is a RISK, not an issue, a service request or a change request

MANAGE THE RISKS …
1. Record in a Risk Register
2. Describe the RISK
3. Assess the Likelihood, Impact, and risk rating
4. Agree recommended Risk Mitigation / Treatment
5. Establish a contingency position if possible
6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7. Agree a Mitigation Owner
8. Obtain a decision (Reduce, Accept, Avoid, Transfer)
9. Monitor mitigation progress until the target risk is achieved - retain awareness of closed or mitigated risks
10. Produce monthly status reports
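As an added worked example (not from the deck), the Python below sketches one risk register entry that applies the deck's own risk matrix, the quantitative factors listed under Methods of Risk Assessment (likelihood, cost of potential losses, cost of mitigating actions), and the rule from Encourage Risk Reporting that a submission with no uncertainty is an issue, not a risk. The band thresholds, sample figures, field names and the Accept / Reduce / Avoid-or-Transfer rule are assumptions of this example.

```python
from dataclasses import dataclass
# Qualitative matrix copied from the "RISK MATRIX" slide, keyed (impact, likelihood).
MATRIX = {
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
}
LEVEL = {"Low": 0, "Medium": 1, "High": 2}
# Band thresholds are assumptions of this example (annual probability; loss in currency units).
LIKELIHOOD_BANDS = (0.1, 0.5)
IMPACT_BANDS = (10_000, 100_000)

@dataclass
class Risk:
    description: str
    owner: str
    probability: float            # annual likelihood of the risk event, before mitigation
    impact_cost: float            # direct plus indirect loss if the event occurs
    mitigation_cost: float        # cost of the proposed control
    mitigated_probability: float  # likelihood once the control is in place

    def __post_init__(self):
        # A risk must have uncertainty: p == 1 is an issue ("It is raining today"), not a risk.
        if not 0 < self.probability < 1:
            raise ValueError("not a risk: probability must lie strictly between 0 and 1")

def band(value, thresholds):
    return "Low" if value < thresholds[0] else "Medium" if value < thresholds[1] else "High"

def qualitative_rating(risk):
    # Read the High/Medium/Low rating off the likelihood x impact matrix.
    return MATRIX[(band(risk.impact_cost, IMPACT_BANDS), band(risk.probability, LIKELIHOOD_BANDS))]

def exposure(probability, impact_cost):
    # Quantitative risk exposure: expected annual loss.
    return probability * impact_cost

def mitigation_benefit(risk):
    # Exposure reduction bought by the control, net of what the control costs.
    return exposure(risk.probability - risk.mitigated_probability, risk.impact_cost) - risk.mitigation_cost

def decision(risk, appetite):
    # Treatment choice (Accept / Reduce / Avoid or Transfer); the rule is an assumption of this example.
    if LEVEL[qualitative_rating(risk)] <= LEVEL[appetite]:
        return "Accept"
    return "Reduce" if mitigation_benefit(risk) > 0 else "Avoid or Transfer"

# Constructed sample entries (description, owner, p, impact, control cost, p after control); not from the deck.
APP_RISK = Risk("Unpatched internet-facing application is compromised", "Head of Online Services", 0.3, 200_000, 20_000, 0.05)
FLOOD_RISK = Risk("Flood in the server room destroys on-premise equipment", "Facilities Manager", 0.02, 50_000, 30_000, 0.01)
```

With a "Medium" appetite the application risk rates High and its control pays back (exposure falls by more than the control costs), so it is marked Reduce; the flood risk rates Low and is simply accepted.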