Introduction to ISO Key Points and Benefits

Transcription

1 Introduction to ISO Key Points and Benefits By Gerard Joyce LinkResQ

2 Managing Risk We all manage risk consciously or unconsciously - but rarely systematically Managing risk means forward thinking Managing risk means balanced thinking Managing risk is all about maximising opportunity and minimising threats Informed and effective decision making

3 History of the ISO Over 80 separate ISO and IEC Technical Committees are addressing aspects of risk management 27 th June 2002, ISO/IEC Guide 73, Risk Management - Vocabulary published ISO Technical Management Board (TMB) Approached by Australia and Japan AS/NZS 4360:2004 to be adopted by ISO. June 2005, TMB sets up Working Group (WG) ISO & ISO Guide 73 published ISO/IEC published.

4 The Definition of Risk risk effect of uncertainty on objectives NOTE 1 An effect is a deviation from the expected positive and/or negative. NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these. NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. [ISO Guide 73:2009]

5 ISO Users ISO is intended to be used by a wide range of stakeholders including: Those who need to ensure that an organization manages risk Those responsible for implementing risk management within their organization Those who need to manage risk for the organization as a whole or within a specific area or activity Those needing to evaluate an organization s practices in managing risk Developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.

6 ISO Overview Risk Management Principles and Guidelines 3 Sections Principles There are 11 Framework for Managing Risk Risk Management Process

7 a) Creates and protects value b) Integral part of organizational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organization Principles (Clause 3) Continual improvement of the Framework (4.6) Mandate and Commitment (4.2) Design of framework (4.3) Monitoring and review of the Framework (4.5) Framework (Clause 4) Implementing risk Management (4.4) C o m u n i c a t i o n & c o n s u l t a t i o n 5.2 Establishing the context (5.3) Risk assessment (5.4) Risk identification (5.4.2) Risk analysis (5.4.3) Risk evaluation (5.4.4) Risk treatment (5.5) Process (Clause 5) M o n i t o r i n g & r e v i e w (5.6) ISO 31000:2009 Figure 1 Relationship between the principles, framework and process

8 The Principles Risk management should. 1. Create and protect value 2. Be an integral part of organisational processes 3. Be part of decision making 4. Explicitly address uncertainty 5. Be systematic and structured 6. Be based on the best available information 7. Be tailored 8. Take into account human factors 9. Be transparent and inclusive 10. Be dynamic, iterative and responsive to change 11. Be capable of continual improvement and enhancement

9 The Framework Mandate and commitment (4.2) 4.3 Design of framework Understanding the organization and its context Establishing risk management policy Accountability Integration into organizational processes Resources Establishing internal communication and reporting mechanisms Establishing external communication and reporting mechanisms 4.6 Continual improvement of the framework 4.4 Implementing risk management Implementing the framework for managing risk Implementing the risk management process 4.5 Monitoring and review of the framework

10 ISO Process 5.2 C O M M U N I C A T I O N & C O N S U L T A T I O N 5.4 R I S K 5.3 ESTABLISHING THE CONTEXT External Context Internal Context Risk Management Process Context Developing Risk Criteria RISK IDENTIFICATION What can happen, when, where, how & why RISK ANALYSIS Determine existing controls Determine Likelihood Estimate Level of Risk RISK EVALUATION Compare against criteria. Identify & assess options. Decide on response. Establish priorities. Determine Consequences 5.5 RISK TREATMENT Selection of risk treatment options Preparing and implementing risk treatment plans A S S E S S M E N T 5.7 M O N I T O R & R E V I E W

11 ISO Benefits Avoids organisations re-inventing the wheel Allows all to benefit from proven best practice Provides a universal benchmark Reduces barriers to trade Advises exactly what you need to do and how you need to do it Scalable works for all sizes of organisation

12 Swift 31000:2009 Combination Document ISO31000 ISO Guide 73 Implementation Guidance Swift 31000:2009 Guidance What How Developed by the national committee + practitioners

13 Thank you for listening Gerard Joyce

14 Case Study: Data Breach Nationwide Building Society (UK) Sector: Customers: Background Financial Services 11 Million In 2004 the FSA published a report entitled Countering Financial Crime Risks in Information Security followed by speeches and other publications. Event In August 2006 a laptop was stolen from the home of an employee. It contained confidential customer information.

15 Findings The FSA found that; Case Study ctd. Nationwide did not have adequate IS procedures It did not manage / monitor downloads of large amounts of data onto portable devices Nationwide was not aware that the laptop contained customer information and did not start an investigation until 3 weeks after the theft. Consequences Fine of 1.4 million (reduced to 980,000 for early settlement)

16 FSA Opinion Nationwide breached Principle 3 by failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. Nationwide did not take reasonable care to ensure that it had effective systems and controls to manage the risks relating to information security, specifically the risk that customer information might be lost or stolen

17 Possible Causes? (Source of the risk) Long-standing employee, who needed extensive access to customer information Nationwide failed to assess risks in relation to security of customer information IS procedures were inadequate Failed to implement adequate training on IS procedures Failed to implement adequate controls Failed to have appropriate procedures in place to deal with an incident involving loss of customer information

18 What Nationwide Did Increased anti-fraud measures and monitoring of suspected fraudulent activity On notification of theft of laptop, disable remote access Wrote to all customers and advised how to minimise risk of identity theft Said it will reimburse any customer who suffers a loss as a result of the theft of the information. Commissioned a review of its Information Security procedures and controls

19 Possible Treatments Define what is allowed / not allowed to be stored Prevention of storage of certain information on mobile media. Encryption Data Classification Train employees on good practice Procedure for dealing with lost or stolen devices Disciplinary action for breaches of policy

20 BYOD Policy covering personal devices Allowed applications Minimum security requirements Organisation control of personal device Monitor use / misuse, Detect non-compliance Remote wipe Consequences of using unauthorised devices What happens when an employee leaves the Co