Information Security Risk Management

Information Security Risk Management Based on ISO/IEC 17799
Houman Sadeghi Kaji
PhD, Spread Spectrum Communication Systems; Cisco Certified Network Professional; Security Specialist; BS7799 LA
info@houmankaji.net

Target Audience
This session is primarily intended for:
- Systems architects and planners
- Members of the information security team
- Security and IT auditors
- Senior executives, business analysts, and business decision makers
- Consultants and partners

Motivation for this Presentation
Security is a process, not a product; security products alone will not save you. A process is composed of technology, people, and tools. This matters because a process involves time and interaction between entities, and many of the hard problems in security stem from that interaction.

What is a Risk (Generic)?
- A definable event
- Probability of occurrence
- Consequence (impact) of occurrence
A risk is not a problem. A problem is a risk whose time has come.

Assessing Risk
The security risk management process is made up of the following parts; this session focuses on Assessing Risk:
- Security risk management concepts
- Identifying security risk management prerequisites
- Assessing risk
- Conducting decision support
- Implementing controls and measuring program effectiveness

Overview of the Assessing Risk Phase
The four phases of the security risk management process form a cycle:
1. Assessing Risk: plan risk data gathering, gather risk data, prioritize risks
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness

Understanding the Planning Step
The primary tasks in the planning step include the following:
- Alignment
- Scoping
- Stakeholder acceptance
- Setting expectations

Understanding Facilitated Data Gathering
Elements collected during facilitated data gathering include:
- Organizational assets
- Asset description
- Security threats
- Vulnerabilities
- Current control environment
- Proposed controls
Keys to successful data gathering include:
- Meet collaboratively with stakeholders
- Build support
- Understand the difference between discussing and interrogating
- Build goodwill
- Be prepared

Identifying and Classifying Assets
An asset is anything of value to the organization, and each asset is classified as one of the following:
- High business impact
- Moderate business impact
- Low business impact

Organizing Risk Information
Use the following questions as an agenda during facilitated discussions:
- What asset are you protecting?
- How valuable is the asset to the organization?
- What are you trying to avoid happening to the asset?
- How might loss or exposure occur?
- What is the extent of potential exposure to the asset?
- What are you doing today to reduce the probability or the extent of damage to the asset?
- What are some actions that you can take to reduce the probability in the future?

Estimating Asset Exposure
Exposure: the extent of potential damage to an asset. Use the following guidelines to estimate asset exposure:
- High exposure: severe or complete loss of the asset
- Medium exposure: limited or moderate loss
- Low exposure: minor or no loss

Estimating Probability of Threats
Use the following guidelines to estimate the probability for each threat and vulnerability identified:
- High threat: likely; one or more impacts expected within one year
- Medium threat: probable; impact expected within two to three years
- Low threat: not probable; impact not expected to occur within three years

Facilitating Risk Discussions
The facilitated risk discussion meeting is divided into the following sections:
1. Determining organizational assets and scenarios
2. Identifying threats
3. Identifying vulnerabilities
4. Estimating asset exposure
5. Estimating probability of exploit and identifying existing controls
6. Meeting summary and next steps

Defining Impact Statements
Impact data includes the following information:

Understanding Risk Prioritization
Risk prioritization proceeds through the following steps:
1. Start risk prioritization
2. Conduct summary-level risk prioritization, producing the summary-level risk list
3. Review with stakeholders
4. Conduct detailed-level risk prioritization, producing the detailed-level risk list
5. End of risk prioritization

Conducting Summary-Level Risk Prioritization
Probability levels used at this stage:
- High: likely; one or more impacts expected within one year
- Medium: probable; impact expected within two to three years
- Low: not probable; impact not expected to occur within three years
The summary-level prioritization process includes the following:
1. Determine impact level
2. Estimate summary-level probability
3. Complete the summary-level risk list
4. Review with stakeholders

Conducting Detailed-Level Risk Prioritization
The following four tasks outline the process to build a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level
Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).
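As an added illustration of the detailed-level prioritization tasks above (this is example code, not the presentation's template), the following Python rates each risk on the session's three-level scales: the business-impact class of the asset is combined with its exposure to give an impact level, that impact level is combined with the estimated probability of impact to give a risk level, and the register is sorted highest risk first. The two lookup tables that define how the levels combine, the RiskItem fields and the sample register are assumptions made for the example.

```python
"""Qualitative risk prioritization on the session's three-level scales.

Added example, not from the presentation: IMPACT_MATRIX and RISK_MATRIX are
assumed combination rules, and the register below is constructed.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")      # exposure / probability / risk scale
CLASSES = ("Low", "Moderate", "High")   # business-impact classes of an asset


@dataclass
class RiskItem:
    asset: str
    asset_class: str        # High / Moderate / Low business impact
    threat: str
    exposure: str           # High / Medium / Low extent of potential damage
    probability: str        # High (within 1 yr) / Medium (2-3 yrs) / Low (>3 yrs)
    current_controls: list = field(default_factory=list)   # task 2, recorded as-is


# Assumed: business-impact class x exposure -> impact level (task 1)
IMPACT_MATRIX = {
    ("High", "High"): "High",       ("High", "Medium"): "High",       ("High", "Low"): "Medium",
    ("Moderate", "High"): "High",   ("Moderate", "Medium"): "Medium", ("Moderate", "Low"): "Low",
    ("Low", "High"): "Medium",      ("Low", "Medium"): "Low",         ("Low", "Low"): "Low",
}

# Assumed: impact level x probability of impact -> detailed risk level (task 4)
RISK_MATRIX = {
    ("High", "High"): "High",       ("High", "Medium"): "High",       ("High", "Low"): "Medium",
    ("Medium", "High"): "High",     ("Medium", "Medium"): "Medium",   ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",      ("Low", "Medium"): "Low",         ("Low", "Low"): "Low",
}


def impact_level(asset_class: str, exposure: str) -> str:
    """Task 1: combine the asset's business-impact class with its exposure."""
    if asset_class not in CLASSES or exposure not in LEVELS:
        raise ValueError(f"unknown scale value: {asset_class!r}, {exposure!r}")
    return IMPACT_MATRIX[(asset_class, exposure)]


def risk_level(impact: str, probability: str) -> str:
    """Task 4: combine impact level with the probability of impact."""
    if impact not in LEVELS or probability not in LEVELS:
        raise ValueError(f"unknown scale value: {impact!r}, {probability!r}")
    return RISK_MATRIX[(impact, probability)]


def prioritize(items):
    """Return (risk_level, impact_level, item) tuples, highest risk first."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    rated = []
    for it in items:
        imp = impact_level(it.asset_class, it.exposure)
        rated.append((risk_level(imp, it.probability), imp, it))
    # Sort by risk level, then by impact level as the tie-breaker
    rated.sort(key=lambda r: (rank[r[0]], rank[r[1]]), reverse=True)
    return rated


# Constructed register for illustration only
REGISTER = [
    RiskItem("Customer database", "High", "Unauthorized disclosure of records",
             "High", "Medium", ["access reviews"]),
    RiskItem("Intranet wiki", "Low", "Content tampering", "Medium", "High"),
    RiskItem("Payroll system", "Moderate", "Insider fraud", "Medium", "Low",
             ["segregation of duties"]),
]

if __name__ == "__main__":
    for lvl, imp, it in prioritize(REGISTER):
        print(f"{lvl:6} risk  impact={imp:6}  {it.asset}: {it.threat}  "
              f"controls={it.current_controls}")
```

The matrices are the point to agree with stakeholders before the detailed list is built: a different mapping changes the ordering, so it should be written down and reviewed rather than left implicit in the spreadsheet.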

Quantifying Risk
The following tasks outline the process to determine the quantitative value:
1. Assign a monetary value to each asset class
2. Input the asset value for each risk
3. Produce the single-loss expectancy value (SLE)
4. Determine the annual rate of occurrence (ARO)
5. Determine the annual loss expectancy (ALE)
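The five quantification tasks above carried through in Python, as an added example that is not part of the presentation: SLE is the asset value multiplied by the fraction of that value lost in one occurrence (the exposure factor), and ALE is SLE multiplied by the ARO. The exposure factors, the ARO values and the tables that translate the session's qualitative exposure and probability bands into numbers are assumptions made for the example, as are the asset values.

```python
"""Quantitative risk: SLE = asset value x exposure factor; ALE = SLE x ARO.

Added example, not from the presentation. ARO_FROM_BAND and
EXPOSURE_FACTOR_FROM_BAND are assumed translations of the qualitative
bands, and the register values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    asset: str
    asset_value: float       # tasks 1-2: monetary value assigned to the asset
    exposure_factor: float   # fraction of the asset value lost in one occurrence (0..1)
    aro: float               # task 4: expected number of occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Task 3: SLE, the monetary loss from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Task 5: ALE, the expected loss per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


# Assumed numeric translation of the session's probability bands:
# "one or more per year" -> 1.0, "once in two to three years" -> 1/2.5,
# "not within three years" -> 1/5.
ARO_FROM_BAND = {"High": 1.0, "Medium": 1 / 2.5, "Low": 1 / 5}
# Assumed translation of the exposure bands (severe / limited / minor loss)
EXPOSURE_FACTOR_FROM_BAND = {"High": 0.8, "Medium": 0.4, "Low": 0.1}


def from_qualitative(asset: str, asset_value: float,
                     exposure_band: str, probability_band: str) -> QuantRisk:
    """Build a QuantRisk from the qualitative ratings gathered in the workshop."""
    return QuantRisk(asset, asset_value,
                     EXPOSURE_FACTOR_FROM_BAND[exposure_band],
                     ARO_FROM_BAND[probability_band])


def evaluate(risks):
    """Return (asset, SLE, ALE) rows sorted by ALE, largest first."""
    rows = []
    for r in risks:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        rows.append((r.asset, sle, annual_loss_expectancy(sle, r.aro)))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed register for illustration only
REGISTER = [
    QuantRisk("Customer database", 500_000.0, 0.6, 0.4),
    from_qualitative("Intranet wiki", 20_000.0, "Medium", "High"),
    from_qualitative("Payroll system", 250_000.0, "Medium", "Low"),
]

if __name__ == "__main__":
    for asset, sle, ale in evaluate(REGISTER):
        print(f"{asset:18} SLE={sle:>12,.0f}  ALE={ale:>12,.0f}")
```

The ALE column is what feeds the decision-support phase: it gives a yearly figure to set against the yearly cost of a proposed control, which is how the risk is communicated in business terms.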

Qualitative Risks Matrix

Assessing Risk: Best Practices
- Analyze risks during the data gathering process
- Conduct research to build credibility for estimating probability
- Communicate risk in business terms
- Reconcile new risks with previous risks