IT-Risk-Management Best Practice
•
2 gostaram•1,857 visualizações
Referat von Umberto Annino im Rahmen des Hacking Day 2014.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (19)
Semelhante a IT-Risk-Management Best Practice
Semelhante a IT-Risk-Management Best Practice (20)
Mais de Digicomp Academy AG
Mais de Digicomp Academy AG (20)
Último
Último (20)
IT-Risk-Management Best Practice
- 1. IT Risk Management Digicomp Hacking Day, 11.06.2014 Umberto Annino
- 2. • Wer spricht? Umberto Annino WirtschaCsinformaEker, InformaEon Security • Was ist ein Risiko? ! Sicherheit ist das Komplementärereignis zum Risiko ! Risiko ist Schaden mit Potenzial 2
- 3. Risiko 3 Gefahr Bedrohung Schwach-‐ stelle Asset Risiko
- 4. Realitätsabgleich Compliance? Risk Management? OperaEonal Risk, Business ConEnuity? IT, InformaEon Security – Cyber Security? Red Team, Threat Modeling, APT and openSSL? Big Data??? Security ™ vs. Compliance ™ 4
- 5. IT Risiko in der Risiko-‐Hierarchie 5
- 6. COSO Enterprise Risk Management Framework 6
- 7. ISO 31000 Risk Mgmt (2009) Guidelines and Principles and Framework 7
- 8. ISO 31000 Framework 8
- 9. ISO 31000 Processes 9
- 10. ISO 31000 -‐ Processes 10 Design of framework for managing risk Understanding of the organisaEon and its context Establishing risk management policy Accountability IntegraEon into organisaEonal processes Resources Establishing internal communicaEon and reporEng mechanisms Establishing external communicaEon and reporEng mechanisms ImplemenEng risk management ImplemenEng the framework for managing risk ImplemenEng the risk management process Monitoring and review of the framework ConEnual improvement of the framework ! Mandate and commitment
- 11. ISO 31000 -‐ Processes 11 Risk Management Process CommunicaEon and consultaEon Establishing the external context Establishing the internal context Establishing the context of the risk management process Defining risk criteria Risk assessment Risk idenEficaEon Risk analysis Risk evaluaEon Risk treatment Monitoring and review Recording the risk management process
- 12. ISO 31000 Acributes of enhanced risk management • Key outcomes – The organisaEon has a current, correct and comprehensive understanding of its risks – The organisaEon‘s risks are within its risk criteria • Acributes – ConEnual improvement – Full accountability for risks – ApplicaEon of risk management in all decision making – ConEnual communicaEons – Full integraEon in the organisaEon‘s governance structure 12
- 13. ISO 27005 InformaEon Security Risk Management 13
- 14. ISO 27005 Context Establishment 14 Basic Criteria Risk management approach Risk evaluaEon criteria Impact criteria Risk acceptance criteria ! Scope and Boundaries ! OrganisaEon for informaEon security risk management
- 15. ISO 27005 InformaEon security risk assessment 15 Risk idenEficaEon IdenEficaEon of assets IdenEficaEon of threats IdenEficaEon of exisEng controls IdenEficaEon of vulnerabiliEes IdenEficaEon of consequences Risk analysis Risk analysis methodologies Assessment of consequences Assessment of incident likelihood Level of risk determinaEon
- 16. ITGI RiskIT Framework PosiEonierung 16
- 17. IT Risk (high level) categories 17
- 19. Risk maps... • Risk appeEte • Risk tolerance • Risk culture 19
- 20. Risk culture 20
- 21. IT risk scenario development 21
- 22. Risk scenario components 22
- 23. Aber: scenario based... ! keeping it real! 23
- 24. IT Risk Response opEons and prioriEsaEon 24
- 25. Verwalten von IT Risiken Risiko management Risiko analyse Risiko idenEfikaEon Konsolidierung Link to business Risiko bewertung QuanEtaEv QualiEaEv StaEsEsche Basis Risiko lenkung Risiko bearbeitung Admin Disziplin/ Aufwand Kosten ROI Risiko tracking Nachvollzieh-‐ barkeit Konstanz (Zahlen) 25
- 26. QuanEfizieren von IT Risiken 26 Big Data? Loss DB? Komplexität von InformaEonssystemen (und SoCware)?
- 27. QuanEfizieren von IT Risiken • In der Praxis eher qualitaEv stac quanEtaEv – Fehlende staEsEsche Basis – Prinzipiell komplexe Systeme – Wenig akuter Bedarf zur QuanEfizierung ! über Verknüpfung mit Business Process • Konsolidierung der Werte für Management ReporEng als Grundlage für QuanEfikaEon • In der Praxis eher „erste Schrice“ stac best pracEse • ISO 27005, ITGI RiskIT Framework und PracEcEoner Guide bieten brauchbare Grundlagen (Framework) 27
- 28. Risk Treatment 28 Risk treatment Avoid Eliminate Reduce Minimize Transfer Externalize Accept Residual Risk Controls Measures Avoid / Verhindern Detect / Entdecken Minimize / Eindämmen
- 29. Risk Treatment – ISO 27005 29
- 30. Konsolidieren von IT Risiken Disjointed risks 30
- 31. Konsolidieren von IT Risiken shared risks 31
- 32. 32