Document Risk Management
Philip Meulenberghs
Agenda
1. Document risk management
2. EBIOS
3. EBIOS Case
4. Conclusions
1. Document risk management
Four questions about document management
1. What is it?
2. Why does it matter?
3. What if it fails?
4. How to protect against failure?
1. Document Risk Management
1. What is it?
Corporate documents: all types of documents created or received by employees during business activities.
Documents have a lifecycle.
What is a document management programme?
• Systematic management of the entire document lifecycle of corporate documents, including:
– an inventory of records
– which records to keep
– which records to archive
– which records to destroy
About document management
2. Why does it matter?
– control of the cost of storage
– control of the risk
3. What if it fails?
– risk of inefficiency
– risk of loss and compromise of records
– risk of infringement of data protection laws, prosecution, fines
– risk of reputational damage
About document management
4. How to protect against failure?
1. document management programme.
2. document RISK management programme.
2. Document Risk Management
• Documents contain information: often a valuable intangible asset of corporations. Document risk is therefore information risk.
• Risk is the effect of uncertainty on objectives.
• Organisations want predictable results, so they need to manage this uncertainty.
• Document risk can be efficiently managed by implementing a comprehensive programme:
– compliant with internationally accepted standards
– using validated and practical standard methods
International Standards (most relevant ones)
• ISO 31000: Risk Management
• BS 31100: Code of Practice for Risk Management
• ISO Guide 73: vocabulary
• ISO 27001: ISMS
• ISO 27003: Implementation of the ISMS
• ISO 27005: Information Security Risk Management
Risk management process according to ISO 31000
Methods
1. Österreichisches IT-Sicherheitshandbuch (Austrian IT Security Handbook)
2. CRAMM (CCTA Risk Analysis and Management Method)
3. A&K analyse (Afhankelijkheids- en Kwetsbaarheidsanalyse)
4. EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
5. ISAMM or ‘Information Security Assessment & Monitoring Method’
6. Information Security Forum (ISF) tools
7. MAGERIT
8. MARION
9. MEHARI
10. MIGRA
11. OCTAVE®
12. SP 800-30 (NIST): Risk Management Guide for Information Technology Systems
2. EBIOS
• Comprehensive: set of guides covers the whole process of ISO 31000.
• Professional: developed by ANSSI.
• Validated: in use since 1995, Club EBIOS since 2003.
• Practical: Club EBIOS manages a user network and a knowledge base.
• Open & transparent: can be customised by the user (vs. the black-box approach of some other tools).
• Flexible: can be used for detailed as well as strategic risk management.
• Universal: can be used for any type of risk.
• Integrated: compliant with (ISO) standards.
• Well documented: training & documentation available.
• Cheap: can be used for free.
2. EBIOS
EBIOS STRUCTURE
5 EBIOS Modules
By applying the 5 EBIOS modules you are sure of covering the ISO 31000 risk management process.
Sample (Module 1)
Activity 1.1: Definition of the environment for risk management
• Action 1: framework, objectives and action plan
• Action 2: internal and external context
• Action 3: perimeter of the study
• Action 4: parameters to take into account
• Action 5: most relevant threat sources
Activity 1.2: Preparing the metrics
• Action 1: security criteria and scales
• Action 2: gravity scale (impact)
• Action 3: likelihood scale
• Action 4: risk scale
Activity 1.3: Identifying the assets
• Action 1: essential assets
• Action 2: supporting assets
• Action 3: interdependencies between them
• Action 4: analysis of existing security measures
Objectivity is maximised by analysing impact and likelihood separately.
3. EBIOS CASE
• TELCO: small telecom installation company, approx. 10 staff, works for telecom providers such as Belgacom, Telenet and others.
• Has many competitors (‘price war’).
• Is losing market share and contracts to one particular competitor.
• CEO fears price info could be compromised.
• Wants a «document risk» study, about the offers in particular.
3. EBIOS CASE
TELCO: Document Risk Management: action plan

Role columns: CEO | Secretariat & Assistance | Resources | Studies & Calculations | Sales | Installers. The role codes follow the RACI convention (A = Accountable, R = Responsible, C = Consulted, I = Informed); the legend itself is not spelled out on the slide.

Ref | EBIOS module | EBIOS activity | CEO | Secr. | Res. | Studies | Sales | Inst. | Document to deliver | Man-days required
A | 1 | Activity 1.1 - setting the framework for the risk management project | A | I | I | C | R | I | Objectives of the study | 1
B | 1 | Activity 1.2 - preparing the metrics | R | I | I | I | I | I | Table with metrics and scale | 1
C | 1 | Activity 1.3 - identifying the assets | A | C | C | A | C | C | Table with essential and supporting assets | 2
D | 2 | Activity 2.1 - identifying the feared events | R | I | C | C | C | C | Inventory of feared events | 2
E | 3 | Activity 3.1 - evaluating the threat scenarios | A | I | C | C | R | C | List of most relevant threat scenarios and likelihood | 2
F | 4 | Activity 4.1 - assessing the risks | A | C | C | C | R | C | Risk assessment matrix | 1
G | 4 | Activity 4.2 - treating the risks | A | C | C | R | C | C | Information security strategy for offers | 3
H | 5 | Activity 5.1 - formalising the required security measures | A | I | C | R | C | C | Internal security policy for offers | 1
Module 1
Activity 1.1: FRAMEWORK
1. Objective (set by CEO): « reduce the risk of disclosure of confidential offers to competitors »
2. Organisational perimeter
3. Technological perimeter
4. Parameters:
- application of ISO 31000
- use of EBIOS
Module 1
Activity 1.2: METRICS
1. Security (quality) criteria and scales
= scale for confidentiality:
• Compromised (unknown)
• Compromised & detected
• Under control
2. Gravity and likelihood scales
Gravity (= impact):
• Critical
• Important
• Unimportant
Likelihood:
• Almost certain
• Possible
• Unlikely
3. Risk criteria (risk level as a function of the likelihood of the scenario and the impact of the feared event):

RISK                     | unimportant impact | important impact  | critical impact
unlikely scenario        | acceptable risk    | acceptable risk   | acceptable risk
possible scenario        | acceptable risk    | significant risk  | unacceptable risk
almost certain scenario  | unacceptable risk  | unacceptable risk | unacceptable risk
Module 1
Activity 1.3: Identifying the ASSETS
1. Essential asset
• The offer (the price)
2. Supporting assets
• Staff, equipment etc.
Modules 2 and 3
Activities 2.1 and 3.1: Feared events and threat scenarios
3. Feared event (IMPACT)
• The worst thing that could happen to our essential asset: systematic compromise of our offer prices without our knowing about it
4. Threat scenarios (LIKELIHOOD)
• How could the feared events happen?
• Through threats that affect the supporting assets
• Scenarios: corruption of persons, hacking of equipment, etc.
Module 4
Activity 4.1: Assessing the risks
Risk assessment matrix (rows: likelihood of the scenario; columns: impact of the feared event, unimportant / important / critical):
unlikely: cell phone is hacked; sales manager or studies engineer corrupt → treatment: ACCEPT
possible: laptop is lost; cell phone is overheard; printouts of offers forgotten on the printer; laptop is stolen; sales manager or studies engineer not careful; wifi is hacked; laptop is hacked → treatments per impact column: Awareness / Awareness / Encryption
almost certain: no scenarios
Activity 4.2: Action plan
• Each risk: avoid, reduce, accept or transfer
• Cell phone hacked: accept
• Sales manager or studies engineer corrupt: accept
• Laptop lost: awareness campaign
• Sales manager not careful: awareness clause in contract
• Wifi hacked: encryption of files + firewall
• Etc.
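The risk criteria of Activity 1.2 and the assessment and treatment steps of Activities 4.1 and 4.2, worked through in code. This is an added example and is not part of the original slides or of the EBIOS guides: the scale names and the risk-criteria matrix are taken from the case, while the gravity and likelihood rating given to each scenario, and the names risk_level, required_treatment, assessment_matrix, check_action_plan, TELCO_SCENARIOS and TELCO_PLAN, are assumptions made here.

```python
"""EBIOS-style risk assessment of the TELCO case: metrics first, then feared
events and threat scenarios rated separately, then the risk matrix and the
treatment decision. Added example; the ratings per scenario are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Module 1, Activity 1.2: the scales are agreed BEFORE anything is assessed.
GRAVITY = ("unimportant", "important", "critical")       # impact of the feared event
LIKELIHOOD = ("unlikely", "possible", "almost certain")   # likelihood of the threat scenario

# Risk criteria as on the case slide: RISK_CRITERIA[likelihood][gravity] -> risk level.
RISK_CRITERIA = {
    "unlikely":       {"unimportant": "acceptable",   "important": "acceptable",   "critical": "acceptable"},
    "possible":       {"unimportant": "acceptable",   "important": "significant",  "critical": "unacceptable"},
    "almost certain": {"unimportant": "unacceptable", "important": "unacceptable", "critical": "unacceptable"},
}


@dataclass(frozen=True)
class Scenario:
    name: str
    gravity: str      # rated with the feared event (Module 2), independently of likelihood
    likelihood: str   # rated with the threat scenario (Module 3), independently of gravity


def risk_level(scenario):
    """Activity 4.1: combine the two separate ratings through the agreed criteria.
    A rating that is not on the agreed scale is a metrics error and is rejected."""
    if scenario.gravity not in GRAVITY:
        raise ValueError(f"{scenario.name}: gravity {scenario.gravity!r} is not on the agreed scale")
    if scenario.likelihood not in LIKELIHOOD:
        raise ValueError(f"{scenario.name}: likelihood {scenario.likelihood!r} is not on the agreed scale")
    return RISK_CRITERIA[scenario.likelihood][scenario.gravity]


def required_treatment(level):
    """Activity 4.2: acceptable risks can be accepted as they are; every other
    level must be treated (avoid, reduce or transfer). The case reduces them all."""
    return "accept" if level == "acceptable" else "reduce"


def assessment_matrix(scenarios):
    """Deliverable of Activity 4.1: scenario names grouped per (likelihood, gravity) cell."""
    cells = defaultdict(list)
    for s in scenarios:
        cells[(s.likelihood, s.gravity)].append(s.name)
    return dict(cells)


def check_action_plan(scenarios, planned_measures):
    """Names of scenarios rated above 'acceptable' that have no planned measure."""
    return [s.name for s in scenarios
            if risk_level(s) != "acceptable" and not planned_measures.get(s.name)]


# Constructed input: the threat scenarios named on the case slide, in slide order.
# The gravity/likelihood pairs are assumptions for this example; the slide's matrix
# does not state them unambiguously.
TELCO_SCENARIOS = [
    Scenario("cell phone is hacked", "important", "unlikely"),
    Scenario("sales manager or studies engineer corrupt", "critical", "unlikely"),
    Scenario("laptop is lost", "important", "possible"),
    Scenario("cell phone is overheard", "important", "possible"),
    Scenario("printouts of offers forgotten on the printer", "important", "possible"),
    Scenario("laptop is stolen", "critical", "possible"),
    Scenario("sales manager or studies engineer not careful", "important", "possible"),
    Scenario("wifi is hacked", "critical", "possible"),
    Scenario("laptop is hacked", "critical", "possible"),
]

# Measures taken from the case's action plan and "result of the study" slides, keyed by scenario.
TELCO_PLAN = {
    "laptop is lost": "awareness campaign; report loss immediately",
    "cell phone is overheard": "no price discussion over the cell phone where it can be overheard",
    "printouts of offers forgotten on the printer": "PIN-code printing, shredders, clean desk",
    "laptop is stolen": "encryption of documents with price info; report theft immediately",
    "sales manager or studies engineer not careful": "awareness clause in contract",
    "wifi is hacked": "encryption of files + firewall",
    "laptop is hacked": "encryption of documents with price info",
}

if __name__ == "__main__":
    for s in TELCO_SCENARIOS:
        level = risk_level(s)
        print(f"{s.name:48} {s.likelihood:10} {s.gravity:12} -> {level:12} {required_treatment(level)}")
    print("scenarios above 'acceptable' without a measure:", check_action_plan(TELCO_SCENARIOS, TELCO_PLAN))
```

check_action_plan is the check a reviewer would run before the information security strategy goes to the CEO: every scenario rated significant or unacceptable must carry a planned measure, and a rating outside the agreed scales is rejected before it reaches the matrix, which is what fixing the metrics in Activity 1.2 before the assessment buys you.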
Result of the study
1. Encryption of electronic documents containing price info.
2. The personnel shall report loss or theft of laptop computers immediately.
3. It is not allowed to discuss price information over the cell phone when this can be overheard (e.g. in the train).
4. Paper documents:
- When offers are printed the personnel shall use the PIN code.
- Shredders shall be used to destroy all paper drafts.
- All hard copies shall be locked away.
- A clean desk policy shall be applied.
5. The personnel shall sign a confidentiality agreement.
6. Any loss or compromise of price information shall be reported to the CEO immediately.
4. Conclusions
• Documents and records need to be managed to avoid cost & risk.
• Risk = effect of uncertainty on objectives.
• Uncertainty needs to be managed because corporations want predictable results.
• Document risk is best managed in line with international standards and by using existing methods.
• EBIOS is an example of a comprehensive method which can achieve this.
4. CONCLUSIONS


Editor's notes

  1. Planning: 1 minute
  2. Timing: 2 minutes. Document management is about all the documents that are used by employees in the context of their professional duties, regardless of the form of the document (paper, electronic file etc.), as illustrated in the drawing.
  3. Timing: + 3 minutes. The same info in a document can be exposed to different types of risk depending on the stage in the lifecycle.
  4. Timing: + 4 minutes
  5. Timing: + 5 minutes
  6. Timing: + 6 minutes
  7. Timing: + 6.5 minutes
  8. Timing: + 7 minutes
  9. Timing: + 7.5 minutes
  10. Timing: + 8.5 minutes
  11. Timing: + 9 minutes. In EBIOS you are free to use all the modules, activities and actions or only a part of them. You can go into as much detail as you want, or not at all. You can change the order of things and adapt the method to your own needs.
  12. Timing: + 10 minutes
  13. Timing: + 11 minutes
  14. Timing: + 12 minutes
  15. Timing: + 13 minutes
  16. Timing: + 14 minutes. Not going into the detail of the action plan, just explaining that EBIOS offers detailed guidance for how to make an action plan. Here we agree on what we will do and what we will deliver, and what not. To my personal sense this is a good method, but of course a risk manager is free to use another method for this (flexibility of EBIOS), for example if there is already a standard tool for this in the company.
  17. Timing: + 15 minutes. EBIOS foresees making clear agreements (framework) before starting the detail of the study. It is very important indeed that some basic assumptions (for example the objectives or the perimeter, what is included and what not) are not changed halfway through the study.
  18. Timing: + 16 minutes. Metrics are the way we will measure things. In EBIOS this is done beforehand, so that the study is as objective as possible (it is very difficult to do an objective risk assessment if the scale is not agreed upon). The likelihood and the gravity can be either quantitative or qualitative (description).
  19. Timing: + 17 minutes
  20. Timing: + 18 minutes
  21. Timing: 19 minutes
  22. Timing: 20 minutes