Risk Management / Information Security

The process of risk management
In its most basic form, the risk management process is closed loop, or iterative, providing a feedback mechanism for continuous
process improvement. The current ISO17799-3 standard addresses the application of this process as an information security
technique. A process-based ISMS provides the framework within which to implement this technique.
Information Security Program
A comprehensive information security program should address strategic, tactical, and operational risk. An information security program is a strategic risk initiative, managed by a tactical risk-based ISMS. This structure allows ready identification and mitigation of operational risk. For example:
• The scope of strategic risk is enterprisewide and focused on the risk-mitigating services required by the enterprise.
• The scope of tactical risk is programwide and focused on the risk-mitigating processes required by the strategic services.
• The scope of operational risk is based upon a discrete domain that stores, transmits, or processes information in any form. This domain-specific risk is focused on the people, procedure, and products that integrate into the risk-mitigating process.
Threat Forecasting
Threats are negative events that occur when a vulnerability or weakness is exploited. Threat forecasting is a proactive process to
predict future risk based upon identified or perceived vulnerability. Threats span the organization at all levels.
• Threats may be strategic, or enterprisewide, such as regulatory noncompliance.
• Threats may be tactical, based upon organizational vulnerabilities, such as ineffective programs.
• Threats may be operational, based upon technical vulnerabilities.
Threat forecasting examines multiple information sources or sensors. Threat sensors may include:
• Legal or regulatory analysts
• Program reviews
• Technical bulletins from vendors or analysts
The potential rate of change to the threat environment must be considered and may drive the frequency of triggering the threat
forecasting processes. For example, a strategic threat such as noncompliance with emerging regulations typically has a longer
tolerable reaction time than an operational threat such as emerging technical vulnerabilities.
Risk Assessment
The processes of threat forecasting and incident evaluation identify relevant threats and vulnerabilities. However, relevant
threats and vulnerabilities are not necessarily risks. Identified threats and vulnerabilities must be quantified to determine the
existence and magnitude of risk within the applicable environment. Quantified risk allows for defensible prioritization of
remediation efforts as well as informed-choice (defensible) decision making.

Assessment Scope

Strategic Assessment
Strategic risk assessments look at enterprise business processes that span multiple domains. Not all assessed business processes have information risk.

Tactical Assessment
Tactical risk assessments look at the ability of the information security program to identify and mitigate relevant strategic risk to information.

Operational Assessment
Operational risk assessments look at a domain’s ability to meet tactical control objectives in protecting specific information assets. Technical vulnerability assessments are an example of a specifically focused type of operational risk assessment.
Risk Tolerance
Having identified and evaluated the risks attached to specific vulnerabilities, the risks must be addressed. Decisions on risk are
based upon the organization’s risk tolerance thresholds and include the following options.

Avoid Risk
Risk may possibly be avoided, for example, by relocating a data center.

Accept Risk
Risk may be accepted, although diligence requires care regarding:
• Who is authorized to accept what level of risk
• How risk acceptance is based upon informed-choice decision making
• Whether the aggregation of accepted risk remains tolerable

Transfer Risk
Risk may be transferred to someone with a higher risk tolerance, for example, an insurance company.
Mitigate Risk
Risk may be mitigated to an acceptable level through the application of compensating controls. It is not practical to eliminate risk completely, only to reduce risk to an acceptable level.

Control Objectives
Control objectives serve as the glue to bind specific vulnerabilities to specific controls. Defining control objectives is the first step in deriving the corresponding control requirements to mitigate the risk associated with the vulnerability. Control objectives give a risk-based justification to allocation of resources.

Selection of Controls

Discretionary Controls
Discretionary controls are controls that can weigh cost versus benefits. In general, the cost of mitigating a risk needs to be balanced by the benefits obtained. This is essentially a cost–benefit analysis on “at what cost” the risk is acceptable. It is important to consider all direct and indirect costs and benefits, whether tangible or intangible and measured in financial or other terms. More than one option can be considered and adopted either separately or in combination. For example, mitigating controls such as support contracts may reduce risk to a certain degree, with residual risk transferred via appropriate insurance or risk financing.

Mandatory Controls
Mandatory controls differ from discretionary controls in that cost has no bearing on the selection of mandatory controls. These are controls that must be implemented to mitigate specific risks. There may be no risk acceptance option due to legal and regulatory requirements, for example.
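As an added example (not code from the slide deck), the Python below models the acceptance diligence checks from Risk Tolerance together with the discretionary versus mandatory control selection from Selection of Controls: risk is quantified as likelihood times impact, mandatory controls are always selected, a discretionary control is selected only when its cost is below the loss it avoids, the residual is checked against a per-role acceptance authority, and the aggregate of accepted residual risk is checked against an organisational tolerance. The authority table, the tolerance, the 1..5 scoring scale, the exposure figures and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed authority table: highest residual risk score each role may accept.
ACCEPTANCE_AUTHORITY = {"domain_owner": 6, "program_manager": 12, "ciso": 20}
# Constructed tolerance for the sum of all residual risk the organisation has accepted.
AGGREGATE_TOLERANCE = 10

@dataclass
class Control:
    name: str
    cost: float              # annual cost (constructed currency units)
    reduction: int           # risk-score points removed when the control is applied
    mandatory: bool = False  # legal/regulatory: cost has no bearing on selection

@dataclass
class Risk:
    rid: str
    likelihood: int          # 1..5, from the risk assessment
    impact: int              # 1..5, from the risk assessment
    exposure: float          # expected annual loss if left untreated
    controls: list = field(default_factory=list)

    @property
    def score(self) -> int:  # quantified risk (existence and magnitude)
        return self.likelihood * self.impact

def select_controls(risk: Risk) -> list:
    """Mandatory controls are always chosen; discretionary ones only when cost < avoided loss."""
    chosen = []
    for c in risk.controls:
        avoided_loss = risk.exposure * c.reduction / risk.score
        if c.mandatory or c.cost < avoided_loss:
            chosen.append(c)
    return chosen

def can_accept(role: str, residual: int) -> bool:
    """Diligence check: is this role authorised to accept this level of risk?"""
    return ACCEPTANCE_AUTHORITY.get(role, -1) >= residual

def triage(risk: Risk, role: str) -> tuple:
    """Return (selected control names, residual score, decision) for one risk."""
    chosen = select_controls(risk)
    residual = max(0, risk.score - sum(c.reduction for c in chosen))
    if residual == 0:
        decision = "mitigated"
    elif can_accept(role, residual):
        decision = "accept"
    else:
        decision = "escalate"  # a higher authority must accept, transfer or avoid it
    return [c.name for c in chosen], residual, decision

def aggregate_within_tolerance(accepted_residuals: list) -> bool:
    """Diligence check: does the aggregation of accepted risk remain tolerable?"""
    return sum(accepted_residuals) <= AGGREGATE_TOLERANCE

def run_register(register: list, role: str) -> tuple:
    """Triage every risk for one decision-maker; also check the accepted aggregate."""
    results = {r.rid: triage(r, role) for r in register}
    accepted = [res for (_, res, dec) in results.values() if dec == "accept"]
    return results, aggregate_within_tolerance(accepted)

# Constructed sample register (not from the deck).
REGISTER = [
    Risk("R1", 4, 5, 50_000.0, [Control("encryption at rest", 8_000.0, 8, mandatory=True),
                                Control("vendor support contract", 30_000.0, 4),
                                Control("restore testing", 5_000.0, 6)]),
    Risk("R2", 3, 4, 20_000.0, [Control("monthly patch cadence", 9_000.0, 6)]),
    Risk("R3", 5, 5, 100_000.0, [Control("network segmentation", 40_000.0, 10)]),
]
```

Calling run_register(REGISTER, "domain_owner") accepts R1 and R2 at a residual of 6 each, escalates R3 because no listed role may sign off a residual of 25, and reports the accepted aggregate of 12 as exceeding the tolerance of 10.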
Risk Metrics

Process Metrics
A process by definition has a CSF (critical success factor) defining the successful execution of the process. The CSF is evaluated via process key performance indicators. Key performance indicators are evaluated via process metrics. Whereas process design deals with process effectiveness, process execution deals with process efficiency. For example, a risk-mitigating operational “incident response” process (a reactive control) has been designed to be tactically effective, but the performance indicators look at operational efficiency factors such as “time to respond.”

Program Metrics
Program metrics typically measure process effectiveness. These tactical process effectiveness metrics require a “history” against which to measure, with value being enhanced by history length. This type of evaluation is synergistic with maturity modeling, because maturity modeling is by nature history-based.

Environmental Metrics
Environmental metrics are of value when trying to evaluate an organization’s risk profile and resultant risk strategy. For example, a response process (reactive control) may be triggered frequently, giving insight into the external environment. This metric says nothing about the efficiency or effectiveness of the information security program, but may add justification to its existence or tactics.
