Risk Management 101

Published in: Business, Economy & Finance

1. Risk Management 101
   Barry Caplin, Chief Information Security Officer, MN Department of Human Services
   MN Government IT Symposium, Thurs. Dec. 13, 2007, Session 74

2. Agenda
   - In the beginning…
   - Definitions – Threat, Vulnerability, Risk
   - Types of Risk
   - Risk Management components
   - Frameworks and standards
   - Information Risk Management at DHS

3. In The Beginning…

4. In The Beginning… There were Humans…

5. In The Beginning… And Beasts…

6. And the concept of Risk was born...

7. Risk
   - Always been with us
   - Viewed as a negative
   - Attempt to reduce

8. Magic?

9. Definitions

10. Threat
   - Defn: Source or warning of probable impending danger (Actor) – wikipedia
   - Direct/Intended – malicious hacker, thief, malware
   - Indirect/Unintended – user, weather
   - Person or Thing
   - Task: Must analyze assets and environment to determine threats

11. Vulnerability
   - Defn: the state of being exposed; liable to succumb – dictionary.com
   - Measures – physical, financial, operational
   - Task: Must analyze vulnerability to identified threats

12. Impact
   - Defn: to effect, influence or alter – dictionary.com
   - Measures – cost, time delays, damage
   - Task: determine impact of action of threat to which we are vulnerable

13. Threat, Vulnerability, Impact => Risk (probability of event × impact = risk)

14. Risk
   - Defn: Exposure to the chance of injury or loss (Event) – dictionary.com
   - Based on action of threat
   - Components:
     - Probability of occurrence
     - Impact of event
   - Task: Identification and Disposition
   - Accept (or Ignore)
   - Mitigate
   - Transfer

15. Types of Risk
   - Prof. John Adams, University College London
   - UK risk expert
   - Direct – directly perceived – obvious
   - Scientific – determined via science
   - Virtual Risk – everything else!

16. Directly perceived

17. Types of Risk: Perceived through science

18. Types of Risk
   - Virtual Risk
   - What we are all involved in!
   - Project risk/Operational risk
   - Physical/Data security risk
   - Terrorism/Homeland Security
   - Weather

19. Virtual Risk
   - Virtual Risk
   - Difficult to “prove”
   - Experts don’t know or do not agree
   - We don’t know what we don’t know

20. Risk Management
   A discipline for living with the possibility that future events may cause adverse effects.
   http://www.sei.cmu.edu/risk/index.html

21. Risk Management
   - The iterative framework and processes for:
   - Identifying threats (imagining virtual threats)
   - Assessing
   - Evaluating options
   - Acting.

22. Identify Threats
   - Research
   - Survey
   - Brainstorm

23. Assess
   - Threat Assessment
   - Vulnerability Assessment
   - Impact Assessment
   - Risk Assessment
   - Qualitative – subjective scoring
   - Quantitative – objective or measured values

24. Disposition of Risk
   - Accept (or Ignore) – what is the?
   - Mitigate – what is the cost?
   - Transfer – via contract or insurance – what terms? Cost?

25. Economics of Risk Management
   - Cost of control < Cost of loss
   - Cost of compliance (pain) < Cost of circumvention (gain)
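A worked example of the arithmetic behind slides 13, 14, 24 and 25, added here and not part of the original deck: a small quantitative risk register that scores each risk as probability × impact and picks the cheapest disposition (accept, mitigate or transfer) by comparing the cost of a control with the loss it avoids. The risk names, all figures and the `Risk` class layout are constructed assumptions.

```python
"""Added example (not from the slides): a tiny quantitative risk register.
Risk = probability x impact (slide 13); mitigate only when cost of control <
loss avoided (slide 25); dispositions are accept/mitigate/transfer (slide 24).
All figures below are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float            # annual chance the threat acts on the vulnerability (0..1)
    impact: float                 # loss per event, in currency units
    control_cost: float           # annual cost of the proposed mitigating control
    residual_probability: float   # annual chance of the event once the control is in place
    transfer_cost: Optional[float] = None  # annual premium if the loss can be insured

    def expected_loss(self, probability: Optional[float] = None) -> float:
        """Quantitative risk score: probability x impact (annualised expected loss)."""
        p = self.probability if probability is None else probability
        return p * self.impact

    def annual_cost(self) -> Dict[str, float]:
        """Expected annual cost of each disposition option."""
        costs = {
            "accept": self.expected_loss(),
            "mitigate": self.control_cost + self.expected_loss(self.residual_probability),
        }
        if self.transfer_cost is not None:
            costs["transfer"] = self.transfer_cost  # assumes the policy covers the whole loss
        return costs

    def disposition(self) -> str:
        """Cheapest option; mitigation wins only when control cost < loss avoided."""
        costs = self.annual_cost()
        return min(costs, key=costs.get)

def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register by expected loss, highest first (what to decide on first)."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)

# Constructed register: names and numbers are made up for the example.
REGISTER = [
    Risk("Unencrypted laptop with PII stolen", 0.30, 200_000, 20_000, 0.03),
    Risk("Data center flooded", 0.01, 1_000_000, 150_000, 0.001, transfer_cost=8_000),
    Risk("Help desk phished for a password", 0.50, 5_000, 4_000, 0.20),
]
if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:36} expected loss {r.expected_loss():>10,.0f}  -> {r.disposition()}")
```

The decision rule is the deck's simple one (lowest expected annual cost wins); a real register would also carry the qualitative scores from slide 23 and the deductible and exclusions of any transfer contract.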
26. Ineffective Risk Mitigation

27. Evaluate and Act
   - Risk Management Committee or SMT
   - Document decisions
   - Get it done!

28. Frameworks for Risk Management
   - Carnegie Mellon (CMU SEI) – software
   - NIST/FISMA – information systems
   - CRESP – Consortium for Risk Evaluation with Stakeholder Participation – nuclear
   - COSO – Committee Of Sponsoring Organizations – info systems
   - COBIT – Control Objectives for IT
   - SOMAP – Security Officers Management & Analysis Project – Open Information Security RM Handbook
   - OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
   - Commercial – many

29. Treasury Board of Canada
   - Integrated Risk Management Framework – 2001
   - “Risk-Smart” Workforce and Environment
   - 4 Elements:
     - Develop Risk Profile
     - Establish organizational function
     - Practice and integrate
     - Ensure continuous learning
   - http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rmf-cgr01-1_e.asp

30. Security and Risk Management
   - Security is a subset of Risk Management
   - RM -> Security Solutions -> Compliance
   - Security/Business balance
   - Act on appropriate risks
   - Consider the “costs”

31. At DHS
   - Information Risk Management at DHS
   - Based on elements of NIST, COBIT and OCTAVE
   - SLM – Security Lifecycle Management
   - Information Policy, Awareness and Compliance
   - Business Continuity Planning

32. Resources
   - Information Risk Management at DHS
   - CMU SEI – www.sei.cmu.edu/risk
   - COBIT – www.isaca.org/cobit
   - COSO – www.coso.org
   - CRESP – www.cresp.org
   - NIST/FISMA – csrc.nist.gov
   - SOMAP – www.somap.org
   - OCTAVE – www.cert.org/octave
   - Prof. John Adams – john-adams.co.uk

33. Discussion?