• Like

IT-Risk-Management Best Practice

  • 228 views
Uploaded on

Referat von Umberto Annino im Rahmen des Hacking Day 2014.

Referat von Umberto Annino im Rahmen des Hacking Day 2014.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
228
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
13
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. IT  Risk  Management   Digicomp  Hacking  Day,  11.06.2014   Umberto  Annino  
  • 2. •  Wer  spricht?   Umberto  Annino   WirtschaCsinformaEker,  InformaEon  Security   •  Was  ist  ein  Risiko?   !  Sicherheit  ist  das  Komplementärereignis   zum  Risiko   !  Risiko  ist  Schaden  mit  Potenzial   2  
  • 3. Risiko   3   Gefahr   Bedrohung   Schwach-­‐ stelle   Asset   Risiko  
  • 4. Realitätsabgleich   Compliance?   Risk  Management?   OperaEonal  Risk,  Business  ConEnuity?   IT,  InformaEon  Security  –  Cyber  Security?   Red  Team,  Threat  Modeling,  APT  and  openSSL?   Big  Data???     Security  ™  vs.  Compliance  ™   4  
  • 5. IT  Risiko  in  der  Risiko-­‐Hierarchie   5  
  • 6. COSO   Enterprise  Risk  Management  Framework   6  
  • 7. ISO  31000  Risk  Mgmt  (2009)   Guidelines  and  Principles  and  Framework   7  
  • 8. ISO  31000  Framework   8  
  • 9. ISO  31000   Processes   9  
  • 10. ISO  31000  -­‐  Processes   10   Design  of   framework  for   managing  risk   Understanding  of  the  organisaEon  and  its  context   Establishing  risk  management  policy   Accountability   IntegraEon  into  organisaEonal  processes   Resources   Establishing  internal  communicaEon  and  reporEng  mechanisms   Establishing  external  communicaEon  and  reporEng  mechanisms   ImplemenEng   risk   management   ImplemenEng  the  framework  for  managing  risk   ImplemenEng  the  risk  management  process   Monitoring  and  review  of  the  framework   ConEnual  improvement  of  the  framework   !  Mandate  and  commitment  
  • 11. ISO  31000  -­‐  Processes   11   Risk   Management   Process   CommunicaEon  and  consultaEon   Establishing  the  external  context   Establishing  the  internal  context   Establishing  the  context  of  the  risk   management  process   Defining  risk  criteria   Risk  assessment   Risk  idenEficaEon   Risk  analysis   Risk  evaluaEon   Risk  treatment   Monitoring  and  review   Recording  the  risk  management   process  
  • 12. ISO  31000   Acributes  of  enhanced  risk  management   •  Key  outcomes   –  The  organisaEon  has  a  current,  correct  and   comprehensive  understanding  of  its  risks   –  The  organisaEon‘s  risks  are  within  its  risk  criteria   •  Acributes   –  ConEnual  improvement   –  Full  accountability  for  risks   –  ApplicaEon  of  risk  management  in  all  decision  making   –  ConEnual  communicaEons   –  Full  integraEon  in  the  organisaEon‘s  governance   structure   12  
  • 13. ISO  27005   InformaEon  Security  Risk  Management   13  
  • 14. ISO  27005   Context  Establishment   14   Basic   Criteria   Risk  management  approach   Risk  evaluaEon  criteria   Impact  criteria   Risk  acceptance  criteria   ! Scope  and  Boundaries   ! OrganisaEon  for  informaEon  security  risk  management  
  • 15. ISO  27005   InformaEon  security  risk  assessment   15   Risk   idenEficaEon   IdenEficaEon  of  assets   IdenEficaEon  of  threats   IdenEficaEon  of  exisEng  controls   IdenEficaEon  of  vulnerabiliEes   IdenEficaEon  of  consequences   Risk  analysis   Risk  analysis  methodologies   Assessment  of  consequences   Assessment  of  incident  likelihood   Level  of  risk  determinaEon  
  • 16. ITGI  RiskIT  Framework   PosiEonierung   16  
  • 17. IT  Risk  (high  level)  categories   17  
  • 18. RiskIT  Framework   18  
  • 19. Risk  maps...   •  Risk   appeEte   •  Risk   tolerance   •  Risk   culture   19  
  • 20. Risk  culture   20  
  • 21. IT  risk  scenario  development   21  
  • 22. Risk  scenario  components   22  
  • 23. Aber:  scenario  based...   !  keeping  it  real!   23  
  • 24. IT  Risk  Response   opEons  and   prioriEsaEon   24  
  • 25. Verwalten  von  IT  Risiken   Risiko   management   Risiko   analyse   Risiko   idenEfikaEon   Konsolidierung   Link  to   business   Risiko   bewertung   QuanEtaEv   QualiEaEv   StaEsEsche   Basis   Risiko   lenkung   Risiko   bearbeitung   Admin   Disziplin/ Aufwand   Kosten   ROI   Risiko   tracking   Nachvollzieh-­‐   barkeit   Konstanz   (Zahlen)   25  
  • 26. QuanEfizieren  von  IT  Risiken   26   Big  Data?  Loss  DB?   Komplexität  von  InformaEonssystemen  (und  SoCware)?  
  • 27. QuanEfizieren  von  IT  Risiken   •  In  der  Praxis  eher  qualitaEv  stac  quanEtaEv   –  Fehlende  staEsEsche  Basis   –  Prinzipiell  komplexe  Systeme   –  Wenig  akuter  Bedarf  zur  QuanEfizierung  !  über   Verknüpfung  mit  Business  Process   •  Konsolidierung  der  Werte  für  Management   ReporEng  als  Grundlage  für  QuanEfikaEon   •  In  der  Praxis  eher  „erste  Schrice“  stac  best   pracEse   •  ISO  27005,  ITGI  RiskIT  Framework  und   PracEcEoner  Guide  bieten  brauchbare   Grundlagen  (Framework)   27  
  • 28. Risk  Treatment   28   Risk   treatment   Avoid   Eliminate   Reduce   Minimize     Transfer   Externalize   Accept   Residual  Risk   Controls   Measures   Avoid  /   Verhindern   Detect  /   Entdecken   Minimize  /   Eindämmen  
  • 29. Risk  Treatment  –  ISO  27005   29  
  • 30. Konsolidieren  von  IT  Risiken   Disjointed  risks   30  
  • 31. Konsolidieren  von  IT  Risiken   shared  risks   31  
  • 32. 32