Your SlideShare is downloading. ×
Risk mgmt key to security certifications v2
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Risk mgmt key to security certifications v2


Published on

Presentation about risk management and security compliance, governance and certification

Presentation about risk management and security compliance, governance and certification

1 Comment
  • I appreciate your post. I also wrote that SMS advertising provides a cost effective method of targeting promotions to specific customer profiles. You might want to remind customers of specific events or promotions, but for whatever reasons, SMS allows you to pass information directly to the right customer at very affordable prices and fast delivery.
    iso 9000
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Risk Management Key to Security Certifications Risk Management Summit
  • 2. Standards ISO 27000 – principles and vocabulary ISO 27001 – ISMS requirements (BS7799 – Part 2) ISO 27002 – (ISO/ IEC 17799:2005) ISO 27003 – ISMS Implementation guidelines ISO 27004 – ISMS Metrics and measurement ISO 27005 – ISMS Risk Management ISO 27031 - ICT readiness for business continuity BS25999 – Business Continuity Management
  • 3. Certification Objective
  • 4. British Standard BS25999 The BCM Lifecycle: BS 25999-1 2006 BCM Programme Management Understanding the organization Determining BCM strategy Developing & implementing BCM response Exercising, maintaining & reviewing
  • 5. High level BC & Security policy management technical risk assets threats vulnerability influence Possibility of occurence Non-technical Risk management Implement of plan Policy Driven Process
  • 6. ISO 27004 : Metrics & Measurement ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls) Performance targets What to measure How to measure When to measure
  • 7. ISO 27005: ISMS Risk Management A new standard on ‘Information Security Risk Management’ This standard is being drawn up by the DTI/Cabinet Office – with significant input from CSIA (central Sponsor for Information Assurance) Will be linked to MITS-2 - a new management standard for ICT risk management Leverages ISO13335-4
  • 8. Organizational Operational 1. Security policy 2. Organizating security 3. Asset Management 7. Access control 4. HR security 5. Physical and environmental security 8. Systems development and maintenance 6. Communicati ons and operations management 9. Business continuity management 10. Compliance 11. Incidence Managment 11 Key contexts ISO27001
  • 9. Asset Identification and Valuation Identification of Vulnerabilities Identification of Threats Evaluation of Impacts Business Risks Review of existing security controls Risk Assessment Rating/ranking of Risks Risk Management Identification of new security controls Policy and Procedures Implementation and Risk Reduction Risk Acceptance (Residual risk) Gap analysis Degree of Assurance Risk Assessment & Mgmt Process
  • 10. Quantitative Risk Analysis 2 fundamental elements probability of event likely loss Annual Loss Expectancy, ALE’ or ‘Estimated Annual Cost, EAC’ ALE or EAC calculated by multiplying the potential loss by the probability Rank events in order of risk & make priorities Problem with risk analysis: associated with the unreliability & inaccuracy of the data Probability not precise Controls and countermeasures often tackle interrelated events
  • 11. Qualitative Risk Analysis Most widely used approach to risk analysis Probability data NOT required Make use of the following interrelated elements: Threats: things that can go wrong or can ‘attack’ the system. E.g. fire or fraud Vulnerabilities: make a system more prone to attack E.g. a vulnerability for fire would be the presence of inflammable materials (e.g. paper) Impact: loss as a result of threats. E.g. loss of reputation and interruption of business activity.
  • 12. Process Asset Register Project evaluation Process Mapping Evaluating System Risk Assessment Applying Controls Writing Statement Initial Assessment Pre- Assessment Awareness Client timeline Implementation Process Gap Analyses
  • 13. Threats Environmental Natural Disasters Unexpected (“OOPS” factor) Cyber terrorism Viruses Threats Industrial Espionage
  • 14. Business Risks Employee & customer privacy Legislative violations Financial loss Intellectual capital Litigation Public Image/Trust Business Risks
  • 15. Threats and Risk
  • 16. 16 Complexity: Increased Risk “The Future of digital systems is complexity, and complexity is the worst enemy of security.” Bruce Schneier Crypto-Gram Newsletter, March 2000
  • 17. 17 More complexity more Security Flaws Complexity & Reliability Risk 1 – 10 Simple procedure, little risk 11- 20 More Complex, moderate risk 21 – 50 Complex , high risk >50 Untestable, VERY HIGH RISK Complexity & Bad Fix Probability Essential Complexity (Un-structuredness) & Maintainability (future Reliability) Risk 1 – 4 Structured, little risk > 4 Unstructured, High Risk Structural Analysis … Providing Actionable Metrics Complexity and Risk
  • 18. Examples - 1
  • 19. Examples - 2
  • 20. Can you afford it? eBay 12 June 1999 outage: 22 hrs. Operating System failure Cost: $3 million to $5 million revenue hit 26% decline in stock price AT&T 13 April 1998 outage: 6 to 26 hrs. Software Upgrade Cost: $40 million in rebates Forced to file SLAs with the FCC (frame relay) MCI August 1999 frame relay outage: 10 days Software Upgrade Cost: Up to 20 days free service to 3,000 enterprises Hershey Foods September 1999 system failures Application Rollout Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98 Dev. Bank of Singapore 1 July 1999 to August 1999: Processing Errors Incorrect debiting of POS due to a system overload Cost: Embarrassment/loss of integrity; interest charges Charles Schwab & Co. 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs. Upgrades/Operator Errors Cost: ???; Announced that it had made a $70 million new infrastructure investment. Causes of Unplanned Application Downtime Operator Errors 40% Application Failures 40% Technology Failures 20%
  • 21. Sources of Disaster Survey of Disasters
  • 22. Impact of Disaster 22 Productivity: Number of employees x impacted x hours out x burdened hours = ? productivity/ employees $millions minutes daystime $impact$billions Revenue: Direct loss, compensatory payment, lost future revenues, billing losses and investment losses direct financial/ customer Damaged reputation: Customers, competitors gain advantage, suppliers, financial markets, business partners damaged reputation Governance & performance: Revenue recognition, cash flow, credit rating, stock price, regulatory fines Governance Performance constant increase Indirect impact of downtime can be far more severe and unpredictable exponential increase
  • 23. Importance of Critical Infrastructures
  • 24. Business Continuity Management Business Impact Analysis Risk Analysis Recovery Strategy Group Plans and Procedures Business Continuity Planning Initiation Risk Reduction Implement Standby Facilities Create Planning Organization Testing PROCESS Change Management Education Testing Review Policy ScopeResourcesOrganization BCM Ongoing Process BCM Project
  • 25. Business Continuity timeline Active Business A successful recovery
  • 26. Processes - Business Continuity Mgmt Business Continuity Assessments / Audits Risk Analysis Business Impact Analysis Continuity Strategies Business Continuity Testing Awareness and Training
  • 27. Processes - Workflow
  • 28. Risk and PDCA Model Plan Act Check Do Test BCP BCP Residual Risks Implement Training Plan Risk Assessment
  • 29. Risk Analysis provides focus High Medium Low Low Medium High Area of Major Concern
  • 30. Risk = Application Prioritization Application Priority Rating Recovery RequirementsRecovery Time Objective AAA 0–6 Hours Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered AA 6–12 Hours Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered. A 12–24 Hours Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered. B 24-48 Hours Fail over Local, Disaster Recovery C 48–96 Hours Scheduled/Delayed Recovery D Recovery in 1 Week Scheduled/Delayed Recovery E Recovery when Resources Permit Scheduled/Delayed Recovery
  • 31. Metrics and Risk
  • 32. Risk Management Elimination Reduction/Controls Transfer/Outsource Insurance Residual Not all risk can be eliminated via controls
  • 33. DR Strategies Options Immediate, High-Impact Strategies Weekly Backup and Off-site Storage Daily Backup and Off-site Storage Weekly Mirroring & Electronic Vaulting Daily Mirroring & Electronic Vaulting Real-time Mirroring & Electronic Vaulting Vendor Agreements Quick Ship Agreements Owned Cold Site Owned Hot Site External Cold Site External Hot Site Decision Tree contains 5 x 2 x 4 = 40 strategic options
  • 34. Strategy Optimization Recovery strategy must be optimized to business requirements Time CostofStrategy Mitigation LostRevenue Optimum Mitigation Strategy
  • 35. Response and Risk approach Risk Management and Business Controls Events Incidents Crises Impact Monitor & resolve the “critical few” with crisis management team Assess impact of events & implement appropriate controls Monitor & resolve at appropriate level using processesIncident Management Process Crisis Management Process
  • 36. New Technologies, New Risks Laptops Mobiles Bluetooth PDA Smart Card
  • 37. Social Engineering Risk … 70 percent of those asked said they would reveal their computer passwords for a … Schrage, Michael. 2005. Retrieved from Bar of chocolate
  • 38. Framework must address Risk Threats Vulnerabilities Controls Risks Assets Security Requirements Business Impact exploit exposeincreaseincrease increase have protect against met by indicate reduce
  • 39. 39 0 5 10 15 20 25 30 Number of Responses (n=35) Unauthorized manipulation of components, switches, breakers, etc. from the SCADA system Denial of service to SCADA system Disaster Recovery Software / patch management Operating system vulnerabilities Vandalism or sabotage (electronic) Computer viruses, worms, Trojan horses, zero day attacks Remote access/VPN SCADA Security Survey – May 2005 Example: Top SCADA Risks
  • 40. Integration of Logical and Physical Business Security Management Physical Security Management ICT Security Management
  • 41. Leveraging Standards ICT & Business Continuity Risk Key Performance Indicators CoBiT, Metrics ITIL ISO20000 ( & BS15000) ISO27001 ISO27031 BS25999
  • 42. Risk Provides Focus High Medium Low High A B C Medium B B C Low C C D Business Impact Vulnerability
  • 43. Part of Defense in depth
  • 44. Risk Trade Offs Secure Low Risk Fast/EasyCheap In Risk Management there are trade-offs
  • 45. Risk Management ISO27001 SOA Risk Assessment Risk Mitigation Controls ISO27031 BS25999 Risk Analysis Risk Management/Security Certifications
  • 46. Questions