Mark E.S. Bernard, CISM, CISSP, CRISC, CGEIT, CISA
Dissecting and Demystifying a Risk Management Program
Risk Management Presentation to ISACA Vancouver
Transcript of "Risk Management Presentation to ISACA Vancouver"

1. Mark E.S. Bernard, CISM, CISSP, CRISC, CGEIT, CISA
   Dissecting and Demystifying a Risk Management Program
   **** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ****
2. • Improve the effectiveness of communication concerning information security risks.
   • Effectively strategize the acceptance and uptake of information security risk management.
   • Establish an enterprise-wide information security program and culture.
   • Quantify and qualify information security threats and vulnerabilities.
   • Establish a risk treatment plan and continuous improvement.
   • Establish a risk registry and articulate the management of open, ongoing risks.
   • Establish risk management within procurement and service management.
   • Improve the capability of monitoring open information security risks.
   • Apply control design techniques to address compliance with statutes, regulations and contractual obligations.
   • Establish continuous auditing and evidence of control effectiveness available daily.
   • Create a risk management policy, procedure, standards and templates.
3. Standards:
   • ISO 27001
   • ISO 31000
   • COSO ERM
   • RCMP HTRA
   • ISO 9001
4. CRISC lifecycle (diagram): Identify & Evaluate, Respond to Risks, Monitor Risks, Design Controls, Implement Controls, Monitor Controls, Maintain Controls.
5. (Repeats the bullet list from slide 2.)
6. Goals:
   • Announcing
   • Motivating
   • Educating
   • Informing
   • Supporting decision making
   CRISC phases shown: Respond to Risks, Implement Controls, Maintain Controls.
7. (Diagram-only slide.)
8. Level 1 - Knowledge: Exhibit memory of previously learned materials by recalling facts, terms, basic concepts and answers.
   Level 2 - Comprehension: Demonstrate understanding of facts and ideas by organizing, comparing, translating, interpreting, giving descriptions, and stating the main ideas.
   Level 3 - Application: Use new knowledge. Solve problems in new situations by applying acquired knowledge, facts, techniques and rules in a different way.
   Level 4 - Analysis: Examine and break information into parts by identifying motives or causes. Make inferences and find evidence to support generalizations.
   Level 5 - Synthesis: Compile information together in a different way by combining elements in a new pattern or proposing alternative solutions.
   Level 6 - Evaluation: Present and defend opinions by making judgments about information, validity of ideas or quality of work based on a set of criteria.
9. (Diagram-only slide.)
10. (Repeats the bullet list from slide 2.) CRISC phase: Identify & Evaluate.
11. Risk Universe (diagram): Product/Service; risk categories Operational Risk, Compliance Risk, Strategic Risk and Financial Risk; asset classes People, Information, Software, Hardware, Telecommunications and Facilities (shown in the diagram by their initial letters P, I, S, H, T, F).
12. THREAT: There are thousands of threats, but only a few may possess the capability, motive or opportunity to impact our organization.
   VULNERABILITY: There are hundreds of vulnerabilities in the average business delivery channel; some are known, while many others are unknown.
   INCIDENT: Incidents occur when a threat agent successfully exploits a vulnerability. Before the security incident actually occurs there may be hundreds or thousands of security events.
   DAMAGE: Damage occurs during and after the incident. The impact can be serious, including loss of life or reputational damage, loss of services, loss of customers, and financial implications.
   Diagram labels: Preventive, Corrective, Risk Treatment, Investigation. CRISC phase: Identify & Evaluate.
13. Threats (diagram):
   • Human: Malicious or Non-Malicious; Trusted Insider or External. Non-malicious examples: Unaware, Uninformed.
   • Non-Human: Software bugs, Network bugs, Virus, Worm, Trojan.
   • Acts of Nature: Earthquakes, Floods, Fires, Hurricanes.
   CRISC phase: Identify & Evaluate.
14. Risk assessment flow: Asset, Architecture, Threats, Vulnerabilities, Controls, Decision, Treatment.
   • Asset: Is this a new asset? What is its value?
   • Architecture: Is this a change to our currently stable architecture?
   • Threats: What are the associated threats?
   • Vulnerabilities: What are the associated vulnerabilities?
   • Controls: Are there existing controls?
   • Decision: Management decides whether to Accept, Remediate or Share the risk.
   • Treatment: Assignment of Corrective Action and/or Preventive Action.
   The formula is based on 'threat' x 'business impact' x 'vulnerability' - 'existing control effectiveness' = risk rating.
   CRISC phase: Respond to Risks.
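The scoring step of the flow above, as an added example that is not part of the presentation: a small risk register that applies the slide's rating formula, flags which entries need assessment, and proposes the Accept / Remediate / Share decision for management to confirm. The 1-5 factor scales, the 0-5 control scale, the decision thresholds and the corrective/preventive rule are assumptions made here, not the presenter's values.

```python
"""Risk register scorer for the assessment flow on the slide above.

The formula is the slide's own:
    risk rating = threat x business impact x vulnerability - existing control effectiveness
Everything else (the 1-5 factor scales, the 0-5 control scale, the thresholds at
which Remediate / Share / Accept is proposed, and the corrective-vs-preventive
rule) is an assumption made for this example, not the presenter's method.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5        # assumed scale for threat, business impact, vulnerability
CONTROL_MIN, CONTROL_MAX = 0, 5    # assumed scale for existing control effectiveness
REMEDIATE_AT = 60                  # assumed threshold: rating >= 60 -> propose Remediate
SHARE_AT = 25                      # assumed threshold: 25 <= rating < 60 -> propose Share


@dataclass
class RiskEntry:
    asset: str
    new_asset: bool                 # "Is this a new asset?"
    architecture_change: bool       # "Is this a change to our currently stable architecture?"
    threat: int                     # "What are the associated threats?" (scored)
    business_impact: int            # "What is its value?" (scored)
    vulnerability: int              # "What are the associated vulnerabilities?" (scored)
    control_effectiveness: int = 0  # "Are there existing controls?" (scored)
    existing_controls: list = field(default_factory=list)

    def __post_init__(self):
        for name in ("threat", "business_impact", "vulnerability"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
        if not CONTROL_MIN <= self.control_effectiveness <= CONTROL_MAX:
            raise ValueError("control_effectiveness is outside "
                             f"{CONTROL_MIN}..{CONTROL_MAX}")
        # A control score with no named control is unevidenced; reject it.
        if self.control_effectiveness > 0 and not self.existing_controls:
            raise ValueError(f"{self.asset}: control effectiveness claimed without a control")


def needs_assessment(entry: RiskEntry) -> bool:
    """The flow starts with two gating questions; either one triggers a review."""
    return entry.new_asset or entry.architecture_change


def risk_rating(entry: RiskEntry) -> int:
    """The slide's formula, applied literally to the scored factors."""
    product = entry.threat * entry.business_impact * entry.vulnerability
    return product - entry.control_effectiveness


def proposed_decision(rating: int) -> str:
    """Suggestion only: the slide makes Accept / Remediate / Share a management decision."""
    if rating >= REMEDIATE_AT:
        return "Remediate"
    if rating >= SHARE_AT:
        return "Share"
    return "Accept"


def proposed_actions(entry: RiskEntry, decision: str) -> list:
    """Assumed rule: Remediate gets a Corrective Action on the vulnerability, an
    architecture change additionally gets a Preventive Action, Share gets a
    Preventive Action (contract or insurance terms), Accept gets no action item."""
    actions = []
    if decision == "Remediate":
        actions.append("Corrective Action")
    if decision != "Accept" and (entry.architecture_change or decision == "Share"):
        actions.append("Preventive Action")
    return actions


def rank_register(entries) -> list:
    """Score every entry that needs assessment and return (asset, rating,
    decision, actions) tuples, highest rating first."""
    rows = []
    for entry in entries:
        if not needs_assessment(entry):
            continue
        rating = risk_rating(entry)
        decision = proposed_decision(rating)
        rows.append((entry.asset, rating, decision, proposed_actions(entry, decision)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (not real assets).
SAMPLE_REGISTER = [
    RiskEntry("Customer web portal", True, False, 4, 5, 4, 2, ["WAF", "MFA"]),
    RiskEntry("Payroll SaaS connector", True, True, 3, 4, 3, 3, ["IP allow-list"]),
    RiskEntry("Internal wiki", False, True, 2, 2, 3, 1, ["SSO"]),
    RiskEntry("Legacy print server", False, False, 3, 2, 4),
]

if __name__ == "__main__":
    for asset, rating, decision, actions in rank_register(SAMPLE_REGISTER):
        print(f"{asset:24} rating={rating:3} {decision:10} {', '.join(actions) or '-'}")
```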
15. (Diagram-only slide.) CRISC phase: Respond to Risks.
16. (Repeats the bullet list from slide 2.)
17. (Diagram-only slide.) CRISC phase: Implement Controls.
18. (Repeats the bullet list from slide 2.)
19. Enterprise Risk Management:
   • Strategic Risk
   • Financial Risk
   • Compliance Risk
   • Operational Risk
20. (Diagram-only slide.) CRISC phase: Monitor Risks.
21. (Diagram-only slide.) CRISC phase: Monitor Risks.
22. (Repeats the bullet list from slide 2.)
23. (Diagram-only slide.) CRISC phase: Monitor Risks.
24. Underpinning Contracts and Service Level Agreements
   New agreements are fairly straightforward, and it is important for the information security officer to work with procurement and/or contract management. Any existing Underpinning Contracts (UC) and Service Level Agreements (SLA) must be revised during the OLA design process. Everyone involved should be aware of any UCs or OLAs that apply to the provision of a specific service. These are driven by the contractual, legal and regulatory requirements of the organization. The Service Provider provides the following services in that context:
   • Performance and Capacity Planning
   • 24x7 Performance Monitoring
   • Custom Infrastructure Design and Build
   • Systems Security Management
   • Procurement, License, Maintenance and Audit of Licenses
   • Business Continuity, High Availability, and Disaster Recovery
   • Problem and Incident Handling
   • Secure Data Storage
   • Production Deployment
   CRISC phase: Monitor Risks.
25. (Table slide; only the key survived.) Key: A = Acceptable, M = Marginal, U = Unsatisfactory. CRISC phase: Monitor Risks.
26. (Table slide; only the key survived.) Key: A = Acceptable, M = Marginal, U = Unsatisfactory. CRISC phase: Monitor Risks.
27. Priority 1 - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately. Using a workaround or manual process cannot reduce the impact. All involved parties, including individuals in the Customer's organization, are expected to work continuously (24 x 7) until the incident is resolved or until the priority is reduced. During regular business hours, the following service levels apply:
   • Incident is accepted within 15 minutes;
   • Incident is updated within 1 hour, with updates provided every hour until resolution;
   • Target resolution time is 2 hours.
   CRISC phase: Monitor Risks.
28. Priority 2 - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately within the agreed-upon SLA/OLA terms. A limited workaround or manual process is available. All involved parties, including individuals in the Customer's organization, are expected to work during regular business hours until the incident is resolved or until the priority is reduced. During regular business hours, the following service levels apply:
   • Incident is accepted within 30 minutes;
   • Incident is updated within 90 minutes, with updates provided every 90 minutes until resolution;
   • Target resolution time is 4 hours.
   CRISC phase: Monitor Risks.
29. Priority 3 - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately within the SLA/OLA terms. Work is expected to continue during regular business hours until the incident is resolved or until the priority is reduced. During regular business hours, the following service levels apply:
   • Incident is accepted within 2 hours;
   • Incident is updated within 4 hours, with updates provided every 4 hours until resolution;
   • Target resolution time is 1 business day.
   CRISC phase: Monitor Risks.
30. Priority 4 - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately within the agreed-upon SLA/OLA terms. Work is expected to continue during business hours until the incident is resolved. During regular business hours, the following service levels apply:
   • Incident is accepted within 2 hours;
   • Incident is updated within 1 business day, with updates provided every business day;
   • Target resolution time is 3 business days.
   CRISC phase: Monitor Risks.
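An added example, not from the presentation, that checks an incident record against the acceptance, update and resolution targets of the four priority levels on slides 27 to 30 and grades the result with the A/M/U key from slides 25 and 26. Measuring minute targets as elapsed wall-clock time, counting a business day as a Monday-to-Friday day boundary crossed, and the grading rule itself are assumptions made here.

```python
"""Incident SLA check for the four priority levels on the slides above.

The acceptance, update and resolution targets are the ones stated on the slides.
Three things are assumptions made for this example and not the presenter's:
minute-based targets are measured as elapsed wall-clock time, a 'business day'
is a Monday-to-Friday calendar-day boundary crossed, and the A/M/U grade is
A = all three targets met, M = resolved on time but accepted or updated late,
U = resolution target missed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN, BDAY = "minutes", "business_days"

# priority -> (accept within, update cadence, resolve within), as on slides 27-30
PRIORITY_TARGETS = {
    1: ((MIN, 15), (MIN, 60), (MIN, 120)),
    2: ((MIN, 30), (MIN, 90), (MIN, 240)),
    3: ((MIN, 120), (MIN, 240), (BDAY, 1)),
    4: ((MIN, 120), (BDAY, 1), (BDAY, 3)),
}


@dataclass
class Incident:
    priority: int
    opened: datetime
    accepted: datetime
    resolved: datetime
    updates: list = field(default_factory=list)   # timestamps of status updates

    def __post_init__(self):
        if self.priority not in PRIORITY_TARGETS:
            raise ValueError(f"unknown priority {self.priority}")
        stamps = [self.opened, self.accepted, *self.updates, self.resolved]
        if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
            raise ValueError("timestamps must be in chronological order")


def business_days_elapsed(start: datetime, end: datetime) -> int:
    """Count Monday-Friday day boundaries crossed between start and end (assumed)."""
    days, day = 0, start.date()
    while day < end.date():
        day += timedelta(days=1)
        if day.weekday() < 5:
            days += 1
    return days


def within_target(start: datetime, end: datetime, target) -> bool:
    unit, amount = target
    if unit == MIN:
        return end - start <= timedelta(minutes=amount)
    return business_days_elapsed(start, end) <= amount


def evaluate(incident: Incident) -> dict:
    """Check each target for the incident's priority and grade it A / M / U."""
    accept_target, update_target, resolve_target = PRIORITY_TARGETS[incident.priority]
    accepted_ok = within_target(incident.opened, incident.accepted, accept_target)
    # Every gap between consecutive touch points (open, updates, resolve) must
    # fit the update cadence, so a silent stretch anywhere breaks the target.
    points = [incident.opened, *incident.updates, incident.resolved]
    updated_ok = all(within_target(a, b, update_target) for a, b in zip(points, points[1:]))
    resolved_ok = within_target(incident.opened, incident.resolved, resolve_target)
    if not resolved_ok:
        grade = "U"
    elif accepted_ok and updated_ok:
        grade = "A"
    else:
        grade = "M"
    return {"accepted": accepted_ok, "updated": updated_ok,
            "resolved": resolved_ok, "grade": grade}


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed sample incidents (2024-03-04 is a Monday); not real tickets.
SAMPLE_INCIDENTS = {
    "INC-1": Incident(1, _t("2024-03-04 09:00"), _t("2024-03-04 09:10"), _t("2024-03-04 10:55"),
                      [_t("2024-03-04 09:50"), _t("2024-03-04 10:40")]),
    "INC-2": Incident(2, _t("2024-03-04 09:00"), _t("2024-03-04 09:45"), _t("2024-03-04 12:30"),
                      [_t("2024-03-04 10:30"), _t("2024-03-04 12:00")]),
    "INC-3": Incident(3, _t("2024-03-04 09:00"), _t("2024-03-04 10:00"), _t("2024-03-06 09:00"),
                      [_t("2024-03-04 13:00"), _t("2024-03-04 16:00")]),
    "INC-4": Incident(4, _t("2024-03-04 09:00"), _t("2024-03-04 10:30"), _t("2024-03-07 12:00"),
                      [_t("2024-03-05 09:30"), _t("2024-03-06 09:30")]),
}

if __name__ == "__main__":
    for ticket, incident in SAMPLE_INCIDENTS.items():
        print(ticket, f"P{incident.priority}", evaluate(incident))
```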
31. (Repeats the bullet list from slide 2.)
32. Service reports must be provided daily, weekly, monthly, quarterly and annually, or at the intervals agreed within the SLA/OLA. These reports compare the agreed service levels against actual results. The following is a sample of the monthly Services Management Report:
   • Production Environment Support during Published Hours of Service
   • Monitoring and Support of Nightly Process Activity
   • Test Infrastructure and Application Support during Published Hours of Service
   • User Application Support
   • Non-Business Hours On-Call Response
   • Information Security Threat, Vulnerability and Risk Remediation
   • Continuous Improvement Initiatives
   • Fiscal Year 2013/14 Release Management
   • Change Management
   • Infrastructure and Application Support Services
   • Accomplishments this Month
   • Investigations and Resolutions
   • Operations Support Services
   • Accomplishments this Month
   • Scheduled Service Interruptions
   • Unscheduled Service Interruptions
   • Business Continuity Plan
   • Security Patch
   CRISC phase: Monitor Risks.
33. (Repeats the bullet list from slide 2.)
34. (Diagram-only slide.) CRISC phase: Design Controls.
35. (Diagram-only slide.) CRISC phase: Maintain Controls.
36. (Diagram-only slide.) CRISC phase: Identify & Evaluate.
37. Legal Obligations
   #1. Statutory Obligations
   • California Corporations Code
   • California Financial Code
   • California Public Records Act Requests
   • Health Insurance Portability and Accountability Act
   #2. Regulatory Obligations
   • United States Securities and Exchange Commission (SEC)
   • Financial Industry Regulatory Authority (FINRA)
   • Municipal Securities Rulemaking Board (MSRB)
   • California Code of Regulations
   • California State Bank Charter - The Charter of Choice
   • Cooperative Agreements
   • Department of Financial Institutions Administrative Orders
   • Department of Financial Institutions Approved Regulations
   • Department of Financial Institutions Legal Precedent System
   CRISC phase: Identify & Evaluate.
38. #3. Contractual Obligations
   a) Customers/Partners
   • Serves more than 500 financial institutions
   • Total representatives and financial advisors: 1000+
   b) Vendors and suppliers
   • Software and licensing
   • Hardware
   • Internet Service Providers
   • Managed Services
   CRISC phase: Identify & Evaluate.
39. (Diagram-only slide.) CRISC phase: Design Controls.
40. (Diagram-only slide.) CRISC phase: Design Controls.
41. (Diagram-only slide.) CRISC phase: Maintain Controls.
42. (Diagram-only slide.) CRISC phase: Maintain Controls.
43. (Diagram-only slide.) CRISC phase: Maintain Controls.
44. (Repeats the bullet list from slide 2.)
45. (Diagram-only slide.) CRISC phase: Monitor Controls.
46. (Diagram-only slide.) CRISC phase: Monitor Controls.
47. (Diagram-only slide.) CRISC phase: Monitor Controls.
48. (Repeats the bullet list from slide 2.)
49. (Diagram-only slide.)
50. Mark E.S. Bernard, CISM, CISSP, CRISC, CGEIT, CISA
   Dissecting and Demystifying a Risk Management Program
   Mobile: 604-349-6557 or email: mesbernard@gmail.com
   THANK YOU!