Risk Management Presentation to ISACA Vancouver
Transcript

  • 1. Mark E.S. Bernard, CISM, CISSP, CRISC, CGEIT, CISA. Dissecting and Demystifying a Risk Management Program. **** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ****
  • 2. Objectives:
      • Improve the effectiveness of communication concerning information security risks.
      • Effectively strategize the acceptance and uptake of information security risk management.
      • Establish an enterprise-wide information security program and culture.
      • Quantify and qualify information security threats and vulnerabilities.
      • Establish a risk treatment plan and continuous improvement.
      • Establish a risk registry and articulate the management of open, ongoing risks.
      • Establish risk management within procurement and service management.
      • Improve the capability of monitoring open information security risks.
      • Apply control design techniques to address compliance with statutes, regulations and contractual obligations.
      • Establish continuous auditing and evidence of control effectiveness available daily.
      • Create a risk management policy, procedure, standards and templates.
  • 3. Standards:
      • ISO 27001
      • ISO 31000
      • COSO ERM
      • RCMP HTRA
      • ISO 9001
  • 4. CRISC domains: Identify & Evaluate; Respond to Risks; Monitor Risks; Design Controls; Implement Controls; Monitor Controls; Maintain Controls.
  • 5. Objectives (repeat of slide 2).
  • 6. Goals: Announcing; Motivating; Educating; Informing; Supporting decision making. (CRISC: Respond to Risks, Implement Controls, Maintain Controls.)
  • 7. Slide image not captured in the transcript.
  • 8. Learning levels:
      • Level 1 - Knowledge: Exhibit memory of previously learned material by recalling facts, terms, basic concepts and answers.
      • Level 2 - Comprehension: Demonstrate understanding of facts and ideas by organizing, comparing, translating, interpreting, giving descriptions, and stating the main ideas.
      • Level 3 - Application: Use new knowledge. Solve problems in new situations by applying acquired knowledge, facts, techniques and rules in a different way.
      • Level 4 - Analysis: Examine and break information into parts by identifying motives or causes. Make inferences and find evidence to support generalizations.
      • Level 5 - Synthesis: Compile information in a different way by combining elements in a new pattern or proposing alternative solutions.
      • Level 6 - Evaluation: Present and defend opinions by making judgments about information, validity of ideas or quality of work based on a set of criteria.
  • 9. Slide image not captured in the transcript.
  • 10. Objectives (repeat of slide 2). CRISC: Identify & Evaluate.
  • 11. Risk Universe diagram (image): Product/Service at the centre; risk categories Operational Risk, Compliance Risk, Strategic Risk and Financial Risk; asset classes People (P), Information (I), Software (S), Hardware (H), Telecommunications (T) and Facilities (F) mapped to each category.
  • 12. Threat, vulnerability, incident and damage chain (CRISC: Identify & Evaluate):
      • THREAT: There are thousands of threats, but only a few may have the capability, motive or opportunity to impact our organization.
      • VULNERABILITY: There are hundreds of vulnerabilities in the average business delivery channel; some are known while many others are unknown.
      • INCIDENT: Incidents occur when a threat agent successfully exploits a vulnerability. Prior to the security incident actually occurring there may be hundreds or thousands of security events.
      • DAMAGE: Damage occurs during and after the incident. The impact can be serious, including loss of life or reputational damage, loss of services, loss of customers, and financial implications.
      • Diagram labels: PREVENTIVE, CORRECTIVE, RISK TREATMENT, INVESTIGATION.
  • 13. Threat taxonomy (CRISC: Identify & Evaluate). Threats are divided into Human and Non-Human; human threats into Malicious and Non-Malicious, and into Trusted Insider and External. Examples on the slide:
      • Acts of Nature: Earthquakes; Floods; Fires; Hurricanes
      • Software bugs; Network bugs
      • Virus; Worm; Trojan
      • Unaware; Uninformed
  • 14. Risk assessment workflow (CRISC: Respond to Risks):
      • Asset: Is this a new asset? What is its value?
      • Architecture: Is this a change to our currently stable architecture?
      • Threats: What are the associated threats?
      • Vulnerabilities: What are the associated vulnerabilities?
      • Controls: Are there existing controls?
      • Decision: Management decides to Accept, Remediate or Share the risk.
      • Treatment: Assignment of Corrective Action and/or Preventive Action.
      The formula is based on 'threat' x 'business impact' x 'vulnerability' - 'existing control effectiveness' = risk rating.
  • 15. Respond to Risks (CRISC); slide image not captured in the transcript.
  • 16. Objectives (repeat of slide 2).
  • 17. Implement Controls (CRISC); slide image not captured in the transcript.
  • 18. Objectives (repeat of slide 2).
  • 19. Enterprise Risk Management: Strategic Risk; Financial Risk; Compliance Risk; Operational Risk.
  • 20. Monitor Risks (CRISC); slide image not captured in the transcript.
  • 21. Monitor Risks (CRISC); slide image not captured in the transcript.
  • 22. Objectives (repeat of slide 2).
  • 23. Monitor Risks (CRISC); slide image not captured in the transcript.
  • 24. Underpinning Contracts and Service Level Agreements (CRISC: Monitor Risks). New agreements are fairly straightforward, and it is important for the information security officer to work with procurement and/or contract management. Any existing Underpinning Contracts (UC) and Service Level Agreements (SLA) must be revised during the OLA design process. Everyone involved should be aware of any UCs or OLAs that apply to the provision of a specific service. Driven by the contractual, legal and regulatory requirements of the organization, the Service Provider provides the following services in that context:
      • Performance and Capacity Planning
      • 24x7 Performance Monitoring
      • Custom Infrastructure Design and Build
      • Systems Security Management
      • Procurement, License, Maintenance and Audit of Licenses
      • Business Continuity, High Availability, and Disaster Recovery
      • Problem and Incident Handling
      • Secure Data Storage
      • Production Deployment
  • 25. Service level scorecard (CRISC: Monitor Risks). Key: A=Acceptable, M=Marginal, U=Unsatisfactory. The scorecard itself is an image not captured in the transcript.
  • 26. Service level scorecard, continued (CRISC: Monitor Risks). Key: A=Acceptable, M=Marginal, U=Unsatisfactory. The scorecard itself is an image not captured in the transcript.
  • 27. Priority 1 (CRISC: Monitor Risks) - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately. Using a workaround or manual process cannot reduce the impact. All involved parties, including individuals in the Customer's organization, are expected to work continuously (24x7) until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
      • Incident is accepted within 15 minutes;
      • Incident is updated within 1 hour, with updates provided every hour until resolution;
      • Target resolution time is 2 hours.
  • 28. Priority 2 (CRISC: Monitor Risks) - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately within the agreed-upon SLA/OLA terms. A limited workaround or manual process is available. All involved parties, including individuals in the Customer's organization, are expected to work during regular business hours until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
      • Incident is accepted within 30 minutes;
      • Incident is updated within 90 minutes, with updates provided every 90 minutes until resolution;
      • Target resolution time is 4 hours.
  • 29. Priority 3 (CRISC: Monitor Risks) - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately within the SLA/OLA terms. Work is expected to continue during regular business hours until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
      • Incident is accepted within 2 hours;
      • Incident is updated within 4 hours, with updates provided every 4 hours until resolution;
      • Target resolution time is 1 business day.
  • 30. Priority 4 (CRISC: Monitor Risks) - Indicates a deficiency with services that has a critical impact on our customer's business processes and needs to be corrected immediately within the agreed-upon SLA/OLA terms. Work is expected to continue during business hours until the incident is resolved. During regular business hours, the following service levels apply:
      • Incident is accepted within 2 hours;
      • Incident is updated within 1 business day, with updates provided every business day;
      • Target resolution time is 3 business days.
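The four priority definitions on slides 27 to 30 are the kind of targets a "Monitor Risks" report has to check mechanically against ticket timestamps. The following checker is an added example, not code from the deck or its author: it encodes the acceptance, update-cadence and resolution targets of Priority 1 to 4 exactly as the slides state them and flags each breach. The incidents and the fixed "now" are constructed sample data, and the length of a business day (8 working hours) is an assumption the slides do not state.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumption (not stated on the slides): one business day = 8 working hours.
BUSINESS_DAY_MIN = 8 * 60

# Per priority: (accept within, first update within, update every, resolve within),
# all in minutes, transcribed from the Priority 1-4 definitions on the slides.
SLA_TARGETS: Dict[int, Tuple[int, int, int, int]] = {
    1: (15, 60, 60, 2 * 60),
    2: (30, 90, 90, 4 * 60),
    3: (2 * 60, 4 * 60, 4 * 60, BUSINESS_DAY_MIN),
    4: (2 * 60, BUSINESS_DAY_MIN, BUSINESS_DAY_MIN, 3 * BUSINESS_DAY_MIN),
}


@dataclass
class Incident:
    ident: str
    priority: int
    opened: datetime
    accepted: Optional[datetime] = None
    updates: List[datetime] = field(default_factory=list)
    resolved: Optional[datetime] = None


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def check_sla(inc: Incident, now: datetime) -> List[str]:
    """Return the SLA breaches for one incident; an empty list means compliant so far.

    Breach codes: accept-late, accept-overdue, update-gap@HH:MM, update-overdue,
    resolve-late, resolve-overdue.
    """
    accept_within, first_update, every, resolve_within = SLA_TARGETS[inc.priority]
    breaches: List[str] = []

    # Acceptance target is measured from the moment the incident was opened.
    if inc.accepted is None:
        if _minutes(inc.opened, now) > accept_within:
            breaches.append("accept-overdue")
    elif _minutes(inc.opened, inc.accepted) > accept_within:
        breaches.append("accept-late")

    # Update cadence: the first update is due within `first_update` of opening,
    # each later one within `every` of the previous. Resolution is treated as the
    # final update, since the "until resolution" clause ends the obligation there.
    checkpoints = [inc.opened] + sorted(inc.updates)
    if inc.resolved is not None:
        checkpoints.append(inc.resolved)
    for i in range(1, len(checkpoints)):
        limit = first_update if i == 1 else every
        if _minutes(checkpoints[i - 1], checkpoints[i]) > limit:
            breaches.append("update-gap@" + checkpoints[i].strftime("%H:%M"))
    if inc.resolved is None:
        limit = first_update if len(checkpoints) == 1 else every
        if _minutes(checkpoints[-1], now) > limit:
            breaches.append("update-overdue")

    # Resolution target is measured from opening.
    if inc.resolved is None:
        if _minutes(inc.opened, now) > resolve_within:
            breaches.append("resolve-overdue")
    elif _minutes(inc.opened, inc.resolved) > resolve_within:
        breaches.append("resolve-late")
    return breaches


# Constructed sample incidents (not real tickets) and a fixed "now" so the
# report is reproducible.
NOW = datetime(2014, 3, 3, 14, 0)
SAMPLE_INCIDENTS = [
    # P1, accepted in 10 min, updated every 50 min, resolved after 115 min: compliant.
    Incident("INC-A", 1, datetime(2014, 3, 3, 9, 0), accepted=datetime(2014, 3, 3, 9, 10),
             updates=[datetime(2014, 3, 3, 9, 50), datetime(2014, 3, 3, 10, 40)],
             resolved=datetime(2014, 3, 3, 10, 55)),
    # P2, accepted after 45 min, last update 4 h ago, still open after 5 h.
    Incident("INC-B", 2, datetime(2014, 3, 3, 9, 0), accepted=datetime(2014, 3, 3, 9, 45),
             updates=[datetime(2014, 3, 3, 10, 0)]),
    # P3, two update gaps of 270 min and resolved after 9 h (target 1 business day).
    Incident("INC-C", 3, datetime(2014, 3, 3, 8, 0), accepted=datetime(2014, 3, 3, 9, 30),
             updates=[datetime(2014, 3, 3, 12, 30)], resolved=datetime(2014, 3, 3, 17, 0)),
]


def sla_report(incidents=SAMPLE_INCIDENTS, now=NOW) -> Dict[str, List[str]]:
    """Map each incident id to its list of breaches, for a service management report."""
    return {inc.ident: check_sla(inc, now) for inc in incidents}


if __name__ == "__main__":
    for ident, breaches in sla_report().items():
        print(ident, "OK" if not breaches else ", ".join(breaches))
```

Two design points worth noting: an open incident is judged against `now`, so the report can flag an overdue acceptance, update or resolution before the ticket is closed rather than only after the fact; and business-day targets are converted to working minutes up front, so the same comparison serves all four priorities. Replace the 8-hour constant with the calendar actually agreed in the SLA/OLA before using this against real tickets.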
  • 31. Objectives (repeat of slide 2).
  • 32. Service reports (CRISC: Monitor Risks). Service Reports must be provided daily, weekly, monthly, quarterly and annually, or at the intervals agreed to within the SLA/OLA. These reports compare the agreed service levels against actual results. The following is a sample of the monthly Services Management Report:
      • Production Environment Support during Published Hours of Service
      • Monitoring and Support of Nightly Process Activity
      • Test Infrastructure and Application Support during Published Hours of Service
      • User Application Support
      • Non-Business Hours On-Call Response
      • Information Security Threat, Vulnerability and Risk Remediation
      • Continuous Improvement Initiatives
      • Fiscal Year 2013/14 Release Management
      • Change Management
      • Infrastructure and Application Support Services
      • Accomplishments this Month
      • Investigations and Resolutions
      • Operations Support Services
      • Accomplishments this Month
      • Scheduled Service Interruptions
      • Unscheduled Service Interruptions
      • Business Continuity Plan
      • Security Patch
  • 33. Objectives (repeat of slide 2).
  • 34. Design Controls (CRISC); slide image not captured in the transcript.
  • 35. Maintain Controls (CRISC); slide image not captured in the transcript.
  • 36. Identify & Evaluate (CRISC); slide image not captured in the transcript.
  • 37. Legal Obligations (CRISC: Identify & Evaluate)
      #1. Statutory Obligations
      • California Corporations Code
      • California Financial Code
      • California Public Records Act Requests
      • Health Insurance Portability and Accountability Act
      #2. Regulatory Obligations
      • United States Securities and Exchange Commission (SEC)
      • Financial Industry Regulatory Authority (FINRA)
      • Municipal Securities Rulemaking Board (MSRB)
      • California Code of Regulations
      • California State Bank Charter - The Charter of Choice
      • Cooperative Agreements
      • Department of Financial Institutions Administrative Orders
      • Department of Financial Institutions Approved Regulations
      • Department of Financial Institutions Legal Precedent System
  • 38. Legal Obligations, continued (CRISC: Identify & Evaluate)
      #3. Contractual Obligations
      a) Customers/Partners
      • Serves more than 500 financial institutions
      • Total representatives and financial advisors: 1000+
      b) Vendors and suppliers
      • Software and licensing
      • Hardware
      • Internet Service Providers
      • Managed Services
  • 39. Design Controls (CRISC); slide image not captured in the transcript.
  • 40. Design Controls (CRISC); slide image not captured in the transcript.
  • 41. Maintain Controls (CRISC); slide image not captured in the transcript.
  • 42. Maintain Controls (CRISC); slide image not captured in the transcript.
  • 43. Maintain Controls (CRISC); slide image not captured in the transcript.
  • 44. Objectives (repeat of slide 2).
  • 45. Monitor Controls (CRISC); slide image not captured in the transcript.
  • 46. Monitor Controls (CRISC); slide image not captured in the transcript.
  • 47. Monitor Controls (CRISC); slide image not captured in the transcript.
  • 48. Objectives (repeat of slide 2).
  • 49. Slide image not captured in the transcript.
  • 50. Mark E.S. Bernard, CISM, CISSP, CRISC, CGEIT, CISA. Dissecting and Demystifying a Risk Management Program. Mobile: 604-349-6557 or email: mesbernard@gmail.com. THANK YOU!
