Document Risk Management
Philip Meulenberghs
Document and Record risk management: methods and tools

Speaker notes
  • Planning: 1 minute
  • Timing: 2 minutes
    Document management is about all the documents that are used by employees in the context of their professional duties, regardless of the form of the document (paper, electronic file etc.), as illustrated in the drawing.
  • Timing: + 3 minutes
    The same information in a document can be exposed to different types of risk depending on the stage in the lifecycle.
  • Timing: + 4 minutes
  • Timing: + 5 minutes
  • Timing: + 6 minutes
  • Timing: + 6.5 minutes
  • Timing: + 7 minutes
  • Timing: + 7.5 minutes
  • Timing: + 8.5 minutes
  • Timing: + 9 minutes
    In EBIOS you are free to use all the modules, activities and actions, or only a part of them.
    You can go into as much detail as you want, or not at all.
    You can change the order of things and adapt the method to your own needs.
  • Timing: + 10 minutes
  • Timing: + 11 minutes
  • Timing: + 12 minutes
  • Timing: + 13 minutes
  • Timing: + 14 minutes
    Not going into the detail of the action plan, just explaining that EBIOS offers detailed guidance for how to make an action plan.
    Here we agree on what we will do and what we will deliver, and what not.
    To my personal sense this is a good method, but of course a risk manager is free to use another method for this (flexibility of EBIOS), for example if there is already a standard tool for this in the company.
  • Timing: + 15 minutes
    EBIOS foresees making clear agreements (framework) before starting the detail of the study.
    It is indeed very important that some basic assumptions (for example the objectives or the perimeter, what is included and what not) are not changed halfway through the study.
  • Timing: + 16 minutes
    Metrics are the way we will measure things.
    In EBIOS this is done beforehand, so that the study is as objective as possible (it is very difficult to do an objective risk assessment if the scale is not agreed upon).
    The likelihood and the gravity can be either quantitative or qualitative (a description).
  • Timing: + 17 minutes
  • Timing: + 18 minutes
  • Timing: 19 minutes
  • Timing: 20 minutes
Transcript

1. Document Risk Management
   Philip Meulenberghs

2. Agenda
   1. Document risk management
   2. EBIOS
   3. EBIOS Case
   4. Conclusions

3. 1. Document risk management
   Four questions about document management:
   1. What is it?
   2. Why does it matter?
   3. What if it fails?
   4. How to protect against failure?

4. 1. What is it?
   Corporate documents: all types of documents created or received by employees during business activities.

5. Documents have a lifecycle.

6. What is a document management programme?
   • Systematic management of the entire document lifecycle of corporate documents, including:
     – an inventory of records
     – which records to keep
     – which records to archive
     – which records to destroy

7. About document management
   2. Why does it matter?
     – control of the cost of storage
     – control of the risk
   3. What if it fails?
     – risk of inefficiency
     – risk of loss and compromising of records
     – risk of infringement of data protection laws, prosecution, fines
     – risk of reputational damage

8. About document management
   4. How to protect against failure?
   1. a document management programme
   2. a document RISK management programme

9. 2. Document Risk Management
   • Documents contain information: often a valuable intangible asset of corporations. Document risk Information risk.
   • Risk is the effect of uncertainty on objectives.
   • Organisations want predictable results, so they need to manage this uncertainty.
   • Document risk can be efficiently managed by implementing a comprehensive programme:
     – compliant with internationally accepted standards
     – using validated and practical standard methods

10. International Standards (most relevant ones)
   • ISO 31000: Risk Management
   • BS 31100: Code of Practice for Risk Management
   • ISO Guide 73: vocabulary
   • ISO 27001: ISMS
   • ISO 27003: Implementation of the ISMS
   • ISO 27005: Information Security Risk Management

11. Risk management process according to ISO 31000

12. Methods
   1. Österreichisches IT-Sicherheitshandbuch (Austrian IT Security Handbook)
   2. CRAMM (CCTA Risk Analysis and Management Method)
   3. A&K analyse (Afhankelijkheids- en Kwetsbaarheidsanalyse)
   4. EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
   5. ISAMM or ‘Information Security Assessment & Monitoring Method’
   6. Information Security Forum (ISF) tools
   7. MAGERIT
   8. MARION
   9. MEHARI
   10. MIGRA
   11. OCTAVE®
   12. SP 800-30 (NIST): Risk Management Guide for Information Technology Systems

13. 2. EBIOS
   • Comprehensive: the set of guides covers the whole process of ISO 31000.
   • Professional: developed by ANSSI.
   • Validated: in use since 1995, Club EBIOS since 2003.
   • Practical: Club EBIOS manages a user network and a knowledge base.
   • Open & transparent: can be customised by the user (vs. the black-box approach of some other tools).
   • Flexible: can be used for detailed as well as strategic risk management.
   • Universal: can be used for any type of risk.
   • Integrated: compliant with (ISO) standards.
   • Well documented: training & documentation available.
   • Cheap: can be used for free.

14. EBIOS structure

15. 5 EBIOS Modules
   By applying the 5 EBIOS modules you are sure of covering the ISO 31000 risk management process.

16. Sample (Module 1)
   Activity 1.1: Definition of the environment for risk management
   • Action 1: framework, objectives and action plan
   • Action 2: internal and external context
   • Action 3: perimeter of the study
   • Action 4: parameters to take into account
   • Action 5: most relevant threat sources
   Activity 1.2: Preparing the metrics
   • Action 1: security criteria and scales
   • Action 2: gravity scale (impact)
   • Action 3: likelihood scale
   • Action 4: risk scale
   Activity 1.3: Identifying the assets
   • Action 1: essential assets
   • Action 2: supporting assets
   • Action 3: interdependencies between them
   • Action 4: analysis of existing security measures

17. Objectivity is maximised by a separate analysis of impact and likelihood.

18. 3. EBIOS Case
   • TELCO: small telecom installation company, approx. 10 staff, works for telecom providers such as Belgacom, Telenet and others.
   • Has many competitors, ‘price war’.
   • Is losing market share and contracts to one particular competitor.
   • CEO fears price info could be compromised.
   • Wants a «document risk» study, about the offers in particular.
19. TELCO: Document Risk Management: action plan
   Columns: Reference | EBIOS Module | EBIOS Activity | CEO | Secretariat & Assistance | Resources | Studies & Calculations | Sales | Installers | Documents to deliver | Man-days required

   A | 1 | Activity 1.1 - setting the framework for the risk management project | A | I | I | C | R | I | Objectives of the study | 1
   B | 1 | Activity 1.2 - preparing the metrics | R | I | I | I | I | I | Table with metrics and scale | 1
   C | 1 | Activity 1.3 - identifying the assets | A | C | C | A | C | C | Table with essential and supporting assets | 2
   D | 2 | Activity 2.1 - identifying the feared events | R | I | C | C | C | C | Inventory of feared events | 2
   E | 3 | Activity 3.1 - evaluating the threat scenarios | A | I | C | C | R | C | List of most relevant threat scenarios and likelihood | 2
   F | 4 | Activity 4.1 - assessing the risks | A | C | C | C | R | C | Risk assessment matrix | 1
   G | 4 | Activity 4.2 - treating the risks | A | C | C | R | C | C | Information security strategy for offers | 3
   H | 5 | Activity 5.1 - formalising the required security measures | A | I | C | R | C | C | Internal Security Policy for Offers | 1
20. Activity 1.1: FRAMEWORK (Module 1)
   1. Objective (set by CEO): « reduce the risk for disclosure of confidential offers to competitors »
   2. Organisational perimeter
   3. Technological perimeter
   4. Parameters
     - application of ISO 31000
     - use of EBIOS

21. Activity 1.2: METRICS (Module 1)
   1. Security (quality) criteria and scales = scale for confidentiality
     • Compromised (unknown)
     • Compromised & detected
     • Under control
   2. Gravity and likelihood scales
     Gravity (= impact): critical, important, unimportant
     Likelihood: almost certainly, possible, unlikely
   3. Risk criteria

     RISK                    | unimportant impact | important impact  | critical impact
     unlikely scenario       | acceptable risk    | acceptable risk   | acceptable risk
     possible scenario       | acceptable risk    | significant risk  | unacceptable risk
     almost certain scenario | unacceptable risk  | unacceptable risk | unacceptable risk

22. Activity 1.3: Identifying the ASSETS (Module 1)
   1. Essential asset
     • The offer (the price)
   2. Supporting assets
     • staff, equipment etc.
   Activity 2.1 and 3.1: Feared events and threat scenarios (Modules 2 and 3)
   3. Feared event (IMPACT)
     • Worst thing that could happen to our essential asset: systematic compromising of our (offers') prices without us knowing about it.
   4. Threat scenarios (LIKELIHOOD)
     • How could feared events happen?
     • By threats that affect the supporting assets.
     • Scenarios: corruption of persons, hacking of equipment, etc.

23. Activity 4.1: Assessing the risks (Module 4)
   Risk matrix (rows = likelihood, columns = impact: unimportant, important, critical). The scenarios placed on the slide, by likelihood row:
     • unlikely: cell phone is hacked; sales manager or studies engineer corrupt
     • possible: laptop is lost; cell phone is overheard; print-outs of offers forgotten on printer; laptop is stolen; sales manager or studies engineer not careful; wifi is hacked; laptop is hacked
     • almost certain: (no scenarios)
   Treatments marked in the matrix: ACCEPT, ACCEPT, Awareness, Awareness, Encryption.
   Activity 4.2: Action plan
   • Each risk: avoid, reduce, accept or transfer
   • Cell phone hacked: accept
   • Sales manager or studies engineer corrupt: accept
   • Laptop lost: awareness campaign
   • Sales manager not careful: awareness clause in contract
   • Wifi hacked: encryption of files + firewall
   • Etc.
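As an added example (not part of the original slides), here are the metrics of Activity 1.2 and the assessment step of Activity 4.1 as a small Python model, with a consistency check on the Activity 4.2 treatments. The likelihood rows and the accept/awareness/encryption decisions follow the slide; the impact level of each scenario and the 'accept' on the print-outs are constructed assumptions.

```python
from dataclasses import dataclass

# Scales and risk criteria copied from the "Activity 1.2: METRICS" slide.
LIKELIHOOD = ("unlikely", "possible", "almost certain")
IMPACT = ("unimportant", "important", "critical")
RISK_CRITERIA = {
    "unlikely":       ("acceptable",   "acceptable",   "acceptable"),
    "possible":       ("acceptable",   "significant",  "unacceptable"),
    "almost certain": ("unacceptable", "unacceptable", "unacceptable"),
}


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str   # assessed on its own scale (Module 3)
    impact: str       # assessed separately (Module 2)
    treatment: str    # avoid, reduce, accept or transfer (Activity 4.2)


def risk_level(likelihood: str, impact: str) -> str:
    """Activity 4.1: combine the two separately assessed scales via the risk criteria."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"value outside the agreed scales: {likelihood!r}, {impact!r}")
    return RISK_CRITERIA[likelihood][IMPACT.index(impact)]


def assess(scenarios):
    """The 'risk assessment matrix' deliverable: scenario name -> risk level."""
    return {s.name: risk_level(s.likelihood, s.impact) for s in scenarios}


def plan_gaps(scenarios):
    """Activity 4.2 check: a risk above 'acceptable' must not simply be accepted."""
    return [s.name for s in scenarios
            if s.treatment == "accept" and risk_level(s.likelihood, s.impact) != "acceptable"]


# Constructed sample input. Likelihood rows and treatments follow the slide;
# the impact levels (and the 'accept' on the print-outs) are assumptions.
TELCO_SCENARIOS = [
    Scenario("cell phone is hacked", "unlikely", "critical", "accept"),
    Scenario("sales manager or studies engineer corrupt", "unlikely", "critical", "accept"),
    Scenario("laptop is lost", "possible", "important", "reduce"),
    Scenario("wifi is hacked", "possible", "critical", "reduce"),
    Scenario("print outs of offers forgotten on printer", "possible", "important", "accept"),
]

if __name__ == "__main__":
    for name, level in assess(TELCO_SCENARIOS).items():
        print(f"{level:12} {name}")
    print("treatment to revisit:", plan_gaps(TELCO_SCENARIOS))
```

Because the scales are agreed beforehand, `risk_level` rejects any value that is not on them, which is the objectivity point made on slide 17.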
24. Result of the study
   1. Encryption of electronic documents containing price info.
   2. The personnel shall report loss or theft of laptop computers immediately.
   3. It is not allowed to discuss price information over the cell phone when this can be overheard (e.g. in the train).
   4. Paper documents:
     - When offers are printed the personnel shall use the PIN code.
     - Shredders shall be used to destroy all paper drafts.
     - All hard copies shall be locked away.
     - A clean desk policy shall be applied.
   5. The personnel shall sign a confidentiality agreement.
   6. Any loss or compromise of price information shall be reported to the CEO immediately.

25. 4. Conclusions
   • Documents and records need to be managed to avoid cost & risk.
   • Risk = effect of uncertainty on objectives.
   • Uncertainty needs to be managed because corporations want predictable results.
   • Document risk is best managed in line with international standards and by using existing methods.
   • EBIOS is an example of a comprehensive method which can achieve this.
