The importance of information security risk management


Vigilant Software discusses the importance of ISO27001 and ISO27005, including the business benefits of information security risk assessments.


  1. The Importance of Risk Management
     Alan Calder, CEO, Vigilant Software. Thursday March 7th.
     Please note that all delegates in the teleconference are muted on joining. Q&A is handled through a combination of WebEx chat/text and voice.
     “The definitive risk assessment tool for ISO27001 certification” Copyright © Vigilant Software Ltd 2013
  2. Alan Calder
     • CEO and founder of Vigilant Software
     • Acknowledged information security/risk management thought leader
     • Managed the world’s first successful ISO27001 (then BS7799) implementation project in 1996
     • Frequent media commentator on risk management issues
     • Co-author of vsRisk™ – the definitive cybersecurity risk assessment tool
  3. Today’s Webinar in Context
     • Today’s webinar is #2 in an educational series.
     • The 4 webinars are designed to take you on a learning journey:
       • Webinar 1 – Why ISO 27001 for my Organisation?
       • Webinar 2 (Today) – The Importance of risk management.
       • Webinar 3 – Carrying out a risk assessment using vsRisk.
       • Webinar 4 – Maintaining/updating your risk assessment using vsRisk.
     • Registration details of future webinars at the end.
  4. Today’s Agenda
     • A short 20-30 minute educational and informative talk:
       • Quick recap of last week’s webinar – Why ISO 27001 for my Organisation?
       • The importance of risk management.
     • Ample time for Q&A.
     • Next steps.
  5. Recap – last week’s webinar
     In last week’s webinar we covered:
     • What is information security?
     • What is an information security management system (ISMS)?
     • What is ISO 27001?
     • Why should I and my organisation care about ISO 27001?
  6. Information Security Terms and Phrases
     Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
     Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
     Integrity: the property of safeguarding the accuracy and completeness of assets.
     Availability: the property of being accessible and usable upon demand by an authorized entity.
     Asset: anything that has value to the organization.
  7. What is a Risk?
     A risk exists where there is an identifiable likelihood of an identified threat exploiting an identified vulnerability in relation to the confidentiality, availability or integrity of an asset, and where that compromise will have a quantifiable impact on the organisation.
     Without likelihood and impact, there is no risk.
  8. What is a risk assessment?
     • A risk assessment is the core competence of information security management.
     • ISO 27001 explicitly asks for:
       • a risk assessment to be carried out before any controls are selected and implemented.
       • every control to be justified by a risk assessment.
       • a Plan-Do-Check-Act model.
  9. Plan-Do-Check-Act (diagram slide)
  10. What is a risk assessment?
      • The risk assessment must:
        • Identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of each asset within a scope.
        • This must be done from a business, compliance or contractual perspective.
  11. Benefits of risk assessment
      • Spend on controls is balanced against the business harm likely to result from security failures.
      • Existing over-expenditure can be re-allocated to areas of weakness.
      • Information security management decisions are made entirely on the outcomes of a risk assessment – so they are objective.
  12. Risk assessment process (diagram slide): Assets → Threats → Vulnerabilities → Analysis → Risks → Treatment → Countermeasures/Safeguards: identification and implementation.
  13. Risk Management: Asset Documentation
      Produce an inventory of all assets:
      • All physical computing resources (computers, servers, PDAs, etc.)
      • Buildings
      • Telephones, mobile phones
      • Storage facilities
      • Information assets: databases, documentation, blueprints
      • People
      Maintain the Asset Register! Control Cat. A.7 is Asset Management: consider it when preparing for the risk assessment.
  14. Risk Management: Asset Management
      • Responsibility for assets.
      • Information classification.
      • Sensitivity guidelines.
      • Sensitivity labelling.
  15. Risk Assessment – Objective
      To inform a proper balance of safeguards against the risk of failing to meet business objectives.
      • For a given exposure, removal of safeguards will increase the risk of loss.
      • Too many safeguards could make the security system too expensive/bureaucratic.
      • A method by which expenditure on security and contingency can be justified.
  16. Risk assessment
      • Define the approach: comparable and reproducible.
      • Develop criteria for acceptance of risk and for identifying the acceptable level of risk.
      • Risk Acceptance Criteria.
  17. Treatment of Risk
      After completing the analysis of risk, you need to decide how to manage it.
      Treatment of risk:
      • Accept? (Criteria already developed.)
      • Eliminate the risk by a workaround or other arrangements.
      • Control the risk to bring it to an acceptable level.
      • Transfer it to a third party (e.g. via insurance).
      Then select controls.
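As an added example that is not part of the webinar or of vsRisk, the register logic slides 7, 8, 11, 16 and 17 describe in one place: a likelihood × impact score per identified threat/vulnerability combination, a reproducible acceptance criterion, a treatment decision for every risk above it, and the check that every implemented control is justified by a risk. The 1..5 scales, the threshold of 6, the sample risks and the control names are all constructed assumptions.

```python
from dataclasses import dataclass, field

ACCEPT_AT_OR_BELOW = 6   # assumed acceptance criterion on the 1..25 score scale
TREATMENTS = {"accept", "eliminate", "control", "transfer"}   # options from slide 17

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale 1 (negligible) .. 5 (severe)
    treatment: str = ""        # one of TREATMENTS, or "" if not yet decided
    controls: list = field(default_factory=list)   # placeholder control names
    residual: int = 0          # assessed score after treatment, 0 if unassessed

    def score(self) -> int:
        # Slide 7: no risk without both a likelihood and an impact rating.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must both be rated 1..5")
        return self.likelihood * self.impact

def review_register(risks, implemented_controls):
    """Return (subject, issue) findings a reviewer would raise against the register."""
    findings, justified = [], set()
    for r in risks:
        s = r.score()
        justified.update(r.controls)
        if s <= ACCEPT_AT_OR_BELOW:
            if r.controls:                 # slide 11: spend that could be re-allocated
                findings.append((r.asset, "over-controlled"))
        elif r.treatment not in TREATMENTS - {"accept"}:
            findings.append((r.asset, "untreated"))   # above criterion, no decision
        elif r.treatment == "control" and not 0 < r.residual <= ACCEPT_AT_OR_BELOW:
            findings.append((r.asset, "residual-too-high"))
    for c in sorted(set(implemented_controls) - justified):   # slide 8
        findings.append((c, "unjustified-control"))
    return findings

# Constructed sample register; control names are placeholders, not Annex A references.
REGISTER = [
    Risk("customer database", "external attacker", "unpatched web server", 4, 5,
         treatment="control", controls=["patch-mgmt"], residual=4),
    Risk("staff laptops", "theft", "no disk encryption", 3, 4,
         treatment="control", controls=["disk-encryption"], residual=8),
    Risk("office printer", "hardware failure", "ageing device", 2, 1,
         controls=["access-restriction"]),
    Risk("email archive", "insider misuse", "excessive access rights", 3, 3),
]
IMPLEMENTED = ["patch-mgmt", "disk-encryption", "access-restriction", "secure-disposal"]
```

`review_register(REGISTER, IMPLEMENTED)` returns four findings: the laptop controls leave a residual of 8, the printer is controlled although already acceptable, the email archive has no treatment, and `secure-disposal` is implemented without a risk justifying it.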
  18. Safe and Secure – The Importance of Risk Management
      • An Information Security Management System (ISMS) will help your organisation to become ISO 27001 certified.
      • This certification will tell your potential customers, employees and partners that your information systems are safe and secure.
  19. Safe and secure – so what?
      • It’s not just your word – your information systems are safe and secure to a recognisable, externally audited, international standard.
      • Tells existing and potential customers, employees and partners, as well as regulators, that you have defined and put in place effective information security processes, thus helping create a trusting relationship.
      • You are good to do business with!
  20. Summary
      • Information security risk analysis is a difficult task involving experience and knowledge of the environment being analysed.
      • A number of risk analysis and management methods have been proposed for both commercial and government sectors; these methods are currently available either as guidelines to be applied manually or as software packages.
      • There are tools to help – vsRisk will be demoed in next week’s webinar.
  21. Next Steps – Upcoming Educational Webinars
      • Webinar 3 – Carrying out a Risk Assessment using vsRisk – Thursday March 14th, 4pm UK time.
      • Webinar 4 – Maintaining and Updating your Risk Assessment using vsRisk – Thursday March 21st, 4pm UK time.
      • Register for both/either at http://www.vigilantsoftware.co.uk/webinars.aspx
  22. Before the next webinars…
      • Read a book… Read the world’s first practical e-book guidance on achieving ISO 27001 certification and the nine essential steps to an effective ISMS implementation. Available for £29.95 at http://www.vigilantsoftware.co.uk/product/1651.aspx
      • Download a free trial of vsRisk: the cyber security risk assessment tool compliant to ISO 27001 that automates and accelerates the risk management process. 15-day free trial at http://www.vigilantsoftware.co.uk
  23. Next Steps – Special March offer of risk assessment software vsRisk
      • Purchases of vsRisk in March will include for free the information security risk management standard, ISO 27005 (worth £100), and a copy of the book Information Security Risk Management for ISO 27001/ISO 27002 (worth £39.95).
      • To claim this offer, please visit www.vigilantsoftware.co.uk.
      • Offer valid until Thursday March 28th.
  24. Next Steps – Want to know more?
      If you would like to know more about ISO 27001, including how to carry out an ISO 27001-compliant risk assessment, please visit http://www.vigilantsoftware.co.uk or email servicecentre@vigilantsoftware.co.uk.
  25. Questions – we welcome them all!
      Please type your questions into the WebEx chat window – responses will generally be verbal and shared with all delegates.