e-Symposium_ISACA_Ramsés_Gallego



1. The Changing Security Landscape: Risk is Everywhere
   Ramsés Gallego, CISM, CISSP, SCPM, ITIL, COBIT Certified
   General Manager, Entel Security & Risk Management

2. What is risk?
   • An inherent part of any business
   • Impractical to eliminate it all
   • Risk = Value x Threats x Vulnerabilities

3. How many risks do we face?
   • Different categories: reputation risk, project management risk, supplier risk, etc.
   • A risk can be described in terms of:
     • its origin
     • a certain activity, event or incident
     • its consequences or impact
     • a reason
     • protective mechanisms or controls
     • time and place of occurrence

4. What to do with risk
   • Terminate the activity
   • Transfer the risk
   • Tolerate/accept the risk
   • Treat the risk

5. Security Risk Management
   • Part of Enterprise Risk Management
   • Aimed at an efficient balance between opportunities and loss
   • Needs a risk assessment combined with a BIA (Business Impact Analysis)

6. Implementing Risk Management
   • Five main processes:
     • Definition of scope
     • Risk assessment
     • Risk treatment
     • Risk communication
     • Monitor & review

7. Risk Analysis Framework
   • Start with asset valuation
   • Consider aggregated risk

8. Risk Assessment
   • Can be quantitative or qualitative
   • Operates at multiple levels
   • Visibility on a company-wide basis
   • Management support is a must

9. What really matters in asset valuation
   • Value at Risk (VAR)
   • Single Loss Expectancy (SLE)
   • Annual Loss Expectancy (ALE)
   • Exposure Factor (EF)

11. Risk Communication
   • Communication channels must be established
   • Multi-dimensional communication
   • Linked with Incident Management and Response
   • Metrics and indicators

12. CSFs, KGIs and KPIs: what are they?
   • CSFs: Critical Success Factors, or "vital elements"
   • KGIs: Key Goal Indicators, or "what" has to be accomplished
   • KPIs: Key Performance Indicators, or "how well" the process is performing

13. Monitor vs. Manage
   (Diagram: four levels of increasing value and cost, from monitoring to management)
   • Level 1, DATA (monitoring): centralize access to data, content and applications
   • Level 2, INFORMATION (monitoring): refine, analyze and sort data so that it delivers security information
   • Level 3, KNOWLEDGE (management): apply business relevance to information to determine business priorities
   • Level 4, ACTION (management): act on real business knowledge in a single place, according to business need

14. It's a continuous process

15. Evolution over time

16. The Changing Security Landscape: Risk is Everywhere
   THANK YOU
   Ramsés Gallego, CISM, CISSP, SCPM, ITIL, COBIT Certified
   General Manager, Entel Security & Risk Management

17. Questions? Click on the questions tab on your screen, type in your question (and your name if you wish) and hit send.
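As an added example that is not part of the presentation, the quantitative terms of slide 9 worked through in Python: SLE = asset value x EF and ALE = SLE x ARO, where ARO (annualized rate of occurrence) is a standard risk-analysis term the slides do not name. The asset values, exposure factors and rates are constructed; the code also sums the aggregated risk of slide 7 and costs out the "treat" option from slide 4 as ALE reduction minus the control's yearly cost.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One asset under assessment (all values constructed for illustration)."""
    name: str
    value: float            # asset value (AV), in currency units
    exposure_factor: float  # EF: fraction of the value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence (assumed; not on the slides)


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: what one incident against this asset costs."""
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: expected yearly loss from this asset."""
    return single_loss_expectancy(asset) * asset.aro


def aggregated_ale(assets: list[Asset]) -> float:
    """Aggregated risk across the assessed assets (slide 7)."""
    return sum(annual_loss_expectancy(a) for a in assets)


def control_net_benefit(asset: Asset, residual_ef: float,
                        residual_aro: float, annual_cost: float) -> float:
    """'Treat' option: yearly ALE reduction minus the control's yearly cost.

    A positive result means the control pays for itself; a negative one
    argues for tolerating, transferring or terminating instead.
    """
    before = annual_loss_expectancy(asset)
    after = annual_loss_expectancy(
        replace(asset, exposure_factor=residual_ef, aro=residual_aro))
    return before - after - annual_cost


# Constructed sample register: a customer database and a public web server.
SAMPLE_ASSETS = [
    Asset("customer database", value=500_000, exposure_factor=0.40, aro=0.5),
    Asset("public web server", value=80_000, exposure_factor=0.25, aro=2.0),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name}: SLE={single_loss_expectancy(a):,.0f} "
              f"ALE={annual_loss_expectancy(a):,.0f}")
    print(f"aggregated ALE: {aggregated_ale(SAMPLE_ASSETS):,.0f}")
    # Hypothetical control on the database: same EF, incidents cut to 0.1/year, 30k/year.
    print(f"net benefit of control: "
          f"{control_net_benefit(SAMPLE_ASSETS[0], 0.40, 0.1, 30_000):,.0f}")
```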