Transcript of "e-Symposium_ISACA_Ramsés_Gallego"

1. The Changing Security Landscape: Risk is Everywhere
   Ramsés Gallego (CISM, CISSP, SCPM, ITIL, COBIT Certified), General Manager, Entel Security & Risk Management

2. What is risk?
   - An inherent part of any business
   - Impractical to eliminate it all
   - Risk = Value x Threats x Vulnerabilities
3. How many risks do we face?
   - Different categories: reputation risk, project management risk, supplier risk, etc.
   - A risk can be characterised by:
     - its origin
     - a certain activity, event or incident
     - its consequences or impact
     - a reason
     - protective mechanisms or controls
     - time and place of occurrence

4. What to do with risk
   - Terminate the activity
   - Transfer the risk
   - Tolerate/accept the risk
   - Treat the risk
5. Security Risk Management
   - Part of Enterprise Risk Management
   - Aimed at an efficient balance between opportunities and loss
   - Needs a risk assessment combined with a Business Impact Analysis (BIA)

6. Implementing Risk Management
   - Five main processes:
     - Definition of scope
     - Risk assessment
     - Risk treatment
     - Risk communication
     - Monitor and review

7. Risk Analysis Framework
   - Start with asset valuation
   - Consider aggregated risk (the combined exposure of several assets or several risks on one asset, not each in isolation)

8. Risk Assessment
   - Can be quantitative or qualitative
   - Operates at multiple levels
   - Provides visibility on a company-wide basis
   - Management support is a must
9. What really matters in asset valuation
   - Value at Risk (VaR)
   - Single Loss Expectancy (SLE): the loss from one occurrence, asset value multiplied by the exposure factor
   - Annual Loss Expectancy (ALE): SLE multiplied by the annualised rate of occurrence (ARO)
   - Exposure Factor (EF): the fraction of the asset's value lost in a single occurrence
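The following is an added worked example, not code from the presentation, showing how the terms on slides 7 and 9 turn into numbers and how those numbers feed the four treatment options on slide 4. It uses the standard definitions SLE = AV x EF and ALE = SLE x ARO (the slides list the terms but not the formulas), sums ALEs to get an aggregated figure, and compares a control's annual cost against the ALE it removes. The assets, values, exposure factors, rates of occurrence, control costs and risk appetite are all constructed figures chosen for illustration; the two controls and their effect on EF and ARO are assumptions, not measurements. VaR is not computed here.

```python
"""Quantitative risk register: SLE, ALE, aggregated risk and a cost/benefit
test for a proposed control, mapped onto the four treatment options.

Added example, not code from the presentation. Every asset, value, exposure
factor, rate of occurrence, control cost and risk appetite below is a
constructed figure chosen only to make the arithmetic visible.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of AV lost in one occurrence, 0..1
    aro: float               # ARO: annualised rate of occurrence (events per year)

    def __post_init__(self) -> None:
        # Reject inputs that would make SLE/ALE meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.asset}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence, SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def aggregated_ale(register) -> float:
    """Aggregated risk across a register: the sum of the individual ALEs."""
    return sum(r.ale() for r in register)


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus what the control
    costs per year. Positive means the control pays for itself."""
    return before.ale() - after.ale() - annual_control_cost


def recommend(before: Risk, after: Risk, annual_control_cost: float,
              risk_appetite: float) -> str:
    """Map the figures onto the treatment options from the slides.

    risk_appetite is the ALE management is willing to carry for one asset.
    'transfer or terminate' means the ALE exceeds appetite and the proposed
    control is not worth its cost, so what remains is insurance/outsourcing
    or stopping the activity.
    """
    if before.ale() <= risk_appetite:
        return "tolerate"
    if control_value(before, after, annual_control_cost) > 0:
        return "treat"
    return "transfer or terminate"


# Constructed register (illustrative figures, not real data).
CUSTOMER_DB = Risk("customer database", asset_value=500_000, exposure_factor=0.4, aro=0.2)
WEB_SERVER = Risk("public web server", asset_value=80_000, exposure_factor=0.5, aro=1.0)
LAPTOPS = Risk("laptop fleet", asset_value=120_000, exposure_factor=0.1, aro=2.0)
REGISTER = (CUSTOMER_DB, WEB_SERVER, LAPTOPS)

# Hypothetical controls and their assumed (not measured) effect on the inputs:
# encryption at rest cuts the fraction of the database lost per breach (EF 0.4 -> 0.1);
# a web application firewall halves how often the web server is compromised (ARO 1.0 -> 0.5).
CUSTOMER_DB_ENCRYPTED = replace(CUSTOMER_DB, exposure_factor=0.1)
WEB_SERVER_WAF = replace(WEB_SERVER, aro=0.5)
ENCRYPTION_COST = 15_000   # per year
WAF_COST = 25_000          # per year
RISK_APPETITE = 25_000     # ALE per asset that management will tolerate


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:20s} SLE={r.sle():>10,.0f}  ALE={r.ale():>10,.0f}")
    print(f"aggregated ALE: {aggregated_ale(REGISTER):,.0f}")
    print("customer database:", recommend(CUSTOMER_DB, CUSTOMER_DB_ENCRYPTED, ENCRYPTION_COST, RISK_APPETITE))
    print("web server:       ", recommend(WEB_SERVER, WEB_SERVER_WAF, WAF_COST, RISK_APPETITE))
    print("laptop fleet:     ", recommend(LAPTOPS, LAPTOPS, 0.0, RISK_APPETITE))
```

With these figures the customer database and the web server each carry an ALE of 40,000, which is above appetite; encryption removes 30,000 of ALE for 15,000 a year and is worth doing, while the WAF removes 20,000 for 25,000 and is not, so that risk is a candidate for transfer (insurance, outsourcing) or for terminating the activity. The laptop fleet sits within appetite and is tolerated. The same comparison is what the "efficient balance between opportunities and loss" on slide 5 means in practice: a control is justified only when the loss it prevents exceeds what it costs.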
11. Risk Communication
   - Communication channels must be established
   - Multi-dimensional communication
   - Linked with incident management and response
   - Metrics and indicators

12. CSFs, KGIs and KPIs: what are they?
   - CSFs: Critical Success Factors, the "vital elements"
   - KGIs: Key Goal Indicators, "what" has to be accomplished
   - KPIs: Key Performance Indicators, "how well" the process is performing
13. Monitor vs. Manage (a four-level pyramid; value and cost increase with each level)
   - Level 1, DATA (monitoring): centralize access to data, content and applications
   - Level 2, INFORMATION (monitoring): refine, analyze and sort data that delivers security information
   - Level 3, KNOWLEDGE (management): apply business relevance to information to determine business priorities
   - Level 4, ACTION (management): act on real business knowledge in a single place, according to business need
14. It's a continuous process

15. Evolution over time

16. The Changing Security Landscape: Risk is Everywhere. Thank you.

17. Questions? Click on the questions tab on your screen, type in your question (and name if you wish) and hit send.
