From technology risk_to_enterprise_risk_the_new_frontier

This presentation was given at the ISRM Conference in Las Vegas (September 2010). It shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and IT need to embrace that new frontier.

Published in: Technology
Transcript

  • 1. From Technology Risk to Enterprise Risk: The New Frontier. Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt. General Manager, Entel Security & Risk Management. rgallego@entel.es
  • 2.
  • 3.
  • 4. Definitions. frontier (noun): • the farthermost limits of knowledge or achievement in a particular subject • a line of division between things <the frontiers separating science and the humanities — R. W. Clark> • a new field for exploitative or developmental activity. frontierless (adjective). ORIGIN: late Middle English, from Old French frontiere, based on Latin frons, front- ‘front’.
  • 5. What is risk? • An inherent part of any activity • Impractical to eliminate totally • The risk equation includes: value, threats, vulnerabilities, impact, ...
  • 6. Some facts • 36% of companies do not know the threats that they are exposed to • 24% admit that the organization lacks the procedures that would allow it to manage them • 19% acknowledge that they do not have the tools to analyze and control risks. Source: Merrill Lynch CISO Survey, Deloitte 2009 Security Survey
  • 7. The changing face of risk • Risk is the level of exposure to uncertainties that an organization must understand and manage effectively while performing its duties to achieve objectives and create value • The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals
  • 8. What type of risks are we facing? • Different categories: reputational risk, project management risk, provisioning risk, HR risk, hygienic risk, fraud risk, legal risk, environmental risk, operational risk, financial risk, TECHNOLOGY RISK, ... • Related to: – its origin – a specific activity, an event or an incident – its consequences or impact – a reason – protection mechanisms or countermeasures – time of occurrence
  • 9. Risk Hierarchy
  • 10. What can we do with risk? • Transfer risk • Tolerate or accept • Terminate the activity • Treat risk
  • 11. Technology risk management • Part of Global Risk Management • Focused on an efficient balance between opportunities and losses • Needs a risk analysis combined with a business impact analysis (BIA)
  • 12. Implementing Risk Management • Five core processes: – Definition of scope – Risk analysis – Risk treatment – Risk communication – Monitor and review
  • 13. Framework for a risk analysis • Start with a value analysis • Consider aggregated risk
  • 14. The Risk IT Framework
  • 15.
  • 16.
  • 17. Risk Analysis • Can be quantitative or qualitative • Works at multiple levels • Visibility across the company • Management support is instrumental
  • 18. The value of assets • Value at Risk (VAR) • Single Loss Expectancy (SLE) • Annualized Loss Expectancy (ALE) • Exposure Factor (EF)
  • 19. Risk Communication • Communication channels must be created • Multi-dimensional • Related with incident & response management disciplines • Metrics and indicators
  • 20. Risk Communication
  • 21.
  • 22.
  • 23. Business drives IT
  • 24. Alignment? with the business
  • 25. What is a control? • An action taken by Management in order to manage risk so that objectives are met • Preventive, Corrective and Detective
  • 26. CSFs, KGIs, KPIs: what are they? • CSFs: Critical Success Factors or “vital elements” • KGIs: Key Goal Indicators or “what” needs to be accomplished • KPIs: Key Performance Indicators or “how good” the process is behaving
  • 27. Monitor vs. Manage (diagram: four levels running from Monitor to Manage, with the value and cost provided increasing at each level) – Level 1, DATA: refine, observe, analyze and classify data – Level 2, INFORMATION: centralize access to data according to content and applications – Level 3, KNOWLEDGE: apply business relevance to the information to determine business priorities – Level 4, ACTION: act, with systems and business knowledge, in a single place
  • 28. Sample Risk Scenarios
  • 29. Some examples... © Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com
  • 30. ...from the real world
  • 31. From technology...
  • 32. ...to what really matters
  • 33. A continuous process
  • 34. Time-relevant
  • 35. THANK YOU. Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt. General Manager, Entel Security & Risk Management. rgallego@entel.es
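Slides 10, 13 and 18 name the four options for handling risk, aggregated risk, and the SLE, ALE and EF terms without working them through. The Python below is an added example, not part of the presentation, that puts them together over a constructed risk register. ARO (annualized rate of occurrence), the safeguard figures, the risk appetite and the decision thresholds in recommend() are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: monetary value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year (assumed term, not on the slides)

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_ef: float      # EF once the control is in place
    residual_aro: float     # ARO once the control is in place

def sle(s: RiskScenario) -> float:  # Single Loss Expectancy: AV * EF (slide 18)
    return s.asset_value * s.exposure_factor

def ale(s: RiskScenario) -> float:  # Annualized Loss Expectancy: SLE * ARO (slide 18)
    return sle(s) * s.aro

def aggregated_ale(register) -> float:
    """Aggregated risk across the register (slide 13): the sum of the scenario ALEs."""
    return sum(ale(s) for s in register)

def safeguard_value(s: RiskScenario, g: Safeguard) -> float:
    """ALE reduction minus the control's annual cost; positive means it pays for itself."""
    residual = RiskScenario(s.name, s.asset_value, g.residual_ef, g.residual_aro)
    return ale(s) - ale(residual) - g.annual_cost

def recommend(s: RiskScenario, g: Safeguard, appetite: float) -> str:
    """Map the figures onto the options of slide 10; the thresholds are an assumption."""
    if safeguard_value(s, g) > 0:
        return "treat"                    # the control is worth its cost
    if ale(s) <= appetite:
        return "tolerate"                 # within appetite: accept the risk
    return "transfer or terminate"        # too costly to treat, too large to accept

# Constructed register and candidate controls; every figure is illustrative.
REGISTER = [
    RiskScenario("customer database breach", 2_000_000, 0.25, 0.1),
    RiskScenario("web shop outage", 500_000, 0.10, 2.0),
    RiskScenario("laptop theft", 5_000, 1.0, 4.0),
]
SAFEGUARDS = {
    "customer database breach": Safeguard("field-level encryption", 30_000, 0.05, 0.1),
    "web shop outage": Safeguard("DDoS scrubbing service", 120_000, 0.02, 2.0),
    "laptop theft": Safeguard("tracked, encrypted fleet", 25_000, 0.10, 4.0),
}
```

With a risk appetite of 25,000, the three scenarios land on treat, transfer or terminate, and tolerate respectively, which is the point of slide 13: the same quantification drives different decisions once the control cost and the appetite are in the equation.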