SlideShare a Scribd company logo

Risk Management (1) (1).ppt

Download as PPT, PDF
A
AjjuSingh2

Escape from Hacker and create great challenge

Engineering
1 of 52
• RISK DEFINITION: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation o A risk must have Uncertainty, (in terms of Probability or Likelihood). It might happen o A risk must have a measurable Impact, (usually measured in monetary terms, but other criteria are acceptable, reputation for example) o “It May Rain Tomorrow” • ISSUE DEFINITION: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation o E.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure o “It is Raining Today” RISK DEFINITIONS
3 Risk Life Cycle Threat Agent Vulnerability Risk Asset Exposures Safeguard Exploits Leads to Can damage And cause an Can be countermeasured by a
4 Risk Management Cycle Identify Risks Assess Risks Define Desired Results Select Strategy Implement Strategy Monitor Evaluate and Adjust The Process is iteration •The Processes are organized • Each Step output considered as an input for the next step Risk Control Risk Assessment
5
6 Risk Identification What is the purpose of this phase ? • The aims of this phase is to identify , classify and prioritizing the organization’s information assets ( Know ourselves) and identify all important types and sources of risk and uncertainty (know our enemy), associated with each of the investment objectives. • This is a crucial phase. If a risk is not identified it cannot be evaluated and managed
7 Information Assets IS Components People Procedures Data Transmission HW SW Employees Non- employees People at trusted organizations Authorized Staff Other staff Strangers Standard Procedures Sensitive Procedures Process Storage Application OS Security Component System Devises Net Work
8 Primary sources of Risk Items Human Threats Environmental Threats Outside & Natural Threats network based attacks virus infection, unauthorized access floods Earthquakes hurricanes Power failure, pollution
Risk Analysis • requires an entity to, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity. • Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards
10 Risk Assessment • For each identified component & risk, which has a 'clearly significant' or 'possibly significant' position, each should be assess to establish qualitatively and Estimate the value
27/05/1444 11 What is Risk Assessment ? • Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise , i.e determine the relative risk for each of the vulnerabilities • Risk assessment assigns a risk rating or score to each specific information asset, useful in evaluating the relative risk and making comparative ratings later in the risk control process. • Although all elements of the risk management cycle are important, risk assessments provide the foundation for other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies
12 Methods of Risk Assessment There are various methods assessing risk, First : Quantitative risk assessment : generally estimates values of Information Systems components as ; information, systems, business processes, recovery costs, etc., risk can be measured in terms of direct and indirect costs , based on (1) the likelihood that a damaging event will occur (2) the costs of potential losses (3) the costs of mitigating actions that could be taken.
13 This approach can be taken by defining – Risk in more subjective and general terms such as high, medium, and low. – In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. • Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”. However, by providing the impact and likelihood definition tables and the description of the impact, it is possible to adequately communicate the assessment to the organization’s management. Second : Qualitative Risk Assessment
14 Third :Quantitative and Qualitative – It is also possible to use a combination of quantitative and qualitative method
• The identification of Risks and their management by defining:  The Risk Description  The Risk Owner  The Probability of the Risk Event occurring  The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective  The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring with relation to their costs and the reduction of Risk Exposure  The Contingency Plan to recover the Asset once risk is manifested  An understanding of Corporate Risk Appetite and where appropriate the application of Risk Tolerance WHAT IS RISK MANAGEMENT?
To ensure that all risks to the Business however they are derived are managed effectively. • This includes: • Strategic Risks • Programme and Project Risks • Operational Risks (includes Security and Business Continuity Risks) OBJECTIVES OF GENERIC RISK MANAGEMENT Operational Level (Business as Usual) Change Level Operational Risk Register Information Security Risk Register BAU Business continuity Strategic Level Strategic Risks Programme/Project Risks Operational Risks Project Risk Register Strategic Risk Register
To ensure that the risks to the Organisation that are derived from, Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively. In Security Terms these are those risks that impact the: • Confidentiality, • Integrity, • Availability, and the • Traceability of Information whilst: • At rest • Whilst being modified • In transit (around a system, e-mail, media device, telephone etc.) OBJECTIVES OF INFORMATION SECURITY RISK MANAGEMENT
Incident Management Audit Non-Compliances Problem Management Threat Management Vulnerability Management Exception / Waiver Management ! However, they can be the Source of Infosec So, these are issues, NO uncertainty! WHAT IS NOT RISK MANAGEMENT?
RISK MATRIX IMPACT High Medium High High Medium Low Medium High Low Low Low Medium Low Medium High LIKELIHOOD
COMMON PROBLEMS (MISUNDERSTANDINGS)? • Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification) • Unachievable, ineffective and disproportionate Mitigation Actions • Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement • Reactive vs Proactive Approach • Reliance on Incidents, Threat and Non-Compliance Management (Reactive) • Proactive Risk Identification Workshop based on Success Criteria SO WHAT! • Risks occur that could have been managed • Impact on Assets not understood (BIA, CMDB) • Mitigation Action Costs do not reflect the Risk Exposure Reduction • Systems fail, business and revenue lost, • Corporate data is unavailable when required – Loss of Business • Regulator penalties, reputational damage occurs • Loss of Customer base and confidence • Loss of IPR. PROBLEMS WITH RISK MANAGEMENT
o Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence - (Reduce Probability). o This is why it is so important to describe the risk event clearly. o Contingency Plans address the Impact of the Risk plans and are used to recover a system from the effect of a risk should it occur, a mini BCP - (Reduce Impact) o This is why it is so important to clearly describe the risk impact separately from the risk description MITIGATION PLANS & CONTINGENCY PLANS
o Proliferation of BYOD and smart devices o Cloud computing o Outsourcing of critical business processes to a third party (and lack of controls around third-party services) o Disaster recovery and business continuity o Periodic access reviews o Log reviews SOURCE: Cyber-security - What the Board of Directors need to ask?, IIARF Research Report, 2014 SOURCES OF CYBER SECURITY RISKS
o Application vulnerabilities o Remote access. o Ineffective patch management o Weak network security/flat networks o Lack of real-time security monitoring o Third parties o Lack of a data retention policy SOURCE: HANS HENRIK BERTHING Cyber Assurance and the IT Auditor Nov 2014 COMMON CYBER-CRIMINAL ATTACK VECTORS
Select appropriate Controls / use Security Standards: ISO27000 PCI DSS COBIT HIPAA WHERE TO START?
1. Create risk reporting awareness for the workforce 2. Make it easy, create a simple Risk Submission form 3. Assess the risk submission, ask questions 4. Ensure it is a RISK, not an issue, a service request, a change request  ENCOURAGE RISK REPORTING
1. Record in a Risk Register 2. Describe the RISK 3. Assess the Likelihood, Impact, and risk rating 4. Agree recommended Risk Mitigation / Treatment 5. Establish a contingency position if possible 6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder) 7. Agree a Mitigation Owner 8. Obtain a decision (Reduce, Accept, Avoid, Transfer) 9. Monitor mitigation progress until target risk is achieved – retain awareness of closed or mitigated risks 10. Produce monthly status reports MANAGE THE RISKS…

Recommended

Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk ManagementFAA Safety Team Central Florida
 
Risk Management
Risk ManagementRisk Management
Risk Managementcgeorgeo
 
Risk & Risk Management
Risk & Risk ManagementRisk & Risk Management
Risk & Risk Managementansula
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Risk identification
Risk identificationRisk identification
Risk identificationmurukkada
 
Risk management
Risk management Risk management
Risk management mamta bhaurya
 
Risk management
Risk managementRisk management
Risk managementbaderali2141
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB
 

Recommended

Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk ManagementFAA Safety Team Central Florida
 
Risk Management
Risk ManagementRisk Management
Risk Managementcgeorgeo
 
Risk & Risk Management
Risk & Risk ManagementRisk & Risk Management
Risk & Risk Managementansula
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Risk identification
Risk identificationRisk identification
Risk identificationmurukkada
 
Risk management
Risk management Risk management
Risk management mamta bhaurya
 
Risk management
Risk managementRisk management
Risk managementbaderali2141
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB
 
Risk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesRisk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesSlideTeam
 
Risk management
Risk managementRisk management
Risk managementHarold Malamion
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Zanders Treasury, Risk and Finance
 
Risk management
Risk managementRisk management
Risk managementBabasab Patil
 
Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management OverviewJIGNESH PADIA
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk managementSubhendu Datta
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides SlideTeam
 
Risk Management
Risk ManagementRisk Management
Risk ManagementStefan Csosz
 
Risk mangement
Risk mangementRisk mangement
Risk mangementcollege
 
ERM-Enterprise Risk Management
ERM-Enterprise Risk ManagementERM-Enterprise Risk Management
ERM-Enterprise Risk ManagementJorge Vaz Girão , CISA, PMP, PMDPro I, ERMCP
 
Risk management
Risk managementRisk management
Risk managementbaderali2141
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk managementKannan Subbiah
 
Risk management
Risk managementRisk management
Risk managementManish Tiwari
 
Enterprise Risk Management Overview Powerpoint Presentation Slides
Enterprise Risk Management Overview Powerpoint Presentation SlidesEnterprise Risk Management Overview Powerpoint Presentation Slides
Enterprise Risk Management Overview Powerpoint Presentation SlidesSlideTeam
 
Introduction To Risk Management Powerpoint Presentation Slides
Introduction To Risk Management Powerpoint Presentation SlidesIntroduction To Risk Management Powerpoint Presentation Slides
Introduction To Risk Management Powerpoint Presentation SlidesSlideTeam
 
Risk Assessment Report
Risk Assessment ReportRisk Assessment Report
Risk Assessment ReportSlideKraft Studio LLP
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslideZakaria Salah, Ph.D,MBA
 
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Association for Project Management
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentationmmagario
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
RiskAssesment.ppt
RiskAssesment.pptRiskAssesment.ppt
RiskAssesment.pptAbdulSalamSagir1
 

More Related Content

What's hot

Risk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesRisk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesSlideTeam
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Zanders Treasury, Risk and Finance
 
Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management OverviewJIGNESH PADIA
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk managementSubhendu Datta
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides SlideTeam
 
Risk mangement
Risk mangementRisk mangement
Risk mangementcollege
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk managementKannan Subbiah
 
Enterprise Risk Management Overview Powerpoint Presentation Slides
Enterprise Risk Management Overview Powerpoint Presentation SlidesEnterprise Risk Management Overview Powerpoint Presentation Slides
Enterprise Risk Management Overview Powerpoint Presentation SlidesSlideTeam
 
Introduction To Risk Management Powerpoint Presentation Slides
Introduction To Risk Management Powerpoint Presentation SlidesIntroduction To Risk Management Powerpoint Presentation Slides
Introduction To Risk Management Powerpoint Presentation SlidesSlideTeam
 
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Association for Project Management
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentationmmagario
 

What's hot (20)

Risk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesRisk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation Slides
 
Risk management
Risk managementRisk management
Risk management
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
 
Risk management
Risk managementRisk management
Risk management
 
Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management Overview
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approach
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Risk mangement
Risk mangementRisk mangement
Risk mangement
 
ERM-Enterprise Risk Management
ERM-Enterprise Risk ManagementERM-Enterprise Risk Management
ERM-Enterprise Risk Management
 
Risk management
Risk managementRisk management
Risk management
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk management
 
Risk management
Risk managementRisk management
Risk management
 
Enterprise Risk Management Overview Powerpoint Presentation Slides
Enterprise Risk Management Overview Powerpoint Presentation SlidesEnterprise Risk Management Overview Powerpoint Presentation Slides
Enterprise Risk Management Overview Powerpoint Presentation Slides
 
Introduction To Risk Management Powerpoint Presentation Slides
Introduction To Risk Management Powerpoint Presentation SlidesIntroduction To Risk Management Powerpoint Presentation Slides
Introduction To Risk Management Powerpoint Presentation Slides
 
Risk Assessment Report
Risk Assessment ReportRisk Assessment Report
Risk Assessment Report
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 

Similar to Risk Management (1) (1).ppt

Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfAbdulrafiiMohammed
 
Chapter 1 risk management (3)
Chapter 1 risk management (3)Chapter 1 risk management (3)
Chapter 1 risk management (3)rafeeqameen
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk managementDr. Lasantha Ranwala
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...samahhamed3
 
Various steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazVarious steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazMDAnwarIbrahimMiraz
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Eneni Oduwole
 
Introduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsIntroduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsToño Herrera
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis"Apolonio \"Apps\"" Garcia
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementStephen Ong
 
Qrm presentation
Qrm presentationQrm presentation
Qrm presentationGeetha Svcp
 

Similar to Risk Management (1) (1).ppt (20)

Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
RiskAssesment.ppt
RiskAssesment.pptRiskAssesment.ppt
RiskAssesment.ppt
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdf
 
Chapter 1 risk management (3)
Chapter 1 risk management (3)Chapter 1 risk management (3)
Chapter 1 risk management (3)
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk management
 
Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem Risk
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
51_operational_risk
51_operational_risk51_operational_risk
51_operational_risk
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...
 
Various steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazVarious steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim miraz
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Reliability
ReliabilityReliability
Reliability
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
Introduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsIntroduction to Risk Management Fundamentals
Introduction to Risk Management Fundamentals
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
 
Qrm presentation
Qrm presentationQrm presentation
Qrm presentation
 

Recently uploaded

Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixingviprabot1
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 

Recently uploaded (20)

Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixing
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 

Risk Management (1) (1).ppt

  • 1.
  • 2. • RISK DEFINITION: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation o A risk must have Uncertainty, (in terms of Probability or Likelihood). It might happen o A risk must have a measurable Impact, (usually measured in monetary terms, but other criteria are acceptable, reputation for example) o “It May Rain Tomorrow” • ISSUE DEFINITION: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation o E.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure o “It is Raining Today” RISK DEFINITIONS
  • 3. 3 Risk Life Cycle Threat Agent Vulnerability Risk Asset Exposures Safeguard Exploits Leads to Can damage And cause an Can be countermeasured by a
  • 4. 4 Risk Management Cycle Identify Risks Assess Risks Define Desired Results Select Strategy Implement Strategy Monitor Evaluate and Adjust The Process is iteration •The Processes are organized • Each Step output considered as an input for the next step Risk Control Risk Assessment
  • 5. 5
  • 6. 6 Risk Identification What is the purpose of this phase ? • The aims of this phase is to identify , classify and prioritizing the organization’s information assets ( Know ourselves) and identify all important types and sources of risk and uncertainty (know our enemy), associated with each of the investment objectives. • This is a crucial phase. If a risk is not identified it cannot be evaluated and managed
  • 7. 7 Information Assets IS Components People Procedures Data Transmission HW SW Employees Non- employees People at trusted organizations Authorized Staff Other staff Strangers Standard Procedures Sensitive Procedures Process Storage Application OS Security Component System Devises Net Work
  • 8. 8 Primary sources of Risk Items Human Threats Environmental Threats Outside & Natural Threats network based attacks virus infection, unauthorized access floods Earthquakes hurricanes Power failure, pollution
  • 9. Risk Analysis • requires an entity to, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity. • Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards
  • 10. 10 Risk Assessment • For each identified component & risk, which has a 'clearly significant' or 'possibly significant' position, each should be assess to establish qualitatively and Estimate the value
  • 11. 27/05/1444 11 What is Risk Assessment ? • Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise , i.e determine the relative risk for each of the vulnerabilities • Risk assessment assigns a risk rating or score to each specific information asset, useful in evaluating the relative risk and making comparative ratings later in the risk control process. • Although all elements of the risk management cycle are important, risk assessments provide the foundation for other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies
  • 12. 12 Methods of Risk Assessment There are various methods assessing risk, First : Quantitative risk assessment : generally estimates values of Information Systems components as ; information, systems, business processes, recovery costs, etc., risk can be measured in terms of direct and indirect costs , based on (1) the likelihood that a damaging event will occur (2) the costs of potential losses (3) the costs of mitigating actions that could be taken.
  • 13. 13 This approach can be taken by defining – Risk in more subjective and general terms such as high, medium, and low. – In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. • Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”. However, by providing the impact and likelihood definition tables and the description of the impact, it is possible to adequately communicate the assessment to the organization’s management. Second : Qualitative Risk Assessment
  • 14. 14 Third :Quantitative and Qualitative – It is also possible to use a combination of quantitative and qualitative method
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38. • The identification of Risks and their management by defining:  The Risk Description  The Risk Owner  The Probability of the Risk Event occurring  The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective  The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring with relation to their costs and the reduction of Risk Exposure  The Contingency Plan to recover the Asset once risk is manifested  An understanding of Corporate Risk Appetite and where appropriate the application of Risk Tolerance WHAT IS RISK MANAGEMENT?
  • 39. To ensure that all risks to the Business however they are derived are managed effectively. • This includes: • Strategic Risks • Programme and Project Risks • Operational Risks (includes Security and Business Continuity Risks) OBJECTIVES OF GENERIC RISK MANAGEMENT Operational Level (Business as Usual) Change Level Operational Risk Register Information Security Risk Register BAU Business continuity Strategic Level Strategic Risks Programme/Project Risks Operational Risks Project Risk Register Strategic Risk Register
  • 40. To ensure that the risks to the Organisation that are derived from, Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively. In Security Terms these are those risks that impact the: • Confidentiality, • Integrity, • Availability, and the • Traceability of Information whilst: • At rest • Whilst being modified • In transit (around a system, e-mail, media device, telephone etc.) OBJECTIVES OF INFORMATION SECURITY RISK MANAGEMENT
  • 41. Incident Management Audit Non-Compliances Problem Management Threat Management Vulnerability Management Exception / Waiver Management ! However, they can be the Source of Infosec So, these are issues, NO uncertainty! WHAT IS NOT RISK MANAGEMENT?
  • 42.
  • 43.
  • 44. RISK MATRIX IMPACT High Medium High High Medium Low Medium High Low Low Low Medium Low Medium High LIKELIHOOD
  • 45.
  • 46. COMMON PROBLEMS (MISUNDERSTANDINGS)? • Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification) • Unachievable, ineffective and disproportionate Mitigation Actions • Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement • Reactive vs Proactive Approach • Reliance on Incidents, Threat and Non-Compliance Management (Reactive) • Proactive Risk Identification Workshop based on Success Criteria SO WHAT! • Risks occur that could have been managed • Impact on Assets not understood (BIA, CMDB) • Mitigation Action Costs do not reflect the Risk Exposure Reduction • Systems fail, business and revenue lost, • Corporate data is unavailable when required – Loss of Business • Regulator penalties, reputational damage occurs • Loss of Customer base and confidence • Loss of IPR. PROBLEMS WITH RISK MANAGEMENT
  • 47. o Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence - (Reduce Probability). o This is why it is so important to describe the risk event clearly. o Contingency Plans address the Impact of the Risk plans and are used to recover a system from the effect of a risk should it occur, a mini BCP - (Reduce Impact) o This is why it is so important to clearly describe the risk impact separately from the risk description MITIGATION PLANS & CONTINGENCY PLANS
  • 48. o Proliferation of BYOD and smart devices o Cloud computing o Outsourcing of critical business processes to a third party (and lack of controls around third-party services) o Disaster recovery and business continuity o Periodic access reviews o Log reviews SOURCE: Cyber-security - What the Board of Directors need to ask?, IIARF Research Report, 2014 SOURCES OF CYBER SECURITY RISKS
  • 49. o Application vulnerabilities o Remote access. o Ineffective patch management o Weak network security/flat networks o Lack of real-time security monitoring o Third parties o Lack of a data retention policy SOURCE: HANS HENRIK BERTHING Cyber Assurance and the IT Auditor Nov 2014 COMMON CYBER-CRIMINAL ATTACK VECTORS
  • 50. Select appropriate Controls / use Security Standards: ISO27000 PCI DSS COBIT HIPAA WHERE TO START?
  • 51. 1. Create risk reporting awareness for the workforce 2. Make it easy, create a simple Risk Submission form 3. Assess the risk submission, ask questions 4. Ensure it is a RISK, not an issue, a service request, a change request  ENCOURAGE RISK REPORTING
  • 52. 1. Record in a Risk Register 2. Describe the RISK 3. Assess the Likelihood, Impact, and risk rating 4. Agree recommended Risk Mitigation / Treatment 5. Establish a contingency position if possible 6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder) 7. Agree a Mitigation Owner 8. Obtain a decision (Reduce, Accept, Avoid, Transfer) 9. Monitor mitigation progress until target risk is achieved – retain awareness of closed or mitigated risks 10. Produce monthly status reports MANAGE THE RISKS…