Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Module 2 information security risk management student slides ver 1.0
1. 12/13/2011
1
Module Two
1BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Risk Management scope and definitions
A general overview of the information security
risk management process
Context establishment
Risk assessment
Risk treatment
Risk acceptance
Risk communication
Risk monitoring and review
2BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
2. 12/13/2011
2
3BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Adverse change to the level of business
objectives achieved
4BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
3. 12/13/2011
3
Potential that a given threat will exploit
vulnerabilities of an asset or group of assets and
thereby cause harm to the organization
5BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
decision not to become involved in, or action to
withdraw from, a risk situation
6BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
4. 12/13/2011
4
Exchange or sharing of information about risk
between the decision-maker and other
stakeholders
7BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Process to assign values to the probability and
consequences of a risk
8BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
5. 12/13/2011
5
Process to find, list and characterize elements of
risk
9BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
actions taken to lessen the probability, negative
consequences, or both, associated with a risk
10BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
6. 12/13/2011
6
Acceptance of the burden of loss or benefit of
gain from a particular risk
11BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Sharing with another party the burden of loss or
benefit of gain, for a risk
12BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
7. 12/13/2011
7
Input
Identifies any required information to perform the
activity.
Action
Describes the activity.
Output
Identifies any information derived after performing
the activity
13BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
14BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
8. 12/13/2011
8
Risks being identified
Risks being assessed in terms of their
consequences to the business and the likelihood
of their occurrence
The likelihood and consequences of these risks
being communicated and understood
Priority order for risk treatment being
established
Priority for actions to reduce risks occurring
15BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Stakeholders being involved when risk management
decisions are made and kept informed of the risk
management status
Effectiveness of risk treatment monitoring
Risks and the risk management process being
monitored and reviewed regularly
Information being captured to improve the risk
management approach
Managers and staff being educated about the risks
and the actions taken to mitigate them
16BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
9. 12/13/2011
9
17BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
The following factors can assist in dealing with
incidents and unexpected events in the most
effective manner:
Awareness by managers and staff of the risks
The nature of the controls in place to mitigate the
risks
The areas of concern to the organization
18BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
10. 12/13/2011
10
ISMS Process Information Security Risk Management
Process
Plan Establishing the context
RiskAssessment
Developing RiskTreatment Plan
Risk Acceptance
Do Implementation of risk treatment plan
Check Continual monitoring and reviewing of risks
Act Maintain and improve the Information
Security Risk Management Process
19BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
20BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
11. 12/13/2011
11
Input
All information about the organization relevant to the information
security risk management context establishment.
Action
The context should be established, which involves:
▪ Setting the basic criteria necessary for information security risk management
▪ Defining the scope and boundaries
▪ Establishing an appropriate organization operating the information security
risk management
Output
The specification of basic criteria, the scope and boundaries, and the
organization for the information security risk management process.
21BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
An appropriate risk management approach should be selected
or developed that addresses basic criteria such as:
Risk Evaluation Criteria
Impact Criteria
Risk Acceptance Criteria.
The organization should assess whether necessary resources
are available to:
Perform risk assessment and establish a risk treatment plan
Define and implement policies and procedures, including
implementation of the controls selected
Monitor controls
Monitor the information security risk management process
22BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
12. 12/13/2011
12
Should be developed to evaluate the organization‘s
information security risk considering the followings:
The strategic value of the business information process
The criticality of the information assets involved
Legal and regulatory requirements, and contractual obligations
Operational and business importance of availability,
confidentiality and integrity
Stakeholders expectations and perceptions, and negative
consequences for goodwill and reputation
Can be used to specify priorities for risk treatment.
23BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Should be developed and specified in terms of the degree
of damage or costs to the organization caused by an
information security event considering the following:
Level of classification of the impacted information asset
Breaches of information security (e.g. loss of confidentiality,
integrity and availability)
Impaired operations (internal or third parties)
Loss of business and financial value
Disruption of plans and deadlines
Damage of reputation
Breaches of legal, regulatory or contractual requirements
24BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
13. 12/13/2011
13
Should be developed and specified, depends on
the organization's policies, goals, objectives and
the interests of stakeholders.
An organization should define its own scales for
levels of risk acceptance.
25BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
The following should be considered during development:
May include multiple thresholds, with a desired target level of risk,
but provision for senior managers to accept risks above this level
under defined circumstances
May be expressed as the ratio of estimated profit (or other business
benefit) to the estimated risk
May apply to different classes of risk, e.g. risks that could result in
noncompliance with regulations or laws may not be accepted, while
acceptance of high risks may be allowed if this is specified as a
contractual requirement
May include requirements for future additional treatment, e.g. a risk
may be accepted if there is approval and commitment to take action
to reduce it to an acceptable level within a defined time period
26BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
14. 12/13/2011
14
May differ according to how long the risk is expected
to exist, e.g. the risk may be associated with a
temporary or short term activity.
Should be set up considering the following:
Business criteria
Legal and regulatory aspects
Operations
Technology
Finance
Social and humanitarian factors
27BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
To ensure that all relevant assets are taken into account in
the risk assessment.
Need to be identified to address those risks that might
arise through these boundaries.
Information about the organization should be collected to
determine the environment it operates in and its
relevance to the information security risk management
process.
Provide justification for any exclusion from the scope.
Examples
IT application, IT infrastructure, a business process, or a defined
part of an organization.
28BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
15. 12/13/2011
15
The organization should consider the following information:
The organization's strategic business objectives, strategies and policies
Business processes
The organization's functions and structure
Legal, regulatory and contractual requirements applicable to the
organization
The organization's information security policy
The organization's overall approach to risk management
Information assets
Locations of the organization and their geographical characteristics
Constraints affecting the organization
Expectation of stakeholders
Socio-cultural environment
Interfaces (i.e. information exchange with the environment)
29BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
The organization and responsibilities for the information security risk
management process should be set up and maintained.
This organization should be approved by the appropriate managers of the
organization.
The following are the main roles and responsibilities of this organization:
Development of the information security risk management process suitable for the
organization
Identification and analysis of the stakeholders
Definition of roles and responsibilities of all parties both internal and external to the
organization
Establishment of the required relationships between the organization and
stakeholders, as well as interfaces to the organization's high level risk management
functions (e.g. operational risk management), as well as interfaces to other relevant
projects or activities
Definition of decision escalation paths
Specification of records to be kept
30BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
16. 12/13/2011
16
31BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
Basic criteria, the scope and boundaries, and the
organization for the information security risk management
process being established.
Action
Risks should be identified, quantified or qualitatively
described and prioritized against risk evaluation criteria
and objectives relevant to the organization.
Output
A list of assessed risks prioritized according to risk
evaluation criteria.
32BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
17. 12/13/2011
17
Purpose
Determine what could happen to cause a potential
loss, and to gain insight into how, where and why the
loss might happen.
The steps described in the following slides should
collect input data for the risk estimation activity.
33BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
Scope and boundaries for the risk assessment to be
conducted
List of constituents with owners, location, function, etc.
Action
The assets within the established scope should be
identified
Output
A list of assets to be risk-managed
A list of business processes related to assets and their
relevance.
34BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
18. 12/13/2011
18
Input
Information on threats obtained from incident
reviewing, asset owners, users and other sources,
including external threat catalogues.
Action
Threats and their sources should be identified
Output
A list of threats with the identification of threat type
and source.
35BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
Documentation of controls, risk treatment
implementation plans
Action
Existing and planned controls should be identified
Output
A list of all existing and planned controls, their
implementation and usage status.
36BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
19. 12/13/2011
19
Input
A list of assets, a list of business processes, and a list of
threats and vulnerabilities, where appropriate, related to
assets and their relevance.
Action
The consequences that losses of confidentiality, integrity
and availability may have on the assets should be
identified
Output
A list of incident scenarios with their consequences related
to assets and business processes.
37BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
38BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
20. 12/13/2011
20
May be qualitative or quantitative, or a combination
of these, depending on the circumstances.
Qualitative estimation is practically used first to obtain a
general indication of the level of risk and to reveal the
major risks.
Quantitative estimation may be necessary to undertake
more specific or quantitative analysis on the major risks
because it is usually less complex and less expensive to
perform qualitative than quantitative analysis.
39BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Uses a scale of qualifying attributes to describe the magnitude of
potential consequences (e.g. Low, Medium and High) and the likelihood
that those consequences will occur.
Easy to understand by all relevant personnel but is dependent on
subjective choice of the scale.
Scales can be adapted or adjusted to suit the circumstances and
different descriptions may be used for different risks.
Usage:
As an initial screening activity to identify risks that require more detailed
analysis
Where this kind of analysis is appropriate for decisions
Where the numerical data or resources are inadequate for a quantitative
estimation
Should use realistic information and data where available.
40BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
21. 12/13/2011
21
Uses a scale with numerical values (rather than the
descriptive scales) for both consequences and
likelihood, using data from a variety of sources.
The quality depends on the accuracy and
completeness of the numerical values and the
validity of the models used.
Uses historical incident data, providing the
advantage that it can be related directly to the
information security objectives and concerns of the
organization.
41BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Disadvantages:
The lack of such data on new risks or information security
weaknesses.
May occur where factual, auditable data is not available thus creating
an illusion of worth and accuracy of the risk assessment.
The way in which consequences and likelihood are expressed
and the ways in which they are combined to provide a level of
risk will vary according to the type of risk and the purpose for
which the risk assessment output is to be used.
The uncertainty and variability of both consequences and
likelihood should be considered in the analysis and
communicated effectively.
42BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
22. 12/13/2011
22
Input
A list of identified relevant incident scenarios, including
identification of threats, vulnerabilities, affected assets,
consequences to assets and business processes.
Action
The business impact upon the organization that might result
from possible or actual information security incidents should be
assessed, taking into account the consequences of a breach of
information security such as loss of confidentiality. integrity or
availability of the assets
Output
A list of assessed consequences of an Incident scenario
expressed with respect to assets and impact criteria
43BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
A list of identified relevant incident scenarios, including
identification of threats, affected assets exploited
vulnerabilities and consequences to assets and business
processes. Furthermore, lists of all existing and planned
controls, their effectiveness, Implementation and usage status.
Action
The likelihood of the incident scenarios should be assessed
Output
Likelihood of incident scenarios (quantitative or qualitative)
44BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
23. 12/13/2011
23
Input
A list of Incident scenarios with their consequences
related to assets and business processes and their
likelihood (quantitative or qualitative).
Action
The level of risk should be estimated for all relevant
incident scenarios
Output
A list of risks with value levels assigned
45BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
A list of risks with value levels assigned and risk
evaluation criteria.
Action
Level of risks should be compared against risk
evaluation criteria and risk acceptance criteria
Output
A list of risks prioritized according to risk evaluation
criteria in relation to the incident scenarios that lead
to those risks.
46BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
24. 12/13/2011
24
47BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
48BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
25. 12/13/2011
25
Input
A list of risks prioritized according to risk evaluation
criteria in relation to the incident scenarios that lead to
those risks.
Action
Controls to reduce, retain. avoid, or transfer the risks
should be selected and a risk treatment plan defined.
Output
Risk treatment plan and residual risks subject to the
acceptance decision of the organization‘s managers.
49BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Action
The level of risk should be reduced through the
selection of controls so that the residual risk can be
reassessed as being acceptable.
50BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
26. 12/13/2011
26
Action
The decision on retaining the risk without further
action should be taken depending on risk evaluation.
51BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Action
The activity or condition that gives rise to the
particular risk should be avoided.
52BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
27. 12/13/2011
27
Action
The risk should be transferred to another party that
can most effectively manage the particular risk
depending on risk evaluation.
53BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
Risk treatment plan and residual risk assessment subject
to the acceptance decision of the organization's managers.
Action
The decision to accept the risks and responsibilities for the
decision should be made and formally recorded
Output
A list of accepted risks with justification for those that do
not meet the organization's normal risk acceptance
criteria.
54BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
28. 12/13/2011
28
Input
All risk Information obtained from the risk management
activities
Action
Information about risk should be exchanged and/or shared
between the decision-maker and other stakeholders.
Output
Continual understanding of the organization's information
security risk management process and results.
55BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
56BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
29. 12/13/2011
29
Input
All risk information obtained from the risk management
activities (see Figure 1).
Action
Risks and their factors (i.e, value of assets, impacts, threats,
vulnerabilities, likelihood of occurrence) should be monitored
and reviewed to identify any changes in the context of the
organization at an early stage, and to maintain an overview of
the complete risk picture.
Output
Continual alignment of the management of risks with the
organization's business objectives, and with risk acceptance
criteria
57BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Input
All risk information obtained from the risk management
activities
Action
The information security risk management process should
be continually monitored, reviewed and improved as
necessary and appropriate
Output
Continual relevance of the information security risk
management process to the organization‘s business
objectives or updating the process.
58BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
30. 12/13/2011
30
59BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Direct
In-Direct
Subjective
Objective
60BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
31. 12/13/2011
31
Revenue Loss
Brand image Loss and recovery
Loss of share value
Loss of interest on overnight balances
Cost of interest on lost cash flow
Delays in customer accounting, accounts receivable
and billing/invoicing
Loss of control over debtors
Loss of credit control and increased bad debt.
Loss of revenue for service contracts from failure to
provide service or meet service levels
61BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Lost ability to respond to contract opportunities
Penalties from failure to produce annual accounts or
produce timely tax payments
Where company share value underpins loan
facilities, share prices could drop and loans be called
in or be re-rated at higher interest levels.
Cost of replacement of buildings and plant
Cost of replacing equipment
Cost of replacing software
Replacing Staff that may have been lost because of
disaster.
62BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
32. 12/13/2011
32
Salaries paid to staff unable to undertake billable
work
Salaries paid to staff to recover work backlog and
maintain deadlines
Cost of re-creation and recovery of lost data
Loss of cash flow
Interest value on deferred billings
Penalty clauses invoked for late delivery and failure
to meet Service Levels
Loss of customers (lifetime value of each) and
market share
Loss of profits
63BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Additional cost of credit through reduced credit rating
Recruitment costs for new staff on staff turnover
Training / retraining costs for staff
Fines and penalties for non-compliance
Liability claims
Additional cost of advertising, PR and marketing to
reassure customers and prospects to retain market share
Additional cost of working; administrative costs; travel and
subsistence etc.
Potential prosecution for non compliance and contract
adherence.
64BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
33. 12/13/2011
33
65BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
66BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
34. 12/13/2011
34
67BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Total Business Lost = (Gross Revenue) x (% of Lost
Customers due to Outage)
This equation is targeted at transaction-based
organizations that might see customer attrition as an
impact of unreliable availability.
68BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
35. 12/13/2011
35
Application-Based Business Lost = ((Annual Gross
Revenue generated by Application / 365 days) /
(24 hours))
This formula calculates the per hour impact a specific
application’s unavailability has on overall corporate
revenue. You can adjust the number of days and hours
in the formula as applicable to your business.
69BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Lost Production Capacity = (Number of Units Not
Produced) x (Unit Price)
Used specifically for manufacturing organizations, this
calculation determines the lost production due to
application unavailability.
70BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
36. 12/13/2011
36
Lost Net Revenue = (Number of Units Not
Produced) x ((Unit Price) – (Unit Production Cost))
Again, this formula is primarily for manufacturing
organizations and helps quantify the cost of lost
production time due to application unavailability.
71BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Productivity
Number of employees affected x hours x rate
Revenue
Direct loss
Compensatory payments
Lost future revenues
Billing losses
Investment losses
72BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
37. 12/13/2011
37
Damaged reputation
Customers
Suppliers
Financial markets
Banks
Partners
Financial performance
Know your downtime costs per hour, day, week,
etc
73BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Total Cost of Recovery = Cost of People Time Lost
+ Cost of Lost Data + Replacement Infrastructure
+ Cost of Recovery Services
Cost of People Time Lost = ((Average Time to
Recover) x (Average Wage of Users) x (Number of
Users))
Cost of Lost Data = ((Gross Revenues from the
Application / Business Days per Year) x
(Percentage of Data Unrecoverable))
74BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
38. 12/13/2011
38
Objective
Evaluate the critical operations for the organization
and determine timeframes, priorities, resources and
interdependencies
Some key tasks
Determine the scope of the analysis
Identify key business processes
Gather and verify information
Analyze and present the results
75BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
Some key deliverables
A list of outages and probability of occurrence
The costs of loss versus the costs of prevention
Recovery priorities – RTO, RPO & interdependencies
76BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting
39. 12/13/2011
39
77BC & DR Course [StudentSlides],Copyright @2011 Secrivacy.com,Part of Al-TaysirConsulting