SlideShare a Scribd company logo

CISM Certification and Information Security Governance

•
•
D
dotco

The document discusses the Certified Information Security Manager (CISM) certification and provides information on information security governance. It covers topics such as establishing an information security program, developing a strategy and requirements, governance frameworks, roles and responsibilities, metrics, and legal/regulatory requirements. The CISM certification indicates expertise in information security governance, program development/management, incident management, and risk management.

Education
1 of 42
Certified Information Security Manager (CISM)
CISM • ISACA's Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management, and risk management. • Whether you are seeking a new career opportunity or striving to grow within your current organization, a CISM certification proves your expertise in these work-related domains: • Information security governance • Information risk management • Information security program development and management • Information security incident management • Ideal for IT risk professionals, IT auditors, CISOs, information security managers, and risk management professionals.
Information Security Governance • Governance can be defined as a set of rules to direct, monitor, and control an organization's activities. • Governance can be implemented by way of policies, standards, and procedures. • The information security governance model is primarily impacted by the complexity of an organization's structure. • An organization's structure includes objectives, its vision and mission, different function units, different product lines, hierarchy structure, leadership structure, and other relevant factors. • The responsibility for information security governance primarily resides with the board of directors and senior management. Information security governance is a subset of the overall enterprise governance. • Senior management holds the responsibility to ensure that security aspects are integrated with business processes. • The role of an information security steering committee is to provide oversight on the security environment of the organization.
Information Security Governance • Steps for establishing the governance 1. Determine the objectives of an information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that you are willing to take. 2. The information security manager develops a strategy and requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the strategy to move to the desired state of security from its current state of security. 3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. • The security manager needs to consider various factors such as time limits, resource availability, the security budget, laws and regulations, and other relevant factors. Governance framework • The governance framework is a structure or outline that supports the implementation of the information security strategy. • EXAMPLE - COBIT and ISO 27000
Information Security Governance The following are the objectives of information security governance: • To ensure that security initiatives are aligned with the business's strategy and support organizational objectives. • To optimize security investments and ensure the high-value delivery of business processes. • To monitor the security processes to ensure that security objectives are achieved. • To integrate and align the activities of all assurance functions for effective and efficient security measures. • To ensure that residual risks are well within acceptable limits. This gives comfort to the management. GRC: • GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance. • Governance, risk management, and compliance are three related aspects that help to achieve the organization's objectives. • it is mostly focused on the financial, IT, and legal areas. • Financial GRC focuses on effective risk management and compliance for finance processes. • IT GRC focuses on information technology processes. • Legal GRC focuses on the overall enterprise-level regulatory compliance. • GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.
Information Security Governance • A maturity model is a tool that helps the organization to assess the current effectiveness of a process and to determine what capabilities they need to improve their performance. • Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. • The following list defines the different maturity levels of an organization: • Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose. • Level 1: Performed: On this level, the process can achieve its intended purpose. • Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled. • Level 3: Established: Apart from the Level 2 process, there is a well-defined, documented, and established process to manage the process. • Level 4: Predictable: On this level, the process is predictable and operates within defined parameters and limits to achieve its intended purpose. • Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals. • The CMM indicates a scale of 0 to 5 based on process maturity level, and it is the most common method applied by organizations to measure their existing state and then to determine the desired one.
Information Security Governance • Information security roles and responsibilities • One of the simplest ways of defining roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed. • Responsible: This is the person who is required to execute a particular job function. • Accountable: This is the person who is required to supervise a job function. • Consulted: This is the person who gives suggestions and recommendations for executing a job function. • Informed: This is the person who should be kept updated about the progress of the job function. • Board of directors: The intent and objectives of information security governance must be communicated from the board level down. • Senior management: The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. • Business process owners: The role of a business process owner is to own the security- related risks impacting their business processes.
Information Security Governance • A steering committee comprises the senior management of an organization. • The role of a steering committee is as follows: • To ensure that security programs support the business objectives • To evaluate and prioritize the security programs • To evaluate emerging risk, security practices, and compliance-related issues • The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer directly reporting to the chief executive officer (CEO). The role of the CISO is fundamentally a regulatory role, whereas the role of the CIO is to generally focus on IT performance. • The chief operating officer (COO) is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives. • The data custodian is a staff member who is entrusted with the safe custody of data. • A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals through the approval of the data owner.
Information Security Governance The following list consists of some of the indicators of a successful security culture: • The involvement of the information security department in business projects. • The end users are aware of the identification and reporting of the incidents. • There is an appropriate budget for information security programs. • The employees are aware of their roles and responsibilities with regard to information security. Governance of third-party relationships • Policies and requirements of information security should be developed before the creation of any third-party relationship. • Also, the security manager should understand the following challenges of third-party relationships: • The cultural differences between an organization and the service provider. • Technology incompatibilities. • The business continuity arrangements of the service provider may not have aligned to the requirements of the organization. • Differences in incident management processes. • Differences in disaster recovery capabilities.
Information Security Governance • The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. • A culture that favors taking risks will have a different implementation approach to a culture that is risk- averse. • An information security manager should be cautious about adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization. • The process should be in place to scan all the new regulations and determine the applicability of regulations to the organization. • The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address the new regulations. If not, then further controls should be implemented to address the new regulations. • The information security manager is required to assess the impact of privacy law on business processes.
Information Security Governance • For the effective implementation of security governance, support and commitment from senior management is the most important prerequisite. • It is very important for the information security manager to gain support from senior management. The most effective way to gain this is to ensure that the security program continues to be aligned with and supports the business objectives. • The primary driver for investment in an information security project is value analysis and a sound business case. • To obtain approval for an information security budget, the budget should primarily include a cost-benefit analysis. Senior management is more interested in the benefit that is derived from the budget. • Information security should support the achievement of organizational objectives by minimizing business disruptions. • Another aspect of determining the strategic alignment is to review the business balanced scorecard. A business scorecard contains important metrics from a business perspective. It will help to determine the alignment of the security goals with the business goals.
Information Security Governance • A business case is a justification for a proposed project. • The business case is prepared to justify the effort and investment in a proposed project. It captures the reasoning for initiating a project or task. • The business case is a key element in decision-making for any project. The proposed returns on investments (ROIs), along with any other expected benefits, are the most important consideration for decision-making in any new project. IS Governance Metrics • A metric is a measurement of a process to determine how well the process is performing. Security-related metrics indicate how well the controls can mitigate the risks. • On the basis of effective metrics, an organization evaluates and measures the achievement and performance of various processes and controls. The main objective of a metric is to help the management in decision-making. • Good metrics should be SMART. That is, specific, measurable, attainable, relevant, and timely. • Specific: The metric should be specific, clear, and concise. • Measurable: The metric should be measurable so that it can be compared over a period. • Attainable: The metric should be realistic and achievable. • Relevant: The metric should be linked to specific risks or controls. • Timely: The metric should be able to be monitored on a timely basis.
Information security strategy and plan • An information security strategy is a set of actions to achieve the security objectives. • The strategy includes what should be done, how it should be done, and when it should be done in order to achieve the security objectives. • A strategic plan should include the desired state of information security. A strategy is considered to be effective if control objectives are met. • The final responsibility for the appropriate protection of an organization's information falls to the board of directors. • The Chief Information Security Officer (CISO) is primarily responsible for the design and development of the information security strategy in accordance with the security policy. • Security policies are developed based on the security strategy. • Policies take the form of a high-level document containing the intent and direction of management.
Policy, Procedures, Standards and Baselines • A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. • Policies are high-level management directives and is mandatory. • It is a strategic plan for implementing security. • The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels and used as the proof that senior management has exercised due care in protecting itself against intrusion, attack, and disaster. • Examples: organizational security policy, issue-specific security policy, system-specific security policy, regulatory, advisory, and informative policy. • A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory. • Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Mandatory • Baseline defines a minimum level of security that every system throughout the organization must meet. Mandatory. • Guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Organizational Roles and Responsibilities • Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. • Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. • Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. • Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. • Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. • User: The user (end user or operator) role is assigned to any person who has access to the secured system.
Business Case • A business case is a justification for a proposed project. The business case is prepared to justify the effort and investment in a proposed project. • The business case is a key element in decision-making for any project. • Development of the business case is the responsibility of the project sponsor. • Statement of Work • A statement of work is a contractual document that defines the ownership, liabilities, responsibilities and work agreements between two parties, usually clients and service providers.
Enterprise information security architecture • An enterprise architecture (EA) is a blueprint that defines the structure and operation of the organization. • It describes how different elements such as processes, systems, data, employees, and other infrastructure are integrated to achieve the current and future objectives of the organization. • The security architecture is a subset of the overall EA. The objective of the security architecture is to improve the security posture of the organization. • A security architecture provides detailed information on how a business operates and what security controls are required. This helps the security manager to determine the processes and systems where efforts toward security should be focused.
Organizational structure • Organizational structure means the roles and responsibilities of different individuals, the reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so on. • A flexible and evolving organizational structure is more open to the adoption of a security strategy as opposed to a more constrained organizational structure. Board of directors: • The ultimate responsibility for the appropriate protection of an organization's information falls to the board of directors. • The involvement of board members in information security initiatives indicates good governance. • The company directors can be protected from liability if the board has exercised due diligence. • Many laws and regulations make the board responsible in the event of data breaches. • Even cyber security insurance policies require the board to exercise due diligence as a prerequisite for insurance coverage. Security steering committee • The security steering committee is generally composed of senior management from different business units. • The security steering committee is best placed to determine the level of acceptable risk for the organization. • The security steering committee monitors and controls the security strategy. They also ensure that the security policy is aligned with business objectives.
Organizational structure • Organizations' security functions can work in either a centralized or decentralized way. • In a centralized process, information security activities are handled from a central location, usually the head office of the organization. In a decentralized process, the implementation and monitoring of security activities are delegated to local offices of the organization. • Centralization of information security management results in greater uniformity and easier monitoring of the process. This in turn will advance better adherence to security policies. • In a decentralized environment, more emphasis is placed on the needs and requirements of business.
Record retention • A record retention policy will specify what types of data and documents are required to be preserved, and what should be destroyed. It will also specify the number of years for which that data is required to be preserved. • The information security manager should ensure that an adequate record retention policy is in place and that this is followed throughout the organization. • Record retention should primarily be based on the following two factors: • Business requirements • Legal requirements • Electronic discovery (e-discovery) is the process of the identification, collection, and submission of electronic records in a lawsuit or investigation.
Awareness and education • End users are one of the most important elements for consideration in the overall security strategy. • Training, education, and awareness are of extreme importance to ensure that policies, standards, and procedures are appropriately followed. • The most effective way to increase the effectiveness of security training is to customize the training to the target audience and to address the systems and procedures applicable to that particular group. • For example, system developers need to undergo an enhanced level of training covering aspects of security related to coding, while data entry operators should be trained on the aspects of security related to their functions.
Legal, Regulatory and Contractual Requirements • In the field of IT, the most common objectives of laws and regulations include the safeguarding of privacy and the confidentiality of personal data, the protection of intellectual property rights, and the integrity of financial information. • Adherence to laws and regulations is one of the most important external requirements for an organization. Control should be implemented and monitored at periodic intervals to ensure that the organization is complying with legal and regulatory requirements. • Privacy laws could prevent the flow of information across borders • Most effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives - A compliance-oriented gap analysis
Information Risk Management • The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk. • Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing risk. • The prime objective of a risk management process is to achieve an optimum balance between maximizing business opportunities and minimizing vulnerabilities and threats. • To achieve this objective, the information security manager should have a thorough understanding of the nature and extent of the risks that an organization may encounter. • A mature organization has a dedicated enterprise risk management (ERM) group to monitor and control such risks. • The effectiveness of risk management depends on how well risk management is integrated into an organization's culture and the extent to which risk management becomes everyone's responsibility.
Confidentiality • Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. In other words, unauthorized disclosure of information; • The goal of confidentiality protection is to prevent or minimize unauthorized access to data. • Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. • For confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. • Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on. • Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training
Integrity • Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. • It ensures that data remains correct, unaltered, and preserved. • Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes or oversights). • data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect a system. from unauthorized modification. • Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors. • countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.
Availability • Availability ensures that information is available when needed. • Aauthorized subjects are granted timely and uninterrupted access to objects. • Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access. • Attacks - DoS attacks, object destruction, and communication interruptions. • Countermeasures - designing intermediary delivery systems, properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Disclosure, alteration, and destruction • Disclosure is the unauthorized release of information. • Alteration is the unauthorized modification of data. • Destruction is making systems or data unavailable.
Risk Terminology • Asset: Anything of Value to the company • Asset Valuation: dollar value assigned to an asset • Vulnerability: A weakness; the absence of a safeguard • Threat: Something that could pose loss to all or part of an asset • Threat Agent: What carries out the attack • Exposure Exposure is being susceptible to asset loss because of a threat • Exploit: An instance of compromise • Risk: Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. • Safeguards: A safeguard, security control, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. • Attack An attack is the exploitation of a vulnerability by a threat agent. • Breach A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result. • Controls: Physical, Administrative, and Technical Protections Safeguards Countermeasure
Phases of Risk Management • Step 1: Risk identification: In risk identification, various risks impacting the business objectives are identified by way of risk scenarios. In risk identification, the threat landscape and vulnerabilities are identified. • Step 2: Risk analysis: In risk analysis, the impact and the level of the risk are determined (that is, high, medium, or low). Risk analysis helps determine the exposure to the business and to plan for remediation. • Step 3: Risk evaluation: In risk evaluation, it is determined whether the risk is within an acceptable range or whether it should be mitigated. Thus, based on risk evaluation, risk responses are decided. • Step 4: Risk response: Risk response can be in the form of risk mitigation, risk acceptance, risk avoidance, or risk transfer. • The most important outcome of an effective risk management program is to reduce the incident that's impacting the business objectives. This can be done by addressing the threat and reducing the vulnerabilities and their exposure.
Risk capacity, appetite, and tolerance • Risk capacity: This is the maximum risk an organization can afford to take. • Risk appetite: This is the amount of risk that an organization is willing to take. • Risk tolerance: acceptable deviations from risk appetite, and that they are always lower than the risk capacity. • Mr. A's total savings are $1,000. He wants to invest in equities to earn some income. Since he is risk-averse, he decides to only invest up to $700. If the markets are good, he is willing to invest a further $50. Let's derive the risk capacity, risk appetite, and risk tolerance for this example, as follows: • Risk capacity: Total amount available; that is, $1,000 • Risk appetite: His willingness to take risks; that is, $700 • Risk tolerance: The acceptance deviation from risk appetite; that is, $750 • Risk capacity is always greater compared to tolerance and appetite. • Tolerance can either be equal to, or greater than, appetite. Risk acceptance should generally be within the risk appetite of the organization. In no case should it exceed the risk capacity.
Risk management process Sequence: • Determine the scope and boundaries of the program. • Determine the assets and processes that need to be protected. • Conduct a risk assessment by identifying the risks, analyzing the level of risk based on the impact, and evaluating whether the risk meets the criteria for acceptance. • Determine the risk treatment options for risks that are above the acceptable level. • Risk Treatment can be in any of the following forms: • Mitigating the risk by implementing additional controls. • Accepting the risk (generally, this option is selected when the impact is low and the cost of treatment exceeds the impact). • Avoid the risk (generally, this option is selected when the feasibility study or business case does not indicate positive results). • Transfer the risk to third parties such as insurance companies (generally, this option is selected for a low probability risk that has a high impact, such as natural disasters). • Determine the acceptability of the residual risk (that is, any risks remaining after treatment) by management. • Monitor the risk continuously and develop an appropriate procedure to report the results of risk monitoring to management.
Risk management process • During all these steps, it is equally important to share relevant information about risk management activities with concerned stakeholders. Having an effective communication process improves the whole risk management process. • Effective risk management requires participation, support, and acceptance by the relevant members of the organization, starting with senior management. • Employees must understand their responsibilities and be able to perform their required roles. • Risk controls are measures and are considered to be sufficient when the residual risk is less than or equal to an acceptable risk. • Risk should be prioritized based on its criticality. High-level risks should be addressed first.
Risk Management Process Risk Assessment Context Establishment Risk Treatment Risk Identification Risk Analysis Risk Evaluation Assets Vulnerabilities Threads Existing Controls consequences Qualitative Quantitative Risk Mitigation Risk Acceptance/Retention Risk Transfer/Sharing Risk Avoidance
Risk Management Framework • A framework is a structure or outline that supports the implementation of any program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. • COBIT • ISO 31000 on Enterprise Risk Management • ISO 27001 on the Information Security Management System • Gap analysis is the process of determining the gap between the existing level of the risk management process compared to the desired state. Based on the desired state, control objectives are defined. • The objective of gap analysis is to identify whether control objectives can be achieved through the risk management process. • Cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit and that the best control is implemented for the given cost. Cost-benefit analysis helps justify the implementation of a specific control measure.
Risk Management Phases Risk identification: • In this phase, significant business risks are identified. • Risk identification is generally conducted by risk scenarios. A risk scenario is a visualization of a possible event that can have adverse impact on the business objective. • Organizations use risk scenarios to imagine what could go wrong and create hurdles for achieving the business objectives. Risk analysis: • Risk analysis is where you rank a risk based on its impact on business processes. • The impact can be either quantifiable in dollar terms or can be qualitative, such as high risk, medium risk, or low risk. • Both the probability of the event and the impact on the business are considered to determine the level of risk. • Risk analysis results help prioritize risk responses and allocate resources. Risk evaluation: • Risk evaluation is the process of comparing the result of risk analysis against the acceptable level of risk. • If the level of risk is more than the acceptable risk, then risk treatment is required to bring down the level of risk.
Risk Management Phases Asset identification • identify and list all the information assets and determine their value based on criticality or sensitivity. • Assets can be in the form of people, processes, system and network components, databases, or any other factor that can have an impact on business processes. • Assets aren't only tangible assets but intangible assets such as the reputation of the organization. Asset valuation • Once all the assets have been identified, the next step is to determine their valuation. • This is to avoid underprotecting or overprotecting the asset. • The efforts required to protect an asset should be justified by its criticality. It does not make sense to spend $100 to protect a $10 asset. • valuation should not be based only on the actual cost or replacement cost but based on the impact it will have on the business if such an asset is not available. Aggregated risk: • Aggregated risk means having a significant impact caused by a large number of minor vulnerabilities. • Such minor vulnerabilities individually do not have a major impact but when all these vulnerabilities are exploited at the same time, they can cause a huge impact. Cascading risk • Cascading risk is where one failure leads to a chain reaction of failures. • This is more relevant when IT and operations have close dependencies.
Risk Management Phases Identifying risk • Risk management begins with risk identification. • Risk identification is the process of identifying and listing the risks in the risk register. • The primary objective of the risk identification process is to recognize the threats, vulnerabilities, assets, and controls of the organization. Risk practitioners can use the following sources to identify the risk: • Review past audit reports. • Review incident reports. • Review public media articles and press releases. • Through systematic approaches such as vulnerability assessment, penetration testing, reviewing BCP and DRP documents, conducting interviews with senior management and process owners, scenario analysis, and more. • All the identified risks should be captured in the risk register, along with details such as description, category, probability, impact, and risk owner. Maintaining the risk register process starts with the risk identification process. • An advanced persistent threat (APT) is a type of cyberattack that's performed on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period. • During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data.
Risk Analysis Methodologies • Risk analysis is the process of ranking various risks so that areas of high risk can be prioritized for treating them. • Risk can be measured and ranked by use of any of the following methods: • Quantitative Risk Assessment • Qualitative Risk Assessment • Semi-quantitative Risk Assessment • Factor that influences the selection for the above technique is availability of accurate data for risk assessment. • Quantitative Risk Assessment: Risk is measured on the basis of numerical values. • Major challenge for conducting quantitative risk assessment is availability of reliable data. • Quantitative risk assessment is not feasible for the events where probability or impact cannot be quantified or expressed in numerical terms.
• Qualitative Risk Assessment • In a qualitative risk assessment, risks are measured on some qualitative parameters such as high, medium a low or on a scale of 1 to 5. • Qualitative assessment is considered more subjective as compared to quantitative assessment. • Qualitative risk assessment is more relevant to examine the new emerging threats and advanced persistent threats (APTs). Qualitative risk analysis method involves conducting interviews of various stakeholders. • Semi Quantitative Risk Assessment • hybrid approach which considers input of qualitative approach combined with numerical scale to determine the impact of a quantitative risk assessment. • A risk practitioner would always prefer a quantitative approach. Quantitative approach helps in cost benefit analysis as risk in monetary terms can be easily compared to cost of various risk responses. • However, a major challenge in conducting a quantitative risk analysis is availability of accurate data. In absence of proper data or when data accuracy is questionable, qualitative analysis is more preferable. Risk Analysis Methodologies
• Annual loss expectancy is a calculation that helps you determine the expected monetary loss for an asset due to a particular risk over a single year. • The annualized loss expectancy is the product of the annual rate of occurrence and the single loss expectancy. • ALE = ARO*SLE • For example, a particular risk event can have an impact of $1,000 every time it occurs. $1,000 is the single loss expectancy (SLE). Now it is expected that this particular risk event will materialize 5 times a year. 5 is the annual rate of occurrence (ARO). So, in this case, the annual loss expectancy is $5,000. Evaluating risk • In the risk evaluation phase, the level of each risk is compared against the acceptable risk criteria. • If the risk is within an acceptable level, then the risk is accepted as-is. • If the risk exceeds the acceptable level, then treatment will be some form of mitigation. Risk ranking • A risk with high impact is ranked higher and given priority to address the same. More resources are allocated to high-risk areas. • Ranking each risk based on impact and likelihood is critical in determining the risk mitigation strategy. Ranking the risk helps the organization determine its priority. Risk Analysis Methodologies
• For successful risk management, each risk should have assigned ownership and accountability. • Risk should be owned by a senior official who has the necessary authority and experience to select the appropriate risk response based on analyses and guidance provided by the risk practitioner. • Risk owners should also own associated controls and ensure the effectiveness and adequacy of the controls. Risk should be assigned to an individual employee rather than as a group or a department. • The accountability for risk management lies with senior management and the board. • Risk ownership is best established by mapping risk to specific business process owners. • The details of the risk owner should be documented in the risk register. • The results of the risk monitoring process should be discussed and communicated with the risk owner. This is because they own the risk and are accountable for maintaining the risk within acceptable levels. Risk ownership and accountability
Risk avoidance: • In this approach, projects or activities that cause the risk are avoided. Risk avoidance is the last choice when no other response is adequate. For example, declining a project when business cases show a high risk of failure. Risk mitigation: • In this approach, efforts are made to reduce the probability or impact of the risk event by designing the appropriate controls. • The objective of risk mitigation is to reduce the risk to an acceptable level. Risk sharing/transferring: • In this approach, the risk is shared with partners or transferred via insurance coverage, contractual agreement, or other means. • Natural disasters have a very low probability but a high impact. The response to such a risk should be risk transfer. Risk acceptance: • In this approach, the risk is accepted as per the risk appetite of the organization. Risk is accepted where the cost of controlling the risk is more than the cost of the risk event. • However, organizations need to be careful while accepting the risk. If the risk is accepted while the correct level of risk isn't known, it may result in a higher level of liabilities. Risk treatment options
Inherent risk • This is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls). Residual risk • This is the risk that remains after controls are considered (the net risk or risk after controls). Residual Risk = Inherent Risk - Controls. • For a successful risk management program, residual risk should be within the risk appetite (acceptable risk level). Security baseline • The security baseline is the minimum security requirement across the organization. • The baseline may be different based on asset classification. For highly classified assets, the baseline will be more stringent. • Baseline security should form part of the control objective. The baseline should be reviewed at regular intervals to ensure that it is aligned with the organization's overall objectives. Risk treatment options

Recommended

crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
it grc
it grc it grc
it grc 9535814851
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxShreeveni
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptxdotco
 
Isms
IsmsIsms
Ismspenetration Tester
 

Recommended

crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
it grc
it grc it grc
it grc 9535814851
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxShreeveni
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptxdotco
 
Isms
IsmsIsms
Ismspenetration Tester
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directorscentralohioissa
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016Hafiz Sheikh Adnan Ahmed
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
Mandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALMandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALChristopher Mandelaris
 
Internal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarInternal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarAli Zeeshan
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptxPrashant Singh
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - complianceNeeraj Verma
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt20214Mohan
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptxFaith Shimba
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfDanteHayashi
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxStevenTharp2
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramSam Bowne
 
Internal controls
Internal controlsInternal controls
Internal controlsGeetali Tare
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and controlYulias Sihombing, Ak, MAk, CIA
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceSam Bowne
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Risk Based Supervision file
Risk Based Supervision fileRisk Based Supervision file
Risk Based Supervision fileVithyea You
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfdotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxdotco
 

More Related Content

Similar to CISM Certification and Information Security Governance

Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directorscentralohioissa
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
Mandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALMandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALChristopher Mandelaris
 
Internal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarInternal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarAli Zeeshan
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptxPrashant Singh
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - complianceNeeraj Verma
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt20214Mohan
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptxFaith Shimba
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfDanteHayashi
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxStevenTharp2
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramSam Bowne
 
Internal controls
Internal controlsInternal controls
Internal controlsGeetali Tare
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceSam Bowne
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Risk Based Supervision file
Risk Based Supervision fileRisk Based Supervision file
Risk Based Supervision fileVithyea You
 

Similar to CISM Certification and Information Security Governance (20)

Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directors
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
Mandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALMandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINAL
 
Internal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarInternal financial control - how ready are you - Webinar
Internal financial control - how ready are you - Webinar
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptx
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdf
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptx
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
 
Internal controls
Internal controlsInternal controls
Internal controls
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Risk Based Supervision file
Risk Based Supervision fileRisk Based Supervision file
Risk Based Supervision file
 

More from dotco

Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfdotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxdotco
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptxdotco
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptxdotco
 
crisc_wk_6.pptx
crisc_wk_6.pptxcrisc_wk_6.pptx
crisc_wk_6.pptxdotco
 
crisc_wk_4.pptx
crisc_wk_4.pptxcrisc_wk_4.pptx
crisc_wk_4.pptxdotco
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
CISM_WK_3.pptx
CISM_WK_3.pptxCISM_WK_3.pptx
CISM_WK_3.pptxdotco
 
CISA_WK_2.pptx
CISA_WK_2.pptxCISA_WK_2.pptx
CISA_WK_2.pptxdotco
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 
CISA_WK_3.pptx
CISA_WK_3.pptxCISA_WK_3.pptx
CISA_WK_3.pptxdotco
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptxdotco
 

More from dotco (12)

Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
crisc_wk_6.pptx
crisc_wk_6.pptxcrisc_wk_6.pptx
crisc_wk_6.pptx
 
crisc_wk_4.pptx
crisc_wk_4.pptxcrisc_wk_4.pptx
crisc_wk_4.pptx
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdf
 
CISM_WK_3.pptx
CISM_WK_3.pptxCISM_WK_3.pptx
CISM_WK_3.pptx
 
CISA_WK_2.pptx
CISA_WK_2.pptxCISA_WK_2.pptx
CISA_WK_2.pptx
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
CISA_WK_3.pptx
CISA_WK_3.pptxCISA_WK_3.pptx
CISA_WK_3.pptx
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 

Recently uploaded

EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonJericReyAuditor
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxAnaBeatriceAblay2
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 

Recently uploaded (20)

EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lesson
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 

CISM Certification and Information Security Governance

  • 2. CISM • ISACA's Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management, and risk management. • Whether you are seeking a new career opportunity or striving to grow within your current organization, a CISM certification proves your expertise in these work-related domains: • Information security governance • Information risk management • Information security program development and management • Information security incident management • Ideal for IT risk professionals, IT auditors, CISOs, information security managers, and risk management professionals.
  • 3. Information Security Governance • Governance can be defined as a set of rules to direct, monitor, and control an organization's activities. • Governance can be implemented by way of policies, standards, and procedures. • The information security governance model is primarily impacted by the complexity of an organization's structure. • An organization's structure includes objectives, its vision and mission, different function units, different product lines, hierarchy structure, leadership structure, and other relevant factors. • The responsibility for information security governance primarily resides with the board of directors and senior management. Information security governance is a subset of the overall enterprise governance. • Senior management holds the responsibility to ensure that security aspects are integrated with business processes. • The role of an information security steering committee is to provide oversight on the security environment of the organization.
  • 4. Information Security Governance • Steps for establishing the governance 1. Determine the objectives of an information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that you are willing to take. 2. The information security manager develops a strategy and requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the strategy to move to the desired state of security from its current state of security. 3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. • The security manager needs to consider various factors such as time limits, resource availability, the security budget, laws and regulations, and other relevant factors. Governance framework • The governance framework is a structure or outline that supports the implementation of the information security strategy. • EXAMPLE - COBIT and ISO 27000
  • 5. Information Security Governance The following are the objectives of information security governance: • To ensure that security initiatives are aligned with the business's strategy and support organizational objectives. • To optimize security investments and ensure the high-value delivery of business processes. • To monitor the security processes to ensure that security objectives are achieved. • To integrate and align the activities of all assurance functions for effective and efficient security measures. • To ensure that residual risks are well within acceptable limits. This gives comfort to the management. GRC: • GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance. • Governance, risk management, and compliance are three related aspects that help to achieve the organization's objectives. • it is mostly focused on the financial, IT, and legal areas. • Financial GRC focuses on effective risk management and compliance for finance processes. • IT GRC focuses on information technology processes. • Legal GRC focuses on the overall enterprise-level regulatory compliance. • GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.
  • 6. Information Security Governance • A maturity model is a tool that helps the organization to assess the current effectiveness of a process and to determine what capabilities they need to improve their performance. • Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. • The following list defines the different maturity levels of an organization: • Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose. • Level 1: Performed: On this level, the process can achieve its intended purpose. • Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled. • Level 3: Established: Apart from the Level 2 process, there is a well-defined, documented, and established process to manage the process. • Level 4: Predictable: On this level, the process is predictable and operates within defined parameters and limits to achieve its intended purpose. • Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals. • The CMM indicates a scale of 0 to 5 based on process maturity level, and it is the most common method applied by organizations to measure their existing state and then to determine the desired one.
  • 7. Information Security Governance • Information security roles and responsibilities • One of the simplest ways of defining roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed. • Responsible: This is the person who is required to execute a particular job function. • Accountable: This is the person who is required to supervise a job function. • Consulted: This is the person who gives suggestions and recommendations for executing a job function. • Informed: This is the person who should be kept updated about the progress of the job function. • Board of directors: The intent and objectives of information security governance must be communicated from the board level down. • Senior management: The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. • Business process owners: The role of a business process owner is to own the security- related risks impacting their business processes.
  • 8. Information Security Governance • A steering committee comprises the senior management of an organization. • The role of a steering committee is as follows: • To ensure that security programs support the business objectives • To evaluate and prioritize the security programs • To evaluate emerging risk, security practices, and compliance-related issues • The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer directly reporting to the chief executive officer (CEO). The role of the CISO is fundamentally a regulatory role, whereas the role of the CIO is to generally focus on IT performance. • The chief operating officer (COO) is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives. • The data custodian is a staff member who is entrusted with the safe custody of data. • A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals through the approval of the data owner.
  • 9. Information Security Governance The following list consists of some of the indicators of a successful security culture: • The involvement of the information security department in business projects. • The end users are aware of the identification and reporting of the incidents. • There is an appropriate budget for information security programs. • The employees are aware of their roles and responsibilities with regard to information security. Governance of third-party relationships • Policies and requirements of information security should be developed before the creation of any third-party relationship. • Also, the security manager should understand the following challenges of third-party relationships: • The cultural differences between an organization and the service provider. • Technology incompatibilities. • The business continuity arrangements of the service provider may not have aligned to the requirements of the organization. • Differences in incident management processes. • Differences in disaster recovery capabilities.
  • 10. Information Security Governance • The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. • A culture that favors taking risks will have a different implementation approach to a culture that is risk- averse. • An information security manager should be cautious about adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization. • The process should be in place to scan all the new regulations and determine the applicability of regulations to the organization. • The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address the new regulations. If not, then further controls should be implemented to address the new regulations. • The information security manager is required to assess the impact of privacy law on business processes.
  • 11. Information Security Governance • For the effective implementation of security governance, support and commitment from senior management is the most important prerequisite. • It is very important for the information security manager to gain support from senior management. The most effective way to gain this is to ensure that the security program continues to be aligned with and supports the business objectives. • The primary driver for investment in an information security project is value analysis and a sound business case. • To obtain approval for an information security budget, the budget should primarily include a cost-benefit analysis. Senior management is more interested in the benefit that is derived from the budget. • Information security should support the achievement of organizational objectives by minimizing business disruptions. • Another aspect of determining the strategic alignment is to review the business balanced scorecard. A business scorecard contains important metrics from a business perspective. It will help to determine the alignment of the security goals with the business goals.
  • 12. Information Security Governance • A business case is a justification for a proposed project. • The business case is prepared to justify the effort and investment in a proposed project. It captures the reasoning for initiating a project or task. • The business case is a key element in decision-making for any project. The proposed returns on investments (ROIs), along with any other expected benefits, are the most important consideration for decision-making in any new project. IS Governance Metrics • A metric is a measurement of a process to determine how well the process is performing. Security-related metrics indicate how well the controls can mitigate the risks. • On the basis of effective metrics, an organization evaluates and measures the achievement and performance of various processes and controls. The main objective of a metric is to help the management in decision-making. • Good metrics should be SMART. That is, specific, measurable, attainable, relevant, and timely. • Specific: The metric should be specific, clear, and concise. • Measurable: The metric should be measurable so that it can be compared over a period. • Attainable: The metric should be realistic and achievable. • Relevant: The metric should be linked to specific risks or controls. • Timely: The metric should be able to be monitored on a timely basis.
  • 13. Information security strategy and plan • An information security strategy is a set of actions to achieve the security objectives. • The strategy includes what should be done, how it should be done, and when it should be done in order to achieve the security objectives. • A strategic plan should include the desired state of information security. A strategy is considered to be effective if control objectives are met. • The final responsibility for the appropriate protection of an organization's information falls to the board of directors. • The Chief Information Security Officer (CISO) is primarily responsible for the design and development of the information security strategy in accordance with the security policy. • Security policies are developed based on the security strategy. • Policies take the form of a high-level document containing the intent and direction of management.
  • 14. Policy, Procedures, Standards and Baselines • A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. • Policies are high-level management directives and is mandatory. • It is a strategic plan for implementing security. • The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels and used as the proof that senior management has exercised due care in protecting itself against intrusion, attack, and disaster. • Examples: organizational security policy, issue-specific security policy, system-specific security policy, regulatory, advisory, and informative policy. • A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory. • Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Mandatory • Baseline defines a minimum level of security that every system throughout the organization must meet. Mandatory. • Guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
  • 15. Organizational Roles and Responsibilities • Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. • Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. • Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. • Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. • Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. • User: The user (end user or operator) role is assigned to any person who has access to the secured system.
  • 16. Business Case • A business case is a justification for a proposed project. The business case is prepared to justify the effort and investment in a proposed project. • The business case is a key element in decision-making for any project. • Development of the business case is the responsibility of the project sponsor. • Statement of Work • A statement of work is a contractual document that defines the ownership, liabilities, responsibilities and work agreements between two parties, usually clients and service providers.
  • 17. Enterprise information security architecture • An enterprise architecture (EA) is a blueprint that defines the structure and operation of the organization. • It describes how different elements such as processes, systems, data, employees, and other infrastructure are integrated to achieve the current and future objectives of the organization. • The security architecture is a subset of the overall EA. The objective of the security architecture is to improve the security posture of the organization. • A security architecture provides detailed information on how a business operates and what security controls are required. This helps the security manager to determine the processes and systems where efforts toward security should be focused.
  • 18. Organizational structure • Organizational structure means the roles and responsibilities of different individuals, the reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so on. • A flexible and evolving organizational structure is more open to the adoption of a security strategy as opposed to a more constrained organizational structure. Board of directors: • The ultimate responsibility for the appropriate protection of an organization's information falls to the board of directors. • The involvement of board members in information security initiatives indicates good governance. • The company directors can be protected from liability if the board has exercised due diligence. • Many laws and regulations make the board responsible in the event of data breaches. • Even cyber security insurance policies require the board to exercise due diligence as a prerequisite for insurance coverage. Security steering committee • The security steering committee is generally composed of senior management from different business units. • The security steering committee is best placed to determine the level of acceptable risk for the organization. • The security steering committee monitors and controls the security strategy. They also ensure that the security policy is aligned with business objectives.
  • 19. Organizational structure • Organizations' security functions can work in either a centralized or decentralized way. • In a centralized process, information security activities are handled from a central location, usually the head office of the organization. In a decentralized process, the implementation and monitoring of security activities are delegated to local offices of the organization. • Centralization of information security management results in greater uniformity and easier monitoring of the process. This in turn will advance better adherence to security policies. • In a decentralized environment, more emphasis is placed on the needs and requirements of business.
  • 20. Record retention • A record retention policy will specify what types of data and documents are required to be preserved, and what should be destroyed. It will also specify the number of years for which that data is required to be preserved. • The information security manager should ensure that an adequate record retention policy is in place and that this is followed throughout the organization. • Record retention should primarily be based on the following two factors: • Business requirements • Legal requirements • Electronic discovery (e-discovery) is the process of the identification, collection, and submission of electronic records in a lawsuit or investigation.
  • 21. Awareness and education • End users are one of the most important elements for consideration in the overall security strategy. • Training, education, and awareness are of extreme importance to ensure that policies, standards, and procedures are appropriately followed. • The most effective way to increase the effectiveness of security training is to customize the training to the target audience and to address the systems and procedures applicable to that particular group. • For example, system developers need to undergo an enhanced level of training covering aspects of security related to coding, while data entry operators should be trained on the aspects of security related to their functions.
  • 22. Legal, Regulatory and Contractual Requirements • In the field of IT, the most common objectives of laws and regulations include the safeguarding of privacy and the confidentiality of personal data, the protection of intellectual property rights, and the integrity of financial information. • Adherence to laws and regulations is one of the most important external requirements for an organization. Control should be implemented and monitored at periodic intervals to ensure that the organization is complying with legal and regulatory requirements. • Privacy laws could prevent the flow of information across borders • Most effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives - A compliance-oriented gap analysis
  • 23. Information Risk Management • The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk. • Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing risk. • The prime objective of a risk management process is to achieve an optimum balance between maximizing business opportunities and minimizing vulnerabilities and threats. • To achieve this objective, the information security manager should have a thorough understanding of the nature and extent of the risks that an organization may encounter. • A mature organization has a dedicated enterprise risk management (ERM) group to monitor and control such risks. • The effectiveness of risk management depends on how well risk management is integrated into an organization's culture and the extent to which risk management becomes everyone's responsibility.
  • 24. Confidentiality • Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. In other words, unauthorized disclosure of information; • The goal of confidentiality protection is to prevent or minimize unauthorized access to data. • Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. • For confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. • Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on. • Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training
  • 25. Integrity • Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. • It ensures that data remains correct, unaltered, and preserved. • Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes or oversights). • data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect a system. from unauthorized modification. • Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors. • countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.
  • 26. Availability • Availability ensures that information is available when needed. • Aauthorized subjects are granted timely and uninterrupted access to objects. • Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access. • Attacks - DoS attacks, object destruction, and communication interruptions. • Countermeasures - designing intermediary delivery systems, properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Disclosure, alteration, and destruction • Disclosure is the unauthorized release of information. • Alteration is the unauthorized modification of data. • Destruction is making systems or data unavailable.
  • 27. Risk Terminology • Asset: Anything of Value to the company • Asset Valuation: dollar value assigned to an asset • Vulnerability: A weakness; the absence of a safeguard • Threat: Something that could pose loss to all or part of an asset • Threat Agent: What carries out the attack • Exposure Exposure is being susceptible to asset loss because of a threat • Exploit: An instance of compromise • Risk: Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. • Safeguards: A safeguard, security control, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. • Attack An attack is the exploitation of a vulnerability by a threat agent. • Breach A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result. • Controls: Physical, Administrative, and Technical Protections Safeguards Countermeasure
  • 28. Phases of Risk Management • Step 1: Risk identification: In risk identification, various risks impacting the business objectives are identified by way of risk scenarios. In risk identification, the threat landscape and vulnerabilities are identified. • Step 2: Risk analysis: In risk analysis, the impact and the level of the risk are determined (that is, high, medium, or low). Risk analysis helps determine the exposure to the business and to plan for remediation. • Step 3: Risk evaluation: In risk evaluation, it is determined whether the risk is within an acceptable range or whether it should be mitigated. Thus, based on risk evaluation, risk responses are decided. • Step 4: Risk response: Risk response can be in the form of risk mitigation, risk acceptance, risk avoidance, or risk transfer. • The most important outcome of an effective risk management program is to reduce the incident that's impacting the business objectives. This can be done by addressing the threat and reducing the vulnerabilities and their exposure.
  • 29. Risk capacity, appetite, and tolerance • Risk capacity: This is the maximum risk an organization can afford to take. • Risk appetite: This is the amount of risk that an organization is willing to take. • Risk tolerance: acceptable deviations from risk appetite, and that they are always lower than the risk capacity. • Mr. A's total savings are $1,000. He wants to invest in equities to earn some income. Since he is risk-averse, he decides to only invest up to $700. If the markets are good, he is willing to invest a further $50. Let's derive the risk capacity, risk appetite, and risk tolerance for this example, as follows: • Risk capacity: Total amount available; that is, $1,000 • Risk appetite: His willingness to take risks; that is, $700 • Risk tolerance: The acceptance deviation from risk appetite; that is, $750 • Risk capacity is always greater compared to tolerance and appetite. • Tolerance can either be equal to, or greater than, appetite. Risk acceptance should generally be within the risk appetite of the organization. In no case should it exceed the risk capacity.
  • 30. Risk management process Sequence: • Determine the scope and boundaries of the program. • Determine the assets and processes that need to be protected. • Conduct a risk assessment by identifying the risks, analyzing the level of risk based on the impact, and evaluating whether the risk meets the criteria for acceptance. • Determine the risk treatment options for risks that are above the acceptable level. • Risk Treatment can be in any of the following forms: • Mitigating the risk by implementing additional controls. • Accepting the risk (generally, this option is selected when the impact is low and the cost of treatment exceeds the impact). • Avoid the risk (generally, this option is selected when the feasibility study or business case does not indicate positive results). • Transfer the risk to third parties such as insurance companies (generally, this option is selected for a low probability risk that has a high impact, such as natural disasters). • Determine the acceptability of the residual risk (that is, any risks remaining after treatment) by management. • Monitor the risk continuously and develop an appropriate procedure to report the results of risk monitoring to management.
  • 31. Risk management process • During all these steps, it is equally important to share relevant information about risk management activities with concerned stakeholders. Having an effective communication process improves the whole risk management process. • Effective risk management requires participation, support, and acceptance by the relevant members of the organization, starting with senior management. • Employees must understand their responsibilities and be able to perform their required roles. • Risk controls are measures and are considered to be sufficient when the residual risk is less than or equal to an acceptable risk. • Risk should be prioritized based on its criticality. High-level risks should be addressed first.
  • 32. Risk Management Process Risk Assessment Context Establishment Risk Treatment Risk Identification Risk Analysis Risk Evaluation Assets Vulnerabilities Threads Existing Controls consequences Qualitative Quantitative Risk Mitigation Risk Acceptance/Retention Risk Transfer/Sharing Risk Avoidance
  • 33. Risk Management Framework • A framework is a structure or outline that supports the implementation of any program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. • COBIT • ISO 31000 on Enterprise Risk Management • ISO 27001 on the Information Security Management System • Gap analysis is the process of determining the gap between the existing level of the risk management process compared to the desired state. Based on the desired state, control objectives are defined. • The objective of gap analysis is to identify whether control objectives can be achieved through the risk management process. • Cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit and that the best control is implemented for the given cost. Cost-benefit analysis helps justify the implementation of a specific control measure.
  • 34. Risk Management Phases Risk identification: • In this phase, significant business risks are identified. • Risk identification is generally conducted by risk scenarios. A risk scenario is a visualization of a possible event that can have adverse impact on the business objective. • Organizations use risk scenarios to imagine what could go wrong and create hurdles for achieving the business objectives. Risk analysis: • Risk analysis is where you rank a risk based on its impact on business processes. • The impact can be either quantifiable in dollar terms or can be qualitative, such as high risk, medium risk, or low risk. • Both the probability of the event and the impact on the business are considered to determine the level of risk. • Risk analysis results help prioritize risk responses and allocate resources. Risk evaluation: • Risk evaluation is the process of comparing the result of risk analysis against the acceptable level of risk. • If the level of risk is more than the acceptable risk, then risk treatment is required to bring down the level of risk.
  • 35. Risk Management Phases Asset identification • identify and list all the information assets and determine their value based on criticality or sensitivity. • Assets can be in the form of people, processes, system and network components, databases, or any other factor that can have an impact on business processes. • Assets aren't only tangible assets but intangible assets such as the reputation of the organization. Asset valuation • Once all the assets have been identified, the next step is to determine their valuation. • This is to avoid underprotecting or overprotecting the asset. • The efforts required to protect an asset should be justified by its criticality. It does not make sense to spend $100 to protect a $10 asset. • valuation should not be based only on the actual cost or replacement cost but based on the impact it will have on the business if such an asset is not available. Aggregated risk: • Aggregated risk means having a significant impact caused by a large number of minor vulnerabilities. • Such minor vulnerabilities individually do not have a major impact but when all these vulnerabilities are exploited at the same time, they can cause a huge impact. Cascading risk • Cascading risk is where one failure leads to a chain reaction of failures. • This is more relevant when IT and operations have close dependencies.
  • 36. Risk Management Phases Identifying risk • Risk management begins with risk identification. • Risk identification is the process of identifying and listing the risks in the risk register. • The primary objective of the risk identification process is to recognize the threats, vulnerabilities, assets, and controls of the organization. Risk practitioners can use the following sources to identify the risk: • Review past audit reports. • Review incident reports. • Review public media articles and press releases. • Through systematic approaches such as vulnerability assessment, penetration testing, reviewing BCP and DRP documents, conducting interviews with senior management and process owners, scenario analysis, and more. • All the identified risks should be captured in the risk register, along with details such as description, category, probability, impact, and risk owner. Maintaining the risk register process starts with the risk identification process. • An advanced persistent threat (APT) is a type of cyberattack that's performed on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period. • During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data.
  • 37. Risk Analysis Methodologies • Risk analysis is the process of ranking various risks so that areas of high risk can be prioritized for treating them. • Risk can be measured and ranked by use of any of the following methods: • Quantitative Risk Assessment • Qualitative Risk Assessment • Semi-quantitative Risk Assessment • Factor that influences the selection for the above technique is availability of accurate data for risk assessment. • Quantitative Risk Assessment: Risk is measured on the basis of numerical values. • Major challenge for conducting quantitative risk assessment is availability of reliable data. • Quantitative risk assessment is not feasible for the events where probability or impact cannot be quantified or expressed in numerical terms.
  • 38. • Qualitative Risk Assessment • In a qualitative risk assessment, risks are measured on some qualitative parameters such as high, medium a low or on a scale of 1 to 5. • Qualitative assessment is considered more subjective as compared to quantitative assessment. • Qualitative risk assessment is more relevant to examine the new emerging threats and advanced persistent threats (APTs). Qualitative risk analysis method involves conducting interviews of various stakeholders. • Semi Quantitative Risk Assessment • hybrid approach which considers input of qualitative approach combined with numerical scale to determine the impact of a quantitative risk assessment. • A risk practitioner would always prefer a quantitative approach. Quantitative approach helps in cost benefit analysis as risk in monetary terms can be easily compared to cost of various risk responses. • However, a major challenge in conducting a quantitative risk analysis is availability of accurate data. In absence of proper data or when data accuracy is questionable, qualitative analysis is more preferable. Risk Analysis Methodologies
  • 39. • Annual loss expectancy is a calculation that helps you determine the expected monetary loss for an asset due to a particular risk over a single year. • The annualized loss expectancy is the product of the annual rate of occurrence and the single loss expectancy. • ALE = ARO*SLE • For example, a particular risk event can have an impact of $1,000 every time it occurs. $1,000 is the single loss expectancy (SLE). Now it is expected that this particular risk event will materialize 5 times a year. 5 is the annual rate of occurrence (ARO). So, in this case, the annual loss expectancy is $5,000. Evaluating risk • In the risk evaluation phase, the level of each risk is compared against the acceptable risk criteria. • If the risk is within an acceptable level, then the risk is accepted as-is. • If the risk exceeds the acceptable level, then treatment will be some form of mitigation. Risk ranking • A risk with high impact is ranked higher and given priority to address the same. More resources are allocated to high-risk areas. • Ranking each risk based on impact and likelihood is critical in determining the risk mitigation strategy. Ranking the risk helps the organization determine its priority. Risk Analysis Methodologies
  • 40. • For successful risk management, each risk should have assigned ownership and accountability. • Risk should be owned by a senior official who has the necessary authority and experience to select the appropriate risk response based on analyses and guidance provided by the risk practitioner. • Risk owners should also own associated controls and ensure the effectiveness and adequacy of the controls. Risk should be assigned to an individual employee rather than as a group or a department. • The accountability for risk management lies with senior management and the board. • Risk ownership is best established by mapping risk to specific business process owners. • The details of the risk owner should be documented in the risk register. • The results of the risk monitoring process should be discussed and communicated with the risk owner. This is because they own the risk and are accountable for maintaining the risk within acceptable levels. Risk ownership and accountability
  • 41. Risk avoidance: • In this approach, projects or activities that cause the risk are avoided. Risk avoidance is the last choice when no other response is adequate. For example, declining a project when business cases show a high risk of failure. Risk mitigation: • In this approach, efforts are made to reduce the probability or impact of the risk event by designing the appropriate controls. • The objective of risk mitigation is to reduce the risk to an acceptable level. Risk sharing/transferring: • In this approach, the risk is shared with partners or transferred via insurance coverage, contractual agreement, or other means. • Natural disasters have a very low probability but a high impact. The response to such a risk should be risk transfer. Risk acceptance: • In this approach, the risk is accepted as per the risk appetite of the organization. Risk is accepted where the cost of controlling the risk is more than the cost of the risk event. • However, organizations need to be careful while accepting the risk. If the risk is accepted while the correct level of risk isn't known, it may result in a higher level of liabilities. Risk treatment options
  • 42. Inherent risk • This is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls). Residual risk • This is the risk that remains after controls are considered (the net risk or risk after controls). Residual Risk = Inherent Risk - Controls. • For a successful risk management program, residual risk should be within the risk appetite (acceptable risk level). Security baseline • The security baseline is the minimum security requirement across the organization. • The baseline may be different based on asset classification. For highly classified assets, the baseline will be more stringent. • Baseline security should form part of the control objective. The baseline should be reviewed at regular intervals to ensure that it is aligned with the organization's overall objectives. Risk treatment options