Presentation on “Information Risk Management”
By: Nikhil Soni (2020MTIS-06)
SECURE SOFTWARE SYSTEMS
What is Risk & Risk Management?
• A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organization.
  A + T + V = R
  That is, Asset + Threat + Vulnerability = Risk.
• Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
• “Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk.” – Wikipedia
Risk Life Cycle (diagram)
A Threat Agent exploits a Vulnerability, which leads to a Risk; the Risk can damage an Asset and cause an Exposure, which can be countermeasured by a Safeguard.
General Terms:
• Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
  An asset is what we’re trying to protect.
Information Assets (diagram: IS Components)
• People
  – Employees: Authorized Staff, Other staff
  – Non-employees: People at trusted organizations, Strangers
• Procedures: Standard Procedures, Sensitive Procedures
• Data: Transmission, Process, Storage
• Software (SW): Application, OS, Security Component
• Hardware (HW): System, Devices
• Network
General Terms:
• Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
  A threat is what we’re trying to protect against.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
  Risk is the intersection of assets, threats, and vulnerabilities.
• Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
  A vulnerability is a weakness or gap in our protection efforts.
Risk Management Process
• It involves two sub processes:
  1. Risk Assessment
  2. Risk Control
• Steps (diagram): Identify Risks → Analyze Risks → Define Desired Results → Select Strategy → Implement Strategy → Monitor → Evaluate and Adjust; the steps are grouped under Risk Assessment and Risk Control.
• The Process is iterative.
• The Processes are organized: each step’s output is considered as an input for the next step.
Risk Identification
• The first step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems.
• This is a crucial phase. If a risk is not identified it cannot be evaluated and managed.
• Any failure at this stage to identify risk may cause a major loss for the organization.
• Risk identification provides the foundation of risk management.
• Risk identification requires knowledge of the organization, the market in which it operates, and the legal, social, economic, political, and climatic environment in which it has its impact.
Risk Analysis
• Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.
• The risk analysis step assists in determining which risks have a greater consequence or impact than others.
Methods of Risk Analysis
Risk analysis is generally lumped into two main categories: Qualitative and Quantitative.
• Qualitative Risk Analysis:
  The root word of qualitative is “quality” and that is what these techniques focus on. Qualifying risks under this method involves making a simple list of the risks themselves, along with ranking them and mapping them out. The following are some common techniques used for assessing risks from a qualitative aspect:
  – Probability and Impact Assessment and Matrix: Analyzing and rating risks using probability and impact on things like cost, schedule and performance.
  – Risk Categorization: Grouping risks by common root causes to develop effective responses.
  – Risk Urgency: The risk ranking from your probability matrix combined with urgency can help set risk priorities.
  – Expert Judgment: Professional opinions from people in the industry or with similar projects.
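The matrix, categorization and urgency steps above can be made concrete in code. The following Python is an added example for these slides, not part of the original deck: the five-point probability and impact scales, the high/medium/low band thresholds, the urgency weighting and the sample risk register are all assumptions made for the illustration.

```python
"""Qualitative risk analysis: probability/impact matrix, root-cause
categorization and urgency-adjusted ranking.
Added example, not from the original slides; scales, thresholds and the
sample register below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Five-point ordinal scales for the probability-and-impact matrix (assumed).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    probability: str   # key into PROBABILITY
    impact: str        # key into IMPACT
    root_cause: str    # shared cause used for risk categorization
    urgency: int = 0   # 0 = no time pressure, 1 = window closing, 2 = act now


def score(risk: Risk) -> int:
    """Matrix cell value: probability rating x impact rating (1..25)."""
    return PROBABILITY[risk.probability] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Map the matrix cell to a band; thresholds are assumed, not from the slides."""
    s = score(risk)
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def rank(risks, urgency_weight: int = 3) -> list:
    """Treatment order: matrix score plus an urgency bump, highest first.
    Ties are broken by name so the order is reproducible."""
    return sorted(risks, key=lambda r: (-(score(r) + urgency_weight * r.urgency), r.name))


def categorize(risks) -> dict:
    """Group risk names by root cause so one response can cover several risks."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.root_cause].append(r.name)
    return dict(groups)


# Constructed sample register for a small web application.
REGISTER = [
    Risk("Unpatched web framework", "likely", "major", "no patch process", urgency=2),
    Risk("Shared admin password", "possible", "severe", "weak identity management"),
    Risk("Laptop theft", "unlikely", "moderate", "physical security"),
    Risk("Expired TLS certificate", "possible", "minor", "no patch process", urgency=1),
    Risk("Service account without MFA", "likely", "major", "weak identity management"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{score(r):2d} {rating(r):6s} urgency={r.urgency} {r.name}")
    for cause, names in categorize(REGISTER).items():
        print(f"{cause}: {', '.join(names)}")
```

Running the block prints the register in treatment order: the unpatched framework (score 16, urgent) comes first, and the two identity-management risks are grouped together by `categorize`, which is the point of risk categorization: one response (a patch process, an identity control) can cover several ranked risks at once.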
• Quantitative Risk Analysis:
  These methods are more about definitive measuring and probabilistic techniques. The greatest risk of all is the risk of losing money and you cannot use qualitative systems to count your cost. The following are a few simple ways in which organizations are counting their risks:
  – Probability distributions: Used in modeling and simulation to represent the uncertainty of values in things like task costs and labor.
  – Cost and Schedule Risk Analysis: Cost estimates and scheduling are used as input values that are chosen randomly for each iteration.
  – Sensitivity Analysis: This is a simple technique to determine how much impact a risk poses to a project.
  – Expected Monetary Value analysis (EMV): Calculating the average outcome of scenarios that may or may not happen.
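The quantitative methods listed above, as an added Python example that is not part of the original slides: EMV is computed directly as probability times average loss, the probability distributions feed a Monte Carlo cost simulation (random draws per iteration, as in the cost and schedule risk analysis above), and a one-at-a-time sensitivity analysis shows which scenario moves the expected loss most. The three loss scenarios, the use of triangular distributions and their parameters are constructed sample data.

```python
"""Quantitative risk analysis: expected monetary value (EMV), Monte Carlo
simulation over probability distributions, and one-at-a-time sensitivity.
Added example, not from the original slides; scenarios and distribution
parameters are constructed for illustration."""
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float   # chance the event occurs within the planning period
    loss_low: float      # optimistic loss if it occurs
    loss_likely: float   # most likely loss if it occurs
    loss_high: float     # pessimistic loss if it occurs

    @property
    def loss_mean(self) -> float:
        """Mean of the triangular distribution (low, likely, high)."""
        return (self.loss_low + self.loss_likely + self.loss_high) / 3.0


def emv(scenarios) -> float:
    """EMV: sum of probability x average loss over all scenarios."""
    return sum(s.probability * s.loss_mean for s in scenarios)


def simulate(scenarios, iterations: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo: each iteration decides per scenario whether the event occurs
    and, if so, draws its loss from the triangular distribution. Returns the
    total loss of every iteration (the sampled loss distribution)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.probability:
                total += rng.triangular(s.loss_low, s.loss_high, s.loss_likely)
        totals.append(total)
    return totals


def summarize(totals) -> dict:
    """Mean, 95th-percentile and worst-case loss of a simulated distribution."""
    ordered = sorted(totals)
    p95 = ordered[min(len(ordered) - 1, int(0.95 * len(ordered)))]
    return {"mean": statistics.mean(ordered), "p95": p95, "worst": ordered[-1]}


def sensitivity(scenarios, delta: float = 0.1) -> list:
    """One-at-a-time sensitivity: raise each scenario's probability by `delta`
    (capped at 1.0), record the change in EMV, and sort by largest swing."""
    base = emv(scenarios)
    swings = []
    for s in scenarios:
        bumped = replace(s, probability=min(1.0, s.probability + delta))
        others = [x for x in scenarios if x is not s]
        swings.append((s.name, emv(others + [bumped]) - base))
    return sorted(swings, key=lambda t: -t[1])


# Constructed loss scenarios (probability per year, losses in currency units).
SCENARIOS = [
    Scenario("Ransomware on file server", 0.10, 50_000, 150_000, 400_000),
    Scenario("Cloud credential leak", 0.25, 5_000, 20_000, 80_000),
    Scenario("DDoS during peak sales", 0.40, 2_000, 8_000, 20_000),
]

if __name__ == "__main__":
    print("EMV:", emv(SCENARIOS))
    print("Monte Carlo:", summarize(simulate(SCENARIOS)))
    for name, swing in sensitivity(SCENARIOS):
        print(f"+10% probability of {name!r} raises EMV by {swing:,.0f}")
```

The EMV for the constructed scenarios is 32,750. The simulation's mean converges to that figure, but its 95th percentile is far higher, which is the practical reason for running probability distributions rather than stopping at the average: budgets and reserves are sized on the tail, not on the mean. The sensitivity ranking puts the low-probability, high-loss ransomware scenario first, so that is where an extra point of likelihood costs the most.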
Strategies: Selection & Implementation
• Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
• Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence.
• Risk control should also aim to enhance positive outcomes.
• Organizations can respond to risk in a variety of ways. These include:
  – (i) risk acceptance
  – (ii) risk avoidance
  – (iii) risk mitigation
  – (iv) risk sharing
  – (v) risk transfer
  – (vi) a combination of the above.
• Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
• Risk Avoidance: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
• Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.
• Risk mitigation involves taking action to reduce an organization’s exposure to potential risks and reduce the likelihood that those risks will happen again.
• Risk Sharing or Transfer: Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.
• Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).
• It is important to note that risk transfer reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to organizational operations and assets, individuals, other organizations, or the Nation.
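To make the treatment options and the caveat about transfer concrete, here is an added Python example (not from the slides): each response is applied to a risk record and the residual risk is reported, so that mitigation visibly lowers likelihood or impact, avoidance removes the event, and transfer moves liability while leaving likelihood and impact untouched. The tolerance value, the control effectiveness factors, the decision order and the sample register are assumptions for the illustration.

```python
"""Risk treatment: choosing a response against the organizational risk
tolerance and tracking residual risk. Added example, not from the original
slides; tolerance, control factors, decision order and the register are
constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # probability of the event in the period
    impact: float       # loss if the event occurs
    owner: str = "us"   # party that carries the liability

    @property
    def exposure(self) -> float:
        """Annualized exposure = likelihood x impact."""
        return self.likelihood * self.impact


# Assumed control effectiveness: name -> (likelihood factor, impact factor).
CONTROLS = {
    "offline backups": (1.0, 0.2),
    "mfa": (0.25, 1.0),
    "disk encryption": (1.0, 0.1),
    "vendor patching SLA": (0.5, 1.0),
}
TOLERANCE = 10_000.0   # assumed: maximum exposure the organization accepts


def mitigate(risk: Risk, control: str) -> Risk:
    """Mitigation lowers likelihood and/or impact; what is left is residual risk."""
    lf, imf = CONTROLS[control]
    return replace(risk, likelihood=risk.likelihood * lf, impact=risk.impact * imf)


def transfer(risk: Risk, to: str) -> Risk:
    """Transfer shifts liability; likelihood and impact stay exactly as they were."""
    return replace(risk, owner=to)


def avoid(risk: Risk) -> Risk:
    """Avoidance removes the activity, so the event can no longer occur."""
    return replace(risk, likelihood=0.0)


def treat(risk: Risk, applicable: list, insurable: bool,
          tolerance: float = TOLERANCE, insurer: str = "cyber insurer"):
    """Return (response, residual risk). The decision order is an assumed policy:
    accept within tolerance; else the first applicable control that brings the
    exposure within tolerance; else transfer if someone will take it; else avoid."""
    if risk.exposure <= tolerance:
        return "accept", risk
    for control in applicable:
        candidate = mitigate(risk, control)
        if candidate.exposure <= tolerance:
            return f"mitigate:{control}", candidate
    if insurable:
        return "transfer", transfer(risk, insurer)
    return "avoid", avoid(risk)


def treat_register(register, tolerance: float = TOLERANCE) -> list:
    """Treat every (risk, applicable controls, insurable) entry and report
    (name, response, residual exposure, liability owner)."""
    out = []
    for risk, applicable, insurable in register:
        response, residual = treat(risk, applicable, insurable, tolerance)
        out.append((risk.name, response, round(residual.exposure, 2), residual.owner))
    return out


# Constructed register: (risk, controls that apply to it, whether insurance is available).
REGISTER = [
    (Risk("Ransomware on file server", 0.2, 200_000), ["offline backups", "mfa"], False),
    (Risk("Lost unencrypted laptop", 0.05, 50_000), ["disk encryption"], False),
    (Risk("Breach via third-party data processor", 0.1, 500_000), ["vendor patching SLA"], True),
    (Risk("Legacy FTP upload service", 0.6, 40_000), [], False),
]

if __name__ == "__main__":
    for name, response, exposure, owner in treat_register(REGISTER):
        print(f"{name:40s} {response:26s} residual={exposure:>10,.0f} liability={owner}")
```

The third entry is the one to watch: its only applicable control does not bring it within tolerance, so it is transferred, and the residual exposure printed for it is the same 50,000 it started with. Only the liability owner changed, which is exactly the point the slide above makes about transfer. Mitigation, by contrast, leaves the ransomware risk at a residual 8,000, and avoidance drives the legacy service's exposure to zero by removing the activity.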
Monitor and Review
• Monitor and review is an essential and integral step in the risk management process.
• An owner of the organization must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
• Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static, therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.
Thank You
