
Information Risk Maturity SRA-E 2018


Slides from my oral presentation S16-01 "A framework for Information Risk maturity" at SRA Europe in Östersund, Sweden, 2018-06-18.


  1. A Framework for Information Risk Maturity, SRA Europe, Östersund, 2018-06-18, @stromsjo
  2. Per Strömsjö • Information Security since 2005 • Experience – Financial industry 25+ years – Established Information Risk Management – Consulted in Business Continuity and Security Management – Acting Chief Security Officer • What gets me going? – People as the strongest link in Security – Teaching, coaching, mentorship • Community – Board member of the Swedish Academy of Risk Sciences (Riskkollegiet) – Association for Computing Machinery (ACM) • Education – Security Informatics, Criminology – B.Sc. in Systems Science, Stockholm University
  3. Know Thy Assets • information – valuable to us – valuable to others • at rest • in use • in transit
  4. Information Security Goals
  5. Security and Trust
  6. Socio-technical System: people, process, tech …in that order…
  7. Angles on Security (diagram): security, rules, architecture, risk, culture
  8. Information Risk Components (diagram: risk = asset + threat source + vulnerability; example: customer database, weak password in business system, malicious hacker). Malicious hacker exploits weak password in business system, thus getting access to customer database, and discloses (confidentiality) sensitive information. Probability X, consequence Y, risk level Z.
  9. Not an Isolated Matter • multiple systems – apps, services, … • interconnected – internal infrastructure – external infrastructure – in unknown ways – in unforeseen ways • plenty of moving parts • no one has the whole picture • InfoRisk is emergent
  10. (Sub)divide and Conquer • Security Risk Assessment (SRA) for key components • local ownership can make this happen • manage local risk • a "hygiene" level • enable subsequent high-level assessments
  11. Managing InfoRisk (process cycle): delimit → assess → qualify → treat → report
  12. Who is the InfoRisk Owner? • our quality is not somebody else's problem • "risk glasses" help • responsibility and ownership • transparency => accountability • outsourcing remains a challenge
  13. A Helicopter View (diagram): several local cycles of delimit → assess → qualify → treat → report, under Enterprise Risk Management providing concepts, methods, governance, facilitation, reporting, escalation, mediation
  14. InfoRisk Maturity? A tentative definition: motivation and ability to take local ownership for (Information) Risk impacting or stemming from one's own area of responsibility
  15. Metrics for Risk Maturity: Coverage • is the entire socio-technical system considered? • bias towards the known or uncontroversial?
  16. Metrics for Risk Maturity: Methodology • adherence to our established method? • is the assessment traceable? • are accidental threat sources included?
  17. Metrics for Risk Maturity: Regularity • updated risk assessment reported at preset deadline? • without additional reminders/requests?
  18. A Dual View: reported, qualified risk + maturity dashboard
  19. So, what does it take? • information model • process/system map • information owners • low-entry methods • persistence and trust • culture of local ownership
  20. @stromsjo, per.stromsjo@omegapoint.se – metrics developed together with Tina Lindevall and Anders Karlsson
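Slides 15 to 18 describe three maturity metrics (coverage, methodology, regularity) that feed a maturity dashboard shown beside the reported, qualified risk. As an added example that is not part of the deck, the Python below scores local SRA reports against those three sets of questions and builds the per-owner dashboard; the record layout, the 0 / 0.5 / 1 regularity scale and the equal weighting of the three metrics are assumptions, and the two sample reports are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed record of one local Security Risk Assessment (SRA) per InfoRisk owner,
# holding just the facts the three maturity metrics ask about.
LAYERS = ("people", "process", "tech")   # the socio-technical system, in that order

@dataclass
class LocalAssessment:
    owner: str                  # area of responsibility that owns the risk
    deadline: date              # preset reporting deadline
    reported: Optional[date]    # when the updated SRA arrived (None = not yet)
    reminders: int              # reminders/requests needed before it arrived
    layers: frozenset           # subset of LAYERS the assessment actually considered
    follows_method: bool        # adherence to the established method
    traceable: bool             # each risk traceable to asset / threat source / vulnerability
    accidental_sources: bool    # accidental threat sources included, not only malicious ones

def coverage(a: LocalAssessment) -> float:
    """Coverage: share of the socio-technical system that was considered."""
    return len(a.layers & set(LAYERS)) / len(LAYERS)

def methodology(a: LocalAssessment) -> float:
    """Methodology: share of the method questions answered 'yes'."""
    answers = (a.follows_method, a.traceable, a.accidental_sources)
    return sum(answers) / len(answers)

def regularity(a: LocalAssessment) -> float:
    """Regularity (assumed scale): 1.0 on time without reminders, 0.5 late or chased, 0 missing."""
    if a.reported is None:
        return 0.0
    return 1.0 if a.reported <= a.deadline and a.reminders == 0 else 0.5

def maturity_dashboard(assessments: list) -> dict:
    """Per-owner metrics plus an overall maturity score (assumed: plain mean of the three)."""
    board = {}
    for a in assessments:
        cov, met, reg = coverage(a), methodology(a), regularity(a)
        board[a.owner] = {"coverage": cov, "methodology": met, "regularity": reg,
                          "maturity": round((cov + met + reg) / 3, 2)}
    return board

# Constructed sample: two local owners reporting against a 2018-06-01 deadline.
SAMPLE = [
    LocalAssessment("customer-database", date(2018, 6, 1), date(2018, 5, 28), 0,
                    frozenset(LAYERS), True, True, True),
    LocalAssessment("billing-app", date(2018, 6, 1), date(2018, 6, 14), 2,
                    frozenset({"tech"}), True, False, False),
]
```

Running `maturity_dashboard(SAMPLE)` gives the customer database owner a maturity of 1.0 and the billing app owner 0.39, with the low coverage and methodology scores showing where that owner's assessment falls short.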
