SlideShare a Scribd company logo

Ch 3a: Risk Management Concepts

Sam Bowne
Sam Bowne

A college course in Cybersecurity Responsibilities More info: https://samsclass.info/160/160_S22.shtml

Education
1 of 43
Download to read offline
CNIT 160: Cybersecurity Responsibilities 3. Information Risk Management Part 1 Pages 102 - 115 Updated 2-10-22
Topics • Part 1 (p. 102 - 115) • Risk Management Concepts • Implementing a Risk Management Program • Part 2 (p. 114 - 125) • The Risk Management Life Cycle • The Risk Management Process • Risk Management Methodologies
Topics • Part 3 (p. 125 - 158) • The Risk Management Life Cycle • Starting at "Asset Identi fi cation and Valuation" • Part 4 (p. 158 - 182) • Operational Risk Management
Risk Management • 30% of the CISM exam • The practice of balancing business opportunity with potential information security-related losses • Largely qualitative
Effectiveness • E ff ectiveness of risk management depends on • Support from executive management • Organization's culture with respect to security awareness and accountability • Each risk management program is di ff erent, depending on several factors
Factors
Outcomes of Risk Management • Greatest bene fi ts • Lower probability of security incidents • Reduced impact from incidents • Culture of risk-aware planning, thinking, and decision-making
Technologies * * see next slide
• From cso.com
Technologies * * see next slide
• "Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Think of GRC as a structured approach to aligning IT with business objectives, while e ff ectively managing risk and meeting compliance requirements." • From cio.com GRC
Technologies * * see following slides *
UBA • "a cybersecurity process about detection of insider threats, targeted attacks, and fi nancial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns —anomalies that indicate potential threats." • From Wikpiedia.org
Ch 3a-1
Purchasing Decisions • With risk management: • Identify speci fi c risks • Choose to mitigate those risks with speci fi c solutions • Without risk management, choices come from • Salespeople • Imitating other companies • Articles in trade publications
Risk Tolerance Factors • Risk assessments and risk treatments drive adjustments to controls
Relationships • IT and security can't be the "no" group • Become a business enabler • Role: security catalyst
Communication • Stakeholders need to understand • How risk management works • What role they will play in it to achieve business objectives • Impact on relationships and autonomy • How the program will improve the organization, including their own jobs • Be as transparent as possible • Some items are still con fi dential
Security Awareness • Given to entire organization • Basics of security
Risk Awareness • Given to senior personnel • Ensures that they know • All business decisions have implications on information risk • Presence of a formal risk management program • Process and techniques for making risk- aware decisions
Risk Consulting • Security managers often act as consultants within their organization • Requires relationships of trust • Treat these mini-consulting engagements as formal service requests • Be responsive
Information Risk Consultant • Key attributes • Ability to listen to business leaders • Ability to assess impact on a process or business unit, and identify other areas of the business the issue may cascade to • Understand business, not just technology
Risk Management Frameworks
Risk Management Frameworks
Framework Components
Governance, Risk, and Compliance (GRC) Systems
Integration into the Environment • Use a GRC platform to manage policies and external vendors • To minimize disruption to the organization • Integrating into culture is the most important consideration
Risk Management Context • Risk management program may operate only within part of the business • Or the entire organization
Internal Environments
External Environments
Gap Analyses • Examination of process or system • To determine di ff erences between • Existing state, and • Desired future state
Example of Gap Analysis • Change control process • Currently: only a log of changes and emails containing management approval • Lacking: • Change request procedure • Change Advisory Board (CAB) • Roles and responsibilities • More fi elds and annotations in the log
External Support • Every security manager is lacking in some areas • Experience with risk management programs • Experience in this security sector • Familiarity with tools, technologies, or processes
Information Sources • Security round tables • Organization chapters • ISSA, (ISC)2, ISACA • Society for Information Management (SIM) • Society of Information Risk Analysts (SIRA) • Cloud Security Alliance (CSA) • InfraGard • International Association of Privacy Professionals (IAPP)
• Published risk management practices • From (ISC)2, ISACA, SANS • Security Industry News • Information Security, SC, CSO Magazines • Dark Reading • TechTarget • (ISC)2, ISACA, 
 SANS Information Sources
• Reports from research organizations Information Sources
• Advisory services Information Sources
• Consulting fi rms • Training • Books Information Sources
• Conferences Information Sources
• Security Intelligence Services • Human-readable, or machine-readable for import into SIEM Information Sources
Ch 3a-2

Recommended

CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
Sam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
Sam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 

Recommended

CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
Sam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
Sam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
Sam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk Management
Sam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
Sam Bowne
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
Sam Bowne
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
Sam Bowne
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
randalje86
 
Enterprise Risk Management.pdf
Enterprise Risk Management.pdfEnterprise Risk Management.pdf
Enterprise Risk Management.pdf
Self Employed
 

More Related Content

What's hot

What's hot (20)

1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk Management
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
 
CNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life CycleCNIT 160: Ch 3b: The Risk Management Life Cycle
CNIT 160: Ch 3b: The Risk Management Life Cycle
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
 

Similar to Ch 3a: Risk Management Concepts

Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
a3virani
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
Scott Baron
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 

Similar to Ch 3a: Risk Management Concepts (20)

Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Enterprise Risk Management.pdf
Enterprise Risk Management.pdfEnterprise Risk Management.pdf
Enterprise Risk Management.pdf
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEs
 
Mandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALMandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINAL
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.comCmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Recently uploaded (20)

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 

Ch 3a: Risk Management Concepts

  • 1. CNIT 160: Cybersecurity Responsibilities 3. Information Risk Management Part 1 Pages 102 - 115 Updated 2-10-22
  • 2. Topics • Part 1 (p. 102 - 115) • Risk Management Concepts • Implementing a Risk Management Program • Part 2 (p. 114 - 125) • The Risk Management Life Cycle • The Risk Management Process • Risk Management Methodologies
  • 3. Topics • Part 3 (p. 125 - 158) • The Risk Management Life Cycle • Starting at "Asset Identi fi cation and Valuation" • Part 4 (p. 158 - 182) • Operational Risk Management
  • 4. Risk Management • 30% of the CISM exam • The practice of balancing business opportunity with potential information security-related losses • Largely qualitative
  • 5. Effectiveness • E ff ectiveness of risk management depends on • Support from executive management • Organization's culture with respect to security awareness and accountability • Each risk management program is di ff erent, depending on several factors
  • 7. Outcomes of Risk Management • Greatest bene fi ts • Lower probability of security incidents • Reduced impact from incidents • Culture of risk-aware planning, thinking, and decision-making
  • 11. • "Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Think of GRC as a structured approach to aligning IT with business objectives, while e ff ectively managing risk and meeting compliance requirements." • From cio.com GRC
  • 13. UBA • "a cybersecurity process about detection of insider threats, targeted attacks, and fi nancial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns —anomalies that indicate potential threats." • From Wikpiedia.org
  • 14.
  • 16. Purchasing Decisions • With risk management: • Identify speci fi c risks • Choose to mitigate those risks with speci fi c solutions • Without risk management, choices come from • Salespeople • Imitating other companies • Articles in trade publications
  • 17. Risk Tolerance Factors • Risk assessments and risk treatments drive adjustments to controls
  • 18. Relationships • IT and security can't be the "no" group • Become a business enabler • Role: security catalyst
  • 19. Communication • Stakeholders need to understand • How risk management works • What role they will play in it to achieve business objectives • Impact on relationships and autonomy • How the program will improve the organization, including their own jobs • Be as transparent as possible • Some items are still con fi dential
  • 20. Security Awareness • Given to entire organization • Basics of security
  • 21. Risk Awareness • Given to senior personnel • Ensures that they know • All business decisions have implications on information risk • Presence of a formal risk management program • Process and techniques for making risk- aware decisions
  • 22. Risk Consulting • Security managers often act as consultants within their organization • Requires relationships of trust • Treat these mini-consulting engagements as formal service requests • Be responsive
  • 23. Information Risk Consultant • Key attributes • Ability to listen to business leaders • Ability to assess impact on a process or business unit, and identify other areas of the business the issue may cascade to • Understand business, not just technology
  • 28. Integration into the Environment • Use a GRC platform to manage policies and external vendors • To minimize disruption to the organization • Integrating into culture is the most important consideration
  • 29. Risk Management Context • Risk management program may operate only within part of the business • Or the entire organization
  • 32. Gap Analyses • Examination of process or system • To determine di ff erences between • Existing state, and • Desired future state
  • 33. Example of Gap Analysis • Change control process • Currently: only a log of changes and emails containing management approval • Lacking: • Change request procedure • Change Advisory Board (CAB) • Roles and responsibilities • More fi elds and annotations in the log
  • 34. External Support • Every security manager is lacking in some areas • Experience with risk management programs • Experience in this security sector • Familiarity with tools, technologies, or processes
  • 35. Information Sources • Security round tables • Organization chapters • ISSA, (ISC)2, ISACA • Society for Information Management (SIM) • Society of Information Risk Analysts (SIRA) • Cloud Security Alliance (CSA) • InfraGard • International Association of Privacy Professionals (IAPP)
  • 36. • Published risk management practices • From (ISC)2, ISACA, SANS • Security Industry News • Information Security, SC, CSO Magazines • Dark Reading • TechTarget • (ISC)2, ISACA, 
 SANS Information Sources
  • 37. • Reports from research organizations Information Sources
  • 39. • Consulting fi rms • Training • Books Information Sources
  • 40.
  • 42. • Security Intelligence Services • Human-readable, or machine-readable for import into SIEM Information Sources