Risk Assessment And Risk Treatment

www.riesgoriskmanagement.com info@riesgoriskmanagement.com

Risk assessment and risk treatment

Contents
Introduction (page 2)
Process overview (page 2)
Risk assessment initiation: project submission & initial survey (page 3)
The project registration form (page 4)
The submitted project registration form (page 5)
Project register (page 7)
The risk assessment (page 8)
Project risk identification (page 9)
Information Asset risk assessment (page 10)
Business impact assessment (page 11)
Risk assessment of assets (page 12)
Risk management dashboards (page 13)
Introduction

This document describes how the www.riesgoriskmanagement.com ISO 27001 compliance tool handles risk assessment and risk treatment through its risk management function. The following assumptions are made:

1. There is an information security/compliance team in place.
2. There are business processes in place for project teams and business units to submit projects and business changes as and when they occur.
3. There is a risk assurance forum in place that handles risks raised by the organisation on a periodic basis.
4. There is a minimum security policy in place to which all projects and business changes have to adhere.

Process overview

The diagram below depicts the process by which projects are submitted and assessed and have their risks mitigated, as well as the risk management and assurance activities.
Risk assessment initiation: project submission & initial survey

The initial stage of risk assessment begins with project teams or business units submitting projects or business changes for assessment. For the sake of simplicity, we provide web-based forms where project managers and business units can submit their projects or change requests. In order not to overwhelm the system, we use a project survey: this form is completed by the project team or business unit and provides all the relevant information about the project. The initial survey has a rating system; depending on the options selected, the project may score low or high. Low-scoring projects tend to be those that either do not impact significant areas (e.g. credit card or confidential data) or that, even though they impact significant areas, have adopted the required minimum level of compliance. In either case, the project is submitted to the information security team for review. The picture below shows the function the team leader uses to allocate a project to a team of consultants.
The project registration form

The form will be made available on your intranet so that all business units, regardless of their geographical location, can access it and complete the project registration.
The submitted project registration form

Once completed, the project results are displayed to the project team and an alert is sent to the information security/compliance team with an indication of the result. In the example shown, the survey score indicates that the project has scored low. The fields can be changed to accommodate the specific requirements of your organisation, and the risk ratings can be changed to reflect your risk appetite. The risk score can be high, medium or low. All submitted projects can be viewed by the information security/compliance team, who decide which of the projects they wish to assess further. Traditionally, only medium and high risk projects are assessed further. If the information security/compliance team has several members who share work, a team leader role is available to allocate projects to team members.
A project with a high rating
Project register

The project register submitted to the information security or compliance team provides the team with the details of the project as well as the details relevant for billing and timescale. The solution gives the team the flexibility to provide their services to business units in remote locations while maintaining the same level of assurance. Each project will also contain the full documentation set for the project, either in teamrooms or as attachments; the documentation can include the PID, BRS, HLD and/or LLD.
The risk assessment

Once the project has been assigned to a consultant, he or she can pick up the project, review the details and carry out the business impact assessment. This BIA framework can incorporate your current risk management templates. The project dashboard shows the consultant the project details and the FRS survey carried out, and from it he or she can initiate the business impact assessment. If the team operates a milestone approval gate system, the project milestones will also be available to the consultant for approval on their due dates. The reports are also available to the project team for review and feedback. The diagram below shows how the consultant can add a new BIA as well as add stakeholders.
Project risk identification

When the consultant goes through the project documentation and meets with the project team to identify the project's intentions and proposals, the tool provides the option to register the risks identified in the project. Each risk records the business impact, the likelihood of occurrence and the residual risk associated with it. The risk is stored on the project risk register and reviewed periodically at each project milestone. The project register is available to the project and information security/compliance teams to review and mitigate. As each mitigation is addressed and approved, the risk register is updated to ensure there are no stagnant risks.
Information Asset risk assessment

Each information asset is registered per business unit or organisation. The business unit can upload its assets and carry out a risk assessment based on Confidentiality, Integrity and Availability (CIA); using the standard risk matrix, the tool calculates the business impact assessment by defining the business risk, likelihood of occurrence and residual risk. The picture below shows how an information security/compliance team can view all the information assets from each business unit. When each business unit logs on, it will only be able to see its own assets, whilst the information security/compliance team can see the entire organisation. If the information asset entry was completed by the business unit, the information security/compliance team can review the information added and adjust it accordingly, or produce baseline policies for dealing with specific data, for example fraud, confidential or business-sensitive assets.
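As an added illustration of the risk register described in the two sections above (example code written for this page, not the riesgoriskmanagement.com tool's own code), the following Python derives inherent and residual risk from CIA impact and likelihood and flags risks that have not been reviewed since the last project milestone. The 3-point scales, the impact-times-likelihood matrix, the rating cut-offs and the sample entries are all assumptions constructed for the example.

```python
# Added example, not the riesgoriskmanagement.com tool's own code. Scales,
# thresholds and sample entries are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

def rating(score: int) -> str:
    """Map an impact x likelihood score (1..9) onto low/medium/high (assumed cut-offs)."""
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

@dataclass
class Risk:
    title: str
    confidentiality: int            # impact on each CIA property, 1 (low) .. 3 (high)
    integrity: int
    availability: int
    likelihood: int                 # likelihood of occurrence, 1 .. 3
    mitigation_factor: float = 1.0  # 1.0 = no approved mitigation yet
    last_reviewed: Optional[str] = None  # ISO date of last review, None = never reviewed

    def impact(self) -> int:
        # Business impact taken as the worst-affected CIA property (assumption).
        return max(self.confidentiality, self.integrity, self.availability)

    def inherent(self) -> int:
        # Standard matrix: impact x likelihood, before any mitigation.
        return self.impact() * self.likelihood

    def residual(self) -> int:
        # Residual risk: inherent risk scaled by the mitigation that was approved.
        return max(1, round(self.inherent() * self.mitigation_factor))

    def residual_rating(self) -> str:
        return rating(self.residual())

def stagnant_risks(register: List[Risk], milestone: str) -> List[str]:
    """Titles of risks not reviewed on or after the milestone (ISO dates compare lexically)."""
    return [r.title for r in register
            if r.last_reviewed is None or r.last_reviewed < milestone]

# Constructed sample register for one project.
REGISTER = [
    Risk("Card data stored unencrypted", 3, 2, 1, 3, mitigation_factor=0.33, last_reviewed="2024-03-01"),
    Risk("Single web front end, no failover", 1, 1, 3, 2, last_reviewed="2024-01-10"),
    Risk("Shared administrator account", 2, 3, 1, 2, mitigation_factor=0.5),
]
MILESTONE = "2024-02-01"  # constructed date of the most recent project milestone

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.title}: inherent {r.inherent()} ({rating(r.inherent())}), "
              f"residual {r.residual()} ({r.residual_rating()})")
    print("stagnant since milestone:", stagnant_risks(REGISTER, MILESTONE))
```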
Business impact assessment

The consultants can initiate the business impact assessment for the project either by uploading their own BIA documents or, if teamrooms are used, by setting up a link to the central document repository. Once the BIA is uploaded,
Risk assessment of assets

The information asset can be edited to suit its current status. Each asset is given an asset ID and a detailed description, including its data inputs and outputs as well as with whom the information asset is shared.
Risk management dashboards

The tool provides several risk management dashboards, depending on the needs of the organisation.

The project dashboard

Asset list
Policy dashboard