Neupart webinar 1: Four shortcuts to better risk assessments

At this webinar, you will learn how to perform risk assessments and risk analysis based on the most commonly used standards for information security. You will learn about

● Business Impact Assessments
● Vulnerability Assessments
● Threat Catalogues
● Risk Reporting
● Carrying out a risk assessment project
● Responsible shortcuts to better risk assessments

Language: English

For a full list of Neupart's webinars and other events visit www.neupart.com/events

Published in: Technology

Neupart webinar 1: Four shortcuts to better risk assessments

  1. Webinar: 4 shortcuts to professional IT risk assessments. Presented by Lars Neupart, Founder and CEO of Neupart, Information Security Management. LN@neupart.com, twitter @neupart
  2. About Neupart
     • ISO 27001 certified company.
     • Provides SecureAware®, an all-in-one, efficient ISMS solution allowing organizations to automate IT governance, risk and compliance management.
     • "The ERP of Security"
     • HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies.
     IT GRC = IT Governance, Risk & Compliance Management
  3. Program: Introduction; Business Impact Assessments; Threat Catalogues; Vulnerability Assessments; Carrying out a risk assessment project; Summary of shortcuts to better risk assessments
  4. Selected ISO 2700x standards
     • ISO 27000: Overview and vocabulary
     • ISO 27001: Information Security Management Systems – Requirements
     • ISO 27002: Code of practice for information security management
     • ISO 27003: ISMS Implementation Guidelines
     • ISO 27004: Information Security Management - Measurement
     • ISO 27005: Information Security Risk Management
     • ISO 27006: Requirements for bodies providing audit and certification
  5. ISO 31000 Enterprise Risk Management: Plan, Do, Check, Act
  6. Comparing ISO 27005 and NIST SP800-30
     ISO 27005 process: Context establishment; Identification of assets; Identification of threats; Identification of existing controls; Identification of vulnerabilities; Identification of consequences; Assessment of consequences; Assessment of incident likelihood; Risk estimation; Risk evaluation; Risk acceptance; Risk treatment; Risk communication
     NIST SP800-30 process: System Characterization; Threat Identification; Vulnerability Identification; Control Analysis; Likelihood Determination; Impact Analysis; Risk Determination; Control Recommendations; Results Documentation
  7. ISO 27005 is:
     • A threat based risk management guidance
     • Considered best practice
     • Well aligned with other risk frameworks
     • A method to comply with ISO 27001 risk management requirements
  8. Business Impact Assessment. ISO 27005: Estimate the business impact from breaches on CIA (confidentiality, integrity, availability)
     • Financial terms – revenue, cash flow, costs, liabilities
     • Non-financial terms – image, non-compliance, competitiveness, service level
  9. Example: Business Impact Assessment. Example from SecureAware
  10. Threats
  11. Example: Threat Catalogue. Example from SecureAware
  12. Not all assets burn (hint: link your threats to asset types). Example from SecureAware
  13. IT Risk Management - Explained (diagram). Threats have a frequency (incident likelihood) and an effect (consequence); prioritization addresses both sides.
     • Reduce likelihood – proactive security / preventive measures: IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring System, Firewall, Antivirus
     • Reduce consequence – reactive security / corrective measures: IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Incident Emergency Operations, Redundancy, Standby Equipment, Virtualization, Backup, Flexibility
  14. Vulnerability & control environment assessment (matrix of preventive/corrective measures against administrative/physical-technical measures)
     • Preventive, administrative: Security Policy, Compliance Checks, Awareness, Change Management, Documentation, Procedures
     • Preventive, physical/technical: Monitoring System, Logging System, Alarm System, Access Control System, Fire Suppression, Firewalls, Antivirus
     • Corrective, administrative: Business Continuity Strategy, IT Service Continuity Plan, Disaster Recovery
     • Corrective, physical/technical: Standby Site, Standby Equipment, Backup/Restore, Virtualization, Redundancy, Server snapshots, Server Clusters, RAID
     Assess how well your controls address relevant threats. Recommendation: base assessments on a maturity level scale.
  15. Example: Vulnerability Assessments. Example from SecureAware
  16. Assets: Dependency Hierarchy. Business Impact values are inherited downwards; Vulnerability values are inherited upwards. Example hierarchy (top to bottom): Finance (Business Process) → ERP (IT Service) → Finance DB (Database), Dynamics AOS (Business system) → SAN 01 (Data Storage) → Server 01, Server 02 (Virtual Server) → HP DL380, HP DL380 (Hardware unit) → Data Center Oslo (Datacenter)
  17. Business Processes & IT Services (diagram): Business Process 1 and Business Process 2 depend on IT Services (on premise) and IT Services from vendor, e.g. cloud. Business Impact Scores inherit downwards; Vulnerability Scores inherit upwards.
  18. High level assessments
     • You can postpone the more detailed assessments and analysis.
     • Begin at the top:
       – High level BIA can combine different impact types, e.g. revenue, cost, cashflow, image, in a single question.
       – High level vulnerability assessments can combine different threats in a single question.
  19. An assessment project step-by-step: What business processes, IT Services, etc. to include (assets)? → Who to involve in the assessments? → Perform interviews / collect data → Reporting and communication
  20. Risk Management: Risk Owner (Assets); Threats; Business Impact Assessment; Vulnerability Assessment; Reporting & evaluating; Treating (Accept, Reduce, Share, Avoid)
  21. Keep it simple: Risk Management = Risk Assessments + Risk Treatment
  22. Neupart's 4 responsible shortcuts
     1: Not all threats – Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
     2: Inheritance – Business impact values inherit downwards; vulnerability scores inherit upwards; asset dependencies / hierarchy
     3: Not all assets – Assess your most important assets first (you can add more later)
     4: High level first – Make an overall assessment first, refine later. Example: assess threats combined first, individually later
     PS! They also apply to the 2013 edition of ISO 27001.
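A worked model of shortcuts 1 and 2 (slides 12, 16 and 22): threats linked to asset types, business impact inherited down the dependency chain and vulnerability inherited up it. This is an added example, not code from the deck or from SecureAware; the 1-5 scores, the maximum as the inheritance rule and the risk formula are assumptions, since the slides give none.

```python
# Added example, not from the Neupart deck or SecureAware: shortcuts 1 and 2 on the slide-16 chain.
# Assumed (the slides give no formula): scores 1-5, inheritance takes the max, risk = frequency x vuln x impact.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                                     # asset type; shortcut 1 keys on it
    own_impact: int = 0                           # impact assessed directly on this asset
    own_vuln: dict = field(default_factory=dict)  # threat -> vulnerability score
    parents: list = field(default_factory=list)   # assets that depend on this one
    children: list = field(default_factory=list)  # assets this one depends on

# Shortcut 1 ("not all assets burn"): each threat is linked to the asset types it can hit.
THREAT_TYPES = {"Fire": {"datacenter", "hardware"},
                "Disk failure": {"storage", "hardware"},
                "Unauthorised access": {"it_service", "database", "business_system"}}
THREAT_FREQUENCY = {"Fire": 1, "Disk failure": 3, "Unauthorised access": 4}  # constructed values

def assess(asset, score):
    """Record a vulnerability score only for the threats relevant to this asset's type."""
    for threat, kinds in THREAT_TYPES.items():
        if asset.kind in kinds:
            asset.own_vuln[threat] = score

def impact(asset):
    # Shortcut 2: business impact inherits downwards, from the assets that depend on this one.
    return max([asset.own_impact] + [impact(p) for p in asset.parents])

def vulnerability(asset, threat):
    # Shortcut 2: vulnerability inherits upwards, from the assets this one depends on.
    return max([asset.own_vuln.get(threat, 0)] + [vulnerability(c, threat) for c in asset.children])

def risk(asset):
    """Risk per threat; a threat nothing below the asset is exposed to scores 0."""
    return {t: THREAT_FREQUENCY[t] * vulnerability(asset, t) * impact(asset) for t in THREAT_TYPES}

def build_slide16_chain():
    """Finance -> ERP -> Finance DB -> SAN 01 -> Server 01 -> HP DL380 -> Data Center Oslo."""
    chain = [Asset("Finance", "business_process", own_impact=5), Asset("ERP", "it_service"),
             Asset("Finance DB", "database"), Asset("SAN 01", "storage"),
             Asset("Server 01", "virtual_server"), Asset("HP DL380", "hardware"),
             Asset("Data Center Oslo", "datacenter")]
    for upper, lower in zip(chain, chain[1:]):   # upper depends on lower
        upper.children.append(lower)
        lower.parents.append(upper)
    assess(chain[2], 2)  # Finance DB: only "Unauthorised access" is relevant to a database
    assess(chain[3], 4)  # SAN 01: only "Disk failure"
    assess(chain[6], 3)  # Data Center Oslo: only "Fire"
    return {a.name: a for a in chain}  # risk(Finance): Fire 15, Disk failure 60, Unauthorised access 40
```

Because only three assets were scored, the Finance process still ends up with a risk figure for every threat its infrastructure is exposed to, which is the point of assessing the most important assets first and letting the scores propagate.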
  23. Resources
     • White papers and presentations at the Neupart blog – treatingrisk.blogspot.com
     • Educational webinars and SecureAware live demos at our website – neupart.com/events
     • SecureAware ISMS tool – www.neupart.com/products: ISO 27001 Policy & Compliance Management, IT Risk Management; out of the box solution; free trial
  24. INFORMATION SECURITY MANAGEMENT. More webinars: Treating Risks - today 4pm CET; SecureAware Live Demo – tomorrow 2pm; neupart.com/events
  25. Asset Management
  26. Your best and worst assets. Example from SecureAware
  27. Risk Management Projects. Example from SecureAware
  28. Key features summary – Risk TNG
     • Business impact assessment
     • Vulnerability assessment
     • Role based interviews
     • Flexible asset inventory for any type of asset, i.e. business processes, IT services, and their relationships
     • Customizable threat catalogue
     • Risk dashboards & flexible reporting options
     • Risk treatment processes
     • API
