SlideShare a Scribd company logo

Chapter 4: Governance and Risk Management

Download as PPTX, PDF
Nada G.Youssef
Nada G.Youssef

Security Program and Policies, Principles and Practices

Education
1 of 14
Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 4: Governance and Risk Management
Copyright 2014 Pearson Education, Inc. 2 Objectives ❑ Explain the importance of strategic alignment ❑ Know how to manage information security policies ❑ Describe information security-related roles and responsibilities ❑ Identify the components of risk management ❑ Create polices related to information security policy, governance, and risk management
Understanding Information Security Policies ■ The goal of the information security policies is to protect the organization from harm ❑ Policies should be written ❑ Policies should be supported by management ❑ Policies should help companies align security with business requirements and relevant laws and regulations ■ ISO 27002:2013 can provide a framework for developing security policies Copyright 2014 Pearson Education, Inc. 3
Understanding Information Security Policies cont. ■ Two approaches to information security ❑ Parallel approach ❑ Integrated approach ■ Policies can serve as teaching documents to influence behavior ❑ Acceptable Use Policy ■ Companies should create vendor versions of information security policies ■ Policies should be authorized by executive management ■ Policies should be updated on regular basis Copyright 2014 Pearson Education, Inc. 4
Evaluating Information Security Policies ■ Policies can be evaluated internally or by independent third parties ■ Audit ❑ Systematic, evidence-based evaluation ❑ Include interviews, observation, tracing documents to management policies, review or practices, review of documents, and tracing data to source documents ❑ Audit report containing the formal opinion and findings of the audit team is generated at the end of the audit ■ Capability Maturity Model (CMM) ❑ Used to evaluate and document process maturity for a given area Copyright 2014 Pearson Education, Inc. 5
Information Security Governance ■ The process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors ■ The Board of Directors is usually responsible for overseeing the policy development ■ Effective security requires a distributed governance model with the active involvement of stakeholders, decision makers, and users Copyright 2014 Pearson Education, Inc. 6
Distributed Governance Model ■ Chief information security officer (CISO) ■ Information security steering committee ■ Compliance officer ■ Privacy officer ■ Internal audit ■ Incident response team ■ Data owners ■ Data custodians ■ Data users Copyright 2014 Pearson Education, Inc. 7
Regulatory Requirements ■ Gramm-Leach Bliley (GLBA) Section 314.4 ■ HIPAA/HITECH Security Rule Section 164.308(a) ■ Payment Card Industry Data Security Standard (PCI DDS) section 12.5 ■ 201 CMR 17: Standards for Protection of Personal Information of the Residents of the Commonwealth–Section 17.0.2 Copyright 2014 Pearson Education, Inc. 8
Information Security Risk ■ Three factors influence information security decision making and policy creation ❑ Guiding principles ❑ Regulatory requirements ❑ Risk associated with achieving business objectives ■ Risk: The potential of undesirable or unfavorable outcome from a given action ■ Risk tolerance: Hhow much undesirable outcome the risk taker is willing to accept ■ Risk appetite: The amount of risk an entity is willing to accept in pursuit of its mission Copyright 2014 Pearson Education, Inc. 9
Risk Assessment ■ Evaluate what can go wrong and the likelihood of a harmful event occurring ■ Risk assessment involves ❑ Identifying the inherent risk based on relevant threats, threat sources, and related vulnerabilities ❑ Determining the impact of a threat if it occurs ❑ Calculating the likelihood of occurrence ❑ Determining residual risk Copyright 2014 Pearson Education, Inc. 10
Risk Assessment cont. ■ Inherent risk ❑ The level of risk before security measure are applied ■ Residual risk ❑ The level of risk after security measures are applied ■ Threat ❑ Natural, environmental, or human event that could cause harm ■ Vulnerability ❑ A weakness that could be exploited by a threat ■ Impact ❑ The magnitude of a harm Copyright 2014 Pearson Education, Inc. 11
Risk Assessment Methodologies ■ Components of a risk assessment methodology include ❑ Defined process ❑ Assessment approach ❑ Standardized analysis ■ Three well-known information security risk assessment methodologies ❑ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ❑ Factor Analysis of Information Risk (FAIR) ❑ NIST Risk Management Framework (RMF) Copyright 2014 Pearson Education, Inc. 12
Risk Management ■ The process of determining an acceptable level of risk, calculating the current risk level, accepting the level of risk, or taking steps to reduce it to an acceptable level ❑ Risk acceptance ❑ Risk mitigation ■ Risk reduction ■ Risk transfer ■ Risk sharing ■ Risk avoidance Copyright 2014 Pearson Education, Inc. 13
Copyright 2014 Pearson Education, Inc. 14 Summary ❑ Information security policies should be reviewed at least annually to ensure they are relevant and accurate ❑ Information security audits should be conducted to ensure policies are accepted and integrated ❑ Governance is the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors ❑ Risk management is the process of determining an acceptable level of risk, calculating the current risk level, accepting the level of risk, or taking steps to reduce it to an acceptable level

Recommended

Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementPYA, P.C.
 
Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides SlideTeam
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk managementKannan Subbiah
 
Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk ManagementFAA Safety Team Central Florida
 
Risk management
Risk managementRisk management
Risk managementBabasab Patil
 
ERM overview
ERM overviewERM overview
ERM overviewHisham Haridy MBA, PMP®, RMP®, SP®
 
Risk management
Risk managementRisk management
Risk managementHarold Malamion
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 

Recommended

Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementPYA, P.C.
 
Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides SlideTeam
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk managementKannan Subbiah
 
Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk ManagementFAA Safety Team Central Florida
 
Risk management
Risk managementRisk management
Risk managementBabasab Patil
 
ERM overview
ERM overviewERM overview
ERM overviewHisham Haridy MBA, PMP®, RMP®, SP®
 
Risk management
Risk managementRisk management
Risk managementHarold Malamion
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 
Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityJeff B
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and managementTanmoy Sinha
 
Strategic risk management
Strategic risk managementStrategic risk management
Strategic risk managementKarim Farag
 
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksStrategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksInternational Federation of Accountants
 
Risk management
Risk managementRisk management
Risk managementbadar214118
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Fundamentals Of Risk Management
Fundamentals Of Risk ManagementFundamentals Of Risk Management
Fundamentals Of Risk ManagementDr David Hancock
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentationalygale
 
Risk management
Risk managementRisk management
Risk managementMichael Alonzo
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in businessr2financial
 
Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk ManagementAndrew Smart
 
Risk culture presentation
Risk culture presentationRisk culture presentation
Risk culture presentationBenjamin Kpodo
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and managementTaekHyeun Kim
 
Risk Management
Risk ManagementRisk Management
Risk ManagementStefan Csosz
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementCroydon Consulting, LLC
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management FrameworkAnand Subramaniam
 
Enterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraEnterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraNik Hasyudeen
 
Chapter 1 risk management (3)
Chapter 1 risk management (3)Chapter 1 risk management (3)
Chapter 1 risk management (3)rafeeqameen
 
Enterprise Risk Management (ERM) Framework 2020
Enterprise Risk Management (ERM) Framework 2020 Enterprise Risk Management (ERM) Framework 2020
Enterprise Risk Management (ERM) Framework 2020 Richard Swartzbaugh
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Nada G.Youssef
 
CHAPTER 4: RISK MANAGEMENT
CHAPTER 4: RISK MANAGEMENTCHAPTER 4: RISK MANAGEMENT
CHAPTER 4: RISK MANAGEMENTanyoption
 

More Related Content

What's hot

Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityJeff B
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and managementTanmoy Sinha
 
Strategic risk management
Strategic risk managementStrategic risk management
Strategic risk managementKarim Farag
 
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksStrategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksInternational Federation of Accountants
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Fundamentals Of Risk Management
Fundamentals Of Risk ManagementFundamentals Of Risk Management
Fundamentals Of Risk ManagementDr David Hancock
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentationalygale
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in businessr2financial
 
Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk ManagementAndrew Smart
 
Risk culture presentation
Risk culture presentationRisk culture presentation
Risk culture presentationBenjamin Kpodo
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and managementTaekHyeun Kim
 
Enterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraEnterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraNik Hasyudeen
 
Chapter 1 risk management (3)
Chapter 1 risk management (3)Chapter 1 risk management (3)
Chapter 1 risk management (3)rafeeqameen
 
Enterprise Risk Management (ERM) Framework 2020
Enterprise Risk Management (ERM) Framework 2020 Enterprise Risk Management (ERM) Framework 2020
Enterprise Risk Management (ERM) Framework 2020 Richard Swartzbaugh
 

What's hot (20)

Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and Sustainability
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and management
 
Strategic risk management
Strategic risk managementStrategic risk management
Strategic risk management
 
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksStrategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
 
Risk management
Risk managementRisk management
Risk management
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite
 
Fundamentals Of Risk Management
Fundamentals Of Risk ManagementFundamentals Of Risk Management
Fundamentals Of Risk Management
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentation
 
Risk management
Risk managementRisk management
Risk management
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in business
 
Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk Management
 
Risk culture presentation
Risk culture presentationRisk culture presentation
Risk culture presentation
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and management
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management Framework
 
Enterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraEnterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ Inovastra
 
Chapter 1 risk management (3)
Chapter 1 risk management (3)Chapter 1 risk management (3)
Chapter 1 risk management (3)
 
Enterprise Risk Management (ERM) Framework 2020
Enterprise Risk Management (ERM) Framework 2020 Enterprise Risk Management (ERM) Framework 2020
Enterprise Risk Management (ERM) Framework 2020
 

Viewers also liked

Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Nada G.Youssef
 
CHAPTER 4: RISK MANAGEMENT
CHAPTER 4: RISK MANAGEMENTCHAPTER 4: RISK MANAGEMENT
CHAPTER 4: RISK MANAGEMENTanyoption
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset ManagementNada G.Youssef
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Nada G.Youssef
 
Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementNada G.Youssef
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and MaintenanceNada G.Youssef
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control ManagementNada G.Youssef
 
Chapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsChapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsNada G.Youssef
 
Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Nada G.Youssef
 
CHAPTER 3: TYPES OF UNDERLYING ASSETS
CHAPTER 3: TYPES OF UNDERLYING ASSETSCHAPTER 3: TYPES OF UNDERLYING ASSETS
CHAPTER 3: TYPES OF UNDERLYING ASSETSanyoption
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorChapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorNada G.Youssef
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Nada G.Youssef
 
Form 4 Chapter 4
Form 4 Chapter 4Form 4 Chapter 4
Form 4 Chapter 4DSO
 
Risk mangement
Risk mangementRisk mangement
Risk mangementcollege
 

Viewers also liked (20)

Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style
 
CHAPTER 4: RISK MANAGEMENT
CHAPTER 4: RISK MANAGEMENTCHAPTER 4: RISK MANAGEMENT
CHAPTER 4: RISK MANAGEMENT
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations Security
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources Security
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset Management
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy
 
Chapter 4 risk
Chapter 4 riskChapter 4 risk
Chapter 4 risk
 
Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity Management
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident Management
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control Management
 
Chapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsChapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial Institutions
 
Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security
 
CHAPTER 3: TYPES OF UNDERLYING ASSETS
CHAPTER 3: TYPES OF UNDERLYING ASSETSCHAPTER 3: TYPES OF UNDERLYING ASSETS
CHAPTER 3: TYPES OF UNDERLYING ASSETS
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorChapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare Sector
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants
 
Form 4 Chapter 4
Form 4 Chapter 4Form 4 Chapter 4
Form 4 Chapter 4
 
Risk mangement
Risk mangementRisk mangement
Risk mangement
 
Risk management
Risk managementRisk management
Risk management
 

Similar to Chapter 4: Governance and Risk Management

Information Security Incident Management.pdf
Information Security Incident Management.pdfInformation Security Incident Management.pdf
Information Security Incident Management.pdfGoldenMIT
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 
Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...stuimrozsm
 
Security Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer - Eric Vanderburg - JURINNOVSecurity Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Exeter university ig manager presentation [1]
Exeter university ig manager presentation [1]Exeter university ig manager presentation [1]
Exeter university ig manager presentation [1]Martin Lawrence
 
Privacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponsePrivacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponseID Experts
 
Information security
Information securityInformation security
Information securityPraveen Minz
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 

Similar to Chapter 4: Governance and Risk Management (20)

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Information Security Incident Management.pdf
Information Security Incident Management.pdfInformation Security Incident Management.pdf
Information Security Incident Management.pdf
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
Chapter003
Chapter003Chapter003
Chapter003
 
Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
 
Security Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer - Eric Vanderburg - JURINNOVSecurity Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer - Eric Vanderburg - JURINNOV
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Hipaa risk analysis_1.4
Hipaa risk analysis_1.4Hipaa risk analysis_1.4
Hipaa risk analysis_1.4
 
Exeter university ig manager presentation [1]
Exeter university ig manager presentation [1]Exeter university ig manager presentation [1]
Exeter university ig manager presentation [1]
 
Privacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponsePrivacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident Response
 
Information security
Information securityInformation security
Information security
 
Information security governance
Information security governanceInformation security governance
Information security governance
 

More from Nada G.Youssef

Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Nada G.Youssef
 

More from Nada G.Youssef (16)

مجلة 1
مجلة 1مجلة 1
مجلة 1
 
Chapter Tewlve
Chapter TewlveChapter Tewlve
Chapter Tewlve
 
Chapter Eleven
Chapter ElevenChapter Eleven
Chapter Eleven
 
Chapter Ten
Chapter TenChapter Ten
Chapter Ten
 
Chapter Nine
Chapter NineChapter Nine
Chapter Nine
 
Chapter Eight
Chapter Eight Chapter Eight
Chapter Eight
 
Chapter Seven
Chapter SevenChapter Seven
Chapter Seven
 
Chapter Six
Chapter SixChapter Six
Chapter Six
 
Chapter Five
Chapter FiveChapter Five
Chapter Five
 
Chapter Four
Chapter FourChapter Four
Chapter Four
 
Chapter Three
Chapter ThreeChapter Three
Chapter Three
 
Chapter Two
Chapter TwoChapter Two
Chapter Two
 
Chapter one
Chapter oneChapter one
Chapter one
 
Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
Chapter 11
Chapter 11Chapter 11
Chapter 11
 

Recently uploaded

Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 

Recently uploaded (20)

Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 

Chapter 4: Governance and Risk Management

  • 1. Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 4: Governance and Risk Management
  • 2. Copyright 2014 Pearson Education, Inc. 2 Objectives ❑ Explain the importance of strategic alignment ❑ Know how to manage information security policies ❑ Describe information security-related roles and responsibilities ❑ Identify the components of risk management ❑ Create polices related to information security policy, governance, and risk management
  • 3. Understanding Information Security Policies ■ The goal of the information security policies is to protect the organization from harm ❑ Policies should be written ❑ Policies should be supported by management ❑ Policies should help companies align security with business requirements and relevant laws and regulations ■ ISO 27002:2013 can provide a framework for developing security policies Copyright 2014 Pearson Education, Inc. 3
  • 4. Understanding Information Security Policies cont. ■ Two approaches to information security ❑ Parallel approach ❑ Integrated approach ■ Policies can serve as teaching documents to influence behavior ❑ Acceptable Use Policy ■ Companies should create vendor versions of information security policies ■ Policies should be authorized by executive management ■ Policies should be updated on regular basis Copyright 2014 Pearson Education, Inc. 4
  • 5. Evaluating Information Security Policies ■ Policies can be evaluated internally or by independent third parties ■ Audit ❑ Systematic, evidence-based evaluation ❑ Include interviews, observation, tracing documents to management policies, review or practices, review of documents, and tracing data to source documents ❑ Audit report containing the formal opinion and findings of the audit team is generated at the end of the audit ■ Capability Maturity Model (CMM) ❑ Used to evaluate and document process maturity for a given area Copyright 2014 Pearson Education, Inc. 5
  • 6. Information Security Governance ■ The process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors ■ The Board of Directors is usually responsible for overseeing the policy development ■ Effective security requires a distributed governance model with the active involvement of stakeholders, decision makers, and users Copyright 2014 Pearson Education, Inc. 6
  • 7. Distributed Governance Model ■ Chief information security officer (CISO) ■ Information security steering committee ■ Compliance officer ■ Privacy officer ■ Internal audit ■ Incident response team ■ Data owners ■ Data custodians ■ Data users Copyright 2014 Pearson Education, Inc. 7
  • 8. Regulatory Requirements ■ Gramm-Leach Bliley (GLBA) Section 314.4 ■ HIPAA/HITECH Security Rule Section 164.308(a) ■ Payment Card Industry Data Security Standard (PCI DDS) section 12.5 ■ 201 CMR 17: Standards for Protection of Personal Information of the Residents of the Commonwealth–Section 17.0.2 Copyright 2014 Pearson Education, Inc. 8
  • 9. Information Security Risk ■ Three factors influence information security decision making and policy creation ❑ Guiding principles ❑ Regulatory requirements ❑ Risk associated with achieving business objectives ■ Risk: The potential of undesirable or unfavorable outcome from a given action ■ Risk tolerance: Hhow much undesirable outcome the risk taker is willing to accept ■ Risk appetite: The amount of risk an entity is willing to accept in pursuit of its mission Copyright 2014 Pearson Education, Inc. 9
  • 10. Risk Assessment ■ Evaluate what can go wrong and the likelihood of a harmful event occurring ■ Risk assessment involves ❑ Identifying the inherent risk based on relevant threats, threat sources, and related vulnerabilities ❑ Determining the impact of a threat if it occurs ❑ Calculating the likelihood of occurrence ❑ Determining residual risk Copyright 2014 Pearson Education, Inc. 10
  • 11. Risk Assessment cont. ■ Inherent risk ❑ The level of risk before security measure are applied ■ Residual risk ❑ The level of risk after security measures are applied ■ Threat ❑ Natural, environmental, or human event that could cause harm ■ Vulnerability ❑ A weakness that could be exploited by a threat ■ Impact ❑ The magnitude of a harm Copyright 2014 Pearson Education, Inc. 11
  • 12. Risk Assessment Methodologies ■ Components of a risk assessment methodology include ❑ Defined process ❑ Assessment approach ❑ Standardized analysis ■ Three well-known information security risk assessment methodologies ❑ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ❑ Factor Analysis of Information Risk (FAIR) ❑ NIST Risk Management Framework (RMF) Copyright 2014 Pearson Education, Inc. 12
  • 13. Risk Management ■ The process of determining an acceptable level of risk, calculating the current risk level, accepting the level of risk, or taking steps to reduce it to an acceptable level ❑ Risk acceptance ❑ Risk mitigation ■ Risk reduction ■ Risk transfer ■ Risk sharing ■ Risk avoidance Copyright 2014 Pearson Education, Inc. 13
  • 14. Copyright 2014 Pearson Education, Inc. 14 Summary ❑ Information security policies should be reviewed at least annually to ensure they are relevant and accurate ❑ Information security audits should be conducted to ensure policies are accepted and integrated ❑ Governance is the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors ❑ Risk management is the process of determining an acceptable level of risk, calculating the current risk level, accepting the level of risk, or taking steps to reduce it to an acceptable level