DOMAIN 3: Information Security Governance and Risk Management
#3.04
CISSPills Table of Contents
- Security Management
- Risk Management
- Risk Assessment
- Risk Analysis
- Information Risk Management Policy
- Risk Assessment Methodologies
- Risk Analysis Approaches
- Steps of a Quantitative Risk Analysis
- Control Selection
- Total Risk vs Residual Risk
- Risk Handling
CISSPills Security Management
Security management includes all the activities needed to both keep a
Security Program running and maintain it.
It aims at continuously protecting the organisation's assets and resources and
incorporates processes, procedures, risk management, security controls and
awareness.
Security management ensures that policies, standards and guidelines are
implemented in a way that allows business to be conducted within an
acceptable level of risk.
CISSPills Risk Management
Risk refers to the likelihood that damage can occur and the impact it can have.
Risk Management is the process of identifying, assessing and reducing risks to
an acceptable level.
Risk can never be fully eliminated; there will always be a residual risk. Risk
management focuses on coping with risks so that they are reduced to a level
tolerated by the organisation.
Organisations operating in regulated environments (e.g. the Financial or
Healthcare industries) or subject to specific laws need to take these
requirements into account with regard to Risk Management and Security Governance.
Risk Management is split into two steps:
- Risk Assessment
- Risk Analysis
CISSPills Risk Assessment
Risk assessment is a method to identify vulnerabilities and threats and then
assess their possible impact, in order to determine the security controls to
put in place.
Once the threats and the vulnerabilities have been identified, the
ramifications deriving from their exploitation shall be investigated.
Risks can have:
- Loss potential: what the company can lose if the threat agent manages to
exploit a vulnerability;
- Delayed loss: a secondary consequence not directly related to the
vulnerability being exploited, but equally impacting the organisation and its
business (e.g. bad reputation after a breach).
CISSPills Risk Analysis
Risk Analysis helps to prioritise risks, so that the most critical are addressed
first. It also shows the amount of resources needed to protect against a
specific risk.
It provides a cost/benefit analysis, which compares the cost deriving from the
occurrence of a threat with the annualised cost of the safeguard to implement.
A proper analysis allows one to understand whether a countermeasure is worth
implementing: typically, it makes no sense to implement a control that costs
more than the loss derived from the occurrence of the threat it addresses.
Ideally, the Risk Analysis team should include people from different
departments of the organisation, in order to have a comprehensive picture of
the risks within the enterprise. Alternatively, the team needs to interview
people working in other departments to make sure their standpoints are captured.
CISSPills Information Risk Management Policy
To be successful, a Risk Management process needs to be supported by
executive management, and needs a documented process, an information risk
management (IRM) team and an IRM policy.
The IRM policy is very important, as it is the tool providing the IRM team
with guidance on how to carry out proper risk management within the
organisation. For example, the policy describes:
- the objectives of the IRM team;
- the acceptable level of risk for the organisation;
- the risk identification process;
- the responsibilities of the IRM team;
- the metrics used to measure the effectiveness of the controls.
CISSPills Risk Assessment Methodologies
There are a number of risk assessment methodologies, each with specific
characteristics. There isn't a 'one size fits all' approach, and the choice
really depends on the particular requirements of an organisation.
For example, organisations implementing a security program compliant with
the ISO 27001 standard should use the ISO 27005 standard, which describes
how risk management should be undertaken within an ISMS.
NIST 800-30, mainly focusing on IT, is instead considered a U.S. federal
standard and fits better in governmental organisations.
CISSPills Risk Analysis Approaches
Risk analysis can be carried out following two different approaches:
- Quantitative analysis: assigns numeric values to the loss, to the likelihood
of a threat occurring and to the extent of the damage in the event of a loss.
These figures are entered into equations to determine total and residual risk;
- Qualitative analysis: does not use numeric values. It assigns a rating to the
risk (e.g. High, Medium, Low) to convey its criticality.
The team members rely on scenarios to determine the different risks and their
severity, and make use of brainstorming sessions, checklists, questionnaires,
storyboards, etc. to walk through the risk analysis.
The analysis relies heavily on the experience, intuition and judgement of the
people involved in the assessment.
CISSPills Steps of a Quantitative Risk Analysis
The equations most used in a quantitative risk analysis are Single Loss
Expectancy (SLE) and Annualized Loss Expectancy (ALE).
SLE provides a dollar amount for a single occurrence of a threat.
SLE ($) = Asset Value (AV) x Exposure Factor (EF)
AV = value of the asset
EF = the percentage of damage to the asset when the threat takes place.
ALE ($) = SLE x Annualized Rate of Occurrence (ARO)
ARO = likelihood that the threat takes place over a period of one year. It can
range from 0.0 (never) to 1.0 (once a year), with any value in between (e.g.
once in 10 years is 1/10 = 0.1).
With the ALE a company knows how much it can spend to protect the asset
against a specific threat.
CISSPills Control Selection
A control must be cost-effective, that is, its cost shall not exceed the value
of the loss derived from the threat it is trying to address.
A cost/benefit analysis allows one to estimate whether the cost of the control
outweighs its benefits. An equation typically used is:
ALE before control implementation - ALE after control implementation -
annualized cost of the control
The cost of the control needs to include all the expenses related to its
purchase, implementation, maintenance, etc. For example, if the control were
a firewall, the cost should not take into account only its price, but also the
cost of training, the cost of the licence, the cost of the people implementing
the solution and so forth.
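A worked calculation of the SLE and ALE formulas from the Steps of a Quantitative Risk Analysis slide and of the cost/benefit equation from the Control Selection slide, added here as an example and not taken from the CISSPills slides. The threat, the control names, and every asset value, exposure factor, rate of occurrence and annual cost are constructed figures; the `Threat` and `Control` types and all function names are the example's own:

```python
"""Worked quantitative risk analysis: SLE, ALE and control cost/benefit.

Added example, not part of the CISSPills slides. All figures below are
constructed to illustrate the formulas; threat and control names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """A threat against one asset, with the inputs the slides define."""
    name: str
    asset_value: float      # AV: value of the asset (currency units)
    exposure_factor: float  # EF: fraction of the asset lost when the threat occurs (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year (once in 10 years = 0.1)


@dataclass(frozen=True)
class Control:
    """A safeguard: its full annualised cost and the EF/ARO left once it is in place."""
    name: str
    annual_cost: float      # purchase, licence, training, implementation staff, maintenance
    residual_ef: float      # EF once the control is in place
    residual_aro: float     # ARO once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from the threat."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def threat_ale(threat: Threat) -> float:
    """ALE of a threat with no control in place."""
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def ale_with_control(threat: Threat, control: Control) -> float:
    """ALE of the same threat once the control has reduced EF and/or ARO."""
    sle = single_loss_expectancy(threat.asset_value, control.residual_ef)
    return annualized_loss_expectancy(sle, control.residual_aro)


def control_value(threat: Threat, control: Control) -> float:
    """Cost/benefit figure from the Control Selection slide:
    ALE before control - ALE after control - annualised cost of the control.
    Positive: the control saves more than it costs. Negative: it costs more
    than the loss it prevents and is not cost-effective."""
    return threat_ale(threat) - ale_with_control(threat, control) - control.annual_cost


def cost_effective_controls(threat: Threat, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls worth implementing for this threat, best value first."""
    scored = [(c.name, control_value(threat, c)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed scenario: a file server worth 500,000, hit by ransomware that
# destroys 40% of its value, expected once every four years (ARO = 0.25).
RANSOMWARE = Threat("ransomware on file server", asset_value=500_000,
                    exposure_factor=0.4, aro=0.25)

# Constructed controls. The annual cost is the whole bill (licence, training,
# staff, maintenance), not just the purchase price, as the slide requires.
CANDIDATE_CONTROLS = [
    # licence 5,000 + training 2,000 + staff 5,000 per year; cuts loss per event to 10%
    Control("offline backups", annual_cost=12_000, residual_ef=0.1, residual_aro=0.25),
    # expensive managed service that cuts loss per event to 5%
    Control("managed detection service", annual_cost=45_000, residual_ef=0.05, residual_aro=0.25),
]


if __name__ == "__main__":
    sle = single_loss_expectancy(RANSOMWARE.asset_value, RANSOMWARE.exposure_factor)
    print(f"SLE = {sle:,.0f}")                      # 200,000
    print(f"ALE = {threat_ale(RANSOMWARE):,.0f}")   # 50,000
    for control in CANDIDATE_CONTROLS:
        print(f"{control.name}: value = {control_value(RANSOMWARE, control):,.0f}")
    print("worth implementing:", cost_effective_controls(RANSOMWARE, CANDIDATE_CONTROLS))
```

With the constructed figures the backups control returns 25,500 per year above its cost, while the dearer service returns a negative value: it prevents more loss, but its annual cost exceeds the extra saving, which is exactly the case the Control Selection slide says makes no sense to implement.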
CISSPills Total Risk vs Residual Risk
As said before, a control is not able to completely eliminate a risk. Even when
a safeguard is put in place, a Residual Risk will still exist. The important
thing is that such risk does not exceed the level of risk the organisation
deems acceptable.
Total Risk = Threats x Vulnerability x Asset Value
Residual Risk = Threats x Vulnerability x Asset Value x Control Gap
Control Gap = the protection that the control cannot provide
An alternative way to describe Residual Risk is:
Residual Risk = Total Risk - Countermeasure
The formulas above are only a conceptual representation of the relationship
between the entities making up risk, and are useful to understand the items
involved in Total and Residual Risk.
CISSPills Risk Handling
An organisation can choose to handle a risk in one of the following ways:
- Accept: the organisation decides it can 'live' with the identified risk and
no further action is taken;
- Transfer: the risk is deemed too high or too costly to be mitigated using a
control, and for this reason it is transferred to another entity (e.g. an
insurance company);
- Avoid: the organisation decides to eliminate the element that poses the
risk, thereby avoiding the risk;
- Mitigate: the organisation decides to implement a control that reduces the
risk to an acceptable level.
An organisation can choose one of the four options seen above depending on
the context. All of them, unlike rejecting or ignoring the risk, are ways to
cope with it.
CISSPills That's all Folks!
We are done, thank you for your interest! I hope you have enjoyed these pills
as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
- Stay tuned for the next issues;
- Join "CISSP Study Group Italia" if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on Contact Details

More Related Content

What's hot

CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinDavid X Martin
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of securityciso_insights
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsDavid X Martin
 
Security Governance by Risknavigator 2010
Security Governance by Risknavigator 2010Security Governance by Risknavigator 2010
Security Governance by Risknavigator 2010Lennart Bredberg
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016Ben Browning
 
Infographic - Critical Capabilities of a Good Risk Management Solution
Infographic - Critical Capabilities of a Good Risk Management SolutionInfographic - Critical Capabilities of a Good Risk Management Solution
Infographic - Critical Capabilities of a Good Risk Management SolutionCorporater
 
Regulatory Risk
Regulatory RiskRegulatory Risk
Regulatory Risknikatmalik
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
Directory: Regulatory & Risk Data
Directory: Regulatory & Risk DataDirectory: Regulatory & Risk Data
Directory: Regulatory & Risk DataConor Coughlan
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMIvanti
 
Safety & Asset Integrity Excellence - A Study of Three Mile Island
Safety & Asset Integrity Excellence - A Study of Three Mile IslandSafety & Asset Integrity Excellence - A Study of Three Mile Island
Safety & Asset Integrity Excellence - A Study of Three Mile IslandKienbaum Consultants
 

What's hot (20)

CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martin
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-Profits
 
Security Governance by Risknavigator 2010
Security Governance by Risknavigator 2010Security Governance by Risknavigator 2010
Security Governance by Risknavigator 2010
 
Integrated risk management
Integrated risk managementIntegrated risk management
Integrated risk management
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity Model
 
The Path to Self-Disruption
The Path to Self-DisruptionThe Path to Self-Disruption
The Path to Self-Disruption
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
 
Infographic - Critical Capabilities of a Good Risk Management Solution
Infographic - Critical Capabilities of a Good Risk Management SolutionInfographic - Critical Capabilities of a Good Risk Management Solution
Infographic - Critical Capabilities of a Good Risk Management Solution
 
Regulatory Risk
Regulatory RiskRegulatory Risk
Regulatory Risk
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
CISSPills #3.06
CISSPills #3.06CISSPills #3.06
CISSPills #3.06
 
Directory: Regulatory & Risk Data
Directory: Regulatory & Risk DataDirectory: Regulatory & Risk Data
Directory: Regulatory & Risk Data
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSM
 
Safety & Asset Integrity Excellence - A Study of Three Mile Island
Safety & Asset Integrity Excellence - A Study of Three Mile IslandSafety & Asset Integrity Excellence - A Study of Three Mile Island
Safety & Asset Integrity Excellence - A Study of Three Mile Island
 
Chapter003
Chapter003Chapter003
Chapter003
 

Similar to CISSPills #3.04

Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterDion K Hamilton
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Risk-Management-ppt.pptx
Risk-Management-ppt.pptxRisk-Management-ppt.pptx
Risk-Management-ppt.pptxYashuShukla2
 
Compliance and risk management
Compliance and risk managementCompliance and risk management
Compliance and risk managementITSYS Solutions
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docxgilbertkpeters11344
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxAbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxransayo
 
Introduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330OverviewIntroduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330OverviewTatianaMajor22
 
Risk Management and Control(Insurance).pptx
Risk Management and Control(Insurance).pptxRisk Management and Control(Insurance).pptx
Risk Management and Control(Insurance).pptxmuthukrishnaveni anand
 
Risk management osh
Risk management oshRisk management osh
Risk management oshjaycatubig
 
7 Key Elements Of An Enterprise Risk Management Program
7 Key Elements Of An Enterprise Risk Management Program7 Key Elements Of An Enterprise Risk Management Program
7 Key Elements Of An Enterprise Risk Management ProgramAlicia Edwards
 
HFMA Searching for Risk, April 2004
HFMA Searching for Risk, April 2004HFMA Searching for Risk, April 2004
HFMA Searching for Risk, April 2004Theim912
 
Risk management
Risk managementRisk management
Risk managementaseel m
 
Risks and TCoR
Risks and TCoRRisks and TCoR
Risks and TCoRkruijsse
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfRobert Serena, FSA, CFA, CPCU
 
Enterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakEnterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakYashavanth Nayak
 
ToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_enToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_enToTCOOPiTech
 

Similar to CISSPills #3.04 (20)

Risk Mgt
Risk Mgt Risk Mgt
Risk Mgt
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
Risk-Management-ppt.pptx
Risk-Management-ppt.pptxRisk-Management-ppt.pptx
Risk-Management-ppt.pptx
 
Compliance and risk management
Compliance and risk managementCompliance and risk management
Compliance and risk management
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
 
Unit 1 rmi
Unit 1 rmiUnit 1 rmi
Unit 1 rmi
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxAbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
 
Introduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330OverviewIntroduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330Overview
 
Risk Management and Control(Insurance).pptx
Risk Management and Control(Insurance).pptxRisk Management and Control(Insurance).pptx
Risk Management and Control(Insurance).pptx
 
Risk management osh
Risk management oshRisk management osh
Risk management osh
 
7 Key Elements Of An Enterprise Risk Management Program
7 Key Elements Of An Enterprise Risk Management Program7 Key Elements Of An Enterprise Risk Management Program
7 Key Elements Of An Enterprise Risk Management Program
 
HFMA Searching for Risk, April 2004
HFMA Searching for Risk, April 2004HFMA Searching for Risk, April 2004
HFMA Searching for Risk, April 2004
 
Risk management
Risk managementRisk management
Risk management
 
Risks and TCoR
Risks and TCoRRisks and TCoR
Risks and TCoR
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdf
 
Risk management standard 030820
Risk management standard 030820 Risk management standard 030820
Risk management standard 030820
 
Enterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakEnterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G Nayak
 
ToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_enToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_en
 

More from Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation (6)

CISSPills #1.03
CISSPills #1.03CISSPills #1.03
CISSPills #1.03
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
 
CISSPills #1.01
CISSPills #1.01CISSPills #1.01
CISSPills #1.01
 
Annex 01
Annex 01Annex 01
Annex 01
 
CISSPills #3.05
CISSPills #3.05CISSPills #3.05
CISSPills #3.05
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 

Recently uploaded

How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxabhijeetpadhi001
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Blooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxBlooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxUnboundStockton
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 

Recently uploaded (20)

How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Blooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxBlooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docx
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 

CISSPills #3.04

  • 1. DOMAIN 3: Information Security Governance and Risk Management # 3.04
  • 2. CISSPills Table of Contents  Security Management  Risk Management  Risk Assessment  Risk Analysis  Information Risk Management Policy  Risk Assessment Methodologies  Risk Analysis Approaches  Steps of a Quantitative Risk Analysis  Control Selection  Total Risk vs Residual Risk  Risk Handling
  • 3. CISSPills Security Management Security management includes all the activities needed to both keep a Security Program running and maintain it. It aims at continuously protecting organisation’s assets and resources and incorporates processes, procedures, risk management, security controls and awareness. Security management ensures that policies, standards and guidelines are implemented in a way which assures business to be conducted within an acceptable risk level.
  • 4. CISSPills Risk Management Risk refers to the likelihood a damage can occur and impact it can have. Risk Management is the process of identifying, assessing and minimising risks to an acceptable level. Risk can be never fully reduced, there will always be a residual risk. Risk management focuses to cope with risks to that they are reduced to a level tolerated by the organisation. Organisations operating in regulated environments (e.g. Financial or Healthcare industries) or subject to laws, need to take into account this requirements with regards to Risk Management and Security Governance. Risk Management is split in two steps:  Risk Assessment  Risk Analysis
  • 5. CISSPills Risk Assessment Risk assessment is a method to identify vulnerabilities and threats, assessing then their possible impact in order to determine the security controls to put in place. Once the threats and the vulnerabilities have been identified, the ramifications deriving from their exploitation shall be investigated. Risks can have:  Loss potential: what the company can lose if the threat agent manages to exploit a vulnerability;  Delayed loss: a secondary consequence not directly related to the vulnerability being exploited, but equally impacting the organisation and its business (e.g. bad reputation after a breach).
  • 6. CISSPills Risk Analysis Risk Analysis helps to priorities risks, so that the most critical are addressed first. It also show the amount of resources needed to protect against a specific risk. It provides a cost/benefit analysis, which compares the cost deriving from the occurrence of a threat and the annualised cost of the safeguard to implement. A proper analysis allows to understand if a countermeasure is worth to be implemented. Typically, in fact, it makes no sense implementing a controls that costs more than the loss derived by the occurrence of a threat. Ideally, the Risk Analysis team should include people coming from different departments of the organisation, in order to have a comprehensive picture of the risks within the enterprise. Alternatively, the team needs to interview people working in other department to make sure other standpoints are captured.
7. CISSPills Information Risk Management Policy
To be successful, a Risk Management process needs the support of executive management, a documented process, an information risk management (IRM) team and an IRM policy.
The information risk management policy is very important, as it is the tool that provides the IRM team with guidance on how to carry out a proper risk management activity within the organisation. For example, the policy describes:
- the objectives of the IRM team;
- the acceptable level of risk for the organisation;
- the risk identification process;
- the responsibilities of the IRM team;
- the metrics used to measure the effectiveness of the controls.
8. CISSPills Risk Assessment Methodologies
There are a number of risk assessment methodologies, each with its own specific characteristics. There isn't a 'one size fits all' approach, and the choice really depends on the particular requirements of an organisation.
For example, organisations implementing a security program compliant with the ISO 27001 standard should use the ISO 27005 standard, which describes how risk management should be undertaken within an ISMS. NIST 800-30, which focuses mainly on IT, is instead considered a U.S. federal standard and fits better in governmental organisations.
9. CISSPills Risk Analysis Approaches
Risk analysis can be carried out following two different approaches:
- Quantitative analysis: this analysis assigns numeric values to the loss, to the likelihood of a threat occurring and to the extent of the damage in the event of a loss. These figures are entered into equations to determine total and residual risk;
- Qualitative analysis: this analysis doesn't use numeric values. It assigns a rating to the risk (e.g. High, Medium, Low) to convey its criticality. The team members rely on scenarios to determine the different risks and their severity, and make use of brainstorming sessions, checklists, questionnaires, storyboards, etc. to walk through the risk analysis. The analysis relies heavily on the experience, intuition and judgement of the people involved in the assessment.
10. CISSPills Steps of a Quantitative Risk Analysis
The most used equations in a quantitative risk analysis are Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE). SLE provides a dollar amount for a single occurrence of a threat.
SLE ($$$) = Asset Value (AV) x Exposure Factor (EF)
AV = value of the asset
EF = the percentage of damage to the asset when the threat takes place.
ALE ($$$) = SLE x Annualized Rate of Occurrence (ARO)
ARO = likelihood that the threat takes place over a period of one year. It can range from 0.0 (never) to 1.0 (once a year), with any value in between (e.g. once in 10 years is 0.1, since 1/10 = 0.1).
With the ALE a company knows how much it can spend to protect the asset against a specific threat.
11. CISSPills Control Selection
A control must be cost-effective, that is, its cost shall not exceed the value of the loss derived from the threat it is trying to address. A cost/benefit analysis makes it possible to estimate whether the cost of the control outweighs its benefits. An equation typically used is:
ALE before control implementation - ALE after control implementation - annualized cost of the control
The cost of the control needs to include all the expenses related to its purchase, implementation, maintenance, etc. For example, if the control were a firewall, the cost shouldn't take into account only its price, but also the cost of the training, the cost of the licence, the cost of the people implementing the solution and so forth.
12. CISSPills Total Risk vs Residual Risk
As said before, a control is not able to completely eliminate a risk. Even if a safeguard is put in place, a Residual Risk will still exist. The important thing is that such risk doesn't exceed the level of risk the organisation deems acceptable.
Total Risk = Threats x Vulnerability x Asset Value
Residual Risk = Threats x Vulnerability x Asset Value x Control Gap
Control Gap = the protection that the control can't provide
An alternative way to describe the Residual Risk is:
Residual Risk = Total Risk - Countermeasure
The formulas above are only a conceptual representation of the relationship between the entities making up risk, and are useful to understand the items involved in Total and Residual Risk.
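The SLE/ALE equations, the control cost/benefit equation and the residual-risk check from the three slides above, carried through on constructed figures. This is an added example and not code from the slides or their author; the asset, threat and control values are made up, and Residual Risk is computed here as ALE x Control Gap, taking the Control Gap as the share of the exposure factor the control does not remove, which is this example's own assumption rather than a definition from the deck.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the three quantitative inputs."""
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0 .. 1.0)
    aro: float               # ARO, occurrences per year (once in 10 years = 0.1)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard plus everything needed to annualise its cost."""
    name: str
    residual_ef: float   # exposure factor that remains once the control is in place
    upfront_cost: float  # purchase + implementation labour + training, paid once
    annual_cost: float   # licences, maintenance, operations, paid every year
    lifetime_years: int  # period over which the one-off cost is spread


def single_loss_expectancy(threat: Threat) -> float:
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    return threat.asset_value * threat.exposure_factor


def annualized_loss_expectancy(threat: Threat) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    return single_loss_expectancy(threat) * threat.aro


def annualized_control_cost(control: Control) -> float:
    """Spread one-off costs over the control's life and add the recurring ones,
    so the figure is comparable with an ALE (the firewall point on the slide:
    price plus training, licence and implementation, not the price alone)."""
    return control.upfront_cost / control.lifetime_years + control.annual_cost


def with_control(threat: Threat, control: Control) -> Threat:
    """The same threat as seen after the control has reduced the exposure factor."""
    return Threat(threat.name, threat.asset_value, control.residual_ef, threat.aro)


def control_value(threat: Threat, control: Control) -> float:
    """ALE before control - ALE after control - annualised cost of the control.
    A positive result means the control is cost-effective for this threat."""
    return (annualized_loss_expectancy(threat)
            - annualized_loss_expectancy(with_control(threat, control))
            - annualized_control_cost(control))


def residual_risk(threat: Threat, control: Control) -> float:
    """Residual Risk = Total Risk x Control Gap, with ALE standing in for total
    risk and the control gap taken as the share of the exposure the control does
    not remove (this example's assumption, not a definition from the deck)."""
    if threat.exposure_factor == 0:
        return 0.0
    control_gap = control.residual_ef / threat.exposure_factor
    return annualized_loss_expectancy(threat) * control_gap


def evaluate(threat: Threat, controls: list, acceptable_annual_loss: float) -> list:
    """One row per candidate control: is it cost-effective, and does the
    residual risk stay within the level the organisation deems acceptable?"""
    rows = []
    for control in controls:
        value = control_value(threat, control)
        residual = residual_risk(threat, control)
        rows.append({
            "control": control.name,
            "annual_cost": annualized_control_cost(control),
            "residual_risk": residual,
            "control_value": value,
            "cost_effective": value > 0,
            "within_tolerance": residual <= acceptable_annual_loss,
        })
    return rows


# Constructed sample figures (not taken from the slides).
FIRE = Threat("data centre fire", asset_value=1_000_000, exposure_factor=0.40, aro=0.10)
SUPPRESSION = Control("fire suppression system", residual_ef=0.10,
                      upfront_cost=30_000, annual_cost=2_000, lifetime_years=5)
HOT_SITE = Control("hot site", residual_ef=0.05,
                   upfront_cost=50_000, annual_cost=30_000, lifetime_years=5)
ACCEPTABLE_ANNUAL_LOSS = 12_000  # the organisation's tolerated yearly loss (constructed)


def demo() -> list:
    """Run the evaluation on the constructed figures."""
    return evaluate(FIRE, [SUPPRESSION, HOT_SITE], ACCEPTABLE_ANNUAL_LOSS)


if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(FIRE):,.0f}  ALE = {annualized_loss_expectancy(FIRE):,.0f}")
    for row in demo():
        print(row)
```

With these figures the fire has an SLE of 400,000 and an ALE of 40,000. The suppression system brings the residual risk down to 10,000 a year for an annualised cost of 8,000, so the equation comes out positive and the residual risk sits within the tolerated 12,000. The hot site also meets the tolerance, but its annualised cost (40,000) exceeds the loss it avoids, so the equation goes negative and the control is not cost-effective for this threat on its own.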
13. CISSPills Risk Handling
An organisation can choose to handle a risk in the following ways:
- Accept: the organisation decides it can 'live' with the identified risk and no further action is taken;
- Transfer: the risk is deemed too high or too costly to be mitigated using a control and for this reason is transferred to another entity (e.g. an insurance company);
- Avoid: the organisation decides to eliminate the element that poses the risk, in order to consequently avoid the risk;
- Mitigate: the organisation decides to implement a control, which allows the risk to be reduced to an acceptable level.
An organisation can choose one of the four options seen above depending on the context. All but rejecting/ignoring the risk are ways to cope with it.
14. CISSPills That's all Folks!
We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at: cisspills <at> outlook <dot> com
More resources:
- Stay tuned on for the next issues;
- Join "CISSP Study Group Italia" if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on Contact Details