PLAN
1. Information Security Risk in a nutshell
2. Key Elements of Effective IS Risk Management
3. Do's and Don'ts for Efficiency
1. Information Security Risk in a nutshell
Risk (diagram)
Threat: threat actor, threat factor, tools, skills
Asset
Vulnerability: inherent weakness
Risk = Probability x Impact
Risk Scenario
In 2020, Citibank mistakenly wired a $900 million loan payoff to the lenders of the cosmetics company Revlon.
Citibank asked the hedge funds to return the money; some did, others refused.
Citibank decided to sue them, and the federal judge ruled that Citibank could not have its money back.
As you would imagine, Citibank had multiple controls and policies in place to ensure that mistakes
like this would not happen.
Initial reports suggested that the mistake could have been caused by compromised banking controls,
but the problem was finally traced to recently installed software that was rife with UI issues.
The software did not have appropriate controls, and that led to the error. US regulators fined Citibank
$400 million and required it to update its data governance, risk management, and compliance controls.
2. Key Elements of Effective IS Risk Management
Key Elements
✓ Know your environment and its constraints
✓ Inventory information assets
✓ Classify information assets
✓ Identify dependencies
✓ Identify and validate vulnerabilities and threats
✓ Identify and implement treatment
✓ Check implementation
✓ Make adjustments and fine-tune
✓ Establish measurements (KRI, KPI)
✓ Establish monitoring
✓ Set measurement and reporting
✓ Repeat the cycle very often
3. Do's and Don'ts for Efficiency
❌ Don'ts and ✅ Do's
❌ Don't assume that security controls are working properly
✅ Set up monitoring and response mechanisms (SIEM, SOC, security analysts)
✅ Always check to identify issues with the controls and fine-tune where possible
✅ Always test from every angle to ensure the appropriateness of your control
❌ Don't over-rely on compensating controls
✅ Set a time limit to remediate the issue and remove the compensating control
✅ Always review with management if the risk persists
❌ Don't be hasty and/or try to cut corners
✅ Be realistic with the treatment methods chosen
✅ Get enough information for management to decide appropriately
❌ Don't assume that you know your inventory completely
✅ Always carry out periodic inventories to update the database; automate discovery
✅ Block automatic entry of assets; control the introduction of new assets
❌ Don't assume that your users will always understand controls
✅ Training and security awareness on a regular basis
✅ Test their knowledge through campaigns such as phishing campaigns
❌ Don't try to re-invent the wheel
✅ Use tried and proven methods such as the standards and frameworks that are available
✅ ISO 27005, NIST 800-37, EBIOS, MEHARI, OCTAVE, ISF RMF
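The risk model from the opening slides (a threat exploiting a vulnerability of an asset, scored as Risk = Probability x Impact) and two of the do's above (set a time limit on compensating controls; establish KRIs) can be made concrete as a small risk register. The Python below is an added example, not code from the deck or its author; the 1-5 scales, the threshold of 15 for "high risk", and every register entry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example (not from the original deck). The 1-5 scales for probability and
# impact, the 'high risk' threshold of 15 and every register entry below are
# constructed assumptions for illustration.


@dataclass
class RiskScenario:
    """One line of a risk register: a threat exploits a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    probability: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe), assumed scale
    compensating_control: Optional[str] = None
    remediation_deadline: Optional[date] = None  # date by which the real fix is due

    def __post_init__(self) -> None:
        for name, value in (("probability", self.probability), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        # A compensating control without a deadline is the over-reliance the deck warns about.
        if (self.compensating_control is None) != (self.remediation_deadline is None):
            raise ValueError("a compensating control and its remediation deadline go together")

    def score(self) -> int:
        """Risk = Probability x Impact, as on the slide."""
        return self.probability * self.impact


def rank_scenarios(scenarios: list) -> list:
    """Highest risk first; ties broken by impact so severe-but-unlikely items surface."""
    return sorted(scenarios, key=lambda s: (s.score(), s.impact), reverse=True)


def overdue_compensating_controls(scenarios: list, today: date) -> list:
    """Scenarios still relying on a compensating control past its remediation deadline."""
    return [s for s in scenarios
            if s.remediation_deadline is not None and s.remediation_deadline < today]


def kri_summary(scenarios: list, today: date, high_threshold: int = 15) -> dict:
    """Three key risk indicators (KRI) that could be reported at each cycle."""
    return {
        "high_risk_count": sum(1 for s in scenarios if s.score() >= high_threshold),
        "overdue_compensating_controls": len(overdue_compensating_controls(scenarios, today)),
        "max_score": max((s.score() for s in scenarios), default=0),
    }


# Constructed sample register (hypothetical assets and findings) and reporting date.
AS_OF = date(2024, 6, 1)
SAMPLE_REGISTER = [
    RiskScenario("payment platform", "operator error in the transfer UI",
                 "no second approval on large transfers", probability=3, impact=5,
                 compensating_control="manual four-eyes review of large transfers",
                 remediation_deadline=date(2024, 3, 31)),
    RiskScenario("customer database", "external attacker",
                 "unpatched web server", probability=4, impact=4),
    RiskScenario("intranet wiki", "curious insider",
                 "overly broad read access", probability=2, impact=2,
                 compensating_control="quarterly access review",
                 remediation_deadline=date(2025, 1, 31)),
]

if __name__ == "__main__":
    for s in rank_scenarios(SAMPLE_REGISTER):
        print(f"{s.score():>2}  {s.asset}: {s.threat} / {s.vulnerability}")
    for s in overdue_compensating_controls(SAMPLE_REGISTER, AS_OF):
        print(f"OVERDUE: {s.asset} still relies on '{s.compensating_control}' "
              f"(deadline {s.remediation_deadline})")
    print(kri_summary(SAMPLE_REGISTER, AS_OF))
```

Run as a script it ranks the three constructed scenarios, flags the payment platform whose compensating control passed its deadline, and prints the KRI dictionary; the deadline check is the mechanical form of "set a time limit and remove the compensating control", and the register refusing an entry with a compensating control but no deadline is what stops that limit from being forgotten.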
Summary
MERCI ! THANK YOU !
QUESTIONS ?

Effective Information Security Risk and Controls Management
