The document outlines definitions and distinctions between risk and issue, emphasizing the need for effective risk management in organizations. It discusses the risk management cycle, including risk identification, assessment, and mitigation strategies, while identifying various sources and methods of risk assessment. Additionally, it highlights the importance of proactive approaches to managing risks, the role of information security, and the necessity of maintaining proper risk documentation and reporting.

1. BY
PARABAKARAN

2. RISK DEFINITIONS
RISK DEFINITION: A Risk is a potential or future event that, should it occur, will
have a (negative) impact on the Business Objectives of an Organisation
o A risk must have Uncertainty, (in terms of Probability or Likelihood). It might
happen
o A risk must have a measurable Impact, (usually measured in monetary
terms, but other criteria are acceptable, reputation for example)
o “It May Rain Tomorrow”
◦ ISSUE DEFINITION: An Issue is a current event that will have a (negative)
impact on the Business Objectives of an Organisation
o E.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an
Equipment or Supplier failure
o “It is Raining Today”

3. Risk Life Cycle
3
Threat Agent
Vulnerability
Risk
Asset
Exposures
Safeguard
Exploits
Leads to
Can damage
And cause an
Can be
cuntermeasure by a

4. Risk Management Cycle
4
Identify Risks
Assess Risks
Define Desired
Results
Select Strategy
Implement
Strategy
Monitor
Evaluate and
Adjust
The Process
is iteration
•The Processes are organized
• Each Step output considered
as an input for the next step
Risk
Control
Risk
Assessment

5. 5

6. Risk Identification
What is the purpose of this phase ?
The aims of this phase is to identify , classify and
prioritizing the organization’s information assets
( Know ourselves) and identify all important types and
sources of risk and uncertainty (know our enemy),
associated with each of the investment objectives.
This is a crucial phase. If a risk is not identified it cannot
be evaluated and managed
6

7. Information Assets
IS
Components
People Procedures Data
Transmission
HW
SW
Employees
Non
-
employees
People at
trusted
organizations
Authorized
Staff
Other staff Strangers
Standard
Procedures
Sensitive
Procedures
Process
Storage
Application
OS
Security
Component
System
Devises
Net Work
7

8. Primary sources
of Risk Items
8
Human Threats
Environmental
Threats
Outside
&
Natural Threats
network
based attacks
virus infection
,
unauthorized access
floods
Earthquakes
hurricanes
Power failure
,
pollution

9. Risk Analysis
• requires an entity to, conduct an accurate and
thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity,
and availability of electronic protected
information held by the entity.
• Risk analysis, which is a tool for risk
management, is a method of identifying
vulnerabilities and threats, and assessing the
possible damage to determine where to
implement security safeguards

10. Risk Assessment
For each identified component & risk, which has a 'clearly significant' or
'possibly significant' position, each should be assess to establish qualitatively
and Estimate the value
10

11. What is Risk Assessment ?
Assessing risk is the process of determining the likelihood of the
threat being exercised against the vulnerability and the resulting
impact from a successful compromise , i.e determine the relative
risk for each of the vulnerabilities
Risk assessment assigns a risk rating or score to each specific
information asset, useful in evaluating the relative risk and making
comparative ratings later in the risk control process.
•Although all elements of the risk management cycle are important,
risk assessments provide the foundation for other elements of the
cycle. In particular, risk assessments provide a basis for establishing
appropriate policies and selecting cost-effective techniques to
implement these policies
١٤٤٦/٠٣/٢١ 11

12. Methods of Risk Assessment
There are various methods assessing risk,
First : Quantitative risk assessment :
generally estimates values of Information Systems components as ;
information, systems, business processes, recovery costs, etc., risk can be
measured in terms of direct and indirect costs , based on
(1) the likelihood that a damaging event will occur
(2) the costs of potential losses
(3) the costs of mitigating actions that could be taken.
12

13. This approach can be taken by defining
◦ Risk in more subjective and general terms such as high, medium, and
low.
◦ In this regard, qualitative assessments depend more on the expertise,
experience, and judgment of those conducting the assessment.
Qualitative risk assessments typically give risk results of “High”,
“Moderate” and “Low”. However, by providing the impact and likelihood
definition tables and the description of the impact, it is possible to
adequately communicate the assessment to the organization’s
management.
13
Second : Qualitative Risk Assessment

14. Third :Quantitative and Qualitative
◦ It is also possible to use a combination of quantitative and qualitative
method
14

38. WHAT IS RISK MANAGEMENT?
The identification of Risks and their management by defining:
 The Risk Description
 The Risk Owner
 The Probability of the Risk Event occurring
 The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
 The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring
with relation to their costs and the reduction of Risk Exposure
 The Contingency Plan to recover the Asset once risk is manifested
 An understanding of Corporate Risk Appetite and where appropriate the application of Risk
Tolerance

39. OBJECTIVES OF GENERIC RISK MANAGEMENT
To ensure that all risks to the Business
however they are derived are managed
effectively.
This includes:
Strategic Risks
Programme and Project Risks
Operational Risks (includes Security and
Business Continuity Risks)
Operational Level
(Business as Usual)
Change
Level
Operational Risk
Register
Information
Security Risk
Register
BAU
Business
continuity
Strategic
Level
Strategic Risks
Programme/Project Risks
Operational Risks
Project Risk Register
Strategic Risk Register

40. OBJECTIVES OF INFORMATION SECURITY
RISK MANAGEMENT
To ensure that the risks to the Organisation that are derived from, Incidents,
Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
◦ Confidentiality,
◦ Integrity,
◦ Availability, and the
◦ Traceability of Information whilst:
◦ At rest
◦ Whilst being modified
◦ In transit (around a system, e-mail, media device, telephone etc.)

41. WHAT IS NOT RISK MANAGEMENT?
Incident Management
Audit Non-Compliances
Problem Management
Threat Management
Vulnerability Management
Exception / Waiver Management
! However, they can be the Source of Infosec Risks…
So, these are issues, NO uncertainty!

44. RISK MATRIX

46. PROBLEMS WITH RISK MANAGEMENT
COMMON PROBLEMS
(MISUNDERSTANDINGS)?
Poor Risk Descriptions (Risk vs Issue and
Impact confusion) (Qualification vs
Quantification)
Unachievable, ineffective and
disproportionate Mitigation Actions
Poor Control, risk owner vs risk mitigation
owner. Stakeholder Involvement
Reactive vs Proactive Approach
• Reliance on Incidents, Threat and Non-
Compliance Management (Reactive)
• Proactive Risk Identification Workshop
based on Success Criteria
SO WHAT!
Risks occur that could have been managed
Impact on Assets not understood (BIA, CMDB)
Mitigation Action Costs do not reflect the Risk
Exposure Reduction
Systems fail, business and revenue lost,
Corporate data is unavailable when required –
Loss of Business
Regulator penalties, reputational damage occurs
Loss of Customer base and confidence
Loss of IPR.

47. MITIGATION PLANS & CONTINGENCY PLANS
oMitigations or Controls are primarily used to prevent the occurrence of a risk or
to reduce the Probability of Risk occurrence - (Reduce Probability).
o This is why it is so important to describe the risk event clearly.
o Contingency Plans address the Impact of the Risk plans and are used to
recover a system from the effect of a risk should it occur, a mini BCP -
(Reduce Impact)
o This is why it is so important to clearly describe the risk impact separately from the risk
description

48. SOURCES OF CYBER SECURITY RISKS
o Proliferation of BYOD and smart devices
o Cloud computing
o Outsourcing of critical business processes to a third party (and lack of
controls around third-party services)
o Disaster recovery and business continuity
o Periodic access reviews
o Log reviews
SOURCE: Cyber-security - What the Board of Directors need to ask?,
IIARF Research Report, 2014

49. COMMON CYBER-CRIMINAL ATTACK VECTORS
o Application vulnerabilities
o Remote access.
o Ineffective patch management
o Weak network security/flat networks
o Lack of real-time security monitoring
o Third parties
o Lack of a data retention policy
SOURCE: HANS HENRIK BERTHING
Cyber Assurance and the IT Auditor Nov 2014

50. WHERE TO START?
Select appropriate Controls / use Security Standards:
ISO27000
PCI DSS
COBIT
HIPAA

51. ENCOURAGE RISK REPORTING
1. Create risk reporting awareness for the workforce
2. Make it easy, create a simple Risk Submission form
3. Assess the risk submission, ask questions
4. Ensure it is a RISK, not an issue, a service request, a change request 

52. MANAGE THE RISKS…
1. Record in a Risk Register
2. Describe the RISK
3. Assess the Likelihood, Impact, and risk rating
4. Agree recommended Risk Mitigation / Treatment
5. Establish a contingency position if possible
6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7. Agree a Mitigation Owner
8. Obtain a decision (Reduce, Accept, Avoid, Transfer)
9. Monitor mitigation progress until target risk is achieved – retain
awareness of closed or mitigated risks
10. Produce monthly status reports