CISM PREP
Topic 2
Information Security Governance
• Achieving an optimal balance between realising
opportunities for gain and minimising the
likelihood of loss
• Risks are identified and addressed so that they do
not impact the business in a negative manner
• Resources are not wasted addressing unrealistic
risks
• Requires knowledge of:
– Leadership perception
– Ability to absorb loss
– Cost to implement controls
– Risk-benefit ratio
Risk management
How do we identify, prioritise and reduce risk?
• Choosing a framework and structure
• Periodic assessment
• Continuous improvement
• Align with organisational strategy, culture, hierarchy,
risk appetite and financial position
• Perform a gap analysis
• Prioritise
Risk management program
Three elements
1. Actor
– Bad guy, good guy
– External, internal
– Incidental, malicious
2. Negative impact
– Exposure / unauthorised access
– Loss of service
– Loss of data
3. Asset
– Confidential information
– Privileged function or business functionality
Threat Scenarios
Vulnerability – For convenience, staff are storing corporate credit cards on
pastebin.
Threat Scenario – An external attacker may gain unauthorised access to
the list of corporate credit card numbers.
Vulnerability – Big “delete all” button right next to the “update record” button in the
customer relationship manager application.
Threat Scenario – A staff member may accidentally delete the full customer
database.
Threat Scenarios - Examples
Forums and committees:
• Identify risks at technical level
• Disseminate risk knowledge at
management level
• Request direction for risk treatment from
leadership
Establish a risk management program
Responsibility sits with the Information
Security Manager
Risk communication and awareness
ISO/IEC 27001 – Information security management system
ISO/IEC 27005 – Information security risk management
ISO/IEC 31010 – Risk management – risk assessment techniques
NIST SP 800-39
COBIT 5 – ISACA IT Governance
RIMS Risk Maturity Model
FRAP – Facilitated risk assessment process
Risk management frameworks
• Program scope
• Information risk objectives
• Information risk policy
• Risk appetite/tolerance
• Roles and responsibilities
• Risk management life-cycle process
• Risk management documentation
• Management review
Risk management framework components
• System characterisation
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation
NIST SP 800-30 risk assessment steps
• Gaps in controls against criteria
• Published good practices
• Security groups (industry, AISA,
ISACA)
• Security news (RiskyBiz)
• Published research
• Security training
• Vulnerability alerting
Gap analysis and external support
Risk management lifecycle
Types
• PII (customer, staff)
• Privileged functions
• Internal information
• Trade secrets
• Payment data
• Financial records
Loss scenarios
Value based on business knowledge
Intangible and tangible value
Asset Identification and Valuation
Viability and plausibility
• Exist or are reasonably expected to
• Subject to some form of control
Experienced staff
• Organisational knowledge
• Cyber security knowledge
External vendors and consultants
Risk Assessment: Identification of Risk
Categories
• Physical
• Logical
• Loss of service
• Technical failures
• Unauthorised activity
Internal and external threats
Learn from industry sources
Advanced persistent threats – APT
Third parties
Risk Assessment: Threats
Weakness
Degrees of vulnerability
Identify before exploitation
Categorise vulnerabilities
Vulnerability examples
• Software bugs
• Misconfiguration
• Weak passwords
• Staff awareness
• Clear text transmission
Risk Assessment: Vulnerabilities
1. Why is the information security manager responsible for the risk
management program and strategy?
2. What is the difference between a plausible risk and a possible
risk?
3. Name and describe two types of common vulnerabilities.
4. Why does organisational knowledge assist in threat
identification?
Discussion Questions
Three elements
• Actor
• Asset
• Negative impact
Example:
An external attacker gains unauthorised access to bulk
customer information.
Threat Scenarios
Determine the level of risk by analysing:
• Risk sources
• Asset exposure
• Negative consequences
• Likelihood of risk realisation
• Assessment of controls
Sources of this information:
• Past experience
• Published standards
• Experiments and testing
• Consultants
Risk Analysis
Volatility – how much the likelihood varies over time
Velocity – how much prior warning there is before an incident
Proximity – time between the event and its impact
Motivation – what is in it for the attacker
Skill – difficulty of exploiting the vulnerability
Visibility – how easily a vulnerable system can be found
Risk Likelihood
Influenced by the asset value
Impact types
• Loss of money
• Criminal liability
• Reputational damage
• Breach of privacy
• Competitive edge
• Interruption to business
Maximum tolerable outages
Risk Impact
Qualitative Analysis
Assigning a financial figure
Calculating a loss expectancy with a simple equation
Annual loss expectancy (ALE)
Single loss expectancy (SLE)
Annual rate of occurrence (ARO)
ALE = SLE × ARO
OCTAVE
Quantitative Analysis
Is the risk acceptable?
Further analysis required
Rank risks by severity
How can the risk be treated
• Avoid
• Transfer
• Mitigate
• Accept
• Ignore
Inherent and residual risk
Risk Treatment and Ownership
Methods to reduce the likelihood or impact of a risk
Categories
• Administrative
• Technical
• Physical
Impact of regulation on the organisation
Enforcement – where is the pressure coming from?
Compliance levels
The compliance plan
Control implementation and compliance levels are a business decision
Controls and Regulation
Is the cost less than the benefit?
What are the obvious and hidden costs?
• Acquisition
• Deployment and integration
• Support and maintenance
• Testing
• Compliance monitoring and enforcement
• Inconvenience to users (usability vs security)
• Slowing the business
• Training
• Decommissioning and disposal
Cost vs Benefit
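The Quantitative Analysis slide gives ALE = SLE × ARO and the Cost vs Benefit slide asks whether a control costs less than it saves. The example below, added here and not part of the original deck, carries both through: it computes SLE and ALE for a loss scenario, annualises a control's one-off and recurring costs over its lifetime, and compares the ALE reduction against that cost. All asset values, exposure factors, rates of occurrence and control names are constructed assumptions, not figures from the deck or from any real product.

```python
"""Quantitative risk analysis worked through: SLE, ARO, ALE and the cost/benefit
of candidate controls. All figures below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """A loss scenario expressed in quantitative terms."""
    asset_value: float      # AV: value of the asset at risk (currency units)
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0..1
    aro: float              # ARO: expected number of incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate control with its obvious and hidden costs spread over its life."""
    name: str
    acquisition: float      # one-off: purchase, deployment and integration
    annual_running: float   # recurring: support, testing, monitoring, training
    lifetime_years: int
    residual: Exposure      # exposure that remains once the control is in place

    @property
    def annualised_cost(self) -> float:
        """Spread the one-off cost over the control's lifetime, add the yearly cost."""
        return self.acquisition / self.lifetime_years + self.annual_running


def net_annual_benefit(before: Exposure, control: Control) -> float:
    """Yearly value of the control: ALE reduction minus what the control costs."""
    return before.ale - control.residual.ale - control.annualised_cost


def choose_treatment(before: Exposure, candidates: list[Control]) -> str:
    """Name the control with the largest positive net benefit. If no candidate
    pays for itself, accepting (or transferring) the risk is the better decision."""
    best = max(candidates, key=lambda c: net_annual_benefit(before, c), default=None)
    if best is None or net_annual_benefit(before, best) <= 0:
        return "accept"
    return best.name


# Constructed scenario: an external attacker gains access to bulk customer data.
BASELINE = Exposure(asset_value=2_000_000.0, exposure_factor=0.25, aro=0.5)

# Constructed candidates; names and figures are assumptions, not real products.
ENCRYPT_AND_DLP = Control(
    name="encrypt-and-dlp",
    acquisition=150_000.0, annual_running=30_000.0, lifetime_years=5,
    residual=Exposure(asset_value=2_000_000.0, exposure_factor=0.25, aro=0.1),
)
FULL_REBUILD = Control(
    name="full-platform-rebuild",
    acquisition=1_000_000.0, annual_running=200_000.0, lifetime_years=5,
    residual=Exposure(asset_value=2_000_000.0, exposure_factor=0.25, aro=0.0),
)
CANDIDATES = [ENCRYPT_AND_DLP, FULL_REBUILD]

if __name__ == "__main__":
    print(f"SLE={BASELINE.sle:,.0f}  ALE={BASELINE.ale:,.0f}")
    for c in CANDIDATES:
        print(f"{c.name}: cost/yr={c.annualised_cost:,.0f}  "
              f"residual ALE={c.residual.ale:,.0f}  "
              f"net benefit={net_annual_benefit(BASELINE, c):,.0f}")
    print("treatment:", choose_treatment(BASELINE, CANDIDATES))
```

The point the numbers make is the one on the slide: the rebuild option removes the risk entirely yet is the wrong business decision, because its annualised cost exceeds the whole ALE it eliminates, while the cheaper control that only reduces ARO has a clear positive return.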
The minimum level of security for staff,
systems and processes
Reasons for change
• Based on the asset value
• Industry developments
• New threats
• New lines of business
• Exploitation in the public domain
Security Baselines
Determine levels of sensitivity and criticality
Considerations
• How many levels?
• How will it be identified and labelled?
• How will levels be handled?
• How is it created, updated, archived and disposed
of?
• How long will it be retained?
• Who is the owner and custodian?
• Who approves access?
Keep it SIMPLE
Information Asset Classification
Business impact analysis
Focus on information
• Loss of Confidentiality
• Loss of Integrity
• Loss of Availability
Impact Assessment and Analysis
Risks arising from failed processes or human mistakes
Recovery time objectives – RTOs
• RPO (recovery point objective) – data restoration
• SDO (service delivery objective) – service restoration
• MTO (maximum tolerable outage) – maximum time in
recovery mode
• AIW (allowable interruption window) – maximum service
loss
Operational Risk
A record of cyber risk across the organisation
Record of risk management activities
Contents
• Vulnerabilities
• Threat scenarios
• Risk owners
• Date identified
• Date closed
• Status
Keep it SIMPLE
Risk Register
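The Risk Treatment slide asks whether a risk is acceptable and says to rank risks by severity; the Risk Register slide lists what each entry should carry. The example below, added here and not taken from the deck, is a small register that does both: each entry records the vulnerability, threat scenario, owner, dates and status, gets a qualitative score from likelihood and impact, is checked against a stated risk appetite, and is ranked for reporting. The scales, thresholds, owners, dates and the third scenario (password guessing, from the discussion questions) are constructed assumptions; the first two scenarios are the deck's own.

```python
"""A minimal risk register with qualitative scoring, an appetite check and
severity ranking. Scales, thresholds and entries are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed 4-point scales for likelihood and impact (keep it SIMPLE).
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass
class RiskEntry:
    risk_id: str
    vulnerability: str
    threat_scenario: str      # actor + asset + negative impact
    owner: str
    likelihood: str
    impact: str
    identified: date
    status: str = "open"
    closed: Optional[date] = None

    @property
    def score(self) -> int:
        """Qualitative risk score: likelihood level x impact level."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def severity(score: int) -> str:
    """Band a score for management reporting (constructed thresholds)."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def is_acceptable(entry: RiskEntry, appetite: int) -> bool:
    """A risk at or below the stated appetite may be accepted by its owner."""
    return entry.score <= appetite


def ranked_open(register: list[RiskEntry]) -> list[RiskEntry]:
    """Open risks, most severe first; on a tie the older risk comes first."""
    open_entries = [e for e in register if e.status == "open"]
    return sorted(open_entries, key=lambda e: (-e.score, e.identified))


def needs_treatment(register: list[RiskEntry], appetite: int) -> list[str]:
    """IDs of open risks above appetite, in the order leadership should see them."""
    return [e.risk_id for e in ranked_open(register) if not is_acceptable(e, appetite)]


def close_entry(entry: RiskEntry, on: str) -> None:
    """Closing records when the risk was closed, not just that it was."""
    entry.status = "closed"
    entry.closed = date.fromisoformat(on)


def validate(register: list[RiskEntry]) -> list[str]:
    """Consistency checks to run before a management review."""
    problems: list[str] = []
    seen: set[str] = set()
    for e in register:
        if e.risk_id in seen:
            problems.append(f"{e.risk_id}: duplicate id")
        seen.add(e.risk_id)
        if not e.owner:
            problems.append(f"{e.risk_id}: no risk owner")
        if e.status == "closed" and e.closed is None:
            problems.append(f"{e.risk_id}: closed without a closure date")
        if e.closed is not None and e.closed < e.identified:
            problems.append(f"{e.risk_id}: closed before it was identified")
    return problems


# Constructed register built from the deck's threat scenarios plus one more.
REGISTER = [
    RiskEntry("R-001", "Corporate credit card numbers stored on pastebin",
              "An external attacker gains unauthorised access to the list of "
              "corporate credit card numbers",
              "Finance Manager", "high", "very high", date(2024, 2, 5)),
    RiskEntry("R-002", "'Delete all' button next to 'update record' in the CRM",
              "A staff member accidentally deletes the full customer database",
              "Sales Operations Manager", "medium", "high", date(2024, 2, 12)),
    RiskEntry("R-003", "Remote access portal has no lockout or rate limit",
              "An external attacker guesses a staff password and gains access "
              "to internal systems",
              "IT Manager", "high", "medium", date(2024, 3, 1)),
]
RISK_APPETITE = 4  # constructed: scores of 4 or less may be accepted

if __name__ == "__main__":
    for e in ranked_open(REGISTER):
        print(f"{e.risk_id} {e.score:>2} {severity(e.score):<8} {e.owner}")
    print("needs treatment:", needs_treatment(REGISTER, RISK_APPETITE))
    print("problems:", validate(REGISTER))
```

Ranking on score with the identification date as a tie-breaker keeps the register honest: two risks of equal severity are reported oldest first, so a risk that has sat open longest cannot hide behind a newer one of the same score.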
Communicate risk at multiple levels
Obtain risk information from multiple sources
Build risk assessment into processes
Every risk discussion is a training opportunity
Document risk clearly
Keep it SIMPLE
Final Thoughts on Risk
1. Write a plausible threat scenario involving password
guessing.
2. What is the difference between quantitative and
qualitative risk analysis?
3. Name and describe two ways to treat risks.
4. What is the purpose of a risk register?
Discussion Questions