Digicomp Academy AG, profile picture
Uploaded byDigicomp Academy AG
1,900 views

IT-Risk-Management Best Practice

The document discusses IT risk management frameworks and processes. It provides an overview of ISO 31000 for risk management, ISO 27005 for information security risk management, and the ITGI RiskIT framework. Key points covered include defining risk, the risk management process, quantifying and treating IT risks, and consolidating risks across an organization.

Embed presentation

Downloaded 59 times
IT  Risk  Management   Digicomp  Hacking  Day,  11.06.2014   Umberto  Annino  
•  Wer  spricht?   Umberto  Annino   WirtschaCsinformaEker,  InformaEon  Security   •  Was  ist  ein  Risiko?   !  Sicherheit  ist  das  Komplementärereignis   zum  Risiko   !  Risiko  ist  Schaden  mit  Potenzial   2  
Risiko   3   Gefahr   Bedrohung   Schwach-­‐ stelle   Asset   Risiko  
Realitätsabgleich   Compliance?   Risk  Management?   OperaEonal  Risk,  Business  ConEnuity?   IT,  InformaEon  Security  –  Cyber  Security?   Red  Team,  Threat  Modeling,  APT  and  openSSL?   Big  Data???     Security  ™  vs.  Compliance  ™   4  
IT  Risiko  in  der  Risiko-­‐Hierarchie   5  
COSO   Enterprise  Risk  Management  Framework   6  
ISO  31000  Risk  Mgmt  (2009)   Guidelines  and  Principles  and  Framework   7  
ISO  31000  Framework   8  
ISO  31000   Processes   9  
ISO  31000  -­‐  Processes   10   Design  of   framework  for   managing  risk   Understanding  of  the  organisaEon  and  its  context   Establishing  risk  management  policy   Accountability   IntegraEon  into  organisaEonal  processes   Resources   Establishing  internal  communicaEon  and  reporEng  mechanisms   Establishing  external  communicaEon  and  reporEng  mechanisms   ImplemenEng   risk   management   ImplemenEng  the  framework  for  managing  risk   ImplemenEng  the  risk  management  process   Monitoring  and  review  of  the  framework   ConEnual  improvement  of  the  framework   !  Mandate  and  commitment  
ISO  31000  -­‐  Processes   11   Risk   Management   Process   CommunicaEon  and  consultaEon   Establishing  the  external  context   Establishing  the  internal  context   Establishing  the  context  of  the  risk   management  process   Defining  risk  criteria   Risk  assessment   Risk  idenEficaEon   Risk  analysis   Risk  evaluaEon   Risk  treatment   Monitoring  and  review   Recording  the  risk  management   process  
ISO  31000   Acributes  of  enhanced  risk  management   •  Key  outcomes   –  The  organisaEon  has  a  current,  correct  and   comprehensive  understanding  of  its  risks   –  The  organisaEon‘s  risks  are  within  its  risk  criteria   •  Acributes   –  ConEnual  improvement   –  Full  accountability  for  risks   –  ApplicaEon  of  risk  management  in  all  decision  making   –  ConEnual  communicaEons   –  Full  integraEon  in  the  organisaEon‘s  governance   structure   12  
ISO  27005   InformaEon  Security  Risk  Management   13  
ISO  27005   Context  Establishment   14   Basic   Criteria   Risk  management  approach   Risk  evaluaEon  criteria   Impact  criteria   Risk  acceptance  criteria   ! Scope  and  Boundaries   ! OrganisaEon  for  informaEon  security  risk  management  
ISO  27005   InformaEon  security  risk  assessment   15   Risk   idenEficaEon   IdenEficaEon  of  assets   IdenEficaEon  of  threats   IdenEficaEon  of  exisEng  controls   IdenEficaEon  of  vulnerabiliEes   IdenEficaEon  of  consequences   Risk  analysis   Risk  analysis  methodologies   Assessment  of  consequences   Assessment  of  incident  likelihood   Level  of  risk  determinaEon  
ITGI  RiskIT  Framework   PosiEonierung   16  
IT  Risk  (high  level)  categories   17  
RiskIT  Framework   18  
Risk  maps...   •  Risk   appeEte   •  Risk   tolerance   •  Risk   culture   19  
Risk  culture   20  
IT  risk  scenario  development   21  
Risk  scenario  components   22  
Aber:  scenario  based...   !  keeping  it  real!   23  
IT  Risk  Response   opEons  and   prioriEsaEon   24  
Verwalten  von  IT  Risiken   Risiko   management   Risiko   analyse   Risiko   idenEfikaEon   Konsolidierung   Link  to   business   Risiko   bewertung   QuanEtaEv   QualiEaEv   StaEsEsche   Basis   Risiko   lenkung   Risiko   bearbeitung   Admin   Disziplin/ Aufwand   Kosten   ROI   Risiko   tracking   Nachvollzieh-­‐   barkeit   Konstanz   (Zahlen)   25  
QuanEfizieren  von  IT  Risiken   26   Big  Data?  Loss  DB?   Komplexität  von  InformaEonssystemen  (und  SoCware)?  
QuanEfizieren  von  IT  Risiken   •  In  der  Praxis  eher  qualitaEv  stac  quanEtaEv   –  Fehlende  staEsEsche  Basis   –  Prinzipiell  komplexe  Systeme   –  Wenig  akuter  Bedarf  zur  QuanEfizierung  !  über   Verknüpfung  mit  Business  Process   •  Konsolidierung  der  Werte  für  Management   ReporEng  als  Grundlage  für  QuanEfikaEon   •  In  der  Praxis  eher  „erste  Schrice“  stac  best   pracEse   •  ISO  27005,  ITGI  RiskIT  Framework  und   PracEcEoner  Guide  bieten  brauchbare   Grundlagen  (Framework)   27  
Risk  Treatment   28   Risk   treatment   Avoid   Eliminate   Reduce   Minimize     Transfer   Externalize   Accept   Residual  Risk   Controls   Measures   Avoid  /   Verhindern   Detect  /   Entdecken   Minimize  /   Eindämmen  
Risk  Treatment  –  ISO  27005   29  
Konsolidieren  von  IT  Risiken   Disjointed  risks   30  
Konsolidieren  von  IT  Risiken   shared  risks   31  
32  

More Related Content

PPTX
IT Risk Management
byComputer Aid, Inc
 
PDF
ISO 27005 Risk Assessment
bySmart Assessment
 
PPTX
NIST 800 30 revision Sep 2012
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPTX
Mastering Information Technology Risk Management
byGoutama Bachtiar
 
PPTX
Iso27001 Risk Assessment Approach
bytschraider
 
PPT
Information Serurity Risk Assessment Basics
byVidyalankar Institute of Technology
 
PPTX
Information systems risk assessment frame workisraf 130215042410-phpapp01
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPTX
Risk Management and Remediation
byCarahsoft
 
IT Risk Management
byComputer Aid, Inc
 
ISO 27005 Risk Assessment
bySmart Assessment
 
NIST 800 30 revision Sep 2012
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Mastering Information Technology Risk Management
byGoutama Bachtiar
 
Iso27001 Risk Assessment Approach
bytschraider
 
Information Serurity Risk Assessment Basics
byVidyalankar Institute of Technology
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Risk Management and Remediation
byCarahsoft
 

What's hot

PDF
Vendor Cybersecurity Governance: Scaling the risk
bySarah Clarke
 
PPT
Risk Based Security and Self Protection Powerpoint
byrandalje86
 
PPT
Review of Enterprise Security Risk Management
byRand W. Hirt
 
PPTX
Risk management ISO 27001 Standard
byTharindunuwan9
 
PPT
Risk Management 101
byBarry Caplin
 
PPT
Security Maturity Assessment
byClaude Baudoin
 
PDF
Risk Assessments
byJoAnna Cheshire
 
PDF
Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012
byAhmed Al Enizi
 
PPSX
Risk Management Remediation Overview
byRuss Pizzuto
 
PDF
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
byDenise Tawwab
 
PDF
Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 1...
bySmart Assessment
 
PPTX
Microsoft Risk Management
byUlukman Mamytov
 
PPTX
Risk Management Methodology - Copy
byRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
PPT
Social Enterprise Learning Toolkit (Risk Management Module)
byEnterprising Non-Profits
 
PPTX
Information Security Cost Effective Managed Services
byJorge Sebastiao
 
PDF
IIA Facilitated Risk Workshop
byErsoy AKSOY
 
PPTX
Information Security Risk Management
byNikhil Soni
 
PPTX
Cse it seminar ppt1, An Approach To IT Project Management
byGirija Sankar Dash
 
PPTX
Risk management in Software Industry
byRehan Akhtar
 
Vendor Cybersecurity Governance: Scaling the risk
bySarah Clarke
 
Risk Based Security and Self Protection Powerpoint
byrandalje86
 
Review of Enterprise Security Risk Management
byRand W. Hirt
 
Risk management ISO 27001 Standard
byTharindunuwan9
 
Risk Management 101
byBarry Caplin
 
Security Maturity Assessment
byClaude Baudoin
 
Risk Assessments
byJoAnna Cheshire
 
Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012
byAhmed Al Enizi
 
Risk Management Remediation Overview
byRuss Pizzuto
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
byDenise Tawwab
 
Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 1...
bySmart Assessment
 
Microsoft Risk Management
byUlukman Mamytov
 
Risk Management Methodology - Copy
byRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
Social Enterprise Learning Toolkit (Risk Management Module)
byEnterprising Non-Profits
 
Information Security Cost Effective Managed Services
byJorge Sebastiao
 
IIA Facilitated Risk Workshop
byErsoy AKSOY
 
Information Security Risk Management
byNikhil Soni
 
Cse it seminar ppt1, An Approach To IT Project Management
byGirija Sankar Dash
 
Risk management in Software Industry
byRehan Akhtar
 

Viewers also liked

PPTX
Hacking Homework - AR triggered by GPS locations, tactile objects or print
byBrendan O'Keefe
 
PPTX
QR codes and their application in libraries
byGeoffrey Lowe
 
PPSX
A quick response to promoting library services - How you can use QR Codes
byScott Hibberson
 
PPTX
Qr Codes & Simple Augmented Reality in Academic Libraries - Oct. 2010
byRobin M. Ashford, MSLIS
 
PPT
QR CODES IN AN ACADEMIC SETTING
bygenelg
 
PPTX
Sncs2015 cybersecurityy risk and control jakarta 3-4 juni 2015 ver01
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PDF
IT Governance
byCarlos Chalico
 
PPTX
The Books "AR" Alive-Augmented Reality in Books
byCindy Wright
 
PDF
Sejarah Lisan Tajuk 1
byAlif Akram
 
PPTX
IT Policy
bySensewareInfomedia
 
PDF
Sejarah Lisan Tajuk 2
byAlif Akram
 
PPT
3.5 ICT Policies
bymrmwood
 
PDF
182764707 nota-sjh3104-sejarah-lisan-dan-pendokumentasian-bab-1-docx
byfiro HAR
 
PPT
Pengurusan risiko projek
byAmir Sagiran
 
PPT
3.4 ict strategy
bymrmwood
 
PPTX
How Augmented Reality can Boost Print Book Sales!
byReality Premedia
 
PPT
Modul 1 pengurusan projek
byUniversiti Kebangsaan Malaysia (UKM)
 
PDF
Kooperative VR - Collaborative Virtual Engineering: VDC-Whitepaper
byVirtual Dimension Center (VDC) Fellbach
 
PPTX
The new ISO 9001:2015
byReza Seifollahy
 
Hacking Homework - AR triggered by GPS locations, tactile objects or print
byBrendan O'Keefe
 
QR codes and their application in libraries
byGeoffrey Lowe
 
A quick response to promoting library services - How you can use QR Codes
byScott Hibberson
 
Qr Codes & Simple Augmented Reality in Academic Libraries - Oct. 2010
byRobin M. Ashford, MSLIS
 
QR CODES IN AN ACADEMIC SETTING
bygenelg
 
Sncs2015 cybersecurityy risk and control jakarta 3-4 juni 2015 ver01
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
IT Governance
byCarlos Chalico
 
The Books "AR" Alive-Augmented Reality in Books
byCindy Wright
 
Sejarah Lisan Tajuk 1
byAlif Akram
 
IT Policy
bySensewareInfomedia
 
Sejarah Lisan Tajuk 2
byAlif Akram
 
3.5 ICT Policies
bymrmwood
 
182764707 nota-sjh3104-sejarah-lisan-dan-pendokumentasian-bab-1-docx
byfiro HAR
 
Pengurusan risiko projek
byAmir Sagiran
 
3.4 ict strategy
bymrmwood
 
How Augmented Reality can Boost Print Book Sales!
byReality Premedia
 
Modul 1 pengurusan projek
byUniversiti Kebangsaan Malaysia (UKM)
 
Kooperative VR - Collaborative Virtual Engineering: VDC-Whitepaper
byVirtual Dimension Center (VDC) Fellbach
 
The new ISO 9001:2015
byReza Seifollahy
 

Similar to IT-Risk-Management Best Practice

PPTX
Risk Assessment
bymansoor765
 
PPTX
Risk - IT Services
byNema Chhaya Buch
 
PPT
Risk Management Training 2013
byVicky Ames
 
PDF
Information Risk Management - Cyber Risk Management - IT Risks
byHernan Huwyler, MBA CPA
 
PDF
Visió holística de la gestio de riscos de les TIC
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
DOCX
INFORMATION SECURITY MANAGEMENT
byNi
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byyaseraljohani
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
PDF
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
by360 BSI
 
PDF
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞.pdf
byInfosecTrain Education
 
PDF
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
bypriyanshamadhwal2
 
PDF
𝐌𝐚𝐬𝐭𝐞𝐫𝐢𝐧𝐠 𝐂𝐑𝐈𝐒𝐂 𝐃𝐨𝐦𝐚𝐢𝐧𝐬: 𝐄𝐥𝐞𝐯𝐚𝐭𝐞 𝐘𝐨𝐮𝐫 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐆𝐚𝐦𝐞!
byMansi Kandari
 
PDF
CRISC Domains Mind Map InfosecTrain .pdf
byinfosec train
 
PDF
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
byMansi Kandari
 
PDF
Management of Risk and its integration within ITIL
byhdoornbos
 
PPTX
Info sec 2011 julen c mohanty
byJulen Mohanty
 
PPTX
Info sec 2011 julen c mohanty
byJulen Mohanty
 
PPTX
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
byjamiejohngianna
 
PPTX
Risk managemet made easy
bysheyam selvaraj
 
PDF
Risk management automation
bysheyam selvaraj
 
Risk Assessment
bymansoor765
 
Risk - IT Services
byNema Chhaya Buch
 
Risk Management Training 2013
byVicky Ames
 
Information Risk Management - Cyber Risk Management - IT Risks
byHernan Huwyler, MBA CPA
 
Visió holística de la gestio de riscos de les TIC
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
INFORMATION SECURITY MANAGEMENT
byNi
 
Step by-step for risk analysis and management-yaser aljohani
byyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
by360 BSI
 
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞.pdf
byInfosecTrain Education
 
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
bypriyanshamadhwal2
 
𝐌𝐚𝐬𝐭𝐞𝐫𝐢𝐧𝐠 𝐂𝐑𝐈𝐒𝐂 𝐃𝐨𝐦𝐚𝐢𝐧𝐬: 𝐄𝐥𝐞𝐯𝐚𝐭𝐞 𝐘𝐨𝐮𝐫 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐆𝐚𝐦𝐞!
byMansi Kandari
 
CRISC Domains Mind Map InfosecTrain .pdf
byinfosec train
 
𝐂𝐑𝐈𝐒𝐂 𝐌𝐢𝐧𝐝 𝐌𝐚𝐩 𝐟𝐨𝐫 𝐄𝐟𝐟𝐞𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞
byMansi Kandari
 
Management of Risk and its integration within ITIL
byhdoornbos
 
Info sec 2011 julen c mohanty
byJulen Mohanty
 
Info sec 2011 julen c mohanty
byJulen Mohanty
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
byjamiejohngianna
 
Risk managemet made easy
bysheyam selvaraj
 
Risk management automation
bysheyam selvaraj
 

More from Digicomp Academy AG

PDF
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
byDigicomp Academy AG
 
PDF
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
byDigicomp Academy AG
 
PPTX
Innovation durch kollaboration gennex 2018
byDigicomp Academy AG
 
PDF
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
byDigicomp Academy AG
 
PDF
Roger basler meetup_21082018_work-smarter-not-harder_handout
byDigicomp Academy AG
 
PDF
Xing expertendialog zu nudge unit x
byDigicomp Academy AG
 
PDF
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
byDigicomp Academy AG
 
PDF
IPv6 Security Talk mit Joe Klein
byDigicomp Academy AG
 
PDF
Agiles Management - Wie geht das?
byDigicomp Academy AG
 
PPTX
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
byDigicomp Academy AG
 
PDF
Querdenken mit Kreativitätsmethoden – XING Expertendialog
byDigicomp Academy AG
 
PDF
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
byDigicomp Academy AG
 
PDF
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
byDigicomp Academy AG
 
PDF
UX – Schlüssel zum Erfolg im Digital Business
byDigicomp Academy AG
 
PDF
Minenfeld IPv6
byDigicomp Academy AG
 
PDF
Was ist design thinking
byDigicomp Academy AG
 
PDF
Die IPv6 Journey der ETH Zürich
byDigicomp Academy AG
 
PDF
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
byDigicomp Academy AG
 
PDF
General data protection regulation-slides
byDigicomp Academy AG
 
PDF
Möglichkeiten der Online-Werbung - Referat von Matteo Schürch
byDigicomp Academy AG
 
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
byDigicomp Academy AG
 
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
byDigicomp Academy AG
 
Innovation durch kollaboration gennex 2018
byDigicomp Academy AG
 
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
byDigicomp Academy AG
 
Roger basler meetup_21082018_work-smarter-not-harder_handout
byDigicomp Academy AG
 
Xing expertendialog zu nudge unit x
byDigicomp Academy AG
 
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
byDigicomp Academy AG
 
IPv6 Security Talk mit Joe Klein
byDigicomp Academy AG
 
Agiles Management - Wie geht das?
byDigicomp Academy AG
 
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
byDigicomp Academy AG
 
Querdenken mit Kreativitätsmethoden – XING Expertendialog
byDigicomp Academy AG
 
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
byDigicomp Academy AG
 
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
byDigicomp Academy AG
 
UX – Schlüssel zum Erfolg im Digital Business
byDigicomp Academy AG
 
Minenfeld IPv6
byDigicomp Academy AG
 
Was ist design thinking
byDigicomp Academy AG
 
Die IPv6 Journey der ETH Zürich
byDigicomp Academy AG
 
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
byDigicomp Academy AG
 
General data protection regulation-slides
byDigicomp Academy AG
 
Möglichkeiten der Online-Werbung - Referat von Matteo Schürch
byDigicomp Academy AG
 

Recently uploaded

PDF
Keppel Ltd. 2H & FY 2025 Results Presentation Slides
byKeppelCorporation
 
PDF
How to Buy EDU Email Accounts_ A Comprehensive Guide in 2026.pdf
byonline marketing by pvaisback
 
PPTX
OpenAI’s Pitch Deck Analysis: Full Slide Review
byashishupmetrics
 
PDF
Contract_Costing_Introduction and Basics
byANEESHA252224
 
PPTX
Strategic Workforce Planning & Talent Strategy
bySeta Wicaksana
 
PDF
Laura Sergio - Specializing In Helping Small Businesses
byLaura Sergio
 
PPTX
Effluent Treatment Plant Companies in Chennai | Effluent Treatment Plant Manu...
byKemproPumps
 
PDF
Professional Profile of Micky Ahuja | CEO of MA Services Group Australia
byMicky Ahuja
 
PDF
MTD for Landlords – a closer look at the impact, requirements and software (H...
byFelixPerez547899
 
PDF
Kirill Klip GEM Royalty TNR Gold Presentation
byKirill Klip
 
PDF
Top 4.4 Sites To Buy Edu Emails Accounts in 2026.pdf
by8rn3l6efpnommwzc7r29
 
DOCX
7 Best Legitimate Ways to Buy Verified Cash App Accounts in 2026.docx
byLos Angeles
 
PDF
Ultra Map Section I Interface Virtual.pdf
byBrij Consulting, LLC
 
PDF
ISACA CISM and CISA - Case Study for BCP
byJS
 
PDF
Equinox Gold - February Investor Presentation.pdf
byEquinox Gold Corp.
 
PDF
rf_mccaffrey_stocksforthelongrun_revisited_online.v2 (1).pdf
byHenry Tapper
 
PDF
sse-engineer-questions-answers-only1.pdf
bydeajhds
 
PDF
J Hamilton M&G - 4 Feb 2026 FINAL (1).pdf
byHenry Tapper
 
PDF
Impact of Earnings Surprises on Short Term Asset Prices.pdf
bybharadwajduggarajupr
 
PDF
Carol Gauvreau - Focus Is On Wellness And Spending Time With Her Sons
byCarol Gauvreau
 
Keppel Ltd. 2H & FY 2025 Results Presentation Slides
byKeppelCorporation
 
How to Buy EDU Email Accounts_ A Comprehensive Guide in 2026.pdf
byonline marketing by pvaisback
 
OpenAI’s Pitch Deck Analysis: Full Slide Review
byashishupmetrics
 
Contract_Costing_Introduction and Basics
byANEESHA252224
 
Strategic Workforce Planning & Talent Strategy
bySeta Wicaksana
 
Laura Sergio - Specializing In Helping Small Businesses
byLaura Sergio
 
Effluent Treatment Plant Companies in Chennai | Effluent Treatment Plant Manu...
byKemproPumps
 
Professional Profile of Micky Ahuja | CEO of MA Services Group Australia
byMicky Ahuja
 
MTD for Landlords – a closer look at the impact, requirements and software (H...
byFelixPerez547899
 
Kirill Klip GEM Royalty TNR Gold Presentation
byKirill Klip
 
Top 4.4 Sites To Buy Edu Emails Accounts in 2026.pdf
by8rn3l6efpnommwzc7r29
 
7 Best Legitimate Ways to Buy Verified Cash App Accounts in 2026.docx
byLos Angeles
 
Ultra Map Section I Interface Virtual.pdf
byBrij Consulting, LLC
 
ISACA CISM and CISA - Case Study for BCP
byJS
 
Equinox Gold - February Investor Presentation.pdf
byEquinox Gold Corp.
 
rf_mccaffrey_stocksforthelongrun_revisited_online.v2 (1).pdf
byHenry Tapper
 
sse-engineer-questions-answers-only1.pdf
bydeajhds
 
J Hamilton M&G - 4 Feb 2026 FINAL (1).pdf
byHenry Tapper
 
Impact of Earnings Surprises on Short Term Asset Prices.pdf
bybharadwajduggarajupr
 
Carol Gauvreau - Focus Is On Wellness And Spending Time With Her Sons
byCarol Gauvreau
 

IT-Risk-Management Best Practice

  • 1.
    IT  Risk  Management   Digicomp  Hacking  Day,  11.06.2014   Umberto  Annino  
  • 2.
    •  Wer  spricht?   Umberto  Annino   WirtschaCsinformaEker,  InformaEon  Security   •  Was  ist  ein  Risiko?   !  Sicherheit  ist  das  Komplementärereignis   zum  Risiko   !  Risiko  ist  Schaden  mit  Potenzial   2  
  • 3.
    Risiko   3   Gefahr   Bedrohung   Schwach-­‐ stelle   Asset   Risiko  
  • 4.
    Realitätsabgleich   Compliance?   Risk  Management?   OperaEonal  Risk,  Business  ConEnuity?   IT,  InformaEon  Security  –  Cyber  Security?   Red  Team,  Threat  Modeling,  APT  and  openSSL?   Big  Data???     Security  ™  vs.  Compliance  ™   4  
  • 5.
    IT  Risiko  in  der  Risiko-­‐Hierarchie   5  
  • 6.
    COSO   Enterprise  Risk  Management  Framework   6  
  • 7.
    ISO  31000  Risk  Mgmt  (2009)   Guidelines  and  Principles  and  Framework   7  
  • 8.
  • 9.
  • 10.
    ISO  31000  -­‐  Processes   10   Design  of   framework  for   managing  risk   Understanding  of  the  organisaEon  and  its  context   Establishing  risk  management  policy   Accountability   IntegraEon  into  organisaEonal  processes   Resources   Establishing  internal  communicaEon  and  reporEng  mechanisms   Establishing  external  communicaEon  and  reporEng  mechanisms   ImplemenEng   risk   management   ImplemenEng  the  framework  for  managing  risk   ImplemenEng  the  risk  management  process   Monitoring  and  review  of  the  framework   ConEnual  improvement  of  the  framework   !  Mandate  and  commitment  
  • 11.
    ISO  31000  -­‐  Processes   11   Risk   Management   Process   CommunicaEon  and  consultaEon   Establishing  the  external  context   Establishing  the  internal  context   Establishing  the  context  of  the  risk   management  process   Defining  risk  criteria   Risk  assessment   Risk  idenEficaEon   Risk  analysis   Risk  evaluaEon   Risk  treatment   Monitoring  and  review   Recording  the  risk  management   process  
  • 12.
    ISO  31000   Acributes  of  enhanced  risk  management   •  Key  outcomes   –  The  organisaEon  has  a  current,  correct  and   comprehensive  understanding  of  its  risks   –  The  organisaEon‘s  risks  are  within  its  risk  criteria   •  Acributes   –  ConEnual  improvement   –  Full  accountability  for  risks   –  ApplicaEon  of  risk  management  in  all  decision  making   –  ConEnual  communicaEons   –  Full  integraEon  in  the  organisaEon‘s  governance   structure   12  
  • 13.
    ISO  27005   InformaEon  Security  Risk  Management   13  
  • 14.
    ISO  27005   Context  Establishment   14   Basic   Criteria   Risk  management  approach   Risk  evaluaEon  criteria   Impact  criteria   Risk  acceptance  criteria   ! Scope  and  Boundaries   ! OrganisaEon  for  informaEon  security  risk  management  
  • 15.
    ISO  27005   InformaEon  security  risk  assessment   15   Risk   idenEficaEon   IdenEficaEon  of  assets   IdenEficaEon  of  threats   IdenEficaEon  of  exisEng  controls   IdenEficaEon  of  vulnerabiliEes   IdenEficaEon  of  consequences   Risk  analysis   Risk  analysis  methodologies   Assessment  of  consequences   Assessment  of  incident  likelihood   Level  of  risk  determinaEon  
  • 16.
    ITGI  RiskIT  Framework   PosiEonierung   16  
  • 17.
    IT  Risk  (high  level)  categories   17  
  • 18.
  • 19.
    Risk  maps...   • Risk   appeEte   •  Risk   tolerance   •  Risk   culture   19  
  • 20.
  • 21.
    IT  risk  scenario  development   21  
  • 22.
  • 23.
    Aber:  scenario  based...   !  keeping  it  real!   23  
  • 24.
    IT  Risk  Response   opEons  and   prioriEsaEon   24  
  • 25.
    Verwalten  von  IT  Risiken   Risiko   management   Risiko   analyse   Risiko   idenEfikaEon   Konsolidierung   Link  to   business   Risiko   bewertung   QuanEtaEv   QualiEaEv   StaEsEsche   Basis   Risiko   lenkung   Risiko   bearbeitung   Admin   Disziplin/ Aufwand   Kosten   ROI   Risiko   tracking   Nachvollzieh-­‐   barkeit   Konstanz   (Zahlen)   25  
  • 26.
    QuanEfizieren  von  IT  Risiken   26   Big  Data?  Loss  DB?   Komplexität  von  InformaEonssystemen  (und  SoCware)?  
  • 27.
    QuanEfizieren  von  IT  Risiken   •  In  der  Praxis  eher  qualitaEv  stac  quanEtaEv   –  Fehlende  staEsEsche  Basis   –  Prinzipiell  komplexe  Systeme   –  Wenig  akuter  Bedarf  zur  QuanEfizierung  !  über   Verknüpfung  mit  Business  Process   •  Konsolidierung  der  Werte  für  Management   ReporEng  als  Grundlage  für  QuanEfikaEon   •  In  der  Praxis  eher  „erste  Schrice“  stac  best   pracEse   •  ISO  27005,  ITGI  RiskIT  Framework  und   PracEcEoner  Guide  bieten  brauchbare   Grundlagen  (Framework)   27  
  • 28.
    Risk  Treatment   28   Risk   treatment   Avoid   Eliminate   Reduce   Minimize     Transfer   Externalize   Accept   Residual  Risk   Controls   Measures   Avoid  /   Verhindern   Detect  /   Entdecken   Minimize  /   Eindämmen  
  • 29.
    Risk  Treatment  –  ISO  27005   29  
  • 30.
    Konsolidieren  von  IT  Risiken   Disjointed  risks   30  
  • 31.
    Konsolidieren  von  IT  Risiken   shared  risks   31  
  • 32.