Vijay Mohire presented information on his planned contributions to Microsoft's ACE (Assessment, Consulting & Engineering) team. He outlined how he would assist with risk assessments, compliance checks, security consultations, engineering tasks, and program management. The presentation also provided an overview of Microsoft's information security practices, including its security stack, tools like Azure and Active Directory, and adherence to standards like NIST and PCI DSS.
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
Risk analysis and management is important for Digital Zone Corporation to secure their systems and customer information. They collect personal information from customers and need to identify vulnerabilities, threats, and risks. The analysis includes evaluating assets, finding vulnerabilities, conducting a risk assessment, and establishing security policies. It also provides recommendations for managing risks, such as creating an information risk management policy, security awareness training, and contingency plans. Regular risk analysis helps Digital Zone Corporation improve security and maintain customer trust.
Disaster recovery & business continuityDhani Ahmad
This document discusses contingency planning for disasters and business continuity. It defines incident response planning, disaster recovery planning, and business continuity planning as the three main components of contingency planning. It provides learning objectives and outlines the major steps in contingency planning, including conducting a business impact analysis, developing an incident response plan, and creating disaster recovery and business continuity plans.
The document outlines a 9 step process for managing an enterprise cybersecurity program that includes assessing risks, identifying security scopes, evaluating security capabilities and operations, setting target security levels, identifying deficiencies, prioritizing improvements, resourcing and executing improvements, collecting operational metrics, and repeating the process on an ongoing cycle. It provides details on each step and how to assess risks, identify improvement areas, and prioritize remediation efforts to strengthen the overall cybersecurity posture. The goal is to use this iterative process to make progressive improvements to the enterprise's cybersecurity over time.
Review of Enterprise Security Risk ManagementRand W. Hirt
The document discusses enterprise security risk management and provides details on the risk assessment process. It defines risk as the likelihood of an adverse event occurring multiplied by the impact. Risk management aims to identify and mitigate risks to acceptable levels. The risk assessment process involves determining scope, gathering information, assessing risks, recommending controls, and determining residual risk. Controls can reduce risk through preventative, detective or corrective measures. Ongoing monitoring ensures the organization's risk posture remains consistent over time.
Mastering Information Technology Risk ManagementGoutama Bachtiar
This is the presentation slide as part of the courseware utilized when delivering Information Technology Risk Management training - workshop on May 2013.
Microsoft established its risk management group (RMG) in 1997 within the treasury department to develop a comprehensive approach to risk identification, measurement, and management across the enterprise. The RMG worked to bring non-financial risk management practices in line with the more mature financial risk management processes. Microsoft developed internal risk measurement systems and consulted third parties to ensure all risks were captured. The company encouraged a culture of transparency around risk through accessible internal reporting and education for all employees.
Risk Based Security and Self Protection Powerpointrandalje86
Miguel Sanchez presented on risk based security and self protection technologies. He discussed how the threat landscape has changed and the need for a proactive, risk based approach. This involves a multi-tiered risk management process including framing risks at the organizational, mission, and system levels. Emerging technologies like runtime application self protection can help applications protect themselves by monitoring for threats during execution.
Risk Management Strategy is an approach to dealing with global risks focused to anticipate the events, designing and implementing procedures to minimize the occurrence of the event or its impact if it occurs.
In era of globalization and interconnected world the task to protect the company from global risks became complicated. Any kind of internally or externally risk can cause distortion to its usual business activities. The source of potential risk can be human being, technology failure, sabotage or Mother Nature. All the risks must be considered individually since they overlap to a large degree. Then our Global Risk Management consulting focuses on: terrorism, internal sabotage, external espionage, technology failure.
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
Risk analysis and management is important for Digital Zone Corporation to secure their systems and customer information. They collect personal information from customers and need to identify vulnerabilities, threats, and risks. The analysis includes evaluating assets, finding vulnerabilities, conducting a risk assessment, and establishing security policies. It also provides recommendations for managing risks, such as creating an information risk management policy, security awareness training, and contingency plans. Regular risk analysis helps Digital Zone Corporation improve security and maintain customer trust.
Disaster recovery & business continuityDhani Ahmad
This document discusses contingency planning for disasters and business continuity. It defines incident response planning, disaster recovery planning, and business continuity planning as the three main components of contingency planning. It provides learning objectives and outlines the major steps in contingency planning, including conducting a business impact analysis, developing an incident response plan, and creating disaster recovery and business continuity plans.
The document outlines a 9 step process for managing an enterprise cybersecurity program that includes assessing risks, identifying security scopes, evaluating security capabilities and operations, setting target security levels, identifying deficiencies, prioritizing improvements, resourcing and executing improvements, collecting operational metrics, and repeating the process on an ongoing cycle. It provides details on each step and how to assess risks, identify improvement areas, and prioritize remediation efforts to strengthen the overall cybersecurity posture. The goal is to use this iterative process to make progressive improvements to the enterprise's cybersecurity over time.
Review of Enterprise Security Risk ManagementRand W. Hirt
The document discusses enterprise security risk management and provides details on the risk assessment process. It defines risk as the likelihood of an adverse event occurring multiplied by the impact. Risk management aims to identify and mitigate risks to acceptable levels. The risk assessment process involves determining scope, gathering information, assessing risks, recommending controls, and determining residual risk. Controls can reduce risk through preventative, detective or corrective measures. Ongoing monitoring ensures the organization's risk posture remains consistent over time.
Mastering Information Technology Risk ManagementGoutama Bachtiar
This is the presentation slide as part of the courseware utilized when delivering Information Technology Risk Management training - workshop on May 2013.
Microsoft established its risk management group (RMG) in 1997 within the treasury department to develop a comprehensive approach to risk identification, measurement, and management across the enterprise. The RMG worked to bring non-financial risk management practices in line with the more mature financial risk management processes. Microsoft developed internal risk measurement systems and consulted third parties to ensure all risks were captured. The company encouraged a culture of transparency around risk through accessible internal reporting and education for all employees.
Risk Based Security and Self Protection Powerpointrandalje86
Miguel Sanchez presented on risk based security and self protection technologies. He discussed how the threat landscape has changed and the need for a proactive, risk based approach. This involves a multi-tiered risk management process including framing risks at the organizational, mission, and system levels. Emerging technologies like runtime application self protection can help applications protect themselves by monitoring for threats during execution.
Risk Management Strategy is an approach to dealing with global risks focused to anticipate the events, designing and implementing procedures to minimize the occurrence of the event or its impact if it occurs.
In era of globalization and interconnected world the task to protect the company from global risks became complicated. Any kind of internally or externally risk can cause distortion to its usual business activities. The source of potential risk can be human being, technology failure, sabotage or Mother Nature. All the risks must be considered individually since they overlap to a large degree. Then our Global Risk Management consulting focuses on: terrorism, internal sabotage, external espionage, technology failure.
This document outlines a risk assessment methodology for organizations. It discusses how risk assessments are often not implemented formally or do not provide practical advice. The presented method uses foundation documents, risk evaluation criteria, and a multi-round review process called the Delphic Technique to provide a standardized risk assessment. It recommends developing reusable templates, defining assessment scope and objectives, using the methodology to identify and evaluate risks, and creating formal treatment plans. Time is included as a variable to show changing risks over time. The goal is for assessments to identify practical risk reduction options.
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
This document provides an overview of security risk management. It discusses reactive versus proactive approaches, and quantitative versus qualitative risk prioritization. The key steps of the security risk management process include assessing risks, conducting decision support, implementing controls, and measuring effectiveness. When assessing risks, organizations should plan the assessment, gather data through facilitated discussions, and prioritize risks. Both quantitative and qualitative approaches have benefits and drawbacks.
Mrs Bianca Pasipanodya, the Group ICT executive for First Mutual Group an esteemed speaker at the ISACA Harare Chapter, gives her remarks about the implementation of an effective Information Security Management System” in Zimbabwe.
The document outlines the risk assessment process recommended by NIST, which includes 9 steps: 1) system characterization, 2) threat identification, 3) vulnerability identification, 4) control analysis, 5) likelihood determination, 6) impact analysis, 7) risk determination, 8) control recommendations, and 9) results documentation. The goal is to identify risks, determine their likelihood and impact, and recommend controls to mitigate risks to protect the organization's mission.
The document defines key risk management terminology such as risk register, risk, risk management, risk appetite, risk owner, risk matrix, and risk vulnerability. It also outlines the risk management process recommended by PRINCE2 and lists common risk categories and responses to risks. Finally, it provides guidance on developing an ICT risk register, including understanding objectives, identifying risks, documenting the risk register, and getting approval.
This document outlines a 5-step process for managing organizational ICT security:
1. Identify the organization's business objectives to ensure ICT resources support them.
2. Identify all ICT resources, including network infrastructure, servers, user devices, and hardware.
3. Identify and assess risks to ICT resources, such as theft, damage, and unauthorized access, and prioritize them based on likelihood and cost.
4. Develop activities to mitigate risks through a 7-layered approach involving policies, physical security, perimeter controls, internal access management, host protection, and application hardening.
5. Implement and monitor the security program with roles for the CIO, CISO, ICT
This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
This document discusses risk management and outlines the FAIR approach to risk assessment. It describes identifying risks, evaluating frequency and magnitude of losses, and deriving risk. Five strategies for controlling risks are discussed: defend, transfer, mitigate, accept, and terminate. Metrics and best practices for risk management are also presented.
Risk Based Security Management (RBSM) is defined as applying rigorous analytical techniques to evaluate risks impacting an organization's information assets and infrastructure. RBSM involves identifying important assets and risks, collecting relevant data, performing risk assessments to analyze probabilities and impacts, presenting results to the organization, identifying control objectives to minimize risks, selecting and implementing controls, monitoring controls, and repeating the process as the environment changes. Glintt's RBSM managed services approach creates an environment for informed choices by analyzing threat frequencies and vulnerabilities cyclically with feedback to continuously learn and challenge assumptions.
The document discusses vulnerability analysis and management. It defines vulnerability and describes individual, facility, and community vulnerability. It emphasizes the importance of vulnerability assessment, which involves identifying, quantifying, and prioritizing vulnerabilities in systems. The key aspects of vulnerability management are identified as identification and learning about vulnerabilities, mitigation, and monitoring. An optimal vulnerability management methodology is described using the Improved Vulnerability Assessment Framework, which is a three-step process of defining minimum essential infrastructure, identifying vulnerabilities, and prioritizing vulnerabilities for remediation.
This document discusses risk assessments and managing third-party risk. It provides an overview of Optiv, a security consulting firm, and their services including risk management, security operations, and security technology. It then covers topics like the evolution of the CISO role, enterprise risk management, assessing assets, threats, vulnerabilities, and controls. The document provides methods for evaluating risk like the risk equation and risk register. It also discusses managing risk from third parties and cloud providers through due diligence and risk tiers based on the relationship and inherent risks.
This document provides guidance on making the right technology investment decisions by balancing risk and debt. It discusses calculating your existing technology debt, questions to ask suppliers, and how to make technology decisions. Key aspects covered include understanding when decisions to delay upgrades incur debt, assessing the "interest rate" of that debt, and classifying risk based on a technology's readiness level. The document emphasizes that technology decisions ultimately depend on building trust with suppliers.
This document provides an overview of information security risk management. It defines risk management as identifying risks, their owners, probability, impact, suitable mitigations, and contingency plans. The objectives of information security risk management are ensuring risks to confidentiality, integrity, availability, and traceability of information are effectively managed. Common problems with risk management include poor risk descriptions, ineffective mitigation actions, and a reactive rather than proactive approach. The document outlines identifying risks from sources like cloud computing and third parties, recording risks in a risk register, assigning owners, and monitoring mitigation progress.
This document discusses risk management in information technology. It begins with introductions and an agenda. It then covers IT management basics like strategy, operations, and project management. It defines IT risks as the possibility that IT will not be able to deliver required capabilities. It discusses identifying, analyzing, planning for, tracking, controlling, and communicating risks. It provides an example of managing application support risks and a case study on a project to improve service excellence at an organization.
This document discusses risk management in the software industry. It outlines the importance of risk management, including its role in frameworks like CMMI, ISO 20000, TL 9000, and ITIL. It then describes the typical risk management process, which involves defining a risk management strategy, identifying and analyzing risks, and handling risks through mitigation plans. Finally, it lists common activities in risk management, such as identifying risk sources and categories, evaluating risks, developing mitigation plans, and implementing those plans through risk monitoring.
The document discusses designing next-generation threat identification solutions. It summarizes traditional threat modeling approaches and identifies challenges, such as incomplete threat coverage, inability to follow processes rigorously, and lack of suitability for new development scenarios. It proposes key elements for new solutions, including making the business the driver, empowering developers, using continuous and customizable processes, and taking a collaborative approach. The goals are to address resource constraints, conduct analysis throughout product lifecycles, and standardize flexible processes for different teams and products.
Introduction to Risk Management FundamentalsToño Herrera
This document provides an overview of risk management concepts including definitions of risk management, risk, the risk management process, risk identification, estimation, evaluation, treatment, and residual risk. It discusses qualitative and quantitative approaches to risk estimation and outlines the risk management process as establishing context, risk identification, analysis, evaluation, and treatment. It also defines risk appetite and tolerance.
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
Risk analysis and management helps organizations improve security and protect sensitive information. The document outlines steps taken to analyze risks at Digital Zone Corporation, an IT services company. It identifies assets, threats, vulnerabilities, and recommends security policies, employee training, and contingency plans to reduce risks like data breaches or system failures. Assessment tools evaluated networks and hosts, finding vulnerabilities to inform countermeasures that lower overall organizational risk.
The document provides an overview of the CISSP certification course. It outlines the 8 domains that will be covered in the CISSP certification exam: Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. It also provides details about the exam such as the number of questions, time limit, and materials allowed.
This document outlines a risk assessment methodology for organizations. It discusses how risk assessments are often not implemented formally or do not provide practical advice. The presented method uses foundation documents, risk evaluation criteria, and a multi-round review process called the Delphic Technique to provide a standardized risk assessment. It recommends developing reusable templates, defining assessment scope and objectives, using the methodology to identify and evaluate risks, and creating formal treatment plans. Time is included as a variable to show changing risks over time. The goal is for assessments to identify practical risk reduction options.
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
This document provides an overview of security risk management. It discusses reactive versus proactive approaches, and quantitative versus qualitative risk prioritization. The key steps of the security risk management process include assessing risks, conducting decision support, implementing controls, and measuring effectiveness. When assessing risks, organizations should plan the assessment, gather data through facilitated discussions, and prioritize risks. Both quantitative and qualitative approaches have benefits and drawbacks.
Mrs Bianca Pasipanodya, the Group ICT executive for First Mutual Group an esteemed speaker at the ISACA Harare Chapter, gives her remarks about the implementation of an effective Information Security Management System” in Zimbabwe.
The document outlines the risk assessment process recommended by NIST, which includes 9 steps: 1) system characterization, 2) threat identification, 3) vulnerability identification, 4) control analysis, 5) likelihood determination, 6) impact analysis, 7) risk determination, 8) control recommendations, and 9) results documentation. The goal is to identify risks, determine their likelihood and impact, and recommend controls to mitigate risks to protect the organization's mission.
The document defines key risk management terminology such as risk register, risk, risk management, risk appetite, risk owner, risk matrix, and risk vulnerability. It also outlines the risk management process recommended by PRINCE2 and lists common risk categories and responses to risks. Finally, it provides guidance on developing an ICT risk register, including understanding objectives, identifying risks, documenting the risk register, and getting approval.
This document outlines a 5-step process for managing organizational ICT security:
1. Identify the organization's business objectives to ensure ICT resources support them.
2. Identify all ICT resources, including network infrastructure, servers, user devices, and hardware.
3. Identify and assess risks to ICT resources, such as theft, damage, and unauthorized access, and prioritize them based on likelihood and cost.
4. Develop activities to mitigate risks through a 7-layered approach involving policies, physical security, perimeter controls, internal access management, host protection, and application hardening.
5. Implement and monitor the security program with roles for the CIO, CISO, ICT
This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
This document discusses risk management and outlines the FAIR approach to risk assessment. It describes identifying risks, evaluating frequency and magnitude of losses, and deriving risk. Five strategies for controlling risks are discussed: defend, transfer, mitigate, accept, and terminate. Metrics and best practices for risk management are also presented.
Risk Based Security Management (RBSM) is defined as applying rigorous analytical techniques to evaluate risks impacting an organization's information assets and infrastructure. RBSM involves identifying important assets and risks, collecting relevant data, performing risk assessments to analyze probabilities and impacts, presenting results to the organization, identifying control objectives to minimize risks, selecting and implementing controls, monitoring controls, and repeating the process as the environment changes. Glintt's RBSM managed services approach creates an environment for informed choices by analyzing threat frequencies and vulnerabilities cyclically with feedback to continuously learn and challenge assumptions.
The document discusses vulnerability analysis and management. It defines vulnerability and describes individual, facility, and community vulnerability. It emphasizes the importance of vulnerability assessment, which involves identifying, quantifying, and prioritizing vulnerabilities in systems. The key aspects of vulnerability management are identified as identification and learning about vulnerabilities, mitigation, and monitoring. An optimal vulnerability management methodology is described using the Improved Vulnerability Assessment Framework, which is a three-step process of defining minimum essential infrastructure, identifying vulnerabilities, and prioritizing vulnerabilities for remediation.
This document discusses risk assessments and managing third-party risk. It provides an overview of Optiv, a security consulting firm, and their services including risk management, security operations, and security technology. It then covers topics like the evolution of the CISO role, enterprise risk management, assessing assets, threats, vulnerabilities, and controls. The document provides methods for evaluating risk like the risk equation and risk register. It also discusses managing risk from third parties and cloud providers through due diligence and risk tiers based on the relationship and inherent risks.
This document provides guidance on making the right technology investment decisions by balancing risk and debt. It discusses calculating your existing technology debt, questions to ask suppliers, and how to make technology decisions. Key aspects covered include understanding when decisions to delay upgrades incur debt, assessing the "interest rate" of that debt, and classifying risk based on a technology's readiness level. The document emphasizes that technology decisions ultimately depend on building trust with suppliers.
This document provides an overview of information security risk management. It defines risk management as identifying risks, their owners, probability, impact, suitable mitigations, and contingency plans. The objectives of information security risk management are ensuring risks to confidentiality, integrity, availability, and traceability of information are effectively managed. Common problems with risk management include poor risk descriptions, ineffective mitigation actions, and a reactive rather than proactive approach. The document outlines identifying risks from sources like cloud computing and third parties, recording risks in a risk register, assigning owners, and monitoring mitigation progress.
This document discusses risk management in information technology. It begins with introductions and an agenda. It then covers IT management basics like strategy, operations, and project management. It defines IT risks as the possibility that IT will not be able to deliver required capabilities. It discusses identifying, analyzing, planning for, tracking, controlling, and communicating risks. It provides an example of managing application support risks and a case study on a project to improve service excellence at an organization.
This document discusses risk management in the software industry. It outlines the importance of risk management, including its role in frameworks like CMMI, ISO 20000, TL 9000, and ITIL. It then describes the typical risk management process, which involves defining a risk management strategy, identifying and analyzing risks, and handling risks through mitigation plans. Finally, it lists common activities in risk management, such as identifying risk sources and categories, evaluating risks, developing mitigation plans, and implementing those plans through risk monitoring.
The document discusses designing next-generation threat identification solutions. It summarizes traditional threat modeling approaches and identifies challenges, such as incomplete threat coverage, inability to follow processes rigorously, and lack of suitability for new development scenarios. It proposes key elements for new solutions, including making the business the driver, empowering developers, using continuous and customizable processes, and taking a collaborative approach. The goals are to address resource constraints, conduct analysis throughout product lifecycles, and standardize flexible processes for different teams and products.
Introduction to Risk Management FundamentalsToño Herrera
This document provides an overview of risk management concepts including definitions of risk management, risk, the risk management process, risk identification, estimation, evaluation, treatment, and residual risk. It discusses qualitative and quantitative approaches to risk estimation and outlines the risk management process as establishing context, risk identification, analysis, evaluation, and treatment. It also defines risk appetite and tolerance.
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
Risk analysis and management helps organizations improve security and protect sensitive information. The document outlines steps taken to analyze risks at Digital Zone Corporation, an IT services company. It identifies assets, threats, vulnerabilities, and recommends security policies, employee training, and contingency plans to reduce risks like data breaches or system failures. Assessment tools evaluated networks and hosts, finding vulnerabilities to inform countermeasures that lower overall organizational risk.
The document provides an overview of the CISSP certification course. It outlines the 8 domains that will be covered in the CISSP certification exam: Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. It also provides details about the exam such as the number of questions, time limit, and materials allowed.
This document discusses risk management in project management. It explains that risk identification, probability assessment, and impact estimation are important activities for risk analysis. Risks can be proactively or reactively managed. Proactive management involves formal risk analysis and addressing root causes, while reactive management involves responding to risks as they occur. Key aspects of risk management include identifying risks, analyzing their probability and impact, developing a risk table to plan mitigation strategies, and continuously monitoring and managing risks throughout the project lifecycle.
The document defines risk and issue, outlines the risk lifecycle and management cycle, and provides details on risk identification, analysis, assessment, and management. Key points include:
- A risk is a potential future event that could negatively impact objectives, while an issue is a current problem.
- The risk management cycle includes identifying risks, assessing them, selecting strategies, implementing controls, and monitoring/evaluating.
- Risk identification involves knowing the organization's assets and sources of risk. Risk analysis assesses the likelihood and impact of risks.
MCGlobalTech presentation to manufacturing sector executives on managing cybersecurity risks by implementing an enterprise information security management program.
The document discusses security solutions and services offered by Connection to help organizations address increasing cyber threats. It describes Connection's approach of assessing vulnerabilities, developing risk management strategies, and implementing unified security stacks and managed security services to continuously protect, detect, and react to threats. Connection's experts can help organizations understand and prioritize security risks, implement appropriate solutions, and manage security programs on an ongoing basis.
This document provides an overview of ISO 27005, which provides guidelines for information security risk management. It discusses establishing the context for risk management, assessing risks, treating risks, and monitoring the risk management process on an ongoing basis. Key activities covered include risk identification, analysis, evaluation, and acceptance criteria. Qualitative and quantitative risk analysis methodologies are described. The goal is to take a systematic approach to identify security needs and risks in order to create an effective information security management system.
Risk Identification is the process of determining risks that could affect a project. Participants include the project manager, team, risk management team, subject matter experts, customers, end users, and other stakeholders. Risks are identified through iterative processes as the project progresses. Inputs include the project scope statement, risk management plan, and project management plan. Tools used include documentation reviews, brainstorming, checklists, and diagrams. The output is a risk register listing identified risks, potential responses, and risk categories.
The CRISC certification validates experience in building a well-defined, agile risk management program based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks. The certification focuses on four domains: governance (26%), IT risk assessment (20%), risk response and reporting (32%), and information technology and security (22%). Maintaining the CRISC certification demonstrates skills and knowledge in using governance best practices and continuous risk monitoring and reporting to enhance business resilience and stakeholder value.
This lecture provides short and comprehensive view of software project and risk management. It has basic examples and calculations which is main concern of software project manager. This lecture helps to understand basics of risk management.
This document discusses principles of risk management from a textbook on information security. It describes approaches for identifying risks, assessing their likelihood and impact, and selecting risk mitigation strategies. Key strategies discussed include risk defense, transfer, mitigation, acceptance, and termination. The document also covers how to justify controls using a cost-benefit analysis and benchmarks for best practices.
This document discusses project risk management for an IT project management course. It defines risk management and identifies key risk management processes: planning, identification, analysis, response planning, and monitoring/control. Various risk analysis techniques are described like probability/impact matrices and decision trees. The goal of risk management is to minimize negative risks while maximizing positive opportunities through risk avoidance, acceptance, transference, or mitigation strategies.
Kumar Bishwakarma gave a presentation on the basics of risk management. He discussed (1) reactive and proactive risk handling strategies, with reactive focusing on problems after they occur and proactive identifying risks in advance. He also covered (2) software risks like project, technical, business, known, predictable and unpredictable risks. Finally, he explained the process of (3) risk identification, projection, assessment, refinement, and developing a risk management, mitigation, monitoring and management plan to address risks throughout a project.
Webinar - Building Team Efficiency and EffectivenessInvensis Learning
Wouldn’t it be great if you could get to better ideas faster? If you learn to master just two thinking skills, you can! Many of the PMI supported tools have origins in creativity. As such, these tools are best leveraged when you apply divergent thinking (to generate) or convergent thinking (to narrow). This session will explore the principles of divergent and convergent thinking and provide examples of techniques to maximize their power in decision making, problem solving and performance feedback.
Connection's Security Practice offers solutions and services to counteract increased cybersecurity risks. They take a comprehensive approach focusing on protection, detection and reaction. Their experts assess vulnerabilities, develop prioritized remediation plans, and implement the right security solutions. They also provide managed security services for ongoing monitoring and risk management.
Connection's Security Practice offers solutions and services to help organizations address increasing cybersecurity threats and risks. They take a comprehensive approach focusing on protecting systems, detecting security issues, and reacting quickly to potential breaches. Their services include security assessments, risk analysis, implementation of security solutions, and ongoing managed security services to help organizations manage threats continuously. They take a unified approach considering people, processes, technology, and the overall security lifecycle to help organizations define and manage security risks.
This document provides an introduction to information systems risk management. It defines key risk management terms like risk, threat, vulnerability, likelihood, and impact. It explains the processes of risk assessment, including qualitative and quantitative approaches. It also outlines strategies for managing risks, including mitigation, transference, acceptance, and avoidance. Effective communication of risks and implementation of risk management strategies through a Plan of Action & Milestones is discussed as important aspects of the overall risk management process.
This document provides an overview of project risk management. It defines risk as the possibility of suffering loss and discusses how risk changes throughout a project's life. Key aspects of risk management are identified, including risk identification, assessment, response planning, monitoring and control. Various risk management techniques are described, such as risk maps, hazard control matrices, and defining risk ownership. The document emphasizes that effective risk management can help improve project success.
The presentation about Project Risk Management conducted by Mr. Mohamad Boukhari for the project management community in Lebanon during PMI Lebanon Chapter monthly lecture.
Similar to Microsoft InfoSec for cloud and mobile (20)
NexGen Solutions for cloud platforms, powered by GenQAIVijayananda Mohire
This is our next generation solutions powered by emerging technologies like AI, quantum computing, Blockchain, quantum cryptography etc. We have various offers that can help improved productivity, help automate and improve ease of doing business. We offer cloud based solutions and have a Hub to interface major cloud platforms.
This is our project work at our startup for Data Science. This is part of our internal training and focused on data management for AI, ML and Generative AI apps
This is our contributions to the Data Science projects, as developed in our startup. These are part of partner trainings and in-house design and development and testing of the course material and concepts in Data Science and Engineering. It covers Data ingestion, data wrangling, feature engineering, data analysis, data storage, data extraction, querying data, formatting and visualizing data for various dashboards.Data is prepared for accurate ML model predictions and Generative AI apps
Considering the need and demand for high quality digital platforms that can help clients to get the most of the newer technology, we have proposed an IT Hub that allows for rapid on boarding of clients to various modules on a need basis, allowing them to subscribe to modules they need only. We have various modules.
This document offers a high level overview of our IT Hub that offers various modules allowing for clients to onboard faster and get the benefits of a large set of vendor products, tools, IDE related to AI, Quantum and Generative AI technologies.
This is my hands-on projects in quantum technologies. These are few of the key projects that I worked with that demonstrates my skills in using various concepts, tools, IDE and deriving the solutions by using quantum principles like superposition, and entanglement along with quantum circuits in realizing the concepts
Azure Quantum Workspace for developing Q# based quantum circuitsVijayananda Mohire
This document provides steps to develop quantum circuits using Q# on Azure Quantum. It instructs the user to create an Azure subscription, log into the Azure portal, create a Quantum Workspace, and provision storage. It then explains how to define Q# operations, simulate them locally using %simulate, connect to the Azure Quantum workspace with %azure.connect, specify an execution target with %azure.target, submit jobs with %azure.submit, check job status with %azure.status, retrieve outputs with %azure.output, and view all jobs with %azure.jobs. An example quantum random number generation program written in Q# is provided.
This is my journey taken from year 2012 on wards, after graduation in my MS with major in AI. I have taken various certification courses, trainings, hands-on labs; few key ones are from Google, and Microsoft.
Agricultural and allied industries play a vital role in the progress of a nation and sustainable economic growth. Farmers play a vital role in this progress. Their hard work and efforts need to be praised and possibly offer them various tools and digital assets that can automate some of their various repetitive tasks such as back office operations, crop monitoring, and post-harvesting routines that might divert the attention of farmers from their core job.
We, at Bhadale IT have developed various products and services that are revolutionary and can offer effective solutions with our industrial partnerships with digital technology leaders like Intel and Microsoft. We have drafted this solution brief to illustrate our products and service offerings for the agricultural industry. We can tailor make highly customized solutions to meet individual project and farmer needs that can include use of various technologies like artificial intelligence, machine learning, data science and related machinery like drones and geo-spatial datasets and various information that can offer precise farming techniques and use of technology in improving production, improvised use of fertilizers, organic farming and reduced crop loss due to rodents, insects and regional diseases.
The focus of this solution is for farmers to adopt and migrate to digital cloud platform to Microsoft Azure that can boost quality and quantity of crop production and improve their supply chain and offer faster and mature downstream business operations.
This is our cloud offerings based on our partnership and relationship with Intel and Microsoft. We offer highly optimized Intel motherboards, memory, and software stack that is best suited for Azure cloud platform and can handle various types of models (IaaS, PaaS, SaaS) and Azure workloads in the public or private cloud.
Explore the fundamentals of GitHub Copilot and its potential to enhance productivity and foster innovation for both individual developers and businesses. Discover how to implement it within your organization and unleash its power for your own projects.
In this learning path, you'll:
Gain a comprehensive understanding of the distinctions between GitHub Copilot for Individuals, GitHub Copilot for Business, and GitHub Copilot X.
Explore various use cases for GitHub Copilot for Business, including real-life examples showcasing how customers have leveraged it to boost their productivity.
Receive step-by-step instructions on enabling GitHub Copilot for Individuals and GitHub Copilot for Business, ensuring a seamless integration into your workflows.
Practical ChatGPT From Use Cases to Prompt Engineering & Ethical ImplicationsVijayananda Mohire
This journey provides learners with a thorough exploration of ChatGPT, starting with an introduction to large language models and their capabilities, the series progresses through practical applications, advanced techniques, industry impacts, and important ethical considerations. Each course aims to equip learners with an in-depth understanding of the model, its functionality, and its wide-ranging applications.
Red Hat Enterprise Linux (RHEL) and Hybrid Cloud Infrastructure. Products that are developed for multi-cloud hybrid platform enabling seamless integration and portability of workloads across Red Hat and partner Infrastructure, public and private clouds.
Learners will be exposed to the foundations of Red Hat, Red Hat Enterprise Linux (RHEL) portfolio including Hybrid Cloud Infrastructure, how to identify target customers, distinguish Red Hat solutions from the competition, review key use cases, align to the sales conversation framework for positioning the solutions, and much more!
Upon completing this learning path, learners will receive the Red Hat Sales Specialist - Red Hat Enterprise Linux accreditation and be prepared to advance to the Red Hat Sales Specialist - Red Hat Enterprise Linux II learning path
This is my annual learning at Red Hat related to accreditation and courses at Red Hat partner training portal.
Learners will be exposed to the foundations of Red Hat, Red Hat Enterprise Linux (RHEL) portfolio including Hybrid Cloud Infrastructure, how to identify target customers, distinguish Red Hat solutions from the competition, review key use cases, align to the sales conversation framework for positioning the solutions, and much more!
Generative AI is a cutting-edge technology that will transform nearly every business function, ranging from content creation and product design, to improving customer experience and marketing new ideas. While the benefits of Generative AI are immense, the technology has its limitations and poses some ethical considerations. In this Journey, learners of all levels will develop a shared understanding of what Generative AI is, the guardrails for use and identify of how to use, build and experiment with the technology in a responsible manner. Learners will also develop skills for leading through this disruption with empathy, while cultivating the human skills to sustain the transformation
The document provides a transcript for Vijayananda Mohire that includes their legal name, username, contact email, a list of 130+ modules completed on the Microsoft learning platform totaling over 130 hours, and descriptions of each module completed including titles, descriptions, and durations.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
3. Information Security and Risk
Management (IS&RM)
• Microsoft’s Information Security (InfoSec) organization
• Responsible for information security risk management
• Information protection, enterprise business continuity
planning
• Accelerate secure and reliable business for Microsoft,
partners and customers
• Publisher of The Security Risk Management Guide
3
4. ACE team
• The ACE (Assessment, Consulting & Engineering) team
is the assessment arm of Microsoft’s Information
Security & Risk Mgmt. (IS&RM) organization
• Provides security assessment services to both Microsoft
and Microsoft’s enterprise + public sector customers
• Shares and showcases with external customers how
Microsoft manages risks
• Learns and brings back best practices from Microsoft’s
customers
4
5. My planned contributions to ACE
Assessments
• Risk assessments – Threat modeling, business impact
analysis, threat to vulnerability pairing, qualitative/
quantitative analysis, STREAD, DREAD
• Compliance checks- ISO, HIPAA, PCI
• Due diligence – Security gap analysis, Future state model
design, constraints assessments
• Strategy - Assess the capability, maturity and roadmaps
for investments in Info Sec, business continuity , migration
to cloud
5
6. My planned contributions to ACE
Consultation
• Assist clients in achieving their goals in areas of
cloud and mobile security
• Provide advice on use of Microsoft’s security tools,
SDL based development methodology
• Assist clients’ in leveraging security frameworks
• Educate in effective use of security best practices
• Help companies in developing & establishing security
practice, programs, RFP/ RFI 6
7. My planned contributions to ACE
Engineering
• Manage installation, instrumentation of data center
components where security is in scope
•
• Manage security features in electrical cabling, power
units, physical security devices, storage areas
• Triage and delegate security issues, related to
engineering systems, motherboards
7
8. My planned contributions to ACE
Program Management
• Plan, design, develop strategies for innovative
security features for ―mobile-first, cloud-first‖
environment
• Delegate, monitor project activities based on program
needs and client feedbacks
• Manage red / blue teams related to penetration
testing / ethical hackers
• Work on internal training programs and mentor
juniors in achieving capabilities in Info Sec 8
10. Risk
What is risk ?
• Risk is a function of the
likelihood of a given threat-
source’s exercising a
particular potential
vulnerability, and the
resulting impact of that
adverse event on the
organization/asset
10
11. Threat-sources
• Accidental / intentional disclosure
• Alteration of licensed IT components
• System Configuration errors
• Network errors
• Equipment malfunction
• Natural disaster
• War
11
12. Vulnerability
• A flaw or weakness in
system security
procedures, design,
implementation, or
internal controls
• This could be
exercised (accidentally
triggered or intentionally
exploited) and result in
a security breach or a
violation of the system’s
security policy
12
13. Risk assessment
• Risk is assessed by identifying threats and
vulnerabilities, then determining the likelihood and
impact for each risk
• Broadly two types
1. Quantitative risk assessment
2. Qualitative risk assessment
13
14. Quantitative risk assessment
• By assigning values to information, systems, business
processes, recovery costs, etc., impact, and therefore
risk, can be measured in terms of direct and indirect
costs
• Mathematically, quantitative risk can be expressed as
Annualized Loss Expectancy (ALE)
14
15. Quantitative risk assessment
ALE = SLE * ARO
Where:
• ALE is the expected monetary loss that can be
expected for an asset due to a risk being realized over a
one-year period
• SLE (Single Loss Expectancy) is the value of a single
loss of the asset. This is the impact of the loss
•
• ARO (Annualized Rate of Occurrence) is how often the
loss occurs. This is the likelihood
15
16. Qualitative risk assessments
• Qualitative risk assessments typically give risk
results of ―High‖, Moderate‖ and ―Low‖.
• By providing the impact and likelihood definition
tables and the description of the impact, it is possible
to adequately communicate the assessment to the
organization’s management
16
17. Impact and likelihood table
Tabulating the variables to determine the criticality
of the risk that need to be prioritized and addressed
17
18. Relating threats to vulnerabilities
• Establishing the relationship is
a mandatory activity, since
risk is defined as the exercise
of a threat against vulnerability
• This is often called threat-
vulnerability (T-V) pairing
• For instance, a threat of ―flood‖
obviously applies to a
vulnerability of ―lack of
contingency planning‖
18
19. How is risk managed?
• There are four basic strategies for
managing risk: mitigation,
transference, acceptance and
avoidance
• For each risk management
strategy, the cost associated with
the strategy and the basic steps
for achieving the strategy (known
as the Plan Of Action &
Milestones or POAM) must also
be determined
19
20. Mitigation
• Mitigation is the most commonly
considered risk management
strategy
• Mitigation involves fixing the
flaw or providing some type of
compensatory control to reduce
the likelihood or impact
associated with the flaw
• A common mitigation for a
technical security flaw is to
install a patch provided by the
vendor 20
21. Transference
• Transference is the process of allowing another party to
accept the risk on your behalf
• This is not widely done for IT systems, however cloud
models provide an opportunity
• Using SaaS, PaaS cloud models, some amount of risk
is being transferred to CSP – cloud service provider
21
22. Acceptance
• Acceptance is the practice of
simply allowing the system to
operate with a known risk
• Many low risks are simply
accepted
• Risks that have an extremely
high cost to mitigate are also
often accepted
22
23. Avoidance
• Avoidance is the practice of
removing the vulnerable
aspect of the system or even
the system itself
• Example is removing a legacy
admin system that is causing
hi-impact errors in operations
23
25. Communicating risks
• A Plan Of Action & Milestones (POAM) should be
part of the risk assessment report presented to
management
• The POAM is a tool to communicate to management
on the proposed and actual completion of the
implementation of the risk management strategies
25
28. Framing risk
• Risk framing establishes the context and provides a
common perspective on how organizations manage risk
•
• Risk framing, as its principal output, produces a risk
management strategy that addresses how
organizations intend to assess risk, respond to risk, and
monitor risk
• Mainly senior leaders, program manager at Tier 1 & 2
are responsible
28
29. Risk assessment
• Risk assessment identifies, prioritizes, and
estimates risk to organizational operations (i.e.,
mission, functions, image, and reputation),
organizational assets, individuals, other
organizations, and the Nation
• All tiers provide their reports to the security officer
for further action plan
29
30. Risk response
• Risk response identifies, evaluates, decides on, and
implements appropriate courses of action to accept,
avoid, mitigate, share, or transfer risk to organizational
operations and assets, individuals, other
organizations, and the Nation
• Typically occurs at Tier 1 or Tier 2, with feedbacks
from Tier 3
30
31. Risk monitoring
Risk monitoring provides organizations with the means
to:
(i) verify compliance
(ii) determine the ongoing effectiveness of risk
response measures; and
(iii) identify risk-impacting changes to organizational
information systems and environments of operation
31
32. Information technology continuity plan
Conduct a business impact analysis to identify:
1. Critical IT resources
2. Outage impacts and allowable outage times
3. Protocols to provide uninterrupted power by using
UPS devices, power
4. Store backup data in a secure and protected offsite
location
5. Develop recovery strategies that allow critical IT
resources to be recovered within 24 hours.
6. Document the recovery strategy
32
34. General risk assessment tools
• National Institute of Standards & Technology (NIST)
Methodology – US Federal based
• OCTAVE
®
- The Software Engineering Institute (SEI) at
Carnegie Mellon University developed the Operationally
Critical, Threat, Asset and Vulnerability Evaluation
(OCTAVE) process
• FRAP - The Facilitated Risk Assessment Process (FRAP)
is the creation of Thomas Peltier. FRAP uses formal
qualitative risk analysis methodologies using Vulnerability
Analysis, Hazard Impact Analysis, Threat Analysis and
Questionnaires
34
35. General risk assessment tools
• COBRA - The Consultative, Objective and Bi-functional
Risk Analysis (COBRA) process was created by C & A
Systems Security Ltd.. Risk assessment is a business
issue rather than a technical issue, tools that can be
purchased and utilized to perform self-assessments of
risk
• Risk Watch- Uses an expert knowledge database to
walk the user through a risk assessment and provide
reports on compliance as well as advice on managing
the risks
35
41. Microsoft’s STRIDE threat categories
• Spoofing identity – pose as another user
• Tampering with data – malicious modification of data
• Repudiation – can the action (prohibited action) be traced?
• Information disclosure – disclose of information to
individuals who aren’t supposed to have it
• Denial of service – deny access to valid users (e.g.
consume all the CPU time)
• Elevation of privilege – unprivileged user gains privileged
access (becomes part of the trusted system)
41
42. Microsoft’s DREAD model to rank threat’s
severity
• Damage potential: The extent of the damage if
vulnerability is exploited
• Reproducibility: How often an attempt at exploiting
vulnerability works
• Exploitability: How much effort is required? Is
authentication required?
• Affected users: How widespread could the exploit
become?
• Discoverability: The likelihood that the researcher or
hacker will find it
42
43. Security development lifecycle (SDL)
• SDL is a software development process that helps
developers build secure code, address compliance
43
44. SDL tools
Requirements tools
• Microsoft Solutions Framework (MSF) for Capability
Maturity Model Integration (CMMI) / Microsoft
Solutions Framework (MSF) for Agile
Design tool
• Microsoft Threat Modeling Tool 2014 / 2016
44
46. SDL tools
Verification tools
• BinScope binary analyzer- binary files
• SDL Regex fuzzer – tests reg. exp for DoS
• SDL MiniFuzz file fuzzer-detects file-handling flaws
• Attack surface analyzer-detect changes in OS, ACL,
registry, Active-X control
• Application verifier-runtime verification tool for native
code 46
47. SDL tools
Release tools
SDL process template- integrates the policy,
process, and tools associated with Microsoft SDL
Process Guidance version 4.1 directly into your
VSTS
47
48. Azure network security
• VNet for isolation of VMs
• ACL and NSG – for access control at VM and subnet
level
• Azure Virtual Filtering Platform (VFP) exposes an easy-
to-program interface to network agents that act on behalf
of network controllers and packet processing on each
host running in the datacenter
• Service endpoint and azure fabric level security
mechanism
48
49. Security for mobile-first, cloud-first world
• Office 365 app permissions - ability to approve or revoke
permissions
• Azure AD Identity Protection - prevents the use of
compromised credentials
• Microsoft Cloud App Security - new advanced security
capability
• Customer Lockbox - integrates the customer into the
approval process
• Azure Security Center- Centralized security policy at the
subscription level+ Resource Group level ( tailored as per
workloads)
49
50. Security for mobile-first, cloud-first world
• Azure Active Directory Identity Protection - detects
suspicious act, user risk severity is calculated and risk-
based policies can be configured at user level
• WindowsAzure.MobileServices.Backend.Security-
security extensions for your .NET mobile backend (
controller code level permissions)hosted in Microsoft
Azure
• System Center 2012 and InTune- mobile device
management (MDM), BYOD policies, remote wipe out
of data in case of theft
50
55. The Payment Card Industry Data Security
Standard (PCI DSS)
• PCI DSS provides a baseline of technical and
operational requirements designed to protect
cardholder data
• PCI DSS applies to all entities involved in payment
card processing—including merchants, processors,
acquirers, issuers, and service providers
55
57. The Payment Card Industry Data Security
Standard (PCI DSS)
AUDIT TESTING
57
58. Disclaimer
• Logos, images, text have been referenced from various sources
like NIST, SANS, PCI journals, David Chappell, Microsoft
websites, and internet data that is freely available. Full rights
belong to the individual owners. References are made strictly for
educational and illustration purposes only and for non-commercial
use. Please take advice of original authors before using them. I
am not responsible for any damages, monetary loss arising from
the use of this document
58