The document defines risk and issue, outlines the risk lifecycle and management cycle, and provides details on risk identification, analysis, assessment, and management. Key points include: - A risk is a potential future event that could negatively impact objectives, while an issue is a current problem. - The risk management cycle includes identifying risks, assessing them, selecting strategies, implementing controls, and monitoring/evaluating. - Risk identification involves knowing the organization's assets and sources of risk. Risk analysis assesses the likelihood and impact of risks.

2. • RISK DEFINITION: A Risk is a potential or future event that, should it occur,
will have a (negative) impact on the Business Objectives of an Organisation
o A risk must have Uncertainty, (in terms of Probability or Likelihood). It
might happen
o A risk must have a measurable Impact, (usually measured in monetary
terms, but other criteria are acceptable, reputation for example)
o “It May Rain Tomorrow”
• ISSUE DEFINITION: An Issue is a current event that will have a (negative)
impact on the Business Objectives of an Organisation
o E.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an
Equipment or Supplier failure
o “It is Raining Today”
RISK DEFINITIONS

3. 3
Risk Life Cycle
Threat Agent
Vulnerability
Risk
Asset
Exposures
Safeguard
Exploits
Leads to
Can damage
And cause an
Can be
countermeasured by a

4. 4
Risk Management Cycle
Identify Risks
Assess Risks
Define Desired
Results
Select Strategy
Implement
Strategy
Monitor
Evaluate and
Adjust
The Process
is iteration
•The Processes are organized
• Each Step output considered
as an input for the next step
Risk
Control
Risk
Assessment

5. 5

6. 6
Risk Identification
What is the purpose of this phase ?
• The aims of this phase is to identify , classify
and prioritizing the organization’s information
assets ( Know ourselves) and identify all
important types and sources of risk and
uncertainty (know our enemy), associated with
each of the investment objectives.
• This is a crucial phase. If a risk is not identified
it cannot be evaluated and managed

7. 7
Information Assets
IS
Components
People Procedures Data
Transmission
HW
SW
Employees
Non-
employees
People at
trusted
organizations
Authorized
Staff
Other staff Strangers
Standard
Procedures
Sensitive
Procedures
Process
Storage
Application
OS
Security
Component
System
Devises
Net Work

8. 8
Primary sources
of Risk Items
Human Threats
Environmental
Threats
Outside &
Natural Threats
network
based attacks
virus infection,
unauthorized access
floods
Earthquakes
hurricanes
Power failure,
pollution

9. Risk Analysis
• requires an entity to, conduct an accurate and
thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and
availability of electronic protected information
held by the entity.
• Risk analysis, which is a tool for risk management,
is a method of identifying vulnerabilities and
threats, and assessing the possible damage to
determine where to implement security
safeguards

10. 10
Risk Assessment
• For each identified component & risk, which has a 'clearly significant'
or 'possibly significant' position, each should be assess to establish
qualitatively and Estimate the value

11. 27/05/1444 11
What is Risk Assessment ?
• Assessing risk is the process of determining the
likelihood of the threat being exercised against the
vulnerability and the resulting impact from a successful
compromise , i.e determine the relative risk for each of the
vulnerabilities
• Risk assessment assigns a risk rating or score to each
specific information asset, useful in evaluating the relative
risk and making comparative ratings later in the risk control
process.
• Although all elements of the risk management cycle are
important, risk assessments provide the foundation for other
elements of the cycle. In particular, risk assessments provide
a basis for establishing appropriate policies and selecting
cost-effective techniques to implement these policies

12. 12
Methods of Risk Assessment
There are various methods assessing risk,
First : Quantitative risk assessment :
generally estimates values of Information Systems components as ;
information, systems, business processes, recovery costs, etc., risk
can be measured in terms of direct and indirect costs , based on
(1) the likelihood that a damaging event will occur
(2) the costs of potential losses
(3) the costs of mitigating actions that could be taken.

13. 13
This approach can be taken by defining
– Risk in more subjective and general terms such as high,
medium, and low.
– In this regard, qualitative assessments depend more on the
expertise, experience, and judgment of those conducting the
assessment.
• Qualitative risk assessments typically give risk results of “High”,
“Moderate” and “Low”. However, by providing the impact and
likelihood definition tables and the description of the impact, it is
possible to adequately communicate the assessment to the
organization’s management.
Second : Qualitative Risk Assessment

14. 14
Third :Quantitative and Qualitative
– It is also possible to use a combination of quantitative and
qualitative method

38. • The identification of Risks and their management by defining:
 The Risk Description
 The Risk Owner
 The Probability of the Risk Event occurring
 The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a
Business Objective
 The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk
Event occurring with relation to their costs and the reduction of Risk Exposure
 The Contingency Plan to recover the Asset once risk is manifested
 An understanding of Corporate Risk Appetite and where appropriate the application
of Risk Tolerance
WHAT IS RISK MANAGEMENT?

39. To ensure that all risks to the Business
however they are derived are
managed effectively.
• This includes:
• Strategic Risks
• Programme and Project Risks
• Operational Risks (includes Security
and Business Continuity Risks)
OBJECTIVES OF GENERIC RISK MANAGEMENT
Operational Level
(Business as Usual)
Change
Level
Operational
Risk Register
Information
Security Risk
Register
BAU
Business
continuity
Strategic
Level
Strategic
Risks
Programme/Project Risks
Operational Risks
Project Risk
Register
Strategic Risk Register

40. To ensure that the risks to the Organisation that are derived from,
Incidents, Threats, Vulnerabilities and Audit non-compliances are
managed effectively.
In Security Terms these are those risks that impact the:
• Confidentiality,
• Integrity,
• Availability, and the
• Traceability of Information whilst:
• At rest
• Whilst being modified
• In transit (around a system, e-mail, media device, telephone etc.)
OBJECTIVES OF INFORMATION SECURITY
RISK MANAGEMENT

41. Incident Management
Audit Non-Compliances
Problem Management
Threat Management
Vulnerability Management
Exception / Waiver Management
! However, they can be the Source of Infosec
So, these are issues, NO uncertainty!
WHAT IS NOT RISK MANAGEMENT?

44. RISK MATRIX
IMPACT
High Medium High High
Medium Low Medium High
Low Low Low Medium
Low Medium High
LIKELIHOOD

46. COMMON PROBLEMS
(MISUNDERSTANDINGS)?
• Poor Risk Descriptions (Risk vs Issue and
Impact confusion) (Qualification vs
Quantification)
• Unachievable, ineffective and
disproportionate Mitigation Actions
• Poor Control, risk owner vs risk
mitigation owner. Stakeholder
Involvement
• Reactive vs Proactive Approach
• Reliance on Incidents, Threat and
Non-Compliance Management
(Reactive)
• Proactive Risk Identification
Workshop based on Success Criteria
SO WHAT!
• Risks occur that could have been
managed
• Impact on Assets not understood (BIA,
CMDB)
• Mitigation Action Costs do not reflect the
Risk Exposure Reduction
• Systems fail, business and revenue lost,
• Corporate data is unavailable when
required – Loss of Business
• Regulator penalties, reputational damage
occurs
• Loss of Customer base and confidence
• Loss of IPR.
PROBLEMS WITH RISK MANAGEMENT

47. o Mitigations or Controls are primarily used to prevent the occurrence of a risk
or to reduce the Probability of Risk occurrence - (Reduce Probability).
o This is why it is so important to describe the risk event clearly.
o Contingency Plans address the Impact of the Risk plans and are used to
recover a system from the effect of a risk should it occur, a mini BCP -
(Reduce Impact)
o This is why it is so important to clearly describe the risk impact separately from
the risk description
MITIGATION PLANS & CONTINGENCY PLANS

48. o Proliferation of BYOD and smart devices
o Cloud computing
o Outsourcing of critical business processes to a third party (and lack of
controls around third-party services)
o Disaster recovery and business continuity
o Periodic access reviews
o Log reviews
SOURCE: Cyber-security - What the Board of Directors need to ask?,
IIARF Research Report, 2014
SOURCES OF CYBER SECURITY RISKS

49. o Application vulnerabilities
o Remote access.
o Ineffective patch management
o Weak network security/flat networks
o Lack of real-time security monitoring
o Third parties
o Lack of a data retention policy
SOURCE: HANS HENRIK BERTHING
Cyber Assurance and the IT Auditor Nov 2014
COMMON CYBER-CRIMINAL ATTACK VECTORS

50. Select appropriate Controls / use Security Standards:
ISO27000
PCI DSS
COBIT
HIPAA
WHERE TO START?

51. 1. Create risk reporting awareness for the workforce
2. Make it easy, create a simple Risk Submission form
3. Assess the risk submission, ask questions
4. Ensure it is a RISK, not an issue, a service request, a change request 
ENCOURAGE RISK REPORTING

52. 1. Record in a Risk Register
2. Describe the RISK
3. Assess the Likelihood, Impact, and risk rating
4. Agree recommended Risk Mitigation / Treatment
5. Establish a contingency position if possible
6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7. Agree a Mitigation Owner
8. Obtain a decision (Reduce, Accept, Avoid, Transfer)
9. Monitor mitigation progress until target risk is achieved – retain awareness
of closed or mitigated risks
10. Produce monthly status reports
MANAGE THE RISKS…