Barry Caplin, profile picture
Uploaded byBarry Caplin
PPT, PDF4,037 views

Risk Management 101

This document summarizes a presentation on risk management 101. It defines key terms like threat, vulnerability, risk, and types of risk. It outlines the components of risk management frameworks including identifying threats, assessing risk, evaluating options, and taking action. It discusses different risk management standards and frameworks. Finally, it provides an overview of information risk management practices at the Minnesota Department of Human Services.

Embed presentation

Downloaded 129 times
Risk Management 101 Barry Caplin Chief Information Security Officer MN Department of Human Services MN Government IT Symposium Thurs. Dec. 13, 2007 Session 74
Agenda In the beginning… Definitions – Threat, Vulnerability, Risk Types of Risk Risk Management components Frameworks and standards Information Risk Management at DHS
In The Beginning…
In The Beginning… There were Humans…
In The Beginning… And Beasts…
And the concept of Risk was born...
Risk Always been with us Viewed as a negative Attempt to reduce
Magic?
Definitions
Threat Defn : Source or warning of probable impending danger (Actor) - wikipedia Direct/Intended – malicious hacker, thief, malware Indirect/Unintended – user, weather Person or Thing Task : Must analyze assets and environment to determine threats
Vulnerability Defn : the state of being exposed; liable to succumb – dictionary.com Measures – physical, financial, operational Task : Must analyze vulnerability to identified threats
Impact Defn : to effect, influence or alter – dictionary.com Measures – cost, time delays, damage Task : determine impact of action of threat to which we are vulnerable
Threat, Vulnerability, Impact => Risk (probability of event × impact = risk)
Risk Defn : Exposure to the chance of injury or loss (Event) – dictionary.com Based on action of threat Components: Probability of occurrence Impact of event Task : Identification and Disposition Accept (or Ignore) Mitigate Transfer
Types of Risk Prof. John Adams, University College London UK risk expert Direct – directly perceived – obvious Scientific – determined via science Virtual Risk – everything else!
D irectly perceived
Types of Risk Perceived through science
Types of Risk Virtual Risk What we are all involved in! Project risk/Operational risk Physical/Data security risk Terrorism/Homeland Security Weather
Virtual Risk Virtual Risk Difficult to “prove” Experts don’t know or do not agree We don’t know what we don’t know
Risk Management A discipline for living with the possibility that future events may cause adverse effects. http://www.sei.cmu.edu/risk/index.html
Risk Management The iterative framework and processes for: Identifying threats (imagining virtual threats) Assessing Evaluating options Acting.
Identify Threats Research Survey Brainstorm
Assess Threat Assessment Vulnerability Assessment Impact Assessment Risk Assessment Qualitative – subjective scoring Quantitative – objective or measured values
Disposition of Risk Accept (or Ignore) – what is the? Mitigate – what is the cost? Transfer – via contract or insurance – what terms? Cost?
Economics of Risk Management Cost of control < Cost of loss Cost of compliance (pain) < Cost of circumvention (gain)
Ineffective Risk Mitigation
Evaluate and Act Risk Management Committee or SMT Document decisions Get it done!
Frameworks for Risk Management CarnegieMellon (CMU SEI) – software NIST/FISMA – information systems CRESP – Consortium for Risk Evaluation with Stakeholder Participation - nuclear COSO – Committee Of Sponsoring Organizations – info systems COBIT – Control Objectives for IT SOMAP – Security Officers Management & Analysis Project – Open Information Security RM Handbook OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation Commercial - many
Treasury Board of Canada Integrated Risk Management Framework – 2001 “ Risk-Smart” Workforce and Environment 4 Elements: Develop Risk Profile Establish organizational function Practice and integrate Ensure continuous learning http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rmf-cgr01-1_e.asp
Security and Risk Management Security is a subset of Risk Management RM -> Security Solutions -> Compliance Security/Business balance Act on appropriate risks Consider the “costs”
At DHS Information Risk Management at DHS Based on elements of NIST, COBIT and OCTAVE SLM – Security Lifecycle Management Information Policy, Awareness and Compliance Business Continuity Planning
Resources Information Risk Management at DHS CMU SEI – www.sei.cmu.edu/risk COBIT – www.isaca.org /cobit COSO – www.coso.org CRESP – www.cresp.org NIST/FISMA – csrc.nist.gov SOMAP – www.somap.org OCTAVE – www.cert.org /octave Prof. John Adams – john- adams.co.uk
Discussion?

More Related Content

PPTX
2010; Risk Management Workshop Rev.1.1
byMuhammad Ector Prasetyo
 
PPTX
Risk Management
byStefan Csosz
 
PDF
Enterprise Risk Management - Aligning Risk with Strategy and Performance
byResolver Inc.
 
PDF
127017438_RMA_OperationalRiskAppetite_v1.0
byRachael Phelan
 
PPTX
Risk management
bybaderali2141
 
PPTX
Mastering Information Technology Risk Management
byGoutama Bachtiar
 
PDF
04 enterprise risk management telkom 2011 technical risk assessment
bywisnu wardhana, i nyoman
 
PPT
Operational risk & incident reporting
byShivaLeela Choudary
 
2010; Risk Management Workshop Rev.1.1
byMuhammad Ector Prasetyo
 
Risk Management
byStefan Csosz
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
byResolver Inc.
 
127017438_RMA_OperationalRiskAppetite_v1.0
byRachael Phelan
 
Risk management
bybaderali2141
 
Mastering Information Technology Risk Management
byGoutama Bachtiar
 
04 enterprise risk management telkom 2011 technical risk assessment
bywisnu wardhana, i nyoman
 
Operational risk & incident reporting
byShivaLeela Choudary
 

What's hot

PDF
Risk Management Overview
byJIGNESH PADIA
 
PDF
A compliance officer's guide to third party risk management
bySALIH AHMED ISLAM
 
PPTX
Risk Management
bycgeorgeo
 
PDF
Risk Appetite
byTowers Perrin
 
PDF
Fraud Risk Assessment
byTahir Abbas
 
PPT
Introduction to Risk Management
byFAA Safety Team Central Florida
 
PDF
Risk Management Process
byno suhaila
 
PDF
Risk management concepts and learning
byVanita Ahuja
 
PDF
Shaping Your Culture via Risk Appetite
byAndrew Smart
 
PPTX
Security Operation Center Fundamental
byAmir Hossein Zargaran
 
PDF
Five lines of assurance a new paradigm in internal audit &amp; erm
byDr. Zar RDJ
 
PPTX
Projectriskmanagement pmbok5
byDhamo daran
 
PPTX
Risk management
bymamta bhaurya
 
PPTX
Governance risk and compliance
byMagdalena Matell
 
PDF
Risk Overview & Risk management
bySubhendu Datta
 
PPTX
Introduction to internal auditing
byDavid Griffiths
 
PPTX
Key risk indicators shareslide
byZakaria Salah, Ph.D,MBA
 
PPTX
Governance, risk and compliance framework
byCeyeap
 
PPT
Internal Audit COSO Framework
byJesús Gándara
 
PPTX
Risk Management Training
byQuality Improvement Consulting
 
Risk Management Overview
byJIGNESH PADIA
 
A compliance officer's guide to third party risk management
bySALIH AHMED ISLAM
 
Risk Management
bycgeorgeo
 
Risk Appetite
byTowers Perrin
 
Fraud Risk Assessment
byTahir Abbas
 
Introduction to Risk Management
byFAA Safety Team Central Florida
 
Risk Management Process
byno suhaila
 
Risk management concepts and learning
byVanita Ahuja
 
Shaping Your Culture via Risk Appetite
byAndrew Smart
 
Security Operation Center Fundamental
byAmir Hossein Zargaran
 
Five lines of assurance a new paradigm in internal audit &amp; erm
byDr. Zar RDJ
 
Projectriskmanagement pmbok5
byDhamo daran
 
Risk management
bymamta bhaurya
 
Governance risk and compliance
byMagdalena Matell
 
Risk Overview & Risk management
bySubhendu Datta
 
Introduction to internal auditing
byDavid Griffiths
 
Key risk indicators shareslide
byZakaria Salah, Ph.D,MBA
 
Governance, risk and compliance framework
byCeyeap
 
Internal Audit COSO Framework
byJesús Gándara
 
Risk Management Training
byQuality Improvement Consulting
 

Viewers also liked

PDF
Risk Management 101
byWil Rickards
 
PDF
Enterprise Risk Management Framework
byNigel Tebbutt
 
PPTX
Enterprise Risk Management Erm
byNexus Aid
 
PPTX
Basic Risk Identification Techniques
byRicardo Viana Vargas
 
PPT
Enterprise Risk Management
byCroydon Consulting, LLC
 
PPTX
COSO ERM
bySophia Abigayle
 
PPTX
Risk management
byAbhi Kalyan
 
PPT
Risk identification
bymurukkada
 
PPT
Project Management 101
byMurftheSurf
 
PDF
Risk Management and Risk Transfer
byCBIZ, Inc.
 
DOCX
Enterprise risk management
byAnu Damodaran
 
PPT
Business Risks
byNCVPS
 
PPT
Corporate Social Responsibility
byShahzad Khan
 
PDF
Enterprise Risk Management 2015 PDF
byNigel Tebbutt 奈杰尔 泰巴德
 
PPTX
Risk Management 101
byKim Towne
 
PPTX
Csr and ethics
byAniket Verma
 
PDF
25 Trend Trigger card to use in your brainstorm session - by @boardofinno
byBoard of Innovation
 
PPTX
Risk 101 – Know the Unknown by Nehru Nagappan
byBCM Institute
 
PDF
Presentation to MHF Regulator on RiskView Risk Management Solutions
byPeter Lacey
 
PDF
Sexuality and Identity: Scientific Findings
byCSR
 
Risk Management 101
byWil Rickards
 
Enterprise Risk Management Framework
byNigel Tebbutt
 
Enterprise Risk Management Erm
byNexus Aid
 
Basic Risk Identification Techniques
byRicardo Viana Vargas
 
Enterprise Risk Management
byCroydon Consulting, LLC
 
COSO ERM
bySophia Abigayle
 
Risk management
byAbhi Kalyan
 
Risk identification
bymurukkada
 
Project Management 101
byMurftheSurf
 
Risk Management and Risk Transfer
byCBIZ, Inc.
 
Enterprise risk management
byAnu Damodaran
 
Business Risks
byNCVPS
 
Corporate Social Responsibility
byShahzad Khan
 
Enterprise Risk Management 2015 PDF
byNigel Tebbutt 奈杰尔 泰巴德
 
Risk Management 101
byKim Towne
 
Csr and ethics
byAniket Verma
 
25 Trend Trigger card to use in your brainstorm session - by @boardofinno
byBoard of Innovation
 
Risk 101 – Know the Unknown by Nehru Nagappan
byBCM Institute
 
Presentation to MHF Regulator on RiskView Risk Management Solutions
byPeter Lacey
 
Sexuality and Identity: Scientific Findings
byCSR
 

Similar to Risk Management 101

PPTX
Information Security Risk Management
byNikhil Soni
 
PPT
1. security management practices
by7wounders
 
PPTX
Information systems risk assessment frame workisraf 130215042410-phpapp01
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPTX
Risk Management & Threat Model in Cyber Security
bytulmuntahasidra082
 
PPTX
Information Security and Risk Management.pptx
byprembasnet12
 
PPTX
CapTech Talks Webinar April 2023 Joshua Sinai.pptx
byCapitolTechU
 
PPTX
Crash Course: Managing Cyber Risk Using Quantitative Analysis
by"Apolonio \"Apps\"" Garcia
 
PPTX
Risky Business
byMichael Scheidell
 
PPTX
Lecture 14 Risk Assessment vaadasdsadaada.pptx
byfarhanghafoor5
 
PPT
IT Policy, RISK MANAGEMENT
byUniversity of Basrah
 
PDF
IT+&+Cyber+Security+Risk+Management-3-Risk+assessment+&+measurement.pdf
byMohammed_Nagieb
 
DOCX
CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx
byAbhinav816839
 
PPTX
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
byJakeariesMacarayo
 
PPTX
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
byJakeariesMacarayo
 
PPTX
Assessing Quality in Cyber Risk Forecasting
byJack Freund, PhD
 
PPT
Risk Assessment And Management
byvikasraina
 
PDF
2023 ITM Short Course - Week 1.pdf
byDorcusSitali
 
PPTX
1234567RISK-MANAGEMENT-FOR-SECURITY.pptx
byJOHNLLOYDFERIDO
 
PPTX
Risk Management / Information Security
byNicollai Kostadinov
 
DOCX
CHAPTER 5Risk Response and MitigationIn this chapter, you will
byJinElias52
 
Information Security Risk Management
byNikhil Soni
 
1. security management practices
by7wounders
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Risk Management & Threat Model in Cyber Security
bytulmuntahasidra082
 
Information Security and Risk Management.pptx
byprembasnet12
 
CapTech Talks Webinar April 2023 Joshua Sinai.pptx
byCapitolTechU
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
by"Apolonio \"Apps\"" Garcia
 
Risky Business
byMichael Scheidell
 
Lecture 14 Risk Assessment vaadasdsadaada.pptx
byfarhanghafoor5
 
IT Policy, RISK MANAGEMENT
byUniversity of Basrah
 
IT+&+Cyber+Security+Risk+Management-3-Risk+assessment+&+measurement.pdf
byMohammed_Nagieb
 
CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx
byAbhinav816839
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
byJakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
byJakeariesMacarayo
 
Assessing Quality in Cyber Risk Forecasting
byJack Freund, PhD
 
Risk Assessment And Management
byvikasraina
 
2023 ITM Short Course - Week 1.pdf
byDorcusSitali
 
1234567RISK-MANAGEMENT-FOR-SECURITY.pptx
byJOHNLLOYDFERIDO
 
Risk Management / Information Security
byNicollai Kostadinov
 
CHAPTER 5Risk Response and MitigationIn this chapter, you will
byJinElias52
 

More from Barry Caplin

PPTX
It’s not if but when 20160503
byBarry Caplin
 
PPTX
Stuff my ciso says
byBarry Caplin
 
PPT
Accidental Insider
byBarry Caplin
 
PPTX
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
byBarry Caplin
 
PPT
Embracing the IT Consumerization Imperative NG Security
byBarry Caplin
 
PPT
3 factors of fail sec360 5-15-13
byBarry Caplin
 
PPT
Wearing Your Heart On Your Sleeve - Literally!
byBarry Caplin
 
PPTX
It’s not If but When 20160503
byBarry Caplin
 
PPT
Toys in the office 11
byBarry Caplin
 
PPTX
Dreaded Embedded sec360 5-17-16
byBarry Caplin
 
PPT
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
PPT
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
PPT
Online Self Defense
byBarry Caplin
 
PPT
Tech smart preschool parent 2 13
byBarry Caplin
 
PPTX
Healing healthcare security
byBarry Caplin
 
PPTX
CISOs are from Mars, CIOs are from Venus
byBarry Caplin
 
PPT
Bullying and Cyberbullying
byBarry Caplin
 
PPT
Teens 2.0 - Teens and Social Networks
byBarry Caplin
 
PPTX
Online Self Defense - Passwords
byBarry Caplin
 
PPT
The CISO Guide – How Do You Spell CISO?
byBarry Caplin
 
It’s not if but when 20160503
byBarry Caplin
 
Stuff my ciso says
byBarry Caplin
 
Accidental Insider
byBarry Caplin
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
byBarry Caplin
 
Embracing the IT Consumerization Imperative NG Security
byBarry Caplin
 
3 factors of fail sec360 5-15-13
byBarry Caplin
 
Wearing Your Heart On Your Sleeve - Literally!
byBarry Caplin
 
It’s not If but When 20160503
byBarry Caplin
 
Toys in the office 11
byBarry Caplin
 
Dreaded Embedded sec360 5-17-16
byBarry Caplin
 
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
Embracing the IT Consumerization Imperitive
byBarry Caplin
 
Online Self Defense
byBarry Caplin
 
Tech smart preschool parent 2 13
byBarry Caplin
 
Healing healthcare security
byBarry Caplin
 
CISOs are from Mars, CIOs are from Venus
byBarry Caplin
 
Bullying and Cyberbullying
byBarry Caplin
 
Teens 2.0 - Teens and Social Networks
byBarry Caplin
 
Online Self Defense - Passwords
byBarry Caplin
 
The CISO Guide – How Do You Spell CISO?
byBarry Caplin
 

Recently uploaded

PPTX
Finding Product-Market Fit in the Age of AI
byJeffrey Bussgang
 
PDF
_5 Trusted Strategies to Buy Verified Wise Accounts Safely & Legally.pdf
byBuy Verified Wise Accounts
 
PDF
Top 1 0 Websites to Buy Verified Transfer Remitly Accounts ....pdf
byBusiness
 
PDF
How to Buy Old Gmail Accounts – Verified & Secure.pdf
bymarketing
 
PPTX
Keynote: The Modern CMO: Architect of Growth. Guardian of Credibility.
byArmis Inc
 
PDF
enterprise software is not dead and here is why
bywangbin26
 
DOCX
How Verified Cash App Accounts Work and How to Buy.docx
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
PPTX
PDYN Investor Presentation - January 2026.pptx
byPalladyne AI
 
PDF
Top 5 Trusted Websites to Buy Verified PayPal Accounts Safely in 2026
byUsaservicepoint
 
PDF
How To Buy Verified Cash App Accounts - Secure Your Transactions.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
DOCX
How To Buy LinkedIn Accounts – 100% PVA, Aged & Bulk..docx
byhttps://pvaallit.com/product/buy-old-gmail-accounts/
 
DOCX
_18 Buying USA LinkedIn Accounts Can Boost Your Social.docx
bytimofeyzhuravlev1
 
PDF
17 Guide to Buying Verified Binance Accounts in the US.pdf
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
DOCX
How to Buy Verified OnlyFans Accounts Work in 2026.docx
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
PDF
_Top 7 Mistakes to Avoid When Buying Google Ads Accounts.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
DOCX
Buy Old Gmail Accounts – A Detailed Guide.docx
byPremium Phone Verified Account Providers
 
PPTX
Exterior Front Entry Door Design Trends, 2025–2026
bydoornmore
 
PDF
Kirill Klip GEM Royalty TNR Gold Lithium Presentation
byKirill Klip
 
PPTX
Explore Hubspot’s Customer Agent for B2B
byBoundify
 
PDF
RFI Responses for Govt Contracting Tips.
byiQuasar LLC
 
Finding Product-Market Fit in the Age of AI
byJeffrey Bussgang
 
_5 Trusted Strategies to Buy Verified Wise Accounts Safely & Legally.pdf
byBuy Verified Wise Accounts
 
Top 1 0 Websites to Buy Verified Transfer Remitly Accounts ....pdf
byBusiness
 
How to Buy Old Gmail Accounts – Verified & Secure.pdf
bymarketing
 
Keynote: The Modern CMO: Architect of Growth. Guardian of Credibility.
byArmis Inc
 
enterprise software is not dead and here is why
bywangbin26
 
How Verified Cash App Accounts Work and How to Buy.docx
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
PDYN Investor Presentation - January 2026.pptx
byPalladyne AI
 
Top 5 Trusted Websites to Buy Verified PayPal Accounts Safely in 2026
byUsaservicepoint
 
How To Buy Verified Cash App Accounts - Secure Your Transactions.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
How To Buy LinkedIn Accounts – 100% PVA, Aged & Bulk..docx
byhttps://pvaallit.com/product/buy-old-gmail-accounts/
 
_18 Buying USA LinkedIn Accounts Can Boost Your Social.docx
bytimofeyzhuravlev1
 
17 Guide to Buying Verified Binance Accounts in the US.pdf
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
How to Buy Verified OnlyFans Accounts Work in 2026.docx
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
_Top 7 Mistakes to Avoid When Buying Google Ads Accounts.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
Buy Old Gmail Accounts – A Detailed Guide.docx
byPremium Phone Verified Account Providers
 
Exterior Front Entry Door Design Trends, 2025–2026
bydoornmore
 
Kirill Klip GEM Royalty TNR Gold Lithium Presentation
byKirill Klip
 
Explore Hubspot’s Customer Agent for B2B
byBoundify
 
RFI Responses for Govt Contracting Tips.
byiQuasar LLC
 

Risk Management 101

  • 1.
    Risk Management 101Barry Caplin Chief Information Security Officer MN Department of Human Services MN Government IT Symposium Thurs. Dec. 13, 2007 Session 74
  • 2.
    Agenda In thebeginning… Definitions – Threat, Vulnerability, Risk Types of Risk Risk Management components Frameworks and standards Information Risk Management at DHS
  • 3.
  • 4.
    In The Beginning…There were Humans…
  • 5.
    In The Beginning…And Beasts…
  • 6.
    And the conceptof Risk was born...
  • 7.
    Risk Always beenwith us Viewed as a negative Attempt to reduce
  • 8.
  • 9.
  • 10.
    Threat Defn :Source or warning of probable impending danger (Actor) - wikipedia Direct/Intended – malicious hacker, thief, malware Indirect/Unintended – user, weather Person or Thing Task : Must analyze assets and environment to determine threats
  • 11.
    Vulnerability Defn :the state of being exposed; liable to succumb – dictionary.com Measures – physical, financial, operational Task : Must analyze vulnerability to identified threats
  • 12.
    Impact Defn :to effect, influence or alter – dictionary.com Measures – cost, time delays, damage Task : determine impact of action of threat to which we are vulnerable
  • 13.
    Threat, Vulnerability, Impact=> Risk (probability of event × impact = risk)
  • 14.
    Risk Defn :Exposure to the chance of injury or loss (Event) – dictionary.com Based on action of threat Components: Probability of occurrence Impact of event Task : Identification and Disposition Accept (or Ignore) Mitigate Transfer
  • 15.
    Types of RiskProf. John Adams, University College London UK risk expert Direct – directly perceived – obvious Scientific – determined via science Virtual Risk – everything else!
  • 16.
  • 17.
    Types of RiskPerceived through science
  • 18.
    Types of RiskVirtual Risk What we are all involved in! Project risk/Operational risk Physical/Data security risk Terrorism/Homeland Security Weather
  • 19.
    Virtual Risk VirtualRisk Difficult to “prove” Experts don’t know or do not agree We don’t know what we don’t know
  • 20.
    Risk Management Adiscipline for living with the possibility that future events may cause adverse effects. http://www.sei.cmu.edu/risk/index.html
  • 21.
    Risk Management The iterative framework and processes for: Identifying threats (imagining virtual threats) Assessing Evaluating options Acting.
  • 22.
    Identify Threats ResearchSurvey Brainstorm
  • 23.
    Assess Threat AssessmentVulnerability Assessment Impact Assessment Risk Assessment Qualitative – subjective scoring Quantitative – objective or measured values
  • 24.
    Disposition of RiskAccept (or Ignore) – what is the? Mitigate – what is the cost? Transfer – via contract or insurance – what terms? Cost?
  • 25.
    Economics of RiskManagement Cost of control < Cost of loss Cost of compliance (pain) < Cost of circumvention (gain)
  • 26.
  • 27.
    Evaluate and ActRisk Management Committee or SMT Document decisions Get it done!
  • 28.
    Frameworks for RiskManagement CarnegieMellon (CMU SEI) – software NIST/FISMA – information systems CRESP – Consortium for Risk Evaluation with Stakeholder Participation - nuclear COSO – Committee Of Sponsoring Organizations – info systems COBIT – Control Objectives for IT SOMAP – Security Officers Management & Analysis Project – Open Information Security RM Handbook OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation Commercial - many
  • 29.
    Treasury Board ofCanada Integrated Risk Management Framework – 2001 “ Risk-Smart” Workforce and Environment 4 Elements: Develop Risk Profile Establish organizational function Practice and integrate Ensure continuous learning http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rmf-cgr01-1_e.asp
  • 30.
    Security and RiskManagement Security is a subset of Risk Management RM -> Security Solutions -> Compliance Security/Business balance Act on appropriate risks Consider the “costs”
  • 31.
    At DHS InformationRisk Management at DHS Based on elements of NIST, COBIT and OCTAVE SLM – Security Lifecycle Management Information Policy, Awareness and Compliance Business Continuity Planning
  • 32.
    Resources Information RiskManagement at DHS CMU SEI – www.sei.cmu.edu/risk COBIT – www.isaca.org /cobit COSO – www.coso.org CRESP – www.cresp.org NIST/FISMA – csrc.nist.gov SOMAP – www.somap.org OCTAVE – www.cert.org /octave Prof. John Adams – john- adams.co.uk
  • 33.