IT RISK MANAGEMENT
Information Security Audit & Assurance
(MISS-1206)
Date: 03.10.2024
Submitted by:
Mohammad Kamrul Alam (ID: 24549110011)
Maruf Hossain (ID: 24549110030)
Joy Nandi (ID: 24549110043)
Nahid Hasan Noyon (ID: 24549110012)
Jamil Ahsan (ID: 2254911004)
Introduction
IT risk management is essential for organizations to ensure the safety,
reliability, and compliance of their IT systems. It focuses on identifying
potential risks that could affect the organization's data, operations, and
infrastructure, and then developing mitigation strategies.
Overview of IT Risk Management Process
Types of IT Risks
▪ Cybersecurity Risks
Data Breaches, Ransomware, Phishing, APTs
▪ Operational Risks
System Failures, Software Bugs, Human Errors
▪ Compliance and Legal Risks
GDPR Violations, PCI DSS Non-Compliance
▪ Strategic Risks
Poor IT investment decisions
▪ Third-party Risks
Vendor Data Breaches, Service Disruptions
▪ Natural and Environmental Risks
Data Center Outages, Power Failures
IT Risk Assessment Techniques
• Qualitative Risk Assessment
Risk Matrix, Interviews, Workshops
• Quantitative Risk Assessment
Annualized Loss Expectancy (ALE), Return on Security Investment (ROSI)
• Threat Modeling
STRIDE model
• Risk Scenarios and Simulations
• Risk Heat Maps
• Business Impact Analysis (BIA)
IT Risk Mitigation Strategies
▪ Risk Avoidance
This involves eliminating risky activities or assets altogether.
▪ Risk Reduction
Network Security Controls, Regular Patching, Data Encryption.
▪ Risk Transfer
Organizations can transfer the risk to a third party, such as through insurance or outsourcing.
▪ Risk Acceptance
Some risks, particularly those with a low likelihood or impact, can be accepted. The cost of
mitigation might not be justified compared to the potential loss.
▪ Risk Sharing
Risk can be shared with a partner, such as by entering a joint venture or
forming strategic alliances.
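The quantitative assessment items above (ALE, ROSI) and the Risk Acceptance rationale ("the cost of mitigation might not be justified compared to the potential loss") can be worked through in code. The following is an added example, not part of the original slides; the ransomware scenario, the control cost, the risk appetite and the 5x5 matrix bands are constructed values used only to illustrate the calculations.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One risk scenario with the inputs a quantitative assessment needs."""
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

def sle(risk: Risk) -> float:
    """Single Loss Expectancy: loss from one occurrence."""
    return risk.asset_value * risk.exposure_factor

def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(risk) * risk.aro

def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on Security Investment: (risk reduction - control cost) / control cost."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

def treatment(ale_before: float, ale_after: float, annual_control_cost: float,
              risk_appetite: float) -> str:
    """Pick a treatment option from the slides' list using ALE and ROSI.
    The decision rule and thresholds are an assumption for this example."""
    if ale_before <= risk_appetite:
        return "accept"          # expected loss within appetite; mitigation not justified
    if rosi(ale_before, ale_after, annual_control_cost) > 0:
        return "reduce"          # the control pays for itself
    return "transfer/avoid"      # control too costly: insure, outsource or drop the activity

def qualitative_rating(likelihood: int, impact: int) -> str:
    """Rating for a 5x5 risk matrix cell (1..5 each). Band thresholds are an assumption."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

# Constructed scenario: ransomware on a file server, before and after adding
# offline backups and regular patching (constructed figures, not real data).
BEFORE = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.2)
AFTER = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.1, aro=0.1)
CONTROL_COST = 20_000  # yearly cost of the backup and patching programme (constructed)

if __name__ == "__main__":
    print(f"ALE before: {ale(BEFORE):,.0f}  ALE after: {ale(AFTER):,.0f}  "
          f"ROSI: {rosi(ale(BEFORE), ale(AFTER), CONTROL_COST):.2f}")
    print("treatment:", treatment(ale(BEFORE), ale(AFTER), CONTROL_COST, risk_appetite=10_000))
```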
IT Risk Governance and Frameworks
▪ IT Risk Governance
Define risk policies, assign roles (e.g., Chief Information Security Officer, Risk
Committees), and ensure accountability
▪ IT Risk Frameworks
ISO/IEC 27005
NIST Risk Management Framework
COBIT (Control Objectives for Information and Related Technology)
ISO/IEC 31000
▪ Continuous Monitoring
Case Study 1: Target Data Breach (2013)
Background
Breach of 40 million payment card details
Risk Factors
Third-Party Risk, Insufficient Network Segmentation
Impact
Financial Losses, Reputation Damage
Lessons Learned
Stronger controls for third-party access, Network segmentation
Case Study 2: Equifax Data Breach (2017)
Background
Exposure of data for 140 million individuals
Key Failures
Failure to Apply Security Patches, Insufficient Encryption
Impact
Long notification delays
Key Takeaways
Importance of Patch Management, Encryption, Incident Response
Emerging Trends in IT Risk Management
▪ Cloud Security
Unique risks and strategies
▪ AI and Automation Risks
New risks like data poisoning
▪ Zero Trust Security
Principle of "never trust, always verify"
Conclusion
IT risk management is an essential function that requires a balanced
approach combining prevention, detection, and response. By understanding
the nature of risks, using appropriate assessment techniques, and
implementing effective mitigation strategies, organizations can protect
themselves from a wide range of IT-related threats. Continuous monitoring
and improvement are necessary as technology and cyber threats evolve
rapidly.
Thank You