Vi Minh Toại - Security Risk Management, tough path to success

•Download as PPTX, PDF•

1 like•1,236 views

This document summarizes a presentation on security risk management. It begins with introducing the presenter and their background. It then discusses some recent security incidents in Vietnam, including attacks on a bank and airline. The presentation defines security risk management and the risk management process. It describes assessing risks using threats, vulnerabilities, and impacts. It also discusses different types of risks, controls, risk assessment methodologies, and risk treatment options. The presentation emphasizes that effective risk management requires senior management support, a suitable framework, communication, and following an ongoing process.

Technology

Security Risk Management, tough
path to success
Presenter: Vi Minh Toai
Date: Sep 10, 2016
Security Bootcamp 2016 - Dong Thap

Who am I?
• 10+ years of working experience in IT industry.
• IT Security Manager of RMIT Vietnam University.
• Certificates: CISSP, CISM, CEH
• Email: minhtoai@gmail.com

Something you should know:
• Silence your phone.
• Raise questions at the end of the present.
• WC.
• Emergency exit.

Agenda
• Several Vietnam Security Incidents in 2016
• Security Risk Management

Several Vietnam Security Incidents in 2016
• May 2016: TPBank
• July 2016: Vietnam Airlines (Jul 29)
• August 2016: Vietcombank (Aug 04, Aug 16, Aug 19)

Security incident – Vietnam Airlines
Vietnam Airlines

Security incident - Vietnam Airlines (cont.)
• Possible Impact:
• Flight safety.
• Reputation lost. (TRUST)
• Over 400,000 accounts of Vietnam Airlines’ members
were leaked.
• Delays of flights: more than 100 flights: 64 from TSN, 30
from Noi Bai.
• Current customer password must be changed.
• Cost.
• Time.

Security Incident - Vietcombank
Vietcombank

Security Incident- Vietcombank (cont.)
• Possible Impact:
• VND200 million ($8,929) had been stolen.
• VCB stock went down (VND 4000 billion were gone).
• Reputation lost. (TRUST)
(Statistics extract from tuoitrenews, vietnamnet website)
Look up the RISKS -> Set up Controls -> Cover Actions -> Reduce the IMPACT

Security Risk Management
Risk is:
“The effect of uncertainty on the ability of an organisation to meet its
objectives.” (ISO 31000:2009)
Risk Management is:
the process of identifying and assessing the risk, reducing it to an
acceptable level, and ensuring it remains at that level.

Security Risk Management (cont.)
Risk = Threats x Vulnerabilities x

The relationships among the different
security concepts

Important of Security Risk Management
a. Better oversight of organizational assets.
b. Minimized loss.
c. Identification of threats, vulnerabilities and risk.
d. Prioritization of risk response efforts.
e. Legal and regulatory compliance.
f. Increased likelihood of project success.
g. Better incident and business continuity management.

Several types of information security risk
a. Physical damage
b. Human interaction
c. Equipment malfunction
d. Inside and outside attacks
e. Misuse of data
f. Loss of data
g. Application error

Risk Type
“Above the line”
“Below the line”

Security Risk Management (cont.) - Controls
Control types:
a.Administrative
b.Technical
c.Physical

Security Risk Management (cont.) - Controls
Controls Functionalities:
a.Preventive
b.Detective
c.Corrective
d.Deterrent
e.Recovery
f. Compensating

Methodologies for Risk Assessment
a.Quantitative Risk Assessment
b.Qualitative Risk Assessment
c.Semi-quantitative Risk Assessment
Reference:
a.NIST SP800-30
b.FRAP (Facilitated Risk Analysis Process)
c.OCTAVE (Operationally Critical Threat, Asset, and
Vulnerability Evaluation)
d.ISO/IEC 31010

Risk Treatment
a.Avoid the risk
b.Reduce the risk
c.Transfer the risk
d.Accept the risk

What is an effective risk management?
a.Senior management support.
b.Suitable Risk Management Framework.
c.Effective Risk Management Process.
d.Communication.

References
 CISSP All-in-One Exam Guide 7th Edition, Shon Harris –
Fernando Maymi
 ISACA CRISC Review Manual 2015
 ISACA CISM Review Manual 2015
 NIST SP800-30
 Google Search

Questions and Answers
THANK YOU!!!
HAVE A NICE WEEKEND

Jane Alexander,CIO,Cleveland Museum of Art Brian Dawson, CDO, Canada Science and Technology Museums Corporation Yvel Guelce, Director of Infrastructure Technology Children's Museum of Indianapolis IT staff are often seen as the "Bad Guys," naysayers to anything new and exciting, in the quest to protect the organization from security breaches. In this session, four museum IT leaders will show how common struggles in security can be turned around to develop positive partnerships with other departments for pro-active risk management. Ranging from simple to complex, the issues each museum faces transcends cost and institution size. The presenters work at wildly diverse organizations but face surprisingly similar issues. Among the topics they will address are how federal policy requirements and PCI compliance affect their organizations, finding budget-conscious ways to meet the rules, encouraging safe practices by end users, using IT risk management to assist senior staff in making informed decisions, and educating employees at all levels. Attention will be given to the everyday struggles common to all IT professionals--for example, changing passwords, Bring Your Own Device, and securely managing information in the cloud. The discussion will then open up to a roundtable format for sharing of successes and frustrations, questions, and comments.

Top 10 mobile security risks - Khổng Văn Cường

Security Bootcamp

Werner Schierschmidt

NOSA (Pty) Ltd

Human Factors in a Safety Management System – Breaking the Chain A safety management system (SMS) goes beyond the health and safety concerns usually associated with the mining or building and construction disciplines. Ever thought about the aerospace and defence industries? This presentation includes understanding the human factors and cultural growth that need to occur within any industry wanting to implement a successful SMS.

Human Factors in a Safety Management System - Breaking the Chain

SAMTRAC International

Operational RiskITM Institute, Mumbai (Sion Br.)

Viewers also liked

Tấn công và khai thác mạng máy tính theo mô hình thường trực cao cấp APT - Lê...

Security Bootcamp

Audit policy giám sát hệ thống

laonap166

Eventlog

Shashi Kanth

Mcafee dyntekliquidnetzero

Kiến trúc Bảo mật Toàn diện

Sunmedia Corporation

Đặng Hải Sơn - Báo cáo tình hình An toàn thông tin trong các cơ quan nhà nước

Security Bootcamp

Understanding the Event Log

chuckbt

Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec

Security Bootcamp

Security Bootcamp 2013 penetration testing (basic)Security Bootcamp

Information Security Risk Quantification

Joel Baese

Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải LongSecurity Bootcamp

Enterprise API Security & Data Loss Prevention - IntelIntel - API Security & Tokenization

Cybersecurity Framework - What are Pundits Saying?

Jim Meyer

Chu nhat 02 luu thanh tra e-prior e-trustSecurity Bootcamp

Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm

Security Bootcamp

Xây dựng cộng đồng - Lê Trung Nghĩa - Bộ KHCN

Security Bootcamp

Thu 6 03 bootcamp 2014 - xxe injection - nguyen tang hungSecurity Bootcamp

#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...

Jane Alexander

Top 10 mobile security risks - Khổng Văn Cường

Security Bootcamp

Viewers also liked (19)

Tấn công và khai thác mạng máy tính theo mô hình thường trực cao cấp APT - Lê...

Audit policy giám sát hệ thống

Eventlog

Mcafee dyntek

Kiến trúc Bảo mật Toàn diện

Đặng Hải Sơn - Báo cáo tình hình An toàn thông tin trong các cơ quan nhà nước

Understanding the Event Log

Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec

Security Bootcamp 2013 penetration testing (basic)

Information Security Risk Quantification

Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long

Enterprise API Security & Data Loss Prevention - Intel

Cybersecurity Framework - What are Pundits Saying?

Chu nhat 02 luu thanh tra e-prior e-trust

Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm

Xây dựng cộng đồng - Lê Trung Nghĩa - Bộ KHCN

Thu 6 03 bootcamp 2014 - xxe injection - nguyen tang hung

#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...

Top 10 mobile security risks - Khổng Văn Cường

Similar to Vi Minh Toại - Security Risk Management, tough path to success

Werner Schierschmidt

NOSA (Pty) Ltd

Human Factors in a Safety Management System - Breaking the Chain

SAMTRAC International

Operational RiskITM Institute, Mumbai (Sion Br.)

Hse, Risk Assessment

Tara Smith

Regional Cyber Security Summit 2016 May 11th-13th Weston Hotel Nairobi Kenya

Martin M

Corruption and Fraud Risk Management using ISO 31000

PECB

This webinar will ensure that participants develop the competence to master a model for implementing corruption and fraud risk management processes throughout their organization using the ISO 31000:2009 standard as a reference framework. Based on practical exercises, participants acquire the necessary knowledge and skills to perform an optimal corruption and fraud risk assessment and manage risks in time by being familiar with their life cycle. This webinar will include the ISO 31000 general risk management standard, the process model it recommends, and how companies may use the standard for corruption and fraud risk management. Learning objectives: • To understand the concepts, approaches, methods and techniques allowing an effective corruption and fraud risk management according to ISO 31000 • To acquire the competence to implement, maintain and manage an ongoing corruption and fraud risk management using ISO 31000 • To acquire the competence to effectively advise organizations on the best practices in corruption and fraud risk management Presenter: This webinar is presented by Valentyn Sysoev, who leads the consulting and audit projects as well as projects related to IS audit and IS assurance, crisis and business continuity management, international standards implementation - specifically, ISO31000 Risk Management, ISO 21500 Project Management, ISO 38500 Corporate Governance of IT, ITIL 3 and Cobit 5, at Active Audit Agency. Valentyn has over more than 8 year experience on information security areas as a consultant, auditor and advisor. Valentyn provides services for financial, insurance, industrial, energy and others customers as an expert on information security.

INFORMATION SECURITY MANAGEMENT

Will the next systemic crisis be cyber?

Arrow Institute

Presentation For R Ae S Dubai 20120110 Ver 2

NicklasD

Emerging Trends in Information Privacy and Security

Jessica Santamaria

Malware infiltration, spear phishing, data breaches...these are all terrifying words with even more frightening implications. These threats are hitting the technology world fast and hard and can no longer be ignored. The first step to defending yourself against a cyber attack is being proactive in settling the SCORE. Know your risks before it’s too late. Ask us about our SCORE report - a high level IT risk assessment, designed to help you focus on your company's potential IT exposures: http://www.lgcd.com/contact/

Emerging Trends in Information Privacy and Security

Jessica Santamaria

Ekran System - Employee Activity Monitoring Tool

cloudlabs

Business cases for software security

Marco Morana

Session 01 _Risk Assessment Program for YSP_Introduction, Definitions and Sta...

Muizz Anibire

Certified Information Security Manager (CISM) - PPT.pdf

Multisoft Virtual Acedamy

Boost your career with Multisoft Virtual Academy's Certified Information Security Manager (CISM) Online Training. Acquire the skills and knowledge needed to excel in information security management. Our expert instructors will guide you through risk management, governance, and compliance, preparing you to earn the prestigious CISM certification. Elevate your career and become a leader in information security. Enroll today for a secure future.

Assessing and Measuring Security in Custom SAP Applications

sebastianschinzel

Cybersecurity - Dominic Nessi, Former CIO, Los Angeles World Airports

SITA

In the digital age of air transport – with its ever-more connected industry operations, passengers and aircraft – air transport faces a constant threat of cyber attacks, both on the critical infrastructure that keeps the wheels of air travel in motion, and on passenger data. The spotlight on threat intelligence, identity protection, data privacy and security in air transport has never been more intense. As we navigate deepening ‘lakes’ of data to become smarter at every step, how do we protect our operations and passengers, ensuring the utmost security and resilience across the air transport community?

Cybersecurity-Course.9643104.powerpoint.pptx

AfsanaMumal2

Three Lines of Defense (3LODs) for Startup

Adlina Hajidah Anwar

Top 10 Security Challenges

Jorge Sebastiao

Similar to Vi Minh Toại - Security Risk Management, tough path to success (20)

Werner Schierschmidt

Human Factors in a Safety Management System - Breaking the Chain

Operational Risk

Hse, Risk Assessment

Regional Cyber Security Summit 2016 May 11th-13th Weston Hotel Nairobi Kenya

Corruption and Fraud Risk Management using ISO 31000

INFORMATION SECURITY MANAGEMENT

Will the next systemic crisis be cyber?

Presentation For R Ae S Dubai 20120110 Ver 2

Emerging Trends in Information Privacy and Security

Ekran System - Employee Activity Monitoring Tool

Business cases for software security

Session 01 _Risk Assessment Program for YSP_Introduction, Definitions and Sta...

Certified Information Security Manager (CISM) - PPT.pdf

Assessing and Measuring Security in Custom SAP Applications

Cybersecurity - Dominic Nessi, Former CIO, Los Angeles World Airports

Cybersecurity-Course.9643104.powerpoint.pptx

Three Lines of Defense (3LODs) for Startup

Top 10 Security Challenges

Recently uploaded

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

RESUME BUILDER APPLICATION Project for students

KAMESHS29

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team

Introduction to CHERI technology - Cybersecurity

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

How to Get CNIC Information System with Paksim Ga.pptx

Artificial Intelligence for XMLDevelopment

RESUME BUILDER APPLICATION Project for students

GridMate - End to end testing is a critical piece to ensure quality and avoid...

Epistemic Interaction - tuning interfaces to provide information for AI support

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

The Art of the Pitch: WordPress Relationships and Sales

UiPath Test Automation using UiPath Test Suite series, part 5

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Large Language Model (LLM) and it’s Geospatial Applications

Video Streaming: Then, Now, and in the Future

Pushing the limits of ePRTC: 100ns holdover for 100 days

UiPath Test Automation using UiPath Test Suite series, part 6

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

Vi Minh Toại - Security Risk Management, tough path to success

1. Security Risk Management, tough path to success Presenter: Vi Minh Toai Date: Sep 10, 2016 Security Bootcamp 2016 - Dong Thap

2. Xin cảm ơn các nhà tài trợ

3. Who am I? • 10+ years of working experience in IT industry. • IT Security Manager of RMIT Vietnam University. • Certificates: CISSP, CISM, CEH • Email: minhtoai@gmail.com

4. Something you should know: • Silence your phone. • Raise questions at the end of the present. • WC. • Emergency exit.

5. Agenda • Several Vietnam Security Incidents in 2016 • Security Risk Management

6. Several Vietnam Security Incidents in 2016 • May 2016: TPBank • July 2016: Vietnam Airlines (Jul 29) • August 2016: Vietcombank (Aug 04, Aug 16, Aug 19)

7. Security incident – Vietnam Airlines Vietnam Airlines

8. Security incident - Vietnam Airlines (cont.) • Possible Impact: • Flight safety. • Reputation lost. (TRUST) • Over 400,000 accounts of Vietnam Airlines’ members were leaked. • Delays of flights: more than 100 flights: 64 from TSN, 30 from Noi Bai. • Current customer password must be changed. • Cost. • Time.

9. Security Incident - Vietcombank Vietcombank

10. Security Incident- Vietcombank (cont.) • Possible Impact: • VND200 million ($8,929) had been stolen. • VCB stock went down (VND 4000 billion were gone). • Reputation lost. (TRUST) (Statistics extract from tuoitrenews, vietnamnet website) Look up the RISKS -> Set up Controls -> Cover Actions -> Reduce the IMPACT

11. Security Risk Management Risk is: “The effect of uncertainty on the ability of an organisation to meet its objectives.” (ISO 31000:2009) Risk Management is: the process of identifying and assessing the risk, reducing it to an acceptable level, and ensuring it remains at that level.

12. Security Risk Management (cont.) Risk = Threats x Vulnerabilities x

13. 3 components of CIA Triad

14. The relationships among the different security concepts

15. Important of Security Risk Management a. Better oversight of organizational assets. b. Minimized loss. c. Identification of threats, vulnerabilities and risk. d. Prioritization of risk response efforts. e. Legal and regulatory compliance. f. Increased likelihood of project success. g. Better incident and business continuity management.

16. Several types of information security risk a. Physical damage b. Human interaction c. Equipment malfunction d. Inside and outside attacks e. Misuse of data f. Loss of data g. Application error

17. Risk Type “Above the line” “Below the line”

18. Risk level matrix

19. Security Risk Management (cont.) - Controls Control types: a.Administrative b.Technical c.Physical

20. Security Risk Management (cont.) - Controls Controls Functionalities: a.Preventive b.Detective c.Corrective d.Deterrent e.Recovery f. Compensating

21. Risk Management Process

22. Methodologies for Risk Assessment a.Quantitative Risk Assessment b.Qualitative Risk Assessment c.Semi-quantitative Risk Assessment Reference: a.NIST SP800-30 b.FRAP (Facilitated Risk Analysis Process) c.OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) d.ISO/IEC 31010

23. Risk Treatment a.Avoid the risk b.Reduce the risk c.Transfer the risk d.Accept the risk

24. What is an effective risk management? a.Senior management support. b.Suitable Risk Management Framework. c.Effective Risk Management Process. d.Communication.

25. References  CISSP All-in-One Exam Guide 7th Edition, Shon Harris – Fernando Maymi  ISACA CRISC Review Manual 2015  ISACA CISM Review Manual 2015  NIST SP800-30  Google Search

26. Questions and Answers THANK YOU!!! HAVE A NICE WEEKEND

Vi Minh Toại - Security Risk Management, tough path to success

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (19)

Similar to Vi Minh Toại - Security Risk Management, tough path to success

Similar to Vi Minh Toại - Security Risk Management, tough path to success (20)

More from Security Bootcamp

More from Security Bootcamp (20)

Recently uploaded

Recently uploaded (20)

Vi Minh Toại - Security Risk Management, tough path to success