
Information Security

Risk Management

1
CYBER

Definition of Cyber:
Relating to, or characteristic of, the culture of computers, information technology and virtual reality.

2
Stephen Shippey
• IT since 1986.
• Information Security & Risk Manager since 1998 at a number of Global Financial Services Organisations including GE Global Consumer Finance, HBOS and Lloyds Banking Group.
• Joined HP as an Information Security Risk Consultant in 2013.

Disclaimer
The views expressed in this presentation are my own and do not necessarily represent
those of my employer.

3
Risk Management
Agenda
What is Risk Management – Slide 5
Objectives of Infosec Risk Management vs Generic Risk Management – Slide 7
Problems with Risk Management – Slide 11
Mitigation Plans vs Contingency Plans – Slide 12
Identifying Risks – Slide 13
Risk Submissions – Slide 16
Managing Risk – Slide 17
Any questions – Slide 18

4
What is Risk Management?
The identification of Risks and their management by defining:
• The Risk Description
• The Risk Owner
• The Probability of the Risk Event occurring
• The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
• The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring, in relation to their costs and the reduction of Risk Exposure
• The Contingency Plan to recover the Asset once the risk has manifested
• An understanding of Corporate Risk Appetite and, where appropriate, the application of Risk Tolerance

5
Risk Definitions
Risk Definition: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation.
A risk must have Uncertainty (in terms of Probability or Likelihood). It might happen.
A risk must have a measurable Impact (usually measured in monetary terms, but other criteria are acceptable, reputation for example).
“It May Rain Tomorrow”

Issue Definition: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation.
E.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure.
“It is Raining Today”

6
Objectives of Generic Risk Management
To ensure that all risks to the Business, however they are derived, are managed effectively.

This includes:
• Strategic Risks
• Programme and Project Risks
• Operational Risks (includes Security and Business Continuity Risks)

[Diagram: risk registers by level]
• Strategic Level – Strategic Risks – Strategic Risk Register
• Change Level – Programme/Project Risks – Project Risk Register
• Operational Level (Business as Usual) – Operational Risks BAU, Business continuity – Operational Risk Register, Information Security Risk Register
7
Objectives of Information Security Risk
Management
To ensure that the risks to the Organisation that are derived from,
Incidents, Threats, Vulnerabilities and Audit non-compliances are
managed effectively.
In Security Terms these are those risks that impact the:
• Confidentiality,
• Integrity,
• Availability, and the
• Traceability of Information whilst:
• At rest
• Whilst being modified
• In transit (around a system, e-mail, media device, telephone etc.)
Information Security Risk Management
Risks within service provider environments

• A risk may have the same Risk Description but two separate impacts dependent on the Owner
• e.g. Risk: patching may fail to complete in a timely manner
1. Impact on IT Service Provider: Potential Commercial Penalties, Damage to Reputation
2. Impact on Client: Loss of Systems, loss of information, loss of revenue etc. etc.
What is NOT Risk Management!
• Incident Management
• Audit Non-Compliances
• Problem Management
• Threat Management
• Vulnerability Management
• Exception / Waiver Management

These are Issues, no uncertainty!

However, they can be the Source of Infosec Risks
Problems with Risk Management
Common Problems (Misunderstandings)?
• Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification)
• Unachievable, ineffective and disproportionate Mitigation Actions
• Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement
• Reactive vs Proactive Approach
• Reliance on Incidents, Threat and Non-Compliance Management (Reactive)
• Proactive Risk Identification Workshop based on Success Criteria

So What!
• Risks occur that could have been managed
• Impact on Assets not understood (BIA, CMDB)
• Mitigation Action Costs do not reflect the Risk Exposure Reduction
• Systems fail, business and revenue lost
• Corporate data is unavailable when required – Loss of Business
• Regulator penalties, reputational damage occurs
• Loss of Customer base and confidence
• Loss of IPR.

11
Mitigation Plans and Contingency Plans
• Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence (Reduce Probability)
• This is why it is so important to describe the risk event clearly.

• Contingency Plans address the Impact of the Risk and are used to recover a system from the effect of a risk should it occur, a mini BCP (Reduce Impact)
• This is why it is so important to describe the risk impact clearly and separately from the risk description
Sources of Cyber Security Risks (flip to risks)

Taken from some recent ISACA slides, these can be re-worded as risks

• Proliferation of BYOD and smart devices
• Cloud computing
• Outsourcing of critical business processes to a third party (and lack of controls around third-party services)
• Disaster recovery and business continuity
• Periodic access reviews
• Log reviews

Source: Cybersecurity - what the Board of Directors need to ask, IIARF Research Report, 2014

13
Common Cybercriminal Attack Vectors (flip to risks)

• Application vulnerabilities
• Remote access
• Ineffective patch management
• Weak network security/flat networks
• Lack of real-time security monitoring
• Third parties
• Lack of a data retention policy

SOURCE: HANS HENRIK BERTHING - Cyber Assurance and the IT Auditor, Nov 2014

14
Where to start
Select appropriate controls / use security standards

• ISO 27000
• PCI DSS
• COBIT
• BITS SIG

• Identify what is important to the business

15
Encourage Risk Reporting

1. Create risk reporting awareness for the workforce

2. Make it easy, create a simple Risk Submission form

3. Assess the risk submission, ask questions

4. Ensure it is a risk, not an issue, a service request, a change request ☺

16
Manage the Risks
1. Record in a Risk Register
2. Describe the RISK
3. Assess the Likelihood, Impact, and risk rating
4. Agree recommended Risk Mitigation / Treatment
5. Establish a contingency position if possible
6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7. Agree a Mitigation Owner
8. Obtain a decision (Reduce, Accept, Avoid, Transfer)
9. Monitor mitigation progress until target risk is achieved – retain awareness of
closed or mitigated risks
10. Produce monthly status reports
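The steps above as a tiny risk register, added here as an illustration and not code from the presentation: the 1–5 likelihood/impact scales, the rating-based appetite threshold, and the loss and cost figures for the slide's patching risk are all assumed.

```python
# Added illustration of the "Manage the Risks" steps as a tiny risk register;
# example code, not from the presentation. Scales, appetite and figures are assumed.
from dataclasses import dataclass

@dataclass
class Risk:
    description: str          # the risk EVENT, kept separate from its impact
    impact_description: str   # what is lost if the event occurs
    risk_owner: str           # usually a business stakeholder
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    expected_loss: float      # monetary loss if the event occurs
    probability: float        # estimated annual probability of the event
    mitigation_cost: float = 0.0
    residual_probability: float = 1.0   # probability once mitigation is in place
    transferable: bool = False          # can be insured or contracted away

def classify(probability: float) -> str:
    """A risk needs uncertainty: p == 1 is an issue ('it is raining today')."""
    if probability >= 1.0:
        return "issue"
    return "risk" if probability > 0.0 else "not a risk"

def rating(r: Risk) -> int:
    return r.likelihood * r.impact    # 1..25 on the assumed scales

def exposure_reduction(r: Risk) -> float:
    """Fall in expected annual loss that the mitigation delivers."""
    return (r.probability - r.residual_probability) * r.expected_loss

def mitigation_is_proportionate(r: Risk) -> bool:
    """Mitigation cost should not exceed the exposure it removes."""
    return r.mitigation_cost <= exposure_reduction(r)

def decision(r: Risk, appetite: int) -> str:
    """Reduce / Accept / Avoid / Transfer against a rating-based risk appetite."""
    if rating(r) <= appetite:
        return "Accept"
    if mitigation_is_proportionate(r):
        return "Reduce"
    return "Transfer" if r.transferable else "Avoid"

# Constructed entry for the slide's patching risk, seen from the client side.
PATCHING = Risk("Patching may fail to complete in a timely manner",
                "Loss of systems, information and revenue", "Client Service Owner",
                likelihood=4, impact=4, expected_loss=500_000.0, probability=0.4,
                mitigation_cost=60_000.0, residual_probability=0.1)
```

With an appetite of 6 the patching entry rates 16 and its mitigation removes more exposure than it costs, so the recommended decision is Reduce; raising the appetite above the rating turns it into Accept.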

17
Any Questions?
Ersoy.Aksoy@G31000.ae

18