Information Security Risk Management
Risk Management
CYBER
Definition of Cyber:
Stephen Shippey
• IT since 1986.
• Information Security & Risk Manager since 1998 at a number of Global Financial Services Organisations including GE Global Consumer Finance, HBOS, Lloyds Banking Group.
• Joined HP as an Information Security Risk Consultant in 2013.
Disclaimer
The views expressed in this presentation are my own and do not necessarily represent
those of my employer.
Agenda
What is Risk Management?
The identification of Risks and their management by defining:
• The Risk Description
• The Risk Owner
• The Probability of the Risk Event occurring
• The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
• The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring, weighed against their costs and the reduction of Risk Exposure they achieve
• The Contingency Plan to recover the Asset once the risk has manifested
• An understanding of Corporate Risk Appetite and, where appropriate, the application of Risk Tolerance
Risk Definitions
Risk Definition: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation.
A risk must have Uncertainty (in terms of Probability or Likelihood): it might happen.
A risk must have a measurable Impact (usually measured in monetary terms, but other criteria are acceptable, reputation for example).
“It May Rain Tomorrow”
Issue Definition: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation.
E.g. an Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure.
“It is Raining Today”
Objectives of Generic Risk Management
To ensure that all risks to the Business, however they are derived, are managed effectively.
This includes:
• Strategic Risks
• Programme and Project Risks
• Operational Risks (includes Security and Business Continuity Risks)
Each level has its own register:
• Strategic Level: Strategic Risk Register (Strategic Risks)
• Change Level: Project Risk Register (Programme/Project Risks)
• Operational Level (Business as Usual): Operational Risk Register and Information Security Risk Register
Objectives of Information Security Risk Management
To ensure that the risks to the Organisation that are derived from Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
• Confidentiality,
• Integrity,
• Availability, and the
• Traceability of Information whilst:
  • At rest
  • Being modified
  • In transit (around a system, e-mail, media device, telephone etc.)
Information Security Risk Management
• Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification)
• Unachievable, ineffective and disproportionate Mitigation Actions
• Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement
• Reactive vs Proactive Approach
• Reliance on Incidents, Threat and Non-Compliance Management (Reactive)
• Proactive Risk Identification Workshop based on Success Criteria

• Risks occur that could have been managed
• Impact on Assets not understood (BIA, CMDB)
• Mitigation Action Costs do not reflect the Risk Exposure Reduction
• Systems fail, business and revenue lost
• Corporate data is unavailable when required – Loss of Business
• Regulator penalties, reputational damage occurs
• Loss of Customer base and confidence
• Loss of IPR.
Mitigation Plans and Contingency Plans
• Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence - (Reduce Probability)
  • This is why it is so important to describe the risk event clearly.
• Contingency Plans address the Impact of the Risk and are used to recover a system from the effect of a risk should it occur, a mini BCP - (Reduce Impact)
  • This is why it is so important to clearly describe the risk impact separately from the risk description.
Sources of Cyber Security Risks (flip to risks)
Taken from some recent ISACA slides, these can be re-worded as risks
Common Cybercriminal Attack Vectors (flip to risks)
• Application vulnerabilities
• Remote access
• Ineffective patch management
• Weak network security/flat networks
• Lack of real-time security monitoring
• Third parties
• Lack of a data retention policy
SOURCE: HANS HENRIK BERTHING - Cyber Assurance and the IT Auditor Nov 2014
Where to start
Select appropriate controls / use security standards
• ISO27000
• PCI DSS
• CObIT
• BITS SIG
Encourage Risk Reporting
Manage the Risks
1. Record in a Risk Register
2. Describe the RISK
3. Assess the Likelihood, Impact, and risk rating
4. Agree recommended Risk Mitigation / Treatment
5. Establish a contingency position if possible
6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7. Agree a Mitigation Owner
8. Obtain a decision (Reduce, Accept, Avoid, Transfer)
9. Monitor mitigation progress until target risk is achieved – retain awareness of closed or mitigated risks
10. Produce monthly status reports
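The register the ten steps above describe, worked through in code. This is an added example and not part of the presentation; it also covers the Risk vs Issue test from the definitions slide (a certain event is an issue, not a risk) and the Mitigation (reduce probability) vs Contingency (reduce impact) distinction. It assumes things the slides do not state: likelihood is an annual probability, impact is a monetary loss, exposure is probability × impact, and the Low/Medium/High/Critical rating comes from a constructed 5x5 matrix with made-up thresholds. The sample risks, owners and figures are hypothetical.

```python
# Toy information security risk register (added example, not from the deck).
# Assumed, not stated on the slides: likelihood is an annual probability in (0, 1),
# impact is a monetary loss, exposure = probability x impact, rating is a 5x5 matrix.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Mitigation:             # a control: reduces the probability, not the impact
    description: str
    owner: str                # mitigation owner, distinct from the risk owner
    cost: float
    probability_after: float  # residual probability with the control in place


@dataclass
class Contingency:            # recovery plan (mini BCP): reduces the impact
    description: str
    impact_after: float       # residual impact once the plan has been executed


@dataclass
class Risk:
    risk_id: str
    description: str          # the future event ("it may rain tomorrow")
    impact_description: str   # kept separate from the event description
    owner: str                # business stakeholder accountable for the risk
    probability: float        # annual likelihood, 0 < p < 1
    impact: float             # monetary loss if the event occurs
    mitigation: Optional[Mitigation] = None
    contingency: Optional[Contingency] = None

    def __post_init__(self) -> None:
        # A risk needs uncertainty and a measurable impact; p == 1 is an issue.
        if not 0.0 < self.probability < 1.0:
            raise ValueError(f"{self.risk_id}: no uncertainty, record it as an issue")
        if self.impact <= 0:
            raise ValueError(f"{self.risk_id}: impact must be measurable and positive")

    def inherent_exposure(self) -> float:
        return self.probability * self.impact

    def residual_exposure(self) -> float:
        p = self.mitigation.probability_after if self.mitigation else self.probability
        i = self.contingency.impact_after if self.contingency else self.impact
        return p * i


# Constructed scales: four ascending thresholds give bands 1..5.
LIKELIHOOD_THRESHOLDS = (0.05, 0.15, 0.35, 0.65)
IMPACT_THRESHOLDS = (10_000, 100_000, 1_000_000, 10_000_000)


def band(value: float, thresholds) -> int:
    return 1 + sum(value >= t for t in thresholds)


def rating(probability: float, impact: float) -> str:
    """Qualitative rating from the product of likelihood and impact bands (1..25)."""
    score = band(probability, LIKELIHOOD_THRESHOLDS) * band(impact, IMPACT_THRESHOLDS)
    return "Critical" if score >= 15 else "High" if score >= 8 else "Medium" if score >= 4 else "Low"


def recommend(risk: Risk, appetite: float) -> Optional[str]:
    """Constructed treatment rule; appetite is the residual exposure the business
    will carry. None means the owner must choose between Avoid and Transfer."""
    if risk.inherent_exposure() <= appetite:
        return "Accept"
    reduction = risk.inherent_exposure() - risk.residual_exposure()
    # Reduce only if the control is proportionate: it costs less than the exposure
    # it removes, and the residual exposure lands within appetite.
    m = risk.mitigation
    if m and m.cost < reduction and risk.residual_exposure() <= appetite:
        return "Reduce"
    return None


def status_report(register: List[Risk], appetite: float) -> List[str]:
    """One line per risk for the monthly status report."""
    return [f"{r.risk_id} [{rating(r.probability, r.impact)}] owner={r.owner}; "
            f"exposure {r.inherent_exposure():,.0f} -> {r.residual_exposure():,.0f}; "
            f"decision={recommend(r, appetite) or 'owner to Avoid or Transfer'}"
            for r in register]


# Constructed sample entries: hypothetical risks, owners and figures.
UNPATCHED_SERVER = Risk(
    "R-001", "An internet-facing server misses the patch SLA and is compromised",
    "Customer data exposure: regulator penalty and remediation cost",
    "Head of Online Services", 0.30, 2_000_000.0,
    mitigation=Mitigation("Enforce patch SLA with automated compliance reporting",
                          "Infrastructure Manager", 120_000.0, 0.05),
    contingency=Contingency("Breach runbook: isolate, restore, notify regulator",
                            800_000.0))
SUPPLIER_OUTAGE = Risk(
    "R-002", "Payroll supplier is unavailable on pay day",
    "Manual payroll run and staff goodwill", "HR Director", 0.10, 20_000.0)
```

Calling status_report([UNPATCHED_SERVER, SUPPLIER_OUTAGE], appetite=50_000.0) gives one line per risk with its rating, owner, inherent and residual exposure and the recommended decision. The proportionality check in recommend (control cost below the exposure it removes) is the guard against the "Mitigation Action Costs do not reflect the Risk Exposure Reduction" pitfall, and the constructor refusing a probability of 1 keeps issues ("it is raining today") out of the risk register.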
Any Questions?
Ersoy.Aksoy@G31000.ae