
Part 2: Cyber Security Management

Competency Guide - Risk Management


Enable End-to-End Citizen Experience of CYBER Security and Data PRIVACY
Notification and Disclaimer
Personal Data Privacy:
The name and email addresses collected, retained, and used in the
seminar are to recognize the participants and to send learning materials
and training information. The participant during the online live seminar
may opt to close his or her camera and simply use the microphone or
chat for questions and comments. The online live seminar is not
streamed in Facebook or YouTube without consent.

Copyright Notice:
The cited and annotated content of the cited standards is duly owned by their research organizations or publishers.

The provided information about the rules and standards is for educational purposes.
Belief on Competency Building
• Those accountable and responsible for the understanding, decision, and action of cyber security must have the set of knowledge, skills and behaviour that fits the appropriate end-to-end delivery and support of regulated cyber security level requirements and of the assessed risks to be controlled.
Belief on Competency Building
• The identification, elaboration, analysis and documentation of cyber security problem statements are made valid and verifiable by the adopted regulatory guidelines, internationally recognized standards, and professional body of knowledge.
Belief on Competency Building
• Valid, verifiable, acceptable and actionable knowledge on cyber security is communicated with clarity, coherence, completeness and consistency, based on stakeholders' and whole-of-enterprise agreement on the rules, standards, organization, results, metrics, procedures and technology.
Belief on Competency Building
• Real understanding of the insecurity of a cyber infrastructure comes from people who are the knowledge and product sources of vulnerability exploitation and of security countermeasures.
• Competency has to be linked to the value stream and supply chain of cyber security management and data privacy.
Belief on Competency Building
• Useful data, reports and analysis on cyber security come from:
1. Persons or entities who analyze the security vulnerabilities and create the "exploitation" that will breach the confidentiality, integrity and availability of information in the targeted system.
2. Persons or entities who create the knowledge and technology that examine the security vulnerabilities and continuously improve the control of known and possible exploitation.
Belief on Competency Building
(Center for Creative Leadership: Morgan McCall, Michael M. Lombardo, Robert A. Eichinger)
Cyber Security Competency Guide
• Cyber Security Regulatory Context and Practice Standards
• Cyber Security Risks Management
• Cyber Security Control Policies
• Cyber Security Incident Management
• Cyber Security Operation Centre and Technology
Part 2: Cyber Security Risks Management
Question of Understanding
• How to identify, analyze, evaluate, report, and mitigate the cyber security risk?
Normative References of Understanding
• ISO 31000 – Risk Management Guidelines (Clause 8)
• ISO 27005 – Information Security Risk Management
• ETSI Information Security Indicators
Common Concept
Information Security Governance Principles (ISO 27014)
1. Establish organization-wide information security
2. Adopt a risk-based approach
3. Set the direction of investment decisions
4. Ensure conformance with internal and external requirements
5. Foster a security-positive environment
6. Review performance in relation to business
Common Concept
Cyber refers to a computer or a computer network, the electronic medium in which online communication takes place.
(R.A. 10175)
Common Concept
Cyberspace is a complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks.
(ISO 27032)
Common Concept
Cyberspace is a complex environment based on digital technologies that provides a global place for digital interaction among people, including formal and informal interactions with public or private entities such as businesses, governments, non-profit organizations, and other groups.
(ISO 27100)
Common Concept
Cyber Security is the preservation of confidentiality, integrity and availability of information in the Cyberspace.

In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
(ISO 27032)
Common Concept
Cyber Security is the safeguarding of society, people, organizations and nations from risks caused by threats that exploit an interconnected digital environment of networks, services, systems, and processes.
(ISO 27100)
Common Concept
Cyber Security is to maintain an acceptable level of stability, continuity, and safety of entities operating in cyberspace. While it is not possible to always achieve these objectives, cyber security aims to reduce cyber risks to a tolerable level.
(ISO 27100)
Common Concept
Cyber Security refers to the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment, and organization and user's assets.
(R.A. 10175)
Common Concept
Cyber Safety is the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event in the Cyberspace which could be considered non-desirable.
(ISO 27032)
Common Concept
Cyber Safety can take the form of being protected from the event or from exposure to something that causes health or economic losses. It can include protection of people or of assets.

Safety in general is also defined as the state of being certain that adverse effects will not be caused by some agent under defined
Common Concept
Information Security is the preservation of confidentiality, integrity and availability of information.

In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
(ISO 27000)
Common Concept
Information Security Event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant.
Common Concept
Information Security Incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
(ISO 27000)
Common Concept
Information Security Incident Management is the set of processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents.
Common Concept
Critical Infrastructure refers to the computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data and/or traffic data that are so vital to this country that the incapacity or destruction of or interference with such systems and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters.
Common Concept
Cybercrime is criminal activity where services or applications in the Cyberspace are used for or are the target of a crime, or where the Cyberspace is the source, tool, target, or place of a crime.
(ISO 27032)
Common Concept
Vulnerability is the intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence.
Common Concept
Asset is anything that has value to an individual, an organization or a government.
(ISO 27032)
Common Concept
Information asset is knowledge or data that has value to the individual or organization.
(ISO 27032)
Common Concept
Risk is the effect of uncertainty on objectives.
• An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
• Objectives can have different aspects and categories, and can be applied at different levels.
(ISO 31000)
Common Concept
Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.
(ISO 31000)
Common Concept
• Risk Criteria are the terms of reference against which the significance of a risk is evaluated.
• Risk criteria are based on organizational objectives, and external and internal context.
• Risk criteria can be derived from standards, laws, policies and other requirements.
(ISO 27005)
Common Concept
• Risk Management is coordinated activities to direct and control an organization with regard to risk.
(ISO 31000)
Risk Management Concepts
1. Threat – Any potential danger to the information life cycle.
2. Vulnerability – Any weakness or flaw that may provide an opportunity to a threat agent.
3. Threat Agent – An entity that may act on a vulnerability.
4. Risk – The probability (likelihood) that a threat agent exploits a discovered vulnerability, and the severity (impact) of the harm the threat may create.
5. Exposure – An instance of being compromised by a threat agent.
6. Treatment – An administrative, legal, physical, operational, and technical remedy, mitigation, countermeasure or safeguard against the
What is management of security risks
Common Concept
Risk Management Process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
(ISO 31000)
Common Concept
Risk Management Process
Risk Assessment Concept (ISO 31000)
1. Risk identification – Applying risk identification tools and techniques, the organization should identify risk sources, areas of impact, events and causes, and their potential consequences.
2. Risk analysis – It involves developing an understanding of the risk: consideration of the causes and risk sources, their positive and negative consequences, and the likelihood that those consequences can occur. It provides an input to risk evaluation, to the decision on whether risks need to be treated, and to the choice of the most appropriate risk treatment strategies and methods.
Risk Assessment Concept
3. Risk evaluation – It assists in decision making about which risks need treatment and the priority for treatment implementation.
4. Risk treatment – It determines, describes, documents and demonstrates the risk treatment options. The selected action to remedy the evaluated impact of the risks must be based on the outcome of the risk assessment and on the expected cost of implementing and benefiting from the available options.
Content Review of the Standard
Information Security Risk Management – ISO 27005 (Clause 8.2, Annex B, Annex C)
Cyber Asset
Stakeholders: Consumer, Provider, Regulators
Asset – Artifacts
1. Information – Personal data, Financial data
2. Reputation – Brand name
3. Software – Application program
4. Hardware – Devices, Network
5. Services – CRM, ERP
6. People – Skills
Cyber Asset
Stakeholders: Consumer, Provider, Regulators
Asset – Artifacts
1. Personal – Mobile phone, Personal data
2. Organizational – Reputation, Authority
3. Physical – Facilities
4. Virtual – Bitcoins, Digital records
Cyber Threat
Review of ETSI Security Incident Indicators
1. Website Forgery
2. Spam
3. Phishing
4. Intrusion
5. Website Defacement
6. Misappropriation of Resources
7. Denial of Service
8. Malware
9. Physical Intrusion
10. Malfunction
11. Loss or theft of mobile device
12. Trace Malfunction
13. Internal Deviant Behavior
14. Rights or Privileges Usurpation or Abuse
15. Unauthorized access to servers through remote access points
16. Illicit Access to Internet
17. Deactivation of Logs Recording
18. Non-patched or poorly patched vulnerability exploitation
19. Configuration vulnerability exploitation
20. Security incidents on non-inventoried and/or not managed
Cyber Security Risks Assessment
Template columns: Asset | Source of Threat | Kind of Threat
Assets to assess (Source of Threat and Kind of Threat to be filled in):
1. Information
2. Reputation
3. Software
4. Hardware
5. Services
6. People
Cyber Security Risks Assessment
Template columns: Asset | Source of Threat | Kind of Threat
Assets to assess (Source of Threat and Kind of Threat to be filled in):
1. Personal
2. Organization
3. Physical
4. Virtual
Cyber Security Risks Assessment
Asset: ________
Template columns: Cybercrime | Source of Security Threat | Exploited Vulnerabilities | Impact | Probability | Remedy / Treatment
Cybercrime rows (remaining columns to be filled in during the assessment):
1. Illegal Access
2. Illegal Interception
3. Data Interference
4. System Interference
5. Misuse of Device
6. Computer Fraud
7. Computer Forgery
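The four Risk Assessment Concept steps (identification, analysis, evaluation, treatment) carried out over the columns of the assessment template above, as an added Python example that is not part of this guide: the 1..5 rating scale, the acceptance thresholds used as risk criteria, and the sample register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed risk criteria on a 5x5 probability x impact scale; real criteria are
# derived from organizational objectives, context and requirements (ISO 27005).
ACCEPT_BELOW = 7    # score 1..6: accept and monitor
URGENT_ABOVE = 12   # score 13..25: treat urgently


@dataclass
class RiskEntry:
    asset: str          # template column: Asset (Information, Software, ...)
    threat: str         # Cybercrime / security threat
    source: str         # Source of security threat (threat agent)
    vulnerability: str  # Exploited vulnerability
    impact: int         # severity of harm, 1 (minor) .. 5 (debilitating)
    probability: int    # likelihood of exploitation, 1 (rare) .. 5 (almost certain)
    treatment: str      # administrative, legal, physical, operational or technical remedy

    def score(self) -> int:
        """Risk analysis: risk = probability (likelihood) x severity (impact)."""
        if not (1 <= self.impact <= 5 and 1 <= self.probability <= 5):
            raise ValueError("impact and probability must be rated 1..5")
        return self.impact * self.probability

    def evaluate(self) -> str:
        """Risk evaluation: compare the analysed score against the risk criteria."""
        s = self.score()
        if s < ACCEPT_BELOW:
            return "accept"
        return "treat urgently" if s > URGENT_ABOVE else "treat"


def treatment_plan(register):
    """Risk treatment: entries that need treatment, highest score first."""
    needing = [e for e in register if e.evaluate() != "accept"]
    needing.sort(key=lambda e: (-e.score(), e.asset))
    return [(e.asset, e.threat, e.score(), e.evaluate(), e.treatment) for e in needing]


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("Information", "Illegal Access", "external attacker",
              "non-patched vulnerability exploitation", 5, 4, "technical: patch, restrict remote access"),
    RiskEntry("Services", "System Interference", "botnet operator",
              "configuration vulnerability exploitation", 4, 3, "operational: rate limiting, DoS runbook"),
    RiskEntry("Reputation", "Computer Forgery", "phisher",
              "website forgery", 3, 2, "administrative: brand monitoring, user awareness"),
]

for asset, threat, score, decision, remedy in treatment_plan(SAMPLE_REGISTER):
    print(f"{score:>2} {decision:<15} {asset:<12} {threat:<20} -> {remedy}")
```

Changing ACCEPT_BELOW and URGENT_ABOVE is how the organization's own risk criteria enter the evaluation; the register rows are the filled-in template.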