Information Security Risk Management


eliad


  1. Information Security Risk Management: A Systematic View to Approaches

  2. Content
  • Concept
  • Management
  • Principles
  • Framework
  • Process
  • Approaches
  • Samples

  3. What is an IT Risk?
  • Risk = ƒ (Threat x Vulnerability x Impact)
  • Vulnerability: weakness in the system or situation
  • Threat: probability of occurrence of an event exploiting the vulnerability
  • Impact: consequence
  • Example – Information leakage
    • Vulnerability: Unprotected sensitive traffic, unnecessary services enabled
    • Threat: Eavesdropping, illegal processing of data
    • Impact: Loss of business

  4. How to manage IT Risks?
  • Information Security Risk Management
    • Identify organizational needs on information security in a systematic approach
    • Create an effective information security management system (ISMS)
    • Align with overall enterprise risk management
    • Address risks in an effective and timely manner as needed
    • Be an integral part of all information security management activities
    • Apply both to implementation and ongoing operation of the ISMS
  • It is a continual process
  • Scope: the organization as a whole, any discrete part of the organization, or any IT system
  • Principles apply

  5. What are the Principles?
  • Creates value
  • Integral part of organizational processes
  • Part of decision making
  • Explicitly addresses uncertainty
  • Systematic, structured and timely
  • Based on the best available information
  • Tailored
  • Takes human and cultural factors into account
  • Transparent and inclusive
  • Dynamic, iterative and responsive to change
  • Facilitates continual improvement and enhancement of the organization

  6. How to apply the Principles?
  • Risk Management Framework
    • Provide foundations and arrangements to be embedded at all levels
    • Assist in managing risks effectively
      • through application of the risk management process at varying levels
      • within specific contexts of the organization
    • Ensure risk information is adequately reported to management
    • Ensure risk-based decision making and accountability
  • The key to success: effectiveness of the framework

  7. How does the Framework work?
  • The framework components interrelate in an iterative manner
  • Organizations should adapt the components to their specific needs
  • Implemented by the Risk Management Process
  • Any existing general RM process should be critically reviewed and assessed against IT security requirements
  [Figure: Basic Risk Management Framework recommended by ISO 31000:2009 – Mandate & Commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework]

  8. How does the RM Process work?
  • The process components interrelate in an iterative manner
  • Provide a good balance between time and effort spent in identifying controls
  • Ensure high risks are appropriately assessed
  • Embedded in the culture and practices of the organization
  • Tailored to the business processes of the enterprise
  [Figure: Illustration of an Information Security Risk Management Process by ISO 31000:2009 – Context Establishment; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation, with a Y/N decision point); Risk Treatment (with a Y/N decision point); Risk Acceptance; Risk Communication and Consultation; Risk Monitoring and Review]

  9. Why always an iterative approach?
  • A systematic approach is necessary for Information Security Risk Management
  • Risk Management is a continual process
  • An iterative approach provides a good balance between time and effort
  • Information security protection efforts will vary over time
  • Why again?
    • Ultimately, CHANGES!
    • from internal and external parties
    • including but not limited to technology changes and enemy changes

  10. Sample 1 - Hardware
  • Vulnerability: Unprotected storage
  • Threat: Theft of media or documents
  • Impact: Loss of business information
  • Mitigating control: Lock the storage in rooms under video surveillance

  11. Sample 2 - Software
  • Vulnerability: Unclear or incomplete specification for developers
  • Threat: Software malfunction
  • Impact: System shutdown, critical public-relations issue or project delay, depending on the specific business type
  • Mitigating control: Peer review and confirm all specification documents before development

  12. Sample 3 - Network
  • Vulnerability: Transfer of passwords in clear
  • Threat: Remote spying, illegal access to internal systems
  • Impact: Damage to reputation or loss of business, depending on the specific business type
  • Mitigating control
    • Encrypt the password
    • Send a password hash code instead of the password
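The following worked example, added here and not part of the original deck, scores the three samples with the deck's formula Risk = ƒ(Threat x Vulnerability x Impact) and runs them through the evaluation, treatment and acceptance loop of the process slide. The 1..5 ordinal scales, the acceptance criterion of 25 and the scores assigned to each sample are constructed assumptions; the product is used as ƒ.

```python
from dataclasses import dataclass, field, replace

ACCEPTABLE_RISK = 25  # assumed acceptance criterion; scores use constructed 1..5 ordinal scales

@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    impact: str
    t: int  # threat likelihood (1..5)
    v: int  # vulnerability severity (1..5)
    i: int  # impact (1..5)
    # candidate mitigating controls: (name, vulnerability score once the control is in place)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        # The deck's formula Risk = f(Threat x Vulnerability x Impact); f is the plain product here.
        return self.t * self.v * self.i

def treat(risk: Risk) -> dict:
    """Evaluation -> treatment -> acceptance loop from the process slide, run on a copy."""
    r = replace(risk)
    initial, applied = r.score(), []
    for name, new_v in r.controls:
        if r.score() <= ACCEPTABLE_RISK:
            break  # residual risk meets the criterion: accept, no further treatment
        r.v = min(r.v, new_v)  # a control only ever lowers the vulnerability score
        applied.append(name)
    return {"asset": r.asset, "initial": initial, "residual": r.score(),
            "applied": applied, "accepted": r.score() <= ACCEPTABLE_RISK}

# The deck's three samples, with constructed scores.
REGISTER = [
    Risk("Hardware", "Unprotected storage", "Theft of media or documents",
         "Loss of business information", t=3, v=4, i=4,
         controls=[("Lock storage in rooms under video surveillance", 2)]),
    Risk("Software", "Unclear or incomplete specification", "Software malfunction",
         "System shutdown or project delay", t=4, v=3, i=3,
         controls=[("Peer review of all specifications before development", 2)]),
    Risk("Network", "Transfer of passwords in clear", "Remote spying, illegal access",
         "Damage of reputation or loss of business", t=5, v=5, i=5,
         # a hash sent in clear is still replayable, so it lowers the score only slightly
         controls=[("Send password hash instead of password", 4),
                   ("Encrypt the credential exchange in transit", 1)]),
]

def run_register(register=REGISTER) -> list:
    # Highest initial risk first, so treatment effort goes where the deck says: the high risks.
    return sorted((treat(r) for r in register), key=lambda x: x["initial"], reverse=True)
```

Each entry in the result shows the initial score, which controls were needed before the residual risk met the criterion, and whether the risk was accepted; the Network sample needs both controls, which is the second pass of the iterative loop.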
