Information Security Risk Management

1. Information Security Risk Management Darren Craig Senior Managing Consultant

2. Agenda • Introduction • Common Management Views • Past & Present approaches to Information security management • Risk Approach • Conclusions

3. Introduction • Darren Craig • Background • Senior Managing Consultant with IBM with over 15 years experience in the area of information security management and threat mitigation • Sectors • Retail • Public Sector • Financial Services

4. Information Security advocate • Information security is as necessary as physical security; just as a business locks the doors to it’s offices it must also take steps to protect it’s information assets. • Information security is a business enabler that provides a protected context in which commerce can occur while still protecting intellectual property and customer data. • The value of information security can not always be established in hard cost; if a countermeasure is purely preventative then ROI may be measured by performing a cost/benefit analysis

5. Common management • Information security is a discretionary expense in the companies budget. • Information security cost the company more then it returns. • Only when a security failure is reported is there a justification for greater expense. • Our presently implemented countermeasures are sufficient, no further steps can significantly reduce risk.

6. Outdated Approach • IT driven (Best of Breed) • Bottom up approach • No clear view of risk • Threats not clearly defined • External focused • No clear standards • Hard to measure cost v benefit • Fear, Uncertainty and Doubt (FUD)

7. Going Forward • Protection of “Information Assets” in all areas of the business • Business drivers • Balance between costs v benefits • Built around worldwide best practice (ISO 27002) • Incorporates compliance requirements (PCI, SOX) • Easier management • Control costs • Measure Risk and Decide how to reduce it • Better value for money The goal is to protect Confidentiality, Integrity or Availability of the information which belongs to the business – Your business information is a asset after all – isn’t it?

8. Why a Risk based approach • The business decides on whether to accept risk or not • Clear budget justifications to reduce risk to an acceptable level • Helps maintain compliance as part of the overall process • Helps identify “information Assets” • The business are the real owners of “information” • Strengthens overall Business Continuity

9. Identify the critical assets Identify the owners Determine how and where the critical assets are used Categorize the assets Classify the assets Identify risk and exposure Suggest Approach 1 Business Value Assessment 1 Identify Threats to the Assets 2 1 Vulnerability Assessment 3 4 Mitigate Risk Accept Risk Manage Risk 5

10. Conclusions • Build Information risk management into your overall Business Continuity Planning process • Use ISO 27001 as you framework • Always take a risk based approach and understand the threats before deciding which types of controls to implement • Don’t be fooled into thinking “Best of breed” means better security • Ask yourself these key questions; • Which information assets are we trying to protect? • What are they worth to the business? • What’s the impact if we lost Confidentiality, Integrity or Availability of these? • How do we mitigate the risk? – which controls • What’s the cost?

11. Use Protection!