Data Security Risk Assessment. David Fanson, CISA, MBA, Practice Director, Technology Risk, Titus. December 12, 2012.

Introductions
David Fanson, CISA, MBA
- Director of Tech Risk Practice at Titus
- IT professional for 15 years
- Specializing in IT risk management
- Accenture (Andersen Consulting), PwC, Fortune 500 telco
- System development, strategic planning, and risk management
Titus
- Wisconsin-based national consulting firm founded in 2000
- Risk management, finance, recruiting, and energy
- Multi-year winner of Southeastern Wisconsin's Future 50
- Winner of Inc. Magazine's list of the fastest-growing companies in the US
- Independent and employee owned

Agenda
- Data Security Program
- Risk Assessment Process Overview
- Data Security Impact and Likelihood
- Collaborative Exercise
- Parting Thoughts and Discussion

Data Security Program – Key Ingredients
- Data Classification: management knows what data it has and has rules for managing it.
- Data Mapping: management knows where its data is and how it moves.
- Control Programs: management has a risk and control program in place to protect its data.
- Preparedness: management is prepared for data breaches with security, legal, and public relations programs.

Recent Example from NASA
"NASA told its staff this week that a laptop containing sensitive personal information for a large number of employees and contractors was stolen two weeks ago from a locked vehicle. Although the laptop was password protected, the information had not been encrypted, which could give skilled hackers full access to the contents. … And as recently as March, the company reported a breach that was also caused by a stolen laptop." - New York Times, November 14, 2012
Note: an operating-system login password protects nothing once the thief holds the disk. Without full-disk encryption the contents can be read by booting from other media or mounting the drive in another machine, and no special skill is required.

Risk Assessment – Objectives
- Help management achieve organization objectives: risk management activities should be tied to strategic objectives, and risk assessments are then tied to risk management objectives.
- Focus risk management activities on the highest-risk areas.
- Improve the effectiveness of audits: audit activity should focus on the highest-risk areas in the organization.

Risk Assessment – Key Ingredients
Risk Universe: the spectrum of risk areas across an organization, function, or process.
Example: an IT department risk universe could include:
- Application Management
- Data Management
- Infrastructure
- Resource Management
The risk profile of each area in the Risk Universe is compared against the others, scored, and ranked.

Risk Assessment – Key Equation
Impact: what happens to your organization in the event of a risk being realized.
Likelihood: the probability that a risk will be realized.
Risk = Impact × Likelihood

Risk Assessment – Impact
Impact Analysis: each area in the Risk Universe is evaluated for its impact on the organization should the risk be realized. Impact is determined by analyzing different impact factors.
Types of Impact Factors:
- Strategic impact
- Financial impact
- Operational impact
- Legal
- Reputation
- etc.

Risk Assessment – Likelihood
Likelihood Analysis: each area in the Risk Universe is evaluated for the likelihood that the risk will be realized. Likelihood is determined by analyzing different likelihood factors.
Example Likelihood Factors:
- Prior findings
- Monitoring
- Complexity
- Customization
- Frequency of change

Risk Assessment – Scoring/Ranking
Each area is rated High / Medium / Low for impact and for likelihood, scored as Risk = Impact × Likelihood, and ranked against the rest of the universe.

Risk Universe     | Impact | Likelihood | Score | Rank
------------------|--------|------------|-------|-----
ERP Application   |        |            |       |
Custom App        |        |            |       |
Oracle Database   |        |            |       |
Unix              |        |            |       |
Active Directory  |        |            |       |
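The scoring and ranking step above, worked through in code. This is an added example, not material from the presentation: the High/Medium/Low ratings for the five areas named on the slide are constructed for illustration, and the 1/2/3 mapping, the equal weighting of factors and the tie-break rule are assumptions of this example, not the presenter's method.

```python
"""Score and rank a risk universe with Risk = Impact x Likelihood.

Added example. Every rating below is constructed for illustration; the areas
are the ones named on the slide, the numbers are not from the presentation.
"""
from dataclasses import dataclass

# Three-point scale from the slide (High / Medium / Low); 1..3 is an assumption.
RATING = {"Low": 1, "Medium": 2, "High": 3}

# Impact factors from the "Impact" slide.
IMPACT_FACTORS = ("strategic", "financial", "operational", "legal", "reputation")
# Likelihood factors from the "Likelihood" slide. Rate each by how much it
# RAISES likelihood: weak monitoring -> "High", heavy customization -> "High".
LIKELIHOOD_FACTORS = ("prior_findings", "monitoring", "complexity",
                      "customization", "frequency_of_change")


@dataclass(frozen=True)
class RiskArea:
    name: str
    impact: dict        # factor -> "Low" | "Medium" | "High"
    likelihood: dict    # factor -> "Low" | "Medium" | "High"


def _average(ratings: dict, expected: tuple, label: str) -> float:
    """Average the ratings, refusing incomplete or misspelled input.

    An assessment that silently skips a factor or accepts "Hgih" yields a
    ranking nobody can defend in front of an audit committee, so fail loudly.
    """
    missing = set(expected) - set(ratings)
    extra = set(ratings) - set(expected)
    if missing or extra:
        raise ValueError(f"{label}: missing {sorted(missing)}, unexpected {sorted(extra)}")
    try:
        return sum(RATING[ratings[f]] for f in expected) / len(expected)
    except KeyError as bad:
        raise ValueError(f"{label}: unknown rating {bad}") from None


def impact_score(area: RiskArea) -> float:
    return _average(area.impact, IMPACT_FACTORS, f"{area.name} impact")


def likelihood_score(area: RiskArea) -> float:
    return _average(area.likelihood, LIKELIHOOD_FACTORS, f"{area.name} likelihood")


def risk_score(area: RiskArea) -> float:
    """Risk = Impact x Likelihood; 1..9 under this rating scheme."""
    return round(impact_score(area) * likelihood_score(area), 2)


def rank_universe(universe: list) -> list:
    """Return (rank, name, impact, likelihood, score) rows, highest risk first.

    Ties on score go to the higher-impact area (the one that hurts more if it
    does happen), then to the name so the ranking is stable run to run.
    """
    rows = [(a.name, impact_score(a), likelihood_score(a), risk_score(a)) for a in universe]
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return [(i + 1, *row) for i, row in enumerate(rows)]


def _ratings(factors: tuple, values: tuple) -> dict:
    return dict(zip(factors, values))


# Constructed sample universe using the areas named on the slide.
H, M, L = "High", "Medium", "Low"
UNIVERSE = [
    RiskArea("ERP Application",
             _ratings(IMPACT_FACTORS, (H, H, H, H, H)),
             _ratings(LIKELIHOOD_FACTORS, (H, M, H, H, M))),
    RiskArea("Custom App",
             _ratings(IMPACT_FACTORS, (M, M, H, L, M)),
             _ratings(LIKELIHOOD_FACTORS, (H, H, H, H, H))),
    RiskArea("Oracle Database",
             _ratings(IMPACT_FACTORS, (H, H, H, H, H)),
             _ratings(LIKELIHOOD_FACTORS, (L, L, M, L, L))),
    RiskArea("Unix",
             _ratings(IMPACT_FACTORS, (M, M, H, M, M)),
             _ratings(LIKELIHOOD_FACTORS, (L, L, M, L, L))),
    RiskArea("Active Directory",
             _ratings(IMPACT_FACTORS, (H, H, H, M, H)),
             _ratings(LIKELIHOOD_FACTORS, (M, M, M, L, M))),
]

if __name__ == "__main__":
    print(f"{'Rank':<5}{'Risk area':<20}{'Impact':>8}{'Likelihood':>12}{'Score':>8}")
    for rank, name, imp, lik, score in rank_universe(UNIVERSE):
        print(f"{rank:<5}{name:<20}{imp:>8.2f}{lik:>12.2f}{score:>8.2f}")
```

With these constructed ratings the Oracle database scores below the custom application despite its higher impact: a well-monitored, rarely changed, uncustomized system with no prior findings has a low likelihood, and the product of the two is what drives the audit plan. Changing one factor (say, rating Oracle's monitoring "High" after a finding) and re-running shows how sensitive the ranking is to the likelihood side.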

Data Security Risk Assessment
Data Security Risk Universe: what does the Data Security Risk Universe look like?

Data Security Risk Assessment
Data Security Risk Universe: there are two primary drivers of data security risk.
1. Type of data. Which would have the higher impact on an organization if it were leaked to the public?
   - Earnings
   - Organizational chart
2. Location of data. Which data location is more likely to cause a data leak?
   - Earnings data in a database behind a firewall
   - Earnings data on a flash drive in the controller's pocket

Data Security Risk Assessment
Data Security Risk Universe: we need to conduct two risk assessments.
1. Data Types
   - What types of data does the organization have?
   - Has the organization classified its data?
   - Is all data equal, or is some of it higher risk than the rest?
2. Data Locations
   - Where does data reside in the organization?
   - Does management know where all its data is?
   - Where could data reside in the organization?

Data Type Risk Assessment
Data Type Risk Universe: consider the different types of data in your organization.
- Data can be thought of by business process: revenue, payroll, purchasing, manufacturing.
- Data can be thought of as structured vs. unstructured.
Data Type Impact Factors: what questions can we ask to determine the impact different data types can have?
Let's begin building a Data Type Risk Assessment!

Data Location Risk Assessment
Data Location Risk Universe: consider the different locations data could be in your organization.
- Is data always electronic?
- Does data stay still, or is it on the move?
Data Location Likelihood Factors: what questions can we ask to determine the likelihood that a data location could cause a data breach?
Let's begin building a Data Location Risk Assessment!

Pulling Type and Location Together
- The impact of a data security breach is driven by the type of data involved.
- The likelihood of a data security breach is driven by where the data is.
What insights do we get when we combine the impact of a type of data with the likelihood of its location? Let's find out!
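The combination step, worked through as an added example that is not part of the presentation. It turns the impact questions for data types and the likelihood questions for data locations into flags, scores every (type, location) pair that the data map says actually exists, and ranks them. The data types, the locations, their attributes and the data map are all constructed for illustration; the flag-counting scales and the tie-break rule are this example's assumptions, not the presenter's method.

```python
"""Combine a data-type impact assessment with a data-location likelihood
assessment and rank the (type, location) pairs that really exist.

Added example. All types, locations and the data map are constructed for
illustration and are not from the presentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataType:
    """Impact side: questions about what the data IS."""
    name: str
    regulated: bool                 # PII, PCI, HIPAA ... (legal impact)
    financially_material: bool      # pre-release earnings etc. (financial impact)
    competitively_sensitive: bool   # pricing, customer lists (strategic impact)

    def impact(self) -> int:
        """1 (harmless if public) .. 4 (every impact question answered yes)."""
        return 1 + sum((self.regulated, self.financially_material,
                        self.competitively_sensitive))


@dataclass(frozen=True)
class Location:
    """Likelihood side: questions about WHERE the data sits."""
    name: str
    portable: bool            # can leave the building (laptop, USB stick, phone)
    encrypted_at_rest: bool
    access_controlled: bool   # least privilege enforced, not shared with "Everyone"
    monitored: bool           # access is logged and the logs are actually reviewed

    def likelihood(self) -> int:
        """1 (locked down) .. 5 (portable, plaintext, open to all, unwatched)."""
        return 1 + sum((self.portable, not self.encrypted_at_rest,
                        not self.access_controlled, not self.monitored))


def rank_pairs(data_types: list, locations: list, data_map: dict) -> list:
    """Score every (type, location) pair recorded in the data map.

    data_map: type name -> set of location names (the Data Mapping ingredient).
    A map entry that names an unassessed type or location is rejected: an
    unassessed location is exactly the blind spot this exercise exists to find.
    Returns (type, location, impact, likelihood, score) rows, highest risk first.
    """
    types = {t.name: t for t in data_types}
    locs = {loc.name: loc for loc in locations}
    rows = []
    for tname, where in data_map.items():
        if tname not in types:
            raise ValueError(f"unassessed data type {tname!r} in data map")
        dtype = types[tname]
        for lname in where:
            if lname not in locs:
                raise ValueError(f"{tname!r} is mapped to unassessed location {lname!r}")
            imp, lik = dtype.impact(), locs[lname].likelihood()
            rows.append((tname, lname, imp, lik, imp * lik))
    # Highest risk first; ties go to the higher-impact data, then by name.
    rows.sort(key=lambda r: (-r[4], -r[2], r[0], r[1]))
    return rows


def worst_location_for(rows: list, type_name: str):
    """Where should the data security manager look first for this data type?"""
    for tname, lname, *_ in rows:
        if tname == type_name:
            return lname
    return None


def audit_focus(rows: list, n: int) -> list:
    """Distinct locations appearing in the top-n pairs, in rank order.

    This is what feeds the audit plan: a location that keeps surfacing near the
    top of the list is where control testing should be spent.
    """
    seen = []
    for _, lname, *_ in rows[:n]:
        if lname not in seen:
            seen.append(lname)
    return seen


# Constructed sample assessments (not from the presentation).
DATA_TYPES = [
    DataType("Quarterly earnings (pre-release)", True, True, True),
    DataType("Payroll", True, False, False),
    DataType("Customer list", False, False, True),
    DataType("Org chart", False, False, False),
]
LOCATIONS = [
    Location("Finance database behind firewall", False, True, True, True),
    Location("Departmental file share", False, False, True, False),
    Location("Intranet wiki", False, False, True, True),
    Location("Unencrypted laptop", True, False, True, False),
    Location("USB flash drive in a pocket", True, False, False, False),
]
DATA_MAP = {
    "Quarterly earnings (pre-release)": {"Finance database behind firewall",
                                         "Unencrypted laptop", "USB flash drive in a pocket"},
    "Payroll": {"Finance database behind firewall", "Departmental file share"},
    "Customer list": {"Departmental file share", "Unencrypted laptop"},
    "Org chart": {"Intranet wiki", "Departmental file share"},
}

if __name__ == "__main__":
    ranked = rank_pairs(DATA_TYPES, LOCATIONS, DATA_MAP)
    for tname, lname, imp, lik, score in ranked:
        print(f"{score:>3}  {imp} x {lik}  {tname} @ {lname}")
    print("Audit focus:", audit_focus(ranked, 3))
```

Two things fall out of running this that a ranked list of data types alone would not show: the same earnings data appears at both the top and near the bottom of the list, so the control gap is the copy on removable media, not the data type as such; and the unencrypted laptop surfaces for two different data types, which is the kind of location an audit plan should target once rather than per data owner.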

Insights From This Exercise
- What insights would a data security manager gain from a risk-ranked list of data types?
- What insights can be drawn from the data location exercise?
- How can combining the data type and data location assessments change an audit plan?

Insights From This Exercise
Has this exercise addressed our objectives?
- Help management achieve organization objectives
- Focus risk management activities on the highest-risk areas
- Improve the effectiveness of audits
Can this exercise contribute to an organization's Data Security Program?
- Data Classification: building the Data Type Universe
- Data Mapping: building the Data Location Universe
- Control Programs: the Data Location Risk Assessment
- Preparedness: the Data Type Risk Assessment

In Summary
An effective data security program must be able to:
1. Identify, classify, and prioritize its data.
2. Map its data to specific locations and quantify the risks associated with those locations.
3. Build control programs to safeguard its data, wherever it is.
4. Be prepared for a data breach if and when it happens.
A Data Security Risk Assessment helps by:
1. Building a data type universe that can be classified and prioritized.
2. Driving risk management of hardware, devices, and networks.
3. Identifying the high-risk areas for control and monitoring programs.
4. Facilitating the analysis and planning for emergency response.

Questions? Closing comments. Happy Holidays!
David Fanson, CISA, MBA, Practice Director, Technology Risk, Titus