Service Design – Section 4.5 Service Continuity Management.


“We are all familiar with typical risk management processes. The fundamental notion is that we identify risks, we assess their probability of occurrence, and we assess the consequence of occurrence. Then we put a risk management plan in place that is designed to eliminate, or alleviate the impact of, the serious risk events. Every risk is necessarily a future event, and only when the risk event actually happens is the risk transformed into a problem. The better we are at identifying risks and understanding the underlying basis of our risks, the better we can manage the risks.” (James Dobbins, Critical Success Factor (CSF) Analysis for DoD Risk Management: CSF—More Than Making a List)

Risk analysis provides the basic input for continuity and recovery strategies, plans and responses. Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

The process used on the following slides is ISO 31000, the family of standards on risk management codified by the International Organization for Standardization, which provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. The clause numbers 5.2 to 5.6 below are the steps of its risk management process.

[Process diagram: 5.2 Communications; 5.3 Context Setting; 5.4 Risk Assessment (Identification, Risk Analysis, Evaluation); 5.5 Risk Treatment; 5.6 Risk Monitoring; all feeding the Risk Profile. Documented outputs of the process: Risk Management Policy, Process Guide, Plans, Risk Registers, Issue Logs.]

5.3 Context Setting. Factors that establish the context in which risk is managed:
- the overall management framework
- governance and accountability structures
- values and ethics
- operational work environment
- current risk tolerances of stakeholders
- individual and corporate risk management culture and tolerances
- existing risk management expertise and practices
- human resources capacity
- level of transparency required
- local and corporate policies, procedures and processes

5.2 Communications. Principles for communicating about risk:
- Embed a culture in which everybody is a risk manager
- Place responsibility for driving risk management high in the organization
- Open communication is necessary for risk management to succeed
- Use teams to manage risks
- Communicate risk management performance

The process as a sequence of steps:
1. Identification of risk in a selected domain of interest
2. Planning the remainder of the process
3. Mapping out the social scope of risk management, the identity and objectives of stakeholders, and the basis upon which risks and constraints will be evaluated
4. Defining a framework for the activity and an agenda for identification
5. Developing an analysis of the risks involved in the process
6. Mitigation or solution of risks using available technological, human and organizational resources


5.3 Context Setting. Outputs of context setting:
- Scope of risk
- Nature of risk
- Stakeholders
- Risk appetite
- Treatment and control mechanisms
- Potential action for improvement
- Strategy and policy developments

5.4 Risk Assessment. Risks must be assessed as to their potential severity of loss and their probability of occurrence.

5.4 Risk Assessment: Identification. Risks are about events that, when triggered, cause problems. Hence risk identification can start with the source of problems, or with the problem itself.
- Source analysis: risk sources may be internal or external to the system that is the target of risk management.
- Problem analysis: risks are related to identified threats.

Identification methods: objectives-based, scenario-based, taxonomy-based, risk lists, risk charting.

5.4 Risk Assessment: Risk Analysis. A combination of the impact-of-loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat.

Composite Risk Index = Impact of risk event × Probability of occurrence.
The impact of the risk event is assessed using a measure (e.g. 0 to 5, where 0 and 5 represent the minimum and maximum possible impact of an occurrence of a risk, usually in terms of financial losses). The probability of occurrence is also assessed using a scale (e.g. 0 to 5, where 0 represents a zero probability of the risk event actually occurring while 5 represents a 100% probability of occurrence, i.e. certainty). On these scales the index ranges from 0 to 25. Note that the product rates a maximum-impact event with probability 1 the same as a minimal-impact event with probability 5; for continuity planning the first kind is exactly the case recovery plans exist for, so the impact rating should be read alongside the index rather than replaced by it.

5.4 Risk Assessment: Evaluation. Controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are identified. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. Factors to be considered:
- effectiveness of recommended options (e.g. system compatibility)
- legislation and regulation
- organizational policy
- operational impact
- safety and reliability

5.5 Risk Treatment. Prioritization and implementation of the appropriate risk-reducing controls recommended by the risk assessment process.

Treatment options:
- Avoidance (eliminate, withdraw from or do not become involved)
- Reduction (optimize, mitigate)
- Sharing (transfer: outsource or insure)
- Retention (accept and budget)


Treatment approaches:
- Re-design the business process with adequate built-in risk control and containment measures
- Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations, and modify mitigation measures accordingly
- Transfer the risk
- Avoid risks (e.g. by closing down a particular high-risk business area)

Treatment decisions require approval by the appropriate management level; the output is a proposal of applicable and effective security controls for managing the risks.

5.6 Risk Monitoring. Practice, experience and actual loss results will necessitate changes in the plan and contribute information that allows different decisions to be made in dealing with the risks being faced: to evaluate whether the selected controls are still applicable and effective, and to evaluate possible changes in the risk level of the business environment.
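As an added worked example, not code from the slides, the following Python scores a constructed continuity risk register with the composite risk index from the Risk Analysis slide, maps each score to one of the four treatment options from the Risk Treatment slides under an assumed risk appetite, and re-scores residual risk after the proposed controls, which is the check the monitoring step above calls for. The appetite thresholds, the sample risks and the control effects are assumptions made for illustration, and the rule that a maximum-impact event is never simply retained is an addition of this example, not part of the slides.

```python
"""Composite Risk Index scoring for a service-continuity risk register.

Added example (not from the slides). Implements impact x probability on the
0..5 scales described above, ranks a constructed register, proposes one of
the four treatment options under an assumed risk appetite, and re-scores
residual risk after the proposed controls.
"""
from dataclasses import dataclass, field

SCALE_MAX = 5             # impact and probability are rated 0..5, as on the slide
CATASTROPHIC_IMPACT = 5   # assumption: a max-impact event is never simply retained

# Assumed risk-appetite boundaries on the 0..25 composite index (illustrative).
APPETITE_RETAIN = 5       # index <= 5 may be retained (accepted and budgeted)
APPETITE_AVOID = 15       # index >= 15 must be avoided, or reduced before proceeding


@dataclass
class Control:
    """A proposed control and the rating points it is assumed to remove."""
    name: str
    impact_reduction: int = 0
    probability_reduction: int = 0


@dataclass
class Risk:
    ident: str
    description: str
    impact: int          # 0 = minimal loss, 5 = maximum loss
    probability: int     # 0 = cannot occur, 5 = certain
    controls: list = field(default_factory=list)


def composite_risk_index(impact: int, probability: int) -> int:
    """Impact x probability; rejects ratings outside the 0..5 scale."""
    for name, value in (("impact", impact), ("probability", probability)):
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{name} rating {value} is outside 0..{SCALE_MAX}")
    return impact * probability


def residual_ratings(risk: Risk) -> tuple:
    """Ratings after the risk's controls are applied, clamped at 0."""
    impact = risk.impact - sum(c.impact_reduction for c in risk.controls)
    probability = risk.probability - sum(c.probability_reduction for c in risk.controls)
    return max(0, impact), max(0, probability)


def propose_treatment(impact: int, probability: int) -> str:
    """Map a rating pair to one of the slide's four treatment options.

    Added rule: an impact-5 event is never retained on a low index alone,
    because 5x1 and 1x5 score the same although only the former can end
    the service; that case is what continuity plans exist for.
    """
    index = composite_risk_index(impact, probability)
    if index >= APPETITE_AVOID:
        return "avoid or reduce"
    if index > APPETITE_RETAIN or impact >= CATASTROPHIC_IMPACT:
        return "reduce or share"
    return "retain"


def prioritise(register: list) -> list:
    """Rank by inherent index (impact breaks ties) and attach the proposed
    treatment plus the residual index after the listed controls."""
    rows = []
    for risk in register:
        r_imp, r_prob = residual_ratings(risk)
        rows.append({
            "id": risk.ident,
            "impact": risk.impact,
            "inherent": composite_risk_index(risk.impact, risk.probability),
            "treatment": propose_treatment(risk.impact, risk.probability),
            "residual": composite_risk_index(r_imp, r_prob),
            "within_appetite": propose_treatment(r_imp, r_prob) == "retain",
        })
    return sorted(rows, key=lambda r: (-r["inherent"], -r["impact"]))


# Constructed sample register for a hosted service (illustrative only).
SAMPLE_REGISTER = [
    Risk("R1", "Loss of primary data centre (fire, flood)", 5, 1,
         [Control("Warm standby site with replicated data", impact_reduction=3)]),
    Risk("R2", "Ransomware encrypts production and backup catalogue", 4, 3,
         [Control("Immutable offline backup copies", impact_reduction=2),
          Control("Restricted backup-admin credentials", probability_reduction=1)]),
    Risk("R3", "Sole DNS provider outage", 3, 2),
    Risk("R4", "Key administrator unavailable during an incident", 2, 4,
         [Control("Documented runbooks and cross-training", probability_reduction=2)]),
    Risk("R5", "Scheduled UPS maintenance overruns", 1, 2),
    Risk("R6", "Unpatched internet-facing legacy host", 4, 4,
         [Control("Decommission host and migrate the service", probability_reduction=3)]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(row)
```

R3 is the row to notice: with no proposed control its residual index stays at 6, so it remains outside the assumed appetite and would be carried forward to the next monitoring cycle; R1 is kept out of the "retain" bucket by its impact rating even though its inherent index is only 5.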

Risk Assessment is also a COBIT control objective (PO9): "IT risk identification and impact analysis, involving multi-disciplinary functions and taking cost-effective measures to mitigate risks", with the following detailed objectives:
- Business Risk Assessment: risk assessment framework, risk assessment at a number of levels, reassessments and information updates
- Risk Assessment Approach: establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills
- Risk Identification: cause/effect relationships, qualitative and quantitative risk ranking, risk classification
- Risk Measurement: measurement of risk exposure, assessment of risk acceptance capacity
- Risk Action Plan: cost-effective controls and security measures, risk strategies in terms of avoidance, mitigation or acceptance
- Risk Acceptance: formal acceptance of residual risk, offset by insurance or contractual liabilities
- Safeguard Selection: a control system that balances prevention, detection, correction and recovery measures
- Risk Assessment Commitment: an important tool in design and implementation as well as in monitoring and evaluation mechanisms


Organizations may undertake risk assessment at one of six maturity levels:
- 0 (Non-existent): Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.
- 1 (Ad Hoc): Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and with development project uncertainties.
- 2 (Repeatable): The organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies.
- 3 (Defined): An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and made available to all staff through training.
- 4 (Managed & Measured): The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior-level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation.
- 5 (Optimized): Risk assessment has developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization.
