Risk Assessment and Management
Objective
To enable an organisation's mission accomplishment by:
- better securing the IT systems that store, process, or transmit organisational information
- enabling management to make well-informed risk management decisions to justify the expenditure (within the IT budget)
- assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

What is Risk?

Risk is the degree to which any of the vulnerabilities can be exploited by the threats to result in loss or damage to the asset. This loss or damage is called impact. Examples:
- Direct loss of money (cash or credit)
- Breach of legislation
- Loss of goodwill/reputation
- Reduction of share value
- Endangering staff or confidence
- Loss of business opportunity
- Reduction in operational efficiency/performance
- Interruption of business activity

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence.

Risk and its Value
Risk is a mathematical function of threats, vulnerabilities, their probability and the impact. While threats increase with more exposure of data/systems, vulnerabilities go up with the complexity of the problem. The value of the assets, if exploited, determines the impact. Thus, the risk value is a product of the threat value, the vulnerability value, the probability value and the asset value.

Risk Assessment
This is a method by which:
- risks to your organisation are identified
- the cost of these risks is calculated
- the costs of mitigating those risks are calculated
- a cost-benefit analysis is performed

Risk Assessment
This helps management:
- to make informed decisions relating to the security of IT assets
- to ensure that the relevant controls are in place
Depending on the size of the organisation, part of these controls will include extra resourcing, i.e. a dedicated information security officer. In a medium to large organisation, there should be a security officer to continue the design and deployment of the security programme.

Risk assessment:
- is the first process in the risk management methodology
- is made to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC
- helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process
- analyses the threats to an IT system, given the likely vulnerabilities and the controls in place
- helps to determine the likelihood of a future adverse event

Risk Assessment
The magnitude of harm that could be caused by a threat's exercise of a vulnerability is known as impact. In the impact analysis, the merits and demerits of quantitative and qualitative assessments are considered. We may adopt a qualitative assessment, as it prioritises the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

Risk Management

Risk management encompasses three processes:
- risk assessment
- risk mitigation
- risk evaluation and assessment
Risk management is the process that allows IT managers to balance the operational and economic costs of security to achieve gains in mission capability by protecting the IT systems and data that support their organisational mission.

Risk Management
A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities. Effective risk management must be totally integrated into the SDLC.

Risk Management Process
If effective, this becomes an important component of a successful IT security programme. The process should not be treated primarily as a technical function carried out by the IT experts; it should be treated as an essential management function. Risk management is the process of identifying and assessing the risk and taking steps to reduce it to an acceptable level.

Overall Risk Management Process
[Diagram: nodes Threats, Vulnerabilities, Assets, Asset Values, Impact on Organization, Risk, Security Needs, Controls; relationship labels Exploit, Expose, Have, Indicate, Increase, Reduce, Protect against, Met by.]

Impact Assessment

The impact assessment may be made as:
High: Exercise of the vulnerability may
- result in the highly costly loss of major tangible assets or resources
- significantly violate, harm, or impede an organisation's mission, reputation, or interest
- result in human death or serious injury

Medium: Exercise of the vulnerability may
- result in the costly loss of tangible assets or resources
- violate, harm, or impede an organisation's mission, reputation, or interest
- result in human injury

Low: Exercise of the vulnerability may
- result in the loss of some tangible assets or resources
- noticeably affect an organisation's mission, reputation, or interest

Risk Determination

The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact, using a matrix table which shows how the overall risk ratings might be determined based on inputs from the threat likelihood and threat impact categories. It is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low).

Risk-level Matrix

Threat Likelihood | Impact: Low (10)      | Impact: Medium (50)    | Impact: High (100)
High (1.0)        | Low    10 x 1.0 = 10  | Medium 50 x 1.0 = 50   | High   100 x 1.0 = 100
Medium (0.5)      | Low    10 x 0.5 = 5   | Medium 50 x 0.5 = 25   | High   100 x 0.5 = 50
Low (0.1)         | Low    10 x 0.1 = 1   | Low    50 x 0.1 = 5    | Low    100 x 0.1 = 10

Using the matrix, the risk level can be identified as High, Medium or Low. This in turn is a function of the likelihood and the impact. It represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability is exercised. The matrix also presents the actions that senior management (the mission owners) must take for each risk level.

From the matrix, the risk is considered:
- High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
- Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
- Low: If an observation is described as low risk, the system's DM must determine whether corrective actions are still required or decide to accept the risk.
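As an added worked example (not code from the original slides), the following Python puts the risk determination step above into a small script: it scores each finding with the likelihood weights and impact values from the slide's matrix, assigns a risk level, sorts a constructed sample register highest risk first and attaches the management action the slide prescribes for each level. The cut-offs that convert a score into a level (above 50 High, above 10 Medium, otherwise Low) are an assumption taken from NIST SP 800-30 and are not stated on the slide; with those cut-offs the Medium-likelihood x High-impact cell scores 50 and lands in Medium, whereas the slide's matrix labels it High, so adjust the cut-offs if you need to reproduce the slide exactly. The assets, threats, vulnerabilities and ratings in the sample register are constructed.

```python
"""Risk determination with the likelihood x impact matrix from the slides.

Added worked example; not code from the original presentation.
Likelihood weights (High 1.0, Medium 0.5, Low 0.1) and impact values
(Low 10, Medium 50, High 100) come from the slide's risk-level matrix.
The score cut-offs that turn a number into a level (> 50 High, > 10 Medium,
otherwise Low) are an ASSUMPTION taken from NIST SP 800-30; the sample
findings at the bottom are constructed data.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # threat likelihood weights
IMPACT = {"Low": 10, "Medium": 50, "High": 100}         # impact magnitude values

# Management action required per risk level, as stated on the slide.
ACTION = {
    "High": "Strong need for corrective measures; put a corrective action plan in place as soon as possible.",
    "Medium": "Corrective actions needed; develop a plan to incorporate them within a reasonable period.",
    "Low": "System owner must decide whether corrective actions are still required or accept the risk.",
}


@dataclass(frozen=True)
class Finding:
    """One observation from an assessment, rated qualitatively."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "High" | "Medium" | "Low"
    impact: str      # "High" | "Medium" | "Low"


def risk_score(likelihood: str, impact: str) -> float:
    """Matrix cell value: impact value x likelihood weight.

    Ratings are validated so a typo in the register fails loudly instead of
    silently scoring as zero. The product is rounded because 100 * 0.1 is not
    exactly 10.0 in binary floating point and would otherwise be classified
    one level too high.
    """
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return round(IMPACT[impact] * LIKELIHOOD[likelihood], 6)


def risk_level(score: float) -> str:
    """Map a score to High / Medium / Low (assumed NIST SP 800-30 cut-offs)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """The full 3 x 3 matrix as {(likelihood, impact): (score, level)}."""
    matrix = {}
    for lk in LIKELIHOOD:
        for im in IMPACT:
            score = risk_score(lk, im)
            matrix[(lk, im)] = (score, risk_level(score))
    return matrix


def prioritise(findings) -> list:
    """Score each finding, attach the required action, return highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        level = risk_level(score)
        rows.append({"finding": f, "score": score, "level": level, "action": ACTION[level]})
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep register order
    return rows


# Constructed sample register (hypothetical assets and ratings, not from the slides).
SAMPLE_FINDINGS = [
    Finding("payroll database", "external attacker", "unpatched DBMS reachable from office LAN", "Medium", "High"),
    Finding("public web server", "opportunistic attacker", "default administrative password", "High", "Medium"),
    Finding("print server", "disgruntled insider", "weak local account policy", "Low", "Low"),
    Finding("customer portal", "organised crime", "no input validation on payment form", "High", "High"),
]

if __name__ == "__main__":
    matrix = risk_matrix()
    for lk in LIKELIHOOD:
        cells = ", ".join(f"{im} impact: {matrix[(lk, im)][0]:g} ({matrix[(lk, im)][1]})" for im in IMPACT)
        print(f"{lk:<6} likelihood -> {cells}")
    print()
    for row in prioritise(SAMPLE_FINDINGS):
        f = row["finding"]
        print(f"{row['score']:>5g} {row['level']:<6} {f.asset}: {f.threat} / {f.vulnerability}")
        print(f"      action: {row['action']}")
```

Run it directly to print the matrix and the prioritised register; in practice the register would be read from the assessment's findings spreadsheet rather than hard-coded, and the cut-offs adjusted to the organisation's own risk scale.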