COMP3357 Managing Cyber Risk


1 COMP3357 Managing Cyber Risk
Richard Henson, University of Worcester, May 2017

2 Week 12: Using Risk Assessment for BCP…
Objectives:
- Use theoretical principles of risk assessment to produce a risk register and risk treatment plan
- Use the risk treatment plan to create a usable Business Continuity Plan

3 ISO27001 & Risk Assessment
ISO 27001 is about…
- informing an organisation which incidents could occur (i.e. assessing the risks)
- then finding the most appropriate ways to avoid such incidents (i.e. treating the risks)
- assessing the relative importance of each risk so the organisation can treat the most important one(s) first

4 Summary of Information Risk Assessment (ISO27001) - 1
Risk Assessment Methodology
- define rules on how to perform risk management
- the whole organisation should do it the same way
- qualitative or quantitative risk assessment?
- what will be the acceptable level of risk, etc.

5 Summary of Information Risk Assessment (ISO27001) - 2
Risk Assessment Implementation
- companies are typically aware of only 30% of their risks! so raise awareness…
- list assets
- list threats and vulnerabilities related to those assets
- identify impact and likelihood for each combination of asset/threat/vulnerability
- finally, calculate the level of risk

6 Summary of Information Risk Assessment (ISO27001) – 3a
Risk Treatment Implementation
Four ways to treat unacceptable risks:
- modify: apply “Annex A” security controls to decrease the risk (see the article on ISO 27001 Annex A controls)
- transfer: pass the risk to another party, e.g. an insurance company (buy an insurance policy)
- avoid: stop doing an activity that is too risky, or do the activity in a completely different fashion
- accept: if the cost of mitigation is higher than the damage itself!

7 Summary of Information Risk Assessment (ISO27001) – 3b
Risk Treatment plan…
- how to decrease the risks with minimum investment?
- management demand (!): achieve the same result with less money
- need to figure out how!?!

8 Summary of Information Risk Assessment (ISO27001) - 4
ISMS Risk Assessment Report
- everything done so far compiled into readable documentation
- for the auditors…
- internal, for future reference and checking!

9 Summary of Information Risk Assessment (ISO27001) - 5
Statement of Applicability (SoA)
- shows the security profile of the company, based on the results of the risk treatment
- lists implemented controls, why implemented, how implemented
- important for the audit (!)
- for details about the SoA, see Statement of Applicability for ISO

10 6 - Risk Treatment (Implementation) Plan
Theory becomes reality!
- crucial to get management approval
- will take considerable time and effort (and money) to implement all the controls
- a journey…
  - start: not knowing how to set up your information security
  - finish: having a very clear picture of what you need to implement in a real company: who (is going to implement each control), when, with which budget, etc.

11 Gathering Risk Assessment Data
Requirements:
- figuring out all the threats to the organisation’s data
- cataloguing all hardware and software in the organisation into a Risk Register
- although hardware may appear irrelevant to information management, it needs identifying so it can be appropriately categorised in the risk register!

12 1. Threats to Organisational Data
Outsiders:
- hackers
- competitors
Insiders:
- employees with bad intent
- careless (“dopey”) employees
- either of the above working with outsiders

13 2. Information Assets & Risk
- data required to keep the business functioning
- needs hardware and software to be useful! these also carry risk
- once identified, assets need to be categorised into rank order according to how well (or not…) the organisation would survive without them

14 The Information Asset Register (ISO27001)
- list of information assets…
- list of related assets: infrastructure needed to maintain each/all asset(s)
  - can be non-computer hardware (e.g. cooling/ventilation system for servers)
  - equipment to counteract the effects of natural disasters (e.g. flood defences)

15 System Vulnerabilities
Ways that assets can be compromised:
- unpatched applications and/or operating systems
- user accounts with poorly protected passwords
- users unaware of “phishing” and other social engineering tactics

16 Calculating Risk to Information Assets
Simple formula: likelihood of loss (1-10) x impact (also 1-10)
- bigger score, bigger risk! (scores range from 1 to 100)
- assets can be ranked accordingly, along with the hardware/software needed to maintain each asset

17 Asset Register to Risk Treatment Planning
- “Risk Treatment” as a formal stage started with ISO27001
- now an accepted part of the information risk management process
- concludes with a risk treatment plan that shows how each of the risks regarded as significant will be mitigated

18 To Mitigate or Accept a Risk?
- Risk Register should contain all potential risks…
- H, M, L categorisation and/or impact assessment score should indicate the main dangers
- even L categorisations and low impact assessments still need classifying as “risk accepted”
- the register should show acceptance or mitigation for each information resource

19 Asset Register for BCP
- use the list of assets… (incl. information assets)
- devise a plan to protect each one, according to priority (H, M, L) for business continuity
- add another column to the asset register stating how each category H asset is backed up
Protecting “H” assets:
- make sure a plan is in place to quickly replace that asset if damaged!
- make sure that plan is put to the test on a regular basis! no good if the replacement resources are not working or not compatible
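A worked version of the scoring and treatment steps from slides 16, 18 and 19, as an added example that is not part of the original slides. It applies the slides' likelihood (1-10) x impact (1-10) formula to a constructed set of assets, threats and vulnerabilities, ranks the resulting register, bands each entry H/M/L (the thresholds are assumed; the slides do not give numbers for them), records a mitigate/accept decision per entry so that accepted low risks still appear in the register, and lists the H assets that need a tested replacement plan for the BCP:

```python
"""Worked risk-register example (an added illustration, not code from the
COMP3357 slides).  Scores each asset/threat/vulnerability combination with
the slides' formula, risk = likelihood (1-10) x impact (1-10), ranks the
register, bands entries H/M/L and records whether each risk is mitigated
or accepted.  Band thresholds and the sample rows are assumptions."""

from dataclasses import dataclass, field

# Assumed H/M/L thresholds on the 1-100 product scale (not given on the slides).
HIGH_THRESHOLD = 50
MEDIUM_THRESHOLD = 20


def risk_score(likelihood: int, impact: int) -> int:
    """The slides' formula; both factors must be whole numbers from 1 to 10."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 1-100 score onto the slides' H/M/L categories (assumed cut-offs)."""
    if score >= HIGH_THRESHOLD:
        return "H"
    if score >= MEDIUM_THRESHOLD:
        return "M"
    return "L"


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1-10
    impact: int      # 1-10
    score: int = field(init=False)
    band: str = field(init=False)
    treatment: str = field(init=False)

    def __post_init__(self) -> None:
        self.score = risk_score(self.likelihood, self.impact)
        self.band = risk_band(self.score)
        # Assumed policy: H and M risks are mitigated; L risks are accepted
        # but still recorded, as slide 18 requires.
        self.treatment = "mitigate" if self.band in ("H", "M") else "accept"


def build_register(rows):
    """Turn (asset, threat, vulnerability, likelihood, impact) tuples into a
    register ranked from highest to lowest score."""
    entries = [RiskEntry(*row) for row in rows]
    return sorted(entries, key=lambda e: e.score, reverse=True)


def bcp_priorities(register):
    """Assets slide 19 says need a tested replacement/backup plan: every H entry."""
    return sorted({e.asset for e in register if e.band == "H"})


def format_register(register) -> str:
    """Render the register as a fixed-width text table."""
    header = f"{'Asset':<26}{'Threat':<14}{'L':>3}{'I':>3}{'Score':>6}  Band  Treatment"
    lines = [header, "-" * len(header)]
    for e in register:
        lines.append(f"{e.asset:<26}{e.threat:<14}{e.likelihood:>3}{e.impact:>3}"
                     f"{e.score:>6}  {e.band:<4}  {e.treatment}")
    return "\n".join(lines)


# Constructed sample data for illustration only.
SAMPLE_ROWS = [
    ("Customer order database", "ransomware", "unpatched OS", 6, 9),
    ("Payroll spreadsheet", "insider leak", "weak password", 4, 7),
    ("Server-room cooling", "unit failure", "no spare unit", 3, 8),
    ("Public brochure site", "defacement", "outdated CMS", 5, 3),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_ROWS)
    print(format_register(reg))
    print("\nH assets needing a tested replacement plan:", bcp_priorities(reg))
```

Running the script prints the four sample rows ranked 54, 28, 24, 15 (H, M, M, L) and names the order database as the one asset whose replacement plan must be rehearsed. Note that the register keeps the non-computer cooling unit (slide 14) as an entry in its own right, and that the L-banded website still carries an explicit "accept" rather than being dropped.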

20 ISO27001 and BCP
- information security continuity is fundamental to business continuity: it has a whole section of its own, A17
- CIA (confidentiality, integrity, availability) essential to online trading
- BCP protects availability… but confidentiality and integrity of information are also essential

21 CIA (a recap…)

22 BCP and Business Success
- online businesses need to aim for 24-7 trading
- competitors will have similar targets; customers are free to choose!
- if 24-7 uptime depends on business partners… they should be subject to BCP and BCP rehearsals as well!
