Published by Lorin Davidson. Modified over 9 years ago.
Slide 2: Risk Management: a Case Study
DATALAWS Information Technology Law Consultants
Presented by F. F. Akinsuyi (MSc, LLM), MBCS
Slide 3: Anatomy of a Risk Assessment: UK Government Case Study
- UK government services have gone online.
- Personal and sensitive data are collected and propagated across government departments to provide these services.
- Online services are targeted by hackers, fraudsters and espionage.
- Old and new risks, threats and vulnerabilities threaten these services.
- Departments need to identify and mitigate these risks.
Slide 4: Anatomy of Risk Management: UK Case Study
- UK government policy is that any government information system used to store, process or forward official information must be accredited before use.
- The objective of accreditation is to show that all relevant risks to the system have been identified and will be managed through appropriate configuration, use, maintenance, evolution and disposal.
- The RMADS (Risk Management and Accreditation Document Set) methodology is applied to government systems.
Slide 5: RMADS Documents and Process
Slide 6: RMADS Stages
- Determine the Business Impact Level of the information held on the information system to be accredited. This is the most important step.
- Impacts are assessed against confidentiality, integrity and availability.
- Depending on the findings, it may be sufficient to comply with ISO 27001 alone.
- For higher impact levels, an RMADS is mandatory.
Slide 7: Impact Samples
- Impacts are measured against both the government department and the data subject.
- Financial loss due to fraud.
- Reputational loss due to the service not being available.
- Criminal charges due to a breach of data protection law.
Slide 8: Business Impact Assessment
- Levels range from 0 to 8.
- Level 1, Trivial: no further action taken.
- Levels 2 and 3, Minor: no further action taken.
- Level 4, Significant: some negative effects; acceptable risks; action may need to be taken.
- Level 5, Significant: significant negative effects; action taken on a case-by-case basis.
- Levels 6 and 7, Major: risks need to be reduced or treated.
- Level 8, Catastrophic: disastrous; dealt with and reduced under all circumstances.
Note that the HMG IA Standard No. 1 business impact level scale itself runs from IL0 to IL6, which is what the confidentiality marking mapping on the next slide reflects; the nine-point scale with acceptability thresholds shown here reads as a risk-level scale rather than the raw impact level.
Slide 9: Business Impact Assessment: Confidentiality Impact Level Markings
For confidentiality, the impact levels relate directly to protective markings:
- Impact Levels 1 and 2: PROTECT
- Impact Level 3: RESTRICTED
- Impact Level 4: CONFIDENTIAL
- Impact Level 5: SECRET
- Impact Level 6: TOP SECRET
These are the markings of the Government Protective Marking Scheme in force when the presentation was written; they were replaced by the OFFICIAL, SECRET and TOP SECRET tiers of the Government Security Classifications in April 2014, so a current assessment maps impact levels to those tiers instead.
Slide 10: RMADS: First Phase in Developing an RMADS
- Conduct an HMG IA Standard No. 1 technical risk assessment.
- Catalogue the information system and generate a scope diagram.
- Verify the minimum assumptions to ensure that the risk assessment is accurate.
- Perform a Privacy Impact Assessment.
- Perform a threat assessment to produce a "Prioritised Risk Catalogue", which must be documented within the RMADS.
Slide 11: Identify Threats
- Asset list: what the system is made of.
- Threat sources: where the threat is coming from.
- Focus of interest: the system being accredited.
- Threat actors: the principal parties constituting the threat.
Slide 12: Asset List
- Database
- Application
- Development and test environments
- Desktop
- Government offices
- Interconnecting systems
- Data centre
- Third-party location
Slide 13: Threat Source Samples
- Organised crime
- Pressure groups
- Investigative journalists
- Terrorist organisations
Slide 14: Threat Actor Samples
- Hacker: altering the website, denial of service
- Third party: inappropriate access, privacy breach
- Normal user: accidental data loss
- Privileged user: data confidentiality compromise
- Data handler: data loss
Slide 15: RMADS Second Part: Create the RMADS
- Perform an ISO 27001 benchmarking review to determine whether suitable commercial countermeasures already exist.
- Develop the Security Case and Risk Treatment Plan to ensure that the proposed solutions meet the requirements of the organisation and its risk appetite.
Slide 16: ISO 27001 Benchmarking
- ISO 27001 is the information security management standard.
- Its control areas cover: security policy, security organisation, asset classification, personnel security, physical security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance.
- Benchmarking involves face-to-face reviews with system architects, administrators and security teams to verify compliance in each of the areas above.
Slide 17: Risk Treatment Plan
- The Risk Treatment Plan identifies what steps will be taken to resolve each identified risk.
- It records who is responsible for the risk.
- It records the date by which the risk is to be resolved.
- It records the current status of the treatment.
Slide 18: Penetration Test
- Network and application tests.
- Round up by identifying any exposure to known vulnerabilities through a network penetration test and an application test.
- Review the outcome.
- Accredit the system.
Slide 19: Application Vulnerability Tests
- Cross-Site Scripting
- Failure to Restrict URL Access
Both are OWASP Top 10 categories of the period: the first is untrusted input reflected into a page without output encoding, the second is a privileged URL that is merely hidden from the user interface rather than enforced server-side.
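As an added illustration of the two application test classes named on this slide (this is example code written for this page, not material from the presentation or from any UK government system), the block below models a minimal citizen-facing service in two forms: a deliberately weak handler that reflects the search term unescaped and serves /admin/export to anyone who is logged in, and a hardened handler that encodes output and enforces the admin role on every /admin/ URL. The session store, token names, URL paths and the probe function are constructed for the example; the probe runs the same two checks a tester would run against each handler and returns its findings.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample session store standing in for a real session backend.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "admin"},
    "tok-bob": {"user": "bob", "role": "user"},
}

# Canary payload used by the probe to detect unencoded reflection.
XSS_PAYLOAD = "<script>alert(1)</script>"

# Constructed stand-in for the sensitive export an admin page would return.
EXPORT_BODY = "citizen,national_insurance_no,address\n..."


def _route(url):
    """Split a request URL into its path and a flat dict of query values."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, query


def handle_vulnerable(url, token):
    """Deliberately weak handler, kept weak on purpose for the probe.

    /search reflects q straight into HTML (cross-site scripting), and
    /admin/export only checks that *some* session exists: the admin link is
    hidden in the UI, but the URL itself is not restricted by role.
    """
    path, query = _route(url)
    if path == "/search":
        q = query.get("q", "")
        return 200, f"<h1>Results for {q}</h1>"
    if path == "/admin/export":
        if token not in SESSIONS:
            return 401, "login required"
        return 200, EXPORT_BODY
    return 404, "not found"


def handle_hardened(url, token):
    """Hardened handler: HTML-encode reflected input and enforce the admin
    role on every URL under /admin/, not just the ones linked from the UI."""
    path, query = _route(url)
    user = SESSIONS.get(token)
    if path == "/search":
        q = html.escape(query.get("q", ""), quote=True)
        return 200, f"<h1>Results for {q}</h1>"
    if path.startswith("/admin/"):
        if user is None:
            return 401, "login required"
        if user["role"] != "admin":
            return 403, "forbidden"
        return 200, EXPORT_BODY
    return 404, "not found"


def probe(handler):
    """Run the two slide-19 checks against a handler and return findings."""
    findings = []

    # Cross-site scripting: does the canary come back byte-for-byte?
    _, body = handler(f"/search?q={XSS_PAYLOAD}", "tok-bob")
    if XSS_PAYLOAD in body:
        findings.append("reflected XSS on /search: q is not output-encoded")

    # Failure to restrict URL access: request the admin URL as an ordinary
    # user and as an unauthenticated client and see whether it is served.
    status, _ = handler("/admin/export", "tok-bob")
    if status == 200:
        findings.append("unrestricted URL: /admin/export served to role=user")
    status, _ = handler("/admin/export", None)
    if status == 200:
        findings.append("unrestricted URL: /admin/export served unauthenticated")

    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("hardened", handle_hardened)):
        print(name, probe(handler))
```

The probe deliberately exercises the admin URL with a valid low-privilege session as well as with no session, because an authentication check alone (as in the weak handler) passes the unauthenticated test while still failing the role test; a review that only tries the anonymous case would miss the finding that matters for an accreditation decision.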
Slide 20: End of Session