Information Security Risk Management

1 Information Security Risk Management
Stephen Shippey, Information Security Risk Manager, Governance Risk Compliance
22nd April 2015

2 Cyber
Definition of Cyber: relating to, or a characteristic of, the culture of computers, information technology and virtual reality.

3
IT since 1986. Information Security & Risk Manager since 1998 at a number of global Financial Services organisations, including GE Global Consumer Finance, HBOS and Lloyds Banking Group. Joined HP as an Information Security Risk Consultant in 2013.
Disclaimer: The views expressed in this presentation are my own and do not necessarily represent those of my employer.

4 Risk Management Agenda
What is Risk Management (Slide 5)
Objectives of Infosec Risk Management vs Generic Risk Management (Slide 7)
Problems with Risk Management (Slide 11)
Mitigation Plans vs Contingency Plans (Slide 12)
Identifying Risks (Slide 13)
Risk Submissions (Slide 16)
Managing Risk (Slide 17)
Any questions (Slide 18)

5 What is Risk Management?
The identification of Risks and their management by defining:
The Risk Description
The Risk Owner
The Probability of the Risk Event occurring
The Risk Impact in terms of cost, loss of assets, reputation, failure to meet a Business Objective, ...
The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring, in relation to their costs and the reduction of Risk Exposure
The Contingency Plan to recover the Asset once the risk is manifested
An understanding of Corporate Risk Appetite and, where appropriate, the application of Risk Tolerance

6 Risk Definitions
Risk Definition: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation.
A risk must have Uncertainty (in terms of Probability or Likelihood): it might happen.
A risk must have a measurable Impact (usually measured in monetary terms, but other criteria are acceptable, reputation for example).
"It May Rain Tomorrow"
Issue Definition: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation.
E.g. an Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure.
"It is Raining Today"

7 Objectives of Generic Risk Management
To ensure that all risks to the Business, however they are derived, are managed effectively. This includes:
Strategic Risks
Programme and Project Risks
Operational Risks (includes Security and Business Continuity Risks)
Diagram: Strategic Level (Strategic Risk Register); Change Level (Project Risk Register); Operational Level / Business as Usual (Operational Risk Register, Information Security Risk Register, Business Continuity).

8 Objectives of Information Security Risk Management
To ensure that the risks to the Organisation that are derived from Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security terms these are the risks that impact the Confidentiality, Integrity, Availability and Traceability of Information whilst:
At rest
Being modified
In transit (around a system, on a media device, by telephone, etc.)
Unlike Project Risk Management, the objectives for Security Risk Management are fairly well defined.

9 Information Security Risk Management
Risks within service provider environments: a risk may have the same Risk Description but two separate impacts, dependent on the Owner. E.g.:
Risk: patching may fail to complete in a timely manner
Impact on IT Service Provider: potential Commercial Penalties, damage to Reputation
Impact on Client: loss of Systems, loss of information, loss of revenue, etc.

10 What is NOT Risk Management!
Incident Management
Audit Non-Compliances
Problem Management
Threat Management
Vulnerability Management
Exception / Waiver Management
These are Issues: no uncertainty! However, they can be the Source of Infosec Risks.

11 Problems with Risk Management
Common Problems (Misunderstandings)?
Poor Risk Descriptions (Risk vs Issue and Impact confusion; Qualification vs Quantification)
Unachievable, ineffective and disproportionate Mitigation Actions
Poor Control: risk owner vs risk mitigation owner
Stakeholder Involvement
Reactive vs Proactive Approach: reliance on Incidents, Threat and Non-Compliance Management (Reactive) vs a Proactive Risk Identification Workshop based on Success Criteria
Impact on Assets not understood (BIA, CMDB)
Mitigation Action Costs do not reflect the Risk Exposure Reduction
So What!
Risks occur that could have been managed
Systems fail, business and revenue lost, Corporate data is unavailable when required (Loss of Business)
Regulator penalties, reputational damage occurs
Loss of Customer base and confidence
Loss of IPR

12 Mitigation Plans and Contingency Plans
Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of the risk occurring (Reduce Probability). This is why it is so important to describe the risk event clearly.
Contingency Plans address the Impact of the Risk and are used to recover a system from the effect of a risk should it occur, a mini BCP (Reduce Impact). This is why it is so important to describe the risk impact clearly and separately from the risk description.

13 Sources of Cyber Security Risks (flip to risks)
Taken from some recent ISACA slides; these can be re-worded as risks:
Proliferation of BYOD and smart devices
Cloud computing
Outsourcing of critical business processes to a third party (and lack of controls around third-party services)
Disaster recovery and business continuity
Periodic access reviews
Log reviews
Source: Cybersecurity - what the Board of Directors need to ask, IIARF Research Report, 2014

14 Common Cybercriminal Attack Vectors (flip to risks)
Application vulnerabilities
Remote access
Ineffective patch management
Weak network security / flat networks
Lack of real-time security monitoring
Third parties
Lack of a data retention policy
Source: Hans Henrik Berthing - Cyber Assurance and the IT Auditor, Nov 2014

15 Where to start
Select appropriate controls / use security standards: ISO27000, PCI DSS, CObIT, BITS SIG
Identify what is important to the business

16 Encourage Risk Reporting
Create risk reporting awareness for the workforce
Make it easy: create a simple Risk Submission form
Assess the risk submission, ask questions
Ensure it is a risk, not an issue, a service request or a change request

17 Manage the Risks
Record in a Risk Register
Describe the RISK
Assess the Likelihood, Impact and risk rating
Agree recommended Risk Mitigation / Treatment
Establish a contingency position if possible
Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
Agree a Mitigation Owner
Obtain a decision (Reduce, Accept, Avoid, Transfer)
Monitor mitigation progress until the target risk is achieved; retain awareness of closed or mitigated risks
Produce monthly status reports
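As an added illustration, not part of the presentation, the following Python model ties the register procedure on this slide to the distinction on slide 12: an entry must keep uncertainty (a certain event is an issue), a mitigation lowers likelihood, a contingency lowers impact, and the rating is tracked against appetite until the target is reached. The 1..5 scoring scale, the appetite threshold of 6 and all field names are assumptions.

```python
from dataclasses import dataclass

APPETITE = 6   # constructed threshold: a rating at or below this sits within risk appetite
TREATMENTS = ("Reduce", "Accept", "Avoid", "Transfer")   # decision set from slide 17


@dataclass
class Risk:
    description: str        # the risk event, e.g. "patching may fail to complete in time"
    impact_text: str        # impact described separately from the event (slide 12)
    owner: str              # business stakeholder who owns the risk
    likelihood: int         # 1..4 (hypothetical scale); 5 would mean certain, i.e. an issue
    impact: int             # 1..5 (hypothetical scale)
    decision: str = ""
    mitigation_owner: str = ""

    def __post_init__(self):
        if not (1 <= self.likelihood <= 4 and 1 <= self.impact <= 5):
            raise ValueError("scores are 1..5; a certain event (5) is an issue, not a risk")

    @property
    def rating(self) -> int:
        """Risk rating used on slide 17: likelihood x impact."""
        return self.likelihood * self.impact

    def mitigate(self, new_likelihood: int) -> int:
        """A mitigation or control lowers the probability of the event occurring."""
        if not 1 <= new_likelihood < self.likelihood:
            raise ValueError("a mitigation must reduce likelihood")
        self.likelihood = new_likelihood
        return self.rating

    def add_contingency(self, new_impact: int) -> int:
        """A contingency plan lowers the impact should the event occur."""
        if not 1 <= new_impact < self.impact:
            raise ValueError("a contingency must reduce impact")
        self.impact = new_impact
        return self.rating

    def decide(self, decision: str, mitigation_owner: str) -> None:
        if decision not in TREATMENTS:
            raise ValueError(f"decision must be one of {TREATMENTS}")
        self.decision, self.mitigation_owner = decision, mitigation_owner

    def within_target(self) -> bool:
        return self.rating <= APPETITE


def open_items(register: list) -> list:  # monthly status: risks still above appetite
    return [(r.description, r.rating) for r in register if not r.within_target()]
```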

18 Any Questions?
