
1 Information Systems Security Risk Management

2 © G. Dhillon All Rights Reserved
Alignment
Glenmeade Vision: To provide a personalized experience to our customers. To reach out to the customers and know their preferences, likes and dislikes.
Business Objective(s): Implement a Customer Relationship Management System. Buy a state-of-the-art system. Develop a Tastemasters program. Get to the customer directly and most efficiently.
Marketing Objectives: Various marketing programs
-freebies
-sponsorships
Ops Objectives: Various operations programs
-on-time delivery incentives etc.
IT Objectives: Various IT programs
-new rollouts
-system training
-IT project management

3-5 Aspiration Vision

6 Security is a business enabler
Security allows me to do something I couldn’t do [safely] otherwise/before: electronic commerce, online banking, online brokerage.
Added value: security is part of the product. It helps make the sale, and revenue is generated as a result of security.
Security is not the product – it allows me to do business.

7 Business enabler

8 Reality
For a range of reasons, companies have always been under pressure to cut IT costs, perhaps by outsourcing, and to justify expenses. And when choosing between keeping the “shop running” and securing it, protection mechanisms take a back burner.

9 Risks
(The Glenmeade vision, objectives and programs from slide 2, with the risks overlaid.)
Information risks: personal privacy, data ownership, data flow, integrity, availability, …
Delivery risks: project risks, system development risks, business continuity risks, inherent risks (DoubleClick type)

10 Risk Management
(Same Glenmeade map and risk overlay as slide 9, now posed as questions.)
What is the probability that personal privacy will be compromised when personally identifiable information is accessed in an unauthorized manner?
What is the probability of unauthorized access?

11 Answer
Let’s calculate the probability of occurrence of a negative event (a privacy breach or unauthorized access in this case). What is going to be the cost to mend the privacy breach? BINGO!! Risk is the product of the two: R = P * C, where P is the probability of occurrence and C is the cost to mend.

12 Communicating Risk
Well-Formed Risk Statement
Asset: What are you trying to protect?
Threat: What are you afraid of happening?
Vulnerability: How could the threat occur?
Mitigation: What is currently reducing the risk?
Probability: How likely is the threat given the controls?
Impact: What is the impact to the business?
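The following is an added example, not code from the slides: it turns the well-formed risk statement above into a small Python model and applies the R = P * C rule from slide 11 to it, first without controls (inherent risk) and then with the mitigations applied to P (residual risk), so the cost of the controls can be compared with the risk they remove. The Glenmeade privacy scenario, the control names, the probabilities and the cost figures are all constructed sample values, and treating each control as an independent multiplier on P is an assumption, not something the slides specify.

```python
"""Added example: a well-formed risk statement evaluated with R = P * C.

Illustrative code, not from the slides. Every probability, cost and
control name below is a constructed sample value; the multiplicative,
independent treatment of controls is an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mitigation:
    """A control that is currently reducing the risk (the 'Mitigation' element)."""
    name: str
    probability_factor: float  # residual P = P * factor; 1.0 means no effect
    annual_cost: float

    def __post_init__(self):
        if not 0.0 <= self.probability_factor <= 1.0:
            raise ValueError(f"{self.name}: probability_factor must be within [0, 1]")
        if self.annual_cost < 0:
            raise ValueError(f"{self.name}: annual_cost must be non-negative")


@dataclass
class RiskStatement:
    """Asset, threat, vulnerability, probability, impact and current mitigations."""
    asset: str
    threat: str
    vulnerability: str
    probability: float  # P: annual probability of the threat, before controls
    impact: float       # C: cost to mend, in the same currency as control costs
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be within [0, 1]")
        if self.impact < 0:
            raise ValueError("impact must be non-negative")

    def inherent_risk(self) -> float:
        """R = P * C with no controls in place."""
        return self.probability * self.impact

    def residual_probability(self) -> float:
        """P after controls; assumes each control scales P independently (assumption)."""
        p = self.probability
        for m in self.mitigations:
            p *= m.probability_factor
        return p

    def residual_risk(self) -> float:
        """R = P * C with the current controls applied to P."""
        return self.residual_probability() * self.impact

    def control_cost(self) -> float:
        return sum(m.annual_cost for m in self.mitigations)

    def risk_reduction(self) -> float:
        return self.inherent_risk() - self.residual_risk()

    def controls_justified(self) -> bool:
        """Controls pay for themselves only if they remove at least as much risk as they cost."""
        return self.risk_reduction() >= self.control_cost()

    def statement(self) -> str:
        """Render the well-formed risk statement as one paragraph."""
        controls = ", ".join(m.name for m in self.mitigations) or "none"
        return (
            f"Asset: {self.asset}. Threat: {self.threat}. "
            f"Vulnerability: {self.vulnerability}. Mitigation: {controls}. "
            f"Probability: {self.residual_probability():.3f} per year "
            f"(inherent {self.probability:.3f}). Impact: {self.impact:,.0f}. "
            f"Risk: {self.residual_risk():,.0f} per year."
        )


def rank_by_residual_risk(risks):
    """Highest residual risk first: the order in which to spend attention."""
    return [r.asset for r in sorted(risks, key=lambda r: r.residual_risk(), reverse=True)]


def sample_portfolio():
    """Constructed Glenmeade scenario (sample figures, not from the slides)."""
    privacy = RiskStatement(
        asset="customer PII held in the CRM system",
        threat="personal privacy compromised by unauthorized access",
        vulnerability="CRM records readable by any internal account",
        probability=0.20, impact=500_000,
        mitigations=[
            Mitigation("role-based access control on CRM records", 0.25, 15_000),
            Mitigation("access-log monitoring and review", 0.80, 5_000),
        ],
    )
    availability = RiskStatement(
        asset="CRM system availability",
        threat="outage during a marketing campaign",
        vulnerability="single database server, no failover",
        probability=0.50, impact=20_000,
        mitigations=[Mitigation("warm standby database", 0.50, 8_000)],
    )
    return [privacy, availability]


if __name__ == "__main__":
    for risk in sample_portfolio():
        print(risk.statement())
        print(f"  inherent {risk.inherent_risk():,.0f}, residual {risk.residual_risk():,.0f}, "
              f"controls {risk.control_cost():,.0f}, justified: {risk.controls_justified()}")
    print("priority order:", rank_by_residual_risk(sample_portfolio()))
```

With the sample figures the privacy controls remove 80,000 of annual risk for 20,000 of spend, while the standby database removes 5,000 for 8,000 and so fails the test; the point of keeping P and C separate in the statement is that this comparison, and the ranking across risks, falls out of the same two numbers the slide asks for.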

13 Reference Documents
Publications to help you determine your organization’s risk management maturity level include:
-Code of Practice for Information Security Management (ISO/IEC 17799, since renumbered ISO/IEC 27002), International Organization for Standardization
-Control Objectives for Information and Related Technology (COBIT), IT Governance Institute
-Security Self-Assessment Guide for Information Technology Systems (SP 800-26), National Institute of Standards and Technology

14 What’s Risk Management?
Formally defined: “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

15 More simply put…
“Determine what your risks are and then decide on a course of action to deal with those risks.”

16 Even more colloquially…
What’s your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

17 Risk Management Maturity Assessment
Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized

18 Classify

19 Risk management: classification
Inherent risks: planning needed; can be assessed and predicted.
Strategic: outcome risk high, operational risk low, process risk low
High Potential: what risk?
Key Operational: outcome risk low, operational risk high, process risk medium
Support: outcome risk low, operational risk low, process risk high

20 Typical concerns
Strategic / High Potential (outcome risks; opportunity and financial risks):
-Lack of strategic framework: poor business understanding
-Conflicts of strategy and problems of coordination
-IT supplier problems
-Poor management of change
-Senior management not involved
-Large and complex projects; too many stakeholders
-Rigid methodology and strict budgetary controls
Key Operational / Support (operational risks; process-based risks):
-Too much faith in the ‘technical fix’
-Use of technology for its novelty value
-Poor technical skills in the development team
-Inexperienced staff
-Large and complex projects; too many stakeholders
-Poor testing procedures
-Poor implementation
-Lack of technical standards

21 Generic CSFs for different applications
Quadrants: Strategic, High Potential, Key Operational, Support
CSFs: Time, Quality, Cost (listed for three of the quadrants); R & D projects

22 Risk management: core strategies
Quadrants: Strategic, High Potential, Key Operational, Support
Strategies: CONFIGURE, COMMUNICATE, CONTROL, CONSTRAIN

23 Risk management: directions - 1
Strategic / High Potential: business and corporate risks; opportunity and financial risks
Key Operational / Support: operational risks; process-based risks
Controllable and predictable: no problem, carry out plans
Controllable and unpredictable: practice quick response to manage as events unfold
Uncontrollable and predictable: emphasize forecasting and thus “steer around” these events
Uncontrollable and unpredictable: develop a contingency planning system

24 Risk management: directions - 2
Context-oriented risk assessment takes in: history, context (external), context (internal), business processes, content, risk outcomes
Strategic / High Potential: business and corporate risks; opportunity and financial risks
Key Operational / Support: operational risks; process-based risks

25 Risk Management Practices
Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources

26 Risk Management Practices (cont.)
Conduct a mission impact analysis and risk assessment to:
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed, or at least every 3 years

