SlideShare a Scribd company logo

An Overview of IT Risk and Control

Download as PPTX, PDF
I
Ismail Oduoye CISSP,CISA, CCNP-ROUTE,CCNA, MCITP,MCTS

The document provides an overview of IT risk and control, detailing its definition, objectives, and management strategies. It covers the cyclical process of risk management, including risk identification activities, various risk response options, and methods for enhancing enterprise network and asset security. Key topics include vulnerability management, malware monitoring, and application review techniques essential for effective IT risk management.

Technology
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
An Overview of IT Risk & Control Presented at the HH Internal Auditor’sCOP. By Ismail Oduoye CISA,CISSP December, 2019
Outlines 01 02 03 Introduction Definition of IT Risk Objective What is IT Risk and Control IT Risk and Control An overview of IT Risk and Control/IT Risk Management 04 05 06 Risk Response plan Discussion of various risk management approach. IT Risk Identification Activities involved in the detection of risk in the enterprise IT asset. Questions Rubbing mind session
Objectives An overview of the IT Risk & Control and discussion of various activities involved in the identification of risk in an enterprise IT asset.
Introduction What is Risk?  Risk can be view as a challenge or obstacle to achieving set objectives.  ISO called risk “the effect of uncertainty on objectives”  IT Risk is view as a negative event.  IT Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to organization.
IT Risk and Control/Management IT Risk and Control/IT Risk management is defined as the coordinated activities to direct and control an enterprise with regards to risk. It is a set of activities undertaken to predict challenges and lower the chance of risk occurrence or its impact. IT Risk management is a cyclical process.
Risk Response Negative risk or threat  Negative risk or threat  Avoid  Transfer  Mitigate  Accept Positive risk or opportunity  Exploit  Share  Enhance
IT Risk Identification 1. IT ASSET INVENTORY AND ENUMERATION  IT Asset Review  Method and technique of detecting active devices on the network.  Asset Classification based on criticality to the enterprise business operation. 2. ENTERPRISE NETWORK SECURITY  Enterprise network architecture review and assessment.  Firewall logs review and analysis.  Firewall configuration review .  How to use basic network scanners, NMAP, Angry IP, etc.  Improving network access security . The following activities are involved in the risk identification stage of the IT Risk Management cycle.
3. DATABASE REVIEWAND MONITORING  Basic database monitoring tools.  What to know while deploying DAM.  What to look for while monitoring your organization database.  Database Vulnerability Test and Management. 4. MALWARE ACTIVITIES MONITORINGAND REVIEW  Need for an enterprise antivirus solution equipped with endpoints protection.  Antivirus logs review and analysis.  Gaining insight into users ‘activities on the Enterprise network.
5. VULNERABILITY MANAGEMENT  Methods and Techniques of detecting Vulnerabilities in the system  Ports and services scanning  Servers configuration review  System patch review  Automation of vulnerability Management with tools such as Qualys Guard and Nessus.  VAPT of web application using OWASP or free available tools on the internet.
6. SIEM (SECURITY INFORMATION EVENT MANAGEMENT)  SIEM implementation and requirement gathering  Automation of security tool’s log review and analysis.  Active directory activities monitoring.  Office 365 activities monitoring.  Incident detection and reporting. 7. APPLICATION REVIEW TECHNIQUIES  Functional testing.  Application architecture and positioning on the enterprise network.  Code documentation and review.  VAPT using Burp suite or OWASP tools  SSL Certificate vulnerability assessment  Free online web application scanner
8. USER ACCESS REVIEW ON CORE BUSINESS APPLICATION  Separation of duty technique.  Inventory of active and Inactive users  Secure password requirement.  User profiles modification review.  Approval should be in place for each user created.  Exited staff profile review across the various platforms.  Implementation of 2fa. 9. Other activities expected of IT Security Professionals  Crawl the internet for detection of clone websites.  Daily search on social media platforms for detection impersonated profiles/pages.  Policies and other administrative framework review.
Questions
Thank you

More Related Content

PPTX
Prevent Insider Threats with User Activity Monitoring
ObserveIT
 
PPTX
ObserveIT Webinar: Privileged Identity Management
ObserveIT
 
PPTX
Cybersecurity Audit
EC-Council
 
PPTX
Optimizing Security Operations: 5 Keys to Success
Sirius
 
PPTX
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
ObserveIT
 
PPSX
Next-Gen security operation center
Muhammad Sahputra
 
PPTX
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
PDF
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Phil Agcaoili
 
Prevent Insider Threats with User Activity Monitoring
ObserveIT
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT
 
Cybersecurity Audit
EC-Council
 
Optimizing Security Operations: 5 Keys to Success
Sirius
 
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
ObserveIT
 
Next-Gen security operation center
Muhammad Sahputra
 
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Phil Agcaoili
 

What's hot (20)

PPTX
Security operation center
MuthuKumaran267
 
PPTX
Challenges of Vulnerability Management
Rahul Neel Mani
 
PPTX
User Activity Monitoring: Identify and Manage the Risk of Your Users - ISACA ...
ObserveIT
 
PPTX
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
PDF
NASA OIG Report
Priyanka Aash
 
PPTX
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
centralohioissa
 
PPTX
I.T. Geeks Can't Talk to Management
Tripwire
 
PDF
Governance of security operation centers
Brencil Kaimba
 
PPTX
Ins and outs of ObserveIT
ObserveIT
 
PPTX
Unintentional Insider Threat featuring Dr. Eric Cole
David Mai, MBA
 
PPTX
Top 20 Security Controls for a More Secure Infrastructure
Infosec
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PPSX
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
PDF
When and How to Set up a Security Operations Center
Komand
 
PPTX
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 
PDF
Nist cybersecurity framework isc2 quantico
Tuan Phan
 
DOCX
Catalyst research institute
Catalyst Research Institute
 
PPTX
CyberSecurity Strategy For Defendable ROI
Siemplify
 
PDF
2017 IT Control Environment for Local Gov
Donald E. Hester
 
PPTX
Security posture: Dashboard Implementation through Wireframe
Shriya Rai
 
Security operation center
MuthuKumaran267
 
Challenges of Vulnerability Management
Rahul Neel Mani
 
User Activity Monitoring: Identify and Manage the Risk of Your Users - ISACA ...
ObserveIT
 
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
NASA OIG Report
Priyanka Aash
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
centralohioissa
 
I.T. Geeks Can't Talk to Management
Tripwire
 
Governance of security operation centers
Brencil Kaimba
 
Ins and outs of ObserveIT
ObserveIT
 
Unintentional Insider Threat featuring Dr. Eric Cole
David Mai, MBA
 
Top 20 Security Controls for a More Secure Infrastructure
Infosec
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
When and How to Set up a Security Operations Center
Komand
 
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 
Nist cybersecurity framework isc2 quantico
Tuan Phan
 
Catalyst research institute
Catalyst Research Institute
 
CyberSecurity Strategy For Defendable ROI
Siemplify
 
2017 IT Control Environment for Local Gov
Donald E. Hester
 
Security posture: Dashboard Implementation through Wireframe
Shriya Rai
 
Ad

Similar to An Overview of IT Risk and Control (20)

PPTX
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
PDF
Weakest links of an organization's Cybersecurity chain
Sanjay Chadha, CPA, CA
 
PDF
Cyber presentation spet 2019 v8sentfor upload
savassociates1
 
PPTX
CRISC Course Preview
Invensis Learning
 
PDF
SMB270: Security Essentials for ITSM
Ivanti
 
PPT
S nandakumar
IPPAI
 
PPT
S nandakumar_banglore
IPPAI
 
PPTX
Information System Audit and Control
Asad Raza
 
PDF
(Ebook) CIS Critical Security Controls by Center for Internet Security
hqusshov3993
 
PPTX
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
PDF
CCA study group
IIBA UK Chapter
 
PDF
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
PPT
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
PPT
SOC presentation- Building a Security Operations Center
Michael Nickle
 
PDF
Cyber Security Interview Analyst Questions.pdf
InfosecTrain
 
PDF
Cybersecurity Analyst Interview Questions.pdf
infosec train
 
PDF
Cybersecurity Analyst Interview Questions and Answers.pdf
infosecTrain
 
PDF
Cybersecurity Analyst Interview Questions By InfosecTrain
priyanshamadhwal2
 
PDF
Aujas incident management webinar deck 08162016
Karl Kispert
 
PDF
InfosecTrain Cybersecurity Analyst Interview Questions
priyanshamadhwal2
 
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Weakest links of an organization's Cybersecurity chain
Sanjay Chadha, CPA, CA
 
Cyber presentation spet 2019 v8sentfor upload
savassociates1
 
CRISC Course Preview
Invensis Learning
 
SMB270: Security Essentials for ITSM
Ivanti
 
S nandakumar
IPPAI
 
S nandakumar_banglore
IPPAI
 
Information System Audit and Control
Asad Raza
 
(Ebook) CIS Critical Security Controls by Center for Internet Security
hqusshov3993
 
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
CCA study group
IIBA UK Chapter
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Cyber Security Interview Analyst Questions.pdf
InfosecTrain
 
Cybersecurity Analyst Interview Questions.pdf
infosec train
 
Cybersecurity Analyst Interview Questions and Answers.pdf
infosecTrain
 
Cybersecurity Analyst Interview Questions By InfosecTrain
priyanshamadhwal2
 
Aujas incident management webinar deck 08162016
Karl Kispert
 
InfosecTrain Cybersecurity Analyst Interview Questions
priyanshamadhwal2
 
Ad

Recently uploaded (20)

PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Approach and Philosophy of On baking technology
30anthuong17
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 

An Overview of IT Risk and Control

  • 1. An Overview of IT Risk & Control Presented at the HH Internal Auditor’sCOP. By Ismail Oduoye CISA,CISSP December, 2019
  • 2. Outlines 01 02 03 Introduction Definition of IT Risk Objective What is IT Risk and Control IT Risk and Control An overview of IT Risk and Control/IT Risk Management 04 05 06 Risk Response plan Discussion of various risk management approach. IT Risk Identification Activities involved in the detection of risk in the enterprise IT asset. Questions Rubbing mind session
  • 3. Objectives An overview of the IT Risk & Control and discussion of various activities involved in the identification of risk in an enterprise IT asset.
  • 4. Introduction What is Risk?  Risk can be view as a challenge or obstacle to achieving set objectives.  ISO called risk “the effect of uncertainty on objectives”  IT Risk is view as a negative event.  IT Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to organization.
  • 5. IT Risk and Control/Management IT Risk and Control/IT Risk management is defined as the coordinated activities to direct and control an enterprise with regards to risk. It is a set of activities undertaken to predict challenges and lower the chance of risk occurrence or its impact. IT Risk management is a cyclical process.
  • 6. Risk Response Negative risk or threat  Negative risk or threat  Avoid  Transfer  Mitigate  Accept Positive risk or opportunity  Exploit  Share  Enhance
  • 7. IT Risk Identification 1. IT ASSET INVENTORY AND ENUMERATION  IT Asset Review  Method and technique of detecting active devices on the network.  Asset Classification based on criticality to the enterprise business operation. 2. ENTERPRISE NETWORK SECURITY  Enterprise network architecture review and assessment.  Firewall logs review and analysis.  Firewall configuration review .  How to use basic network scanners, NMAP, Angry IP, etc.  Improving network access security . The following activities are involved in the risk identification stage of the IT Risk Management cycle.
  • 8. 3. DATABASE REVIEWAND MONITORING  Basic database monitoring tools.  What to know while deploying DAM.  What to look for while monitoring your organization database.  Database Vulnerability Test and Management. 4. MALWARE ACTIVITIES MONITORINGAND REVIEW  Need for an enterprise antivirus solution equipped with endpoints protection.  Antivirus logs review and analysis.  Gaining insight into users ‘activities on the Enterprise network.
  • 9. 5. VULNERABILITY MANAGEMENT  Methods and Techniques of detecting Vulnerabilities in the system  Ports and services scanning  Servers configuration review  System patch review  Automation of vulnerability Management with tools such as Qualys Guard and Nessus.  VAPT of web application using OWASP or free available tools on the internet.
  • 10. 6. SIEM (SECURITY INFORMATION EVENT MANAGEMENT)  SIEM implementation and requirement gathering  Automation of security tool’s log review and analysis.  Active directory activities monitoring.  Office 365 activities monitoring.  Incident detection and reporting. 7. APPLICATION REVIEW TECHNIQUIES  Functional testing.  Application architecture and positioning on the enterprise network.  Code documentation and review.  VAPT using Burp suite or OWASP tools  SSL Certificate vulnerability assessment  Free online web application scanner
  • 11. 8. USER ACCESS REVIEW ON CORE BUSINESS APPLICATION  Separation of duty technique.  Inventory of active and Inactive users  Secure password requirement.  User profiles modification review.  Approval should be in place for each user created.  Exited staff profile review across the various platforms.  Implementation of 2fa. 9. Other activities expected of IT Security Professionals  Crawl the internet for detection of clone websites.  Daily search on social media platforms for detection impersonated profiles/pages.  Policies and other administrative framework review.

Editor's Notes

  • #3: © Copyright PresentationGO.com – The free PowerPoint template library
  • #4: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #5: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #6: © Copyright PresentationGo.com – The free PowerPoint template library
  • #7: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #8: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #9: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #10: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #11: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #12: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library
  • #13: © Copyright PresentationGO.com – The free PowerPoint and Google Slides template library