ENTERPRISE risk management AWARENESS.ppt
- 2. RISK DEFINITIONS RISK DEFINITION: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation o A risk must have Uncertainty, (in terms of Probability or Likelihood). It might happen o A risk must have a measurable Impact, (usually measured in monetary terms, but other criteria are acceptable, reputation for example) o “It May Rain Tomorrow” ◦ ISSUE DEFINITION: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation o E.g. An Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure o “It is Raining Today”
- 3. Risk Life Cycle 3 Threat Agent Vulnerability Risk Asset Exposures Safeguard Exploits Leads to Can damage And cause an Can be cuntermeasure by a
- 4. Risk Management Cycle 4 Identify Risks Assess Risks Define Desired Results Select Strategy Implement Strategy Monitor Evaluate and Adjust The Process is iteration •The Processes are organized • Each Step output considered as an input for the next step Risk Control Risk Assessment
- 5. 5
- 6. Risk Identification What is the purpose of this phase ? The aims of this phase is to identify , classify and prioritizing the organization’s information assets ( Know ourselves) and identify all important types and sources of risk and uncertainty (know our enemy), associated with each of the investment objectives. This is a crucial phase. If a risk is not identified it cannot be evaluated and managed 6
- 7. Information Assets IS Components People Procedures Data Transmission HW SW Employees Non - employees People at trusted organizations Authorized Staff Other staff Strangers Standard Procedures Sensitive Procedures Process Storage Application OS Security Component System Devises Net Work 7
- 8. Primary sources of Risk Items 8 Human Threats Environmental Threats Outside & Natural Threats network based attacks virus infection , unauthorized access floods Earthquakes hurricanes Power failure , pollution
- 9. Risk Analysis • requires an entity to, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity. • Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards
- 10. Risk Assessment For each identified component & risk, which has a 'clearly significant' or 'possibly significant' position, each should be assess to establish qualitatively and Estimate the value 10
- 11. What is Risk Assessment ? Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise , i.e determine the relative risk for each of the vulnerabilities Risk assessment assigns a risk rating or score to each specific information asset, useful in evaluating the relative risk and making comparative ratings later in the risk control process. •Although all elements of the risk management cycle are important, risk assessments provide the foundation for other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies ١٤٤٦/٠٣/٢١ 11
- 12. Methods of Risk Assessment There are various methods assessing risk, First : Quantitative risk assessment : generally estimates values of Information Systems components as ; information, systems, business processes, recovery costs, etc., risk can be measured in terms of direct and indirect costs , based on (1) the likelihood that a damaging event will occur (2) the costs of potential losses (3) the costs of mitigating actions that could be taken. 12
- 13. This approach can be taken by defining ◦ Risk in more subjective and general terms such as high, medium, and low. ◦ In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”. However, by providing the impact and likelihood definition tables and the description of the impact, it is possible to adequately communicate the assessment to the organization’s management. 13 Second : Qualitative Risk Assessment
- 14. Third :Quantitative and Qualitative ◦ It is also possible to use a combination of quantitative and qualitative method 14
- 38. WHAT IS RISK MANAGEMENT? The identification of Risks and their management by defining: The Risk Description The Risk Owner The Probability of the Risk Event occurring The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring with relation to their costs and the reduction of Risk Exposure The Contingency Plan to recover the Asset once risk is manifested An understanding of Corporate Risk Appetite and where appropriate the application of Risk Tolerance
- 39. OBJECTIVES OF GENERIC RISK MANAGEMENT To ensure that all risks to the Business however they are derived are managed effectively. This includes: Strategic Risks Programme and Project Risks Operational Risks (includes Security and Business Continuity Risks) Operational Level (Business as Usual) Change Level Operational Risk Register Information Security Risk Register BAU Business continuity Strategic Level Strategic Risks Programme/Project Risks Operational Risks Project Risk Register Strategic Risk Register
- 40. OBJECTIVES OF INFORMATION SECURITY RISK MANAGEMENT To ensure that the risks to the Organisation that are derived from, Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively. In Security Terms these are those risks that impact the: ◦ Confidentiality, ◦ Integrity, ◦ Availability, and the ◦ Traceability of Information whilst: ◦ At rest ◦ Whilst being modified ◦ In transit (around a system, e-mail, media device, telephone etc.)
- 41. WHAT IS NOT RISK MANAGEMENT? Incident Management Audit Non-Compliances Problem Management Threat Management Vulnerability Management Exception / Waiver Management ! However, they can be the Source of Infosec Risks… So, these are issues, NO uncertainty!
- 44. RISK MATRIX
- 46. PROBLEMS WITH RISK MANAGEMENT COMMON PROBLEMS (MISUNDERSTANDINGS)? Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification) Unachievable, ineffective and disproportionate Mitigation Actions Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement Reactive vs Proactive Approach • Reliance on Incidents, Threat and Non- Compliance Management (Reactive) • Proactive Risk Identification Workshop based on Success Criteria SO WHAT! Risks occur that could have been managed Impact on Assets not understood (BIA, CMDB) Mitigation Action Costs do not reflect the Risk Exposure Reduction Systems fail, business and revenue lost, Corporate data is unavailable when required – Loss of Business Regulator penalties, reputational damage occurs Loss of Customer base and confidence Loss of IPR.
- 47. MITIGATION PLANS & CONTINGENCY PLANS oMitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence - (Reduce Probability). o This is why it is so important to describe the risk event clearly. o Contingency Plans address the Impact of the Risk plans and are used to recover a system from the effect of a risk should it occur, a mini BCP - (Reduce Impact) o This is why it is so important to clearly describe the risk impact separately from the risk description
- 48. SOURCES OF CYBER SECURITY RISKS o Proliferation of BYOD and smart devices o Cloud computing o Outsourcing of critical business processes to a third party (and lack of controls around third-party services) o Disaster recovery and business continuity o Periodic access reviews o Log reviews SOURCE: Cyber-security - What the Board of Directors need to ask?, IIARF Research Report, 2014
- 49. COMMON CYBER-CRIMINAL ATTACK VECTORS o Application vulnerabilities o Remote access. o Ineffective patch management o Weak network security/flat networks o Lack of real-time security monitoring o Third parties o Lack of a data retention policy SOURCE: HANS HENRIK BERTHING Cyber Assurance and the IT Auditor Nov 2014
- 50. WHERE TO START? Select appropriate Controls / use Security Standards: ISO27000 PCI DSS COBIT HIPAA
- 51. ENCOURAGE RISK REPORTING 1. Create risk reporting awareness for the workforce 2. Make it easy, create a simple Risk Submission form 3. Assess the risk submission, ask questions 4. Ensure it is a RISK, not an issue, a service request, a change request
- 52. MANAGE THE RISKS… 1. Record in a Risk Register 2. Describe the RISK 3. Assess the Likelihood, Impact, and risk rating 4. Agree recommended Risk Mitigation / Treatment 5. Establish a contingency position if possible 6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder) 7. Agree a Mitigation Owner 8. Obtain a decision (Reduce, Accept, Avoid, Transfer) 9. Monitor mitigation progress until target risk is achieved – retain awareness of closed or mitigated risks 10. Produce monthly status reports