Information Security Risk Management
1
CYBER
Definition of Cyber: Relating to, or characteristic of, the culture of computers, information technology and virtual reality
2
Disclaimer
The views expressed in this presentation are my own and do not necessarily represent
those of my employer.
Stephen Shippey
• IT since 1986.
• Information Security & Risk Manager since 1998 at a
number of Global Financial Services Organisations
including GE Global Consumer Finance, HBOS, Lloyds
Banking Group.
• Joined HP as an Information Security Risk Consultant 2013
3
Agenda
Risk Management
What is Risk Management Slide 5
Objectives of Infosec Risk Management vs Generic Risk Management Slide 7
Problems with Risk Management Slide 11
Mitigation Plans vs Contingency Plans Slide 12
Identifying Risks Slide 13
Risk Submissions Slide 16
Managing Risk Slide 17
Any questions Slide 18
4
What is Risk Management?
The identification of Risks and their management by defining:
• The Risk Description
• The Risk Owner
• The Probability of the Risk Event occurring
• The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a Business Objective
• The most suitable Mitigations that will prevent or reduce the Likelihood of the Risk Event occurring with relation to their costs and the reduction of Risk Exposure
• The Contingency Plan to recover the Asset once risk is manifested
• An understanding of Corporate Risk Appetite and where appropriate the application of Risk Tolerance
5
Risk Definitions
Risk Definition: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation.
A risk must have Uncertainty (in terms of Probability or Likelihood). It might happen.
A risk must have a measurable Impact (usually measured in monetary terms, but other criteria are acceptable, reputation for example).
“It May Rain Tomorrow”
Issue Definition: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation.
E.g. an Incident, a manifested risk, an Audit Non-Compliance finding, an Equipment or Supplier failure.
“It is Raining Today”
6
Objectives of Generic Risk Management
To ensure that all risks to the Business, however they are derived, are managed effectively.
This includes:
• Strategic Risks
• Programme and Project Risks
• Operational Risks (includes Security and Business Continuity Risks)
[Diagram: risk registers by level. Strategic Level: Strategic Risks, Strategic Risk Register; Change Level: Programme/Project Risks, Project Risk Register; Operational Level (Business as Usual): Operational Risks, Operational Risk Register, Information Security Risk Register, BAU, Business continuity]
7
Objectives of Information Security Risk Management
To ensure that the risks to the Organisation that are derived from Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
• Confidentiality,
• Integrity,
• Availability, and the
• Traceability of Information whilst:
  • At rest
  • Whilst being modified
  • In transit (around a system, e-mail, media device, telephone etc.)
Risks within service provider environments
• A risk may have the same Risk Description but two separate impacts dependent on the Owner
• e.g. Risk: patching may fail to complete in a timely manner
  1. Impact on IT Service Provider: Potential Commercial Penalties, Damage to Reputation
  2. Impact on Client: Loss of Systems, loss of information, loss of revenue etc.
What is NOT Risk Management!
• Incident Management
• Audit Non-Compliances
• Problem Management
• Threat Management
• Vulnerability Management
• Exception / Waiver Management
These are Issues, no uncertainty! However, they can be the Source of Infosec Risks.
Problems with Risk Management
Common Problems (Misunderstandings)?
• Poor Risk Descriptions (Risk vs Issue and Impact confusion) (Qualification vs Quantification)
• Unachievable, ineffective and disproportionate Mitigation Actions
• Poor Control, risk owner vs risk mitigation owner. Stakeholder Involvement
• Reactive vs Proactive Approach
• Reliance on Incidents, Threat and Non-Compliance Management (Reactive)
• Proactive Risk Identification Workshop based on Success Criteria
So What!
• Risks occur that could have been managed
• Impact on Assets not understood (BIA, CMDB)
• Mitigation Action Costs do not reflect the Risk Exposure Reduction
• Systems fail, business and revenue lost
• Corporate data is unavailable when required – Loss of Business
• Regulator penalties, reputational damage occurs
• Loss of Customer base and confidence
• Loss of IPR.
11
Mitigation Plans and Contingency Plans
• Mitigations or Controls are primarily used to prevent the occurrence of a risk or to reduce the Probability of Risk occurrence (Reduce Probability)
  • This is why it is so important to describe the risk event clearly.
• Contingency Plans address the Impact of the Risk and are used to recover a system from the effect of a risk should it occur, a mini BCP (Reduce Impact)
  • This is why it is so important to clearly describe the risk impact separately from the risk description.
Sources of Cyber Security Risks (flip to risks)
Taken from some recent ISACA slides, these can be re-worded as risks:
• Proliferation of BYOD and smart devices
• Cloud computing
• Outsourcing of critical business processes to a third party (and lack of controls around third-party services)
• Disaster recovery and business continuity
• Periodic access reviews
• Log reviews
Source: Cybersecurity - what the Board of Directors need to ask, IIARF Research Report, 2014
13
Common Cybercriminal Attack Vectors (flip to risks)
• Application vulnerabilities
• Remote access
• Ineffective patch management
• Weak network security/flat networks
• Lack of real-time security monitoring
• Third parties
• Lack of a data retention policy
Source: Hans Henrik Berthing - Cyber Assurance and the IT Auditor, Nov 2014
14
Where to start
Select appropriate controls / use security standards
• ISO 27000
• PCI DSS
• CObIT
• BITS SIG
• Identify what is important to the business
15
Encourage Risk Reporting
1. Create risk reporting awareness for the workforce
2. Make it easy, create a simple Risk Submission form
3. Assess the risk submission, ask questions
4. Ensure it is a risk, not an issue, a service request, a change request ☺
16
Manage the Risks
1. Record in a Risk Register
2. Describe the RISK
3. Assess the Likelihood, Impact, and risk rating
4. Agree recommended Risk Mitigation/Treatment
5. Establish a contingency position if possible
6. Assign to an appropriate RISK OWNER (usually a Business Stakeholder)
7. Agree a Mitigation Owner
8. Obtain a decision (Reduce, Accept, Avoid, Transfer)
9. Monitor mitigation progress until target risk is achieved; retain awareness of closed or mitigated risks
10. Produce monthly status reports
17
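As an added example (not part of the deck), a small Python risk-register model that follows the process on slides 12 and 17: the event and its impact are recorded separately, a submission with no uncertainty is rejected as an issue, mitigations reduce probability, contingency plans reduce impact, and a Reduce/Accept/Avoid-Transfer recommendation is checked against risk appetite. The 0 to 1 probability scale, the monetary impacts, the appetite figure, the decision rule and the patching figures are assumptions, not from the slides.

```python
from dataclasses import dataclass, field

RISK_APPETITE = 50_000.0  # assumed: exposure the business will carry untreated

@dataclass
class Treatment:
    """Mitigation reduces probability; a contingency plan reduces impact."""
    name: str
    cost: float
    probability_factor: float = 1.0  # 0.25 cuts the likelihood to a quarter
    impact_factor: float = 1.0       # 0.2 cuts the loss, if it happens, to a fifth

@dataclass
class Risk:
    description: str    # the event only, e.g. "patching may fail to complete on time"
    owner: str          # risk owner, usually a business stakeholder
    impact: float       # monetary impact, recorded separately from the event
    probability: float  # must be uncertain: 0 < p < 1
    treatments: list = field(default_factory=list)

    def __post_init__(self):
        # "It is raining today" is an issue, not a risk: reject certainty.
        if not 0.0 < self.probability < 1.0:
            raise ValueError("no uncertainty: log this as an issue, not a risk")
        if self.impact <= 0:
            raise ValueError("a risk must have a measurable impact")

    def exposure(self, residual=False):
        """Expected loss = probability x impact, before or after treatment."""
        p, i = self.probability, self.impact
        if residual:
            for t in self.treatments:
                p, i = p * t.probability_factor, i * t.impact_factor
        return p * i

    def recommend(self):
        """Assumed rule: Accept inside appetite; Reduce only when the treatment
        costs less than the exposure it removes and lands inside appetite."""
        inherent, residual = self.exposure(), self.exposure(residual=True)
        if inherent <= RISK_APPETITE:
            return "Accept"
        cost = sum(t.cost for t in self.treatments)
        if residual <= RISK_APPETITE and cost < inherent - residual:
            return "Reduce"
        return "Avoid/Transfer"  # treatment disproportionate; the owner decides

    def within_target(self):
        """Step 9 monitoring: residual exposure is back inside appetite."""
        return self.exposure(residual=True) <= RISK_APPETITE

# Constructed example (slide 9): one event, two owners, two different impacts.
PATCHING = "patching may fail to complete in a timely manner"
provider = Risk(PATCHING, "IT Service Provider", impact=80_000, probability=0.4,
                treatments=[Treatment("patch compliance reporting", 5_000,
                                      probability_factor=0.25)])
client = Risk(PATCHING, "Client", impact=500_000, probability=0.4,
              treatments=[Treatment("fail over to DR site", 20_000, impact_factor=0.2)])
```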
Any Questions?
18
Ersoy.Aksoy@G31000.ae