BME Department of Telecommunications (Híradástechnikai Tanszék) Mark Felegyhazi, CrySyS Lab,
IT risk management
Economics of Security and Privacy (BMEVIHIAV15)
Mark Felegyhazi, assistant professor, CrySyS Lab
BME Department of Telecommunications (Híradástechnikai Tanszék)
mfelegyhazi(atat)crysys(dot)hu

Security is risk management

risk:
- Merriam-Webster (1): possibility of loss or injury
- Dictionary (1): exposure to the chance of injury or loss; a hazard or dangerous chance
- Wikipedia: Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed).

risk management:
- Wikipedia: risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
- CISA Review Manual: Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

More concepts
- vulnerability = a flaw or weakness in the hardware, software or design that makes an attack possible; ex: software bugs
- threat agent = the attacker
- threat = the potential for a threat agent to exploit a vulnerability; a vulnerability alone is not yet a threat (ex: the disk is not encrypted, but the device is physically fixed in place, so nobody can walk off with it), and the threat agent also needs a motivation
- risk = the realization of a threat, weighted by its likelihood and its impact
Risk management (simplified)
Goal of risk management?
[Figure: the chain vulnerabilities -> threats -> incidents -> losses; the risk manager spends $ on controls at points 1, 2 and 3 along the chain]
Goal: minimize the costs associated with risks (threats)

Risk management lifecycle
source: Systems Engineering Fundamentals. Defense Acquisition University Press, 2001

Risk management standards
- ISO/IEC 27000 series - Information security management systems
  - ISO/IEC 27005:2011 - Information security risk management
  - generally accepted guidelines for implementing information security management systems; also serves as the basis for audits
  - open source support: Enterprise Security Information System (ESIS)
- NIST SP 800-30
- ISACA Risk IT
- Open Source Security Testing Methodology Manual (OSSTMM)
- ISO/IEC Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC)
Risk management process (ENISA)
[Figure: the ENISA risk management process, from the definition of the risk management context through risk assessment, risk treatment and risk acceptance to monitoring and review, with risk communication, awareness and consulting alongside]
source: European Network and Information Security Agency (ENISA), Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools, June 2006

Risk management process (Risk IT)
THE RISK IT FRAMEWORK
The Risk IT framework is built on the principles laid out in chapter 3 and further developed into a comprehensive process model (figure 6). The risk management process model groups key activities into a number of processes. These processes are grouped into three domains. The process model will appear familiar to users of COBIT and Val IT: substantial guidance is provided on the key activities within each process, responsibilities for the process, information flows between processes and performance management of the process.
The three domains of the Risk IT framework, Risk Governance, Risk Evaluation and Risk Response, each contain three processes, as shown in figure 6.
Figure 6 Risk IT Framework
- Risk Governance: Establish and Maintain a Common Risk View; Integrate With ERM; Make Risk-aware Business Decisions. Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
- Risk Evaluation: Collect Data; Analyse Risk; Maintain Risk Profile. Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms.
- Risk Response: Articulate Risk; Manage Risk; React to Events. Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
The following chapters contain a number of essential practices and techniques for each of the three domains of the Risk IT framework. The model is explained in full detail in chapter 11.
source: ISACA, Risk IT Framework, 2009

Risk management phases (after ISACA, Risk IT Framework, 2009)
- risk governance (RG): risk management context; define criteria; profile definition; requirements; resources
- risk assessment (RA): risk analysis (identification, estimation); risk evaluation
- risk treatment (RT): prevent, mitigate, transfer, accept
- risk monitoring and review (RM): monitoring, communication, awareness

Decision-makers
- senior management
- chief information officer (CIO)
- information system security officer (ISSO)
- system and information owners
- security practitioners (sysadmins, security specialists)
- security awareness trainers
Risk management planning and governance (RG)
Practical guidance can be found in The Risk IT Practitioner Guide. The topics discussed here include:
- develop an enterprise risk management strategy
- establish and maintain a risk management plan: risk appetite, risk tolerance
- ensure that IT risk management is embedded in the system: integrate with business processes
- provide resources for risk management
- establish responsibilities and accountability
- generic control of risk management

Risk appetite and tolerance (RG)
Behavior towards risks: establish and maintain a common risk view. (ISACA, Risk IT Framework, 2009)
- risk appetite: the property of engaging with risks; risk-averse, risk-neutral or risk-taking; how much risk does the organization accept in order to pursue a return?
- risk tolerance: the tolerated deviation from the risk level defined by the risk appetite
COSO definition (as quoted in Risk IT): Risk appetite and tolerance are concepts that are frequently used, but the potential for misunderstanding is high. Some people use the terms loosely, so the definitions have to be fixed explicitly.
Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk, and it can be expressed using risk maps. Different bands of risk significance can be defined, indicated by coloured bands on the risk map shown in figure 7.
Figure 7 Risk Map Indicating Risk Appetite Bands: Opportunity, Acceptable, Unacceptable, Really Unacceptable
- in the unacceptable region, a risk might trigger an immediate risk response; the enterprise might, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries
- in the opportunity band, responses are found by decreasing the degree of control or where opportunities for assuming more risk might arise
Appetite differs between enterprises, from risk-averse to opportunity seeking. There is no universal right or wrong, but it needs to be defined, well understood and communicated.
[Figure: risk map, magnitude (vertical) against frequency (horizontal), with the risk appetite bands and the tolerance around them]

Key factors to success
- continuous support from top management
- central management, common strategy
- successful integration with business processes
- optimize tasks and controls (avoid over-control)
- compliant with the company's business philosophy
- continuous training
- never-ending process
source: ENISA, Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools, June 2006

Risk assessment (RA)
[Figure: NIST SP 800-30 risk assessment methodology flowchart.
Step 1 System Characterization (input: hardware, software, system interfaces, data and information, people, system mission; output: system boundary, system functions, system and data criticality and sensitivity);
Step 2 Threat Identification (input: history of system attacks, data from intelligence agencies, mass media; output: threat statement);
Step 3 Vulnerability Identification (input: reports from prior risk assessments, any audit comments, security requirements, security test results; output: list of potential vulnerabilities);
Step 4 Control Analysis (input: current controls, planned controls; output: list of current and planned controls);
Step 5 Likelihood Determination (input: threat-source motivation, threat capacity, nature of vulnerability, current controls; output: likelihood rating);
Step 6 Impact Analysis (loss of integrity, availability, confidentiality; output: impact rating);
Step 7 Risk Determination; Step 8 Control Recommendations; Step 9 Results Documentation (output: risk assessment report)]
source: NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002
Risk assessment (RA)
identification
- persons, assets and system info
- technical / management / operational controls
- information gathering: info sources
- threat sources: attacker model
- vulnerability identification
analysis / estimation
- control analysis: security options (ROSI)
- categorize threats by likelihood
- impact analysis: system-critical incidents
evaluation
- risk determination

Measuring risks: simplified
Annualized Loss Expectancy (ALE)
ALE = ARO * SLE = ARO * AV * EF
- ARO: Annualized Rate of Occurrence (likelihood)
- SLE: Single Loss Expectancy = AV * EF (impact of one incident)
- AV: Asset Value
- EF: Exposure Factor, the fraction of the asset value lost in one incident
example: a server fails with probability 0.01 per year (ARO = 0.01); the data on it is worth $5,000,000 (AV); most probably 30% of it is destroyed in a failure (EF = 0.3)
ALE = 0.01 * $5,000,000 * 0.3 = $15,000

Risk analysis flowchart
[Figure: NIST SP 800-30 Figure 4-2, Risk Mitigation Action Points: threat source -> vulnerable? -> exploitable? -> attacker's cost < gain? -> loss anticipated > threshold? -> unacceptable risk; appropriate points for implementing control actions are indicated by the word YES]
The risk mitigation strategy (NIST SP 800-30):
- when a vulnerability (flaw, weakness) exists: implement assurance techniques to reduce the likelihood of the vulnerability's being exercised
- when a vulnerability can be exercised: apply layered protections, architectural designs and administrative controls to minimize the risk of or prevent this occurrence
- when the attacker's cost is less than the potential gain: apply protections to decrease the attacker's motivation by increasing the attacker's cost (e.g., system controls that limit what a system user can access and do can significantly reduce the attacker's gain)
- when the loss is too great: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss
source: NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002

Problems
Some problems with using the popular metric of the expected loss due to a breach as the sole measure of risk are apparent from the following example (L.D. Bodin, L.A. Gordon, M.P. Loeb, Information security and risk management, Communications of the ACM, vol. 51, no. 4, April 2008).

Three risk metrics (expected loss, expected severe loss, standard deviation of loss) can be illustrated with an example. Let X be a random variable representing the loss (in millions of dollars) attributable to a breach. Suppose for a proposal (called Proposal 1) for enhancing information security activities, X has the following discrete uniform distribution:

P[X = x] = 0.1 for x = 0, 1, 2, ..., 9

Therefore, the expected loss from a breach, E[X], under Proposal 1 is given by:

E[X] = Σ_{x=0}^{9} x · P[X = x] = 0(0.1) + 1(0.1) + ... + 9(0.1) = 4.5

In order to calculate the expected severe loss, the decision-maker must first specify a threshold level. Suppose the threshold level, denoted by T, is judged to be 8, i.e., any breach whose cost is $8 million or greater is believed to put the survivability of the organization at risk. The expected severe loss under Proposal 1, denoted by E[severe loss], is given by:

E[severe loss] = Σ_{x ≥ T} x · P[X = x] = 8(0.1) + 9(0.1) = 1.7

(This is the partial expectation over the tail x ≥ T, not the conditional mean E[X | X ≥ T], which here would be 8.5.)

The standard deviation of loss, denoted by σ, under the loss function defined for Proposal 1 is given by:

σ = sqrt( Σ_{x} (x − E[X])² · P[X = x] ) = sqrt(8.25) ≈ 2.87

The standard deviation of loss is used rather than the variance of loss because the standard deviation of loss is measured in the same units (dollars, for example) as the expected loss and the expected severe loss.

Perceived Composite Risk (PCR)
For a given set of information security activities, the PCR is a linear combination of the expected loss, the expected severe loss and the standard deviation of loss that can be attributed to a breach. Specifically,

PCR = E[X] + (B/A) · E[severe loss] + (C/A) · σ

where the weights A, B and C are determined from the AHP. The weights A, B and C are positive, sum to one (A + B + C = 1, A, B, C > 0), and reflect the relative importance of the performance metrics to the decision maker. An overview of the AHP (in an information security investment context) is given in Bodin, Gordon and Loeb (2006).

PCR: calculating the weights
The weights are calculated using the Analytic Hierarchy Process (AHP); check it on Wikipedia, it is quite interesting. The CISO decides about the relative importance of the three criteria in a pairwise comparison matrix. In establishing this pairwise comparison matrix, the assumption in the example is that the expected loss (E[X]) and the expected severe loss (E[X | X ≥ T]) are equally important criteria, both slightly more preferred than the standard-deviation-of-loss (σ) criterion. The pairwise comparisons that represent this judgment are realized by setting a12 = 1, a13 = 2, a21 = 1, a23 = 2, a31 = 1/2 and a32 = 1/2. Further, the diagonal elements a11, a22 and a33 are set equal to 1, since a criterion is equally important as itself. For this decision maker AHP reveals A = 0.4, B = 0.4 and C = 0.2 (other values are possible for other judgments). The value of the PCR for Proposal 1 is:

PCR(Proposal 1) = $4.5M + [0.4/0.4] · [$1.7M] + [0.2/0.4] · [$2.87M] = $4.5M + $1.7M + $1.436M = $7.636M

Evaluating four proposals
In order to demonstrate the use of the PCR, assume that the CISO must select from among four equal-cost proposals for enhancing an organization's information security. Suppose the CISO and his/her staff have estimated the loss probabilities associated with the proposed sets of information security activities. The estimated loss probabilities associated with each proposal are broken down into the 10 discrete amounts in Table 2 (probability of losses, in $ millions, from an information security breach under each proposal). We continue to assume that the threshold level, T, of a severe loss is $8 million. Table 3 lists the values of the three risk measures for each proposal; it also lists the value of the PCR for each proposal, assuming that A = 0.4, B = 0.4 and C = 0.2 (for Proposal 1: E[X] = 4.5, E[severe loss] = 1.7, σ = 2.87, PCR = 7.636; bold in the original marks the column minimums).

According to the expected loss metric, Proposal 3 is the preferred proposal, followed in order by Proposal 1, Proposal 2 and Proposal 4. Note that although Proposal 3 minimizes the expected loss, it also generates the second highest probability of threatening the survivability of the organization (Pr[X ≥ 8] = 0.4) and generates the highest standard deviation of loss. Table 3 also indicates that based on the expected severe loss criterion, Proposal 2 is the preferred proposal, followed in order by Proposal 1, Proposal 3 and Proposal 4. Further, based on the standard deviation criterion, Proposal 4 is the preferred proposal, followed in order by Proposal 2, Proposal 1 and Proposal 3. Thus, a decision maker interested in minimizing the risk of a breach could rationally select Proposal 2, Proposal 3 or Proposal 4, depending on the risk metric being considered. The PCR combines the three risk measures through a procedure that determines the decision maker's relative weighting of the risk criteria.
source: Communications of the ACM, April 2008, vol. 51, no. 4

ALE method's failure
- too many details: the number of scenarios is too high
- difficult to implement
- deterministic rather than probabilistic
- dependence on information: no data
- mostly short-term
source: K. Soo Hoo, How Much Is Enough? A Risk-Management Approach to Computer Security, PhD thesis, Stanford, 2000

Improved methods
- simplify: a tractable way to analyze risks
- Integrated Business Risk management framework: focuses on impact and added value; treats security like other business risks; a technology view on risk simplifies management
- valuation-driven methods: simplify risk analysis; ignore incident likelihoods and focus on asset value; suffer from the simplification
- new methods
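As an added example, not part of the slides or of Bodin, Gordon and Loeb's paper: the ALE computation and the PCR metric above, implemented in Python together with the AHP weights obtained from the pairwise comparison matrix by power iteration. The Proposal 1 distribution, the threshold T = 8 and the pairwise judgments are the ones on the page; the proposals named B and C are constructed here (they are not the paper's Proposals 2 to 4) only to show that the four metrics rank alternatives differently, and the consistency-ratio check is a standard AHP step that the slides do not mention.

```python
"""ALE and Perceived Composite Risk (PCR) with AHP-derived weights.

Added example for the lecture notes.  Proposal 1, T = 8 and the pairwise
matrix come from the slides; proposals "B" and "C" are constructed here.
"""
from math import sqrt
from typing import Dict, List, Sequence, Tuple

LossDist = Dict[int, float]  # loss amount ($ millions) -> probability


def ale(aro: float, asset_value: float, exposure_factor: float) -> float:
    """ALE = ARO * SLE, where SLE = AV * EF (single loss expectancy)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of AV lost per incident")
    return aro * asset_value * exposure_factor


def expected_loss(dist: LossDist) -> float:
    """E[X] = sum_x x * P[X = x]."""
    return sum(x * p for x, p in dist.items())


def expected_severe_loss(dist: LossDist, threshold: float) -> float:
    """Partial expectation over the tail x >= T, the paper's E[severe loss]
    (8*0.1 + 9*0.1 = 1.7 for Proposal 1).  Not the conditional mean."""
    return sum(x * p for x, p in dist.items() if x >= threshold)


def loss_std_dev(dist: LossDist) -> float:
    """sigma = sqrt(sum_x (x - E[X])^2 * P[X = x]); same units as E[X]."""
    mu = expected_loss(dist)
    return sqrt(sum((x - mu) ** 2 * p for x, p in dist.items()))


def pcr(dist: LossDist, threshold: float, w: Tuple[float, float, float]) -> float:
    """PCR = E[X] + (B/A) E[severe loss] + (C/A) sigma."""
    a, b, c = w
    return (expected_loss(dist)
            + (b / a) * expected_severe_loss(dist, threshold)
            + (c / a) * loss_std_dev(dist))


def ahp_weights(m: Sequence[Sequence[float]], iters: int = 200, tol: float = 1e-12) -> List[float]:
    """AHP priority vector: principal right eigenvector of the positive
    reciprocal matrix m, by power iteration, normalized to sum to 1."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iters):
        aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        s = sum(aw)
        new = [v / s for v in aw]
        converged = max(abs(new[i] - w[i]) for i in range(n)) < tol
        w = new
        if converged:
            break
    return w


def ahp_consistency_ratio(m: Sequence[Sequence[float]]) -> float:
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1).
    Judgments with CR > 0.1 are conventionally sent back to the decision maker."""
    random_index = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
    n = len(m)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    w = ahp_weights(m)
    aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return ((lambda_max - n) / (n - 1)) / random_index[n]


def rank_by(proposals: Dict[str, LossDist], metric) -> List[str]:
    """Proposal names from lowest (preferred) to highest metric value."""
    return sorted(proposals, key=lambda name: metric(proposals[name]))


# Slide data: Proposal 1 has P[X = x] = 0.1 for x = 0..9; severe-loss threshold T = 8.
PROPOSAL_1: LossDist = {x: 0.1 for x in range(10)}
T = 8
# Pairwise judgments from the slides: E[X] and E[severe loss] equally important,
# each twice as important as sigma (a13 = a23 = 2, a31 = a32 = 1/2).
PAIRWISE = [[1, 1, 2],
            [1, 1, 2],
            [0.5, 0.5, 1]]
# Constructed proposals (NOT the paper's Proposals 2-4): "B" is tightly
# concentrated around the mean, "C" is all-or-nothing with a lower mean.
PROPOSALS: Dict[str, LossDist] = {
    "P1": PROPOSAL_1,
    "B": {4: 0.5, 5: 0.5},
    "C": {0: 0.6, 9: 0.4},
}


def rankings(threshold: float = T) -> Dict[str, List[str]]:
    """Rank PROPOSALS under each single metric and under the PCR."""
    w = tuple(ahp_weights(PAIRWISE))
    return {
        "expected_loss": rank_by(PROPOSALS, expected_loss),
        "severe_loss": rank_by(PROPOSALS, lambda d: expected_severe_loss(d, threshold)),
        "std_dev": rank_by(PROPOSALS, loss_std_dev),
        "pcr": rank_by(PROPOSALS, lambda d: pcr(d, threshold, w)),
    }


if __name__ == "__main__":
    print("ALE example ($):", ale(0.01, 5_000_000, 0.3))
    w = ahp_weights(PAIRWISE)
    print("AHP weights A,B,C:", [round(v, 3) for v in w],
          "CR:", round(ahp_consistency_ratio(PAIRWISE), 3))
    print("Proposal 1: E[X]=%.2f E[severe]=%.2f sigma=%.3f PCR=%.3f" % (
        expected_loss(PROPOSAL_1), expected_severe_loss(PROPOSAL_1, T),
        loss_std_dev(PROPOSAL_1), pcr(PROPOSAL_1, T, tuple(w))))
    for metric, order in rankings().items():
        print("%-14s %s" % (metric, " < ".join(order)))
```

Running the script reproduces the slide's numbers (ALE = 15000, weights 0.4/0.4/0.2, PCR(Proposal 1) = 7.636) and shows the effect the paper is after: the constructed proposal C has the lowest expected loss but the worst severe loss, standard deviation and PCR, while B, which never breaches the threshold, wins on PCR. The pairwise matrix on the slide is perfectly consistent (CR = 0); with real CISO judgments the ratio is rarely zero, and a value above 0.1 is the usual signal to revisit the comparisons before trusting the weights.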
Improved methods (cont'd)
- scenario analysis: qualitative and quantitative methods; often used to dramatize impact (by consultants); limited scope
- good practices: the common engineering response; results in (some) protection steps; also protects against liability claims; de-coupled from data collection and analysis; efficiency depends on compliance costs and on the process that defines the practices / rules
- driving force: insurance??? (more in Chapter 10); governments?

Quantitative risk management
Key enabler: information = data (potentially historic)
- share information on vulnerabilities, incidents, losses, effectiveness of countermeasures, conformance to policies
- register incidents (with proper forensics), report them, summarize in a central(ized) database

Risk treatment options (RT)
- avoidance: eliminate incidents
- mitigation: testing; reduce impact
- sharing / transfer: disclaimer (no party is responsible); agreement (responsibility transferred); compensation by risk pooling (share losses) or risk hedging (bet on losses)
- acceptance / retention: self-insure, accept losses
partially from: Blakley, B., McDermott, E. and Geer, D., Information security is information risk management, Proceedings of the 2001 workshop on New security paradigms, 2001

Risk treatment controls (RT)
determine the appropriate controls; select risk treatment controls:
- prevention: firewall, authentication, locks
- detection: IDS
- recovery: backup, forensics
- management: better data center for security
- information collection: information sharing (more in Chapter 6)
- training / awareness: employee training sessions
Risk treatment action plan (RT)
action plan = prioritize + implement actions / controls
- prioritize controls / actions: cost-benefit analysis (more in Chapter 4); importance of the risk (impact); effectiveness; the benefit of unrealized losses is difficult to quantify (ROSI)
- get approval for the action plan: top management support is essential
- implement the action plan: develop a policy (together with the security policy); assign responsibility; performance measures and reporting; residual risks and their acceptance

Risk monitoring and review (RM)
- review and update processes and policies
- document each stage of the risk management process: development and action plan (reasons and analysis); changes and efficiency; legal basis; reuse of information

Risk communication (RM)
Figure: IT Risk Communication Components (ISACA, Risk IT Framework, 2009). Expectation (strategy, policies, procedures, awareness, training, etc.), Capability (risk management process maturity) and Status (risk profile, key risk indicators, loss data, etc.) together make up effective IT risk communication.
What to communicate? IT risk communication covers a broad array of information flows. Risk IT distinguishes among the following major types of IT risk communication, as shown in the figure:
- Expectation: policies, procedures, awareness training, continuous reinforcement of principles, etc. This is essential communication on the enterprise's overall strategy towards IT risk, and it drives all subsequent efforts on risk management. It sets the overall expectations from risk management.
- Capability: monitoring of the state of the risk management engine in the enterprise; it is a key indicator for good risk management and has predictive value for how well the enterprise is managing risk and reducing exposure.
- Status: information such as the risk profile of the enterprise, i.e., the overall portfolio of (identified) risks to which the enterprise is exposed; KRIs to support management reporting on risk; event/loss data; root causes of loss events; options to mitigate risks (cost and benefits).
To be effective, all information exchanged, regardless of its type, should be:
- clear communication on risk, including the avoidance of jargon and technical terms regarding risk, since the intended audiences are generally not deeply technologically skilled
- concise; excess detail can hinder, rather than enable, a clear view of risk
- useful, tracing risk from its origination point to its business consequence: a risk may originate when an inadequate IT organisation is set up, and the business consequence is inefficient IT operations and service delivery; in another example, the origination point may be project failure, and the business consequence is delayed business initiatives
- timely: communication is timely when it allows action to be taken at the appropriate moments to identify and treat the risk; it serves no useful purpose to communicate a project delay a week before the deadline
- aimed at the correct audience, aggregated to its needs and enabling informed decisions; in this process, aggregation must not hide root causes of risk. For example, a security officer needs technical IT data on intrusions and viruses to deploy solutions. An IT steering committee may not need this level of detail, but it does need the aggregated picture.

Reading for next time
- Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol. 5, nr. 4, 2002
- optional: Gordon, L.A., Loeb, M.P. and Lucyshyn, W., Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, vol. 19, nr. 2, 2003
- Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy, vol. 8, nr. 1, 2010
More informationPOL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:
POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:
More informationFeature. Developing an Information Security and Risk Management Strategy
Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide
More informationCOBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.
COBIT 5 for Risk CS 3-7: Monday, July 6 4:00-5:00 Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.net Disclaimer of Use and Association Note: It is understood that
More informationDecision making in ITSM processes risk assessment
Decision making in ITSM processes risk assessment V Grekul*, N Korovkina, K Korneva National Research University Higher School of Economics, 20 Myasnitskaya Ulitsa, Moscow, 101000, Russia * Corresponding
More informationRecall the Security Life Cycle
Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena Recall the Security Life Cycle Threats Policy Specification Design Implementation Operation and Maintenance So far what we have learnt
More informationInformation technology Security techniques Information security management systems Overview and vocabulary
INTERNATIONAL STANDARD ISO/IEC 27000 Third edition 2014-01-15 Information technology Security techniques Information security management systems Overview and vocabulary Technologies de l information Techniques
More informationOperational Risk Management Program Version 1.0 October 2013
Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationProject Risk Management
Project Risk Management Study Notes PMI, PMP, CAPM, PMBOK, PM Network and the PMI Registered Education Provider logo are registered marks of the Project Management Institute, Inc. Points to Note Risk Management
More informationISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk
Kevin W Knight AM CPRM; Hon FRMIA; FIRM (UK); LMRMIA: ANZIIF (Mem) ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk History of the ISO and Risk Management Over
More informationRISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY
RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY PRESENTED BY: LEN WIATR, CHIEF RISK OFFICER Len s Risk Management Philosophy Build a
More informationA Hierarchical Information System Risk Evaluation Method Based on Asset Dependence Chain
International Journal of Security and Its Applications, pp.81-88 http://dx.doi.org/10.1257/ijsia.201.8.6.08 A Hierarchical Information System Risk Evaluation Method Based on Asset Dependence Chain Xin
More informationKey Components of a Risk-Based Security Plan
Key Components of a Risk-Based Security Plan How to Create a Plan That Works Authors: Vivek Chudgar Principal Consultant Foundstone Professional Services Jason Bevis Director Foundstone Professional Services
More informationInformation Security Risk Management
Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net
More informationUF IT Risk Assessment Standard
UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved
More informationRSA ARCHER OPERATIONAL RISK MANAGEMENT
RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume
More informationApplying Integrated Risk Management Scenarios for Improving Enterprise Governance
Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationCISM ITEM DEVELOPMENT GUIDE
CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps
More informationUF Risk IT Assessment Guidelines
Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an
More informationCertified Information Security Manager (CISM)
Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security
More informationEnterprise Risk Management
Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationRoot Cause Analysis Concepts and Best Practices for IT Problem Managers
Root Cause Analysis Concepts and Best Practices for IT Problem Managers By Mark Hall, Apollo RCA Instructor & Investigator A version of this article was featured in the April 2010 issue of Industrial Engineer
More informationISMS Implementation Guide
atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation
More informationHow To Transform It Risk Management
The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help
More informationCOBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)
COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA
More informationdeveloping your potential Cyber Security Training
developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company
More informationAnalyzing the Security Significance of System Requirements
Analyzing the Security Significance of System Requirements Donald G. Firesmith Software Engineering Institute dgf@sei.cmu.edu Abstract Safety and security are highly related concepts [1] [2] [3]. Both
More informationNIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationDeriving Value from ORSA. Board Perspective
Deriving Value from ORSA Board Perspective April 2015 1 This paper has been produced by the Joint Own Risk Solvency Assessment (ORSA) Subcommittee of the Insurance Regulation Committee and the Enterprise
More informationRisk Mapping A Risk Management Tool with Powerful Applications in the New Economy
Risk Mapping A Risk Management Tool with Powerful Applications in the New Economy By Todd Williams and Steve Saporito What if your company s major business risks, obstacles to strategic objectives, and
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationImproving Residual Risk Management Through the Use of Security Metrics
Improving Residual Risk Management Through the Use of Security Metrics Every investment in security should be effective in reducing risk, but how do you measure it? Jonathan Pagett and Siaw-Lynn Ng introduce
More informationLecture 7: Threat Modeling. CS 392/6813: Computer Security Fall 2007. Nitesh Saxena. *Adopted from a previous lecture by Nasir Memon
Lecture 7: Threat Modeling CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Nasir Memon Course Admin HW 1 to 5 are graded; solutions provided HW6 being graded
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationImproving Software Development Processes with Multicriteria Methods
Improving Software Development Processes with Multicriteria Methods Elena Kornyshova, Rébecca Deneckère, and Camille Salinesi CRI, University Paris 1 - Panthéon Sorbonne, 90, rue de Tolbiac, 75013 Paris,
More informationBridgend County Borough Council. Corporate Risk Management Policy
Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk
More informationInformation Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
More informationGuiding Principles for Implementing Enterprise Risk Management (ERM)
1 Guiding Principles for Implementing Enterprise Risk Management (ERM) SEAC Conference New Orleans November 15-17, 2006 Hubert Mueller (860) 843-7079 Towers Towers Perrin Perrin 0 ERM raises many implementation
More informationHow To Understand And Understand Risk Management
CYBERSECURITY RISK MANAGEMENT AND INSURANCE Paul J M Klumpes Professor of Sustainable Finance and Risk Accounting by GIRO Conference September 2014 2014 R&I Conference 1 Authors Brief Paul Klumpes Professor
More informationFlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk
Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk 2012 The Flynt Group, Inc., All Rights Reserved FlyntGroup.com Enterprise Risk Management and Business
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationMetrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz
Metrics to Assess and Manage Software Application Security Risk M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz Auburn University at Montgomery (AUM) and ATILIM University, Ankara msahinog@aum.edu,
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR
More informationRISK MANAGEMENT FOR INFRASTRUCTURE
RISK MANAGEMENT FOR INFRASTRUCTURE CONTENTS 1.0 PURPOSE & SCOPE 2.0 DEFINITIONS 3.0 FLOWCHART 4.0 PROCEDURAL TEXT 5.0 REFERENCES 6.0 ATTACHMENTS This document is the property of Thiess Infraco and all
More informationPreparing for the Convergence of Risk Management & Business Continuity
Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationInformation Security Specialist Training on the Basis of ISO/IEC 27002
Information Security Specialist Training on the Basis of ISO/IEC 27002 Natalia Miloslavskaya, Alexander Tolstoy Moscow Engineering Physics Institute (State University), Russia, {milmur, ait}@mephi.edu
More informationChayuth Singtongthumrongkul
IT is complicated. IT Governance doesn t have to be. Chayuth Singtongthumrongkul CISSP, CISA, ITIL Intermediate, PMP, IRCA ISMS (ISO/IEC 27001) Director of International Academic Alliance, ACIS Professional
More informationNegative Risk. Risk Can Be Positive. The Importance of Project Risk Management
The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests t of
More informationZurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate
Zurich s approach to Enterprise Risk Management John Scott Chief Risk Officer Zurich Global Corporate Agenda 1. The risks we face 2. Strategy risk and risk tolerance 3. Zurich s ERM framework 4. Capital
More informationA structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000
A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 Contents Executive summary Introduction Acknowledgements Part 1: Risk, risk management and ISO 31000 1 Nature
More informationSytorus Information Security Assessment Overview
Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)
More informationGlobal Technology Audit Guide. Auditing IT Governance
Global Technology Audit Guide Auditing IT Governance Global Technology Audit Guide (GTAG ) 17 Auditing IT Governance July 2012 GTAG Table of Contents Executive Summary... 1 1. Introduction... 2 2. IT
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationMeasurement Information Model
mcgarry02.qxd 9/7/01 1:27 PM Page 13 2 Information Model This chapter describes one of the fundamental measurement concepts of Practical Software, the Information Model. The Information Model provides
More informationState of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
More informationSoftware Application Control and SDLC
Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to
More information5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE
5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationIT Risk & Security Specialist Position Description
Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level
More informationECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY
ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY Lawrence A. Gordon Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance The Robert H. Smith School of Business University of Maryland
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationRisk Management Framework for IT-Centric Micro and Small Companies
Risk Management Framework for IT-Centric Micro and Small Companies Jasmina Trajkovski 1, Ljupcho Antovski 2 1 Trajkovski & Partners Management Consulting Sveti Kliment Ohridski 24/2/1, 1000 Skopje, Macedonia
More informationContents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.
iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management
More informationIT@Intel. Measuring the Return on IT Security Investments. White Paper Intel Information Technology Computer Manufacturing Information Security
White Paper Intel Information Technology Computer Manufacturing Information Security Measuring the Return on IT Security Investments Intel IT developed a model for measuring return on security investment
More informationImplementing COBIT based Process Assessment Model for Evaluating IT Controls
Implementing COBIT based Process Assessment Model for Evaluating IT Controls By János Ivanyos, Memolux Ltd. (H) Introduction New generations of governance models referring to either IT or Internal Control
More informationPursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES
Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES Contents PART I An Increasing Threat: Identity Theft The FFIEC Response Risk Assessment Fundamentals The FFIEC
More information1.20 Appendix A Generic Risk Management Process and Tasks
1.20 Appendix A Generic Risk Management Process and Tasks The Project Manager shall undertake the following generic tasks during each stage of Project Development: A. Define the project context B. Identify
More informationInformation Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project
Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take
More informationWhite Paper An Enterprise Security Program and Architecture to Support Business Drivers
White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security
More informationHIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationA Risk Management Standard
A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management
More information(Instructor-led; 3 Days)
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
More informationAdvantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches
Chinese Business Review, ISSN 1537-1506 December 2011, Vol. 10, No. 12, 1106-1110 D DAVID PUBLISHING Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches Stroie Elena
More informationGUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
More informationUnderstanding changes to the Trust Services Principles for SOC 2 reporting
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting
More informationDeveloping an Effective Enterprise Risk Management Program
Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationOperational Risk Management - The Next Frontier The Risk Management Association (RMA)
Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first
More informationCORPORATE GOVERNANCE
CORPORATE GOVERNANCE Lesson n. 9 Corporate Governance and Risk Management a.y. 2015-2016 1 st semester f.buzzichelli@lumsa.it CG and Risk Management Contents 1. Corporate Risk Assessment: ERM 2. US COSO
More informationComplying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance
WHITE paper Complying with the Federal Information Security Management Act How Tripwire Change Auditing Solutions Help page 2 page 3 page 3 page 3 page 4 page 4 page 5 page 5 page 6 page 6 page 7 Introduction
More informationBest Practices in ICS Security for System Operators. A Wurldtech White Paper
Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationAbout Effective Penetration Testing Methodology
보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 5호 2008년 10월 About Effective Penetration Testing Methodology Byeong-Ho KANG 1) Abstract Penetration testing is one of the oldest methods for assessing
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationKEY TRENDS AND DRIVERS OF SECURITY
CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures
More information