Information Security Risk Management



Information Security Risk Management Based on ISO/IEC 17799
Houman Sadeghi Kaji
Spread Spectrum Communication System PhD., Cisco Certified Network Professional, Security Specialist, BS7799 LA
info@houmankaji.net

Target Audience
This session is primarily intended for:
- Systems architects and planners
- Members of the information security team
- Security and IT auditors
- Senior executives, business analysts, and business decision makers
- Consultants and partners

Motivation for this Presentation
Security is a process, not a product. Security products will not save you. A process is composed of technology, people, and tools. This matters because processes involve time and interaction between entities, and many of the hard problems in security stem from this inherent interaction.

What is a risk (generic)
- A definable event
- Probability of occurrence
- Consequence (impact) of occurrence
A risk is not a problem. A problem is a risk whose time has come.

Identifying Security Risk Management Prerequisites
- Security Risk Management Concepts
- Identifying Security Risk Management Prerequisites
- Assessing Risk
- Conducting Decision Support
- Implementing Controls and Measuring Program Effectiveness

Risk Analysis
Risk analysis is a method of identifying and assessing the possible damage that could be caused, in order to justify security safeguards.
Two types of risk analysis:
- Quantitative: attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place.
- Qualitative: an analysis that judges an organization's risk from threats based on judgment, intuition, and experience, rather than assigning real numbers to the possible risks and their potential loss.

Risk Management vs. Risk Assessment

|           | Risk Management                                    | Risk Assessment                            |
|-----------|----------------------------------------------------|--------------------------------------------|
| Goal      | Manage risks across business to acceptable level   | Identify and prioritize risks              |
| Cycle     | Overall program across all four phases             | Single phase of risk management program    |
| Schedule  | Scheduled activity                                 | Continuous activity                        |
| Alignment | Aligned with budgeting cycles                      | Not applicable                             |

Communicating Risk
Well-Formed Risk Statement:
- Asset: What are you trying to protect?
- Threat: What are you afraid of happening?
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?
- Impact: What is the impact to the business?
- Probability: How likely is the threat given the controls?
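The following is an added example, not code from the slides: a small risk register that holds the six elements of the well-formed risk statement above and applies both types of risk analysis from the Risk Analysis slide. It assumes the quantitative view is expected loss = probability of occurrence x consequence (the slides define the two factors but state no formula), that a safeguard is justified when the expected loss it removes exceeds its cost, and that the qualitative view is an ordinal Low/Medium/High matrix. The register entries, amounts, and probabilities are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Risk:
    """One row of a risk register, mirroring the well-formed risk statement."""
    asset: str          # what are you trying to protect?
    threat: str         # what are you afraid of happening?
    vulnerability: str  # how could the threat occur?
    mitigation: str     # what is currently reducing the risk?
    impact: float       # consequence of occurrence, in currency units (quantitative)
    probability: float  # annual probability of occurrence given current controls, 0..1

    def statement(self) -> str:
        """Render the six elements as a single risk statement sentence."""
        return (
            f"Because of {self.vulnerability}, {self.threat} could affect "
            f"{self.asset} (currently reduced by {self.mitigation}); "
            f"business impact {self.impact:,.0f} with probability {self.probability:.0%}."
        )

    def expected_loss(self) -> float:
        """Quantitative analysis (assumed formula): probability x impact."""
        return self.probability * self.impact


def prioritize(register: Sequence[Risk]) -> List[Risk]:
    """Order the register so the largest expected loss comes first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def safeguard_justified(risk: Risk, safeguard_cost: float, residual_probability: float) -> bool:
    """Quantitative justification: does the expected loss removed exceed the safeguard cost?

    residual_probability is the probability expected after the safeguard is in place.
    """
    loss_removed = risk.expected_loss() - residual_probability * risk.impact
    return loss_removed > safeguard_cost


# Qualitative analysis: ordinal judgments instead of real numbers.
LEVELS = ("Low", "Medium", "High")


def qualitative_rating(probability_level: str, impact_level: str) -> str:
    """Combine Low/Medium/High probability and impact judgments into one rating."""
    score = LEVELS.index(probability_level) + LEVELS.index(impact_level)
    if score <= 1:
        return "Low"
    if score == 2:
        return "Medium"
    return "High"


# Constructed sample register (values are invented for illustration).
SAMPLE_REGISTER = [
    Risk("customer database", "theft of customer records",
         "an unpatched public web server", "quarterly patching",
         impact=500_000, probability=0.10),
    Risk("payroll system", "an extended outage",
         "a single server without failover", "nightly backups",
         impact=80_000, probability=0.25),
    Risk("office laptops", "loss of an unencrypted device",
         "missing disk encryption", "asset tracking",
         impact=20_000, probability=0.50),
]


if __name__ == "__main__":
    for risk in prioritize(SAMPLE_REGISTER):
        print(f"{risk.expected_loss():>10,.0f}  {risk.statement()}")
    top = prioritize(SAMPLE_REGISTER)[0]
    print("Safeguard at 30,000/yr justified:", safeguard_justified(top, 30_000, 0.02))
    print("Qualitative rating (High probability, Low impact):", qualitative_rating("High", "Low"))
```

The quantitative path gives an ordering a budget holder can act on, which is why it aligns with the budgeting cycle; the qualitative path needs no currency figures and is the one to use where loss data does not exist, at the cost of precision.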

Determining Your Organization's Risk Management Maturity Level
Publications to help you determine your organization's risk management maturity level include:
- National Institute of Standards and Technology: Security Self-Assessment Guide for Information Technology Systems (SP 800-26)
- IT Governance Institute: Control Objectives for Information and Related Technology (CobiT)
- International Standards Organization: ISO Code of Practice for Information Security Management (ISO 17799)

Performing a Risk Management Maturity Self-Assessment

| Level | State           |
|-------|-----------------|
| 0     | Non-existent    |
| 1     | Ad hoc          |
| 2     | Repeatable      |
| 3     | Defined process |
| 4     | Managed         |
| 5     | Optimized       |

Enterprise Security Architecture Model (diagram; elements as shown)
- Corporate Governance
- Business & Security Management Organization
- Business Aligned Security Policies, Standards and Strategies
- Compliance and Monitoring
- Business Processes
- IT Management Processes
- Security Management Processes
- Security Solutions: Privacy, Identity Management, Application Integrity, Infrastructure Security, Business Continuity
- Architecture and Standards

Defining Roles and Responsibilities
- Executive Sponsor: What's important? Determine acceptable risk.
- Information Security Group: Prioritize risks; assess risks; define security requirements; measure security solutions.
- IT Group: Best control solution; design and build security solutions; operate and support security solutions.