risk management - ase management presentation.pdf · developing and implementing risk mitigation...
TRANSCRIPT
• Calita Gheorghita Cristinel
• Bucharest • 09 November 2015
Risk Management
Risk Management - content
• Introduction
• Risk identification
• Risk assessment
• Risk mitigation
• Conclusions & closing thoughts
• Q&A
Introduction
• Concept
• Short history
• Frameworks
Why do we need Risk Management?
Source: http://www.bankinfosecurity.com/chase-a-6356/op-1
Source: http://www.wsj.com/articles/deutsche-bank-mistakenly-transfers-6-billion-to-clients-account-1445283517
Source: http://lifehacker.com/chase-bank-hacked-info-stolen-for-83-million-accounts-1642063956
What is Risk Management?
Definition: Risk Management is defined as the process of identifying risks, assessing their potential impacts on the organization and its mission, determining the likelihood of their occurrence, communicating findings to management, and developing and implementing risk mitigation strategies to reduce risks to levels that are acceptable to the organization.
Information Risk Management is the management of the risks involved in handling data.
Goal: Risk Management's goal is to create a reference framework that allows companies to handle risk and uncertainty.
Related terms
• Risk
• Likelihood
• Threat source
• Threat
• Vulnerability
• Impact
Risk definition
Information Risk & CIA Triad
Operational Risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.
IT Risk: the risk of financial and reputational loss due to events leading to breaches of confidentiality, integrity and availability of business processes or information, caused by inadequate information and IT security.
• Confidentiality - ensure that data can be accessed only by those who are authorized.
• Integrity - prevent unauthorised or inadvertent data modification.
• Availability - ensure that data is available whenever it is needed.
Risk identification
Risk Identification
• How risks are identified.
• Risks identified through internal assessments:
  - Business environment assessments
  - Risk and control self assessments
  - IT risk assessments
  - Vulnerability assessments (e.g. scans)
  - Internal control missions/verifications
  - Scenario analysis
• Risks identified via external assessments:
  - External audit reports
  - External penetration tests
  - Responsible disclosure programs
  - Emerging external trends/factors, sourced from reputable external sources
Controls
• A control is a measure, an action, a process, a requirement, etc. whose purpose is to mitigate a risk.
• Categories, by type of control:
  - Technical (controls end-user and system actions; e.g. password constraints, access control lists, firewalls, data encryption, antivirus software, intrusion prevention software, etc.)
  - Administrative (dictates how activities should be performed; e.g. policies, procedures, guidelines, standards, etc.)
  - Operational (e.g. configuration management, incident response, awareness, etc.)
• Or, by function:
  - Preventive (attempt to prevent adverse behaviour and actions from occurring; e.g. firewall, IPS, etc.)
  - Deterrent (warn a would-be attacker that he should not attack; e.g. fence, "beware of the dog" sign, etc.)
  - Detective (detect actual or attempted violations of system security; e.g. sensors, IDS, etc.)
  - Compensating (backup controls that come into play only when other controls have failed; e.g. backup generator)
Risk assessment
Risk Assessment – likelihood determination
• Likelihood determination is based on:
  - Vulnerability nature:
    • Operating system, application, database or device affected by the vulnerability
    • Whether local or remote access is required to exploit the vulnerability
    • The skills and tools required to exploit the vulnerability
  - Threat source's motivation and capability:
    • Motivational factors (e.g. financial gain, revenge, political motivation)
    • Capability (e.g. skills, tools, knowledge)
  - Controls in place:
    • The effectiveness of the controls used for preventing exploitation of the vulnerability
Risk Assessment – Impact Analysis (I)
• Quantitative approach (financial impact)
  - Factors may include: range and severity of the issue; perceived importance; budget involved; etc.
  - ALE (Annual Loss Expectancy): the expected annual loss as a result of a risk to a specific asset
    ALE (€) = Risk impact (in €) × Number of occurrences (absolute nr. per annum) × Likelihood (in %)
Risk Assessment – Impact Analysis (II)
• Qualitative approach (non-financial impact) – risk rating table
Source: https://ischool2013.wikispaces.com/file/view/risk-table.jpg/472497818/risk-table.jpg
Risk Assessment – risk level matrix
• Risk determination results from the combination of:
  - The likelihood
  - The magnitude of the impact
  - The effectiveness of the controls in place
• Critical Risk: a major risk to the organization and organizational mission exists; corrective actions are mandatory and should be implemented immediately.
• High Risk: a significant risk to the organization and to the organizational mission exists; there is a strong need for corrective actions, to be implemented as soon as possible.
• Medium Risk: a moderate risk to the organization and to the organizational mission exists; there is a need for corrective actions, to be implemented within a reasonable time.
• Low Risk: a low risk to the organization exists; an evaluation is needed to determine whether the risk should be reduced or accepted; if it is determined that the risk should be reduced, corrective actions are to be implemented within a reasonable time.
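The likelihood factors, the ALE formula and the risk level matrix from the assessment slides, carried through in code. This is an added example, not code from the presentation: the ALE formula, the four risk levels and their required actions follow the slides, while the 1..5 scoring scales, the factor weights, the control-effectiveness steps and the score bands are assumptions made here for illustration.

```python
"""Risk assessment helpers: likelihood scoring, quantitative ALE and a qualitative risk-level matrix.

Added example, not code from the presentation. The ALE formula and the four risk
levels with their required actions are the slides'; the 1..5 scoring scales, the
factor weights and the score bands are assumptions of this example.
"""


def annual_loss_expectancy(impact_eur: float, occurrences_per_annum: float,
                           likelihood_pct: float) -> float:
    """ALE (EUR) = risk impact (EUR) x number of occurrences per annum x likelihood (%)."""
    if impact_eur < 0 or occurrences_per_annum < 0:
        raise ValueError("impact and occurrence count must be non-negative")
    if not 0.0 <= likelihood_pct <= 100.0:
        raise ValueError("likelihood is a percentage in 0..100")
    return impact_eur * occurrences_per_annum * likelihood_pct / 100.0


# Assumed 1..5 scales: 1 = rare / negligible ... 5 = almost certain / severe.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed weights for the slide's likelihood factors: less skill needed, remote
# exploitability and a motivated threat source all push the score up.
SKILL_WEIGHT = {"low": 2, "medium": 1, "high": 0}
MOTIVATION_WEIGHT = {"low": 0, "high": 1}

# Assumed effect of the controls in place: each step lowers the likelihood score by one.
CONTROL_EFFECTIVENESS = {"none": 0, "partial": 1, "effective": 2}

# Score bands over likelihood x impact (1..25); levels and actions follow the slide.
RISK_LEVELS = (
    (16, "Critical", "corrective actions mandatory, implement immediately"),
    (10, "High", "strong need for corrective actions, implement as soon as possible"),
    (5, "Medium", "corrective actions needed, implement within a reasonable time"),
    (1, "Low", "evaluate whether the risk should be reduced or accepted"),
)


def likelihood_score(remote_exploitable: bool, exploit_skill: str, threat_motivation: str) -> int:
    """Likelihood 1..5 from vulnerability nature and threat-source motivation."""
    if exploit_skill not in SKILL_WEIGHT or threat_motivation not in MOTIVATION_WEIGHT:
        raise ValueError("unknown skill or motivation level")
    score = 1 + int(remote_exploitable) + SKILL_WEIGHT[exploit_skill] + MOTIVATION_WEIGHT[threat_motivation]
    return min(5, score)


def risk_level(likelihood: int, impact: int, controls: str = "none") -> tuple[str, str]:
    """Combine likelihood, impact and control effectiveness into (level, required action)."""
    if likelihood not in LIKELIHOOD_SCALE or impact not in IMPACT_SCALE:
        raise ValueError("likelihood and impact are scores 1..5")
    if controls not in CONTROL_EFFECTIVENESS:
        raise ValueError("controls must be one of " + ", ".join(CONTROL_EFFECTIVENESS))
    effective_likelihood = max(1, likelihood - CONTROL_EFFECTIVENESS[controls])
    score = effective_likelihood * impact
    for threshold, level, action in RISK_LEVELS:
        if score >= threshold:
            return level, action
    raise AssertionError("score below 1 is impossible")


if __name__ == "__main__":
    # Constructed scenario: SQL injection in an internet-facing web application.
    lik = likelihood_score(remote_exploitable=True, exploit_skill="low", threat_motivation="high")
    print("likelihood score:", lik, LIKELIHOOD_SCALE[lik])
    for ctl in CONTROL_EFFECTIVENESS:
        level, action = risk_level(lik, impact=4, controls=ctl)
        print(f"controls={ctl:<9} level={level:<8} -> {action}")
    print("ALE (EUR):", annual_loss_expectancy(impact_eur=250_000, occurrences_per_annum=1, likelihood_pct=20))
```

Running the module prints how the same vulnerability moves from Critical to High as the controls in place improve, which is the point of the third input to the matrix: the control environment is assessed together with likelihood and impact, not after them.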
Risk mitigation
Risk Mitigation (I) – Inherent, Managed, and Residual Risk
Inherent Risk
• The risk as it is, before the controls are considered
• Applicable for new projects, in the planning phase, considering the threat sources present in the environment, with only its generic controls in place
Managed Risk
• The risk given the effectiveness of the current control environment
• Requires the identification of all relevant existing specific controls and the assessment of the controls' effectiveness
• If there are no existing controls, the managed risk is the inherent risk
Residual Risk
• The target risk level after mitigation actions have been put in place
• Assessment of the residual risks after planned mitigation actions, related to the target risk appetite of business management
• If there are no additional planned mitigation actions, the residual risk is the managed risk
Risk Mitigation (II) – Risk Mitigation Strategies
Managed Risk -> Risk Reduction | Risk Avoidance | Risk Transfer | Risk Acceptance -> Residual Risk
• Residual risk within appetite -> Risk Acceptance
• Residual risk beyond appetite -> back to the mitigation strategies
Risk Reduction:
  1. Reducing the likelihood of occurrence
  2. Reducing impact
Risk Avoidance: stop the activity that generates the risk
Risk Transfer: insurance
Risk Acceptance:
  1. Risk deviation
  2. Risk acceptances
  3. Risk waiver
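The inherent / managed / residual chain from Risk Mitigation (I) and the strategy choice from Risk Mitigation (II), worked through on constructed numbers. This is an added example, not code from the presentation. The slides supply the three risk definitions (managed equals inherent when there are no controls, residual equals managed when nothing further is planned), the four strategy names and the rule that mitigation is chosen on a cost-benefit basis; the numeric model here (each measure removes a fraction of the ALE, fractions multiply, and the preferred option is the cheapest sum of mitigation cost plus residual ALE that lands within appetite) and the sample risk, controls and costs are assumptions of this example.

```python
"""Inherent, managed and residual risk, and a cost-benefit choice of mitigation strategy.

Added example, not code from the presentation. The slides define the three risk
levels and name the four strategies; the numeric model (each control removes a
fraction of the ALE, fractions multiply, and the cheapest option is the one with
the lowest annual cost + residual ALE) is an assumption of this example.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Mitigation:
    name: str
    strategy: str          # "Risk reduction" (lower likelihood or impact) or "Risk transfer" (insurance)
    effectiveness: float   # assumed: fraction of the ALE the measure removes, 0.0..1.0
    annual_cost_eur: float


@dataclass(frozen=True)
class Risk:
    name: str
    inherent_ale_eur: float                           # ALE before any specific control is considered
    existing_controls: tuple[Mitigation, ...] = ()    # already in place and assessed
    planned_mitigations: tuple[Mitigation, ...] = ()  # candidates senior management can choose from


@dataclass(frozen=True)
class Decision:
    strategy: str
    mitigations: tuple[str, ...]
    residual_ale_eur: float
    total_annual_cost_eur: float   # annual cost of the chosen mitigations + residual ALE


def remaining_fraction(mitigations: tuple[Mitigation, ...]) -> float:
    """Fraction of the risk left after applying all given mitigations (assumed independent)."""
    remaining = 1.0
    for m in mitigations:
        if not 0.0 <= m.effectiveness <= 1.0:
            raise ValueError(f"{m.name}: effectiveness must be in 0..1")
        remaining *= 1.0 - m.effectiveness
    return remaining


def managed_ale(risk: Risk) -> float:
    """Managed risk: inherent risk given the existing controls (equals inherent if there are none)."""
    return risk.inherent_ale_eur * remaining_fraction(risk.existing_controls)


def residual_ale(risk: Risk, chosen: tuple[Mitigation, ...] = ()) -> float:
    """Residual risk: managed risk after the planned mitigations (equals managed if none are planned)."""
    return managed_ale(risk) * remaining_fraction(chosen)


def decide(risk: Risk, appetite_eur: float) -> Decision:
    """Accept within appetite; otherwise take the cheapest mix of planned mitigations
    that brings the residual within appetite; otherwise avoid the activity."""
    managed = managed_ale(risk)
    if managed <= appetite_eur:
        return Decision("Risk acceptance", (), managed, managed)
    best = None
    candidates = risk.planned_mitigations
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            residual = residual_ale(risk, combo)
            if residual > appetite_eur:
                continue   # still beyond appetite: not an acceptable end state
            total = residual + sum(m.annual_cost_eur for m in combo)
            if best is None or total < best.total_annual_cost_eur:
                strategy = " + ".join(sorted({m.strategy for m in combo}))
                best = Decision(strategy, tuple(m.name for m in combo), residual, total)
    if best is None:
        # Nothing brings the risk within appetite: stop the activity that generates it.
        # The business value lost by avoiding is not modelled here.
        return Decision("Risk avoidance", (), 0.0, 0.0)
    return best


# Constructed scenario (not from the presentation): breach of a customer database.
FIREWALL = Mitigation("Perimeter firewall", "Risk reduction", 0.5, 0.0)   # already paid for
ENCRYPTION = Mitigation("Database encryption at rest", "Risk reduction", 0.6, 30_000)
INSURANCE = Mitigation("Cyber insurance", "Risk transfer", 0.7, 45_000)
PAM = Mitigation("Privileged access management", "Risk reduction", 0.5, 20_000)
CUSTOMER_DB = Risk("Customer database breach", 400_000, (FIREWALL,), (ENCRYPTION, INSURANCE, PAM))


if __name__ == "__main__":
    print("inherent ALE (EUR):", CUSTOMER_DB.inherent_ale_eur)
    print("managed ALE (EUR) :", managed_ale(CUSTOMER_DB))
    for appetite in (250_000, 50_000, 5_000):
        d = decide(CUSTOMER_DB, appetite)
        print(f"appetite {appetite:>7}: {d.strategy} {d.mitigations} "
              f"residual={d.residual_ale_eur:.0f} total={d.total_annual_cost_eur:.0f}")
```

With an appetite of 50,000 EUR the search does not pick the combination with the lowest residual (all three measures, 12,000 EUR residual but 95,000 EUR in annual cost); it picks encryption plus privileged access management, which lands within appetite at a lower total. That is the cost-benefit reasoning the closing slide asks senior management to apply, made explicit.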
Conclusions & closing thoughts
• Risk identification and risk assessment activities should always be documented and presented to the company's senior management.
• Risk mitigation strategies should be developed by senior management, based on a cost-benefit approach.
• Risks are present in nearly all of a company's financial and economic activities; the risk management process is an important part of a company's strategic development.
Thank you
Any questions?