
Page 1: Risk Management - ASE management presentation.pdf

Risk Management

• Calita Gheorghita Cristinel

• Bucharest • 09 November 2015

Page 2

Risk Management - content

• Introduction

• Risk identification

• Risk assessment

• Risk mitigation

• Conclusions & closing thoughts

• Q&A

Page 3

Introduction

Page 4

Introduction

• Concept

• Short history

• Frameworks

Page 5

Why do we need Risk Management?

Source: http://www.bankinfosecurity.com/chase-a-6356/op-1

Source: http://www.wsj.com/articles/deutsche-bank-mistakenly-transfers-6-billion-to-clients-account-1445283517

Source: http://lifehacker.com/chase-bank-hacked-info-stolen-for-83-million-accounts-1642063956

Page 6

What is Risk Management?

Definition: Risk Management is defined as the process of identifying risks, assessing their potential impacts on the organization and its mission, determining the likelihood of their occurrence, communicating findings to management and developing and implementing risk mitigation strategies to reduce risks to levels that are acceptable to the organization.

Goal: Risk Management's goal is to create a reference framework that will allow companies to handle risk and uncertainty.

Information Risk Management is the management of the risks involved with manipulating data.

Page 7

Related terms

• Risk

• Likelihood

• Threat source

• Vulnerability

• Impact

• Threat

Page 8

Risk definition

Page 9

Information Risk & CIA Triad

Operational Risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.

IT Risk: the risk of financial and reputational loss due to events leading to breaches of confidentiality, integrity and availability of business processes or information, caused by inadequate information and IT security.

Confidentiality - ensure that data can be accessed only by those who are authorized.

Integrity - prevent unauthorised or inadvertent data modification.

Availability - ensure that data is always available when we need it.

Page 10

Risk identification

Page 11

Risk Identification

• Describe how risks are identified.

• Risks identified through internal assessments:

- Business environment assessments
- Risk and control self-assessments
- IT risk assessments
- Vulnerability assessments (e.g. scans)
- Internal control missions/verifications
- Scenario analysis

• Risks identified via external assessments:

- External audit reports
- External penetration tests
- Responsible disclosure programs
- Emerging external trends/factors, sourced from reputable external sources

Page 12

Controls

• A control is a measure, an action, a process, a requirement, etc. whose ultimate purpose is to mitigate a risk.

• Categories (one grouping):

- Technical (control end-user and system action; e.g. password constraints, access control lists, firewalls, data encryption, antivirus software, intrusion prevention software, etc.)
- Administrative (dictate how activities should be performed; e.g. policies, procedures, guidelines, standards, etc.)
- Operational (e.g. configuration management, incident response, awareness, etc.)

OR (another grouping):

- Preventive (attempt to prevent adverse behavior and actions from occurring; e.g. firewall, IPS, etc.)
- Deterrent (warn a would-be attacker that he should not attack; e.g. fence, beware-of-dog sign, etc.)
- Detective (detect actual or attempted violations of system security; e.g. sensors, IDS, etc.)
- Compensating (backup controls that come into play only when other controls have failed; e.g. backup generator)

Page 13

Risk assessment

Page 14

Risk Assessment – likelihood determination

• Likelihood determination is based on:

Vulnerability nature:

• Operating system, application, database or device affected by the vulnerability

• Whether local or remote access is required to exploit the vulnerability

• The skills and tools required to exploit the vulnerability

Threat source's motivation and capability:

• Motivational factors (e.g. financial gain, revenge, political motivation)

• Capability (e.g. skills, tools, knowledge)

Controls in place:

• The effectiveness of the controls used for preventing the vulnerability exploitation.

Page 15

Risk Assessment – Impact Analysis (I)

• Quantitative approach (financial impact)

Factors may include:

• Range and severity of the issue

• Perceived importance

• Budget involved

• Etc.

ALE: Annual Loss Expectancy - the expected annual loss as a result of a risk to a specific asset.

ALE = Risk impact (in Euros) x Number of occurrences (absolute number per annum) x Likelihood (in %)

Page 16

Risk Assessment – Impact Analysis (II)

• Qualitative approach (non-financial impact) – risk rating table

Source: https://ischool2013.wikispaces.com/file/view/risk-table.jpg/472497818/risk-table.jpg

Page 17

Risk Assessment – risk level matrix

• Risk determination results from the combination of:

- The likelihood
- The magnitude of the impact
- The effectiveness of the controls in place

Critical Risk:
- Major risk to the organization and organizational mission exists
- Corrective actions are mandatory and should be implemented immediately.

High Risk:
- Significant risk to the organization and to organizational mission exists.
- Strong need for corrective actions
- Corrective actions to be implemented as soon as possible

Medium Risk:
- Moderate risk to the organization and to organizational mission exists.
- There is a need for corrective actions.
- Corrective actions to be implemented within a reasonable time

Low Risk:
- A low risk to the organization exists.
- An evaluation is needed to determine whether the risk should be reduced or accepted.
- If it is determined that the risk should be reduced, corrective actions to be implemented within a reasonable time

Page 18

Risk mitigation

Page 19

Risk Mitigation (I) – Inherent, Managed, and Residual Risk

Inherent Risk

• The risk as it is, before the controls are considered

• Applicable for new projects, in the planning phase, considering the threat sources present in the environment, with only its generic controls in place.

Managed Risk

• The risk given the effectiveness of the current control environment

• Requires the identification of all relevant existing specific controls and the assessment of the controls' effectiveness

• If there are no existing controls, the managed risk is the inherent risk

Residual Risk

• The target risk level after mitigation actions have been put in place

• Assessment of the residual risks after planned mitigation actions, related to the target risk appetite of business management

• If there are no additional planned mitigation actions, the residual risk is the managed risk

Page 20

Risk Mitigation (II) – Risk Mitigation Strategies

Flow shown on the slide: Managed Risk -> one of the four strategies below -> Residual Risk. Residual risk within appetite -> Risk Acceptance; residual risk beyond appetite is not accepted and needs further treatment.

Risk Reduction

1. Reducing the likelihood of occurrence

2. Reducing impact

Risk Avoidance

• Stop the activity that generates the risk

Risk Transfer

• Insurance

Risk Acceptance

1. Risk Deviation

2. Risk Acceptances

3. Risk Waiver
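A worked example of the arithmetic on pages 15, 17, 19 and 20, added here and not part of the presentation: it computes ALE with the page 15 formula, rates the result against Critical/High/Medium/Low cut-offs that are assumed (the deck's own rating table is an external image), and carries a constructed customer-database scenario from inherent through managed to residual risk against an assumed risk appetite.

```python
from dataclasses import dataclass

# Assumed cut-offs on expected annual loss (EUR) for page 17's four levels; not from the deck.
THRESHOLDS = (("Critical", 100_000.0), ("High", 25_000.0), ("Medium", 5_000.0))


@dataclass
class Scenario:
    asset: str
    impact_eur: float   # loss per successful event (page 15: "risk impact (in Euros)")
    occurrences: float  # events per annum (page 15: "number of occurrences")
    likelihood: float   # probability an event succeeds, 0.0..1.0 (page 15: "likelihood")


def ale(s: Scenario, control_effectiveness: float = 0.0) -> float:
    """Annual Loss Expectancy = impact x occurrences x likelihood (page 15's formula).
    control_effectiveness (0..1) is the share of events the controls in place stop."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be in [0, 1]")
    loss = s.impact_eur * s.occurrences * s.likelihood * (1.0 - control_effectiveness)
    return round(loss, 2)  # whole cents; also removes float noise


def rate(expected_loss_eur: float) -> str:
    """Map an expected annual loss onto Critical/High/Medium/Low via THRESHOLDS."""
    for level, floor in THRESHOLDS:
        if expected_loss_eur >= floor:
            return level
    return "Low"


def risk_chain(s: Scenario, existing: float = 0.0, planned: float = 0.0,
               appetite_eur: float = 0.0) -> dict:
    """Page 19's chain: inherent (no controls) -> managed (existing controls) ->
    residual (existing plus planned actions); then page 20's decision: residual
    within appetite is accepted, beyond appetite needs further treatment.
    Control layers combine multiplicatively: the second only sees what the first let through."""
    inherent = ale(s)
    managed = ale(s, existing)                                     # == inherent if no controls
    residual = ale(s, 1.0 - (1.0 - existing) * (1.0 - planned))    # == managed if nothing planned
    treatment = "accept" if residual <= appetite_eur else "reduce/avoid/transfer"
    return {"asset": s.asset, "treatment": treatment,
            "inherent": (inherent, rate(inherent)),
            "managed": (managed, rate(managed)),
            "residual": (residual, rate(residual))}


# Constructed sample input: a customer database facing about four intrusion
# attempts a year, each succeeding 10% of the time and costing EUR 500k when it does.
CUSTOMER_DB = Scenario("customer database", impact_eur=500_000, occurrences=4, likelihood=0.10)
```

Calling `risk_chain(CUSTOMER_DB, existing=0.60, planned=0.50, appetite_eur=50_000)` walks the sample from a Critical inherent risk of EUR 200,000 down to a residual EUR 40,000 that sits within appetite.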

Page 21

Conclusions & closing thoughts

Page 22

Conclusion & closing thoughts

Risk identification and risk assessment activities should always be documented and presented to company senior management.

Risk mitigation strategies should be developed by senior management, based on a cost-benefit approach.

Risks are present in nearly all of a company's financial and economic activities – the risk management process is an important part of a company's strategic development.

Page 23

Thank you

Any questions?