Risk Management • Calita Gheorghita Cristinel • Bucharest • 09 November 2015
Risk Management - content • Introduction • Risk identification • Risk assessment • Risk mitigation • Conclusions & closing thoughts • Q&A 2
Introduction
Introduction Concept Short history Frameworks 4
Why we need Risk Management? Source: http://www.wsj.com/articles/deutsche-bank-mistakenly-transfers-6-billion-to-clients-account-1445283517 Source: http://www.bankinfosecurity.com/chase-a-6356/op-1 Source: http://lifehacker.com/chase-bank-hacked-info-stolen-for-83-million-accounts- 1642063956 5
What is Risk Management? Risk Management is defined as the process of identifying Definition: risks, assessing their potential impacts on the organization and its mission, determining the likelihood of their occurrence, communicating findings to management and developing and implementing risk mitigation strategies to reduce risks to levels that are acceptable to the organization. Risk Management’s goal is to create a Goal: reference framework that will allow companies to handle risk and uncertainty. Information Risk Management Is the management of the risks involved with manipulating data. 6
Related terms Likelihood Vulnerability Threat RISK Impact Threat source 7
Risk definition 8
Information Risk & CIA Triad The risk of direct or indirect loss resulting from inadequate or failed Operational internal processes, people and systems, or from external events Risk The risk of financial and reputational loss due to events leading to breaches IT Risk of confidentiality, integrity and availability of business processes or information caused by inadequate information and IT security. Confidentiality - ensure that data can be accessed only by those who are authorized. Integrity - prevent unauthorised or inadvertent data modification. Availability - ensure that data is always available when we need it 9
Risk identification
Risk Identification Describe how risks are identified. • Risks identified through internal assessments: • Business environment assessments - Risk and control self assessments - IT risk assessments - Vulnerability assessments (e.g. scans) - Internal control missions/verifications - Scenario analysis - Risks identified via external assessments: • External audit reports; - External penetration tests; - Responsible disclosure programs; - Emerging external trends/factors, sourced - from reputable external sources; • 11
Controls • A control is a measure, an action, a process, a requirement, etc. that has the final scope to mitigate a risk. • Categories…. Preventive (attempt to prevent adverse behavior and actions from occurring; e.g. firewall, IPS, etc.) Technical (control end-user and system action; e.g. passwords constraints, access control Deterrent (warn a would-be attacker that he lists, firewalls, data encryption, antivirus software, intrusion prevention software, etc.) should not attack; e.g. fence, dog sign, etc.) OR Administrative (dictates how the Detective (detect actual or attempted activities should be performed; e.g. policies, procedures, guidelines, standards, etc.) violations of system security; e.g. sensors IDS, etc.) Operational (e.g. configuration Compensating (backup controls that management, incident response, awareness, etc.) come into play only when other controls have failed; e.g. backup generator) 12
Risk assessment
Risk Assessment – likelihood determination • Likelihood determination . Based on the: Vulnerability Nature Threat source’s Controls in place motivation and • Operating system, application, • The effectiveness of the controls capability database or device affected by used for preventing the the vulnerability vulnerability exploitation . • Threat source motivational factors (e.g. financial gain, • Whether local or remote access revenge. Political motivation) is required to exploit the vulnerability • Capability (e.g. skills, tools, knowledge) • The skills and tools required to exploit the vulnerability 14
Risk Assessment – Impact Analysis (I) Quantitative approach (financial impact) • = x Likelihood (in %) x Number of IMPACT occurrences RISK (in Euro’s) ( absolute nr. € per annum) Factors may ALE: include: Annual Loss • Range and severity of Expectancy issue - The expected • Perceived importance annual loss as a • Budget involved result of a risk to a • Etc. specific asset 15
Risk Assessment – Impact Analysis (II) Qualitative approach (non-financial impact) – risk rating table • Source: https://ischool2013.wikispaces.com/file/view/risk-table.jpg/472497818/risk-table.jpg 16
Risk Assessment – risk level-matrix • Risk determination Critical Risk : - Major risk to the organization and organizational mission exists - Corrective actions are mandatory and should be implemented immediately. High Risk : - Significant risk to the organization and to organizational mission exists. Results from the combination of: - Strong need for corrective actions - Corrective actions to be implemented as soon as possible The likelihood The magnitude of the impact Medium Risk : The effectiveness of the controls in - Moderate risk to the organization and to organizational mission exists. - There is a need for corrective actions . place -Corrective actions to be implemented within reasonable time Low Risk : - A low risk to the organization exists. - A evaluation needed to determine if the risk should be reduced or it should be accepted. - If it is determined tat the risk should be reduced, corrective actions to be implemented within reasonable time 17
Risk mitigation
Risk Mitigation (I) Inherent, Managed, and Residual Risk • The risk as it is, before the controls are considered Inherent Risk • Applicable for new projects, in the planning phase, considering the source threats present in the environment, only with its generic controls in place. • The risk given the effectiveness of the current control environment Managed Risk • Requires the identification of all relevant existing specific controls and the assessment of the controls’ effectiveness • If there are no existing controls, the managed risk is the inherent risk • The target risk level after mitigation actions have been put in place • Assessment of the residual risks after planned mitigation Residual Risk actions and related to the target risk appetite of business management • If there are no additional planned mitigation actions, the residual risk is the managed risk 19
R i sk M i t i gat i on ( II ) R i sk M M i t i gat i on S S t rat egi es M anaged R R i sk R educi ng t he l i kel i hood of R i sk 1 . occurrence R educt i on R educi ng I I m pact 2 . R i sk R i sk T T ransf er R i sk A A voi dance R i sk A A ccept ance R i sk S t op t he act i vi t y t hat R educt i on A voi dance generat es t he ri sk R i sk I nsurance T ransf er R esi dual R R i sk R i sk D D evi at i on R i sk 1 . Residual risk beyond appetite R i sk A ccept ances A ccept ance 2 . R i sk W W ai ver 3 . R esi dual ri sk w i t hi n appet i t e R i sk A A ccept ance 20
Conclusions & closing thoughts
Conclusion & closing thoughts Risk identification and risk assessment activities should always be documented and presented to company senior management. Risk mitigation strategies should be developed by senior management , based on cost-benefit approach. Risks are present in nearly all of company’s financial and economical activities – risk management process is an important part of company’s strategic development. 22
Thank you Any questions?
Recommend
More recommend
