Risk Management - Calita Gheorghita Cristinel - Bucharest - PowerPoint PPT Presentation



SLIDE 1

Risk Management

  • Calita Gheorghita Cristinel
  • Bucharest, 09 November 2015

SLIDE 2

Risk Management - content

  • Introduction
  • Risk identification
  • Risk assessment
  • Risk mitigation
  • Conclusions & closing thoughts
  • Q&A

SLIDE 3

Introduction

SLIDE 4

Introduction

  • Concept
  • Short history
  • Frameworks

SLIDE 5

Why do we need Risk Management?

Source: http://www.bankinfosecurity.com/chase-a-6356/op-1
Source: http://www.wsj.com/articles/deutsche-bank-mistakenly-transfers-6-billion-to-clients-account-1445283517
Source: http://lifehacker.com/chase-bank-hacked-info-stolen-for-83-million-accounts-1642063956

SLIDE 6

What is Risk Management?

Definition: Risk Management is defined as the process of identifying risks, assessing their potential impacts on the organization and its mission, determining the likelihood of their occurrence, communicating findings to management and developing and implementing risk mitigation strategies to reduce risks to levels that are acceptable to the organization.

Information Risk Management is the management of the risks involved with manipulating data.

Goal: Risk Management's goal is to create a reference framework that will allow companies to handle risk and uncertainty.

SLIDE 7

Related terms

(Diagram) RISK: Threat source, Threat, Vulnerability, Likelihood, Impact

SLIDE 8

Risk definition

SLIDE 9

Information Risk & CIA Triad

Operational Risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.

IT Risk: the risk of financial and reputational loss due to events leading to breaches of confidentiality, integrity and availability of business processes or information, caused by inadequate information and IT security.

  • Confidentiality - ensure that data can be accessed only by those who are authorized.
  • Integrity - prevent unauthorised or inadvertent data modification.
  • Availability - ensure that data is always available when we need it.

SLIDE 10

Risk identification

SLIDE 11

Risk Identification

  • Describe how risks are identified.
  • Risks identified through internal assessments:
    • Business environment assessments
    • Risk and control self assessments
    • IT risk assessments
    • Vulnerability assessments (e.g. scans)
    • Internal control missions/verifications
    • Scenario analysis
  • Risks identified via external assessments:
    • External audit reports
    • External penetration tests
    • Responsible disclosure programs
    • Emerging external trends/factors, sourced from reputable external sources

SLIDE 12

Controls

  • A control is a measure, an action, a process, a requirement, etc. whose final scope is to mitigate a risk.
  • Categories:
    • Technical (control end-user and system action; e.g. password constraints, access control lists, firewalls, data encryption, antivirus software, intrusion prevention software, etc.)
    • Administrative (dictate how the activities should be performed; e.g. policies, procedures, guidelines, standards, etc.)
    • Operational (e.g. configuration management, incident response, awareness, etc.)
  • OR:
    • Preventive (attempt to prevent adverse behavior and actions from occurring; e.g. firewall, IPS, etc.)
    • Deterrent (warn a would-be attacker that he should not attack; e.g. fence, dog sign, etc.)
    • Detective (detect actual or attempted violations of system security; e.g. sensors, IDS, etc.)
    • Compensating (backup controls that come into play only when other controls have failed; e.g. backup generator)

SLIDE 13

Risk assessment

SLIDE 14

Risk Assessment – likelihood determination

  • Likelihood determination. Based on the:
    • Vulnerability nature:
      • Operating system, application, database or device affected by the vulnerability
      • Whether local or remote access is required to exploit the vulnerability
      • The skills and tools required to exploit the vulnerability
    • Threat source's motivation and capability:
      • Motivational factors (e.g. financial gain, revenge, political motivation)
      • Capability (e.g. skills, tools, knowledge)
    • Controls in place:
      • The effectiveness of the controls used for preventing the vulnerability exploitation.

SLIDE 15

Risk Assessment – Impact Analysis (I)

  • Quantitative approach (financial impact). Factors may include:
    • Range and severity of issue
    • Perceived importance
    • Budget involved
    • Etc.
  • ALE: Annual Loss Expectancy - the expected annual loss as a result of a risk to a specific asset

RISK = IMPACT (in Euro's) x Likelihood (in %) x Number of occurrences (absolute nr. per annum)

SLIDE 16

Risk Assessment – Impact Analysis (II)

  • Qualitative approach (non-financial impact) – risk rating table

Source: https://ischool2013.wikispaces.com/file/view/risk-table.jpg/472497818/risk-table.jpg

SLIDE 17

Risk Assessment – risk level matrix

  • Risk determination results from the combination of:
    • The likelihood
    • The magnitude of the impact
    • The effectiveness of the controls in place

Critical Risk:
  • Major risk to the organization and organizational mission exists.
  • Corrective actions are mandatory and should be implemented immediately.

High Risk:
  • Significant risk to the organization and to organizational mission exists.
  • Strong need for corrective actions.
  • Corrective actions to be implemented as soon as possible.

Medium Risk:
  • Moderate risk to the organization and to organizational mission exists.
  • There is a need for corrective actions.
  • Corrective actions to be implemented within a reasonable time.

Low Risk:
  • A low risk to the organization exists.
  • An evaluation is needed to determine if the risk should be reduced or accepted.
  • If it is determined that the risk should be reduced, corrective actions are to be implemented within a reasonable time.

SLIDE 18

Risk mitigation

SLIDE 19

Risk Mitigation (I) – Inherent, Managed, and Residual Risk

Inherent Risk:
  • The risk as it is, before the controls are considered.
  • Applicable for new projects, in the planning phase, considering the threat sources present in the environment, with only its generic controls in place.

Managed Risk:
  • The risk given the effectiveness of the current control environment.
  • Requires the identification of all relevant existing specific controls and the assessment of the controls' effectiveness.
  • If there are no existing controls, the managed risk is the inherent risk.

Residual Risk:
  • The target risk level after mitigation actions have been put in place.
  • Assessment of the residual risks after planned mitigation actions, related to the target risk appetite of business management.
  • If there are no additional planned mitigation actions, the residual risk is the managed risk.

SLIDE 20

Risk Mitigation (II) – Risk Mitigation Strategies

(Diagram) Managed Risk -> Risk Reduction | Risk Avoidance | Risk Transfer | Risk Acceptance -> Residual Risk -> Risk Acceptance

  • Residual risk beyond appetite:
    • Risk Reduction: 1. Reducing the likelihood of occurrence; 2. Reducing Impact
    • Risk Avoidance: Stop the activity that generates the risk
    • Risk Transfer: Insurance
    • Risk Acceptance: 1. Risk Deviation; 2. Risk Acceptances; 3. Risk Waiver
  • Residual risk within appetite: Risk Acceptance
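As an added worked example (not part of the deck), the ALE formula from slide 15 is carried through the inherent -> managed -> residual chain of slide 19 and the strategy choice of slide 20; the sample values, the rule that a control's effectiveness removes that share of the likelihood, and the insured-share model for transfer are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    """One risk to one asset, in the terms of slide 15."""
    name: str
    impact_eur: float   # IMPACT (in Euro's) per occurrence
    likelihood: float   # Likelihood (as a fraction: 0.30 means 30 %)
    occurrences: float  # Number of occurrences (absolute nr. per annum)

    def ale(self) -> float:
        # Slide 15: RISK = IMPACT x Likelihood x Number of occurrences
        return self.impact_eur * self.likelihood * self.occurrences

def managed_risk(inherent: Risk, control_effectiveness: float) -> Risk:
    """Slide 19: the risk given the effectiveness of existing controls.
    Assumption (not from the deck): a control that is 60 % effective removes
    60 % of the likelihood; with no controls (0.0) managed risk == inherent risk."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return replace(inherent, likelihood=inherent.likelihood * (1 - control_effectiveness))

def residual_risk(managed: Risk, strategy: str, **kw) -> Risk:
    """Slide 20: apply one mitigation strategy to the managed risk."""
    if strategy == "accept":    # no further action: residual risk == managed risk
        return managed
    if strategy == "avoid":     # stop the activity that generates the risk
        return replace(managed, occurrences=0.0)
    if strategy == "transfer":  # insurance pays the insured share of the impact
        return replace(managed, impact_eur=managed.impact_eur * (1 - kw["insured_fraction"]))
    if strategy == "reduce":    # 1. reduce the likelihood and/or 2. reduce the impact
        return replace(managed,
                       likelihood=managed.likelihood * (1 - kw.get("likelihood_cut", 0.0)),
                       impact_eur=managed.impact_eur * (1 - kw.get("impact_cut", 0.0)))
    raise ValueError(f"unknown strategy {strategy!r}")

def within_appetite(risk: Risk, appetite_eur: float) -> bool:
    """Slide 20: residual risk within appetite -> accept; beyond -> mitigate further."""
    return risk.ale() <= appetite_eur

# Constructed sample values (not from the deck).
INHERENT = Risk("phishing of finance staff", impact_eur=50_000, likelihood=0.40, occurrences=2)
MANAGED = managed_risk(INHERENT, control_effectiveness=0.50)        # e.g. MFA + awareness
RESIDUAL = residual_risk(MANAGED, "reduce", likelihood_cut=0.50, impact_cut=0.20)

if __name__ == "__main__":
    for label, r in (("inherent", INHERENT), ("managed", MANAGED), ("residual", RESIDUAL)):
        print(f"{label:8s} ALE = {r.ale():>8,.0f} EUR")
    print("accept" if within_appetite(RESIDUAL, 5_000) else "mitigate further")
```

With these sample values the ALE falls from 40,000 EUR (inherent) to 20,000 EUR (managed) to 8,000 EUR (residual), which is still beyond a 5,000 EUR appetite, so a further strategy such as transfer would be needed before acceptance.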

SLIDE 21

Conclusions & closing thoughts

SLIDE 22

Conclusion & closing thoughts

Risk identification and risk assessment activities should always be documented and presented to company senior management.

Risk mitigation strategies should be developed by senior management, based on a cost-benefit approach.

Risks are present in nearly all of a company's financial and economic activities – the risk management process is an important part of the company's strategic development.

SLIDE 23

Thank you

Any questions?