risk management who i am
play

Risk Management Who I Am B.S. Business Administration MIS - PowerPoint PPT Presentation

Oct 03, 2022 •160 likes •446 views

Risk Management Who I Am B.S. Business Administration MIS Master of Business Administration (MBA) Information Assurance Consulting SFS Scholar School of Nursing Graduate Assistant Security Development

  1. Risk Management

  2. Who I Am ● B.S. Business Administration ○ MIS ● Master of Business Administration (MBA) ○ Information Assurance ○ Consulting ○ SFS Scholar ○ School of Nursing Graduate Assistant ○ Security Development Track ● Department of Homeland Security ○ NPPD, CS&C, +2-3 more I am not representing the United States Government. United States Government does not necessarily endorse, support, sanction, encourage, verify or agree with the comments, opinions, or statements of the following presentation.

  3. What is Risk?

  4. Risk & Agenda ● is the potential of losing something of value ● Risk Process or Risk Management Life Cycle ● Risk = Likelihood X Impact ○ Likelihood - chance of a risk event occurring ○ Impact - Financial impact of the risk event ● Risk Appetite & Tolerance ● Risk Register ● Security Frameworks ● Compliance

  5. WARNING!

  6. Mini Case-Study Your team (4 people) have been hired by SUNY UB to implement a security framework for various compliance. First things first, you will need to setup a risk management plan. SUNY UB is a large organization, one of the largest university of the SUNY system. ~30,000 Students; ~6,000 Employees, ~2,500 Faculty, ~$716M Budget, ~12 Schools, ~40 Departments. Let’s discuss

  7. Planning ● Scope & boundary ● Resources ● Criteria ● Policy ● Enforcement ● Information Classification and Handling

  8. Risk Management Information Security Policies Communications Security Organization of Information Security System Acquisition, Development, and Maintenance Human Resources Security Supplier Relationships Asset Management Information Security Incident Management Access Control Information Security Aspects of Business Encryption Continuity Management Physical and Environmental Security Compliance Operations Security Career and Workforce Development

  10. Mini Case-Study Active Directory (User Management) Students’ Computers Exchange (Email) Wifi File Servers UBLearns Print Servers VoIP System Network (Switches & Routers) Workstations Server Rooms Offices

  11. Assets Inventory Physical Access Ownership Network Acceptable Use User Impact to the business Software Hardware Operational Procedural and Policy Information and Data

  12. Mini Case-Study Active Directory (User Management) Students’ Computers Exchange (Email) Wifi File Servers UBLearns Print Servers Research Assets VoIP System Hypervisor (Virtualization) Network (Switches & Routers) Classrooms Workstations Software Server Rooms Sensitive Data/Information Offices UBHub

  13. Mini Case-Study Asset Asset Inventory & Use UBHub - Students’ PII, Grades, Schedule - Employee Info - Databases & ODBC - Multiple Privilege & Regular Users Exchange (Email) - PII?, Privacy, Grades? - Conversations - Personal & Business - Research - Multiple Privilege & Regular Users Server Rooms - Hypervisor (Virtual Machines) - Network Equipment - Users with Physical Access - Data & Info

  14. Threats Internal to our organization External to our organization o Budget loss for needed projects o Regulatory o Systems growing overly complex o Legal o System failures o Environmental / Weather related o Staff turnover o Utility related o Insider threats o Natural disasters o Politics/Agendas o Economic o Geo-political o Civil unrest o Cybersecurity events

  15. Vulnerabilities - Similar to Threats - What is the Likelihood of exploitation? - Weaknesses or gap - How can it be exploited? - Not just technical controls - Usually specific

  16. Mini Case-Study Asset Asset Inventory & Use Threats Vulnerabilities UBHub - Students’ PII, Grades, Schedule - Failure - Employee Info - Insider Threats - Databases & ODBC - Overly Complex - Multiple Privilege & Regular - Regulations and Users Legal Exchange - PII, Privacy, Grades - Regulations and - Misconfigured, (Email) - Conversations - Personal & Legal Patching behind Business - System Failure - Too much access - Research - Complexity - Lack of knowledge - Multiple Privilege & Regular - Staff Turnover - Stored PII Users - Insider Threats Server - Hypervisor (Virtual Machines) - Natural Disasters - Physical Access Rooms - Network Equipment - Utilities - Location - Physical Access Needed - Civil Unrest - Older HVAC - Data & Info - Staff Turnover - Older equipment - Budgets, $$$$ - No Documentation

  17. Risk Identification & Risk Analysis ● Follow consistent criteria and measurements ● Prioritize and plan (risk treatment) ● Risk Register & Matrix ● Impact ● Likelihood ● Security Frameworks

  18. Mini Case-Study Asset Threats Vulnerabilities Impact Likelihood Risk UBHub - Failure - Too much access Medium Low Medium - Insider Threats - No Documentation - Overly Complex - Misconfigured - Regulations and - Lack of Knowledge Legal Exchange - Regulations and - Misconfigured, Medium Low Medium (Email) Legal Patching behind - System Failure - Too much access - Complexity - Lack of knowledge - Staff Turnover - Stored PII - Insider Threats Server - Natural - Physical Access High Medium High Rooms Disasters - Location - Utilities - Older HVAC - Civil Unrest - Older equipment - Staff Turnover - No Documentation - Budgets, $$$$

  19. Mini Case-Study Asset Threats Vulnerabilities Impact Likelihood Risk UBHub - Failure - Too much access $1.5M 3 $4.5M - Insider Threats - No Documentation - Overly Complex - Misconfigured - Regulations and - Lack of Knowledge Legal Exchange - Regulations and - Misconfigured, $1M 2 $2M (Email) Legal Patching behind - System Failure - Too much access - Complexity - Lack of knowledge - Staff Turnover - Stored PII - Insider Threats Server - Natural - Physical Access $3M 6 $18M Rooms Disasters - Location - Utilities - Older HVAC - Civil Unrest - Older equipment - Staff Turnover - No Documentation - Budgets, $$$$

  20. Risk Response Avoid Transfer/Share Mitigate Accept

  21. Mini Case-Study Asset Vulnerabilities Risk POA&M or Risk Treatment UBHub - Too much access Medium - Restriction of Users (Least - No Documentation Privilege Principle) - Misconfigured - Documentation - Lack of Knowledge - Within a year Exchange - Misconfigured, Medium - Restriction of Users (Least (Email) Patching behind Privilege Principle) - Too much access - Documentation - Lack of knowledge - Encryption - Stored PII - With two years Server Rooms - Physical Access High - Replacement of HVAC and - Location equipment - Older HVAC - Documentation - Older equipment - Access Control - Card System - No Documentation - With 6 months

  22. Mini Case-Study Asset Vulnerabilities Risk POA&M or Risk Treatment UBHub - Too much access Medium - Restriction of Users (Least Privilege Principle) - Within a year - No Documentation Medium - Documentation - Lack of Knowledge - Encryption - With two years - Misconfigured High - Reconfiguration and Documentation with screenshots - Contact Consultants - Within 6 months *Ownership of Assets

  23. Monitoring Risk ● Yearly reviews/audits ● Change in policies ● New risk assessment criterias ● Change in criminal landscape ● Risk Dashboards

  24. Mini Case-Study Asset Vulnerabilities Risk POA&M or Risk Treatment Yearly Check UBHub - Too much Medium - Restriction of Users - No changes access (Least Privilege occurred, Possible Principle) DATO needed - Within a year - No Medium - Documentation - Encryption is in Documentation - Encryption testing environment - Lack of - With two years Knowledge - Misconfigured High - Reconfiguration and - Configured properly, Documentation with Risk Mitigated screenshots - Contact Consultants - Within 6 months

  25. Information and Data | Handling and Classification ● At Rest ● Public ● In Transit ● Internal ● Disposal ● Departmental ● Hard Copy ● Confidential/Sensitive ● Electrical Format ● Highly Restricted ● Storage Media ● Need to Know ● Least Privilege

  26. Security Frameworks Compliance ● COBIT ● HIPAA ● ISO 27000 Series ● FERPA ○ 27001 ● PCI-DSS ● NIST SP 800 Series ● FISMA ○ NIST 800-53 ● State Laws ● International Laws

  27. Risk Management - Summarized ● Planning! ● Compliance ○ Scope, Boundaries ● Security Frameworks ● Asset Management ● Planning ● Threat Identification ● Asset Management ● Vulnerability Identification ● Threat Identification ○ Auditing and Reviews ● Risk Assessment ● Risk Assessment ● Vulnerability Identifications ○ Asset Risk Level ● Risk Treatment & Governance ○ Threat Risks ● Monitoring ○ Vulnerability Risks ● Risk Treatment or Risk Response ● Monitoring ● Security Framework ● https://www.nist.gov/cyberframework ● Compliance ● Info Handling and Classifications

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op.

Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op.

Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op. Risk Management Board of Enterprise Risk Senior Management Committees Directors Management Credit Risk Cross-Border Exposure Country Rating

453 views • 6 slides
What is Risk Management? What is Risk Management? A (great) management tool Focus

What is Risk Management? What is Risk Management? A (great) management tool Focus

Proudly Presents How To Establish Functional Risk Management in Your Public Entity R. J oy J ackson, City of London Tina Gardiner, Region of York RIMS, Ottawa, 2011 What is Risk Management? What is Risk Management? A (great)

463 views • 24 slides
Preparedness Preliminary risk management Risk assessment Risk management Risk

Preparedness Preliminary risk management Risk assessment Risk management Risk

FAO/WHO guide for application of risk analysis principles to food safety emergencies Food Recall and Traceability (February 2013, Thailand) Preparedness Preliminary risk management Risk assessment Risk management Risk

440 views • 39 slides
Group Risk Management May 10, 2010 David Benson Chief Risk Officer Agenda 1 . Risk Management

Group Risk Management May 10, 2010 David Benson Chief Risk Officer Agenda 1 . Risk Management

Risk Management Group Risk Management May 10, 2010 David Benson Chief Risk Officer Agenda 1 . Risk Management Framework - 4 Pillars 2 . Risk Appetite pp 3 . Economic Capital Analysis 4 . Illiquid Asset Analysis 2 1. Risk Management

562 views • 10 slides
Introduction to Risk Management (Theory & Practice) DCU Risk & Compliance Officer

Introduction to Risk Management (Theory & Practice) DCU Risk & Compliance Officer

Risk Management Introduction to Risk Management (Theory & Practice) DCU Risk & Compliance Officer November 2015 Risk Management Sections 1) Aims of presentation 7) Tips for success 2) What is Risk Management (RM)? 8) Why RM may

533 views • 32 slides
ARM A commodity risk management system. 1. . ARM: : A commodity ri risk management system.

ARM A commodity risk management system. 1. . ARM: : A commodity ri risk management system.

ARM A commodity risk management system. 1. . ARM: : A commodity ri risk management system. ARM is a complete suite allowing the management of market risk and operational risk for commodities derivatives. 4 main modules are available:

848 views • 26 slides
ARM A commodity risk management system. 1. . ARM: : A commodity ri risk management system.

ARM A commodity risk management system. 1. . ARM: : A commodity ri risk management system.

ARM A commodity risk management system. 1. . ARM: : A commodity ri risk management system. ARM is a complete suite allowing the management of market risk and operational risk for commodities derivatives. 4 main modules are available:

543 views • 31 slides
Risk Management Ken Haas USA Hockey Atlantic District Risk Manager 1 Risk Management Risk

Risk Management Ken Haas USA Hockey Atlantic District Risk Manager 1 Risk Management Risk

Risk Management Ken Haas USA Hockey Atlantic District Risk Manager 1 Risk Management Risk Management What you need to know 2 Risk Management for Coaches What do you need to know? Pennsylvania Act 15 Insurance Issues Inj

908 views • 22 slides
Construction Contract: Risk management EPCC Contract Management 1 Can We Ignore Risk ?

Construction Contract: Risk management EPCC Contract Management 1 Can We Ignore Risk ?

Construction Contract: Risk management EPCC Contract Management 1 Can We Ignore Risk ? Construction is a risky business Why wait till the risk occurs? Knowing the objectives of risk management 2 Risk Recognition Dr. Julian

921 views • 90 slides
RISK RISK MA MANAGEMENT GEMENT Background Checks OSYSA Risk Management Policy

RISK RISK MA MANAGEMENT GEMENT Background Checks OSYSA Risk Management Policy

RISK RISK MA MANAGEMENT GEMENT Background Checks OSYSA Risk Management Policy Concussion Safe Sport OSYSA Risk Management Jeff Rossi OS Board member, Risk Management Coordinator Jim Sturm OS Board member,

610 views • 14 slides
1/12/2015 Chapter 3 Introduction to Risk Managem ent Agenda Meaning of Risk Management

1/12/2015 Chapter 3 Introduction to Risk Managem ent Agenda Meaning of Risk Management

1/12/2015 Chapter 3 Introduction to Risk Managem ent Agenda Meaning of Risk Management Objectives of Risk Management Steps in the Risk Management Process Benefits of Risk Management Personal Risk Management Meaning of Risk

371 views • 12 slides
1 Risk in hospitals Legal Risk Clinical risk Risk arising out of failure to comply with

1 Risk in hospitals Legal Risk Clinical risk Risk arising out of failure to comply with

Effective Risk Management Dr Rohini Sridhar MD FRCPA Dr. Rohini Sridhar, MD, FRCPA Chief Operating Officer, Apollo Speciality Hospital, Madurai Risk Management programme Identification of risk Strategies to avoid risk Strategies

494 views • 8 slides
1/16/2018 THE OBJECTIVE OF RISK MANAGEMENT Risk Management Suppose the firm is closely

1/16/2018 THE OBJECTIVE OF RISK MANAGEMENT Risk Management Suppose the firm is closely

1/16/2018 THE OBJECTIVE OF RISK MANAGEMENT Risk Management Suppose the firm is closely owned Proprietorship Partnership Privately held corporation Suppose the owner(s) are risk averse Risk management can make

297 views • 8 slides
INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Risk Management Program Information

INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Risk Management Program Information

INFORMATION TECHNOLOGY SERVICES INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Risk Management Program Information Security & Privacy Office June 8, 2017 Version 1.5.7 Risk Management at Florida State University Risk assessments

549 views • 11 slides
Risk Management, Compliance and CRA October 25, 2018 Hosted By: Michael Gallagher Chief Risk

Risk Management, Compliance and CRA October 25, 2018 Hosted By: Michael Gallagher Chief Risk

Risk Management, Compliance and CRA October 25, 2018 Hosted By: Michael Gallagher Chief Risk Officer, EVP 1 Todays Agenda Risk Management Risk governance Enterprise Risk Management Community Reinvestment Act Operational Risk

366 views • 23 slides
Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize

789 views • 61 slides
Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at

Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at

Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at Trend Micro @marknca The goal of cybersecurity Make sure that systems work as intended The goal of cybersecurity Make sure that systems work as

824 views • 45 slides
SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

Anil Dhawan, Program Manager Rich Internet Applications Windows Mobile [anild@microsoft.com] Geir Olsen, Program Manager Security for Windows Mobile [geiro@microsoft.com] Microsoft Corp SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON

454 views • 6 slides
Application access to directories opening Pandoras box Victoriano Giralt Central Computing

Application access to directories opening Pandoras box Victoriano Giralt Central Computing

The problem The cure The solution Application access to directories opening Pandoras box Victoriano Giralt Central Computing Facility University of Mlaga A November 5th, 2008 Victoriano Giralt Application access to

1.11k views • 78 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood University of Wisconsin-Madison Presented by : Yash Bhalgat, Arun Subramaniyan Key Id Ideas and goals Sharing memory between host and

596 views • 21 slides
Cloud Security An IAM GAME Nathaniel Beckstead whoami I am here because I love to give

Cloud Security An IAM GAME Nathaniel Beckstead whoami I am here because I love to give

Cloud Security An IAM GAME Nathaniel Beckstead whoami I am here because I love to give presentations. @scriptingislife https:/ /scriptingis.life https:/ /glimpseid.com 2 What is the cloud? 3 What is the cloud? 4 What is the cloud? 5

1.12k views • 32 slides
Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1.

Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1.

Introduction to Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1. Homework 1 is due next Wednesday! Remember that Monday is a holiday, so no office hours 2. Remember to start forming final project

877 views • 48 slides

More recommend