Networks ∙ Services ∙ People www.geant.org
Risk Registers: The Good, The Bad, Making Real Change
Wayne Routly, SA3T1 TL, SA6T4 TL, Security Coordinator, Head of Information & Infrastructure Security, GEANT Association
ISM-SIG Workshop, London UK, 13th May 2015
A risk register is a risk management tool commonly used in risk management and compliance. It acts as a central repository for all risks identified by the organisation and, for each risk, includes information such as source, nature, treatment option, existing counter-measures, recommended counter-measures …
What is a ….
- Understand the nature of the risks the organization faces.
- Become aware of the extent of those risks.
- Recognize its ability to control and reduce risk.
- Report the risk status at any point in time.
- Have in place risk event "early warning" factors and upward reporting thresholds.
Benefits of Risk Registers
Threat x Vulnerability x Cost = Risk (Risk Score (Exposure) = Probability x Impact)
- Threat
Threat is the frequency of potentially adverse events.
- Vulnerability
Vulnerability is the likelihood of success of a particular threat category against a particular organization.
- Cost
Cost is the total cost of the impact of a particular threat experienced by a vulnerable target.
Calculating Risk
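The formula above, combined with the register fields and upward reporting thresholds mentioned earlier, as an added example that is not part of the original slides. The field names, the units (events per year, probability between 0 and 1, cost per event), the sample entries and the reporting threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    risk_id: str
    source: str           # where the risk was identified
    nature: str           # short description of the risk
    treatment: str        # treatment option, e.g. mitigate / accept / transfer
    threat: float         # assumed unit: adverse events per year
    vulnerability: float  # likelihood (0..1) that such an event succeeds
    cost: float           # assumed unit: total cost of one successful event

    def exposure(self) -> float:
        # Threat x Vulnerability x Cost = Risk; threat x vulnerability plays
        # the role of probability, cost the role of impact.
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability must be a likelihood in [0, 1]")
        if self.threat < 0 or self.cost < 0:
            raise ValueError("threat and cost must be non-negative")
        return self.threat * self.vulnerability * self.cost

class RiskRegister:
    def __init__(self, report_threshold: float):
        self.report_threshold = report_threshold  # upward reporting threshold
        self._entries = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.risk_id in self._entries:
            raise KeyError(f"{entry.risk_id} is already in the register")
        entry.exposure()  # reject entries that cannot be scored
        self._entries[entry.risk_id] = entry

    def ranked(self):
        # Highest exposure first, so the register reads as a priority list.
        return sorted(self._entries.values(), key=RiskEntry.exposure, reverse=True)

    def to_report_upward(self):
        return [e.risk_id for e in self.ranked()
                if e.exposure() >= self.report_threshold]

def build_sample_register() -> RiskRegister:
    # Constructed sample entries, not taken from the presentation.
    reg = RiskRegister(report_threshold=10_000)
    reg.add(RiskEntry("R-001", "vulnerability scan", "unpatched service",
                      "mitigate", threat=12, vulnerability=0.25, cost=8_000))
    reg.add(RiskEntry("R-002", "project risk assessment", "single point of failure",
                      "accept", threat=0.5, vulnerability=0.5, cost=20_000))
    reg.add(RiskEntry("R-003", "incident review", "phishing against staff",
                      "mitigate", threat=16, vulnerability=0.125, cost=6_000))
    return reg
```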
Example Risk Register (Example)
Example Risk Register (Cont)
- Project leaders, managers and everyone responsible for oversight of a project must perform a risk assessment before commencing with any new project. If a user is impacted by any change or the implementation of a new project affects users or departments, then a risk assessment must be performed.
- When performing a risk assessment, all stakeholders must either participate or contribute to the initial threat assessment and the resultant risk assessment. Stakeholders comprise departments affected or involved in the project.
- A corporate Risk Register is in place where all risks affecting the network and services of the GÉANT project and GEANT Ltd are assessed. If a new risk or associated threats have been identified (e.g. by a Nessus vulnerability scan), a new entry has to be added to the Risk Register.
Trigger & Responsibilities
Why have A Register?
Thank you