
IS Risk Management Framework Overview - PowerPoint Presentation

Uploaded by sadie (@sadie) on 2023-11-06



Presentation Transcript

1. IS Risk Management Framework Overview
QCERT

2. Target Audience (5/8/2018)
This session is primarily intended for:
- Senior executives / Decision Makers
- IS / IT Security Managers and Auditors
- CIO / IT Managers
- Business Managers (Process Owners)
- System and Information Owners
- Governance, Risk & Compliance Managers

3. Table of Contents
- Need
- Risk Management
- IS Risk Management
- Why manage IS Risk?
- Benefits
- How to manage IS Risk?
- IS Risk Management Framework
- Approach
- Success Factors
- Organizational Commitment
- IS Risk Assessment Plan

4. Need

5. Need

6. Need
A Chinese saying in the IS Risk Management context:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself and not the enemy, for every victory gained you will suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Diagram labels: Organization's "Crown Jewels"; Attract threats; Biggest vulnerabilities; Threshold for pain; Information Security Risk Management (ISRM); Hacker interest; Government implication

7. Risk Management
What is Risk? Risk is the potential of losing something of value, e.g. information.
What is Risk Management? A systematic approach for managing risks within an organization.

8. IS Risk Management
Information Security Risk Management: the process of identifying and assessing information security risks and taking steps to reduce risk to an acceptable level.
Information Security Risk: the likelihood of a threat source taking advantage of a vulnerability (example: a data breach).
Diagram: What could go wrong? How likely is it? What are the impacts? These combine into a Risk Level, which drives the decision to MANAGE RISK.

9. Why manage IS Risk?
Consequences of not managing it:
- Failure to meet organizational goals & objectives
- Audit observations
- Non-compliance with global / regional compliance requirements
- Non-compliance with Qatar legal & regulatory requirements
- Inability to manage risks proactively
- Inability to manage outsourcing or third-party risks
- Excess compliance cost

10. Benefits
- Qatar National Cyber Security Strategy
- National Information Assurance
- Critical Information Infrastructure Protection (CIIP) Law
- Cyber Crime Law
- ISO 27005:2011 Standard

11. Benefits
- Visibility of IS risks / opportunities;
- Compliance with regulatory requirements;
- Identification of critical information assets;
- Reduced frequency & magnitude of IS incidents;
- More informed decisions;
- Raised awareness of information security risks;
- Increased trust from customers and shareholders;
- A driver for business continuity planning; and
- Demonstrated good corporate governance.
Achieve a balance.

12. How to manage IS Risk?

13. ISRMF (IS Risk Management Framework)
Framework diagram elements: IS Risk Governance; IS Risk Program Management, Training & Awareness; Organizational Goals, Strategy, Governance and Policies; Legal and Regulatory Requirements; Enterprise Risk Management; Intelligence & research, incidents, previous RA and geo-political risk reports; Threat & Vulnerability Management; Issues Management; Incident Management; Resource Template
Process phases: 1. Risk Identification; 2. Risk Assessment; 3. Risk Treatment; 4. Risk Communication; 5. Risk Monitoring

14. Approach
The ISRM process consists of the following phases:
IS Risk Governance: Scope and Boundary; Policy & Procedure; Steering / Governance Committee; Roles and Responsibilities; ISRM Criteria
1. Risk Identification: Perform BIA; identify Information Assets, Vulnerabilities, Threats, Controls and Inherent Risks
2. Risk Assessment: Assess Information Asset Value & Classification, Vulnerability Factor, Threat Likelihood, Controls Effectiveness, Cost of Control and Initial Residual Risk
3. Risk Treatment: Select Treatment Option (Modify, Share, Avoid, Retain); Treat Risks; Final Residual Risk
4. Risk Communication: Develop Final ISRM Report; Communicate Residual Risks to Management; Obtain Management Approval; Conduct awareness sessions
5. Risk Monitoring: Monitor Risk Treatment, Residual Risk and New Risks; Identify change
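As an added worked example (not from the QCERT deck), the Risk Assessment and Risk Treatment phases above applied to a constructed four-asset register. The deck names the factors but gives no formula, so the 1-to-5 scoring, the multiplicative inherent risk, the linear reduction by controls effectiveness, and the appetite / intolerable / budget criteria are all assumptions.

```python
"""Worked ISRM assess/treat example (added here, not from the QCERT deck). Assumed model:
factors 1..5, inherent = value*vulnerability*likelihood, controls remove a fraction of it."""
from dataclasses import dataclass

# Assumed ISRM criteria: risk appetite, intolerable ceiling, cost ceiling for one treatment.
RISK_APPETITE, INTOLERABLE, CONTROL_BUDGET = 20, 80, 50

@dataclass
class Risk:
    asset: str
    asset_value: int             # information asset value & classification, 1..5
    vulnerability: int           # vulnerability factor, 1..5
    threat_likelihood: int       # threat likelihood, 1..5
    existing_control_eff: float  # effectiveness of controls already in place, 0..1
    proposed_control_eff: float  # effectiveness if the proposed control is added, 0..1
    control_cost: int            # cost of the proposed control, constructed units

def inherent_risk(r):
    return r.asset_value * r.vulnerability * r.threat_likelihood

def residual_risk(r, effectiveness):
    return round(inherent_risk(r) * (1.0 - effectiveness), 1)

def select_treatment(r):
    """Return (treatment option, final residual risk) using the deck's four options."""
    initial = residual_risk(r, r.existing_control_eff)
    if initial <= RISK_APPETITE:
        return "Retain", initial    # within appetite: accept it and keep monitoring
    treated = residual_risk(r, r.proposed_control_eff)
    if treated <= RISK_APPETITE and r.control_cost <= CONTROL_BUDGET:
        return "Modify", treated    # affordable control brings the risk inside appetite
    if initial >= INTOLERABLE:
        return "Avoid", 0.0         # stop the activity; no residual risk remains
    return "Share", initial         # transfer impact (insurance/outsourcing); score stays listed

def isrm_report(register):
    rows = []
    for r in register:
        option, final = select_treatment(r)
        rows.append({"asset": r.asset, "inherent": inherent_risk(r), "treatment": option,
                     "initial_residual": residual_risk(r, r.existing_control_eff), "final_residual": final})
    return rows

# Constructed sample register; values are illustrative, not from the deck.
REGISTER = [
    Risk("Customer database", 5, 4, 4, 0.5, 0.8, 40),       # 80 -> 40 -> Modify -> 16.0
    Risk("Public website", 2, 3, 3, 0.2, 0.6, 10),          # 18 -> 14.4 -> Retain
    Risk("Legacy payment gateway", 5, 5, 5, 0.2, 0.6, 90),  # 125 -> 100 -> Avoid
    Risk("Outsourced payroll", 4, 3, 3, 0.3, 0.5, 60),      # 36 -> 25.2 -> Share (over budget)
]
```

`isrm_report(REGISTER)` yields one row per asset with inherent, initial residual and final residual scores plus the chosen option, which is the shape of the final ISRM report the Risk Communication phase sends to management.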

15. Success Factors
Key factors in implementing a successful security risk management program include:
- Executive sponsorship
- Organizational maturity in terms of risk management
- An atmosphere of open communication and teamwork
- Information security risk management team expertise
- A well-defined list of risk management stakeholders

16. Organizational Commitment
Diagram labels for Organization Commitment to ISRM: Continuous relationships; Effective management; Sound basic practices 'on the ground'; Disciplined handling of changes; Operational things 'done right'; Other risks controlled; Active driving force; Specialist know-how; Systematic risk assessment; Independent review; Clear rules; Controlled access to system capabilities

17. For more information, visit www.motc.gov.qa