Security Risk Management
Transcript of Security Risk Management
services ensure that human and system resources are protected from internal and external
Security can be broken into
Identify, develop, implement, maintain
security across the organization’s
Defend information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction
Manage actions that discover, eliminate, prevent, mitigate risk or report on cyber threats, vulnerability or attacks
What it is...
Security Risk Management
Process to Identify, Assess, Mitigate and Monitor security risk.
- establish or indicate what a risk is
- evaluate the nature of someone or something
- accept, avoid, limit or transfer risk
- observe and
Each of the three security domains or 'services' represent a body of work that is provided
'Work' may exist in a physical or digital sense. Some elements may exist -
mirrored in both.
Security Risk Manager
The role of the Risk Manager is to
elements of security.
This includes the structure, content, data, accessibility, and workflow associated with all aspects of each business service.
access and permissions
enable personnel to obtain security clearances
adjudicate issues with clearance or accessibility
maintain personnel awareness
All facets of
should be managed with a solution to
security risk management.
Manage system acquisition, inventory, and monitoring both virtually and physically
Control access and egress to facilities, systems and sites
Report on actions that impact the company's system security posture
Categorize assets through inventory analysis
Continuous awareness of
Strategic initiatives, business development and opportunities must take into consideration all security risks
Enable long and short term security risk management strategy
Mitigation strategies for risk limitation, avoidance, acceptance or transfer
Business continuity planning
Risk management strategy
is critical at all levels within an
Accounting, banking, sales, investments, and profit sharing all have elements of security risk
Control custody of financial assets with defined risk from source to end
Monitor financial assets for cybercriminal intrusions and attacks
to financial assets through defined
Risks are associated with business execution, emergency management and business relationships
Maintain company documents and records at risk
Proper Storage and Handling
Physical (hard copy)
All information that makes up the organization and its systems can be
Security liaison enables interaction with internal and external entities concerning security content, information, personnel, accessibility and reporting.
Internal & external collaboration and participation in compliance
Public affairs and affiliations monitored for security risk
is a critical feature for a Security
From project planning to execution
Control access to ensure minimal risk to proprietary information
Segregate projects with limited access to personnel with proper NDA
Standardize security risk reporting, terms and measurements.
Each project needs
to personnel and system assets used.
Policy, environment, legal, safety, contract management
create, modify, update policy for security related compliance efforts
educate to ensure compliance
enforce security policy across all organizational services
to ensure the security professional is in the 'loop' on all
Veteran-Owned Small Business providing services and solutions to Federal, State and
Virginia-based small business with virtual access to the world
We have been in business for almost 10 years
Clients range from United States Army, Navy, Air Force and Marines to private sector Commercial companies
We deliver measurable value from a variety of innovative consulting solutions with a focus on enterprise sustainability
Our competent workforce consists of seasoned professionals with the right backgrounds that you can trust
Paul W. Johnson
Risk is pervasive in all elements of life and in business.
How you manage
begins with an understanding of it.
- uncertainty of financial loss or the probability that a loss has occurred or will occur.
Primary Risk Divisions
(employees, contractors, outsourced, etc)
Any person or group that the company is financially bound to and legally responsible for their security
(real property, leased, owned, facilities, etc)
Any system or group of systems that the company is financially bound to and legally responsible for its security.
– tangible objects
- examples include
– intangible objects
- examples include
- anything that could adversely affect the enterprise
- capable of or susceptible to being damaged through some intentional or unintentional dysfunction
- move risk from one place to another
- keep away from or stop from doing something
- restrict the size or amount of something permissible
- recognize something as valid and work within its boundaries
- notice or perceive something and register it as being significant
- align something relative to a specified criteria
: Vulnerability requires significant resources to exploit, with little potential for loss.
: Vulnerability requires minimal resources to exploit, with moderate potential for loss.
: Vulnerability requires few resources to exploit, with significant potential for loss.
: Effects of vulnerability tightly contained. Does not increase probability of additional vulnerabilities being exploited.
: Vulnerability affects more than one component. Exploitation increases probability of additional vulnerabilities being exploited.
: Vulnerability affects a majority of components. Exploitation significantly increases probability of additional vulnerabilities being exploited.
Structure refers to physical folders and virtual folder location, naming conventions and relationships.
Structure is the “library system” of organizing content.
Content exists as physical media (paper) and digital media (audio, video, and documents) that are organized and ordered by the structure.
Individual content is the artifact that contains information in the form of specific data.
Some enhanced solutions may balance both physical and digital content so that electronic versions of physical artifacts are named the same, located in the same structure and contain the same data.
Data exists as foundational instances of information within content.
Data must be protected by access to its associated content.
Data matures in a manner that is similar to structure - it begins as a concept and eventually manifests as a physical object.
Accessibility refers to the security and permissions structured to access the physical and virtual content, workflow or data.
Physical access describes the real world of facilities, rooms, cabinets and their associated locks, badges, and associated access protocols to files and electronic equipment.
Digital accessibility describes the cybersecurity considerations that ensure specific personnel have specific permissions to interact with specific content.
Workflow refers to dependent services that change the state of data.
It typically manifests as one or many manual processes that evolve or mature over time to become automated and repeatable. To engage in a workflow an individual must have access.
Workflow is foundational to all other elements in a business because no service is performed in isolation.
Evidence of workflow is key to identifying if a service exists, if it is done by the company itself, or outsourced, or a mixture of both.
No thing or no one can ever be made 100% secure – there is no such thing as a perfect security program
Monitor all risk mitigation efforts and ensure they are timely and efficient
risks are registered
Report any mitigation efforts that are "off course" and direct the correct personnel to correct
Align or re-align efforts to mitigate risk
Organizations that do not manage security risk are vulnerable to situations that could disrupt, damage or destroy their ability to conduct business.
Natural (hazards - hurricane, flood, earthquake, etc)
Accidental (fire, drop, spill, etc)
Intentional (criminal, malicious tampering, etc)
Internal (owned or leased human or system)
External (outside of organizational influence)
Cognitive or communicative vulnerability - can't understand
Economic vulnerability - economic situation makes it vulnerable
Social vulnerability - coerced or socially engineered behavior
Legal vulnerability - legal rights mismanagement
Time - vulnerable window of time: short term to forever
Place - only vulnerable at specific location
Given all potential
based on the scope and context of an organization's business
each of the business
obtained from overall business assessment
Manufacturer, Inventor, Service Provider, Lessor, Wholesaler/Retailer, Broker, Trader