Information Risk Management

by

Faham Usman

on 22 May 2014

Transcript of Information Risk Management

Information Security
Information Risk Management
Awareness Campaign
Agenda
Salim is your Cyber Security Advisor.
Aims at promoting, building and ensuring a safer & secure cyber environment and culture in the UAE.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
What is Information?
Acceptable Levels of Risk
What is Risk?
IT Risk Management Best Practices
How to Do Risk Management?
IT Risk Management Principles
Risk Management Best Practices
Risk Management Best Practices
aeCERT
Salim (aeCERT)
@salim_aecert
For more information
www.aecert.ae
info@aecert.ae
Questions
What is Information?
Examples of Information
For Business:
Transactions
Customer data
Pricing information
Strategic plans
Competitor information
Employee information
For Government:
National revenues and expenses
Deeds, wills, contracts, legal documents
Maps, blueprints and designs
Tax collections and assessment
Intro: What is Risk?
What is Risk Management?
Risks are events, situations or circumstances which lead to negative consequences for your business.

Risk management means deploying people, processes and technologies to operate at an acceptable level of risk.

For example, a department store can have a security guard at every door looking for shoplifters. But that would cost too much and would offend customers.
Facets of Information Risk Management
Risk Management Best Practices
Address IT (Information) risk continuously
Information Risk Management objectives should be driven by business objectives
Top management has to support, sponsor and promote Information Risk Management efforts
Perform cost-benefit analysis of Risk Management investments
Acceptable Levels of Risk
Somewhere in the middle is the acceptable level of risk
Acceptable Levels of Risk
Information Risk Management seeks to minimize threats to information.

Threats to information include:

Theft
Alteration
Corruption
Falsification
Loss of confidentiality
Loss of availability
Loss due to hardware failure
Violations of national privacy laws
Non-compliance with standards and international requirements
What is Information Security?
Protecting against theft or loss of personal or company data and assets including financial ones.
Developing procedures, standards, software and physical security procedures, and deploying them to contain information security risk.
Risk is the tradeoff between benefit and cost.
Calculate Risk: Measure
Risk Exposure
Information Risk Management - Roles and Responsibilities
Classify Data According to Business Importance
Summary
Penetration testing is the process of assessing the loopholes in a system, application or network by exploiting them.
Penetration Testing
Vulnerability Assessment is the process of identifying loopholes in a computer system or network.
Vulnerability Assessment
Make Risk-aware Business Decisions
Making risk-aware business decisions means doing a cost-benefit analysis for business decisions.

For example, should we drill a new oil well if the price of crude is forecast to drop below $100 USD per barrel?

Another example: should we move our data center to the cloud or keep it in house? One is riskier than the other, and one costs more than the other. (Experts would say that cloud computing increases security and decreases costs.)

Another example: should we install a new firewall in the finance office network if we already have one on the network that contains it? Is it worth the money to have two firewalls?
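
The cost-benefit reasoning in these examples, together with the "Calculate Risk: Measure Risk Exposure" and "Perform cost-benefit analysis of Risk Management investments" points, can be made concrete with the common quantitative model of single loss expectancy (SLE), annual rate of occurrence (ARO) and annualized loss expectancy (ALE). The Python below is an added example, not part of the presentation: the formulas are the standard SLE/ALE approach rather than anything the slides state, and the asset values, incident rates, control costs and risk appetite are constructed figures for the two-firewall question.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One risk expressed quantitatively (SLE/ARO/ALE model; assumed, not from the slides)."""
    asset_value: float      # what the information asset is worth to the business
    exposure_factor: float  # fraction of that value lost in one incident, 0.0 .. 1.0
    annual_rate: float      # expected incidents per year (ARO)

    def single_loss_expectancy(self) -> float:
        # SLE: money lost each time the event happens
        return round(self.asset_value * self.exposure_factor, 2)

    def annualized_loss_expectancy(self) -> float:
        # ALE: expected loss per year, the figure compared against the acceptable level of risk
        return round(self.single_loss_expectancy() * self.annual_rate, 2)


@dataclass(frozen=True)
class Control:
    """A candidate risk-management investment and the exposure that remains once it is in place."""
    name: str
    annual_cost: float
    residual: Exposure


def net_benefit(before: Exposure, control: Control) -> float:
    """Annual value of a control: the loss it avoids minus what it costs to run."""
    avoided = before.annualized_loss_expectancy() - control.residual.annualized_loss_expectancy()
    return round(avoided - control.annual_cost, 2)


def decide(before: Exposure, control: Control, risk_appetite: float) -> str:
    """Risk-aware decision: accept within appetite, otherwise buy the control only if it pays for itself."""
    if before.annualized_loss_expectancy() <= risk_appetite:
        return "accept: exposure is within the acceptable level of risk"
    if net_benefit(before, control) > 0:
        return f"treat: {control.name} avoids more loss than it costs"
    return f"reconsider: {control.name} costs more than the loss it avoids"


# Constructed figures for the "second firewall in the finance office" question (hypothetical values).
FINANCE_DATA = Exposure(asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.10)
SECOND_FIREWALL = Control("second firewall", annual_cost=15_000,
                          residual=Exposure(2_000_000, 0.25, 0.04))
PREMIUM_APPLIANCE = Control("premium appliance", annual_cost=45_000,
                            residual=Exposure(2_000_000, 0.25, 0.02))
RISK_APPETITE = 25_000  # the most the business is willing to lose per year on this asset

if __name__ == "__main__":
    print("ALE today:", FINANCE_DATA.annualized_loss_expectancy())
    for control in (SECOND_FIREWALL, PREMIUM_APPLIANCE):
        print(control.name, "net benefit:", net_benefit(FINANCE_DATA, control))
        print(decide(FINANCE_DATA, control, RISK_APPETITE))
```

With these figures the finance data carries an ALE of 50,000 per year, above the 25,000 appetite, so the risk must be treated; the second firewall nets 15,000 per year and is worth buying, while the premium appliance reduces the risk further but costs more than it saves. Changing the appetite to 60,000 turns the answer into "accept", which is the "somewhere in the middle" the slides describe.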

Document IT Security Procedures
React to Events
The Role of the Auditor
Collect Data (Logs)
In order to analyze risk, it is necessary to collect risk-related data. This includes:

Logs, used for intrusion detection and forensics. That means you need to analyze logs to see whether someone has hacked your computer and stolen data or gained unauthorized access to data.
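
To make the "collect and analyze logs" point concrete, here is an added Python example that is not from the presentation. It parses a handful of constructed authentication and file-access log lines in a simple format defined here, flags a login that succeeds after a burst of failures from the same source (a common sign of a guessed password), and then lists which files that session went on to read, which is the question forensics asks after the alert. The log format, field names and the failure threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a self-defined format (not output of any real system).
SAMPLE_LOG = """\
2014-05-22T09:00:01 auth user=alice src=10.0.0.5 result=FAIL
2014-05-22T09:00:04 auth user=alice src=10.0.0.5 result=FAIL
2014-05-22T09:00:07 auth user=alice src=10.0.0.5 result=FAIL
2014-05-22T09:00:09 auth user=alice src=10.0.0.5 result=FAIL
2014-05-22T09:00:12 auth user=alice src=10.0.0.5 result=FAIL
2014-05-22T09:00:15 auth user=alice src=10.0.0.5 result=OK
2014-05-22T09:01:00 file user=alice src=10.0.0.5 action=READ path=/finance/payroll.xlsx
2014-05-22T09:30:00 auth user=bob src=10.0.0.9 result=FAIL
2014-05-22T09:30:40 auth user=bob src=10.0.0.9 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|file) (?P<fields>.*)$")


def parse(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "kind": m.group("kind"), **fields})
    return events


def find_suspicious_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, src) pairs whose successful login follows >= threshold failures in the window."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
        elif ev["result"] == "OK":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "at": ev["ts"]})
            failures[key].clear()  # a success ends the burst either way
    return alerts


def files_touched_after(events, alerts):
    """For each alert, list the files the same user/src accessed after the suspicious login."""
    touched = {}
    for a in alerts:
        key = (a["user"], a["src"])
        touched[key] = [e["path"] for e in events
                        if e["kind"] == "file" and (e["user"], e["src"]) == key
                        and e["ts"] >= a["at"]]
    return touched


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = find_suspicious_logins(evs)
    for a in found:
        print(f"{a['at']} {a['user']} from {a['src']}: success after {a['failures']} failures")
    print(files_touched_after(evs, found))
```

Bob's single failure followed by a success is ordinary user behaviour and produces nothing; Alice's five failures in fifteen seconds followed by a success and a payroll read is the pattern an analyst would escalate. The detection only works if the logs exist and are kept, which is why collecting them is listed as a step in its own right.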

Coordinate IT Risk with Rest of Business
Document Risk and Communicate to Employees
Risk Evaluation
IT Risk Management Best Practices
Maintain Risk Profile
IT Risk Management Best Practices
IT is only one type of risk to the organization.

The organization should have an ERM (enterprise risk model).

The ERM has separate teams to handle: financial fraud, theft of company assets, physical threats to employees, and strategic planning (meaning the people who make business decisions).

A risk profile means a way to measure risk. You can assign a code or number to each item to maintain the profile. The profile includes:
Document roles and responsibilities
Write down procedures for security incident response
Adopt and document SOPs (Standard Operating Procedures) compliant with industry best practices
Information is an asset which, like other important organizational assets, has value to an organization and consequently needs to be suitably protected.

Information has a certain financial, operational, or strategic value, so it is possible to assign a cost to the loss of such data.

Since information has value, it is also possible to gauge the benefit of obtaining such data.